Description
===========

This role configures fail2ban.

Requirements
============

Roles
-----

Only parent roles.

Variables
---------

* fail2ban_loglevel:
  * description:
    * Sets the log level of the daemon's output.
  * default: `INFO`
  * choices: [`1 = ERROR`, `2 = WARN`, `3 = INFO`, `4 = DEBUG`]
* fail2ban_logtarget:
  * description:
    * Sets the log target. This can be a file, SYSLOG, STDERR or STDOUT.
  * default: `/var/log/fail2ban.log`
* fail2ban_syslog_target:
  * description:
    * Sets the syslog target instance.
  * default: `/var/log/fail2ban.log`
* fail2ban_syslog_facility:
  * description:
    * tbd...
  * default: `1`
* fail2ban_socket:
  * description:
    * Sets the socket file used to communicate with the daemon.
  * default: `/var/run/fail2ban/fail2ban.sock`
* fail2ban_pidfile:
  * description:
    * Sets the pid file used to store the process ID of the daemon (only works on `fail2ban >= 0.8.9`).
  * default: `/var/run/fail2ban/fail2ban.pid`
* fail2ban_ignoreips:
  * description:
    * Which IP addresses, CIDR masks or DNS hosts fail2ban's actions should ignore.
  * default: `[127.0.0.1/8]`
* fail2ban_bantime:
  * description:
    * Sets the ban time in seconds.
  * default: `600`
* fail2ban_maxretry:
  * description:
    * Maximum number of retries before the host is put into jail.
  * default: `3`
* fail2ban_findtime:
  * description:
    * A host is banned if it has generated `fail2ban_maxretry` failures during the last `fail2ban_findtime` seconds.
  * default: `600`
* fail2ban_backend:
  * description:
    * Specifies the backend used to detect file modifications.
  * default: `auto`
  * choices: tbd...
* fail2ban_banaction:
  * description:
    * Sets the global/default ban action.
  * default: `iptables-multiport`
* fail2ban_protocol:
  * description:
    * Sets the default protocol.
  * default: `tcp`
  * choices: tbd...
* fail2ban_chain:
  * description:
    * Specifies the chain where jumps need to be added in `iptables-*` actions.
  * default: `INPUT`
* fail2ban_action:
  * description:
    * Default action.
      **Note that variables (including the actions defined elsewhere in the config files) must be wrapped in python-style `%(` and `)s` so they are expanded.**
  * default: `%(action_)s`
* fail2ban_services:
  * description:
    * Service definitions.
  * default: see `defaults/main.yml`
* fail2ban_services.{n}.name [required]:
  * description:
    * Service name.
  * default: undefined
  * example: `sshd`, `ssh`
* fail2ban_services.{n}.enabled:
  * description:
    * Whether or not the service is enabled.
  * default: `true`
  * choices: `true`, `false`
* fail2ban_services.{n}.* [optional]:
  * description:
    * Name of the option
* fail2ban_services.{n}.*.* [optional]:
  * description:
    * Value of the option

Processes
=========

1. install fail2ban
2. create configuration files from templates

License
=======

BSD-3-Clause

Contributors
============

* Michael Klix (michael.klix@tu-dresden.de)

Based on the provided SDM framework of

* Martin Pietsch (martin.pietsch@tu-dresden.de)

Mainly influenced by the implementation/example of Nicolas Bigot.

Literature
==========

* https://fail2ban.org/wiki/index.php/Category:HTTP
* https://fedoraproject.org/wiki/Fail2ban_with_FirewallD
* https://computingforgeeks.com/install-and-use-firewalld-on-ubuntu-18-04-ubuntu-16-04
* https://www.digitalocean.com/community/tutorials/how-to-protect-an-nginx-server-with-fail2ban-on-ubuntu-14-04
* https://snippets.aktagon.com/snippets/554-how-to-secure-an-nginx-server-with-fail2ban
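The following is an added example, not part of this role or its templates: it takes variables in the shape documented above (the `fail2ban_*` defaults and a `fail2ban_services.{n}` list), renders the `jail.local` such a configuration would produce, and runs a few pre-deployment checks a practitioner would want: that `fail2ban_ignoreips` entries are real IP/CIDR values or host names, that `fail2ban_action` is wrapped in `%(` ... `)s` as the note requires, and a sliding-window illustration of how `fail2ban_maxretry` and `fail2ban_findtime` combine to trigger a ban. The rendering layout, the service entries and the check functions are assumptions of this example; the role's own template may differ.

```python
"""
Added example: render a jail.local from role-style variables and sanity-check
them. Variable names follow the README; everything else is assumed here.
"""
import ipaddress
import re

# Defaults as documented in the README (constructed dict, not defaults/main.yml itself)
ROLE_DEFAULTS = {
    "fail2ban_ignoreips": ["127.0.0.1/8"],
    "fail2ban_bantime": 600,
    "fail2ban_maxretry": 3,
    "fail2ban_findtime": 600,
    "fail2ban_backend": "auto",
    "fail2ban_banaction": "iptables-multiport",
    "fail2ban_protocol": "tcp",
    "fail2ban_chain": "INPUT",
    "fail2ban_action": "%(action_)s",
}

# Constructed service list in the fail2ban_services.{n} shape: name/enabled plus
# arbitrary option name -> value pairs that are copied into the jail section.
SAMPLE_SERVICES = [
    {"name": "sshd", "enabled": True, "port": "ssh", "logpath": "%(sshd_log)s"},
    {"name": "nginx-http-auth", "enabled": True, "port": "http,https",
     "logpath": "/var/log/nginx/error.log", "maxretry": 5},
    {"name": "postfix", "enabled": False},
]

# Python-style interpolation reference, e.g. %(action_)s
INTERP_RE = re.compile(r"^%\([A-Za-z0-9_]+\)s$")


def check_ignoreips(entries):
    """Return entries that are neither an IP address, a CIDR block nor a
    plausible DNS host name (crude label check, assumed here)."""
    bad = []
    for entry in entries:
        try:
            ipaddress.ip_network(entry, strict=False)  # accepts 127.0.0.1/8
            continue
        except ValueError:
            pass
        if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*", entry):
            bad.append(entry)
    return bad


def check_action(value):
    """True when the default action is a wrapped %(name)s reference."""
    return bool(INTERP_RE.match(value))


def would_ban(failure_times, maxretry, findtime):
    """Simplified sliding-window model of the README rule: a host is banned
    once maxretry failures fall inside any window of findtime seconds."""
    times = sorted(failure_times)
    for i in range(len(times)):
        j = i + maxretry - 1
        if j < len(times) and times[j] - times[i] <= findtime:
            return True
    return False


def enabled_jails(services=SAMPLE_SERVICES):
    """Names of the services that will be written with enabled = true."""
    return [s["name"] for s in services if s.get("enabled", True)]


def render_jail_local(overrides=None, services=SAMPLE_SERVICES):
    """Build jail.local text: a [DEFAULT] section from the role variables,
    then one section per service with its extra options copied verbatim."""
    cfg = {**ROLE_DEFAULTS, **(overrides or {})}
    lines = [
        "[DEFAULT]",
        "ignoreip = " + " ".join(cfg["fail2ban_ignoreips"]),
        f"bantime = {cfg['fail2ban_bantime']}",
        f"findtime = {cfg['fail2ban_findtime']}",
        f"maxretry = {cfg['fail2ban_maxretry']}",
        f"backend = {cfg['fail2ban_backend']}",
        f"banaction = {cfg['fail2ban_banaction']}",
        f"protocol = {cfg['fail2ban_protocol']}",
        f"chain = {cfg['fail2ban_chain']}",
        f"action = {cfg['fail2ban_action']}",
        "",
    ]
    for svc in services:
        lines.append(f"[{svc['name']}]")
        lines.append("enabled = " + ("true" if svc.get("enabled", True) else "false"))
        for key, val in svc.items():
            if key not in ("name", "enabled"):
                lines.append(f"{key} = {val}")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_jail_local({"fail2ban_bantime": 3600}))
    print("bad ignoreips:", check_ignoreips(["127.0.0.1/8", "not a host!"]))
    print("action wrapped:", check_action(ROLE_DEFAULTS["fail2ban_action"]))
    print("3 failures in 200s banned:", would_ban([0, 100, 200], 3, 600))
```

Run the checks in a playbook pre-task or a CI job before the role writes the templates: an unwrapped `fail2ban_action` such as `action_mwl` silently produces a jail with a literal action name instead of the expanded definition, and a typo in `fail2ban_ignoreips` can either lock out your own management host or exempt nothing at all.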