Configure fail2ban
This commit is contained in:
parent
86170d0393
commit
e0c008be2c
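--- a/machine.yml
+++ b/machine.yml
@@ -145,6 +145,42 @@
 mail_postfix_conf is changed or
 mail_postfix_credentials is changed
 
+# ----------------------------------------------------------------------------------------------
+# Fail2Ban configuration.
+# ----------------------------------------------------------------------------------------------
+
+- name: Install fail2ban
+apt:
+name: fail2ban
+
+- name: Configure fail2ban
+template:
+src: ./root/etc/fail2ban/jail.local.j2
+dest: /etc/fail2ban/jail.local
+mode: 0644
+register: fail2ban_conf
+
+- name: Configure fail2ban sshd jail
+template:
+src: ./root/etc/fail2ban/jail.d/sshd.local.j2
+dest: /etc/fail2ban/jail.d/sshd.local
+mode: 0644
+register: fail2ban_sshd_jail
+
+- name: Enable/start fail2ban
+service:
+name: fail2ban
+state: started
+enabled: yes
+
+- name: Restart fail2ban
+service:
+name: fail2ban
+state: restarted
+when:
+fail2ban_conf is changed or
+fail2ban_sshd_jail is changed
+
 # ----------------------------------------------------------------------------------------------
 # SystemD mails.
 # ----------------------------------------------------------------------------------------------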
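Review bot: The `Restart fail2ban` task at the end of the hunk restarts the service whenever either template changed, without first validating the rendered configuration, so a typo in jail.local or sshd.local takes the service down and the play only fails after both files are already in place. fail2ban provides a configuration test (`fail2ban-client -t`) that can run between the two template tasks and the restart, failing the play before the service is touched; a task doing that is sketched below. The rendered view has lost the YAML indentation, so the nesting of the tasks is inferred from the task names rather than visible here.
```yaml
- name: Validate fail2ban configuration
  command: fail2ban-client -t
  changed_when: false
# … unchanged: Enable/start and Restart tasks …
```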
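--- /dev/null
+++ b/root/etc/fail2ban/jail.d/sshd.local.j2
@@ -0,0 +1,5 @@
+[sshd]
+enabled = true
+port = {{ ansible_port }}
+findtime = 1d
+bantime = 2w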
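--- /dev/null
+++ b/root/etc/fail2ban/jail.local.j2
@@ -0,0 +1,32 @@
+[DEFAULT]
+
+# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
+# will not ban a host which matches an address in this list. Several addresses
+# can be defined using space (and/or comma) separator.
+ignoreip = 127.0.0.1/8 ::1 {{ subnet_address }}/{{ subnet_masklen }}
+
+# "bantime" is the number of seconds that a host is banned.
+bantime = 1d
+
+# Destination email address used solely for the interpolations in jail.{conf,local,d/*}
+# configuration files.
+destemail = root
+
+# Sender email address used solely for some actions
+sender = fail2ban
+
+# Specify chain where jumps would need to be added in ban-actions expecting parameter chain. Chain
+# variable needs to be overridden in jail.local, as the uppercase `chain = INPUT` declaration in
+# jail.conf shadows proper lowercase declaration in nftables-common.conf.
+chain = input
+
+# Default banning action (e.g. iptables, iptables-new, iptables-multiport, shorewall, etc) It is
+# used to define action_* variables. Can be overridden globally or per section within jail.local
+# file. Use nftables instead of iptables.
+banaction = nftables[type=multiport]
+banaction_allports = nftables[type=allports]
+
+# Choose default action. To change, just override value of 'action' with the interpolation to the
+# chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local globally (section
+# [DEFAULT]) or per specific section.
+action = %(action_mw)s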
@ -8,6 +8,8 @@ ssh_user:
|
|||||||
# Machine variables
|
# Machine variables
|
||||||
hostname:
|
hostname:
|
||||||
domain:
|
domain:
|
||||||
|
subnet_address:
|
||||||
|
subnet_masklen:
|
||||||
|
|
||||||
# Postfix variables
|
# Postfix variables
|
||||||
postfix_smtp_server:
|
postfix_smtp_server:
|
||||||
|