Configure fail2ban
parent
86170d0393
commit
e0c008be2c
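--- a/machine.yml
+++ b/machine.yml
@@ -145,6 +145,42 @@
 mail_postfix_conf is changed or
 mail_postfix_credentials is changed
 
+# ----------------------------------------------------------------------------------------------
+# Fail2Ban configuration.
+# ----------------------------------------------------------------------------------------------
+
+- name: Install fail2ban
+apt:
+name: fail2ban
+
+- name: Configure fail2ban
+template:
+src: ./root/etc/fail2ban/jail.local.j2
+dest: /etc/fail2ban/jail.local
+mode: 0644
+register: fail2ban_conf
+
+- name: Configure fail2ban sshd jail
+template:
+src: ./root/etc/fail2ban/jail.d/sshd.local.j2
+dest: /etc/fail2ban/jail.d/sshd.local
+mode: 0644
+register: fail2ban_sshd_jail
+
+- name: Enable/start fail2ban
+service:
+name: fail2ban
+state: started
+enabled: yes
+
+- name: Restart fail2ban
+service:
+name: fail2ban
+state: restarted
+when:
+fail2ban_conf is changed or
+fail2ban_sshd_jail is changed
+
 # ----------------------------------------------------------------------------------------------
 # SystemD mails.
 # ----------------------------------------------------------------------------------------------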
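Review bot: The `Restart fail2ban` task at the end of the hunk also fires on the very first run, because both registered template tasks report `changed` then, so a fresh host is started by `Enable/start fail2ban` and restarted immediately afterwards. A handler would avoid that and run once at the end of the play: put `notify: Restart fail2ban` on both template tasks and move the restart into `handlers:`, which also removes the need to extend the `when:` clause every time another `jail.d/*.local` template is added. The same inline-restart pattern is used for the Postfix tasks in the context lines above, so if it is kept here for consistency a short comment saying so above `- name: Restart fail2ban` would explain the choice.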
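--- /dev/null
+++ b/root/etc/fail2ban/jail.d/sshd.local.j2
@@ -0,0 +1,5 @@
+[sshd]
+enabled = true
+port = {{ ansible_port }}
+findtime = 1d
+bantime = 2w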
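Review bot: `port = {{ ansible_port }}` makes the template task fail with an undefined-variable error on any host where `ansible_port` is not set in the inventory, which is precisely the case where sshd listens on the default port; `port = {{ ansible_port | default(22) }}` renders the same value where the variable is set and falls back to sshd's default otherwise. The jail also relies on fail2ban's stock sshd log source, and as far as I can tell a journald-only host without rsyslog has no `/var/log/auth.log`, so the sshd jail fails to start while the fail2ban service itself stays up; if such hosts are in scope, add `backend = systemd` to this file. Lastly `bantime = 2w` overrides the `1d` set in `[DEFAULT]` of jail.local without saying so; a one-line comment such as `; SSH gets a longer ban than the 1d default in jail.local` above it would record that the override is deliberate.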
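--- /dev/null
+++ b/root/etc/fail2ban/jail.local.j2
@@ -0,0 +1,32 @@
+[DEFAULT]
+
+# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
+# will not ban a host which matches an address in this list. Several addresses
+# can be defined using space (and/or comma) separator.
+ignoreip = 127.0.0.1/8 ::1 {{ subnet_address }}/{{ subnet_masklen }}
+
+# "bantime" is the number of seconds that a host is banned.
+bantime = 1d
+
+# Destination email address used solely for the interpolations in jail.{conf,local,d/*}
+# configuration files.
+destemail = root
+
+# Sender email address used solely for some actions
+sender = fail2ban
+
+# Specify chain where jumps would need to be added in ban-actions expecting parameter chain. Chain
+# variable needs to be overridden in jail.local, as the uppercase `chain = INPUT` declaration in
+# jail.conf shadows proper lowercase declaration in nftables-common.conf.
+chain = input
+
+# Default banning action (e.g. iptables, iptables-new, iptables-multiport, shorewall, etc) It is
+# used to define action_* variables. Can be overridden globally or per section within jail.local
+# file. Use nftables instead of iptables.
+banaction = nftables[type=multiport]
+banaction_allports = nftables[type=allports]
+
+# Choose default action. To change, just override value of 'action' with the interpolation to the
+# chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local globally (section
+# [DEFAULT]) or per specific section.
+action = %(action_mw)s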
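Review bot: The comment above `bantime = 1d` still describes the value as "the number of seconds", which no longer matches the `1d` written beneath it; I would change it to `# "bantime" is how long a host stays banned; abbreviations such as 1d need fail2ban 0.10 or newer.` since, if I remember the parser history correctly, older releases only accept a plain integer. `action = %(action_mw)s` expands to the ban action plus the `%(mta)s-whois` mail action, which shells out to the `whois` binary that nothing in this commit installs, so unless it is installed elsewhere in the playbook every ban report carries a "missing whois program" placeholder (or an action error, depending on the version) instead of the lookup; adding `whois` next to `fail2ban` in the apt task fixes that, and the `nftables` ban action likewise assumes the `nft` binary is present. `ignoreip` also exempts the whole `{{ subnet_address }}/{{ subnet_masklen }}` range from every jail, so a brute-force attempt originating inside that subnet is never banned; a comment such as `# The local subnet is trusted on purpose: hosts in it are never banned by any jail.` would make that trade-off visible to the next reader.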
@ -8,6 +8,8 @@ ssh_user:
# Machine variables
hostname:
domain:
subnet_address:
subnet_masklen:
# Postfix variables
postfix_smtp_server: