summaryrefslogtreecommitdiffstats
path: root/roles/common
diff options
context:
space:
mode:
Diffstat (limited to 'roles/common')
-rw-r--r--roles/common/files/etc/fail2ban/filter.d/roundcube.conf16
-rw-r--r--roles/common/files/etc/postfix/master.cf1
-rw-r--r--roles/common/tasks/fail2ban.yml15
-rw-r--r--roles/common/templates/etc/fail2ban/jail.local.j210
-rw-r--r--roles/common/templates/etc/iptables/services.j23
5 files changed, 43 insertions, 2 deletions
diff --git a/roles/common/files/etc/fail2ban/filter.d/roundcube.conf b/roles/common/files/etc/fail2ban/filter.d/roundcube.conf
new file mode 100644
index 0000000..c8cb5d3
--- /dev/null
+++ b/roles/common/files/etc/fail2ban/filter.d/roundcube.conf
@@ -0,0 +1,16 @@
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "<HOST>" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = IMAP Error: Login failed for \S+ from <HOST>\. AUTHENTICATE \S+: Authentication failed\.
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf
index 3540e32..38b2ecb 100644
--- a/roles/common/files/etc/postfix/master.cf
+++ b/roles/common/files/etc/postfix/master.cf
@@ -11,6 +11,7 @@
smtp inet n - - - - smtpd
16132 inet n - - - - smtpd
2526 inet n - - - - smtpd
+2580 inet n - - - - smtpd
submission inet n - - - - smtpd
pickup fifo n - - 60 1 pickup
cleanup unix n - - - 0 cleanup
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
index d5007b9..be26c79 100644
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@@ -1,17 +1,28 @@
- name: Install fail2ban
apt: pkg=fail2ban
+- name: Add addititional filters
+ copy: src=etc/fail2ban/filter.d/{{ item }}
+ dest=/etc/fail2ban/filter.d/{{ item }}
+ owner=root group=root
+ mode=0644
+ register: r1
+ with_items:
+ - roundcube.conf
+ notify:
+ - Restart fail2ban
+
- name: Configure fail2ban
template: src=etc/fail2ban/jail.local.j2
dest=/etc/fail2ban/jail.local
owner=root group=root
mode=0644
- register: r
+ register: r2
notify:
- Restart fail2ban
- name: Start fail2ban
service: name=fail2ban state=started
- when: not r.changed
+ when: not (r1.changed or r2.changed)
- meta: flush_handlers
diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2
index 661c862..7c5bc0e 100644
--- a/roles/common/templates/etc/fail2ban/jail.local.j2
+++ b/roles/common/templates/etc/fail2ban/jail.local.j2
@@ -81,3 +81,13 @@ port = submission
filter = sasl
logpath = /var/log/mail.warn
{% endif %}
+
+
+{% if 'webmail' in group_names %}
+[roundcube]
+
+enabled = true
+port = http,https
+filter = roundcube
+logpath = /var/log/roundcube/errors
+{% endif %}
diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2
index 2a36932..3ddb87e 100644
--- a/roles/common/templates/etc/iptables/services.j2
+++ b/roles/common/templates/etc/iptables/services.j2
@@ -25,3 +25,6 @@ in tcp 993 # IMAPS
{% if 'MSA' in group_names %}
in tcp 587 # SMTP-AUTH
{% endif %}
+{% if 'webmail' in group_names %}
+in tcp 80,443 # HTTP/HTTPS
+{% endif %}