author | Guilhem Moulin <guilhem@fripost.org> | 2020-01-23 05:33:17 +0100 |
committer | Guilhem Moulin <guilhem@fripost.org> | 2020-01-25 01:57:05 +0100 |
commit | ee4e9e9836ad05279647b04eb1e8a3a4b0e16568 (patch) | |
tree | d4e566a7b535f7d62e4fd6fd1a521ea6d7563d21 /roles/common/tasks | |
parent | 7641a5d5d152db349082b1d0ec93a40888b2ef8e (diff) |
Improve/harden fail2ban configuration.
* Use nftables sets with a timeout
* Start daemon with a hardened unit file and restricted Capability
Bounding Set. (This requires changing the log path to
/var/log/fail2ban/*.)
* Skip database as we don't care about persistence.
* Refactor jail.local
Diffstat (limited to 'roles/common/tasks')
-rw-r--r-- | roles/common/tasks/fail2ban.yml | 68 |
1 files changed, 55 insertions, 13 deletions
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
index 84e6b7a..89427ea 100644
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@@ -1,37 +1,79 @@ - name: Install fail2ban apt: pkg=fail2ban -- name: Configure fail2ban +# Log into a dedicate directory so we can use ReadWriteDirectories in +# the .service file +- name: Create directory /var/log/fail2ban + file: path=/var/log/fail2ban + state=directory + owner=root group=adm + mode=0750 + +- name: Fix fail2ban logrotate snippet + lineinfile: dest=/etc/logrotate.d/fail2ban + state=present + line="/var/log/fail2ban/*.log" + insertbefore="^[^#]*\\s{$" + tags: + - logrotate + +- name: Configure fail2ban (fail2ban.local) + copy: src=etc/fail2ban/fail2ban.local + dest=/etc/fail2ban/fail2ban.local + owner=root group=root + mode=0644 + register: r1 + notify: + - Restart fail2ban + +- name: Configure fail2ban (jail.local) template: src=etc/fail2ban/jail.local.j2 dest=/etc/fail2ban/jail.local owner=root group=root mode=0644 - register: r1 + register: r2 notify: - Restart fail2ban -- name: Add roundcube filter - copy: src=etc/fail2ban/filter.d/roundcube.conf - dest=/etc/fail2ban/filter.d/roundcube.conf +- name: Configure fail2ban (action.d/nftables-allports.local) + copy: src=etc/fail2ban/action.d/nftables-allports.local + dest=/etc/fail2ban/action.d/nftables-allports.local owner=root group=root mode=0644 - register: r2 - when: "'webmail' in group_names" + register: r3 notify: - Restart fail2ban -- name: Add dovecot filter - copy: src=etc/fail2ban/filter.d/dovecot.conf - dest=/etc/fail2ban/filter.d/dovecot.conf +- name: Copy filters + copy: src=etc/fail2ban/filter.d/ + dest=/etc/fail2ban/filter.d/ owner=root group=root mode=0644 - register: r3 - when: "'IMAP' in group_names" + register: r4 + notify: + - Restart fail2ban + +- name: Create directory /etc/systemd/system/fail2ban.service.d/override.conf + file: path=/etc/systemd/system/fail2ban.service.d + state=directory + owner=root group=root + mode=0750 + +- name: Harden fail2ban.service + copy: src=etc/systemd/system/fail2ban.service.d/override.conf + 
dest=/etc/systemd/system/fail2ban.service.d/override.conf + owner=root group=root + mode=0644 + register: r5 notify: + - systemctl daemon-reload - Restart fail2ban - name: Start fail2ban service: name=fail2ban state=started - when: not (r1.changed or r2.changed or r3.changed) + when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed) - meta: flush_handlers + +- name: Delete /var/lib/fail2ban/fail2ban.sqlite3 + file: path=/var/lib/fail2ban/fail2ban.sqlite3 state=absent |
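Review bot: The "Harden fail2ban.service" task lists `systemctl daemon-reload` before `Restart fail2ban` under `notify:`, but Ansible runs handlers in the order they are defined in the handlers file, not in notify order, so unless the daemon-reload handler is defined first the restart can bring the service up against the stale unit definition and the new drop-in only takes effect on the next restart; the handlers file is outside this hunk, so that ordering needs checking there. The preceding directory task is named `Create directory /etc/systemd/system/fail2ban.service.d/override.conf` although its `path=` is the `fail2ban.service.d` directory, so the name should drop `/override.conf`. The logrotate `lineinfile` inserts `/var/log/fail2ban/*.log` as an extra path in front of the line matching `\s{$`, which presumably leaves the distribution's old `/var/log/fail2ban.log` pattern in the same stanza; once the daemon only logs under the new directory that path is absent, which is harmless only if the snippet carries `missingok`, worth confirming. The added comment also has a typo: `dedicate directory` should read `dedicated directory`.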