authorGuilhem Moulin <guilhem@fripost.org>2020-01-23 05:33:17 +0100
committerGuilhem Moulin <guilhem@fripost.org>2020-01-25 01:57:05 +0100
commitee4e9e9836ad05279647b04eb1e8a3a4b0e16568 (patch)
treed4e566a7b535f7d62e4fd6fd1a521ea6d7563d21 /roles/common/tasks
parent7641a5d5d152db349082b1d0ec93a40888b2ef8e (diff)
Improve/harden fail2ban configuration.
* Use nftables sets with a timeout * Start daemon with a hardened unit file and restricted Capability Bounding Set. (This requires changing the log path to /var/log/fail2ban/*.) * Skip database as we don't care about persistence. * Refactor jail.local
Diffstat (limited to 'roles/common/tasks')
-rw-r--r--roles/common/tasks/fail2ban.yml68
1 files changed, 55 insertions, 13 deletions
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
index 84e6b7a..89427ea 100644
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@@ -1,37 +1,79 @@
- name: Install fail2ban
apt: pkg=fail2ban
-- name: Configure fail2ban
+# Log into a dedicate directory so we can use ReadWriteDirectories in
+# the .service file
+- name: Create directory /var/log/fail2ban
+ file: path=/var/log/fail2ban
+ state=directory
+ owner=root group=adm
+ mode=0750
+
+- name: Fix fail2ban logrotate snippet
+ lineinfile: dest=/etc/logrotate.d/fail2ban
+ state=present
+ line="/var/log/fail2ban/*.log"
+ insertbefore="^[^#]*\\s{$"
+ tags:
+ - logrotate
+
+- name: Configure fail2ban (fail2ban.local)
+ copy: src=etc/fail2ban/fail2ban.local
+ dest=/etc/fail2ban/fail2ban.local
+ owner=root group=root
+ mode=0644
+ register: r1
+ notify:
+ - Restart fail2ban
+
+- name: Configure fail2ban (jail.local)
template: src=etc/fail2ban/jail.local.j2
dest=/etc/fail2ban/jail.local
owner=root group=root
mode=0644
- register: r1
+ register: r2
notify:
- Restart fail2ban
-- name: Add roundcube filter
- copy: src=etc/fail2ban/filter.d/roundcube.conf
- dest=/etc/fail2ban/filter.d/roundcube.conf
+- name: Configure fail2ban (action.d/nftables-allports.local)
+ copy: src=etc/fail2ban/action.d/nftables-allports.local
+ dest=/etc/fail2ban/action.d/nftables-allports.local
owner=root group=root
mode=0644
- register: r2
- when: "'webmail' in group_names"
+ register: r3
notify:
- Restart fail2ban
-- name: Add dovecot filter
- copy: src=etc/fail2ban/filter.d/dovecot.conf
- dest=/etc/fail2ban/filter.d/dovecot.conf
+- name: Copy filters
+ copy: src=etc/fail2ban/filter.d/
+ dest=/etc/fail2ban/filter.d/
owner=root group=root
mode=0644
- register: r3
- when: "'IMAP' in group_names"
+ register: r4
+ notify:
+ - Restart fail2ban
+
+- name: Create directory /etc/systemd/system/fail2ban.service.d/override.conf
+ file: path=/etc/systemd/system/fail2ban.service.d
+ state=directory
+ owner=root group=root
+ mode=0750
+
+- name: Harden fail2ban.service
+ copy: src=etc/systemd/system/fail2ban.service.d/override.conf
+ dest=/etc/systemd/system/fail2ban.service.d/override.conf
+ owner=root group=root
+ mode=0644
+ register: r5
notify:
+ - systemctl daemon-reload
- Restart fail2ban
- name: Start fail2ban
service: name=fail2ban state=started
- when: not (r1.changed or r2.changed or r3.changed)
+ when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed)
- meta: flush_handlers
+
+- name: Delete /var/lib/fail2ban/fail2ban.sqlite3
+ file: path=/var/lib/fail2ban/fail2ban.sqlite3 state=absent
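Review bot: The `Harden fail2ban.service` task notifies `systemctl daemon-reload` and then `Restart fail2ban`, but Ansible runs handlers in the order they are defined in the role's handlers file, not in notification order; if `Restart fail2ban` is defined before the reload handler there, the restart that follows a changed override.conf still runs the unhardened unit and the restricted Capability Bounding Set only takes effect on the next restart, so the handler order (outside this diff) is worth confirming or the restart handler should be made to depend on the reload. The task named `Create directory /etc/systemd/system/fail2ban.service.d/override.conf` names the file rather than the directory its `file:` path creates; `- name: Create directory /etc/systemd/system/fail2ban.service.d` would match what it does. The comment above the log-directory task reads `dedicate directory` where `dedicated directory` is meant. The logrotate task only adds `/var/log/fail2ban/*.log` to the existing stanza, so the packaged entry for the old log path remains; that is harmless only if the snippet carries `missingok`, which cannot be checked from here.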