authorGuilhem Moulin <guilhem@fripost.org>2020-01-23 05:33:17 +0100
committerGuilhem Moulin <guilhem@fripost.org>2020-01-25 01:57:05 +0100
commitee4e9e9836ad05279647b04eb1e8a3a4b0e16568 (patch)
treed4e566a7b535f7d62e4fd6fd1a521ea6d7563d21 /roles/common/templates
parent7641a5d5d152db349082b1d0ec93a40888b2ef8e (diff)
Improve/harden fail2ban configuration.
* Use nftables sets with a timeout
* Start the daemon with a hardened unit file and a restricted Capability Bounding Set. (This requires changing the log path to /var/log/fail2ban/*.)
* Skip the database, as we don't care about persistence.
* Refactor jail.local
Diffstat (limited to 'roles/common/templates')
-rw-r--r--roles/common/templates/etc/fail2ban/jail.local.j289
1 files changed, 20 insertions, 69 deletions
diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2
index 618fbd7..29b004c 100644
--- a/roles/common/templates/etc/fail2ban/jail.local.j2
+++ b/roles/common/templates/etc/fail2ban/jail.local.j2
@@ -7,87 +7,38 @@
# jail.{conf,local} configuration files.
destemail = admin@fripost.org
-# Specify chain where jumps would need to be added in iptables-* actions
-chain = fail2ban
+# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
+# will not ban a host which matches an address in this list. Several addresses
+# can be defined using space (and/or comma) separator.
+ignoreip = 127.0.0.0/8, ::1, {{ ipsec_subnet }}
-# Choose default action.
-action = %(action_)s
-
-# Don't ban ourselves.
-ignoreip = 127.0.0.0/8 {{ ipsec_subnet }}
+banaction = nftables-allports
+logpath = /var/log/fail2ban/fail2ban.log
#
# JAILS
#
-[ssh]
-
-enabled = true
-port = {{ ansible_port|default('22') }}
-filter = sshd
-logpath = /var/log/auth.log
-maxretry = 5
-
-[ssh-ddos]
-
-enabled = true
-port = {{ ansible_port|default('22') }}
-filter = sshd-ddos
-logpath = /var/log/auth.log
-maxretry = 2
-
-
-# Generic filter for pam. Has to be used with action which bans all ports
-# such as iptables-allports, shorewall
-[pam-generic]
-
-enabled = true
-# pam-generic filter can be customized to monitor specific subset of 'tty's
-filter = pam-generic
-# port actually must be irrelevant but lets leave it all for some possible uses
-port = anyport
-banaction = iptables-allports
-logpath = /var/log/auth.log
-maxretry = 6
+[sshd]
+enabled = true
-{% if 'MX' in group_names %}
[postfix]
+enabled = {{ 'MX' in group_names }}
-enabled = true
-port = smtp
-filter = postfix
-logpath = /var/log/mail.log
-maxretry = 10
-{% endif %}
-
-
-{% if 'IMAP' in group_names %}
[dovecot]
+enabled = {{ 'IMAP' in group_names }}
-enabled = true
-port = imap2,imaps,pop3,pop3s,sieve
-filter = dovecot
-logpath = /var/log/mail.log
-{% endif %}
-
-
-{% if 'MSA' in group_names %}
-[sasl]
-
-enabled = true
-port = submission,submissions
-filter = postfix-sasl
-logpath = /var/log/mail.warn
-{% endif %}
-
+[postfix-sasl]
+enabled = {{ 'MSA' in group_names }}
-{% if 'webmail' in group_names %}
-[roundcube]
+[roundcube-auth]
+enabled = {{ 'webmail' in group_names }}
+# XXX Bullseye: logpath = /var/log/roundcube/errors.log
-enabled = true
-port = http,https
-filter = roundcube
-logpath = /var/log/roundcube/errors
-{% endif %}
+[nextcloud]
+enabled = {{ 'nextcloud' in group_names }}
+port = http,https
+filter = nextcloud
+logpath = /var/log/nextcloud/nextcloud.log
# vim: set filetype=dosini :
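Review bot: `logpath = /var/log/fail2ban/fail2ban.log`, added right after `banaction` in the file's [DEFAULT] section, does not control where the daemon writes its own log (that is `logtarget` in fail2ban.local); under [DEFAULT] it only supplies the fallback log that a jail monitors when it declares no `logpath` of its own. If this line is meant to be the log relocation described in the commit message, it belongs in fail2ban.local as `logtarget`; if a jail-level fallback really is intended, a comment should say so, because any jail that inherits it would end up watching fail2ban's own log instead of a service log. Separately, the new `[nextcloud]` jail references `filter = nextcloud`, which does not appear to ship with stock fail2ban, so a comment such as `# filter.d/nextcloud.conf is installed by this role` above the jail would make that dependency visible to the next maintainer. The enclosing [DEFAULT] section begins before the hunk.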