-rw-r--r--roles/common/handlers/main.yml3
-rw-r--r--roles/common/tasks/fail2ban.yml10
-rw-r--r--roles/common/tasks/main.yml1
-rw-r--r--roles/common/templates/etc/fail2ban/jail.local.j245
4 files changed, 59 insertions, 0 deletions
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 17fbfb2..e23e099 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -15,3 +15,6 @@
- name: Update rkhunter's data file
command: /usr/bin/rkhunter --propupd
+
+- name: Restart fail2ban
+ service: name=fail2ban state=restarted
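Review bot: The new handler does a full restart of fail2ban whenever the jail template changes, and on fail2ban versions without a persistent ban database a restart tears down and recreates the iptables chains, which drops every currently active ban. For a configuration-only change a reload keeps the bans in place, so if the init script accepts it the handler would be safer as `service: name=fail2ban state=reloaded`. The handler list this is appended to starts above the hunk.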
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
new file mode 100644
index 0000000..64283df
--- /dev/null
+++ b/roles/common/tasks/fail2ban.yml
@@ -0,0 +1,10 @@
+- name: Install fail2ban
+ apt: pkg=fail2ban
+
+- name: Configure fail2ban
+ template: src=etc/fail2ban/jail.local.j2
+ dest=/etc/fail2ban/jail.local
+ owner=root group=root
+ mode=0644
+ notify:
+ - Restart fail2ban
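Review bot: Nothing in the new task file ensures the fail2ban service is actually enabled and running; the handler only fires when the template changes, so on a host where the package is already installed but the daemon was stopped or disabled, the play leaves it that way. Add after the template task `- name: Enable fail2ban` / `service: name=fail2ban state=started enabled=yes`. The install task would also read more explicitly as `apt: pkg=fail2ban state=present`, although present is the module default.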
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 1d57812..a2b7aad 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -5,3 +5,4 @@
- include: firewall.yml tags=firewall,iptables
- include: samhain.yml tags=samhain
- include: rkhunter.yml tags=rkhunter
+- include: fail2ban.yml tags=fail2ban
diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2
new file mode 100644
index 0000000..818ec88
--- /dev/null
+++ b/roles/common/templates/etc/fail2ban/jail.local.j2
@@ -0,0 +1,45 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+[DEFAULT]
+
+# Destination email address used solely for the interpolations in
+# jail.{conf,local} configuration files.
+destemail = admin@fripost.org
+
+action = %(action_)s
+
+#
+# JAILS
+#
+
+[ssh]
+
+enabled = true
+port = {{ ansible_ssh_port|default('22') }}
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 5
+
+[ssh-ddos]
+
+enabled = true
+port = {{ ansible_ssh_port|default('22') }}
+filter = sshd-ddos
+logpath = /var/log/auth.log
+maxretry = 2
+
+
+# Generic filter for pam. Has to be used with action which bans all ports
+# such as iptables-allports, shorewall
+[pam-generic]
+
+enabled = true
+# pam-generic filter can be customized to monitor specific subset of 'tty's
+filter = pam-generic
+# port actually must be irrelevant but lets leave it all for some possible uses
+port = all
+banaction = iptables-allports
+port = anyport
+logpath = /var/log/auth.log
+maxretry = 6
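Review bot: `[pam-generic]` sets `port` twice (`port = all`, then `port = anyport` two lines later); fail2ban reads this file with Python's configparser, where the effect of a duplicate option depends on the interpreter version and the strict setting fail2ban passes (last value wins, or a duplicate-option error), so keep a single `port` line — with `banaction = iptables-allports` the value is not consulted anyway. Separately, `[DEFAULT]` sets no `ignoreip`, so with `maxretry = 2` on `ssh-ddos` the management hosts, including the Ansible controller, are protected only by whatever jail.conf's default whitelist provides; consider `ignoreip = 127.0.0.1/8 <trusted-network-cidr>` with the trusted range supplied as a role variable. The hard-coded `destemail = admin@fripost.org` would likewise be a natural role variable for the same reason.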