summaryrefslogtreecommitdiffstats
path: root/roles/common/files
diff options
context:
space:
mode:
Diffstat (limited to 'roles/common/files')
-rw-r--r--roles/common/files/etc/fail2ban/action.d/nftables-allports.local16
-rw-r--r--roles/common/files/etc/fail2ban/fail2ban.local20
-rw-r--r--roles/common/files/etc/fail2ban/filter.d/nextcloud.conf6
-rw-r--r--roles/common/files/etc/fail2ban/filter.d/roundcube.conf16
-rw-r--r--roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf18
5 files changed, 60 insertions, 16 deletions
diff --git a/roles/common/files/etc/fail2ban/action.d/nftables-allports.local b/roles/common/files/etc/fail2ban/action.d/nftables-allports.local
new file mode 100644
index 0000000..3c8c030
--- /dev/null
+++ b/roles/common/files/etc/fail2ban/action.d/nftables-allports.local
@@ -0,0 +1,16 @@
+[Definition]
+# No need to create sets and rules, these are defined globally in nftables.conf
+actionstart =
+actionstop =
+actioncheck =
+
+# unbanning is taken care of by setting a timeout on the nft set already
+actionunban =
+
+[Init]
+# With banaction = *-allports there is no need for separate rule names
+set_name = fail2ban
+blocktype = drop
+
+[Init?family=inet6]
+set_name = fail2ban6
diff --git a/roles/common/files/etc/fail2ban/fail2ban.local b/roles/common/files/etc/fail2ban/fail2ban.local
new file mode 100644
index 0000000..53cba35
--- /dev/null
+++ b/roles/common/files/etc/fail2ban/fail2ban.local
@@ -0,0 +1,20 @@
+[Definition]
+
+# Option: logtarget
+# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
+# Only one log target can be specified.
+# If you change logtarget from the default value and you are
+# using logrotate -- also adjust or disable rotation in the
+# corresponding configuration file
+# (e.g. /etc/logrotate.d/fail2ban on Debian systems)
+# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | FILE ] Default: STDERR
+#
+logtarget = /var/log/fail2ban/fail2ban.log
+
+# Options: dbfile
+# Notes.: Set the file for the fail2ban persistent data to be stored.
+# A value of ":memory:" means database is only stored in memory
+# and data is lost when fail2ban is stopped.
+# A value of "None" disables the database.
+# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
+dbfile = None
diff --git a/roles/common/files/etc/fail2ban/filter.d/nextcloud.conf b/roles/common/files/etc/fail2ban/filter.d/nextcloud.conf
new file mode 100644
index 0000000..22305d6
--- /dev/null
+++ b/roles/common/files/etc/fail2ban/filter.d/nextcloud.conf
@@ -0,0 +1,6 @@
+# Source: https://github.com/nextcloud/vm/blob/master/apps/fail2ban.sh
+
+[Definition]
+failregex=(?:^{|,)\"message\":\"Login failed: <F-USER>.*?</F-USER> \(Remote IP: '<HOST>'\)\"(:?,|}$)
+ (?:^{|,)\"message\":\"Login failed: <F-USER>.*?</F-USER> \(Remote IP: <HOST>\)\"(:?,|}$)
+ (?:^{|,)\"remoteAddr\":\"<HOST>\",.*Trusted domain error
diff --git a/roles/common/files/etc/fail2ban/filter.d/roundcube.conf b/roles/common/files/etc/fail2ban/filter.d/roundcube.conf
deleted file mode 100644
index c8cb5d3..0000000
--- a/roles/common/files/etc/fail2ban/filter.d/roundcube.conf
+++ /dev/null
@@ -1,16 +0,0 @@
-[Definition]
-
-# Option: failregex
-# Notes.: regex to match the password failures messages in the logfile. The
-# host must be matched by a group named "host". The tag "<HOST>" can
-# be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
-# Values: TEXT
-#
-failregex = IMAP Error: Login failed for \S+ from <HOST>\. AUTHENTICATE \S+: Authentication failed\.
-
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
-ignoreregex =
diff --git a/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf b/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf
new file mode 100644
index 0000000..e3e651f
--- /dev/null
+++ b/roles/common/files/etc/systemd/system/fail2ban.service.d/override.conf
@@ -0,0 +1,18 @@
+[Unit]
+After=nftables.service
+
+[Service]
+# Need explicit rights to read logs as we don't grant CAP_DAC_READ_SEARCH
+SupplementaryGroups=adm
+
+# Hardening
+NoNewPrivileges=yes
+ProtectSystem=strict
+ReadWriteDirectories=/var/log/fail2ban
+RuntimeDirectory=fail2ban
+PrivateDevices=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_NETLINK
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW