diff options
Diffstat (limited to 'roles/common')
-rw-r--r-- | roles/common/files/etc/fail2ban/filter.d/roundcube.conf | 16 | ||||
-rw-r--r-- | roles/common/files/etc/postfix/master.cf | 1 | ||||
-rw-r--r-- | roles/common/tasks/fail2ban.yml | 15 | ||||
-rw-r--r-- | roles/common/templates/etc/fail2ban/jail.local.j2 | 10 | ||||
-rw-r--r-- | roles/common/templates/etc/iptables/services.j2 | 3 |
5 files changed, 43 insertions, 2 deletions
diff --git a/roles/common/files/etc/fail2ban/filter.d/roundcube.conf b/roles/common/files/etc/fail2ban/filter.d/roundcube.conf new file mode 100644 index 0000000..c8cb5d3 --- /dev/null +++ b/roles/common/files/etc/fail2ban/filter.d/roundcube.conf @@ -0,0 +1,16 @@ +[Definition] + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "<HOST>" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) +# Values: TEXT +# +failregex = IMAP Error: Login failed for \S+ from <HOST>\. AUTHENTICATE \S+: Authentication failed\. + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = diff --git a/roles/common/files/etc/postfix/master.cf b/roles/common/files/etc/postfix/master.cf index 3540e32..38b2ecb 100644 --- a/roles/common/files/etc/postfix/master.cf +++ b/roles/common/files/etc/postfix/master.cf @@ -11,6 +11,7 @@ smtp inet n - - - - smtpd 16132 inet n - - - - smtpd 2526 inet n - - - - smtpd +2580 inet n - - - - smtpd submission inet n - - - - smtpd pickup fifo n - - 60 1 pickup cleanup unix n - - - 0 cleanup diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml index d5007b9..be26c79 100644 --- a/roles/common/tasks/fail2ban.yml +++ b/roles/common/tasks/fail2ban.yml @@ -1,17 +1,28 @@ - name: Install fail2ban apt: pkg=fail2ban +- name: Add addititional filters + copy: src=etc/fail2ban/filter.d/{{ item }} + dest=/etc/fail2ban/filter.d/{{ item }} + owner=root group=root + mode=0644 + register: r1 + with_items: + - roundcube.conf + notify: + - Restart fail2ban + - name: Configure fail2ban template: src=etc/fail2ban/jail.local.j2 dest=/etc/fail2ban/jail.local owner=root group=root mode=0644 - register: r + register: r2 notify: - Restart fail2ban - name: Start fail2ban service: name=fail2ban state=started - when: not r.changed + when: not (r1.changed or r2.changed) - meta: flush_handlers diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2 index 661c862..7c5bc0e 100644 --- a/roles/common/templates/etc/fail2ban/jail.local.j2 +++ b/roles/common/templates/etc/fail2ban/jail.local.j2 @@ -81,3 +81,13 @@ port = submission filter = sasl logpath = /var/log/mail.warn {% endif %} + + +{% if 'webmail' in group_names %} +[roundcube] + +enabled = true +port = http,https +filter = roundcube +logpath = /var/log/roundcube/errors +{% endif %} diff --git a/roles/common/templates/etc/iptables/services.j2 b/roles/common/templates/etc/iptables/services.j2 index 2a36932..3ddb87e 100644 --- a/roles/common/templates/etc/iptables/services.j2 +++ b/roles/common/templates/etc/iptables/services.j2 @@ -25,3 +25,6 @@ in tcp 993 # IMAPS {% if 'MSA' in group_names %} in tcp 587 # SMTP-AUTH {% endif %} +{% if 'webmail' in group_names %} +in tcp 80,443 # HTTP/HTTPS +{% endif %} |