summaryrefslogtreecommitdiffstats
path: root/roles/common/templates/etc/fail2ban
Commit message (Collapse)AuthorAgeFiles
* Improve Debian 11's fail2ban rules.Guilhem Moulin2022-12-181
|
* Roundcube: Port to Debian 10.Guilhem Moulin2020-05-171
| | | | | We use the version from buster-backports (currently 1.4.4+dfsg.1-1~bpo10+1) for the elastic theme.
* Improve/harden fail2ban configuration.Guilhem Moulin2020-01-251
| | | | | | | | | * Use nftables sets with a timeout * Start daemon with a hardened unit file and restricted Capability Bounding Set. (This requires to change the log path to /var/log/fail2ban/*.) * Skip database as we don't care about persistence. * Refactor jail.local
* MSA: Open 465/TCP for Email Submission over TLS.Guilhem Moulin2019-03-191
| | | | See RFC 8314 sec. 3.3 "Cleartext Considered Obsolete".
* Update 'IMAP', 'MSA' and 'LDAP-provider' roles to Debian Stretch.Guilhem Moulin2018-12-091
|
* Set up IPSec tunnels between each pair of hosts.Guilhem Moulin2016-05-221
| | | | | | | | | | | | | | | We use a dedicated, non-routable, IPv4 subnet for IPSec. Furthermore the subnet is nullrouted in the absence of xfrm lookup (i.e., when there is no matching IPSec Security Association) to avoid data leaks. Each host is associated with an IP in that subnet (thus only reachble within that subnet, either by the host itself or by its IPSec peers). The peers authenticate each other using RSA public key authentication. Kernel traps are used to ensure that connections are only established when traffic is detected between the peers; after 30m of inactivity (this value needs to be less than the rekeying period) the connection is brought down and a kernel trap is installed.
* s/ansible_ssh_/ansible_/Guilhem Moulin2016-02-121
|
* typoGuilhem Moulin2015-06-071
|
* typoGuilhem Moulin2015-06-071
|
* wibbleGuilhem Moulin2015-06-071
|
* Tell vim the underlying filetype of templates for syntax highlighting.Guilhem Moulin2015-06-071
|
* Whitelist our IPs against fail2ban.Guilhem Moulin2015-06-071
| | | | | | | This is important as we don't want the IMAP server baning the webmail, for instance. (The fail2ban instance running next to the webmail should ban the attacker, but that running next to the IMAP server shouldn't ban legit users.)
* Configure the webmail.Guilhem Moulin2015-06-071
|
* Configure the Mail Submission Agent.Guilhem Moulin2015-06-071
|
* Configure the IMAP server.Guilhem Moulin2015-06-071
| | | | (For now, only LMTP and IMAP processes, without replication.)
* Configure the MX:es.Guilhem Moulin2015-06-071
|
* wibbleGuilhem Moulin2015-06-071
|
* Use a dedicated 'fail2ban' chain for fail2ban.Guilhem Moulin2015-06-071
| | | | So it doesn't mess with the high-priority rules regarding IPSec.
* Configure fail2ban.Guilhem Moulin2015-06-071