From ee4e9e9836ad05279647b04eb1e8a3a4b0e16568 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Thu, 23 Jan 2020 05:33:17 +0100
Subject: Improve/harden fail2ban configuration.

 * Use nftables sets with a timeout
 * Start daemon with a hardened unit file and restricted Capability
   Bounding Set.  (This requires to change the log path to
   /var/log/fail2ban/*.)
 * Skip database as we don't care about persistence.
 * Refactor jail.local
---
 .../files/etc/fail2ban/action.d/nftables-allports.local  | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 roles/common/files/etc/fail2ban/action.d/nftables-allports.local

(limited to 'roles/common/files/etc/fail2ban/action.d/nftables-allports.local')

diff --git a/roles/common/files/etc/fail2ban/action.d/nftables-allports.local b/roles/common/files/etc/fail2ban/action.d/nftables-allports.local
new file mode 100644
index 0000000..3c8c030
--- /dev/null
+++ b/roles/common/files/etc/fail2ban/action.d/nftables-allports.local
@@ -0,0 +1,16 @@
+[Definition]
+# No need to create sets and rules, these are defined globally in nftables.conf
+actionstart =
+actionstop =
+actioncheck =
+
+# unbanning is taken care of by setting a timeout on the nft set already
+actionunban =
+
+[Init]
+# With banaction = *-allports there is no need for separate rule names
+set_name = fail2ban
+blocktype = drop
+
+[Init?family=inet6]
+set_name = fail2ban6
-- 
cgit v1.2.3