From ee4e9e9836ad05279647b04eb1e8a3a4b0e16568 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Thu, 23 Jan 2020 05:33:17 +0100
Subject: Improve/harden fail2ban configuration.

* Use nftables sets with a timeout
* Start daemon with a hardened unit file and restricted Capability Bounding Set. (This requires to change the log path to /var/log/fail2ban/*.)
* Skip database as we don't care about persistence.
* Refactor jail.local
---
 roles/common/tasks/fail2ban.yml | 68 +++++++++++++++++++++++++++++++++--------
 1 file changed, 55 insertions(+), 13 deletions(-)
(limited to 'roles/common/tasks/fail2ban.yml')

diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
index 84e6b7a..89427ea 100644
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@@ -1,37 +1,79 @@
 - name: Install fail2ban
 apt: pkg=fail2ban
 
-- name: Configure fail2ban
+# Log into a dedicate directory so we can use ReadWriteDirectories in
+# the .service file
+- name: Create directory /var/log/fail2ban
+ file: path=/var/log/fail2ban
+ state=directory
+ owner=root group=adm
+ mode=0750
+
+- name: Fix fail2ban logrotate snippet
+ lineinfile: dest=/etc/logrotate.d/fail2ban
+ state=present
+ line="/var/log/fail2ban/*.log"
+ insertbefore="^[^#]*\\s{$"
+ tags:
+ - logrotate
+
+- name: Configure fail2ban (fail2ban.local)
+ copy: src=etc/fail2ban/fail2ban.local
+ dest=/etc/fail2ban/fail2ban.local
+ owner=root group=root
+ mode=0644
+ register: r1
+ notify:
+ - Restart fail2ban
+
+- name: Configure fail2ban (jail.local)
 template: src=etc/fail2ban/jail.local.j2
 dest=/etc/fail2ban/jail.local
 owner=root group=root
 mode=0644
- register: r1
+ register: r2
 notify:
 - Restart fail2ban
 
-- name: Add roundcube filter
- copy: src=etc/fail2ban/filter.d/roundcube.conf
- dest=/etc/fail2ban/filter.d/roundcube.conf
+- name: Configure fail2ban (action.d/nftables-allports.local)
+ copy: src=etc/fail2ban/action.d/nftables-allports.local
+ dest=/etc/fail2ban/action.d/nftables-allports.local
 owner=root group=root
 mode=0644
- register: r2
- when: "'webmail' in group_names"
+ register: r3
 notify:
 - Restart fail2ban
 
-- name: Add dovecot filter
- copy: src=etc/fail2ban/filter.d/dovecot.conf
- dest=/etc/fail2ban/filter.d/dovecot.conf
+- name: Copy filters
+ copy: src=etc/fail2ban/filter.d/
+ dest=/etc/fail2ban/filter.d/
 owner=root group=root
 mode=0644
- register: r3
- when: "'IMAP' in group_names"
+ register: r4
+ notify:
+ - Restart fail2ban
+
+- name: Create directory /etc/systemd/system/fail2ban.service.d/override.conf
+ file: path=/etc/systemd/system/fail2ban.service.d
+ state=directory
+ owner=root group=root
+ mode=0750
+
+- name: Harden fail2ban.service
+ copy: src=etc/systemd/system/fail2ban.service.d/override.conf
+ dest=/etc/systemd/system/fail2ban.service.d/override.conf
+ owner=root group=root
+ mode=0644
+ register: r5
 notify:
+ - systemctl daemon-reload
 - Restart fail2ban
 
 - name: Start fail2ban
 service: name=fail2ban state=started
- when: not (r1.changed or r2.changed or r3.changed)
+ when: not (r1.changed or r2.changed or r3.changed or r4.changed or r5.changed)
 
 - meta: flush_handlers
+
+- name: Delete /var/lib/fail2ban/fail2ban.sqlite3
+ file: path=/var/lib/fail2ban/fail2ban.sqlite3 state=absent
-- cgit v1.2.3
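Review bot: The restricted capability bounding set in the new drop-in only takes effect after a `systemctl daemon-reload`, and the `Harden fail2ban.service` task relies on its notify list to get that reload before `Restart fail2ban` — Ansible runs notified handlers in the order they are defined in the handlers file, not in notify order, so unless `systemctl daemon-reload` is defined ahead of the restart there (not visible in this hunk) the first run restarts the daemon under the old, unhardened unit. Making the reload explicit avoids depending on that ordering: `- name: Reload systemd` / `systemd: daemon_reload=yes` / `when: r5.changed` placed right after the copy task. Separately, the task named `Create directory /etc/systemd/system/fail2ban.service.d/override.conf` creates the directory, not the file; `- name: Create directory /etc/systemd/system/fail2ban.service.d` matches what it does. The recursive `Copy filters` task applies `mode=0644` to everything under `etc/fail2ban/filter.d/`, so any subdirectory that tree gains later would be created non-traversable; adding `directory_mode=0755` keeps the file mode while leaving directories usable.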