From ee4e9e9836ad05279647b04eb1e8a3a4b0e16568 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Thu, 23 Jan 2020 05:33:17 +0100 Subject: Improve/harden fail2ban configuration. * Use nftables sets with a timeout * Start daemon with a hardened unit file and restricted Capability Bounding Set. (This requires to change the log path to /var/log/fail2ban/*.) * Skip database as we don't care about persistence. * Refactor jail.local --- roles/common/templates/etc/fail2ban/jail.local.j2 | 89 +++++------------------ 1 file changed, 20 insertions(+), 69 deletions(-) (limited to 'roles/common/templates/etc/fail2ban') diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2 index 618fbd7..29b004c 100644 --- a/roles/common/templates/etc/fail2ban/jail.local.j2 +++ b/roles/common/templates/etc/fail2ban/jail.local.j2 @@ -7,87 +7,38 @@ # jail.{conf,local} configuration files. destemail = admin@fripost.org -# Specify chain where jumps would need to be added in iptables-* actions -chain = fail2ban +# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban +# will not ban a host which matches an address in this list. Several addresses +# can be defined using space (and/or comma) separator. +ignoreip = 127.0.0.0/8, ::1, {{ ipsec_subnet }} -# Choose default action. -action = %(action_)s - -# Don't ban ourselves. -ignoreip = 127.0.0.0/8 {{ ipsec_subnet }} +banaction = nftables-allports +logpath = /var/log/fail2ban/fail2ban.log # # JAILS # -[ssh] - -enabled = true -port = {{ ansible_port|default('22') }} -filter = sshd -logpath = /var/log/auth.log -maxretry = 5 - -[ssh-ddos] - -enabled = true -port = {{ ansible_port|default('22') }} -filter = sshd-ddos -logpath = /var/log/auth.log -maxretry = 2 - - -# Generic filter for pam. Has to be used with action which bans all ports -# such as iptables-allports, shorewall -[pam-generic] - -enabled = true -# pam-generic filter can be customized to monitor specific subset of 'tty's -filter = pam-generic -# port actually must be irrelevant but lets leave it all for some possible uses -port = anyport -banaction = iptables-allports -logpath = /var/log/auth.log -maxretry = 6 +[sshd] +enabled = true -{% if 'MX' in group_names %} [postfix] +enabled = {{ 'MX' in group_names }} -enabled = true -port = smtp -filter = postfix -logpath = /var/log/mail.log -maxretry = 10 -{% endif %} - - -{% if 'IMAP' in group_names %} [dovecot] +enabled = {{ 'IMAP' in group_names }} -enabled = true -port = imap2,imaps,pop3,pop3s,sieve -filter = dovecot -logpath = /var/log/mail.log -{% endif %} - - -{% if 'MSA' in group_names %} -[sasl] - -enabled = true -port = submission,submissions -filter = postfix-sasl -logpath = /var/log/mail.warn -{% endif %} - +[postfix-sasl] +enabled = {{ 'MSA' in group_names }} -{% if 'webmail' in group_names %} -[roundcube] +[roundcube-auth] +enabled = {{ 'webmail' in group_names }} +# XXX Bullseye: logpath = /var/log/roundcube/errors.log -enabled = true -port = http,https -filter = roundcube -logpath = /var/log/roundcube/errors -{% endif %} +[nextcloud] +enabled = {{ 'nextcloud' in group_names }} +port = http,https +filter = nextcloud +logpath = /var/log/nextcloud/nextcloud.log # vim: set filetype=dosini : -- cgit v1.2.3