From 035ea3c7dbe80c92c59635f710076c586c7394c8 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 30 Oct 2013 21:47:29 +0100
Subject: Configure fail2ban.
---
roles/common/templates/etc/fail2ban/jail.local.j2 | 45 +++++++++++++++++++++++
1 file changed, 45 insertions(+)
create mode 100644 roles/common/templates/etc/fail2ban/jail.local.j2
(limited to 'roles/common/templates')
diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2
new file mode 100644
index 0000000..818ec88
--- /dev/null
+++ b/roles/common/templates/etc/fail2ban/jail.local.j2
@@ -0,0 +1,45 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+[DEFAULT]
+
+# Destination email address used solely for the interpolations in
+# jail.{conf,local} configuration files.
+destemail = admin@fripost.org
+
+action = %(action_)s
+
+#
+# JAILS
+#
+
+[ssh]
+
+enabled = true
+port = {{ ansible_ssh_port|default('22') }}
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 5
+
+[ssh-ddos]
+
+enabled = true
+port = {{ ansible_ssh_port|default('22') }}
+filter = sshd-ddos
+logpath = /var/log/auth.log
+maxretry = 2
+
+
+# Generic filter for pam. Has to be used with action which bans all ports
+# such as iptables-allports, shorewall
+[pam-generic]
+
+enabled = true
+# pam-generic filter can be customized to monitor specific subset of 'tty's
+filter = pam-generic
+# port actually must be irrelevant but lets leave it all for some possible uses
+port = all
+banaction = iptables-allports
+port = anyport
+logpath = /var/log/auth.log
+maxretry = 6
-- 
cgit v1.2.3
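Review bot: `[pam-generic]` assigns `port` twice (`port = all`, then `port = anyport` after `banaction`), so the effective value depends on how the parser treats duplicate keys: a last-wins parser silently uses `anyport`, while a strict one may refuse to load the file, which would leave every jail in it inactive (worth confirming against the fail2ban version deployed). Since `banaction = iptables-allports` makes the port value irrelevant, as the comment above it already says, keep a single assignment: drop the `port = all` line and leave `port = anyport`. Separately, the `[ssh]` and `[ssh-ddos]` jails take their port from `ansible_ssh_port`, which is the port Ansible connects to; if that can differ from the port sshd listens on, the ban would cover the wrong port, so a comment such as `# must match the sshd listen port on the host` above those lines would help.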