From 035ea3c7dbe80c92c59635f710076c586c7394c8 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Wed, 30 Oct 2013 21:47:29 +0100 Subject: Configure fail2ban. --- roles/common/handlers/main.yml | 3 ++ roles/common/tasks/fail2ban.yml | 10 +++++ roles/common/tasks/main.yml | 1 + roles/common/templates/etc/fail2ban/jail.local.j2 | 45 +++++++++++++++++++++++ 4 files changed, 59 insertions(+) create mode 100644 roles/common/tasks/fail2ban.yml create mode 100644 roles/common/templates/etc/fail2ban/jail.local.j2 (limited to 'roles')
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index 17fbfb2..e23e099 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -15,3 +15,6 @@
 - name: Update rkhunter's data file
 command: /usr/bin/rkhunter --propupd
+
+- name: Restart fail2ban
+ service: name=fail2ban state=restarted
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
new file mode 100644
index 0000000..64283df
--- /dev/null
+++ b/roles/common/tasks/fail2ban.yml
@@ -0,0 +1,10 @@
+- name: Install fail2ban
+ apt: pkg=fail2ban
+
+- name: Configure fail2ban
+ template: src=etc/fail2ban/jail.local.j2
+ dest=/etc/fail2ban/jail.local
+ owner=root group=root
+ mode=0644
+ notify:
+ - Restart fail2ban
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 1d57812..a2b7aad 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -5,3 +5,4 @@
 - include: firewall.yml tags=firewall,iptables
 - include: samhain.yml tags=samhain
 - include: rkhunter.yml tags=rkhunter
+- include: fail2ban.yml tags=fail2ban
diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2
new file mode 100644
index 0000000..818ec88
--- /dev/null
+++ b/roles/common/templates/etc/fail2ban/jail.local.j2
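Review bot: In roles/common/tasks/fail2ban.yml nothing asserts that the daemon is running and enabled at boot; the only service action is the `Restart fail2ban` handler, which is notified only when jail.local changes. If fail2ban has been stopped or disabled on a host, the play would still report success while no bans are enforced. Consider a final task `- name: Start fail2ban` with `service: name=fail2ban state=started enabled=yes`. The Debian package normally starts the service on install, so this guards against drift rather than fixing the first run.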
@@ -0,0 +1,45 @@
+# {{ ansible_managed }}
+# Do NOT edit this file directly!
+
+[DEFAULT]
+
+# Destination email address used solely for the interpolations in
+# jail.{conf,local} configuration files.
+destemail = admin@fripost.org
+
+action = %(action_)s
+
+#
+# JAILS
+#
+
+[ssh]
+
+enabled = true
+port = {{ ansible_ssh_port|default('22') }}
+filter = sshd
+logpath = /var/log/auth.log
+maxretry = 5
+
+[ssh-ddos]
+
+enabled = true
+port = {{ ansible_ssh_port|default('22') }}
+filter = sshd-ddos
+logpath = /var/log/auth.log
+maxretry = 2
+
+
+# Generic filter for pam. Has to be used with action which bans all ports
+# such as iptables-allports, shorewall
+[pam-generic]
+
+enabled = true
+# pam-generic filter can be customized to monitor specific subset of 'tty's
+filter = pam-generic
+# port actually must be irrelevant but lets leave it all for some possible uses
+port = all
+banaction = iptables-allports
+port = anyport
+logpath = /var/log/auth.log
+maxretry = 6
-- cgit v1.2.3
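Review bot: The `[pam-generic]` section sets `port` twice (`port = all`, then `port = anyport`); which value applies depends on the parser, and a strict INI parser can reject the file outright, which could leave the host without working jails once the handler restarts the service. Since `banaction = iptables-allports` makes the port irrelevant, as the comment above it says, keep a single line such as `port = all`. Separately, both SSH jails take `port` from `ansible_ssh_port`, which is the port Ansible connects to and not necessarily the one sshd listens on (port forwarding, a jump host). If the two differ and the ban action is port-based, the ban would be installed for the wrong port, so a dedicated variable for the sshd listening port may be safer.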