From 51ea7eca6ca198606a71c107bb67d64186761456 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Mon, 4 Nov 2013 08:25:54 +0100 Subject: wibble --- roles/common/files/etc/network/if-up.d/ipsec | 4 ++-- roles/common/files/usr/local/sbin/update-firewall.sh | 4 ++-- roles/common/templates/etc/fail2ban/jail.local.j2 | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) (limited to 'roles') diff --git a/roles/common/files/etc/network/if-up.d/ipsec b/roles/common/files/etc/network/if-up.d/ipsec index a43af6c..db9f979 100755 --- a/roles/common/files/etc/network/if-up.d/ipsec +++ b/roles/common/files/etc/network/if-up.d/ipsec @@ -42,8 +42,8 @@ case "$MODE" in # been SNAT'ed from $ipsec, and didn't have a xfrm # association. Hence we nullroute it to avoid to leak data # intented to be tunneled through IPSec. /!\ The priority - # must be >220 (strongSwan IPSec's policy) since xfrm lookup - # must take precedence. + # must be >220 (which the one used by strongSwan IPSec) since + # xfrm lookup must take precedence. /bin/ip rule add fwmark "$secmark" table 666 priority 666 || true /bin/ip route add prohibit default table 666 || true ;; diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh index 1c57646..2e16711 100755 --- a/roles/common/files/usr/local/sbin/update-firewall.sh +++ b/roles/common/files/usr/local/sbin/update-firewall.sh @@ -34,7 +34,7 @@ secmark=0xA99 # must match that in /etc/network/if-up.d/ipsec secproto=esp # must match /etc/ipsec.conf; ESP is the default (vs AH/IPComp) fail2ban_re='^(\[[0-9]+:[0-9]+\]\s+)?-A fail2ban-\S' -IPSec_re=" -m policy --dir (in|out) --pol ipsec .* --proto $secproto -j ACCEPT$" +IPSec_re=" -m policy --dir (in|out) --pol ipsec --reqid [0-9]+ --proto $secproto -j ACCEPT$" declare -A rss=() tables=() usage() { @@ -193,7 +193,7 @@ run() { grep -E -- "$fail2ban_re" "$old" || true fi >> "$new" - if [ -n "$ifsec" ]; then + if [ -n "$ipsec" ]; then # (Host-to-host) IPSec tunnels come first. TODO: test IPSec with IPv6. grep -E -- "$IPSec_re" "$old" >> "$new" || true diff --git a/roles/common/templates/etc/fail2ban/jail.local.j2 b/roles/common/templates/etc/fail2ban/jail.local.j2 index 1cbcd88..0dcab8d 100644 --- a/roles/common/templates/etc/fail2ban/jail.local.j2 +++ b/roles/common/templates/etc/fail2ban/jail.local.j2 @@ -20,8 +20,8 @@ action = %(action_)s [ssh] enabled = true -port = {{ ansible_ssh_port|default('22') }} -filter = sshd +port = {{ ansible_ssh_port|default('22') }} +filter = sshd logpath = /var/log/auth.log maxretry = 5 @@ -40,7 +40,7 @@ maxretry = 2 enabled = true # pam-generic filter can be customized to monitor specific subset of 'tty's -filter = pam-generic +filter = pam-generic # port actually must be irrelevant but lets leave it all for some possible uses port = all banaction = iptables-allports -- cgit v1.2.3