# {{ ansible_managed }} # Do NOT edit this file directly! [DEFAULT] # Destination email address used solely for the interpolations in # jail.{conf,local} configuration files. destemail = admin@fripost.org # Specify chain where jumps would need to be added in iptables-* actions chain = fail2ban # Choose default action. action = %(action_)s # Don't ban ourselves. ignoreip = 127.0.0.0/8 {{ groups.all | sort | join(' ') }} # # JAILS # # There is no risk to lock ourself out, since traffic between our machines goes # through IPSec, and these packets are accepted before having a chance to enter # fail2ban's chain. # [ssh] enabled = true port = {{ ansible_ssh_port|default('22') }} filter = sshd logpath = /var/log/auth.log maxretry = 5 [ssh-ddos] enabled = true port = {{ ansible_ssh_port|default('22') }} filter = sshd-ddos logpath = /var/log/auth.log maxretry = 2 # Generic filter for pam. Has to be used with action which bans all ports # such as iptables-allports, shorewall [pam-generic] enabled = true # pam-generic filter can be customized to monitor specific subset of 'tty's filter = pam-generic # port actually must be irrelevant but lets leave it all for some possible uses port = all banaction = iptables-allports port = anyport logpath = /var/log/auth.log maxretry = 6 {% if 'MX' in group_names %} [postfix] enabled = true port = smtp filter = postfix logpath = /var/log/mail.log maxretry = 10 {% endif %} {% if 'IMAP' in group_names %} [dovecot] enabled = true port = imap2,imap3,imaps,pop3,pop3s filter = dovecot logpath = /var/log/mail.log {% endif %} {% if 'MSA' in group_names %} [sasl] enabled = true port = submission filter = sasl logpath = /var/log/mail.warn {% endif %} {% if 'webmail' in group_names %} [roundcube] enabled = true port = http,https filter = roundcube logpath = /var/log/roundcube/errors {% endif %} # vim: set filetype=dosini :