blob: b76ffbcc3c3c28ee1b702c11b4dec44406ddf269 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
|
# {{ ansible_managed }}
# Do NOT edit this file directly!
[DEFAULT]
# Destination email address used solely for the interpolations in
# jail.{conf,local} configuration files.
destemail = admin@fripost.org
# Specify chain where jumps would need to be added in iptables-* actions
chain = fail2ban
# Choose default action.
action = %(action_)s
# Don't ban ourselves.
ignoreip = 127.0.0.0/8 {{ groups.all | sort | join(' ') }}
#
# JAILS
#
# There is no risk to lock ourself out, since traffic between our machines goes
# through IPSec, and these packets are accepted before having a chance to enter
# fail2ban's chain.
#
[ssh]
enabled = true
port = {{ ansible_ssh_port|default('22') }}
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
[ssh-ddos]
enabled = true
port = {{ ansible_ssh_port|default('22') }}
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 2
# Generic filter for pam. Has to be used with action which bans all ports
# such as iptables-allports, shorewall
[pam-generic]
enabled = true
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port = anyport
logpath = /var/log/auth.log
maxretry = 6
{% if 'MX' in group_names %}
[postfix]
enabled = true
port = smtp
filter = postfix
logpath = /var/log/mail.log
maxretry = 10
{% endif %}
{% if 'IMAP' in group_names %}
[dovecot]
enabled = true
port = imap2,imap3,imaps,pop3,pop3s
filter = dovecot
logpath = /var/log/mail.log
{% endif %}
{% if 'MSA' in group_names %}
[sasl]
enabled = true
port = submission
filter = sasl
logpath = /var/log/mail.warn
{% endif %}
{% if 'webmail' in group_names %}
[roundcube]
enabled = true
port = http,https
filter = roundcube
logpath = /var/log/roundcube/errors
{% endif %}
|