From 0fe24ed42da531807df56d383c29b83fc9c1954b Mon Sep 17 00:00:00 2001
From: Tiago Carrondo
Date: Sun, 6 Mar 2022 15:01:27 +0000
Subject: [PATCH] f2b role files

---
 roles/fail2ban/files/recidive | 6 +++++
 roles/fail2ban/files/ssh | 5 ++++
 roles/fail2ban/handlers/main.yml | 7 ++++++
 roles/fail2ban/tasks/main.yml | 39 +++++++++++++++++++++++++++++
 roles/fail2ban/templates/default.j2 | 26 +++++++++++++++++++
 5 files changed, 83 insertions(+)
 create mode 100644 roles/fail2ban/files/recidive
 create mode 100644 roles/fail2ban/files/ssh
 create mode 100644 roles/fail2ban/handlers/main.yml
 create mode 100644 roles/fail2ban/tasks/main.yml
 create mode 100644 roles/fail2ban/templates/default.j2

diff --git a/roles/fail2ban/files/recidive b/roles/fail2ban/files/recidive
new file mode 100644
index 0000000..3843bdf
--- /dev/null
+++ b/roles/fail2ban/files/recidive
@@ -0,0 +1,6 @@
+[recidive]
+enabled = true
+filter = recidive
+logpath = /var/log/fail2ban.log
+action = iptables-allports[name=recidive]
+         sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
diff --git a/roles/fail2ban/files/ssh b/roles/fail2ban/files/ssh
new file mode 100644
index 0000000..a7fc236
--- /dev/null
+++ b/roles/fail2ban/files/ssh
@@ -0,0 +1,5 @@
+[ssh]
+enabled = true
+filter = sshd
+action = iptables[name=SSH, port=ssh, protocol=tcp]
+logpath = /var/log/auth.log
diff --git a/roles/fail2ban/handlers/main.yml b/roles/fail2ban/handlers/main.yml
new file mode 100644
index 0000000..3009251
--- /dev/null
+++ b/roles/fail2ban/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+# handlers file for fail2ban
+- name: reload fail2ban
+  service:
+    name: fail2ban
+    state: reloaded
+    enabled: yes
diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml
new file mode 100644
index 0000000..4b106d1
--- /dev/null
+++ b/roles/fail2ban/tasks/main.yml
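Review bot: The `[recidive]` jail sets no `bantime`/`findtime` of its own, so it inherits `bantime = 604800` and `findtime = 86400` from the `[DEFAULT]` section added in the default.j2 hunk; it then bans for the same week as the ssh jail, and its 1-day window is shorter than the ssh ban it is meant to escalate from, so an address already blocked on the ssh port cannot produce the further bans in fail2ban.log that recidive counts (unless bans are lost across a restart). Give the jail its own, longer values, e.g. `bantime = 2592000`, `findtime = 1209600`, `maxretry = 3` (constructed values, tune to policy; findtime must exceed the base jail's bantime to be reachable). Separately, the `sendmail-whois-lines[name=recidive, logpath=...]` call passes no `dest=`, so the report goes to that action's own default recipient rather than the template's `destemail`; pass `dest=%(destemail)s` as the template's `action_mw`/`action_mwl` lines do.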
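Review bot: The section is named `[ssh]`, but on the Debian-family targets the tasks file installs to, the fail2ban package already ships an enabled `[sshd]` jail (`jail.d/defaults-debian.conf`) watching the same log with the same `sshd` filter, so this role most likely ends up with two jails banning the same addresses into separate iptables chains. Naming the section `[sshd]` turns the file into an override of the packaged jail instead of a duplicate, e.g. `[sshd]` followed by `enabled = true` and `port = ssh`, dropping the explicit `action`. As written, `action = iptables[name=SSH, port=ssh, protocol=tcp]` also bypasses the template's `action`/`banaction` selection, so later switching `[DEFAULT]` to `action_mw` or `action_mwl` would not affect this jail.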
@@ -0,0 +1,39 @@
+---
+# tasks file for fail2ban
+- name: Instalação fail2ban
+  become: true
+  apt:
+    name:
+      - fail2ban
+    state: present
+    update_cache: yes
+    cache_valid_time: 86400
+    force_apt_get: yes
+
+- name: Apply fail2ban default config
+  become: true
+  template:
+    src: default.j2
+    dest: /etc/fail2ban/jail.d/00-default.conf
+    mode: 0644
+  notify:
+    - reload fail2ban
+
+- name: Copy fail2ban jails
+  become: true
+  copy:
+    src: '{{ item }}'
+    dest: /etc/fail2ban/jail.d/{{ item }}.conf
+    mode: 0644
+  with_items:
+    - recidive
+    - ssh
+  notify:
+    - reload fail2ban
+
+- name: Start service fail2ban, if not started
+  become: true
+  service:
+    name: fail2ban.service
+    state: started
+    enabled: yes
diff --git a/roles/fail2ban/templates/default.j2 b/roles/fail2ban/templates/default.j2
new file mode 100644
index 0000000..8366acf
--- /dev/null
+++ b/roles/fail2ban/templates/default.j2
@@ -0,0 +1,26 @@
+[DEFAULT]
+ignoreip = 127.0.0.1/8
+bantime = 604800 ; 1 week
+findtime = 86400 ; 1 day
+maxretry = 3
+backend = auto
+usedns = warn
+destemail = direccao@ansol.org
+sendername = Fail2Ban
+banaction = iptables-multiport
+mta = sendmail
+protocol = tcp
+chain = INPUT
+
+# The simplest action to take: ban only
+action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report to the destemail.
+action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+            %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
+
+# ban & send an e-mail with whois report and relevant log lines to the destemail.
+action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+             %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
+
+action = %(action_)s
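Review bot: `mode: 0644` on the template and copy tasks is an unquoted YAML octal; it parses correctly as written, but ansible-lint flags the form and a later edit to an unprefixed `644` would be taken as a decimal value, so quote it as `mode: '0644'` in both tasks. The first task name `Instalação fail2ban` is the only non-English name in the role (`Install fail2ban` would match the rest), and the unit is referred to as `fail2ban.service` here but `fail2ban` in the handler; one spelling for both would help. `with_items` is the pre-2.5 loop form and `loop:` is a drop-in replacement here.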
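Review bot: `ignoreip = 127.0.0.1/8` exempts only IPv4 loopback, so with `bantime = 604800` and the all-ports recidive jail a few failed logins from the Ansible control host or an admin's network would lock that address out of every service for a week; nothing in the template protects the management path, and on fail2ban 0.10+ the IPv6 loopback `::1` is also missing. This is a `.j2` template that contains no Jinja, so the site-specific values could come from role variables, e.g. `ignoreip = 127.0.0.1/8 ::1 {{ fail2ban_ignoreip | default('') }}` and `destemail = {{ fail2ban_destemail }}`, keeping the trusted networks and the recipient address out of the role itself. `bantime`, `findtime` and `maxretry` are natural candidates for the same `| default(...)` treatment.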