Oefenweb.fail2ban

fail2ban


This guide shows how to set up fail2ban on Debian-like systems.

Requirements

No special requirements.

Variables

  • fail2ban_loglevel: [default: 3, or INFO in newer versions]: Log level. Older fail2ban versions take a number (1 = ERROR, 2 = WARN, 3 = INFO, 4 = DEBUG); newer versions take the level name

  • fail2ban_logtarget: [default: /var/log/fail2ban.log]: Sets where logs are saved. This could be a file, SYSLOG, STDERR, or STDOUT

  • fail2ban_syslog_target: [default: /var/log/fail2ban.log]: Target used for syslog logging

  • fail2ban_syslog_facility: [default: 1]: Syslog facility number used for syslog logging (1 = user)

  • fail2ban_socket: [default: /var/run/fail2ban/fail2ban.sock]: Sets the socket file for communication with the daemon

  • fail2ban_pidfile: [default: /var/run/fail2ban/fail2ban.pid]: Sets the PID file to store the daemon's process ID (Only for fail2ban >= 0.8.9)

  • fail2ban_dbpurgeage: [default: 86400]: Age (in seconds) after which ban records are purged from the fail2ban database. The ban history that drives the ban time increment (see below) lives in this database, so a purge age shorter than the longest ban discards it

  • fail2ban_ignoreips: [default: [127.0.0.1/8]]: IP addresses, CIDR masks or DNS hosts that are never banned. Put your own management addresses here so a mistyped password cannot lock you out

  • fail2ban_bantime: [default: 600]: How long (in seconds) an IP stays banned; a negative value (e.g. -1) bans permanently

  • fail2ban_maxretry: [default: 3]: Number of failures before an IP is banned

  • fail2ban_findtime: [default: 600]: An IP is banned once it has produced fail2ban_maxretry failures within the last fail2ban_findtime seconds

  • fail2ban_backend: [default: auto]: Backend used to detect log changes. Debian 12 no longer installs rsyslog by default, so sshd failures end up only in the systemd journal; set this to systemd there, otherwise the sshd jail watches a log file that does not exist

  • fail2ban_banaction: [default: iptables-multiport]: Sets the default banning action

  • fail2ban_banaction_allports: [default: iptables-allports]: Sets the default action for all ports

  • fail2ban_mta: [default: sendmail]: Mail transfer agent used by the mail actions

  • fail2ban_protocol: [default: tcp]: Sets the default protocol

  • fail2ban_chain: [default: INPUT]: Specifies the iptables chain for actions

  • fail2ban_action: [default: %(action_)s]: Default action. Variables need to be wrapped in %( and )s to work properly.

  • fail2ban_sendername: [default: Fail2ban]: The sender name for emails from mta actions. Use fail2ban_sender for the 'from' email address.

  • fail2ban_sender: [optional]: The sender email address for mta actions.

  • fail2ban_filterd_path: [optional]: Directory path for filters to copy (make sure to include the trailing slash)

  • fail2ban_actiond_path: [optional]: Directory path for actions to copy (make sure to include the trailing slash)

  • fail2ban_jaild_path: [optional]: Directory path for jails to copy (make sure to include the trailing slash)

  • fail2ban_services [default see defaults/main.yml]: Service (jail) definitions

  • fail2ban_services.{n}.name [required]: Name of the service/jail (e.g. sshd)

  • fail2ban_services.{n}.enabled [default: true]: Whether the jail is enabled or not

  • fail2ban_services.{n}.* [optional]: Any other key is written as an option into that jail's section, with its value verbatim (e.g. port, filter, logpath, maxretry, findtime, bantime)

For version >= 0.11.1

  • fail2ban_bantime_increment: [default: true]: Lengthen the ban time on each repeated ban of the same IP
  • fail2ban_bantime_factor: [default: 1]: Coefficient applied to the formula or to the multipliers
  • fail2ban_bantime_formula: [default: 'ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor']: Formula for the next ban time (the default doubles it on every ban, with the exponent capped at 20). Use either bantime_formula or bantime_multipliers; when both are set, bantime_multipliers takes priority.
  • fail2ban_bantime_overalljails: [default: false]: Count previous bans across all jails rather than only in the jail doing the banning
  • fail2ban_bantime_rndtime: [optional]: Upper bound (in seconds) of a random time mixed into the ban so that bots cannot compute the exact moment they are unbanned
  • fail2ban_bantime_multipliers: [optional]: Alternative to bantime_formula, e.g. 1 2 4 8 16 32 64: the n-th ban uses the n-th multiplier, and the last one is reused once the list is exhausted. For bantime = 600 and bantime_factor = 1 this gives 600*1*1, 600*1*2, ... up to 600*1*64.
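The following is an added example, not code from this role or from fail2ban itself. It models what fail2ban_ignoreips, fail2ban_findtime/fail2ban_maxretry and the bantime increment options above actually do, so their interaction can be checked offline: a sliding-window ban decision run over constructed sshd log lines (TEST-NET-3 addresses, a made-up host name, ISO timestamps standing in for the syslog format fail2ban parses), and the ban length schedule produced by the default formula versus a multipliers list. The window semantics, the regex and the transcription of the default formula are this example's own simplifications.

```python
"""Offline model of the fail2ban settings this role exposes (added example,
not code from the oefenweb.fail2ban role or from fail2ban).  Log lines, host
name and addresses are constructed; ISO timestamps replace syslog ones."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Reduced version of the pattern in fail2ban's sshd filter (an assumption).
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+ ssh2$"
)

# Constructed sample: a fast brute-forcer, a local source covered by the
# default ignoreip, a successful login, and a slow attacker spacing attempts.
SAMPLE_LOG = """\
2024-02-10T12:00:01+00:00 bastion sshd[2101]: Failed password for root from 203.0.113.5 port 50110 ssh2
2024-02-10T12:00:04+00:00 bastion sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 50112 ssh2
2024-02-10T12:00:09+00:00 bastion sshd[2105]: Failed password for root from 203.0.113.5 port 50114 ssh2
2024-02-10T12:00:10+00:00 bastion sshd[2106]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
2024-02-10T12:00:12+00:00 bastion sshd[2108]: Failed password for root from 127.0.0.1 port 33000 ssh2
2024-02-10T12:00:13+00:00 bastion sshd[2109]: Failed password for root from 127.0.0.1 port 33001 ssh2
2024-02-10T12:00:14+00:00 bastion sshd[2110]: Failed password for root from 127.0.0.1 port 33002 ssh2
2024-02-10T12:01:00+00:00 bastion sshd[2120]: Failed password for root from 203.0.113.9 port 50200 ssh2
2024-02-10T12:20:00+00:00 bastion sshd[2130]: Failed password for root from 203.0.113.9 port 50201 ssh2
2024-02-10T12:39:00+00:00 bastion sshd[2140]: Failed password for root from 203.0.113.9 port 50202 ssh2
""".splitlines()


def is_ignored(ip: str, ignoreips) -> bool:
    """fail2ban_ignoreips: plain IPs or CIDR masks that are never banned
    (DNS names, which fail2ban also accepts, are not handled here)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in ignoreips)


def find_bans(lines, maxretry=3, findtime=600, ignoreips=("127.0.0.1/8",)):
    """Return {ip: unix time of ban} for sources that reach maxretry failures
    within findtime seconds, modelled as a strict sliding window over the
    failure timestamps.  Only the first ban per IP is recorded."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    bans = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # the filter only counts lines it matches
        ip = m.group("ip")
        if ip in bans or is_ignored(ip, ignoreips):
            continue
        ts = datetime.fromisoformat(m.group("ts")).timestamp()
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > findtime:  # failures older than findtime no longer count
            q.popleft()
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans


def next_bantime(bantime, ban_count, factor=1, multipliers=None):
    """Length of the next ban under bantime.increment.

    ban_count is the number of earlier bans of this IP (0 for the first ban).
    bantime.multipliers take priority over the formula; past the end of the
    list the last multiplier is reused, so growth stops there.  The default
    formula 'ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor'
    is transcribed directly (fail2ban evaluates the configured string as a
    Python expression).  bantime.rndtime's random offset is not modelled.
    """
    if bantime < 0:
        return bantime  # a negative bantime is a permanent ban; nothing to grow
    if multipliers:
        return bantime * multipliers[min(ban_count, len(multipliers) - 1)] * factor
    return bantime * (1 << min(ban_count, 20)) * factor


def ban_schedule(bantime, n, factor=1, multipliers=None):
    """The first n ban lengths a repeat offender would receive."""
    return [next_bantime(bantime, i, factor, multipliers) for i in range(n)]


if __name__ == "__main__":
    print("default findtime=600 :", find_bans(SAMPLE_LOG))
    print("findtime=3600        :", find_bans(SAMPLE_LOG, findtime=3600))
    print("formula, bantime=600 :", ban_schedule(600, 6))
    print("multipliers 1..64    :", ban_schedule(600, 9, multipliers=[1, 2, 4, 8, 16, 32, 64]))
```

With the role defaults (maxretry 3, findtime 600) only the fast brute-forcer is banned: the slow attacker never has three failures inside one window, and 127.0.0.1 is shielded by the default ignoreip. Raising findtime to 3600 catches the slow attacker too, which is the trade-off the variable controls. The schedules show why dbpurgeage matters once bantime_increment is on: the escalation only continues if the earlier bans are still in the database.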

Dependencies

No dependencies.

Example(s)

Simple

---
- hosts: all
  roles:
    - oefenweb.fail2ban

Enable sshd filter (with custom settings)

---
- hosts: all
  roles:
    - oefenweb.fail2ban
  vars:
    fail2ban_services:
      - name: sshd
        port: 2222
        maxretry: 5
        bantime: -1

Add custom filters (from outside the role)

---
- hosts: all
  roles:
    - oefenweb.fail2ban
  vars:
    fail2ban_filterd_path: ../../../files/fail2ban/etc/fail2ban/filter.d/
    fail2ban_services:
      - name: apache-wordpress-logins
        port: http,https
        filter: apache-wordpress-logins
        logpath: /var/log/apache2/access.log
        maxretry: 5
        findtime: 120

License

MIT

Author Information

Mischa ter Smitten (based on the work of ANXS)

Feedback, bug reports, requests...

Feedback is welcome!

Project information

Set up fail2ban in Debian-like systems

Install
ansible-galaxy install Oefenweb.fail2ban
License
mit
Downloads
350k
Owner