sakibmoon.fail2ban
Role Name
=========
An Ansible role for installing and managing Fail2ban.
Requirements
Ansible version 2.6 or newer.
Installation
Ansible Galaxy
Run ansible-galaxy install sakibmoon.fail2ban.
Git
Run git clone https://github.com/sakibmoon/ansible-role-fail2ban.git.
Basic Usage
To install and enable Fail2ban with SSH protection:
```yaml
- hosts: servers
  vars:
    fail2ban_services:
      - name: "sshd"
        enabled: "true"
        port: "ssh"
        filter: "sshd"
        logpath: "/var/log/auth.log"
        maxretry: 6
  roles:
    - sakibmoon.fail2ban
```
See Role Variables and Example Playbook for more complex usage and options.
Role Variables
Service Monitor Options
fail2ban_services
A list of services to be monitored by Fail2ban. Each entry must include the service name and log path, along with any other settings you want to change.
Options for services:
- name: Name of the service.
- logpath: Path to the service's logs.
- port: Comma-separated ports to monitor.
- enabled: Whether to enable this protection.
Action List
fail2ban_actionlist
A list of actions to create, saved in /etc/fail2ban/action.d/. Each action can include the following:
- name: The action's name, which will be the filename.
- sections: A list of sections such as Definition, Init, etc., that contain various options.
- file_ext: (Optional) The file extension can be either local or conf. Default is local.
Example:
```yaml
fail2ban_actionlist:
  - name: toy-action1
    sections:
      - name: Definition
        options:
          - name: actionstart
            value: "ActionStart value"
          - name: actionflush
            value: "Actionflush value"
      - name: Init
        options:
          - name: timeout
            value: "timeout value"
    file_ext: "local"
```
Filter List
fail2ban_filterlist
A list of filters to create, also saved in /etc/fail2ban/action.d/ and formatted similarly to the action list.
Fail2ban Configuration Options
| Variable Name | Fail2ban Option Name | Option Values | Default Value | Description |
|---|---|---|---|---|
| fail2ban_confpath | | [FILE] | /etc/fail2ban/fail2ban.local | Path for Fail2ban configuration. |
| fail2ban_loglevel | loglevel | CRITICAL, ERROR, WARNING, INFO, DEBUG | ERROR for version > 0.8.x, 1 for 0.8.x | Sets log level output. |
| fail2ban_logtarget | logtarget | [FILE], STDOUT, STDERR, SYSLOG | /var/log/fail2ban.log | Sets the log output target. |
| fail2ban_syslogsocket | syslogsocket | auto, [FILE] | auto | Specifies the syslog socket file. |
| fail2ban_socket | socket | [FILE] | /var/run/fail2ban/fail2ban.sock | Socket file for communication with the daemon. |
| fail2ban_pidfile | pidfile | [FILE] | /var/run/fail2ban/fail2ban.pid | PID file to store the process ID of Fail2ban. |
| fail2ban_dbfile | dbfile | None, :memory:, [FILE] | /var/lib/fail2ban/fail2ban.sqlite3 | File for Fail2ban persistent data. |
| fail2ban_dbpurgeage | dbpurgeage | [SECONDS] | 86400 | Age at which bans should be removed. |
| fail2ban_dbmaxmatches | dbmaxmatches | [INT] | 20 | Maximum matches stored per ticket. |
| fail2ban_stacksize | stacksize | [SIZE] | 0 | Stack size for threads, must be >= 0 or at least 32 KiB. |
Global Jail Configuration Options
| Variable Name | Fail2ban Option Name | Option Values | Default Value | Description |
|---|---|---|---|---|
| fail2ban_jailpath | | [FILE] | /etc/fail2ban/jail.local | File for default Fail2ban jail configuration. |
| fail2ban_ignoreself | ignoreself | boolean, true, false | true | Prevents banning own IP addresses. |
| fail2ban_ignoreip | ignoreip | List of IPs | | IPs that should not be banned. |
| fail2ban_ignorecommand | ignorecommand | /path/to/command | | Command to ignore specified IPs. |
| fail2ban_ignorecache | ignorecache | | disabled | Cache parameters for ignore checks. |
| fail2ban_bantime | bantime | [SECONDS] | 600 | Duration of the ban (seconds). |
| fail2ban_findtime | findtime | [SECONDS] | 600 | Time interval for counting failures. |
| fail2ban_maxretry | maxretry | [INT] | 5 | Number of failures before banning. |
| fail2ban_backend | backend | pyinotify, gamin, polling, systemd, auto | auto | Backend for file modification detection. |
| fail2ban_usedns | usedns | yes, warn, no, raw | warn | Trust hostnames in logs. |
| fail2ban_logencoding | logencoding | auto, ascii, utf-8, etc. | auto | Encoding for log files. |
| fail2ban_mode | mode | normal, ddos, extra, aggressive | normal | Mode of the filter. |
| fail2ban_filter | filter | filter name | %(__name__)s[mode=%(mode)s] | The filter used by the jail. |
| fail2ban_logtimezone | logtimezone | UTC, UTC+0200, GMT-0100, etc. | | Forces timezone for log lines without one. |
| fail2ban_banaction | banaction | iptables, etc. | iptables-multiport | Default action for banning. |
| fail2ban_banaction_allports | banaction_allports | iptables, etc. | iptables-allports | Action for "allports" jails. |
| fail2ban_action | action | | %(action_)s | Default action to choose. |
| fail2ban_failregex | failregex | Python Regular Expression | | Regex for filtering failures. |
| fail2ban_ignoreregex | ignoreregex | | | Regex for ignoring certain log lines. |
| fail2ban_maxmatches | maxmatches | [INT] | | Max number of matched log lines held in memory. |
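A fuller playbook, added here as an example that is not part of the role's own README, combining a custom filter from fail2ban_filterlist, a jail in fail2ban_services that references it, and the global jail options from the tables above. The application name "myapp", its log path and log line format, and the list form of fail2ban_ignoreip are assumptions.

```yaml
# Added example (not from the role's README). The app name "myapp", its log
# path and the log line format are assumed; variable names come from the
# README tables.
- hosts: servers
  vars:
    # Global jail options, written to fail2ban_jailpath (/etc/fail2ban/jail.local)
    fail2ban_ignoreip:             # table says "List of IPs"; a YAML list is assumed
      - 127.0.0.1/8
      - 192.0.2.0/24               # management network (RFC 5737 documentation range)
    fail2ban_bantime: 3600         # one hour instead of the 600 s default
    fail2ban_findtime: 600         # count failures within a 10 minute window
    fail2ban_maxretry: 5
    fail2ban_banaction: iptables-multiport

    # A custom filter, structured like the fail2ban_actionlist entries.
    # Assumed log line:
    #   2024-05-01 10:00:00 myapp: login failed for user alice from 203.0.113.5
    fail2ban_filterlist:
      - name: myapp
        sections:
          - name: Definition
            options:
              - name: failregex
                value: '^.*myapp: login failed for user \S+ from <HOST>$'
              - name: ignoreregex
                value: ""
        file_ext: "local"

    # Jails: the README's SSH jail plus one that uses the custom filter.
    fail2ban_services:
      - name: "sshd"
        enabled: "true"
        port: "ssh"
        filter: "sshd"
        logpath: "/var/log/auth.log"
        maxretry: 6
      - name: "myapp"
        enabled: "true"
        port: "https"                        # assumed: the app listens on 443
        filter: "myapp"                      # matches the filter name above
        logpath: "/var/log/myapp/auth.log"   # assumed path
        maxretry: 3                          # overrides the global fail2ban_maxretry
  roles:
    - sakibmoon.fail2ban
```

Run fail2ban-regex against a sample of the real log before enabling the jail, so that a failregex that matches nothing (or too much) is caught on a test host rather than in production.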
Dependencies
No dependencies.
Supported Platforms
This role is compatible with any Red Hat or Debian based Linux distribution. It has been tested on:
- CentOS 8
- CentOS 7
- Ubuntu 18.04
- Ubuntu 16.04
- Debian 10
- Debian 9
Example Playbook
The following playbook installs and enables Fail2ban and adds an SSH protection jail:
```yaml
- hosts: servers
  vars:
    fail2ban_services:
      - name: "sshd"
        enabled: "true"
        port: "ssh"
        filter: "sshd"
        logpath: "/var/log/auth.log"
        maxretry: 6
  roles:
    - sakibmoon.fail2ban
```
License
MIT License.
Author Information
This role was created by sakibmoon in 2020.