authorclarkzjw <[email protected]>2023-02-08 00:40:09 -0800
committerclarkzjw <[email protected]>2023-02-08 00:40:09 -0800
commit1204730924436ef9e1c7c49c9557837f9a5ed0e8 (patch)
tree129d79dfd11245751cee6d4082ff5d2f6e941610 /ansible/roles/fail2ban/files
parent9635ac4dedf69de5bff65785bcc16bef80b52d75 (diff)
fork https://github.com/mattsta/mailwebHEADmaster
Diffstat (limited to 'ansible/roles/fail2ban/files')
-rw-r--r--ansible/roles/fail2ban/files/fail2ban/fail2ban.local0
-rw-r--r--ansible/roles/fail2ban/files/fail2ban/filter.d/postfix-rspamd.conf11
-rw-r--r--ansible/roles/fail2ban/files/fail2ban/jail.local59
3 files changed, 70 insertions, 0 deletions
diff --git a/ansible/roles/fail2ban/files/fail2ban/fail2ban.local b/ansible/roles/fail2ban/files/fail2ban/fail2ban.local
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/fail2ban.local
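diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/postfix-rspamd.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/postfix-rspamd.conf
new file mode 100644
index 0000000..311936b
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/postfix-rspamd.conf
@@ -0,0 +1,11 @@
+[INCLUDES]
+before = common.conf
+
+[Definition]
+_daemon = postfix/cleanup
+_port = (?::\d+)?
+
+# Line looks like:
+# Jul 4 16:40:22 mailmash postfix/cleanup[14378]: F3FECD008FA: milter-reject: END-OF-MESSAGE from fixed-187-188-96-153.totalplay.net[187.188.96.153]: 5.7.1 Spam message rejected; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<fixed-187-188-96-153.totalplay.net>
+failregex = milter-reject: END-OF-MESSAGE from [a-z0-9.-]+\[<HOST>\]: 5.7.1 Spam message rejected
+ignoreregex =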
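Review bot: The `failregex` on new line 10 is unanchored and never uses the `_daemon` and `_port` values defined above it, so it can match this text anywhere in a log line, including in the client-supplied fields (`from=`, `to=`, `helo=`) that the sample line shows being logged alongside it. fail2ban's filter guidance recommends anchoring to the line start for this reason, because a match on client-influenced text can get an unrelated address banned. Something like `failregex = ^%(__prefix_line)s\S+: milter-reject: END-OF-MESSAGE from [a-z0-9.-]+\[<HOST>\]: 5\.7\.1 Spam message rejected` would tie the match to the postfix/cleanup prefix from common.conf. That pattern is untested here, so check it with `fail2ban-regex` against a real log before deploying. If `_port` stays unused it can be dropped.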
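diff --git a/ansible/roles/fail2ban/files/fail2ban/jail.local b/ansible/roles/fail2ban/files/fail2ban/jail.local
new file mode 100644
index 0000000..5b77b5b
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/jail.local
@@ -0,0 +1,59 @@
+[DEFAULT]
+# For 'banaction' you can use any action defined in /etc/fail2ban/action.d/
+# including things like iptables, iptables-ipset, nftables-*, ...
+banaction = hostsdeny
+banaction_allports = hostsdeny
+
+# Blocking decision making is fully logged in /var/log/fail2ban.log
+# Current blocking can be viewed with:
+# fail2ban-client status
+# fail2ban-client status [service]
+
+# You can unban IPs with
+# fail2ban-client unban <ip>...
+#
+# Or unban just for one service/jail
+# fail2ban-client set <jail> unban <ip>
+
+# Go away for a long time
+bantime = 34d
+
+
+# DEBUGGING
+# You can debug fail2ban behavior by running it in the foreground with
+# client debug and server debug logging:
+# fail2ban-client -vvvvvvvvvv --loglevel DEBUG -f -x start
+# In another terminal:
+# tail -F /var/log/fail2ban.log
+#
+# It helps to delete the persistent save db before fail2ban is started
+# in debug mode too:
+# rm /var/lib/fail2ban/fail2ban.sqlite3
+
+
+# And we're always watching
+# If you're testing/debugging your auth and failing your own logins
+# either by mistake or intentionally, you'll want to either decrease
+# the findtime, decrease the bantime, increase the maxretry time,
+# or just disable fail2ban for [findtime] after your testing.
+findtime = 6h
+
+# Quick and done
+maxretry = 5
+
+[sshd]
+# Disable sshd since we don't have public ssh access to these servers
+enabled = false
+
+[postfix]
+enabled = true
+mode = aggressive
+findtime = 7d # watch out for bad long-term trickle tricksters
+
+[postfix-rspamd]
+enabled = true
+findtime = 7d
+maxretry = 3
+
+[dovecot]
+enabled = true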
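Review bot: `banaction = hostsdeny` and `banaction_allports = hostsdeny` (new lines 4-5) only add entries to hosts.deny, which is honoured by services built to use TCP wrappers; sshd is the usual one and it is disabled here, while as far as I know Postfix does not consult that file and Dovecot does so only when explicitly configured. If that holds on these hosts, the postfix, postfix-rspamd and dovecot jails would record bans without refusing any connection, so confirm that a banned test address is actually rejected, or switch to a packet-filter action such as `banaction = nftables-multiport` with `banaction_allports = nftables-allports`. Separately, new line 51 puts a trailing `# ...` comment after `7d`; the fail2ban jail.conf documentation reserves `#` for full-line comments, so that text may be read as part of the value, and moving the comment to its own line above `findtime = 7d` avoids the ambiguity.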