5 files changed, 103 insertions, 0 deletions

diff --git a/ansible/roles/fail2ban/files/fail2ban/fail2ban.local b/ansible/roles/fail2ban/files/fail2ban/fail2ban.local
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/fail2ban.local
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/postfix-rspamd.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/postfix-rspamd.conf
new file mode 100644
index 0000000..311936b
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/postfix-rspamd.conf
@@ -0,0 +1,11 @@
+[INCLUDES]
+before = common.conf
+
+[Definition]
+_daemon = postfix/cleanup
+_port = (?::\d+)?
+
+# Line looks like:
+# Jul  4 16:40:22 mailmash postfix/cleanup[14378]: F3FECD008FA: milter-reject: END-OF-MESSAGE from fixed-187-188-96-153.totalplay.net[187.188.96.153]: 5.7.1 Spam message rejected; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<fixed-187-188-96-153.totalplay.net>
+failregex = milter-reject: END-OF-MESSAGE from [a-z0-9.-]+\[<HOST>\]: 5.7.1 Spam message rejected
+ignoreregex =
diff --git a/ansible/roles/fail2ban/files/fail2ban/jail.local b/ansible/roles/fail2ban/files/fail2ban/jail.local
new file mode 100644
index 0000000..5b77b5b
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/jail.local
@@ -0,0 +1,59 @@
+[DEFAULT]
+# For 'banaction' you can use any action defined in /etc/fail2ban/action.d/
+# including things like iptables, iptables-ipset, nftables-*, ...
+banaction = hostsdeny
+banaction_allports = hostsdeny
+
+# Blocking decision making is fully logged in /var/log/fail2ban.log
+# Current blocking can be viewed with:
+# fail2ban-client status
+# fail2ban-client status [service]
+
+# You can unban IPs with
+# fail2ban-client unban <ip>...
+#
+# Or unban just for one service/jail
+# fail2ban-client set <jail> unban <ip>
+
+# Go away for a long time
+bantime  = 34d
+
+
+# DEBUGGING
+# You can debug fail2ban behavior by running it in the foreground with
+# client debug and server debug logging:
+# fail2ban-client -vvvvvvvvvv --loglevel DEBUG -f -x start
+# In another terminal:
+# tail -F /var/log/fail2ban.log
+#
+# It helps to delete the persistent save db before fail2ban is started
+# in debug mode too:
+# rm /var/lib/fail2ban/fail2ban.sqlite3
+
+
+# And we're always watching
+# If you're testing/debugging your auth and failing your own logins
+# either by mistake or intentionally, you'll want to either decrease
+# the findtime, decrease the bantime, increase the maxretry time,
+# or just disable fail2ban for [findtime] after your testing.
+findtime = 6h
+
+# Quick and done
+maxretry = 5
+
+[sshd]
+# Disable sshd since we don't have public ssh access to these servers
+enabled = false
+
+[postfix]
+enabled = true
+mode = aggressive
+findtime = 7d # watch out for bad long-term trickle tricksters
+
+[postfix-rspamd]
+enabled = true
+findtime = 7d
+maxretry = 3
+
+[dovecot]
+enabled = true
diff --git a/ansible/roles/fail2ban/handlers/main.yml b/ansible/roles/fail2ban/handlers/main.yml
new file mode 100644
index 0000000..d83f78d
--- /dev/null
+++ b/ansible/roles/fail2ban/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart fail2ban
+  service:
+    name: fail2ban
+    state: restarted
diff --git a/ansible/roles/fail2ban/tasks/main.yml b/ansible/roles/fail2ban/tasks/main.yml
new file mode 100644
index 0000000..6d8e237
--- /dev/null
+++ b/ansible/roles/fail2ban/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+# dovecot is configured to respect the fail2ban deny decisions
+# A failed login is recorded as:
+# dovecot[<pid>]: imap-login: access(tcpwrap): Client refused (rip=<ip>)
+- name: install fail2ban
+  apt:
+    name: fail2ban
+    state: latest
+    install_recommends: false
+
+- name: copy fail2ban config
+  copy:
+    src: fail2ban/
+    dest: /etc/fail2ban/
+    mode: preserve
+  notify:
+  - restart fail2ban
+
+
+# verify everything is running
+- name: verify services are running in dependency order
+  service:
+    name: "{{ item }}"
+    enabled: yes
+    state: started
+  loop:
+    - fail2ban
+