Diffstat (limited to 'ansible/roles/fail2ban')
-rw-r--r--ansible/roles/fail2ban/files/fail2ban/fail2ban.local0
-rw-r--r--ansible/roles/fail2ban/files/fail2ban/filter.d/postfix-rspamd.conf11
-rw-r--r--ansible/roles/fail2ban/files/fail2ban/jail.local59
-rw-r--r--ansible/roles/fail2ban/handlers/main.yml5
-rw-r--r--ansible/roles/fail2ban/tasks/main.yml28
5 files changed, 103 insertions, 0 deletions
diff --git a/ansible/roles/fail2ban/files/fail2ban/fail2ban.local b/ansible/roles/fail2ban/files/fail2ban/fail2ban.local
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/fail2ban.local
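diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/postfix-rspamd.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/postfix-rspamd.conf
new file mode 100644
index 0000000..311936b
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/postfix-rspamd.conf
@@ -0,0 +1,11 @@
+[INCLUDES]
+before = common.conf
+
+[Definition]
+_daemon = postfix/cleanup
+_port = (?::\d+)?
+
+# Line looks like:
+# Jul 4 16:40:22 mailmash postfix/cleanup[14378]: F3FECD008FA: milter-reject: END-OF-MESSAGE from fixed-187-188-96-153.totalplay.net[187.188.96.153]: 5.7.1 Spam message rejected; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<fixed-187-188-96-153.totalplay.net>
+failregex = milter-reject: END-OF-MESSAGE from [a-z0-9.-]+\[<HOST>\]: 5.7.1 Spam message rejected
+ignoreregex =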
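Review bot: The failregex on line 10 is unanchored and never uses the `^%(__prefix_line)s` prefix that common.conf builds from `_daemon`, so `_daemon = postfix/cleanup` has no effect and the phrase would match in a line logged by any process, while the unescaped dots in `5.7.1` match any character. Anchor it and escape the literals: `failregex = ^%(__prefix_line)smilter-reject: END-OF-MESSAGE from [^\[]+\[(?:IPv6:)?<HOST>\]: 5\.7\.1 Spam message rejected`. The `[a-z0-9.-]+` hostname class also rejects reverse-DNS names containing uppercase letters, and without the optional `IPv6:` prefix that the stock postfix filter accepts inside the bracket, IPv6 senders would presumably never be banned — worth checking against real rspamd rejections in the log. `_port` on line 6 is defined but never referenced.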
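diff --git a/ansible/roles/fail2ban/files/fail2ban/jail.local b/ansible/roles/fail2ban/files/fail2ban/jail.local
new file mode 100644
index 0000000..5b77b5b
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/jail.local
@@ -0,0 +1,59 @@
+[DEFAULT]
+# For 'banaction' you can use any action defined in /etc/fail2ban/action.d/
+# including things like iptables, iptables-ipset, nftables-*, ...
+banaction = hostsdeny
+banaction_allports = hostsdeny
+
+# Blocking decision making is fully logged in /var/log/fail2ban.log
+# Current blocking can be viewed with:
+# fail2ban-client status
+# fail2ban-client status [service]
+
+# You can unban IPs with
+# fail2ban-client unban <ip>...
+#
+# Or unban just for one service/jail
+# fail2ban-client set <jail> unban <ip>
+
+# Go away for a long time
+bantime = 34d
+
+
+# DEBUGGING
+# You can debug fail2ban behavior by running it in the foreground with
+# client debug and server debug logging:
+# fail2ban-client -vvvvvvvvvv --loglevel DEBUG -f -x start
+# In another terminal:
+# tail -F /var/log/fail2ban.log
+#
+# It helps to delete the persistent save db before fail2ban is started
+# in debug mode too:
+# rm /var/lib/fail2ban/fail2ban.sqlite3
+
+
+# And we're always watching
+# If you're testing/debugging your auth and failing your own logins
+# either by mistake or intentionally, you'll want to either decrease
+# the findtime, decrease the bantime, increase the maxretry time,
+# or just disable fail2ban for [findtime] after your testing.
+findtime = 6h
+
+# Quick and done
+maxretry = 5
+
+[sshd]
+# Disable sshd since we don't have public ssh access to these servers
+enabled = false
+
+[postfix]
+enabled = true
+mode = aggressive
+findtime = 7d # watch out for bad long-term trickle tricksters
+
+[postfix-rspamd]
+enabled = true
+findtime = 7d
+maxretry = 3
+
+[dovecot]
+enabled = true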
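Review bot: The trailing `# watch out for bad long-term trickle tricksters` on `findtime = 7d` in the [postfix] jail (line 51) is most likely read as part of the value: fail2ban's jail.conf manual only documents inline comments as ` ;` (space-semicolon), with `#` for full lines, so the jail would get `7d # watch out …` as its findtime and presumably fail to load; move the remark onto its own line above the key. A more consequential caveat: `banaction = hostsdeny` only appends to `/etc/hosts.deny`, which is honoured solely by services that consult libwrap — the tasks file says dovecot is set up that way, but unless postfix's smtpd on this platform is also built with tcp_wrappers (Debian's package is not, as far as I know), bans from the [postfix] and [postfix-rspamd] jails will be logged but never enforced. A packet-filter banaction such as `iptables-multiport` or `nftables-multiport` enforces the ban regardless of what the daemon supports; whichever you keep, add a comment under `banaction` stating which services actually honour it. Also worth a comment: `bantime = 34d` combined with `findtime = 7d` and `maxretry = 3` will hold shared NAT or relay addresses for over a month on three spam rejections, so state that this is intended.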
diff --git a/ansible/roles/fail2ban/handlers/main.yml b/ansible/roles/fail2ban/handlers/main.yml
new file mode 100644
index 0000000..d83f78d
--- /dev/null
+++ b/ansible/roles/fail2ban/handlers/main.yml
@@ -0,0 +1,5 @@
1---
2- name: restart fail2ban
3 service:
4 name: fail2ban
5 state: restarted
diff --git a/ansible/roles/fail2ban/tasks/main.yml b/ansible/roles/fail2ban/tasks/main.yml
new file mode 100644
index 0000000..6d8e237
--- /dev/null
+++ b/ansible/roles/fail2ban/tasks/main.yml
@@ -0,0 +1,28 @@
1---
2# dovecot is configured to respect the fail2ban deny decisions
3# A failed login is recorded as:
4# dovecot[<pid>]: imap-login: access(tcpwrap): Client refused (rip=<ip>)
5- name: install fail2ban
6 apt:
7 name: fail2ban
8 state: latest
9 install_recommends: false
10
11- name: copy fail2ban config
12 copy:
13 src: fail2ban/
14 dest: /etc/fail2ban/
15 mode: preserve
16 notify:
17 - restart fail2ban
18
19
20# verify everything is running
21- name: verify services are running in dependency order
22 service:
23 name: "{{ item }}"
24 enabled: yes
25 state: started
26 loop:
27 - fail2ban
28