Diffstat (limited to 'ansible/roles/fail2ban')
-rw-r--r-- | ansible/roles/fail2ban/files/fail2ban/fail2ban.local | 0 | ||||
-rw-r--r-- | ansible/roles/fail2ban/files/fail2ban/filter.d/postfix-rspamd.conf | 11 | ||||
-rw-r--r-- | ansible/roles/fail2ban/files/fail2ban/jail.local | 59 | ||||
-rw-r--r-- | ansible/roles/fail2ban/handlers/main.yml | 5 | ||||
-rw-r--r-- | ansible/roles/fail2ban/tasks/main.yml | 28 |
5 files changed, 103 insertions, 0 deletions
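--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/fail2ban.local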
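--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/postfix-rspamd.conf
@@ -0,0 +1,11 @@
+[INCLUDES]
+before = common.conf
+
+[Definition]
+_daemon = postfix/cleanup
+_port = (?::\d+)?
+
+# Line looks like:
+# Jul 4 16:40:22 mailmash postfix/cleanup[14378]: F3FECD008FA: milter-reject: END-OF-MESSAGE from fixed-187-188-96-153.totalplay.net[187.188.96.153]: 5.7.1 Spam message rejected; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<fixed-187-188-96-153.totalplay.net>
+failregex = milter-reject: END-OF-MESSAGE from [a-z0-9.-]+\[<HOST>\]: 5.7.1 Spam message rejected
+ignoreregex =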
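Review bot: The failregex on line 10 is not anchored with `^%(__prefix_line)s`, so the `_daemon` and `_port` values defined just above it never take effect and the pattern is searched for anywhere in any line of the jail's log rather than only in postfix/cleanup entries. Since `before = common.conf` already provides `__prefix_line`, the conventional form is `failregex = ^%(__prefix_line)smilter-reject: END-OF-MESSAGE from [a-z0-9.-]+\[<HOST>\]%(_port)s: 5\.7\.1 Spam message rejected`, which also escapes the dots of the status code so they stop matching arbitrary characters and keeps matching if Postfix logs a `:port` after the bracketed address. The literal text "Spam message rejected" is rspamd's reject message as seen on this host; if that message is ever customised the filter silently stops banning, so a comment above failregex naming that dependency would save the next maintainer a debugging session.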
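--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/jail.local
@@ -0,0 +1,59 @@
+[DEFAULT]
+# For 'banaction' you can use any action defined in /etc/fail2ban/action.d/
+# including things like iptables, iptables-ipset, nftables-*, ...
+banaction = hostsdeny
+banaction_allports = hostsdeny
+
+# Blocking decision making is fully logged in /var/log/fail2ban.log
+# Current blocking can be viewed with:
+# fail2ban-client status
+# fail2ban-client status [service]
+
+# You can unban IPs with
+# fail2ban-client unban <ip>...
+#
+# Or unban just for one service/jail
+# fail2ban-client set <jail> unban <ip>
+
+# Go away for a long time
+bantime = 34d
+
+
+# DEBUGGING
+# You can debug fail2ban behavior by running it in the foreground with
+# client debug and server debug logging:
+# fail2ban-client -vvvvvvvvvv --loglevel DEBUG -f -x start
+# In another terminal:
+# tail -F /var/log/fail2ban.log
+#
+# It helps to delete the persistent save db before fail2ban is started
+# in debug mode too:
+# rm /var/lib/fail2ban/fail2ban.sqlite3
+
+
+# And we're always watching
+# If you're testing/debugging your auth and failing your own logins
+# either by mistake or intentionally, you'll want to either decrease
+# the findtime, decrease the bantime, increase the maxretry time,
+# or just disable fail2ban for [findtime] after your testing.
+findtime = 6h
+
+# Quick and done
+maxretry = 5
+
+[sshd]
+# Disable sshd since we don't have public ssh access to these servers
+enabled = false
+
+[postfix]
+enabled = true
+mode = aggressive
+findtime = 7d # watch out for bad long-term trickle tricksters
+
+[postfix-rspamd]
+enabled = true
+findtime = 7d
+maxretry = 3
+
+[dovecot]
+enabled = true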
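Review bot: `[postfix-rspamd]` (lines 53–56) sets no `logpath`, and fail2ban's stock jail.conf defines no jail of that name, so unless a logpath is supplied elsewhere the jail has no log file to watch and refuses to start; `logpath = %(postfix_log)s` together with `backend = %(postfix_backend)s` (both from paths-common.conf) gives it the same source the `[postfix]` jail uses. The trailing comment on line 51, `findtime = 7d # watch out for bad long-term trickle tricksters`, is also fragile: fail2ban's config parser does not necessarily strip `#` inline comments, in which case the whole string becomes the value and findtime fails to parse, so move the comment onto its own line above the key. Finally, `banaction = hostsdeny` only affects services that consult hosts.deny through libwrap; Postfix's smtpd does not do so by default, so bans raised by `[postfix]` and `[postfix-rspamd]` may never actually block an SMTP client unless those jails get a firewall-based action such as `banaction = iptables-multiport`, or the Postfix side is known to honour hosts.deny (the tasks file only documents this for dovecot).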
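--- /dev/null
+++ b/ansible/roles/fail2ban/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart fail2ban
+  service:
+    name: fail2ban
+    state: restarted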
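--- /dev/null
+++ b/ansible/roles/fail2ban/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+# dovecot is configured to respect the fail2ban deny decisions
+# A failed login is recorded as:
+# dovecot[<pid>]: imap-login: access(tcpwrap): Client refused (rip=<ip>)
+- name: install fail2ban
+  apt:
+    name: fail2ban
+    state: latest
+    install_recommends: false
+
+- name: copy fail2ban config
+  copy:
+    src: fail2ban/
+    dest: /etc/fail2ban/
+    mode: preserve
+  notify:
+    - restart fail2ban
+
+
+# verify everything is running
+- name: verify services are running in dependency order
+  service:
+    name: "{{ item }}"
+    enabled: yes
+    state: started
+  loop:
+    - fail2ban
+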
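Review bot: `state: latest` on line 8 upgrades fail2ban on every playbook run instead of merely ensuring it is installed, so an unreviewed upstream release can land on the mail host as a side effect of an unrelated deploy; `state: present` is the idempotent choice, leaving upgrades to the distribution's patch process. `mode: preserve` on line 15 installs every file under `fail2ban/` with whatever permissions it happens to have in the control-node checkout, which is hard to audit for configuration under `/etc`; an explicit `mode: "0644"` with `directory_mode: "0755"` makes the result predictable. The comment on lines 2–4 describes dovecot's tcpwrap behaviour but sits above the install task it has nothing to do with; it would be more discoverable as a comment in jail.local next to the `[dovecot]` jail, or above the `copy` task that ships that file.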