3 files changed, 70 insertions, 0 deletions
diff --git a/ansible/roles/fail2ban/files/fail2ban/fail2ban.local b/ansible/roles/fail2ban/files/fail2ban/fail2ban.local
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/fail2ban.local
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/postfix-rspamd.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/postfix-rspamd.conf
new file mode 100644
index 0000000..311936b
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/postfix-rspamd.conf
@@ -0,0 +1,11 @@
+[INCLUDES]
+before = common.conf
+[Definition]
+_daemon = postfix/cleanup
+_port = (?::\d+)?
+# Line looks like:
+# Jul  4 16:40:22 mailmash postfix/cleanup[14378]: F3FECD008FA: milter-reject: END-OF-MESSAGE from fixed-187-188-96-153.totalplay.net[187.188.96.153]: 5.7.1 Spam message rejected; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<fixed-187-188-96-153.totalplay.net>
+failregex = milter-reject: END-OF-MESSAGE from [a-z0-9.-]+\[<HOST>\]: 5.7.1 Spam message rejected
+ignoreregex =
diff --git a/ansible/roles/fail2ban/files/fail2ban/jail.local b/ansible/roles/fail2ban/files/fail2ban/jail.local
new file mode 100644
index 0000000..5b77b5b
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/jail.local
@@ -0,0 +1,59 @@
+[DEFAULT]
+# For 'banaction' you can use any action defined in /etc/fail2ban/action.d/
+# including things like iptables, iptables-ipset, nftables-*, ...
+banaction = hostsdeny
+banaction_allports = hostsdeny
+# Blocking decision making is fully logged in /var/log/fail2ban.log
+# Current blocking can be viewed with:
+# fail2ban-client status
+# fail2ban-client status [service]
+# You can unban IPs with
+# fail2ban-client unban <ip>...
+#
+# Or unban just for one service/jail
+# fail2ban-client set <jail> unban <ip>
+# Go away for a long time
+bantime  = 34d
+# DEBUGGING
+# You can debug fail2ban behavior by running it in the foreground with
+# client debug and server debug logging:
+# fail2ban-client -vvvvvvvvvv --loglevel DEBUG -f -x start
+# In another terminal:
+# tail -F /var/log/fail2ban.log
+#
+# It helps to delete the persistent save db before fail2ban is started
+# in debug mode too:
+# rm /var/lib/fail2ban/fail2ban.sqlite3
+# And we're always watching
+# If you're testing/debugging your auth and failing your own logins
+# either by mistake or intentionally, you'll want to either decrease
+# the findtime, decrease the bantime, increase the maxretry time,
+# or just disable fail2ban for [findtime] after your testing.
+findtime = 6h
+# Quick and done
+maxretry = 5
+[sshd]
+# Disable sshd since we don't have public ssh access to these servers
+enabled = false
+[postfix]
+enabled = true
+mode = aggressive
+findtime = 7d # watch out for bad long-term trickle tricksters
+[postfix-rspamd]
+enabled = true
+findtime = 7d
+maxretry = 3
+[dovecot]
+enabled = true

diff --git a/ansible/roles/fail2ban/files/fail2ban/fail2ban.local b/ansible/roles/fail2ban/files/fail2ban/fail2ban.local new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/ansible/roles/fail2ban/files/fail2ban/fail2ban.local


diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/postfix-rspamd.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/postfix-rspamd.conf new file mode 100644 index 0000000..311936b --- /dev/null +++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/postfix-rspamd.conf
@@ -0,0 +1,11 @@
	1	[INCLUDES]
	2	before = common.conf
	3
	4	[Definition]
	5	_daemon = postfix/cleanup
	6	_port = (?::\d+)?
	7
	8	# Line looks like:
	9	# Jul 4 16:40:22 mailmash postfix/cleanup[14378]: F3FECD008FA: milter-reject: END-OF-MESSAGE from fixed-187-188-96-153.totalplay.net[187.188.96.153]: 5.7.1 Spam message rejected; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<fixed-187-188-96-153.totalplay.net>
	10	failregex = milter-reject: END-OF-MESSAGE from [a-z0-9.-]+\[<HOST>\]: 5.7.1 Spam message rejected
	11	ignoreregex =


diff --git a/ansible/roles/fail2ban/files/fail2ban/jail.local b/ansible/roles/fail2ban/files/fail2ban/jail.local new file mode 100644 index 0000000..5b77b5b --- /dev/null +++ b/ansible/roles/fail2ban/files/fail2ban/jail.local
@@ -0,0 +1,59 @@
	1	[DEFAULT]
	2	# For 'banaction' you can use any action defined in /etc/fail2ban/action.d/
	3	# including things like iptables, iptables-ipset, nftables-*, ...
	4	banaction = hostsdeny
	5	banaction_allports = hostsdeny
	6
	7	# Blocking decision making is fully logged in /var/log/fail2ban.log
	8	# Current blocking can be viewed with:
	9	# fail2ban-client status
	10	# fail2ban-client status [service]
	11
	12	# You can unban IPs with
	13	# fail2ban-client unban <ip>...
	14	#
	15	# Or unban just for one service/jail
	16	# fail2ban-client set <jail> unban <ip>
	17
	18	# Go away for a long time
	19	bantime = 34d
	20
	21
	22	# DEBUGGING
	23	# You can debug fail2ban behavior by running it in the foreground with
	24	# client debug and server debug logging:
	25	# fail2ban-client -vvvvvvvvvv --loglevel DEBUG -f -x start
	26	# In another terminal:
	27	# tail -F /var/log/fail2ban.log
	28	#
	29	# It helps to delete the persistent save db before fail2ban is started
	30	# in debug mode too:
	31	# rm /var/lib/fail2ban/fail2ban.sqlite3
	32
	33
	34	# And we're always watching
	35	# If you're testing/debugging your auth and failing your own logins
	36	# either by mistake or intentionally, you'll want to either decrease
	37	# the findtime, decrease the bantime, increase the maxretry time,
	38	# or just disable fail2ban for [findtime] after your testing.
	39	findtime = 6h
	40
	41	# Quick and done
	42	maxretry = 5
	43
	44	[sshd]
	45	# Disable sshd since we don't have public ssh access to these servers
	46	enabled = false
	47
	48	[postfix]
	49	enabled = true
	50	mode = aggressive
	51	findtime = 7d # watch out for bad long-term trickle tricksters
	52
	53	[postfix-rspamd]
	54	enabled = true
	55	findtime = 7d
	56	maxretry = 3
	57
	58	[dovecot]
	59	enabled = true