From 1204730924436ef9e1c7c49c9557837f9a5ed0e8 Mon Sep 17 00:00:00 2001
From: clarkzjw
Date: Wed, 8 Feb 2023 00:40:09 -0800
Subject: fork https://github.com/mattsta/mailweb
---
.../roles/fail2ban/files/fail2ban/fail2ban.local | 0
.../files/fail2ban/filter.d/postfix-rspamd.conf | 11 ++++
ansible/roles/fail2ban/files/fail2ban/jail.local | 59 ++++++++++++++++++++++
ansible/roles/fail2ban/handlers/main.yml | 5 ++
ansible/roles/fail2ban/tasks/main.yml | 28 ++++++++++
5 files changed, 103 insertions(+)
create mode 100644 ansible/roles/fail2ban/files/fail2ban/fail2ban.local
create mode 100644 ansible/roles/fail2ban/files/fail2ban/filter.d/postfix-rspamd.conf
create mode 100644 ansible/roles/fail2ban/files/fail2ban/jail.local
create mode 100644 ansible/roles/fail2ban/handlers/main.yml
create mode 100644 ansible/roles/fail2ban/tasks/main.yml
(limited to 'ansible/roles/fail2ban')
diff --git a/ansible/roles/fail2ban/files/fail2ban/fail2ban.local b/ansible/roles/fail2ban/files/fail2ban/fail2ban.local
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/fail2ban/files/fail2ban/filter.d/postfix-rspamd.conf b/ansible/roles/fail2ban/files/fail2ban/filter.d/postfix-rspamd.conf
new file mode 100644
index 0000000..311936b
--- /dev/null
+++ b/ansible/roles/fail2ban/files/fail2ban/filter.d/postfix-rspamd.conf
@@ -0,0 +1,11 @@
+[INCLUDES]
+before = common.conf
+
+[Definition]
+_daemon = postfix/cleanup
+_port = (?::\d+)?
+
+# Line looks like:
+# Jul 4 16:40:22 mailmash postfix/cleanup[14378]: F3FECD008FA: milter-reject: END-OF-MESSAGE from fixed-187-188-96-153.totalplay.net[187.188.96.153]: 5.7.1 Spam message rejected; from= to= proto=ESMTP helo=
+failregex = milter-reject: END-OF-MESSAGE from [a-z0-9.-]+\[\]: 5.7.1 Spam message rejected
+ignoreregex =
diff --git a/ansible/roles/fail2ban/files/fail2ban/jail.local b/ansible/roles/fail2ban/files/fail2ban/jail.local
new file mode 100644
index 0000000..5b77b5b
--- /dev/null
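Review bot: The `failregex` in this hunk has nothing between `\[` and `\]` where fail2ban needs its `<HOST>` tag; fail2ban refuses to load a failregex that has no host/failure-id group, so as rendered here the `postfix-rspamd` jail would not start. The sample log line above it has also lost the contents of its `from=`/`to=`/`helo=` fields, so this is probably angle brackets stripped by the page rather than the committed file, but it is worth confirming in the repository. The expression is also unanchored, so `_daemon = postfix/cleanup` is defined but never applied and the pattern is searched anywhere in the line, including inside client-supplied fields such as the HELO string, where a matching substring could make fail2ban act on an address other than the connecting client. Anchoring to the syslog prefix from common.conf addresses both: `failregex = ^%(__prefix_line)s\w+: milter-reject: END-OF-MESSAGE from [a-z0-9.-]+\[<HOST>\]: 5\.7\.1 Spam message rejected`.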
+++ b/ansible/roles/fail2ban/files/fail2ban/jail.local
@@ -0,0 +1,59 @@
+[DEFAULT]
+# For 'banaction' you can use any action defined in /etc/fail2ban/action.d/
+# including things like iptables, iptables-ipset, nftables-*, ...
+banaction = hostsdeny
+banaction_allports = hostsdeny
+
+# Blocking decision making is fully logged in /var/log/fail2ban.log
+# Current blocking can be viewed with:
+# fail2ban-client status
+# fail2ban-client status [service]
+
+# You can unban IPs with
+# fail2ban-client unban ...
+#
+# Or unban just for one service/jail
+# fail2ban-client set unban
+
+# Go away for a long time
+bantime = 34d
+
+
+# DEBUGGING
+# You can debug fail2ban behavior by running it in the foreground with
+# client debug and server debug logging:
+# fail2ban-client -vvvvvvvvvv --loglevel DEBUG -f -x start
+# In another terminal:
+# tail -F /var/log/fail2ban.log
+#
+# It helps to delete the persistent save db before fail2ban is started
+# in debug mode too:
+# rm /var/lib/fail2ban/fail2ban.sqlite3
+
+
+# And we're always watching
+# If you're testing/debugging your auth and failing your own logins
+# either by mistake or intentionally, you'll want to either decrease
+# the findtime, decrease the bantime, increase the maxretry time,
+# or just disable fail2ban for [findtime] after your testing.
+findtime = 6h
+
+# Quick and done
+maxretry = 5
+
+[sshd]
+# Disable sshd since we don't have public ssh access to these servers
+enabled = false
+
+[postfix]
+enabled = true
+mode = aggressive
+findtime = 7d # watch out for bad long-term trickle tricksters
+
+[postfix-rspamd]
+enabled = true
+findtime = 7d
+maxretry = 3
+
+[dovecot]
+enabled = true
diff --git a/ansible/roles/fail2ban/handlers/main.yml b/ansible/roles/fail2ban/handlers/main.yml
new file mode 100644
index 0000000..d83f78d
--- /dev/null
+++ b/ansible/roles/fail2ban/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart fail2ban
+ service:
+ name: fail2ban
+ state: restarted
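Review bot: `findtime = 7d # watch out for bad long-term trickle tricksters` in the `[postfix]` section puts a `#` comment on a value line, and fail2ban's jail parser only recognises inline comments introduced by ` ;` (jail.conf(5): `#` is for whole comment lines), so the value it reads is the whole string and the jail is likely to fail to parse its findtime; move the comment to its own line or write `findtime = 7d ; watch out for bad long-term trickle tricksters`. Separately, `banaction = hostsdeny` only takes effect for services that consult hosts.deny through TCP wrappers: the tasks file says dovecot does, but postfix itself does not use libwrap upstream, so unless this build is patched the bans produced by `[postfix]` and `[postfix-rspamd]` would be logged yet never stop SMTP connections from the banned address. An iptables/nftables-based banaction, which the comment at the top of the section already lists, would enforce every jail's decision uniformly.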
diff --git a/ansible/roles/fail2ban/tasks/main.yml b/ansible/roles/fail2ban/tasks/main.yml
new file mode 100644
index 0000000..6d8e237
--- /dev/null
+++ b/ansible/roles/fail2ban/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+# dovecot is configured to respect the fail2ban deny decisions
+# A failed login is recorded as:
+# dovecot[]: imap-login: access(tcpwrap): Client refused (rip=)
+- name: install fail2ban
+ apt:
+ name: fail2ban
+ state: latest
+ install_recommends: false
+
+- name: copy fail2ban config
+ copy:
+ src: fail2ban/
+ dest: /etc/fail2ban/
+ mode: preserve
+ notify:
+ - restart fail2ban
+
+
+# verify everything is running
+- name: verify services are running in dependency order
+ service:
+ name: "{{ item }}"
+ enabled: yes
+ state: started
+ loop:
+ - fail2ban
+
--
cgit v1.2.3
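Review bot: `state: latest` on the `install fail2ban` task upgrades the package on every play run, so a routine configuration run can pull a new fail2ban version onto the mail host with no change control and the task never reports unchanged; `state: present` installs it once and leaves upgrades to a deliberate step. `mode: preserve` on the `copy fail2ban config` task also means the files under `/etc/fail2ban/` take whatever permissions they have in the controller's checkout, which depends on the clone's umask rather than on anything in this role; an explicit `mode: "0644"` (and `directory_mode` for the `filter.d` directory) makes the deployed permissions deterministic and keeps the jail configuration from ever landing world-writable. The `dovecot[]: ... (rip=)` sample in the header comment appears to have lost its placeholders in rendering, so I have not commented on it.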