
ansible-fail2ban

A role to install and configure fail2ban on a target host.

Requirements

Ansible version

Minimum required ansible version is 2.0.

Role Variables

Variables conditionally loaded

Add jails with custom filters.

The example below bans an IP address that produces too many 403 responses, using a custom filter and a custom ban action:

- role: fail2ban
  fail2ban_jails:
      - name: kinto_auth  # nginx 403 for kinto fails
        enabled: 'true'
        filter: kinto-auth
        action: nginx-blacklist
        logpath: /var/log/nginx/kinto_nginx_access.log
  fail2ban_filters: # custom filters
      - name: kinto-auth
        failregex: '<HOST> - .* \[.*\] ".*" 403 \d+ ".*" ".*" ".*"'
  fail2ban_actions: # Custom actions, all keys optional
      - name: nginx-blacklist
        actionstart:
            - echo "" > /etc/nginx/ip_blacklist.conf # Unban all before starting
            - touch /var/run/fail2ban/fail2ban.dummy
            - printf %%b "<init>\n" >> /var/run/fail2ban/fail2ban.dummy
        actionstop:
            - echo "" > /etc/nginx/ip_blacklist.conf # Unban all before stopping
            - systemctl reload openresty
            - rm -f /var/run/fail2ban/fail2ban.dummy
        actioncheck:
            - echo "ok"
        actionban:
            - echo "<ip> 0;" >> /etc/nginx/ip_blacklist.conf
            - systemctl reload openresty
        actionunban:
            - sed -i "/$(echo "<ip>" | sed 's/\./\\\./g') 0;/d" /etc/nginx/ip_blacklist.conf
            - systemctl reload openresty
        init:
            init: "something"
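As an added example (not part of the role or its README), the following Python script approximates what fail2ban-regex does with the kinto-auth filter above: it swaps fail2ban's <HOST> tag for a capture group, runs the failregex over constructed nginx access-log lines, and then applies the role's default maxretry of 3 within an assumed findtime of 600 seconds to decide which hosts the jail would ban. Date handling and anchoring are simplified compared with real fail2ban, so treat it as a quick sanity check for a filter before deploying it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed nginx access-log lines (not real traffic) in the three-quoted-field layout the
# failregex above expects: remote_addr - user [time] "request" status bytes "ref" "ua" "xff".
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /v1/buckets HTTP/1.1" 403 162 "-" "curl/8.0.1" "-"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /v1/buckets HTTP/1.1" 403 162 "-" "curl/8.0.1" "-"
198.51.100.3 - alice [10/Oct/2023:13:55:41 +0000] "GET /v1/buckets HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"
203.0.113.7 - - [10/Oct/2023:13:55:45 +0000] "GET /v1/buckets HTTP/1.1" 403 162 "-" "curl/8.0.1" "-"
198.51.100.3 - - [10/Oct/2023:13:58:02 +0000] "POST /v1/batch HTTP/1.1" 403 162 "-" "Mozilla/5.0" "-"
"""

# The kinto-auth failregex exactly as given in the role example above.
FAILREGEX = r'<HOST> - .* \[.*\] ".*" 403 \d+ ".*" ".*" ".*"'

# nginx's default time_local layout; real fail2ban matches dates separately, this is a simplification.
TIMESTAMP = re.compile(r'\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2}) [+-]\d{4}\]')

def compile_failregex(failregex):
    """Swap fail2ban's <HOST> tag for a named group, roughly as fail2ban-regex does."""
    return re.compile(failregex.replace('<HOST>', r'(?P<host>\S+)'))

def failures_by_host(log_text, failregex=FAILREGEX):
    """Map each host matched by the failregex to the sorted timestamps of its failures."""
    pattern = compile_failregex(failregex)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        match = pattern.search(line)
        if match is None:
            continue  # e.g. the 200 response: not a failure for this filter
        stamp = datetime.strptime(TIMESTAMP.search(line).group(1), '%d/%b/%Y:%H:%M:%S')
        hits[match.group('host')].append(stamp)
    return {host: sorted(times) for host, times in hits.items()}

def hosts_to_ban(log_text, maxretry=3, findtime=600):
    """Hosts with at least maxretry failures inside any findtime-second window (jail semantics)."""
    banned = set()
    for host, times in failures_by_host(log_text).items():
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(host)
                break
    return banned

if __name__ == '__main__':
    print(hosts_to_ban(SAMPLE_LOG))  # {'203.0.113.7'}
```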

Default vars

Defaults from defaults/main.yml.

# defaults file for fail2ban

# service
fail2ban_svc_state: started
fail2ban_svc_enabled: yes

fail2ban_pkg_state: latest
fail2ban_use_firewalld: no

# defaults
fail2ban_jail_default:
  bantime: 600
  maxretry: 3
  banaction: iptables-multiport

# fail2ban_sshd
fail2ban_jails:
  - name: sshd
    enabled: 'true'
    maxretry: '5'

Installation

Install with Ansible Galaxy

ansible-galaxy install archf.fail2ban

Basic usage is:

- hosts: all
  roles:
    - role: archf.fail2ban

Install with git

If you do not want a global installation, clone it into your roles_path.

git clone [email protected]:archf/ansible-fail2ban.git /path/to/roles_path

But I often add it as a submodule in a given playbook_dir repository.

git submodule add [email protected]:archf/ansible-fail2ban.git <playbook_dir>/roles/fail2ban

Because the role is not installed through Ansible Galaxy, you do not have to prefix the role name with the GitHub user account.

Basic usage is:

- hosts: all
  roles:
    - role: fail2ban

Ansible role dependencies

None.

License

MIT.

Author Information

Felix Archambault.

Role stack

This role was carefully selected to be part of an ultimate deck of roles to manage your infrastructure.

All roles' documentation is wrapped in this convenient guide.


This README was generated using ansidoc. This tool is available on PyPI!

pip3 install ansidoc

# validate by running a dry-run (will output result to stdout)
ansidoc --dry-run <rolepath>

# generate your role README file
ansidoc <rolepath>

You can even use it programmatically from Sphinx. Check it out.


ansible-fail2ban's Issues

Includes configuration in jail.local template prevents fail2ban from starting

The [INCLUDES] section in the jail.local template breaks fail2ban from starting here on Debian Wheezy:

[....] Restarting authentication failure monitor: fail2banTraceback (most recent call last):
  File "/usr/bin/fail2ban-client", line 404, in <module>
    if client.start(sys.argv):
  File "/usr/bin/fail2ban-client", line 373, in start
    return self.__processCommand(args)
  File "/usr/bin/fail2ban-client", line 183, in __processCommand
    ret = self.__readConfig()
  File "/usr/bin/fail2ban-client", line 378, in __readConfig
    ret = self.__configurator.getOptions()
  File "/usr/share/fail2ban/client/configurator.py", line 68, in getOptions
    return self.__jails.getOptions(jail)
  File "/usr/share/fail2ban/client/jailsreader.py", line 67, in getOptions
    ret = jail.getOptions()
  File "/usr/share/fail2ban/client/jailreader.py", line 73, in getOptions
    self.__opts = ConfigReader.getOptions(self, self.__name, opts)
  File "/usr/share/fail2ban/client/configreader.py", line 87, in getOptions
    v = self.get(sec, option[1])
  File "/usr/lib/python2.7/ConfigParser.py", line 623, in get
    return self._interpolate(section, option, value, d)
  File "/usr/lib/python2.7/ConfigParser.py", line 691, in _interpolate
    self._interpolate_some(option, L, rawval, section, vars, 1)
  File "/usr/lib/python2.7/ConfigParser.py", line 726, in _interpolate_some
    section, map, depth + 1)
  File "/usr/lib/python2.7/ConfigParser.py", line 723, in _interpolate_some
    option, section, rest, var)
ConfigParser.InterpolationMissingOptionError: Bad value substitution:
    section: [INCLUDES]
    option : action
    key    : port
    rawval : ", protocol="%(protocol)s", chain="%(chain)s"]

 failed!

Removing the section "fixes" the error. I can't really figure out why it's blowing up here; anyone got any idea?
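The traceback shows Python's ConfigParser failing to expand %(port)s while reading the action option under [INCLUDES], a section in which no port option is visible. As an added example (not from the role or the issue reporter), this Python 3 script reproduces that failure with a constructed jail.local fragment and includes a small checker that reports every option whose interpolation cannot be resolved, which is a useful pre-deployment test for a generated template. The %(__name__)s reference found in real fail2ban configs is replaced by a literal name because Python 3's configparser does not supply it.

```python
import configparser

# Constructed jail.local fragments (not the role's real template). In BROKEN the action line
# lives under [INCLUDES], and neither that section nor [DEFAULT] defines "port".
BROKEN = """\
[INCLUDES]
before = paths-debian.conf
action = %(banaction)s[name=sshd, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

[DEFAULT]
banaction = iptables-multiport
protocol = tcp
chain = INPUT

[sshd]
enabled = true
port = ssh
"""

# Same content with the action moved to [DEFAULT] and a fallback port defined there,
# so every section that inherits "action" can resolve %(port)s.
FIXED = """\
[INCLUDES]
before = paths-debian.conf

[DEFAULT]
banaction = iptables-multiport
protocol = tcp
chain = INPUT
port = 0:65535
action = %(banaction)s[name=sshd, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

[sshd]
enabled = true
port = ssh
"""

def unresolved_options(text):
    """Return (section, option, missing_key) for every option whose %()s interpolation fails."""
    # BasicInterpolation is the Python 3 equivalent of the Python 2 behaviour in the traceback.
    cp = configparser.ConfigParser(interpolation=configparser.BasicInterpolation())
    cp.read_string(text)
    problems = []
    for section in cp.sections():
        for option in cp.options(section):
            try:
                cp.get(section, option)
            except configparser.InterpolationMissingOptionError as err:
                problems.append((section, option, err.reference))
    return problems

if __name__ == '__main__':
    print('broken:', unresolved_options(BROKEN))  # [('INCLUDES', 'action', 'port')]
    print('fixed :', unresolved_options(FIXED))   # []
```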
