Ansible Role linuxfabrik.lfops.fail2ban

This role installs and configures fail2ban.

This role provides two additional filters:

• apache-dos: Matches all incoming requests to Apache. Can be used to limit the number of allowed requests per client.
• portscan: Instantly blocks an IP if it accesses a non-permitted port. Note that this requires an iptables firewall with logging (for example, fwbuilder).

Available since LFOps 2.0.0.

Dependent Roles

Any LFOps playbook that installs this role runs these for you. Optional ones can be disabled via the playbook's skip variables.

• The python3-policycoreutils module must be installed (required for the SELinux Ansible tasks) (role: linuxfabrik.lfops.policycoreutils).
• On RHEL-compatible systems, the EPEL repository must be enabled (role: linuxfabrik.lfops.repo_epel).
• On RHEL-compatible systems, the nis_enabled SELinux boolean must be enabled (role: linuxfabrik.lfops.selinux).

Tags

fail2ban

• Installs and configures fail2ban.
• Triggers: fail2ban.service restart.

fail2ban:state

• Manages the state of the fail2ban service.
• Triggers: none.

Optional Role Variables

fail2ban__jail_default_action

• The default action. This will be used in all jails which do not overwrite it.
• Type: String.
• Default: fail2ban__jail_default_banaction

fail2ban__jail_default_banaction

• The default banaction, which will be executed as defined in fail2ban__jail_default_action (assuming the jail does not overwrite it).
• Type: String.
• Default: 'iptables-multiport'

fail2ban__jail_default_ignoreip

• List of IP addresses (in CIDR notation) that will be ignored from all jails (assuming the jail does not overwrite it).
• Type: List.
• Default: []

fail2ban__jail_default_rocketchat_hook

• The incoming Rocket.Chat hook which will be used to send a notification on bans. For this to work rocketchat has to be in the action, have a look at fail2ban__jail_default_action (example below).
• Type: String.
• Default: ''

fail2ban__jail_portscan_allowed_ports

• A list of ports which are allowed to be accessed. IPs accessing these ports will not be blocked. Note: This setting is for the portscan jail.
• Type: List.
• Default: [22]

fail2ban__jail_portscan_bantime

• The ban duration for the portscan jail.
• Type: String.
• Default: '8h'

fail2ban__jail_portscan_server_ips

• A list of IP addresses of the server. Only traffic destined for these IPs will be considered. This prevents accidental banning due to traffic which is passing by the server, but not destined for it. Note: This setting is for the portscan jail.
• Type: List.
• Default: '{{ ansible_facts["all_ipv4_addresses"] }}'

fail2ban__jail_sshd_bantime

• The ban duration for the sshd jail.
• Type: String.
• Default: '7d'

fail2ban__jails__group_var / fail2ban__jails__host_var

• The fail2ban jail definition. For the usage in host_vars / group_vars (can only be used in one group at a time).
• Type: List of dictionaries.
• Default: z10-portscan, z10-sshd

• Subkeys:

  • template:

    • Mandatory. Name of the Jinja template source file to use. Have a look at the possible options here, or raw.
    • Type: String.

  • filename:

    • Mandatory. Destination filename in jail.d/, and normally is equal to the name of the source template used. Will be suffixed with .conf.
    • Type: String.

  • state:

    • Mandatory. State of the jail. Possible options: absent, present.
    • Type: String.

  • raw:

    • Optional. Raw content for the jail.
    • Type: String.

fail2ban__service_enabled

• Enables or disables the fail2ban service, analogous to systemctl enable/disable --now.
• Type: Bool.
• Default: true

Example:

# optional
fail2ban__jail_default_action: |-
  %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
  rocketchat[name=%(__name__)s, rocketchat-hook="%(rocketchat-hook)s"]
fail2ban__jail_default_banaction: 'iptables-multiport'
fail2ban__jail_default_ignoreip:
  - '192.0.2.1/32' # ansible deployment host
fail2ban__jail_default_rocketchat_hook: ''
fail2ban__jail_portscan_allowed_ports:
  - 22
fail2ban__jail_portscan_bantime: '8h'
fail2ban__jail_portscan_server_ips:
  - '192.0.2.5'
  - '198.51.100.100'
fail2ban__jail_sshd_bantime: '7d'
fail2ban__jails__host_var:
  - filename: 'z10-apache-dos'
    state: 'absent'
    template: 'apache-dos'
  - filename: 'z20-custom-apache-dos'
    state: 'present'
    template: 'raw'
    raw: |-
      [apache-dos]
      bantime  = 5m
      enabled  = true
      findtime = 10s
      logpath  = /var/log/httpd/*access?log
      maxretry = 600
      port     = http,https
fail2ban__service_enabled: true

License

The Unlicense

Author Information

Linuxfabrik GmbH, Zurich