ansible-role-fail2ban's Introduction

Install and configure fail2ban on your system.

This example is taken from molecule/default/converge.yml and is tested on each push, pull request and release.

---
- name: Converge
  hosts: all
  become: true
  gather_facts: true

  roles:
    - role: robertdebock.fail2ban

The machine needs to be prepared. In CI this is done using molecule/default/prepare.yml:

---
- name: Prepare
  hosts: all
  become: true
  gather_facts: false

  roles:
    - role: robertdebock.bootstrap
    - role: robertdebock.epel

Also see a full explanation and example on how to use these roles.

The default values for the variables are set in defaults/main.yml:

---
# defaults file for fail2ban

fail2ban_loglevel: INFO
fail2ban_logtarget: /var/log/fail2ban.log

fail2ban_ignoreself: "true"
fail2ban_ignoreips:
  - "127.0.0.1/8 ::1"

# In seconds
fail2ban_bantime: 600
fail2ban_findtime: 600

fail2ban_maxretry: 5
fail2ban_destemail: root@localhost
fail2ban_sender: root@{{ ansible_fqdn }}

fail2ban_configuration: []
#  - option: loglevel
#    value: "INFO"
#    section: Definition

fail2ban_jail_configuration: []
#  - option: ignoreself
#    value: "true"
#    section: DEFAULT

# Path to directory containing filters to copy in filter.d
# fail2ban_filterd_path:
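
An added example, not taken from the role's repository: a playbook that uses fail2ban_jail_configuration to enable the stock sshd jail, exempt one management address, and then check the result with fail2ban-client. The admin_address variable and its 192.0.2.10 value are placeholders, and the example assumes the distribution's fail2ban package ships an [sshd] jail.

```yaml
---
# Added example (not from the role's repository). The address is an RFC 5737
# documentation placeholder; jail and option names are stock fail2ban ones.
- name: Harden SSH with fail2ban
  hosts: all
  become: true
  gather_facts: true

  vars:
    # Hypothetical management host that must never be banned.
    admin_address: "192.0.2.10"
    # Every value is a quoted string: the role's validation task applies
    # `length` to item.value, which fails on booleans and integers.
    fail2ban_jail_configuration:
      - section: DEFAULT
        option: ignoreip
        value: "127.0.0.1/8 ::1 {{ admin_address }}"
      - section: sshd
        option: enabled
        value: "true"
      - section: sshd
        option: maxretry
        value: "3"
      - section: sshd
        option: findtime
        value: "600"
      - section: sshd
        option: bantime
        value: "3600"

  roles:
    - role: robertdebock.fail2ban

  post_tasks:
    # Any handlers the role notified are flushed before post_tasks, so this
    # reads the running daemon's view rather than only the file on disk.
    - name: Read the sshd jail's ignore list
      ansible.builtin.command: fail2ban-client get sshd ignoreip
      register: sshd_ignoreip
      changed_when: false
      retries: 5
      delay: 2
      until: sshd_ignoreip.rc == 0

    - name: Fail the play if the management address could still be banned
      ansible.builtin.assert:
        that:
          - admin_address in sshd_ignoreip.stdout
```

The final assertion stops the play when the ignore list did not reach the running jail, instead of leaving the management address bannable without notice.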

The following roles are used to prepare a system. You can prepare your system in another way.

  • robertdebock.bootstrap
  • robertdebock.epel

This role is a part of many compatible roles. Have a look at the documentation of these roles for further information.

Here is an overview of related roles: dependencies

This role has been tested on these container images:

container   tags
EL          8, 9
Debian      all
Fedora      all
Ubuntu      all

The minimum version of Ansible required is 2.12; tests have been done against:

  • The previous version.
  • The current version.
  • The development version.

If you find issues, please register them in GitHub.

Apache-2.0.

robertdebock

Please consider sponsoring me.

ansible-role-fail2ban's Issues

Feature request: copy filters in filterd

Proposed feature

Add a new step in the playbook to copy filters in filterd folder.

Rationale

For the moment, if you specify a filter in your jail local conf, it will fail as the filters do not exist.

I will propose a PR for that.

Configuration?

Describe the bug
It seems the role doesn't configure anything. Is it a WIP?

It installs fail2ban and enables the service.

Error in readme

"Provides Postfix for your system"

Shouldn't this be "Provides fail2ban"?

Whitelisted IP addresses are not ignored.

Whitelisted IP addresses are not ignored by fail2ban

IP addresses added to the ignoreips variable are not being ignored by fail2ban. Running fail2ban-client get sshd ignoreip returns nothing.

The ignoreip line belongs in jail.local, not fail2ban.local, as detailed in the jail.conf default configuration.

Environment

  • Control node OS: MacOS 13.6
  • Control node Ansible version: 2.5.14
  • Managed node OS: Debian 12

No support for multiple values in jail.local ini file

Describe the bug

I try to add multiple actions in one section in jail. It is not possible in current role form.

Playbook

Please paste the playbook you are using. (Consider requirements.yml and
optionally the command you've invoked.)

---
    - role: robertdebock.fail2ban
      become: true
      vars:
        fail2ban_filterd_path: "../fail2ban/filters/"
        fail2ban_jail_configuration:
          - section: syslog-sftp
            option: action
            value: |
              iptables-allports[actname=sshd,name=sshd,protocol=all]
                       iptables-allports[actname=sshd-docker,name=sshd-docker,protocol=all,chain=DOCKER]

Output

It will constantly multiply the last line (adding it with each playbook execution):

 action = iptables-allports[actname=sshd,name=sshd,protocol=all]
          iptables-allports[actname=sshd-docker,name=sshd-docker,protocol=all,chain=DOCKER]
 
+         iptables-allports[actname=sshd-docker,name=sshd-docker,protocol=all,chain=DOCKER]

Environment

  • Control node OS: [e.g. Debian 9] (cat /etc/os-release): MacOS on M1
  • Control node Ansible version: [e.g. 2.9.1] (ansible --version): 2.15.1
  • Managed node OS: [e.g. CentOS 7] (cat /etc/os-release): "Ubuntu 22.04.2 LTS"

How to configure a jail

Hi,

Could you please point me in the right direction as to how to configure a jail (ssh for example) using this role?

Thanks!

Custom configuration in .local file instead of jail.conf

Is your feature request related to a problem? Please describe.
This role modifies the jail.conf file for customisation. This file gets overwritten with every update.

Describe the solution you'd like
According to fail2ban the recommended approach would be to provide customisations in jail.local or jail.d/customisation.local file. Switching jail.conf to jail.local in main.yml should do the trick.

Describe alternatives you've considered
It might be worth considering putting in a template customisation.local file with sane defaults which the user can switch with their own. This could be done by playbook pathing. The file name could be provided in a variable, that way the user won't have to modify the role.

Additional context
N/A

Improve your examples for newbie users

Proposed feature

Your examples could be enhanced to allow newer users to get started with your library.

Rationale

Anyone starting with Ansible is likely to be coming from shell scripts and so their first playbooks are likely to be a long list of tasks that operate steps already defined in their scripts. At some point, as they look for example code they will come across your library, but to use it they need to understand the basics for ansible-galaxy and find a way to merge tasks and roles into a single playbook.

Additional context

After some hunting around the way to combine tasks and roles turned out to be simple - but you have to find an example. It would be helpful if your notes included such an example. For fail2ban it is as simple as the following task

- name: install fail2ban via a role wrapped as a task
  import_role:
    name: robertdebock.fail2ban

Check mode doesn't work

Hi, when I use my playbook to install your role, the check mode failed on this task. It could be cool to make it work in check mode, to be sure what changes will be made.

TASK [robertdebock.fail2ban : test if fail2ban_jail_configuration is set correctly] *******************************************************************************************************************************************************************************************************************************************
fatal: [192.168.1.X]: FAILED! => {}

MSG:

The conditional check 'item.value | length > 0' failed. The error was: Unexpected templating type error occurred on ({% if item.value | length > 0 %} True {% else %} False {% endif %}): object of type 'bool' has no len()
