2019-10-26 16:36:07 +02:00
---
#file - roles/common/defaults/main.yml
roles/common: Fix fail2ban ignoreip
According to jail.conf we actually need to separate multiple values
with spaces instead of commas. On some versions of fail2ban this is
a fatal error:
> CRITICAL Unhandled exception in Fail2Ban:
> Traceback (most recent call last):
> File "/usr/lib/python3/dist-packages/fail2ban/server/jailthread.py", line 66, in run_with_except_hook
> run(*args, **kwargs)
> File "/usr/lib/python3/dist-packages/fail2ban/server/filtersystemd.py", line 246, in run
> *self.formatJournalEntry(logentry))
> File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 432, in processLineAndAdd
> if self.inIgnoreIPList(ip, log_ignore=True):
> File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 371, in inIgnoreIPList
> "(?<=b)1+", bin(DNSUtils.addr2bin(s[1]))).group())
> File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 928, in addr2bin
> return struct.unpack("!L", socket.inet_aton(ipstring))[0]
> OSError: illegal IP address string passed to inet_aton
This affects (at least) fail2ban 0.9.3 on Ubuntu 16.04, but I never
noticed.
2021-08-12 14:24:50 +02:00
# add a dummy API key for AbuseIPDB.com (override with real one in host_vars)
abuseipdb_api_key: dummy
2019-10-26 16:36:07 +02:00
fail2ban_maxretry: 6
# 1 hour in seconds
fail2ban_findtime: 3600
# 2 weeks in seconds
fail2ban_bantime: 1209600
2021-08-12 14:24:50 +02:00
fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24
2019-10-26 16:36:07 +02:00
2023-08-10 22:09:03 +02:00
# Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
# before re-configuring the SSH daemon to disable passwords.
ssh_password_authentication: disabled
2019-10-26 16:36:07 +02:00
# vim: set ts=2 sw=2:
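
The separator rule from the commit message above, as an added example that is not part of this repository: a pre-deploy lint that rejects a comma-separated `fail2ban_ignoreip` before it reaches a host. The function names are hypothetical, the samples are constructed from the value on this page, and validation uses Python's `ipaddress` module rather than fail2ban's own parser.

```python
import ipaddress
import re

# Loose host name shape; jail.conf also allows DNS hosts in ignoreip.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")

# Constructed samples: GOOD is the value on this page, BAD is the same list with commas.
GOOD = "127.0.0.1/8 172.26.0.0/16 192.168.5.0/24"
BAD = "127.0.0.1/8,172.26.0.0/16,192.168.5.0/24"
DEFAULTS = "fail2ban_maxretry: 6\nfail2ban_ignoreip: " + GOOD + "\n"


def lint_ignoreip(value):
    """Return a list of problems found in a fail2ban ignoreip value."""
    problems = []
    for token in value.split():  # entries must be separated by spaces
        if "," in token:
            problems.append(f"{token!r}: comma found, separate entries with spaces")
            continue
        try:
            # strict=False accepts host bits set, as in 127.0.0.1/8
            ipaddress.ip_network(token, strict=False)
        except ValueError:
            # Not an address or CIDR range: accept only something host-name shaped.
            is_host = HOSTNAME_RE.match(token) and any(c.isalpha() for c in token)
            if not is_host:
                problems.append(f"{token!r}: not an IP address, CIDR range or host name")
    return problems


def ignoreip_from_defaults(text, key="fail2ban_ignoreip"):
    """Pull the value of `key` from simple one-line `key: value` YAML entries."""
    for line in text.splitlines():
        name, sep, val = line.partition(":")
        if sep and name.strip() == key:
            return val.strip()
    return None


if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(sample, "->", lint_ignoreip(sample) or "ok")
```
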