roles/common: rework fail2ban tasks

We can only run fail2ban when we have logs to monitor. When a host
is running Caddy we don't have logs, so fail2ban doesn't have anything
to monitor out of the box. For now I will restrict the fail2ban tasks
to hosts running nginx.
This commit is contained in:
Alan Orth 2023-08-23 21:59:28 +03:00
parent 84d210cfab
commit 067adcd9f5
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9
4 changed files with 23 additions and 6 deletions


@ -25,3 +25,4 @@
ansible.builtin.systemd: ansible.builtin.systemd:
name: fail2ban name: fail2ban
state: restarted state: restarted
when: webserver is defined and webserver == 'nginx'
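Review bot: The new `when` on the restart handler repeats the `webserver is defined and webserver == 'nginx'` test that this commit also adds to the include_tasks in debian.yml and ubuntu.yml and to the install task in fail2ban.yml, so the same policy now lives in four places and can drift. A single role default such as `fail2ban_enabled: "{{ webserver | default('') == 'nginx' }}"` with `when: fail2ban_enabled | bool` here and at the includes would keep them in step. A handler conditional also means a notification raised on a non-nginx host is silently skipped rather than surfaced, which is acceptable only because nothing should notify it there; a one-line comment such as `# Only restart on hosts where this role manages fail2ban (nginx).` would make that intent explicit.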


@ -1,4 +1,15 @@
--- ---
- name: Install fail2ban
when:
- ansible_distribution_major_version is version('11', '>=')
- webserver is defined and webserver == 'nginx'
ansible.builtin.package:
name:
- fail2ban
- python3-systemd
state: present
cache_valid_time: 3600
- name: Configure fail2ban sshd filter - name: Configure fail2ban sshd filter
ansible.builtin.template: ansible.builtin.template:
src: etc/fail2ban/jail.d/sshd.local.j2 src: etc/fail2ban/jail.d/sshd.local.j2
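Review bot: The new install task is guarded by `ansible_distribution_major_version is version('11', '>=')`, but the `Configure fail2ban sshd filter` task that follows it (its `when`, if any, lies outside the hunk) will still run on a Debian 9 or 10 host, because debian.yml includes this file for major version 9 and up; that templates `jail.d/sshd.local` onto a host where the package was never installed and presumably notifies a restart of a unit that does not exist. Either raise the include threshold in debian.yml to 11 or wrap the install and configure tasks in one `block:` that carries both the version check and the `webserver` condition. The `11` comparison is also Debian-specific: when this file is included from ubuntu.yml it compares `16`/`18`/`20`/`22` against `11` and passes only by coincidence, so an explicit `ansible_distribution == 'Debian'` clause, or a per-distribution variable, would document the intent.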


@ -6,10 +6,8 @@
when: ansible_distribution_major_version is version('11', '>=') when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.package: ansible.builtin.package:
name: name:
- fail2ban
- libnet-ip-perl # for aggregate-cidr-addresses.pl - libnet-ip-perl # for aggregate-cidr-addresses.pl
- nftables - nftables
- python3-systemd
- curl # for nftables update scripts - curl # for nftables update scripts
state: present state: present
cache_valid_time: 3600 cache_valid_time: 3600
@ -109,8 +107,12 @@
state: started state: started
enabled: true enabled: true
# We only install fail2ban on systems running nginx. If the host is running
# Caddy then there are no logs for us to monitor.
- ansible.builtin.include_tasks: fail2ban.yml - ansible.builtin.include_tasks: fail2ban.yml
when: ansible_distribution_major_version is version('9', '>=') when:
- ansible_distribution_major_version is version('9', '>=')
- webserver is defined and webserver == 'nginx'
tags: firewall tags: firewall
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:
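Review bot: The comment added above the include (`# We only install fail2ban on systems running nginx. If the host is running Caddy then there are no logs for us to monitor.`) is only true of the nginx jails: the sshd jail that fail2ban.yml configures from `jail.d/sshd.local.j2` watches sshd authentication failures, presumably via the journal given that `python3-systemd` is installed next to fail2ban, and needs no web server log at all. Gating the whole include on `webserver == 'nginx'` therefore drops SSH brute-force banning on every Caddy host, which is a security regression rather than a no-op. I would keep the include at `when: ansible_distribution_major_version is version('9', '>=')`, move the `webserver is defined and webserver == 'nginx'` condition onto the nginx-specific jail and filter tasks inside fail2ban.yml, and reword the comment to `# fail2ban is always installed for the sshd jail; nginx jails are only configured when webserver == 'nginx'.` Hosts that already received fail2ban from the old package list also keep it installed but now unmanaged, which deserves either a removal task or a note in the commit message.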


@ -3,12 +3,11 @@
- block: - block:
- name: Install Ubuntu firewall packages - name: Install Ubuntu firewall packages
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.package: ansible.builtin.package:
name: name:
- fail2ban
- libnet-ip-perl # for aggregate-cidr-addresses.pl - libnet-ip-perl # for aggregate-cidr-addresses.pl
- nftables - nftables
- python3-systemd
- curl # for nftables update scripts - curl # for nftables update scripts
state: present state: present
cache_valid_time: 3600 cache_valid_time: 3600
@ -107,8 +106,12 @@
state: started state: started
enabled: true enabled: true
# We only install fail2ban on systems running nginx. If the host is running
# Caddy then there are no logs for us to monitor.
- ansible.builtin.include_tasks: fail2ban.yml - ansible.builtin.include_tasks: fail2ban.yml
when: ansible_distribution_version is version('16.04', '>=') when:
- ansible_distribution_version is version('16.04', '>=')
- webserver is defined and webserver == 'nginx'
tags: firewall tags: firewall
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:
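Review bot: The two release thresholds in this file now disagree: the newly added `when: ansible_distribution_version is version('20.04', '>=')` on the firewall packages task skips nftables, curl and libnet-ip-perl on Ubuntu 16.04 and 18.04, while the fail2ban include below still fires from `16.04`, and the install task in fail2ban.yml passes on those releases because `16`/`18` satisfy its `version('11', '>=')` check. On such a host fail2ban would be installed and configured without the nftables setup the rest of the role provides, so its ban action falls back to whatever the distribution default is, which may not match what the nftables update scripts expect. If 16.04 and 18.04 are no longer supported, change the include to `- ansible_distribution_version is version('20.04', '>=')` as well; otherwise add a comment explaining why fail2ban is wanted there without the firewall packages.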