roles/common: Wire up fail2ban

The nftables support works easily and creates the table, chains, and
sets on demand.
Alan Orth 2021-07-26 22:07:31 +03:00
parent 3b053167b1
commit 14814aa5d9
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9
2 changed files with 7 additions and 2 deletions


@ -2,8 +2,13 @@
enabled = true
# See: /etc/fail2ban/filter.d/sshd.conf
filter = sshd
{% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '>=') %}
# Integrate with nftables
banaction=nftables[type=allports]
{% else %}
# Integrate with firewalld and ipsets
banaction = firewallcmd-ipset
{% endif %}
backend = systemd
maxretry = {{ fail2ban_maxretry }}
findtime = {{ fail2ban_findtime }}
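Review bot: The two branches of the new conditional do not ban the same thing: `nftables[type=allports]` drops the offending address on every port, whereas the `firewallcmd-ipset` branch keeps the jail's configured `port` (ssh) only, so Debian 11 hosts get a noticeably broader ban than the rest of the fleet for the same sshd jail. If that asymmetry is deliberate it deserves saying, e.g. `# Integrate with nftables (type=allports blocks the address on every port, not just the jail's port)`; if it is not, the action's default multiport type, `banaction = nftables`, should match the firewalld behaviour on the fail2ban version Debian 11 ships — worth confirming against /etc/fail2ban/action.d on a target. The new line also drops the spaces around `=` that every other key in this file uses; fail2ban's parser accepts both, but `banaction = nftables[type=allports]` keeps the file consistent.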


@ -2,14 +2,14 @@
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=read-only
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=') %}
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
ProtectSystem=strict
{% else %}
{# Older systemd versions don't have ProtectSystem=strict #}
ProtectSystem=full
{% endif %}
NoNewPrivileges=yes
{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=') %}
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban.log
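Review bot: The same distribution/version predicate is now duplicated verbatim on the two `{% if %}` lines that gate `ProtectSystem=strict` and the `ReadWritePaths` block, which is exactly why this commit had to touch both; the next platform added will have to remember both again, and a mismatch would silently pair `ProtectSystem=full` with the strict-only `ReadWritePaths` lines or vice versa. A single `{% set systemd_has_protect_strict = (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}` near the top of the template (outside this hunk) lets both gates become `{% if systemd_has_protect_strict %}`, and the existing `{# Older systemd versions don't have ProtectSystem=strict #}` comment then documents the variable in one place. The second `{% if %}` block opened on the last line of the hunk is closed outside it, so whether the `{% else %}`/`{% endif %}` side also needs the hoisted variable cannot be checked from here.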