From 14814aa5d9b8972f116083fd0c6c7e4fa259f9bf Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Mon, 26 Jul 2021 22:07:31 +0300
Subject: [PATCH] roles/common: Wire up fail2ban

The nftables support works easily and creates the table, chains, and sets on demand.
---
 roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2 | 5 +++++
 .../etc/systemd/system/fail2ban.service.d/override.conf.j2 | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2 b/roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2
index 14e1e26..9df015f 100644
--- a/roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2
+++ b/roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2
@@ -2,8 +2,13 @@
 enabled = true
 # See: /etc/fail2ban/filter.d/sshd.conf
 filter = sshd
+{% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '>=') %}
+# Integrate with nftables
+banaction=nftables[type=allports]
+{% else %}
 # Integrate with firewalld and ipsets
 banaction = firewallcmd-ipset
+{% endif %}
 backend = systemd
 maxretry = {{ fail2ban_maxretry }}
 findtime = {{ fail2ban_findtime }}
diff --git a/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2 b/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
index 268bd48..7e9fd50 100644
--- a/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
+++ b/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
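Review bot: The Debian branch's `banaction=nftables[type=allports]` changes the ban scope relative to the branch it replaces: as far as I recall, fail2ban's nftables action with `type=allports` blocks the banned address on every port, while `firewallcmd-ipset` only rejects traffic to the jail's port, so the two code paths do not enforce the same policy on different hosts. If the wider ban is intended, say so where the reader will look, e.g. `# Integrate with nftables (bans the address on all ports, not just sshd's)`; otherwise `nftables[type=multiport]` would keep parity with the firewalld branch. The line also drops the `key = value` spacing used everywhere else in the file (`banaction = firewallcmd-ipset`, `backend = systemd`); `banaction = nftables[type=allports]` would match.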
@@ -2,14 +2,14 @@
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectHome=read-only
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=') %}
+{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
 ProtectSystem=strict
 {% else %}
 {# Older systemd versions don't have ProtectSystem=strict #}
 ProtectSystem=full
 {% endif %}
 NoNewPrivileges=yes
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=') %}
+{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
 ReadWritePaths=-/var/run/fail2ban
 ReadWritePaths=-/var/lib/fail2ban
 ReadWritePaths=-/var/log/fail2ban.log
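Review bot: The distribution test is now repeated verbatim in both `{% if %}` blocks of this template (and its Debian half a third time in sshd.local.j2), so the next OS or version added has to be edited in three places and the `ProtectSystem=strict` and `ReadWritePaths` decisions can silently drift apart. Evaluating it once near the top of the template, `{% set strict_systemd = (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}`, and writing `{% if strict_systemd %}` at both sites keeps them in step; a short comment such as `{# ProtectSystem=strict needs a systemd new enough for ReadWritePaths #}` next to the set would record why the two blocks must agree. The second `{% if %}` block is closed outside the hunk.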