From 98cc3a8c2eeee3e56733fde91d7cae1a2cc5dd63 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Sun, 1 Aug 2021 09:56:43 +0300
Subject: [PATCH] Add nginx filter for fail2ban

Some hosts can use fail2ban's nginx-botsearch filter to ban anyone making requests to non-existent files like wp-login.php. There is no reason to request such files naively and anyone found doing so can be banned immediately. In theory I should report them to AbuseIPDB.com, but that will take a little more wiring up.
---
 group_vars/web | 8 ++++++++
 roles/common/tasks/fail2ban.yml | 5 +++++
 .../etc/fail2ban/jail.d/nginx.local.j2 | 17 +++++++++++++++++
 3 files changed, 30 insertions(+)
 create mode 100644 group_vars/web
 create mode 100644 roles/common/templates/etc/fail2ban/jail.d/nginx.local.j2

diff --git a/group_vars/web b/group_vars/web
new file mode 100644
index 0000000..474b9cf
--- /dev/null
+++ b/group_vars/web
@@ -0,0 +1,8 @@
+---
+# file: group_vars/web
+
+# all hosts run fail2ban with the sshd filter, but some can use other filters
+extra_fail2ban_filters:
+  - nginx
+
+# vim: set ts=2 sw=2:
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
index a6e2eb2..cf36d34 100644
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@@ -4,6 +4,11 @@
   template: src=etc/fail2ban/jail.d/sshd.local.j2 dest=/etc/fail2ban/jail.d/sshd.local owner=root mode=0644
   notify: restart fail2ban
 
+- name: Configure fail2ban nginx filter
+  when: "extra_fail2ban_filters is defined and 'nginx' in extra_fail2ban_filters"
+  template: src=etc/fail2ban/jail.d/nginx.local.j2 dest=/etc/fail2ban/jail.d/nginx.local owner=root mode=0644
+  notify: restart fail2ban
+
 - name: Create fail2ban service override directory
   file: path=/etc/systemd/system/fail2ban.service.d state=directory owner=root mode=0755
 
diff --git a/roles/common/templates/etc/fail2ban/jail.d/nginx.local.j2 b/roles/common/templates/etc/fail2ban/jail.d/nginx.local.j2
new file mode 100644
index 0000000..8051798
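Review bot: The new "Configure fail2ban nginx filter" task only creates `/etc/fail2ban/jail.d/nginx.local`; nothing removes it when a host later leaves the web group or `nginx` is dropped from `extra_fail2ban_filters`, so the jail stays enabled and keeps banning on that host even though the inventory no longer asks for it. A counterpart task with the inverted condition and `state=absent`, also notifying `restart fail2ban`, keeps the host's fail2ban configuration in step with the inventory. The `when` string could also be written `'nginx' in extra_fail2ban_filters | default([])` to drop the `is defined` guard, though that is a matter of taste. The sshd task whose `template:` and `notify:` lines open this hunk begins before the hunk.
```yaml
- name: Remove fail2ban nginx filter
  when: "extra_fail2ban_filters is not defined or 'nginx' not in extra_fail2ban_filters"
  file: path=/etc/fail2ban/jail.d/nginx.local state=absent
  notify: restart fail2ban
```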
--- /dev/null
+++ b/roles/common/templates/etc/fail2ban/jail.d/nginx.local.j2
@@ -0,0 +1,17 @@
+[nginx]
+enabled = true
+# See: /etc/fail2ban/filter.d/nginx-botsearch.conf
+filter = nginx-botsearch
+{% if (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '>=')) %}
+# Integrate with nftables
+banaction=nftables[type=allports]
+{% else %}
+# Integrate with firewalld and ipsets
+banaction = firewallcmd-ipset
+{% endif %}
+logpath = /var/log/nginx/*-access.log
+# Try to find a non-existent wp-login.php once and get banned. Tough luck.
+maxretry = 1
+findtime = {{ fail2ban_findtime }}
+bantime = {{ fail2ban_bantime }}
+ignoreip = {{ fail2ban_ignoreip }}
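Review bot: `banaction=nftables[type=allports]` drops the spaces around `=` that every other key in this template uses (`banaction = firewallcmd-ipset`, `filter = nginx-botsearch`); fail2ban accepts both forms, but `banaction = nftables[type=allports]` keeps the file consistent. Separately, `maxretry = 1` means a single log line matched by nginx-botsearch bans the client for `fail2ban_bantime` on all ports, and whether that filter's pattern covers only the wp-login.php case the comment names or a wider set of missing paths depends on the stock `/etc/fail2ban/filter.d/nginx-botsearch.conf` shipped on each host, which this template does not control. I would widen the comment to `# Any request matched by nginx-botsearch (see the filter file above) bans on the first hit.` so the operator knows the ban scope is the filter's, not just wp-login.php, and confirm `fail2ban_ignoreip` lists the monitoring and deployment hosts before rolling this out with a one-strike policy.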