From f7e87ea7be83bfe350d5060819ff74f35e089f57 Mon Sep 17 00:00:00 2001
From: Alan Orth
Date: Thu, 12 Aug 2021 15:24:50 +0300
Subject: [PATCH] roles/common: Fix fail2ban ignoreip

According to jail.conf we actually need to separate multiple values with spaces instead of commas. On some versions of fail2ban this is a fatal error:
> CRITICAL Unhandled exception in Fail2Ban:
> Traceback (most recent call last):
> File "/usr/lib/python3/dist-packages/fail2ban/server/jailthread.py", line 66, in run_with_except_hook
> run(*args, **kwargs)
> File "/usr/lib/python3/dist-packages/fail2ban/server/filtersystemd.py", line 246, in run
> *self.formatJournalEntry(logentry))
> File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 432, in processLineAndAdd
> if self.inIgnoreIPList(ip, log_ignore=True):
> File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 371, in inIgnoreIPList
> "(?<=b)1+", bin(DNSUtils.addr2bin(s[1]))).group())
> File "/usr/lib/python3/dist-packages/fail2ban/server/filter.py", line 928, in addr2bin
> return struct.unpack("!L", socket.inet_aton(ipstring))[0]
> OSError: illegal IP address string passed to inet_aton
This affects (at least) fail2ban 0.9.3 on Ubuntu 16.04, but I never noticed.
---
 roles/common/defaults/main.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
index 59ba41b..f4dd2f4 100644
--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -1,11 +1,13 @@
 ---
 #file - roles/common/defaults/main.yml
+# add a dummy API key for AbuseIPDB.com (override with real one in host_vars)
+abuseipdb_api_key: dummy
 fail2ban_maxretry: 6
 # 1 hour in seconds
 fail2ban_findtime: 3600
 # 2 weeks in seconds
 fail2ban_bantime: 1209600
-fail2ban_ignoreip: 127.0.0.1/8,172.26.0.0/16,192.168.5.0/24
+fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24
 # vim: set ts=2 sw=2:
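Review bot: The added default `abuseipdb_api_key: dummy` gives every host a value that looks set, so a host whose host_vars never override it would presumably deploy cleanly and only fail when it tries to report to AbuseIPDB. Consider leaving the variable undefined in defaults and guarding the tasks that use it, or at least extending the comment to `# placeholder only; set the real key in host_vars (preferably encrypted with ansible-vault)`. The addition is also unrelated to the ignoreip fix named in the subject and would be easier to audit as its own commit. The template that consumes `fail2ban_ignoreip` is not visible in this hunk, so it is worth confirming it emits the value verbatim rather than re-joining it with commas.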