Commit Graph

9 Commits

Author SHA1 Message Date
067adcd9f5
roles/common: rework fail2ban tasks
We can only run fail2ban when we have logs to monitor. When a host
is running Caddy we don't have logs, so fail2ban doesn't have any-
thing to monitor out of the box. For now I will restrict the task
to hosts running nginx.
2023-08-23 21:59:28 +03:00
17736a4f14
roles/common: run ansible-lint --write 2023-08-23 21:33:22 +03:00
34be0013b7
Remove Debian 10 support 2022-09-11 09:21:08 +03:00
1da0da53ec
roles: use longer format for when conditionals
When the condition is an AND we can use this more succinct format.
2022-09-10 23:12:49 +03:00
ffe7a872dd
roles: strict truthy values
According to Ansible we can use yes, true, True, "or any quoted st-
ring" for a boolean true, but ansible-lint wants us to use either
true or false.

See: https://chronicler.tech/red-hat-ansible-yes-no-and/
2022-09-10 22:33:19 +03:00
587bd6dcdd roles: use fully qualified module names 2022-09-10 18:35:27 +03:00
98cc3a8c2e
Add nginx filter for fail2ban
Some hosts can use fail2ban's nginx-botsearch filter to ban anyone
making requests to non-existent files like wp-login.php. There is
no reason to request such files naively and anyone found doing so
can be banned immediately.

In theory I should report them to AbuseIPDB.com, but that will take
a little more wiring up.
2021-08-01 09:56:43 +03:00
919fbbbcd9
roles/common: Make sure fail2ban is started 2019-10-26 17:14:28 +02:00
0605f70f2e
roles/common: Add support for fail2ban
This is active banning of IPs that are brute forcing login attempts
to SSH, versus the passive banning of 10,000 abusive IPs from the
abuseipdb.com blacklist. For now I am banning IPs that fail to log
in successfully more than twelve times in a one-hour period, but
these settings might change, and I can override them at the group
and host level if needed.

Currently this works for CentOS 7, Ubuntu 16.04, and Ubuntu 18.04,
with minor differences in the systemd configuration due to older
versions on some distributions.

You can see the status of the jail like this:

    # fail2ban-client status sshd
    Status for the jail: sshd
    |- Filter
    |  |- Currently failed: 0
    |  |- Total failed:     0
    |  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
    `- Actions
       |- Currently banned: 1
       |- Total banned:     1
       `- Banned IP list:   106.13.112.20

You can unban IPs like this:

    # fail2ban-client set sshd unbanip 106.13.112.20
2019-10-26 16:36:07 +02:00