


d51f8fefaa roles/common: minor configuration of Debian 13 SSH
Tweak some of the new OpenSSH per-source penalty settings on Debian
13. For now only adjusting the source network masks and reusing the
list of IPs to exempt from fail2ban.

These being built in makes them easier to use, but I think I will
end up sticking with fail2ban for the heavy lifting because it
persists across restarts of the daemon, whereas OpenSSH's doesn't. I
will monitor OpenSSH on Debian 13 to see how best to use it alongside
fail2ban.
2025-09-23 10:33:24 +03:00
9ff6e19135 roles/common: use 127.0.0.0/8 for fail2ban ignoreip
We can re-use our fail2ban ignoreip setting for Debian 13's OpenSSH
PerSourcePenaltyExemptList, but OpenSSH is more strict with regards
to masks not being applied to the host portion. I had never noticed
that fail2ban's default was applying the mask on the host portion!
2025-09-23 10:33:23 +03:00
4680999680 roles/common: sshd overrides for Debian 13 2025-09-23 10:33:23 +03:00


@@ -9,6 +9,7 @@
mode: "0644"
notify:
- Restart nftables
- Restart fail2ban
- name: Create /etc/nftables extra config directory
ansible.builtin.file:
@@ -19,14 +20,17 @@
- name: Copy extra nftables configuration files
ansible.builtin.copy:
src: firehol_level1-ipv4.nft
dest: /etc/nftables/firehol_level1-ipv4.nft
src: "{{ item.src }}"
dest: /etc/nftables/{{ item.src }}
owner: root
group: root
mode: "0644"
force: false
force: "{{ item.force }}"
loop:
- { src: firehol_level1-ipv4.nft, force: false }
notify:
- Restart nftables
- Restart fail2ban
- name: Copy nftables update scripts
ansible.builtin.template:
@@ -36,6 +40,27 @@
owner: root
group: root
- name: Remove deprecated data and scripts
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /etc/nftables/spamhaus-ipv4.nft
- /etc/nftables/spamhaus-ipv6.nft
- /etc/nftables/abuseipdb-ipv4.nft
- /etc/nftables/abuseipdb-ipv6.nft
- /etc/nftables/abusech-ipv4.nft
- /usr/local/bin/update-abusech-nftables.sh
- /usr/local/bin/update-spamhaus-nftables.sh
- /etc/systemd/system/update-abusech-nftables.service
- /etc/systemd/system/update-abusech-nftables.timer
- /etc/systemd/system/update-spamhaus-nftables.service
- /etc/systemd/system/update-spamhaus-nftables.timer
- /usr/local/bin/aggregate-cidr-addresses.pl
notify:
- Restart nftables
- Restart fail2ban
- name: Copy nftables systemd units
ansible.builtin.copy:
src: "{{ item }}"
@@ -56,9 +81,11 @@
- name: Start and enable nftables update timers
ansible.builtin.systemd_service:
name: update-firehol-nftables.timer
name: "{{ item }}"
state: started
enabled: true
loop:
- update-firehol-nftables.timer
- name: Start and enable nftables
ansible.builtin.systemd_service: