update template jail.local

2023-10-27 10:01:03 +02:00 · 2023-10-27 10:01:03 +02:00 · 718b6e32ce
parent e6e6d14670
commit 718b6e32ce
3 changed files with 86 additions and 5 deletions
--- a/host_vars/debian-test-awx-ct.yaml
+++ b/host_vars/debian-test-awx-ct.yaml
@ -1,7 +1,7 @@
 ---
-bantime: "10m"
-maxretry: "10"
-findtime: "10m"
+bantime: "604800"
+maxretry: "4"
+findtime: "604800"
 jails:
  - name: sshd
    enabled: true
--- a/roles/config-fail2ban/templates/jail.j2
+++ b/roles/config-fail2ban/templates/jail.j2
@ -33,8 +33,6 @@ port = {{ jail.port | join(' ') }}
 maxretry = {{ jail.maxretry }}
 bantime = {{ jail.bantime }}
 findtime = {{ jail.findtime }}
-banaction = nftables-multiport
-banaction_allports = nftables-allports
 action = {{ jail.action }}
 {% endfor %}
 #+++++++++++++++++++++++++++++++++++++
--- a/roles/config-fail2ban/templates/jail2.j2
+++ b/roles/config-fail2ban/templates/jail2.j2
@ -0,0 +1,83 @@
+# Custom fail2ban conf
+
+#+++++++++++++++++++++++++++++++++++++
+
+# 31536000 ; year
+# 18144000 ; 30days
+# 604800   ; 1 week
+# 86400    ; 1 day
+# 3600     ; 1 hour
+
+#+++++++++++++++++++++++++++++++++++++
+
+[INCLUDES]
+
+#
+# INCLUDES
+#
+
+before = paths-debian.conf
+
+#+++++++++++++++++++++++++++++++++++++
+
+# The DEFAULT allows a global definition of the options. They can be overridden
+# in each jail afterwards.
+
+[DEFAULT] 
+
+#
+# OPTIONS CONF DEFAULT
+#
+
+# ignorecommand =
+bantime = {{ bantime }}
+findtime = {{ findtime }}
+maxretry = {{ maxretry }}
+maxmatches = %(maxretry)s
+backend = auto
+usedns = warn
+logencoding = auto
+enabled = false
+mode = normal
+filter = %(__name__)s[mode=%(mode)s]
+destemail = sysadmin@verdnatura.es
+sender = root@<fq-hostname>
+mta = mail
+protocol = tcp
+chain = <known/chain>
+port = 0:65535
+fail2ban_agent = Fail2Ban/%(fail2ban_version)s
+banaction = nftables-multiport
+banaction_allports = nftables-allports
+action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+action_mw = %(action_)s
+            %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+action_mwl = %(action_)s
+             %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
+action_xarf = %(action_)s
+             xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
+action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
+                %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
+action_blocklist_de = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
+action_abuseipdb = abuseipdb
+action = %(action_mwl)s
+
+#+++++++++++++++++++++++++++++++++++++
+
+#
+# JAILS
+#
+
+{% for jail in jails %}
+#+++++++++++++++++++++++++++++++++++++
+[{{ jail.name }}]
+enabled = {{ jail.enabled }}
+filter = {{ jail.filter }}
+logpath = {{ jail.logpath }}
+port = {{ jail.port | join(' ') }}
+maxretry = {{ jail.maxretry }}
+bantime = {{ jail.bantime }}
+findtime = {{ jail.findtime }}
+action = {{ jail.action }}
+{% endfor %}
+#+++++++++++++++++++++++++++++++++++++