diff --git a/host_vars/debian-test-awx-ct.yaml b/host_vars/debian-test-awx-ct.yaml
index ff88832..92f408f 100644
--- a/host_vars/debian-test-awx-ct.yaml
+++ b/host_vars/debian-test-awx-ct.yaml
@@ -1,7 +1,7 @@
 ---
-bantime: "10m"
-maxretry: "10"
-findtime: "10m"
+bantime: "604800"
+maxretry: "4"
+findtime: "604800"
 jails:
 - name: sshd
   enabled: true
diff --git a/roles/config-fail2ban/templates/jail.j2 b/roles/config-fail2ban/templates/jail.j2
index 55ff8ec..69a8295 100644
--- a/roles/config-fail2ban/templates/jail.j2
+++ b/roles/config-fail2ban/templates/jail.j2
@@ -33,8 +33,6 @@ port = {{ jail.port | join(' ') }}
 maxretry = {{ jail.maxretry }}
 bantime = {{ jail.bantime }}
 findtime = {{ jail.findtime }}
-banaction = nftables-multiport
-banaction_allports = nftables-allports
 action = {{ jail.action }}
 {% endfor %}
 #+++++++++++++++++++++++++++++++++++++
diff --git a/roles/config-fail2ban/templates/jail2.j2 b/roles/config-fail2ban/templates/jail2.j2
new file mode 100644
index 0000000..8a5b636
--- /dev/null
+++ b/roles/config-fail2ban/templates/jail2.j2
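Review bot: With `findtime: "604800"` and `maxretry: "4"` next to `bantime: "604800"`, four failed attempts anywhere inside a seven-day window now ban the source for a full week, which is far more likely than the old ten-minute window to lock out a legitimate administrator or the AWX controller that manages this host, and nothing in the commit exempts those addresses. The replaced values show the role already accepted fail2ban's suffix form, so `bantime: "1w"` and `findtime: "1w"` would state the intent more readably if the installed fail2ban accepts the week suffix as it does `10m`; failing that, a comment such as `# 604800 s = 1 week: 4 failures within a week => 1-week ban` beside the values would do. The integers remain quoted strings as before, which fail2ban parses without trouble.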
@@ -0,0 +1,83 @@
+# Custom fail2ban conf
+
+#+++++++++++++++++++++++++++++++++++++
+
+# 31536000 ; year
+# 18144000 ; 30days
+# 604800 ; 1 week
+# 86400 ; 1 day
+# 3600 ; 1 hour
+
+#+++++++++++++++++++++++++++++++++++++
+
+[INCLUDES]
+
+#
+# INCLUDES
+#
+
+before = paths-debian.conf
+
+#+++++++++++++++++++++++++++++++++++++
+
+# The DEFAULT allows a global definition of the options. They can be overridden
+# in each jail afterwards.
+
+[DEFAULT]
+
+#
+# OPTIONS CONF DEFAULT
+#
+
+# ignorecommand =
+bantime = {{ bantime }}
+findtime = {{ findtime }}
+maxretry = {{ maxretry }}
+maxmatches = %(maxretry)s
+backend = auto
+usedns = warn
+logencoding = auto
+enabled = false
+mode = normal
+filter = %(__name__)s[mode=%(mode)s]
+destemail = sysadmin@verdnatura.es
+sender = root@
+mta = mail
+protocol = tcp
+chain =
+port = 0:65535
+fail2ban_agent = Fail2Ban/%(fail2ban_version)s
+banaction = nftables-multiport
+banaction_allports = nftables-allports
+action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+action_mw = %(action_)s
+            %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
+action_mwl = %(action_)s
+             %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
+action_xarf = %(action_)s
+              xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
+action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
+                %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
+action_blocklist_de = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
+action_abuseipdb = abuseipdb
+action = %(action_mwl)s
+
+#+++++++++++++++++++++++++++++++++++++
+
+#
+# JAILS
+#
+
+{% for jail in jails %}
+#+++++++++++++++++++++++++++++++++++++
+[{{ jail.name }}]
+enabled = {{ jail.enabled }}
+filter = {{ jail.filter }}
+logpath = {{ jail.logpath }}
+port = {{ jail.port | join(' ') }}
+maxretry = {{ jail.maxretry }}
+bantime = {{ jail.bantime }}
+findtime = {{ jail.findtime }}
+action = {{ jail.action }}
+{% endfor %}
+#+++++++++++++++++++++++++++++++++++++
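Review bot: The new [DEFAULT] section sets no `ignoreip`, so combined with the week-long `bantime`/`findtime` this commit feeds in from host_vars, a handful of failed connections from the AWX controller or an admin workstation bans that address for a week and cuts off the very host that manages the box; adding `ignoreip = 127.0.0.1/8 ::1 <MANAGEMENT_CIDR>` (placeholder for the controller/management range, ideally supplied by a host variable like the other tunables) under [DEFAULT] keeps the managing hosts reachable. `destemail = sysadmin@verdnatura.es` is hard-coded while `bantime`, `findtime` and `maxretry` are templated, so it could be driven by a variable the same way. `sender = root@` reads as truncated, since upstream fail2ban ships a host-qualified sender; if an `<fq-hostname>`-style tag was merely stripped when this page was rendered, disregard that point.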