baseline_fail2ban
The cake function baseline_fail2ban installs fail2ban, which scans log files (e.g. /var/log/apache/error.log) and bans IPs that show malicious activity.
Without any further jails defined, the role will only set up the "sshd" jail.
Information
Key | Value |
---|---|
Playbook path | plays/baseline/fail2ban.yml |
Role | https://git.blunix.com/ansible-roles/role-fail2ban |
Tags | https://git.blunix.com/ansible-roles/role-fail2ban/-/tags |
Defaults | https://git.blunix.com/ansible-roles/role-fail2ban/-/blob/master/defaults/main.yml |
Config file | Description |
---|---|
Example
Define a fail2ban jail, action and filter to protect an OpenVPN installation:
inventory/group_vars/tool_prod_openvpn.yml:
```yaml
fail2ban_jails_custom:
  - name: openvpn
    vars:
      openvpn:
        enabled: 'true'
        filter: openvpn
        maxretry: 6
        port: 1194
fail2ban_actions_custom:
  - name: test
    vars:
      includes:
        before: iptables-common.conf
      Definition:
        actionstart: 'echo start'
        actionflush: 'echo flush'
        actionstop: '/bin/mytool --my-args'
        actionban: 'logger banned something'
        actionunban: 'logger unbanned something'
      Init: {}
fail2ban_filters_custom:
  # From http://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_with_OpenVPN
  - name: openvpn
    vars:
      Definition:
        ignoreregex: ''
        failregex: |
          ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
          ^ <HOST>:\d+ Connection reset, restarting
          ^ <HOST>:\d+ TLS Auth Error
          ^ <HOST>:\d+ TLS Error: TLS handshake failed$
          ^ <HOST>:\d+ VERIFY ERROR
#fail2ban_filters_download:
#  - name: myfilter
#    url: https://download.example.com/myfilter
```
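The following is an added example, not part of the original page or the role's code. It runs the five failregex patterns from the openvpn filter against constructed OpenVPN log lines and applies the jail's maxretry of 6. The IPv4-only `<HOST>` substitution, the timestamp pattern and the sample log are assumptions, and findtime is ignored.

```python
import re
from collections import Counter

# failregex patterns and maxretry copied from the openvpn filter and jail above.
FAILREGEX = [
    r"^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$",
    r"^ <HOST>:\d+ Connection reset, restarting",
    r"^ <HOST>:\d+ TLS Auth Error",
    r"^ <HOST>:\d+ TLS Error: TLS handshake failed$",
    r"^ <HOST>:\d+ VERIFY ERROR",
]
MAXRETRY = 6

# Assumption: IPv4-only stand-in for fail2ban's richer <HOST> expansion.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
COMPILED = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]

# Assumption: OpenVPN's default timestamp format. fail2ban cuts the timestamp
# out of the line before applying failregex, hence the leading "^ " above.
TIMESTAMP = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}")

def match_host(line):
    """Return the source IP if any failregex matches the line, else None."""
    rest = TIMESTAMP.sub("", line.rstrip("\n"), count=1)
    for rx in COMPILED:
        m = rx.search(rest)
        if m:
            return m.group("host")
    return None

def hosts_to_ban(lines, maxretry=MAXRETRY):
    """Return IPs with at least maxretry matching lines (findtime is ignored)."""
    hits = Counter(ip for ip in map(match_host, lines) if ip)
    return sorted(ip for ip, n in hits.items() if n >= maxretry)

# Constructed sample log using documentation address ranges.
SAMPLE_LOG = """\
Mon Mar  4 10:15:01 2024 203.0.113.7:51234 TLS Error: TLS handshake failed
Mon Mar  4 10:15:03 2024 203.0.113.7:51240 TLS Error: TLS handshake failed
Mon Mar  4 10:15:05 2024 TLS Error: incoming packet authentication failed from [AF_INET]203.0.113.7:51241
Mon Mar  4 10:15:07 2024 203.0.113.7:51250 TLS Auth Error: Auth Username/Password verification failed for peer
Mon Mar  4 10:15:09 2024 203.0.113.7:51251 VERIFY ERROR: depth=0, error=certificate has expired
Mon Mar  4 10:15:11 2024 203.0.113.7:51252 Connection reset, restarting [0]
Mon Mar  4 10:15:20 2024 198.51.100.20:40100 TLS Error: TLS handshake failed
Mon Mar  4 10:15:30 2024 192.0.2.10:40000 Peer Connection Initiated with [AF_INET]192.0.2.10:40000
""".splitlines()

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))
```

On a host where fail2ban is installed, `fail2ban-regex` checks a real log file against the deployed filter with fail2ban's own matching logic.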
Usage
Show status:
```shell
fail2ban-client status
```
Ban IP:
```shell
fail2ban-client set <jail name> banip <IP>
```
Unban IP:
```shell
fail2ban-client unban <IP>
```
Show jail status and list banned IPs:
```shell
fail2ban-client status <jail name>
```