Performs installation and configuration of the Fail2ban service. Provides an action plugin to facilitate configuration of jails. See below for details.

This role is Work In Progress. See the TODO file for some details.
This role doesn't touch any upstream-provided files. All configuration parts are placed in fail2ban's `.local` files.

On RedHat systems, `jail.local` is shipped with some goodies picked from Debian's `jail.conf`, to ease management of actions.
Leverages the `sbitmedia.monit` and `sbitmedia.munin` roles when available.
For an in-depth explanation of action plugins in roles please see `sbitmedia.monit`'s README.

Since Ansible doesn't support action plugins in roles, the path to this role's action plugins needs to be added explicitly in `ansible.cfg`. Example:

```ini
action_plugins = ./contrib/roles/sbitmedia.monit/action_plugins:./contrib/roles/sbitmedia.munin/action_plugins:./contrib/roles/sbitmedia.fail2ban/action_plugins
```

Happily, `action_plugins` supports relative paths. Paths are separated by a colon (`:`).
Default variables are documented in `defaults/main.yml`.

Role variables are set per OS. See `vars/*.yml`.

See also the args accepted by `fail2ban_jail` in `library/fail2ban_jail`.
Using the role is straightforward: just include it and set overrides as needed. The following playbook shows several examples of `fail2ban_jail` usage.

```yaml
- hosts: servers
  roles:
    - sbitmedia.fail2ban
  tasks:
    # Define a jail.
    - fail2ban_jail:
      args:
        name: ssh-test-jail
        enabled: true
        filter: sshd
        port: ssh
        logpath: /var/log/secure
        maxretry: 3
        bantime: 3600
    # Enable a jail defined in jail.conf but disabled.
    - fail2ban_jail:
      args:
        name: ssh-tcpwrapper
        enabled: true
```
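As an added example (not part of this role or its `fail2ban_jail` plugin), the script below shows what the two jail definitions above amount to once rendered as `.local` fragments, and how fail2ban layers such fragments over an untouched `jail.conf` (read order `jail.conf`, `jail.d/*.conf`, `jail.local`, `jail.d/*.local`). The `jail.conf` content is a constructed sample, and `render_jail_local` / `effective_jails` are hypothetical helpers written for this illustration.

```python
import configparser

# Constructed stand-in for an upstream jail.conf, which the role never edits.
# The ssh-tcpwrapper jail is defined here but disabled, as in the playbook.
JAIL_CONF = """
[DEFAULT]
enabled = false
bantime = 600
maxretry = 5

[ssh-tcpwrapper]
filter = sshd
logpath = /var/log/secure
"""


def render_jail_local(name, **settings):
    """Render one jail as the INI fragment a .local file would carry.

    Keys mirror the args of the playbook example (enabled, filter, port,
    logpath, maxretry, bantime); booleans become fail2ban's true/false.
    """
    lines = [f"[{name}]"]
    for key, value in settings.items():
        if isinstance(value, bool):
            value = "true" if value else "false"
        lines.append(f"{key} = {value}")
    return "\n".join(lines) + "\n"


def effective_jails(*layers):
    """Merge config layers in the order fail2ban reads them:
    jail.conf, jail.d/*.conf, jail.local, jail.d/*.local.

    Later layers override earlier ones per key; [DEFAULT] values apply to
    every jail unless the jail sets the key itself. Interpolation is off
    because fail2ban uses its own %(__name__)s-style expansion.
    """
    cp = configparser.ConfigParser(interpolation=None)
    for text in layers:
        cp.read_string(text)
    return {jail: dict(cp[jail]) for jail in cp.sections()}


if __name__ == "__main__":
    local = render_jail_local("ssh-test-jail", enabled=True, filter="sshd",
                              port="ssh", logpath="/var/log/secure",
                              maxretry=3, bantime=3600)
    local += render_jail_local("ssh-tcpwrapper", enabled=True)
    for name, cfg in effective_jails(JAIL_CONF, local).items():
        print(f"{name}: enabled={cfg['enabled']} maxretry={cfg['maxretry']} "
              f"bantime={cfg['bantime']}")
```

Running it shows `ssh-tcpwrapper` flipping from `enabled=false` to `enabled=true` without any edit to the upstream file, while `ssh-test-jail` takes its own `maxretry` and `bantime` over the `[DEFAULT]` values.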
There are two ways to leverage this role in your own roles.

- Hard dependency: add `sbitmedia.fail2ban` as a dependency in your role and start ruling your own jails with no drawbacks at all.
- Soft dependency: use `sbitmedia.fail2ban` when it is available. For this to work, several things need to happen:
  - the role must be included before yours.
  - calls to `fail2ban_jail` must be done this way, to avoid syntax errors in Ansible when the plugin is not present:

```yaml
- name: Configure fail2ban service in Munin
  action: fail2ban_jail
  args:
    name: ssh
    enabled: true
  when: fail2ban_service is defined
```
License: BSD

Author: Jonathan Araña Cruz - SB IT Media, S.L.