This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
common/fail2ban: cleanup/standardize fail2ban configuration:
- do not repeat jail options that are already defined in `jail.conf` in `jail.d/*.conf`
- gitea/jellyfin: do not disable gitea/jellyfin jails if the corresponding service is disabled
- prevent missing/not-yet-created log files from causing fail2ban reloads/restarts to fail (e.g. when a service is initially deployed with `*_enable_service: no`) by creating a placeholder/empty log file and adding it to the list of `logpath` for each service (related fail2ban/fail2ban#2756, fail2ban/fail2ban#1379)
- do not enable the `pam-generic` jail by default as no service uses it
- use values provided in `fail2ban_default_maxretry` (default 5), `fail2ban_default_findtime` (10min) and `fail2ban_default_bantime` (1 year) for all jails
- only ban offenders on HTTP/HTTPS ports for auth failures on web applications. This way it is still possible to log in via SSH to unban an IP if the controller IP gets banned by mistake
- standardize order of installation/configuration tasks
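The placeholder approach described in the commit message (an always-present empty file appended to each jail's `logpath`, so a jail whose real log has not been written yet still loads) has an ordering dependency that is easy to miss: the placeholder must exist on disk before fail2ban loads the fragment, and once it exists a wrong real log path is no longer reported as an error. The following is an added example, not code from this repository or from fail2ban, of a preflight check that parses rendered `jail.d/*.conf` fragments and reports jails whose `logpath` entries resolve to no existing file. It uses a constructed gitea fragment in a temporary directory; the `%(...)s` handling, the "unchecked" status and the function names are this example's own conventions, and the rule that a jail needs at least one resolvable logpath entry is taken from the failure the commit message describes.

```python
import configparser
import glob
import os
import tempfile

# Placeholder path used by the commit's jail fragments.
PLACEHOLDER = "/var/lib/fail2ban/emptylog.log"


def parse_logpaths(fragment_text):
    """Return {jail: [logpath entries]} for a rendered jail.d/*.conf fragment.

    fail2ban accepts several paths in one `logpath` value, one per line, with
    the extra lines indented (configparser continuation lines). Interpolation
    is disabled so `%(sshd_log)s`-style jail.conf references survive as text.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(fragment_text)
    return {
        jail: [p.strip() for p in cp.get(jail, "logpath", fallback="").splitlines() if p.strip()]
        for jail in cp.sections()
    }


def check_jails(jails):
    """Classify each jail by whether at least one logpath entry resolves.

    Mirrors the failure the commit message describes: a jail none of whose
    logpath globs matches an existing file breaks the fail2ban reload/restart.
    Jails with no `logpath` in the fragment inherit it from jail.conf and are
    skipped; entries that are jail.conf substitutions (`%(...)s`) cannot be
    resolved here, so a jail with only such entries is reported "unchecked"
    (a convention of this example, not of fail2ban).
    """
    report = {}
    for jail, paths in jails.items():
        if not paths:
            continue
        literal = [p for p in paths if "%(" not in p]
        if not literal:
            report[jail] = "unchecked"
        elif any(glob.glob(p) for p in literal):
            report[jail] = "ok"
        else:
            report[jail] = "unresolved"
    return report


def ensure_placeholder(path):
    """Create the empty placeholder log (and its directory) if absent."""
    parent = os.path.dirname(path)
    if parent:
        os.makedirs(parent, exist_ok=True)
    with open(path, "a"):
        pass
    return os.path.isfile(path)


def demo():
    """Constructed scenario: gitea deployed with its service disabled, so
    gitea.log was never written. Returns the gitea-auth status without the
    placeholder, with it listed but not yet created, and after creating it."""
    with tempfile.TemporaryDirectory() as tmp:
        placeholder = os.path.join(tmp, "fail2ban", "emptylog.log")
        gitea_log = os.path.join(tmp, "gitea", "log", "gitea.log")  # never created
        without = (
            "[gitea-auth]\nenabled = true\nfilter = gitea-auth\n"
            f"logpath = {gitea_log}\nport = https,http\n"
        )
        with_placeholder = (
            "[gitea-auth]\nenabled = true\nfilter = gitea-auth\n"
            f"logpath = {gitea_log}\n    {placeholder}\nport = https,http\n"
        )
        before = check_jails(parse_logpaths(without))["gitea-auth"]
        listed = check_jails(parse_logpaths(with_placeholder))["gitea-auth"]
        ensure_placeholder(placeholder)
        after = check_jails(parse_logpaths(with_placeholder))["gitea-auth"]
        return before, listed, after


if __name__ == "__main__":
    print(demo())  # ('unresolved', 'unresolved', 'ok')
```

The middle result is the practical point: merely listing the placeholder in the fragment changes nothing until the file has actually been created, so the task that creates `/var/lib/fail2ban/emptylog.log` must run before the handler that reloads fail2ban. Once the placeholder exists, every jail loads even if its real log path is wrong, so a check like this (run on the rendered fragments, with the placeholder entry temporarily ignored) is what still catches a mistyped or moved log path.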
Showing 15 changed files with 80 additions and 81 deletions.
@@ -1,5 +1,7 @@ | ||
# fail2ban apache jails | ||
|
||
[apache-auth] | ||
enabled = true | ||
port = http,https | ||
# apache basic auth login failures | ||
# other options defined in /etc/fail2ban/jail.conf | ||
enabled = true | ||
logpath = %(apache_error_log)s | ||
/var/lib/fail2ban/emptylog.log | ||
port = http,https |
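Review bot: the placeholder entry `/var/lib/fail2ban/emptylog.log` appears flush-left under `logpath = %(apache_error_log)s` in this hunk; fail2ban only treats additional log paths as part of `logpath` when they are indented continuation lines, so confirm the template indents it (the rendered diff may have dropped the leading whitespace), otherwise the jail fails to load. Nothing in this diff creates `/var/lib/fail2ban/emptylog.log`; the task that creates it has to run before fail2ban is reloaded or restarted, or the placeholder reproduces the very failure it is meant to avoid.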
roles/common/templates/etc_fail2ban_jail.d_pam-generic.conf.j2 (8 changes: 0 additions & 8 deletions)
This file was deleted.
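Review bot: deleting the template does not remove an already rendered `/etc/fail2ban/jail.d/pam-generic.conf` from hosts configured by earlier runs of this role, so those hosts keep loading the jail the commit message says no service uses. Add a task that removes that file (state: absent) and notifies the fail2ban reload handler, so existing hosts converge to the same state as fresh ones.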
@@ -1,12 +1,4 @@ | ||
# Fail2ban OpenSSH server jails | ||
|
||
[sshd] | ||
# openssh server auth failures | ||
# To use more aggressive sshd modes set filter parameter "mode" in jail.local: | ||
# normal (default), ddos, extra or aggressive (combines all). | ||
# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details. | ||
mode = normal | ||
enabled = true | ||
filter = sshd | ||
logpath = %(sshd_log)s | ||
backend = %(sshd_backend)s | ||
# openssh server login failures | ||
# other options defined in /etc/fail2ban/jail.conf | ||
enabled = true |
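Review bot: the deleted block was the only place documenting the sshd filter `mode` option (normal, ddos, extra, aggressive); dropping `filter`, `logpath`, `backend` and `mode = normal` is safe because the new comment says they come from /etc/fail2ban/jail.conf, but consider keeping the two comment lines that point at `filter.d/sshd.conf` so whoever hardens this jail later knows the knob exists. This is also the one jail that intentionally keeps its default `port` instead of `http,https`, which is what the commit message relies on for being able to SSH in and unban; a one-line comment saying so would make that asymmetry with the web jails read as deliberate.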
Empty file.
@@ -1,11 +1,7 @@ | ||
{% if gitea_enable_service %} | ||
# fail2ban gitea jails | ||
[gitea-auth] | ||
# gitea login failures | ||
enabled = true | ||
filter = gitea-auth | ||
port = https,http | ||
logpath = {{ gitea_user_home }}/log/gitea.log | ||
maxretry = 10 | ||
findtime = 3600 | ||
{% endif %} | ||
enabled = true | ||
filter = gitea-auth | ||
logpath = {{ gitea_user_home }}/log/gitea.log | ||
/var/lib/fail2ban/emptylog.log | ||
port = https,http |
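Review bot: with the `{% if gitea_enable_service %}` guard gone the jail is always loaded, so `filter = gitea-auth` now requires `filter.d/gitea-auth.conf` to be present on every host that receives this fragment, not only where gitea is enabled; check that the task deploying the filter is not behind the same condition, because a missing filter makes the jail fail to load regardless of the placeholder log. Dropping `maxretry = 10` and `findtime = 3600` also tightens this jail to the 5-in-10-minutes defaults named in the commit message; fine if intended, but it is a behaviour change worth stating in the changelog.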
roles/jellyfin/templates/etc_fail2ban_jail.d_jellyfin.conf.j2 (8 changes: 4 additions & 4 deletions)
@@ -1,7 +1,7 @@ | ||
{% if jellyfin_enable_service %} | ||
[jellyfin] | ||
# jellyfin login failures | ||
enabled = true | ||
filter = jellyfin-auth | ||
maxretry = 5 | ||
filter = jellyfin-auth | ||
logpath = /var/log/jellyfin/jellyfin*.log | ||
{% endif %} | ||
/var/lib/fail2ban/emptylog.log | ||
port = https,http |
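Review bot: `port = https,http` only protects anything if every Jellyfin client reaches the service through the HTTP/HTTPS reverse proxy; if Jellyfin's own listener is also reachable, an attacker failing logins there is never blocked by this ban. Either document in the comment that the native port is firewalled, or add it to `port`. As in the other fragments, the `/var/lib/fail2ban/emptylog.log` line must be an indented continuation of `logpath` in the template for fail2ban to accept it.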
@@ -1,4 +1,7 @@ | ||
[prosody] | ||
# prosody (jitsi) login failures | ||
enabled = true | ||
filter = prosody-auth | ||
logpath = /var/log/prosody/prosody*.log | ||
logpath = /var/log/prosody/prosody*.log | ||
/var/lib/fail2ban/emptylog.log | ||
port = https,http |
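Review bot: prosody is an XMPP server rather than a web application, so applying the commit message's `https,http` scope here assumes clients only authenticate through the HTTP-facing path (the jitsi web frontend); if prosody's direct client-to-server port is reachable, failed logins there go unbanned. State that assumption in the `# prosody (jitsi) login failures` comment, or add the client-to-server port to `port`.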
roles/mail_dovecot/templates/etc_fail2ban_jail.d_dovecot.conf.j2 (4 changes: 4 additions & 0 deletions)
@@ -1,3 +1,7 @@ | ||
[dovecot] | ||
# dovecot login failures | ||
# other options defined in /etc/fail2ban/jail.conf | ||
enabled = true | ||
logpath = %(dovecot_log)s | ||
/var/lib/fail2ban/emptylog.log | ||
port = imaps |
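Review bot: `port = imaps` narrows the ban below the jail.conf default for dovecot, which also covers the pop3, imap, submission and sieve ports; that goes beyond the commit message's "web applications" scope and silently leaves any other exposed dovecot listener (imap with STARTTLS, submission) unprotected against the same failed logins. Either confirm in the comment that only imaps is exposed on these hosts, or list every dovecot port that is.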
@@ -1,7 +1,7 @@ | ||
# Fail2ban mumble jails | ||
|
||
[murmur] | ||
# AKA mumble-server | ||
enabled = true | ||
port = {{ mumble_port }} | ||
# actions and logpath are defined in /etc/fail2ban/jail.conf | ||
# mumble-server login failures | ||
# other options defined in /etc/fail2ban/jail.conf | ||
enabled = true | ||
logpath = /var/log/mumble-server/mumble-server.log | ||
/var/lib/fail2ban/emptylog.log | ||
port = {{ mumble_port }} |
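Review bot: the removed comment said `logpath` came from /etc/fail2ban/jail.conf, and this hunk now repeats `logpath = /var/log/mumble-server/mumble-server.log` in the fragment, which contradicts the commit message's "do not repeat jail options already defined in jail.conf" and is only there to append the placeholder entry. Add a comment saying the repeat is deliberate so nobody removes it later, and make sure the value matches what jail.conf defines for murmur on the target distribution, since the fragment now shadows it.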
roles/nextcloud/templates/etc_fail2ban_jail.d_nextcloud.conf.j2 (7 changes: 3 additions & 4 deletions)
@@ -1,8 +1,7 @@ | ||
# fail2ban Nextcloud jails | ||
|
||
[nextcloud-auth] | ||
# Nextcloud login failures | ||
# nextcloud login failures | ||
enabled = true | ||
filter = nextcloud-auth | ||
port = https,http | ||
logpath = /var/nextcloud/data/nextcloud.log | ||
/var/lib/fail2ban/emptylog.log | ||
port = https,http |
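Review bot: `/var/nextcloud/data/nextcloud.log` is hard-coded here while the gitea and shaarli fragments derive the log path from role variables; with the placeholder entry in place, a data directory at a different path no longer makes the jail fail, it just quietly matches nothing. Template the path from the nextcloud data-directory variable (and check the real log exists in a task) so the placeholder cannot mask that misconfiguration.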
roles/shaarli/templates/etc_fail2ban_jail.d_shaarli.conf.j2 (13 changes: 6 additions & 7 deletions)
@@ -1,8 +1,7 @@ | ||
# Fail2ban shaarli jails | ||
|
||
[shaarli-auth] | ||
# Shaarli login failures | ||
enabled = true | ||
filter = shaarli-auth | ||
port = https,http | ||
logpath = {{ shaarli_install_dir }}/data/log.txt | ||
# shaarli login failures | ||
enabled = true | ||
filter = shaarli-auth | ||
logpath = {{ shaarli_install_dir }}/data/log.txt | ||
/var/lib/fail2ban/emptylog.log | ||
port = https,http |
@@ -1,8 +1,8 @@ | ||
[tt-rss] | ||
# Fail2ban jail for tt-rss failed logins | ||
# tt-rss login failures | ||
# LOG_DESTINATION must be set to '' (log to php/webserver error log) in tt-rss config.php | ||
enabled = true | ||
filter = tt-rss-auth | ||
filter = tt-rss-auth | ||
logpath = /var/log/apache2/error.log | ||
findtime = 600 | ||
maxretry = 3 | ||
/var/lib/fail2ban/emptylog.log | ||
port = https,http |
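Review bot: removing `maxretry = 3` and `findtime = 600` loosens this jail to the global `fail2ban_default_maxretry` of 5, consistent with the commit message but a behaviour change for tt-rss that should be called out. Also, `logpath = /var/log/apache2/error.log` stays hard-coded while the apache-auth fragment uses `%(apache_error_log)s`; use the same substitution here so both jails follow the distribution's apache log location, and keep the `LOG_DESTINATION` comment, since the jail only matches anything when tt-rss logs to the web server error log.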