common/fail2ban: cleanup/standardize fail2ban configuration:

- do not repeat jail options that are already defined in `jail.conf`, in jail.d/*conf` - gitea/jellyfin: do not disable gitea/jellyfin jails if the corresponding service is disabled - prevent missing/not-yet-creat log files from causing failban reloads/restart to fail (e.g. when a service is initially deployed with `*_enable_service: no`) by creating a placeholder/empty log file and adding the the list of `logpath` for each service (related fail2ban/fail2ban#2756, fail2ban/fail2ban#1379) - do not enable the `pam-generic` jail by default as no service uses it - use values provided in `fail2ban_default_maxretry` (default 5), `fail2ban_default_findtime` (10min) and `fail2ban_default_bantime` (1 year) for all jails - only ban offenders on HTTP/HTTPS ports for auth failures on web applications. This way it is still possible to log in via SSH to unban an IP if the controller IP gets banned by mistake - standardize order of instalaltion/configuration tasks
nodiscc · Aug 3, 2023 · d8db069 · d8db069
1 parent f0b6f17
commit d8db069
Show file tree

Hide file tree

Showing 15 changed files with 80 additions and 81 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -28,15 +28,21 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/).
 - apache: log requests from localhost to the default vhost with the `localhost:` prefix (for example `http://127.0.0.1/server-status` requests from netdata)
 - apache: log requests from other hosts to the default vhost with the `default:` prefix (for example bad bots and scanners accessing the server by IP address)
 - apache: serve a `403 Forbidden` response to for requests the default virtualhost (except those from localhost)
+- common/fail2ban: use values provided in `fail2ban_default_maxretry` (default 5), `fail2ban_default_findtime` (10min) and `fail2ban_default_bantime` (1 year) for all jails
+- common/fail2ban: do not enable the `pam-generic` jail by default as no service uses it
+- common/fail2ban/all roles: only ban offenders on HTTP/HTTPS ports (not all ports) for authentication failures on web applications
+- gitea/jellyfin/fail2ban: do not disable gitea/jellyfin jails if the corresponding service is disabled
 - gitea: update to [v1.20.2](https://github.com/go-gitea/gitea/releases/tag/v1.20.2)
 - matrix: update element-web to [v1.11.37](https://github.com/vector-im/element-web/releases/tag/v1.11.37)
 - netdata: harden/standardize permissions on postgres collector configuration file
+- cleanup: common/fail2ban: standardize comments/task order, do not repeat jail options that are already defined in `jail.conf`, in `jail.d/*conf`
 - improve check mode support before first actual deployment
 - update documentation
 
 **Fixed:**
 - apache: fix apache not loading new/updated Let's Encrypt/`mod_md` certificates automatically every minute
 - apache: fix duplicated access logs to `access.log`/`other_vhosts_access.log`, only log to `access.log`
+- common/fail2ban/all roles: prevent missing/not-yet-created log files from causing failban reloads/restart to fail (e.g. when a service is initially deployed with `*_enable_service: no`)
 - monitoring_netdata/needrestart: fix automatic reboot not triggered by cron job when ABI-compatible kernel upgrades are pending
 
 [Full changes since v1.16.0](https://gitlab.com/nodiscc/xsrv/-/compare/1.16.0...1.17.0)

diff --git a/roles/apache/templates/etc_fail2ban_jail.d_apache.conf.j2 b/roles/apache/templates/etc_fail2ban_jail.d_apache.conf.j2
@@ -1,5 +1,7 @@
-# fail2ban apache jails
-
 [apache-auth]
-enabled  = true
-port     = http,https
+# apache basic auth login failures
+# other options defined in /etc/fail2ban/jail.conf
+enabled = true
+logpath  = %(apache_error_log)s
+           /var/lib/fail2ban/emptylog.log
+port    = http,https
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
@@ -1,3 +1,10 @@
+- name: install fail2ban
+  apt:
+    state: present
+    package:
+      - fail2ban
+      - ipset
+
 - name: create fail2ban configuration directories
   file:
     path: "{{ item }}"
@@ -8,21 +15,6 @@
     - "/etc/fail2ban/jail.d"
     - "/etc/fail2ban/filter.d"
 
-- name: install fail2ban
-  apt:
-    state: present
-    package:
-      - fail2ban
-      - ipset
-
-- name: start and enable fail2ban
-  service:
-    name: "fail2ban"
-    state: started
-    enabled: yes
-  ignore_errors: "{{ ansible_check_mode }}"
-  tags: services
-
 - name: copy fail2ban global configuration
   template:
     src: "{{ item.src }}"
@@ -31,16 +23,20 @@
   with_items:
     - { src: 'etc_fail2ban_jail.local.j2', dest: '/etc/fail2ban/jail.local' }
     - { src: 'etc_fail2ban_fail2ban.local.j2', dest: '/etc/fail2ban/fail2ban.local' }
+    - { src: 'var_lib_fail2ban_emptylog.log.j2', dest: '/var/lib/fail2ban/emptylog.log' }
   notify: restart fail2ban
 
-- name: copy fail2ban jails configuration
+- name: copy fail2ban sshd jail configuration
   template:
-    src: "{{ item.src }}"
-    dest: "{{ item.dest }}"
+    src: etc_fail2ban_jail.d_sshd.conf.j2
+    dest: /etc/fail2ban/jail.d/sshd.conf
     mode: "0600"
-  with_items:
-    - { src: 'etc_fail2ban_jail.d_sshd.conf.j2', dest: '/etc/fail2ban/jail.d/sshd.conf' }
-    - { src: 'etc_fail2ban_jail.d_pam-generic.conf.j2', dest: '/etc/fail2ban/jail.d/pam-generic.conf' }
+  notify: reload fail2ban
+
+- name: migration/1.17.0 - remove files from old versions of the role
+  file:
+    path: /etc/fail2ban/jail.d/pam-generic.conf
+    state: absent
   notify: reload fail2ban
 
 ##### FACTS #####
@@ -62,3 +58,13 @@
 
 - name: apply configuration (flush handlers)
   meta: flush_handlers
+
+##### SERVICES #####
+
+- name: start and enable fail2ban
+  service:
+    name: fail2ban
+    state: started
+    enabled: yes
+  ignore_errors: "{{ ansible_check_mode }}"
+  tags: services
diff --git a/roles/common/templates/etc_fail2ban_jail.d_pam-generic.conf.j2 b/roles/common/templates/etc_fail2ban_jail.d_pam-generic.conf.j2
diff --git a/roles/common/templates/etc_fail2ban_jail.d_sshd.conf.j2 b/roles/common/templates/etc_fail2ban_jail.d_sshd.conf.j2
@@ -1,12 +1,4 @@
-# Fail2ban OpenSSH server jails
-
 [sshd]
-# openssh server auth failures
-# To use more aggressive sshd modes set filter parameter "mode" in jail.local:
-# normal (default), ddos, extra or aggressive (combines all).
-# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.
-mode   = normal
-enabled   = true
-filter    = sshd
-logpath = %(sshd_log)s
-backend = %(sshd_backend)s
+# openssh server login failures
+# other options defined in /etc/fail2ban/jail.conf
+enabled = true
diff --git a/roles/common/templates/etc_fail2ban_jail.local.j2 b/roles/common/templates/etc_fail2ban_jail.local.j2
@@ -12,5 +12,5 @@ bantime   = {{ fail2ban_default_bantime }}
 # destination email address used for banactions 'action_m*' which trigger sending an email
 destemail = root
 # default banning action
-banaction = {{ 'firewallcmd-ipset[actiontype=<allports>]' if (ansible_local.firewalld.ansible_managed is defined and ansible_local.firewalld.ansible_managed) else 'iptables-ipset-proto6-allports' }}
-banaction_allports = {{ 'firewallcmd-ipset[actiontype=<allports>]' if (ansible_local.firewalld.ansible_managed is defined and ansible_local.firewalld.ansible_managed) else 'iptables-ipset-proto6-allports' }}
+banaction = {{ 'firewallcmd-ipset[actiontype=<multiport>]' if (ansible_local.firewalld.ansible_managed is defined and ansible_local.firewalld.ansible_managed) else 'iptables-ipset[type=multiport]' }}
+banaction_allports = {{ 'firewallcmd-ipset[actiontype=<allports>]' if (ansible_local.firewalld.ansible_managed is defined and ansible_local.firewalld.ansible_managed) else 'iptables-ipset[type=allports' }}
diff --git a/roles/common/templates/var_lib_fail2ban_emptylog.log.j2 b/roles/common/templates/var_lib_fail2ban_emptylog.log.j2
diff --git a/roles/gitea/templates/etc_fail2ban_jail.d_gitea.conf.j2 b/roles/gitea/templates/etc_fail2ban_jail.d_gitea.conf.j2
@@ -1,11 +1,7 @@
-{% if gitea_enable_service %}
-# fail2ban gitea jails
 [gitea-auth]
 # gitea login failures
-enabled  = true
-filter   = gitea-auth
-port     = https,http
-logpath  = {{ gitea_user_home }}/log/gitea.log
-maxretry = 10
-findtime = 3600
-{% endif %}
+enabled = true
+filter  = gitea-auth
+logpath = {{ gitea_user_home }}/log/gitea.log
+          /var/lib/fail2ban/emptylog.log
+port    = https,http
diff --git a/roles/jellyfin/templates/etc_fail2ban_jail.d_jellyfin.conf.j2 b/roles/jellyfin/templates/etc_fail2ban_jail.d_jellyfin.conf.j2
@@ -1,7 +1,7 @@
-{% if jellyfin_enable_service %}
 [jellyfin]
+# jellyfin login failures
 enabled = true
-filter = jellyfin-auth
-maxretry = 5
+filter  = jellyfin-auth
 logpath = /var/log/jellyfin/jellyfin*.log
-{% endif %}
+          /var/lib/fail2ban/emptylog.log
+port    = https,http
diff --git a/roles/jitsi/templates/etc_fail2ban_jail.d_prosody.conf.j2 b/roles/jitsi/templates/etc_fail2ban_jail.d_prosody.conf.j2
@@ -1,4 +1,7 @@
 [prosody]
+# prosody (jitsi) login failures
 enabled = true
 filter  = prosody-auth
-logpath = /var/log/prosody/prosody*.log
+logpath = /var/log/prosody/prosody*.log
+          /var/lib/fail2ban/emptylog.log
+port    = https,http
diff --git a/roles/mail_dovecot/templates/etc_fail2ban_jail.d_dovecot.conf.j2 b/roles/mail_dovecot/templates/etc_fail2ban_jail.d_dovecot.conf.j2
@@ -1,3 +1,7 @@
 [dovecot]
+# dovecot login failures
+# other options defined in /etc/fail2ban/jail.conf
 enabled = true
+logpath = %(dovecot_log)s
+          /var/lib/fail2ban/emptylog.log
 port    = imaps
diff --git a/roles/mumble/templates/etc_fail2ban_jail.d_mumble.conf.j2 b/roles/mumble/templates/etc_fail2ban_jail.d_mumble.conf.j2
@@ -1,7 +1,7 @@
-# Fail2ban mumble jails
-
 [murmur]
-# AKA mumble-server
-enabled  = true
-port     = {{ mumble_port }}
-# actions and logpath are defined in /etc/fail2ban/jail.conf
+# mumble-server login failures
+# other options defined in /etc/fail2ban/jail.conf
+enabled = true
+logpath  = /var/log/mumble-server/mumble-server.log
+           /var/lib/fail2ban/emptylog.log
+port    = {{ mumble_port }}
diff --git a/roles/nextcloud/templates/etc_fail2ban_jail.d_nextcloud.conf.j2 b/roles/nextcloud/templates/etc_fail2ban_jail.d_nextcloud.conf.j2
@@ -1,8 +1,7 @@
-# fail2ban Nextcloud jails
-
 [nextcloud-auth]
-# Nextcloud login failures
+# nextcloud login failures
 enabled  = true
 filter   = nextcloud-auth
-port     = https,http
 logpath  = /var/nextcloud/data/nextcloud.log
+           /var/lib/fail2ban/emptylog.log
+port     = https,http
diff --git a/roles/shaarli/templates/etc_fail2ban_jail.d_shaarli.conf.j2 b/roles/shaarli/templates/etc_fail2ban_jail.d_shaarli.conf.j2
@@ -1,8 +1,7 @@
-# Fail2ban shaarli jails
-
 [shaarli-auth]
-# Shaarli login failures
-enabled  = true
-filter   = shaarli-auth
-port     = https,http
-logpath  = {{ shaarli_install_dir }}/data/log.txt
+# shaarli login failures
+enabled = true
+filter  = shaarli-auth
+logpath = {{ shaarli_install_dir }}/data/log.txt
+          /var/lib/fail2ban/emptylog.log
+port    = https,http
diff --git a/roles/tt_rss/templates/etc_fail2ban_jail.d_tt-rss.conf.j2 b/roles/tt_rss/templates/etc_fail2ban_jail.d_tt-rss.conf.j2
@@ -1,8 +1,8 @@
 [tt-rss]
-# Fail2ban jail for tt-rss failed logins
+# tt-rss login failures
 # LOG_DESTINATION must be set to '' (log to php/webserver error log) in tt-rss config.php
 enabled = true
-filter = tt-rss-auth
+filter  = tt-rss-auth
 logpath = /var/log/apache2/error.log
-findtime = 600
-maxretry = 3
+          /var/lib/fail2ban/emptylog.log
+port    = https,http