first commit

2024-11-28 00:01:14 +03:00
commit 989693564a
17 changed files with 525 additions and 0 deletions
--- a/README.md
+++ b/README.md
@@ -0,0 +1,193 @@
+# Fail2ban
+
+Role which installs and configures Fail2ban.
+
+## Role usage
+
+The role should be used after other roles installing software which needs protection.
+
+## Deploy example (do not copy blindly!)
+
+```yaml
+roles:
+    - role: fail2ban
+      fail2ban_ignores_ips: ['10.0.0.0/8']
+      fail2ban_enable_ignorecommand: true
+      fail2ban_custom_ipset_lists: [whitelist, whitelist6]
+      fail2ban_recidive_ignore_jails: [some-jail, another-jail]
+      fail2ban_filters: [
+        { name: nginx-req-limits,
+          failregex: [ '^\s*\[error\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "[^"]+", client: <HOST>' ],
+          ignoreregex: []
+        },
+        { name: nginx-con-limits,
+          failregex: [ '^\s*\[error\] \d+#\d+: \*\d+ limiting connections by zone "[^"]+", client: <HOST>' ],
+          ignoreregex: []
+        },
+        { name: multiple-regexps-example,
+          failregex: [ 'some-fail-regexp1', 'some-fail-regexp2' ],
+          ignoreregex: [ 'some-ignore-regexp1', 'some-ignore-regexp2' ]
+        }
+      ]
+      fail2ban_sshd:
+        maxretry: 5
+        bantime: 3600
+        findtime: 600
+      fail2ban_services: [
+        { name: nginx-req-limits,
+          filter: nginx-req-limits,
+          port: 'http,https',
+          logpath: '/var/log/nginx/*error.log',
+          bantime: 600,
+          findtime: 300,
+          maxretry: 5
+        },
+        { name: nginx-con-limits,
+          filter: nginx-con-limits,
+          port: 'http,https',
+          logpath: '/var/log/nginx/*error.log',
+          bantime: 600,
+          findtime: 300,
+          maxretry: 5
+        }
+      ]
+      fail2ban_containers: [
+        { name: web-prod,
+          logpath: /tmp/web-prod.log
+        },
+        { name: backend-prod,
+          logpath: /tmp/backend-prod.log,
+          bantime: 9000
+        }
+      ]
+```
+
+## About available parameters
+
+### Main params
+
+| Param | Default | Description |
+| -------- | -------- | -------- |
+| `fail2ban_setup` | `full` | - |
+| `fail2ban_defaults` | see defaults/main.yml | controls default bantime, findtime and maxretry params |
+| `fail2ban_ignores_ips` | - | controls list of IP's to ignore (see ignoreip fail2ban param) |
+| `fail2ban_alerts` | see defaults/main.yml | control on alert-sending, just in case if we'll need it anywhere |
+| `fail2ban_filters` | - | describes the filters to create, more details below |
+| `fail2ban_services` | - | describes the custom jails to create, more details below |
+| `fail2ban_containers` | - | params for sshd-jails for LXC containers, more details below |
+| `fail2ban_blocktype` | `DROP` | we want to drop packets instead of rejecting them. Do not change this without a reason |
+| `fail2ban_role_test_mode` | - | could be used for test purposes only, do not use it in production playbooks |
+| `fail2ban_enable_ignorecommand` | `false` | enables ignorecommand options in jail.local and checking script generation |
+| `fail2ban_default_ipset_lists` | `[whitelist, whitelist6]` | describes the default ipset lists for checking script |
+| `fail2ban_custom_ipset_lists` | `[]` | describes the custom ipset lists for checking script |
+| `fail2ban_dummy_logs` | `false` | Whether to create dummy logs to avoid service failing to start due to absence of any jail logs. |
+| `fail2ban_dummy_log_path` | `/var/log/fail2ban-dummy.log` | Path to dummy log (will be automatically created). |
+| `fail2ban_recidive_ignore_jails` | `[]` | List of jails that need to be ignored by recidive jail. |
+
+### Jail generation
+
+#### SSH jails
+
+Our common sshd jail is generated automatically if openssh-server package was found during role setup. By default it will look like this:
+
+```plaintext
+[sshd]
+enabled    = true
+ports      = 22
+maxretry   = 3
+bantime    = 7200
+findtime   = 1800
+```
+
+If needed, default params for this jail could be overwritten from playbook with **fail2ban_sshd** variable, for example:
+
+#### SSH jails for LXC containers
+
+```yaml
+      fail2ban_sshd:
+        maxretry: 5
+        bantime: 3600
+        findtime: 600
+```
+
+Jails for LXC containers are being created only if **fail2ban_containers** list is not empty. You can control any param of this jail from playbook, for example:
+
+```yaml
+      fail2ban_containers: [
+        { name: web-prod,
+          logpath: /mnt/data/containers/web-prod/var/log/auth.log.log
+        },
+        { name: backend-prod,
+          logpath: /mnt/data/containers/backend-prod/var/log/auth.log,
+          bantime: 9000,
+          findtime: 600
+        }
+      ]
+```
+
+Make sure to set "logpath" variable, role can't guess the correct path by itself!
+
+#### Custom jails
+
+Could be created with **services** list, usage example:
+
+```yaml
+      fail2ban_services: [
+        { name: nginx-req-limits,
+          filter: nginx-req-limits,
+          port: 'http,https',
+          logpath: '/var/log/nginx/*error.log',
+          bantime: 600,
+          findtime: 300,
+          maxretry: 5
+        },
+        { name: nginx-con-limits,
+          filter: nginx-con-limits,
+          port: 'http,https',
+          logpath: '/var/log/nginx/*error.log',
+          bantime: 600,
+          findtime: 300,
+          maxretry: 5
+        }
+      ]
+```
+
+You can describe any key-value pairs here. **name** is mandatory for jail creation.
+
+### Custom filters creation
+
+Can be done with **filters** variable. For example:
+
+```yaml
+      fail2ban_filters: [
+        { name: nginx-req-limits,
+          failregex: [ '^\s*\[error\] \d+#\d+: \*\d+ limiting requests, excess: [\d\.]+ by zone "[^"]+", client: <HOST>' ],
+          ignoreregex: []
+        },
+        { name: nginx-con-limits,
+          failregex: [ '^\s*\[error\] \d+#\d+: \*\d+ limiting connections by zone "[^"]+", client: <HOST>' ],
+          ignoreregex: []
+        },
+        { name: multiple-regexps-example,
+          failregex: [ 'some-fail-regexp1', 'some-fail-regexp2' ],
+          ignoreregex: [ 'some-ignore-regexp1', 'some-ignore-regexp2' ]
+        }
+      ]
+```
+
+You can describe any key-value pairs here. **name** is mandatory for filter creation.
+
+### Checking ip in ipset lists
+
+Fail2ban can use external command to dynamically check if IP should be ingored. Option fail2ban_enable_ignorecommand enables it. External script will check the IP’s presence in every ipset list from fail2ban_default_ipset_lists and fail2ban_custom_ipset_lists. If IP will be found in any list given - fail2ban will ignore it, if not - IP will be placed in appropriate jail.
+
+## Useful links
+
+- [Official wiki](https://www.fail2ban.org/wiki/index.php/Main_Page)
+- [Documentation on ubuntu.ru](https://help.ubuntu.ru/wiki/fail2ban)
+
+## TODO
+
+- update readme
+- remove syslog user creation (leave in test mode only maybe)
+- move names and paths from check_ip_script template to vars