first commit

templates/action_iptables-multiport-fw.j2

@@ -0,0 +1,23 @@
+{% raw %}[INCLUDES]
+
+before = iptables-blocktype.conf
+
+[Definition]
+
+actionstart = iptables -N fail2ban-<name>
+              iptables -A fail2ban-<name> -j RETURN
+              iptables -I <fwchain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+actionstop = iptables -D <fwchain> -p <protocol> -m multiport --dports <port> -j fail2ban-<name>
+             iptables -F fail2ban-<name>
+             iptables -X fail2ban-<name>
+actioncheck = iptables -n -L <fwchain> | grep -q 'fail2ban-<name>[ \t]'
+actionban = iptables -I fail2ban-<name> 1 -s <ip> -j <blocktype>
+actionunban = iptables -D fail2ban-<name> -s <ip> -j <blocktype>
+
+[Init]
+
+name = default
+port = ssh
+protocol = tcp
+fwchain = FORWARD
+{% endraw %}

templates/check-ip_conf.j2

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+check_ip_lists=({% for list in fail2ban_default_ipset_lists %} {{ list }} {% endfor %}{% for list in fail2ban_custom_ipset_lists %} {{ list }} {% endfor %})

templates/custom-filter.j2

@@ -0,0 +1,31 @@
+[Definition]
+
+{% for key, value in item.items() %}
+{% if key != 'name' and key == 'failregex' %}
+failregex = {% for item in value %}
+{% if item == value|first %}
+{{ item }}
+{% else %}
+{{ item|indent(12, True) }}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% endfor %}
+
+{% for key, value in item.items() %}
+{% if key != 'name' and key == 'ignoreregex' %}
+ignoreregex = {% for item in value %}
+{% if item == value|first %}
+{{ item }}
+{% else %}
+{{ item|indent(14, True) }}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% endfor %}
+
+{% for key, value in item.items() %}
+{% if key != 'name' and key != 'failregex' and key != 'ignoreregex' %}
+{{ key }} = {{ value }}
+{% endif %}
+{% endfor %}

templates/fail2ban-check-ip.j2

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+target_ip=$1
+check_ip_config='/usr/local/etc/scripts/custom.fail2ban-check-ip.conf'
+
+test -s "${check_ip_config}" && . "${check_ip_config}"
+function check_ip_in_ipset() {
+  for list in "${check_ip_lists[@]}"; do
+    /sbin/ipset save "${list}" | grep -qE "${target_ip}" && return 0
+  done
+  return 1
+}
+
+check_ip_in_ipset

templates/jail.j2

@@ -0,0 +1,60 @@
+[DEFAULT]
+{{ "%-13s = %s"|format('bantime', fail2ban_defaults.bantime | default('7200', true)) }}
+{{ "%-13s = %s"|format('findtime', fail2ban_defaults.findtime | default('600', true)) }}
+{{ "%-13s = %s"|format('maxretry', fail2ban_defaults.maxretry | default('3', true)) }}
+{% if fail2ban_alerts.enabled %}
+{{ "%-13s = %s"|format('sendername', fail2ban_alerts.from) }}
+{{ "%-13s = %s"|format('destemail', fail2ban_alerts.email) }}
+{{ "%-13s = %s"|format('action', '%(action_mwl)s') }}
+{% endif %}
+{{ "%-13s = %s %s"|format('ignoreip', '127.0.0.1/8', fail2ban_ignores_ips|join(' ')) }}
+{% if fail2ban_enable_ignorecommand %}
+{{ "%-13s = %s"|format('ignorecommand', '/usr/local/sbin/custom.fail2ban-check-ip <ip>') }}
+{% endif %}
+{% if 'openssh-server' in ansible_facts.packages %}
+
+[sshd]
+{{ "%-10s = %s"|format('enabled', fail2ban_sshd.enabled | default('true', true)) }}
+{{ "%-10s = %s"|format('ports', fail2ban_sshd.ports | default('22', true)) }}
+{{ "%-10s = %s"|format('maxretry', fail2ban_sshd.maxretry | default(fail2ban_defaults.maxretry, true)) }}
+{{ "%-10s = %s"|format('bantime', fail2ban_sshd.bantime | default(fail2ban_defaults.bantime, true)) }}
+{{ "%-10s = %s"|format('findtime', fail2ban_sshd.findtime | default('1800', true)) }}
+{% endif %}
+{% if fail2ban_containers is defined and fail2ban_containers|length %}
+{% for container in fail2ban_containers %}
+
+[sshd-lxc-{{ container.name }}]
+{{ "%-10s = %s"|format('enabled', container.enabled | default('true', true)) }}
+{{ "%-10s = %s"|format('logpath', container.logpath | mandatory) }}
+{% if fail2ban_dummy_logs %}
+{{ fail2ban_dummy_log_path|indent(13, True) }}
+{% endif %}
+{{ "%-10s = %s"|format('filter', container.filter | default('sshd', true)) }}
+{{ "%-10s = %s"|format('port', container.port | default('22', true)) }}
+{{ "%-10s = %s"|format('backend', container.backend | default('polling', true)) }}
+{{ "%-10s = %s"|format('chain', container.chain | default('FORWARD', true)) }}
+{{ "%-10s = %s"|format('banaction', container.banaction | default('iptables-multiport', true)) }}
+{{ "%-10s = %s"|format('bantime', container.bantime | default('10000', true)) }}
+{{ "%-10s = %s"|format('maxretry', container.maxretry | default('3', true)) }}
+{{ "%-10s = %s"|format('findtime', container.findtime | default('1800', true)) }}
+{% endfor %}
+{% endif %}
+{% if fail2ban_services is defined and fail2ban_services|length %}
+{% for service in fail2ban_services %}
+
+[{{ service.name }}]
+{% if not service.enabled is defined %}
+{{ "%-10s = %s"|format("enabled", "True") }}
+{% endif %}
+{% for key, value in service.items()|sort() %}
+{% if key != 'name' %}
+{% if key == 'logpath' and fail2ban_dummy_logs %}
+{{ "%-10s = %s"|format(key, value) }}
+{{ fail2ban_dummy_log_path|indent(13, True) }}
+{% else %}
+{{ "%-10s = %s"|format(key, value) }}
+{% endif %}
+{% endif %}
+{% endfor %}
+{% endfor %}
+{% endif %}

templates/systemd-override.j2

@@ -0,0 +1,2 @@
+[Service]
+ExecStartPre=/usr/bin/touch {{ fail2ban_dummy_log_path }}

templates/testfile.j2

@@ -0,0 +1 @@
+This file is needed for role testing.