library/roles/fail2ban: add two new jails: DDOS control for apache and nginx.

2015-11-29 20:25:29 +01:00 · 2015-11-29 20:25:29 +01:00 · 1ad7b44a05
parent 383e8ba256
commit 1ad7b44a05
9 changed files with 68 additions and 9 deletions
--- a/R/tasks/main.yml
+++ b/R/tasks/main.yml
@ -7,8 +7,6 @@
  apt_repository: repo='deb http://cran.rstudio.com/bin/linux/ubuntu {{ ansible_distribution_release }}/' state={{ r_install_cran_repo }} update_cache=yes
  tags: [ 'r_software', 'r_repo' ]

-#
-# This does not work. It resolves dependecies badly and/or installs the right version only for one of the packages
 - name: Install a specific version of the R base package
  apt: pkg={{ item }} state={{ r_packages_state }}
  with_items: r_base_packages_list
--- a/fail2ban/defaults/main.yml
+++ b/fail2ban/defaults/main.yml
@ -6,21 +6,25 @@
 f2b_ban_time: 86400
 f2b_findtime: 600
 f2b_maxretry: 5
+f2b_ddos_findtime: 120
+f2b_ddos_maxretry: 200
 f2b_default_backend: auto
 f2b_usedns: warn
 f2b_dest_email: 'sysadmin@{{ domain_name }}'
-f2b_sender_email: 'denyhosts@{{ domain_name }}'
+f2b_sender_email: 'sysadmin@{{ domain_name }}'
 f2b_default_banaction: iptables-multiport
 # Default action: ban. Not send email
 f2b_default_action: action_
 f2b_default_iptableschain: INPUT
 f2b_ssh_enabled: true
 f2b_ssh_ddos_enabled: true
+f2b_apache_ddos_enabled: false
 f2b_apache_auth_enabled: false
 f2b_apache_noscript_enabled: false
 f2b_apache_overflow_enabled: false
 f2b_php_url_popen: false
 f2b_nginx_auth_enabled: false
+f2b_nginx_ddos_enabled: false
 f2b_vsftpd_enabled: false
 f2b_vsftpd_logpath: /var/log/vsftpd.log
 f2b_recidive_enabled: true
--- a/fail2ban/tasks/fail2ban-rules.yml
+++ b/fail2ban/tasks/fail2ban-rules.yml
@ -0,0 +1,30 @@
+---
+- name: Install the fail2ban custom jail file
+  template: src=jail.local.j2 dest=/etc/fail2ban/jail.local owner=root group=root mode=444
+  notify: Restart fail2ban
+  tags: fail2ban
+
+- name: Install the fail2ban apache ddos filter
+  template: src=apache-ddos-filter.conf.j2 dest=/etc/fail2ban/filter.d/apache-ddos-filter.conf owner=root group=root mode=0444
+  when: f2b_apache_ddos_enabled
+  notify: Restart fail2ban
+  tags: [ 'fail2ban', 'f2b_apache_ddos' ]
+
+- name: Install the fail2ban apache ddos rule
+  template: src=apache-ddos-jail.conf.j2 dest=/etc/fail2ban/jail.d/apache-ddos-jail.conf owner=root group=root mode=0444
+  when: f2b_apache_ddos_enabled
+  notify: Restart fail2ban
+  tags: [ 'fail2ban', 'f2b_apache_ddos' ]
+
+- name: Install the fail2ban nginx ddos filter
+  template: src=nginx-ddos-filter.conf.j2 dest=/etc/fail2ban/filter.d/nginx-ddos-filter.conf owner=root group=root mode=0444
+  when: f2b_nginx_ddos_enabled
+  notify: Restart fail2ban
+  tags: [ 'fail2ban', 'f2b_apache_ddos' ]
+
+- name: Install the fail2ban nginx ddos rule
+  template: src=nginx-ddos-jail.conf.j2 dest=/etc/fail2ban/jail.d/nginx-ddos-jail.conf owner=root group=root mode=0444
+  when: f2b_nginx_ddos_enabled
+  notify: Restart fail2ban
+  tags: [ 'fail2ban', 'f2b_apache_ddos' ]
+
--- a/fail2ban/tasks/fail2ban.yml
+++ b/fail2ban/tasks/fail2ban.yml
@ -1,13 +1,8 @@
 ---
- name: install fail2ban on ubuntu >= 14.04 and debian >= 8
+- name: Install fail2ban on ubuntu >= 14.04 and debian >= 8
  apt: pkg={{ item }} state=installed
  with_items: f2b_packages
  tags: fail2ban

- name: Install the fail2ban custom jail file
-  template: src=jail.local.j2 dest=/etc/fail2ban/jail.local owner=root group=root mode=444
-  notify: Restart fail2ban
-  tags: fail2ban
-
 - name: Ensure that fail2ban is enabled and running
  service: name=fail2ban state=started enabled=yes
--- a/fail2ban/tasks/main.yml
+++ b/fail2ban/tasks/main.yml
@ -1,3 +1,5 @@
 ---
 - include: fail2ban.yml
  when: has_fail2ban
+- include: fail2ban-rules.yml
+  when: has_fail2ban
--- a/fail2ban/templates/apache-ddos-filter.conf.j2
+++ b/fail2ban/templates/apache-ddos-filter.conf.j2
@ -0,0 +1,7 @@
+[Definition]
+
+# regex derived from the apache-bot one
+
+failregex = ^<HOST> -.*"(GET|POST).*
+
+ignoreregex =
--- a/fail2ban/templates/apache-ddos-jail.conf.j2
+++ b/fail2ban/templates/apache-ddos-jail.conf.j2
@ -0,0 +1,8 @@
+[http-get-dos]
+enabled = {{ f2b_apache_ddos_enabled }}
+port = http,https
+filter = apache-ddos-filter
+logpath = /var/log/apache*/*access*log
+maxretry = {{ f2b_ddos_maxretry }}
+findtime = {{ f2b_ddos_findtime }}
+bantime = {{ f2b_ban_time }}
--- a/fail2ban/templates/nginx-ddos-filter.conf.j2
+++ b/fail2ban/templates/nginx-ddos-filter.conf.j2
@ -0,0 +1,7 @@
+[Definition]
+
+# regex derived from the apache-bot one
+
+failregex = ^<HOST> -.*"(GET|POST).*
+
+ignoreregex =
--- a/fail2ban/templates/nginx-ddos-jail.conf.j2
+++ b/fail2ban/templates/nginx-ddos-jail.conf.j2
@ -0,0 +1,8 @@
+[nginx-get-dos]
+enabled = {{ f2b_nginx_ddos_enabled }}
+port = http,https
+filter = nginx-ddos-filter
+logpath = /var/log/nginx/*access.log
+maxretry = {{ f2b_ddos_maxretry }}
+findtime = {{ f2b_ddos_findtime }}
+bantime = {{ f2b_ban_time }}