library/roles/fail2ban: add two new jails: DDOS control for apache and nginx.
This commit is contained in:
parent
383e8ba256
commit
1ad7b44a05
|
@ -7,8 +7,6 @@
|
||||||
apt_repository: repo='deb http://cran.rstudio.com/bin/linux/ubuntu {{ ansible_distribution_release }}/' state={{ r_install_cran_repo }} update_cache=yes
|
apt_repository: repo='deb http://cran.rstudio.com/bin/linux/ubuntu {{ ansible_distribution_release }}/' state={{ r_install_cran_repo }} update_cache=yes
|
||||||
tags: [ 'r_software', 'r_repo' ]
|
tags: [ 'r_software', 'r_repo' ]
|
||||||
|
|
||||||
#
|
|
||||||
# This does not work. It resolves dependecies badly and/or installs the right version only for one of the packages
|
|
||||||
- name: Install a specific version of the R base package
|
- name: Install a specific version of the R base package
|
||||||
apt: pkg={{ item }} state={{ r_packages_state }}
|
apt: pkg={{ item }} state={{ r_packages_state }}
|
||||||
with_items: r_base_packages_list
|
with_items: r_base_packages_list
|
||||||
|
|
|
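--- a/library/roles/fail2ban/defaults/main.yml
+++ b/library/roles/fail2ban/defaults/main.yml
@@ -6,21 +6,25 @@
 f2b_ban_time: 86400
 f2b_findtime: 600
 f2b_maxretry: 5
+f2b_ddos_findtime: 120
+f2b_ddos_maxretry: 200
 f2b_default_backend: auto
 f2b_usedns: warn
 f2b_dest_email: 'sysadmin@{{ domain_name }}'
-f2b_sender_email: 'denyhosts@{{ domain_name }}'
+f2b_sender_email: 'sysadmin@{{ domain_name }}'
 f2b_default_banaction: iptables-multiport
 # Default action: ban. Not send email
 f2b_default_action: action_
 f2b_default_iptableschain: INPUT
 f2b_ssh_enabled: true
 f2b_ssh_ddos_enabled: true
+f2b_apache_ddos_enabled: false
 f2b_apache_auth_enabled: false
 f2b_apache_noscript_enabled: false
 f2b_apache_overflow_enabled: false
 f2b_php_url_popen: false
 f2b_nginx_auth_enabled: false
+f2b_nginx_ddos_enabled: false
 f2b_vsftpd_enabled: false
 f2b_vsftpd_logpath: /var/log/vsftpd.log
 f2b_recidive_enabled: true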
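Review bot: The two new thresholds `f2b_ddos_findtime: 120` and `f2b_ddos_maxretry: 200` carry no comment, unlike `f2b_default_action` a few lines below, so a reader has to open the jail templates to learn that they mean "200 matching requests from one IP within 120 seconds". I would add `# DoS jails: ban an IP after f2b_ddos_maxretry matching requests within f2b_ddos_findtime seconds` above `f2b_ddos_findtime: 120`. The jail templates added in this commit reuse `f2b_ban_time` (86400) for the resulting ban; a separate `f2b_ddos_bantime` default would let the rate-limit ban be tuned independently of the authentication-failure jails, whose false-positive risk is much lower than that of a request-count rule.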
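--- a/library/roles/fail2ban/tasks/fail2ban-rules.yml
+++ b/library/roles/fail2ban/tasks/fail2ban-rules.yml
@@ -0,0 +1,30 @@
+---
+- name: Install the fail2ban custom jail file
+  template: src=jail.local.j2 dest=/etc/fail2ban/jail.local owner=root group=root mode=444
+  notify: Restart fail2ban
+  tags: fail2ban
+
+- name: Install the fail2ban apache ddos filter
+  template: src=apache-ddos-filter.conf.j2 dest=/etc/fail2ban/filter.d/apache-ddos-filter.conf owner=root group=root mode=0444
+  when: f2b_apache_ddos_enabled
+  notify: Restart fail2ban
+  tags: [ 'fail2ban', 'f2b_apache_ddos' ]
+
+- name: Install the fail2ban apache ddos rule
+  template: src=apache-ddos-jail.conf.j2 dest=/etc/fail2ban/jail.d/apache-ddos-jail.conf owner=root group=root mode=0444
+  when: f2b_apache_ddos_enabled
+  notify: Restart fail2ban
+  tags: [ 'fail2ban', 'f2b_apache_ddos' ]
+
+- name: Install the fail2ban nginx ddos filter
+  template: src=nginx-ddos-filter.conf.j2 dest=/etc/fail2ban/filter.d/nginx-ddos-filter.conf owner=root group=root mode=0444
+  when: f2b_nginx_ddos_enabled
+  notify: Restart fail2ban
+  tags: [ 'fail2ban', 'f2b_apache_ddos' ]
+
+- name: Install the fail2ban nginx ddos rule
+  template: src=nginx-ddos-jail.conf.j2 dest=/etc/fail2ban/jail.d/nginx-ddos-jail.conf owner=root group=root mode=0444
+  when: f2b_nginx_ddos_enabled
+  notify: Restart fail2ban
+  tags: [ 'fail2ban', 'f2b_apache_ddos' ]
+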
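Review bot: The two nginx tasks ("Install the fail2ban nginx ddos filter" and "Install the fail2ban nginx ddos rule") are tagged `'f2b_apache_ddos'`, so a run limited to `--tags f2b_nginx_ddos` would skip them and `--tags f2b_apache_ddos` would unexpectedly rewrite the nginx files; both should read `tags: [ 'fail2ban', 'f2b_nginx_ddos' ]`. The jail.local task moved into this file keeps `mode=444` while the four new tasks use `mode=0444`; in key=value form both should resolve to the same permissions, but one spelling makes the file easier to audit. The filter and jail files are written only while `f2b_apache_ddos_enabled` / `f2b_nginx_ddos_enabled` is true, and nothing removes them from filter.d and jail.d once the flag is set back to false, so a jail that was enabled once stays active; a `state=absent` counterpart gated on the negated variable would make the flag a real switch.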
@ -1,13 +1,8 @@
|
||||||
---
|
---
|
||||||
- name: install fail2ban on ubuntu >= 14.04 and debian >= 8
|
- name: Install fail2ban on ubuntu >= 14.04 and debian >= 8
|
||||||
apt: pkg={{ item }} state=installed
|
apt: pkg={{ item }} state=installed
|
||||||
with_items: f2b_packages
|
with_items: f2b_packages
|
||||||
tags: fail2ban
|
tags: fail2ban
|
||||||
|
|
||||||
- name: Install the fail2ban custom jail file
|
|
||||||
template: src=jail.local.j2 dest=/etc/fail2ban/jail.local owner=root group=root mode=444
|
|
||||||
notify: Restart fail2ban
|
|
||||||
tags: fail2ban
|
|
||||||
|
|
||||||
- name: Ensure that fail2ban is enabled and running
|
- name: Ensure that fail2ban is enabled and running
|
||||||
service: name=fail2ban state=started enabled=yes
|
service: name=fail2ban state=started enabled=yes
|
||||||
|
|
|
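--- a/library/roles/fail2ban/tasks/main.yml
+++ b/library/roles/fail2ban/tasks/main.yml
@@ -1,3 +1,5 @@
 ---
 - include: fail2ban.yml
   when: has_fail2ban
+- include: fail2ban-rules.yml
+  when: has_fail2ban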
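--- a/library/roles/fail2ban/templates/apache-ddos-filter.conf.j2
+++ b/library/roles/fail2ban/templates/apache-ddos-filter.conf.j2
@@ -0,0 +1,7 @@
+[Definition]
+
+# regex derived from the apache-bot one
+
+failregex = ^<HOST> -.*"(GET|POST).*
+
+ignoreregex =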
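Review bot: The `failregex` `^<HOST> -.*"(GET|POST).*` matches every GET or POST line in the access log, not only abusive ones, so the jail counts all traffic of a client regardless of response status and bans it after `maxretry` hits within `findtime`; a page whose assets trigger a few hundred requests, or many users sharing one NAT or corporate proxy address, will trip it with the defaults of 200 requests in 120 seconds. If the web server sits behind a reverse proxy or load balancer the leading `<HOST>` is the proxy's own address, and banning it cuts off all traffic, so the log format in use needs to be confirmed before this jail is enabled on such a host. The identical definition is duplicated in the nginx-ddos-filter hunk below; a comment such as `# keep in sync with nginx-ddos-filter.conf.j2` on both, or one shared filter, would avoid drift. `# regex derived from the apache-bot one` presumably means the stock apache-badbots filter; naming it exactly would help the next reader.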
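--- a/library/roles/fail2ban/templates/apache-ddos-jail.conf.j2
+++ b/library/roles/fail2ban/templates/apache-ddos-jail.conf.j2
@@ -0,0 +1,8 @@
+[http-get-dos]
+enabled = {{ f2b_apache_ddos_enabled }}
+port = http,https
+filter = apache-ddos-filter
+logpath = /var/log/apache*/*access*log
+maxretry = {{ f2b_ddos_maxretry }}
+findtime = {{ f2b_ddos_findtime }}
+bantime = {{ f2b_ban_time }}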
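Review bot: The section name `[http-get-dos]` neither matches the `apache-ddos-*` naming of the filter and file nor says it is apache-specific, and a same-named section defined elsewhere in the jail configuration (jail.local or another drop-in) would collide with it, so `[apache-ddos]` would be safer and self-describing. `enabled = {{ f2b_apache_ddos_enabled }}` renders as `True`; fail2ban's parser accepts that case-insensitively, but because the task writing this file is itself gated on the same variable the value can only ever be true, so a literal `enabled = true` with a comment pointing at the Ansible flag would be clearer. The same two remarks apply to the `[nginx-get-dos]` hunk below. `logpath = /var/log/apache*/*access*log` also picks up SSL and per-vhost access logs, which is presumably intended but worth a comment.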
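--- a/library/roles/fail2ban/templates/nginx-ddos-filter.conf.j2
+++ b/library/roles/fail2ban/templates/nginx-ddos-filter.conf.j2
@@ -0,0 +1,7 @@
+[Definition]
+
+# regex derived from the apache-bot one
+
+failregex = ^<HOST> -.*"(GET|POST).*
+
+ignoreregex =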
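--- a/library/roles/fail2ban/templates/nginx-ddos-jail.conf.j2
+++ b/library/roles/fail2ban/templates/nginx-ddos-jail.conf.j2
@@ -0,0 +1,8 @@
+[nginx-get-dos]
+enabled = {{ f2b_nginx_ddos_enabled }}
+port = http,https
+filter = nginx-ddos-filter
+logpath = /var/log/nginx/*access.log
+maxretry = {{ f2b_ddos_maxretry }}
+findtime = {{ f2b_ddos_findtime }}
+bantime = {{ f2b_ban_time }}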