library/roles/fail2ban: add two new jails: DDOS control for apache and nginx.

This commit is contained in:
Andrea Dell'Amico 2015-11-29 20:25:29 +01:00
parent 383e8ba256
commit 1ad7b44a05
9 changed files with 68 additions and 9 deletions

View File

@ -7,8 +7,6 @@
apt_repository: repo='deb http://cran.rstudio.com/bin/linux/ubuntu {{ ansible_distribution_release }}/' state={{ r_install_cran_repo }} update_cache=yes apt_repository: repo='deb http://cran.rstudio.com/bin/linux/ubuntu {{ ansible_distribution_release }}/' state={{ r_install_cran_repo }} update_cache=yes
tags: [ 'r_software', 'r_repo' ] tags: [ 'r_software', 'r_repo' ]
#
# This does not work. It resolves dependecies badly and/or installs the right version only for one of the packages
- name: Install a specific version of the R base package - name: Install a specific version of the R base package
apt: pkg={{ item }} state={{ r_packages_state }} apt: pkg={{ item }} state={{ r_packages_state }}
with_items: r_base_packages_list with_items: r_base_packages_list

View File

@ -6,21 +6,25 @@
f2b_ban_time: 86400 f2b_ban_time: 86400
f2b_findtime: 600 f2b_findtime: 600
f2b_maxretry: 5 f2b_maxretry: 5
f2b_ddos_findtime: 120
f2b_ddos_maxretry: 200
f2b_default_backend: auto f2b_default_backend: auto
f2b_usedns: warn f2b_usedns: warn
f2b_dest_email: 'sysadmin@{{ domain_name }}' f2b_dest_email: 'sysadmin@{{ domain_name }}'
f2b_sender_email: 'denyhosts@{{ domain_name }}' f2b_sender_email: 'sysadmin@{{ domain_name }}'
f2b_default_banaction: iptables-multiport f2b_default_banaction: iptables-multiport
# Default action: ban. Not send email # Default action: ban. Not send email
f2b_default_action: action_ f2b_default_action: action_
f2b_default_iptableschain: INPUT f2b_default_iptableschain: INPUT
f2b_ssh_enabled: true f2b_ssh_enabled: true
f2b_ssh_ddos_enabled: true f2b_ssh_ddos_enabled: true
f2b_apache_ddos_enabled: false
f2b_apache_auth_enabled: false f2b_apache_auth_enabled: false
f2b_apache_noscript_enabled: false f2b_apache_noscript_enabled: false
f2b_apache_overflow_enabled: false f2b_apache_overflow_enabled: false
f2b_php_url_popen: false f2b_php_url_popen: false
f2b_nginx_auth_enabled: false f2b_nginx_auth_enabled: false
f2b_nginx_ddos_enabled: false
f2b_vsftpd_enabled: false f2b_vsftpd_enabled: false
f2b_vsftpd_logpath: /var/log/vsftpd.log f2b_vsftpd_logpath: /var/log/vsftpd.log
f2b_recidive_enabled: true f2b_recidive_enabled: true

View File

@ -0,0 +1,30 @@
---
- name: Install the fail2ban custom jail file
template: src=jail.local.j2 dest=/etc/fail2ban/jail.local owner=root group=root mode=444
notify: Restart fail2ban
tags: fail2ban
- name: Install the fail2ban apache ddos filter
template: src=apache-ddos-filter.conf.j2 dest=/etc/fail2ban/filter.d/apache-ddos-filter.conf owner=root group=root mode=0444
when: f2b_apache_ddos_enabled
notify: Restart fail2ban
tags: [ 'fail2ban', 'f2b_apache_ddos' ]
- name: Install the fail2ban apache ddos rule
template: src=apache-ddos-jail.conf.j2 dest=/etc/fail2ban/jail.d/apache-ddos-jail.conf owner=root group=root mode=0444
when: f2b_apache_ddos_enabled
notify: Restart fail2ban
tags: [ 'fail2ban', 'f2b_apache_ddos' ]
- name: Install the fail2ban nginx ddos filter
template: src=nginx-ddos-filter.conf.j2 dest=/etc/fail2ban/filter.d/nginx-ddos-filter.conf owner=root group=root mode=0444
when: f2b_nginx_ddos_enabled
notify: Restart fail2ban
tags: [ 'fail2ban', 'f2b_apache_ddos' ]
- name: Install the fail2ban nginx ddos rule
template: src=nginx-ddos-jail.conf.j2 dest=/etc/fail2ban/jail.d/nginx-ddos-jail.conf owner=root group=root mode=0444
when: f2b_nginx_ddos_enabled
notify: Restart fail2ban
tags: [ 'fail2ban', 'f2b_apache_ddos' ]

View File

@ -1,13 +1,8 @@
--- ---
- name: install fail2ban on ubuntu >= 14.04 and debian >= 8 - name: Install fail2ban on ubuntu >= 14.04 and debian >= 8
apt: pkg={{ item }} state=installed apt: pkg={{ item }} state=installed
with_items: f2b_packages with_items: f2b_packages
tags: fail2ban tags: fail2ban
- name: Install the fail2ban custom jail file
template: src=jail.local.j2 dest=/etc/fail2ban/jail.local owner=root group=root mode=444
notify: Restart fail2ban
tags: fail2ban
- name: Ensure that fail2ban is enabled and running - name: Ensure that fail2ban is enabled and running
service: name=fail2ban state=started enabled=yes service: name=fail2ban state=started enabled=yes

View File

@ -1,3 +1,5 @@
--- ---
- include: fail2ban.yml - include: fail2ban.yml
when: has_fail2ban when: has_fail2ban
- include: fail2ban-rules.yml
when: has_fail2ban

View File

@ -0,0 +1,7 @@
[Definition]
# regex derived from the apache-bot one
failregex = ^<HOST> -.*"(GET|POST).*
ignoreregex =

View File

@ -0,0 +1,8 @@
[http-get-dos]
enabled = {{ f2b_apache_ddos_enabled }}
port = http,https
filter = apache-ddos-filter
logpath = /var/log/apache*/*access*log
maxretry = {{ f2b_ddos_maxretry }}
findtime = {{ f2b_ddos_findtime }}
bantime = {{ f2b_ban_time }}

View File

@ -0,0 +1,7 @@
[Definition]
# regex derived from the apache-bot one
failregex = ^<HOST> -.*"(GET|POST).*
ignoreregex =

View File

@ -0,0 +1,8 @@
[nginx-get-dos]
enabled = {{ f2b_nginx_ddos_enabled }}
port = http,https
filter = nginx-ddos-filter
logpath = /var/log/nginx/*access.log
maxretry = {{ f2b_ddos_maxretry }}
findtime = {{ f2b_ddos_findtime }}
bantime = {{ f2b_ban_time }}