From 1ad7b44a055b5c646e9b1cb2ad2e73bed15a6c73 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Sun, 29 Nov 2015 20:25:29 +0100
Subject: [PATCH] library/roles/fail2ban: add two new jails: DDOS control for apache and nginx.
---
 R/tasks/main.yml | 2 --
 fail2ban/defaults/main.yml | 6 +++-
 fail2ban/tasks/fail2ban-rules.yml | 30 +++++++++++++++++++
 fail2ban/tasks/fail2ban.yml | 7 +----
 fail2ban/tasks/main.yml | 2 ++
 fail2ban/templates/apache-ddos-filter.conf.j2 | 7 +++++
 fail2ban/templates/apache-ddos-jail.conf.j2 | 8 +++++
 fail2ban/templates/nginx-ddos-filter.conf.j2 | 7 +++++
 fail2ban/templates/nginx-ddos-jail.conf.j2 | 8 +++++
 9 files changed, 68 insertions(+), 9 deletions(-)
 create mode 100644 fail2ban/tasks/fail2ban-rules.yml
 create mode 100644 fail2ban/templates/apache-ddos-filter.conf.j2
 create mode 100644 fail2ban/templates/apache-ddos-jail.conf.j2
 create mode 100644 fail2ban/templates/nginx-ddos-filter.conf.j2
 create mode 100644 fail2ban/templates/nginx-ddos-jail.conf.j2
diff --git a/R/tasks/main.yml b/R/tasks/main.yml
index 22f50cd9..12333322 100644
--- a/R/tasks/main.yml
+++ b/R/tasks/main.yml
@@ -7,8 +7,6 @@
   apt_repository: repo='deb http://cran.rstudio.com/bin/linux/ubuntu {{ ansible_distribution_release }}/' state={{ r_install_cran_repo }} update_cache=yes
   tags: [ 'r_software', 'r_repo' ]
 
-#
-# This does not work. It resolves dependecies badly and/or installs the right version only for one of the packages
 - name: Install a specific version of the R base package
   apt: pkg={{ item }} state={{ r_packages_state }}
   with_items: r_base_packages_list
diff --git a/fail2ban/defaults/main.yml b/fail2ban/defaults/main.yml
index b5e01294..bbba150a 100644
--- a/fail2ban/defaults/main.yml
+++ b/fail2ban/defaults/main.yml
@@ -6,21 +6,25 @@
 f2b_ban_time: 86400
 f2b_findtime: 600
 f2b_maxretry: 5
+f2b_ddos_findtime: 120
+f2b_ddos_maxretry: 200
 f2b_default_backend: auto
 f2b_usedns: warn
 f2b_dest_email: 'sysadmin@{{ domain_name }}'
-f2b_sender_email: 'denyhosts@{{ domain_name }}'
+f2b_sender_email: 'sysadmin@{{ domain_name }}'
 f2b_default_banaction: iptables-multiport
 # Default action: ban. Not send email
 f2b_default_action: action_
 f2b_default_iptableschain: INPUT
 f2b_ssh_enabled: true
 f2b_ssh_ddos_enabled: true
+f2b_apache_ddos_enabled: false
 f2b_apache_auth_enabled: false
 f2b_apache_noscript_enabled: false
 f2b_apache_overflow_enabled: false
 f2b_php_url_popen: false
 f2b_nginx_auth_enabled: false
+f2b_nginx_ddos_enabled: false
 f2b_vsftpd_enabled: false
 f2b_vsftpd_logpath: /var/log/vsftpd.log
 f2b_recidive_enabled: true
diff --git a/fail2ban/tasks/fail2ban-rules.yml b/fail2ban/tasks/fail2ban-rules.yml
new file mode 100644
index 00000000..43483055
--- /dev/null
+++ b/fail2ban/tasks/fail2ban-rules.yml
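Review bot: The new DoS jails reuse `f2b_ban_time` (86400, a 24-hour ban) for a trigger that fires on `f2b_ddos_maxretry: 200` matching lines within `f2b_ddos_findtime: 120` seconds, and since the filters count every GET/POST request, a busy NAT or corporate proxy address may reach that rate during ordinary browsing and lock out everyone behind it for a day. A dedicated default such as `f2b_ddos_bantime: 600`, referenced from `bantime =` in apache-ddos-jail.conf.j2 and nginx-ddos-jail.conf.j2 instead of `{{ f2b_ban_time }}`, would let the rate jails be tuned independently of the login jails. The two `f2b_ddos_*` keys also deserve a comment, e.g. `# rate thresholds shared by the apache and nginx DoS jails; every GET/POST line counts as one hit`. The `f2b_sender_email` change from denyhosts@ to sysadmin@ is unrelated to the subject line and is worth mentioning in the commit message.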
@@ -0,0 +1,30 @@
+---
+- name: Install the fail2ban custom jail file
+  template: src=jail.local.j2 dest=/etc/fail2ban/jail.local owner=root group=root mode=444
+  notify: Restart fail2ban
+  tags: fail2ban
+
+- name: Install the fail2ban apache ddos filter
+  template: src=apache-ddos-filter.conf.j2 dest=/etc/fail2ban/filter.d/apache-ddos-filter.conf owner=root group=root mode=0444
+  when: f2b_apache_ddos_enabled
+  notify: Restart fail2ban
+  tags: [ 'fail2ban', 'f2b_apache_ddos' ]
+
+- name: Install the fail2ban apache ddos rule
+  template: src=apache-ddos-jail.conf.j2 dest=/etc/fail2ban/jail.d/apache-ddos-jail.conf owner=root group=root mode=0444
+  when: f2b_apache_ddos_enabled
+  notify: Restart fail2ban
+  tags: [ 'fail2ban', 'f2b_apache_ddos' ]
+
+- name: Install the fail2ban nginx ddos filter
+  template: src=nginx-ddos-filter.conf.j2 dest=/etc/fail2ban/filter.d/nginx-ddos-filter.conf owner=root group=root mode=0444
+  when: f2b_nginx_ddos_enabled
+  notify: Restart fail2ban
+  tags: [ 'fail2ban', 'f2b_apache_ddos' ]
+
+- name: Install the fail2ban nginx ddos rule
+  template: src=nginx-ddos-jail.conf.j2 dest=/etc/fail2ban/jail.d/nginx-ddos-jail.conf owner=root group=root mode=0444
+  when: f2b_nginx_ddos_enabled
+  notify: Restart fail2ban
+  tags: [ 'fail2ban', 'f2b_apache_ddos' ]
+
diff --git a/fail2ban/tasks/fail2ban.yml b/fail2ban/tasks/fail2ban.yml
index f529b141..75266361 100644
--- a/fail2ban/tasks/fail2ban.yml
+++ b/fail2ban/tasks/fail2ban.yml
@@ -1,13 +1,8 @@
 ---
-- name: install fail2ban on ubuntu >= 14.04 and debian >= 8
+- name: Install fail2ban on ubuntu >= 14.04 and debian >= 8
   apt: pkg={{ item }} state=installed
   with_items: f2b_packages
   tags: fail2ban
 
-- name: Install the fail2ban custom jail file
-  template: src=jail.local.j2 dest=/etc/fail2ban/jail.local owner=root group=root mode=444
-  notify: Restart fail2ban
-  tags: fail2ban
-
 - name: Ensure that fail2ban is enabled and running
   service: name=fail2ban state=started enabled=yes
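Review bot: The two nginx tasks at the end of the hunk are tagged `f2b_apache_ddos`, so a run limited to `--tags f2b_nginx_ddos` would never install them and a run with `--tags f2b_apache_ddos` would silently rewrite the nginx filter and jail as well; both lines should read `tags: [ 'fail2ban', 'f2b_nginx_ddos' ]`. The `when: f2b_apache_ddos_enabled` / `when: f2b_nginx_ddos_enabled` guards only skip the template step, so flipping a variable back to false after a deploy leaves the previously rendered file under /etc/fail2ban/jail.d/ in place with whatever `enabled =` value it had at render time and the jail keeps running; a matching `file: path=/etc/fail2ban/jail.d/apache-ddos-jail.conf state=absent` task with `when: not f2b_apache_ddos_enabled` (and the nginx counterpart) would make the variable authoritative. The moved jail.local task spells its mode as `mode=444` while the four new tasks use `mode=0444`; one spelling per file avoids a reader wondering whether they differ.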
diff --git a/fail2ban/tasks/main.yml b/fail2ban/tasks/main.yml
index 33aa9aeb..5f9f82f9 100644
--- a/fail2ban/tasks/main.yml
+++ b/fail2ban/tasks/main.yml
@@ -1,3 +1,5 @@
 ---
 - include: fail2ban.yml
   when: has_fail2ban
+- include: fail2ban-rules.yml
+  when: has_fail2ban
diff --git a/fail2ban/templates/apache-ddos-filter.conf.j2 b/fail2ban/templates/apache-ddos-filter.conf.j2
new file mode 100644
index 00000000..66539f6e
--- /dev/null
+++ b/fail2ban/templates/apache-ddos-filter.conf.j2
@@ -0,0 +1,7 @@
+[Definition]
+
+# regex derived from the apache-bot one
+
+failregex = ^ -.*"(GET|POST).*
+
+ignoreregex =
diff --git a/fail2ban/templates/apache-ddos-jail.conf.j2 b/fail2ban/templates/apache-ddos-jail.conf.j2
new file mode 100644
index 00000000..8c4aa088
--- /dev/null
+++ b/fail2ban/templates/apache-ddos-jail.conf.j2
@@ -0,0 +1,8 @@
+[http-get-dos]
+enabled = {{ f2b_apache_ddos_enabled }}
+port = http,https
+filter = apache-ddos-filter
+logpath = /var/log/apache*/*access*log
+maxretry = {{ f2b_ddos_maxretry }}
+findtime = {{ f2b_ddos_findtime }}
+bantime = {{ f2b_ban_time }}
diff --git a/fail2ban/templates/nginx-ddos-filter.conf.j2 b/fail2ban/templates/nginx-ddos-filter.conf.j2
new file mode 100644
index 00000000..66539f6e
--- /dev/null
+++ b/fail2ban/templates/nginx-ddos-filter.conf.j2
@@ -0,0 +1,7 @@
+[Definition]
+
+# regex derived from the apache-bot one
+
+failregex = ^ -.*"(GET|POST).*
+
+ignoreregex =
diff --git a/fail2ban/templates/nginx-ddos-jail.conf.j2 b/fail2ban/templates/nginx-ddos-jail.conf.j2
new file mode 100644
index 00000000..92afaff2
--- /dev/null
+++ b/fail2ban/templates/nginx-ddos-jail.conf.j2
@@ -0,0 +1,8 @@
+[nginx-get-dos]
+enabled = {{ f2b_nginx_ddos_enabled }}
+port = http,https
+filter = nginx-ddos-filter
+logpath = /var/log/nginx/*access.log
+maxretry = {{ f2b_ddos_maxretry }}
+findtime = {{ f2b_ddos_findtime }}
+bantime = {{ f2b_ban_time }}
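Review bot: As shown here, `failregex = ^ -.*"(GET|POST).*` carries no `<HOST>` tag, and fail2ban rejects a filter whose failregex has no host group, so the jail would fail to load on the reload this role triggers; the apache-bot filter the comment says this derives from anchors on `^<HOST> -.*`, so the line should read `failregex = ^<HOST> -.*"(GET|POST).*` unless the tag was lost when the patch was rendered. Either way the expression matches every GET or POST line in the access log rather than anything abusive, so `maxretry` effectively counts all requests from an address including static assets, and with the combined log format the host is the first field, which behind a reverse proxy or load balancer would be the proxy's address rather than the client's. That deserves a comment above the regex, e.g. `# counts every GET/POST request line; the host is the first log field, so do not enable behind a proxy unless the log format records the client address`. The same applies to nginx-ddos-filter.conf.j2, which is a byte-identical copy (same blob 66539f6e) and still says it derives from the apache-bot filter.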
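Review bot: The apache jail is named `[http-get-dos]` while its nginx twin is `[nginx-get-dos]`; the jail name is what `fail2ban-client status` and the fail2ban log show, so `[apache-get-dos]` would keep the two distinguishable and consistent. `enabled = {{ f2b_apache_ddos_enabled }}` is only rendered when the installing task's `when:` already guarantees the variable is truthy, so the file always ends up enabled; rendering `{{ f2b_apache_ddos_enabled | lower }}` would at least emit fail2ban's `true`/`false` spelling instead of Python's `True`. `logpath = /var/log/apache*/*access*log` also covers every access log under those directories, so all vhosts on the host are rate-limited by this one jail; a comment saying so, e.g. `# every vhost access log on the host is watched by this jail`, would save a surprise later. Apart from the name, the same points apply to nginx-ddos-jail.conf.j2.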