README

Ansible role to manage Fail2ban

Introduction

This role installs Fail2ban and configures the main parameters.

It is also possible to ask the role to detect installed software and
add network daemon-specific configurations.

Role Logic

In order to allow defining settings at various levels, this role provides extra entrypoints which are
intended to be used with the include_role module. Entrypoints are:
* main (default): install the server and configure common ban parameters
* detect_config: check for installed network services and install specific configuration

At the beginning of your play you could install the server:

    - hosts: all
      roles:
        - fail2ban

If you want to use the autodetection feature, add this at the far end of your play (so that all other services are installed and can be detected):

    - hosts: all
      tasks:
        - include_role:
            name: fail2ban
            tasks_from: detect_config

Server installation

This feature uses the main entrypoint.

The most important thing is to define a whitelist with a list of IPs or CIDRs to avoid banning your own servers.

Once a client has misbehaved maxretry times (defaults to 3), it is banned for bantime seconds (defaults to 3600).

The ban_action defines what is actually done (defaults to '': just ban without sending mail). See the Fail2ban documentation for other possible actions.

If the ban action sends a mail, warn_email is the recipient.
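
A pre-deployment check for the whitelist advice above, as an added example that is not part of this role: it verifies that every address of your own servers is covered by the IPs or CIDRs you plan to pass as whitelist, and reports entries that do not parse. The function names, host names and addresses are constructed for illustration.

```python
import ipaddress


def parse_whitelist(entries):
    """Split whitelist entries into parsed networks and rejected strings."""
    networks, rejected = [], []
    for entry in entries:
        try:
            # A bare IP becomes a /32 or /128 network; strict=False also
            # accepts CIDRs written with host bits set (192.0.2.10/24).
            networks.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            rejected.append(entry)
    return networks, rejected


def uncovered_hosts(whitelist, hosts):
    """Return (names of hosts no whitelist entry covers, rejected entries)."""
    networks, rejected = parse_whitelist(whitelist)
    missing = []
    for name, addr in hosts.items():
        ip = ipaddress.ip_address(addr)
        # Only compare an address with networks of the same IP version.
        if not any(ip.version == net.version and ip in net for net in networks):
            missing.append(name)
    return sorted(missing), rejected


# Constructed sample data (documentation address ranges, one deliberate typo).
WHITELIST = ["127.0.0.1", "192.0.2.0/24", "2001:db8::/32", "198.51.100.300"]
HOSTS = {
    "web1": "192.0.2.15",
    "db1": "198.51.100.7",
    "mon1": "2001:db8::25",
}

if __name__ == "__main__":
    missing, rejected = uncovered_hosts(WHITELIST, HOSTS)
    for entry in rejected:
        print(f"invalid whitelist entry: {entry!r}")
    for name in missing:
        print(f"not covered by whitelist: {name} ({HOSTS[name]})")
    # A non-zero exit status lets a CI job block the deployment.
    raise SystemExit(1 if missing or rejected else 0)
```

With the sample data, the mistyped entry is rejected and db1 is reported as unprotected, which is the situation in which a monitoring or backup host could end up banned.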

Detect installed network services

This feature uses the detect_config entrypoint.

When the binary of a network daemon is found on the system, the related Fail2ban config is installed. It is uninstalled if the binary is no longer present.

The currently supported services are:
* ssh
* apache

ansible-role-fail2ban @ master

Name Size Revision Age Author Comment
  defaults d45b93a3 over 1 year Marc Dequènes initial version
  files 2a5f83ee over 1 year Marc Dequènes mark conffiles as being managed by Ansible
  handlers d45b93a3 over 1 year Marc Dequènes initial version
  meta a9be27f9 over 1 year Marc Dequènes Switch to Ansible 2.4
  tasks c95280c9 10 months Marc Dequènes support LXC/LXD
  templates 2a5f83ee over 1 year Marc Dequènes mark conffiles as being managed by Ansible
  vars ce43e2af over 1 year Marc Dequènes added a few more services
.gitignore 48 Bytes d45b93a3 over 1 year Marc Dequènes initial version
README.md 1.74 KB d45b93a3 over 1 year Marc Dequènes initial version

Latest revisions

# Date Author Comment
c95280c9 2018-05-27 16:01 Marc Dequènes

support LXC/LXD

a9be27f9 2017-09-22 18:18 Marc Dequènes

Switch to Ansible 2.4

62125562 2017-09-18 20:45 Marc Dequènes

remove irritating trailing spaces

2a5f83ee 2017-08-30 04:47 Marc Dequènes

mark conffiles as being managed by Ansible

56215634 2017-08-30 04:44 Marc Dequènes

also check variables for distribution with major version

ce43e2af 2017-07-25 09:05 Marc Dequènes

added a few more services

91815870 2017-07-11 10:58 Marc Dequènes

Ansible complains 'test_paths' is not defined when including

d45b93a3 2017-06-25 08:35 Marc Dequènes

initial version
