Set up fail2ban in Debian-like systems.
None
-
fail2ban_loglevel: [default:3, orINFOin newer versions]: Sets the loglevel output (e.g.1 = ERROR,2 = WARN,3 = INFO,4 = DEBUG) -
fail2ban_logtarget: [default:/var/log/fail2ban.log]: Sets the log target. This could be a file, SYSLOG, STDERR or STDOUT -
fail2ban_syslog_target: [default:/var/log/fail2ban.log]: -
fail2ban_syslog_facility: [default:1]: -
fail2ban_socket: [default:/var/run/fail2ban/fail2ban.sock]: Sets the socket file, which is used to communicate with the daemon -
fail2ban_pidfile: [default:/var/run/fail2ban/fail2ban.pid]: Sets the pid file, which is used to to store the process ID of the daemon (Only works onfail2ban >= 0.8.9) -
fail2ban_dbpurgeage: [default:86400]: Sets age at which bans should be purged from the database -
fail2ban_ignoreips: [default:[127.0.0.1/8]]: Which IP address/CIDR mask/DNS host should be ignored from fail2ban's actions -
fail2ban_bantime: [default:600]: Sets the bantime -
fail2ban_maxretry: [default:3]: Maximum number of retries before the host is put into jail -
fail2ban_findtime: [default:600]: A host is banned if it has generatedfail2ban_maxretryduring the lastfail2ban_findtime -
fail2ban_backend: [default:auto]: Specifies the backend used to get files modification. For Debian 12,systemdis required -
fail2ban_banaction: [default:iptables-multiport]: Sets the global/default banaction -
fail2ban_banaction_allports: [default:iptables-allports]: Sets the global/default banaction for allports -
fail2ban_mta: [default:sendmail]: Email action -
fail2ban_protocol: [default:tcp]: Sets the default protocol -
fail2ban_chain: [default:INPUT]: Specifies the chain where jumps would need to be added in iptables-* actions -
fail2ban_action: [default:%(action_)s]: Default action. Note that variables (including the actions defined elsewhere in the config files) must be wrapped in python-style%(and)sso they are expanded -
fail2ban_sendername: [default:Fail2ban]: The 'from' name for emails sent by mta actions. NB: Usefail2ban_senderto set the 'from' email address. -
fail2ban_sender: [optional]: The 'from' address for emails sent by mta actions. -
fail2ban_filterd_path: [optional]: Path to directory containing filters to copy (note the trailing slash) -
fail2ban_actiond_path: [optional]: Path to directory containing actions to copy (note the trailing slash) -
fail2ban_jaild_path: [optional]: Path to directory containing jails to copy (note the trailing slash) -
fail2ban_services[default seedefaults/main.yml]: Service definitions -
fail2ban_services.{n}.name[required]: Service name (e.g.ssh) -
fail2ban_services.{n}.enabled[default:true]: Whether or not enabled -
fail2ban_services.{n}.*[optional]: Name of the option -
fail2ban_services.{n}.*.*[optional]: Value of the option
fail2ban_bantime_increment: [default:true]: Increases bantime after being banned beforefail2ban_bantime_factor: [default:1]: Bantime increase factor forbantime_formulaorbantime_multipliersfail2ban_bantime_formula: [default:'ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor']: Formula that will be used to calculate the increased bantime. Note that you can either usebantime_formulaorbantime_multiplierswhilebantime_multiplierstakes precedence.fail2ban_bantime_overalljails: [default:false]: Ban IPs for all jails if multiple are definedfail2ban_bantime_rndtime: [optional]: Option for smart bots that try to access after the bantime immediatelyfail2ban_bantime_multipliers: [optional]: Multiplier to use instead of bantime_formula. For example1 2 4 8 16 32 64. Note for bantime = 600 and bantime_factor=1 this would be600*1*1, 600*1*2...
None
---
- hosts: all
roles:
- oefenweb.fail2ban---
- hosts: all
roles:
- oefenweb.fail2ban
vars:
fail2ban_services:
# In older versions of Fail2Ban this is called ssh
- name: sshd
port: 2222
maxretry: 5
bantime: -1---
- hosts: all
roles:
- oefenweb.fail2ban
vars:
fail2ban_filterd_path: ../../../files/fail2ban/etc/fail2ban/filter.d/
fail2ban_services:
- name: apache-wordpress-logins
port: http,https
filter: apache-wordpress-logins
logpath: /var/log/apache2/access.log
maxretry: 5
findtime: 120MIT
Mischa ter Smitten (based on work of ANXS)
Are welcome!