EOX GitLab Instance


Repositioning of the fail2ban configuration with nftables from wireguard to...

Merged Nicolas Baudoin requested to merge fail2ban-ext_srv into main
---
# The unban script will allow fail2ban to delete rules from nftables by finding their handles
- name: Create an unban script for Fail2Ban to work with nftables
template:
src: nftables_unban.j2
dest: /usr/local/bin/nftables_unban
mode: '0755'
# The date script will generate the correct path for the log
- name: Create date script for Fail2Ban logpath
template:
src: current_date_logpath.j2
dest: /usr/local/bin/current_date_logpath
mode: '0755'
- name: Ensure the custom sshd line is present in fail2ban filter configuration for sshd
ansible.builtin.lineinfile:
path: /etc/fail2ban/filter.d/sshd.conf
insertafter: '^\[iI\]\(?:llegal|nvalid\) user <F-USER>.*?</F-USER> from <HOST>%\(__suff\)s$'
line: '[iI](?:llegal|nvalid) user <F-USER>.*?</F-USER> from <HOST>%(__suff)s$'
state: present
# Updating fail2ban to be able to work with the way our nftables work
- name: Deploy custom nftables action for Fail2Ban
template:
src: nftables-allports.conf.j2
dest: /etc/fail2ban/action.d/nftables-allports.conf
- name: Ensure fail2ban jail configuration is correct
template:
src: fail2ban_jail.j2
dest: /etc/fail2ban/jail.d/jail.local
owner: root
group: root
mode: '0644'
notify: Reload fail2ban
# Necessary for changing the log file to be analyzed everytime at midnight
- name: Add cron job to update the logpath at midnight and reload Fail2Ban
cron:
name: "Update logpath and reload fail2ban at midnight"
minute: "0"
hour: "0"
job: "/usr/local/bin/current_date_logpath && systemctl reload fail2ban"
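Review bot: the `insertafter` pattern in the "Ensure the custom sshd line is present" task is a different regex from the `line` it is meant to locate: the `[`, `]`, `(` and `)` are backslash-escaped, so it matches literal brackets and parentheses and will not match the existing `[iI](?:llegal|nvalid) user ...` entry in `/etc/fail2ban/filter.d/sshd.conf`. When `insertafter` matches nothing, `lineinfile` appends the line at end of file, which in an INI-style filter places it outside the `failregex` block it was intended to extend; either use the unescaped pattern (the same text as `line`) or move the custom expression into a `filter.d/sshd.local` overlay that survives package upgrades. Separately, only the jail task carries `notify: Reload fail2ban`; changes to `action.d/nftables-allports.conf` or to the sshd filter will not be picked up until the next reload, so those tasks should notify the same handler. Minor: the playbook mixes `template`/`cron` with the fully qualified `ansible.builtin.lineinfile`; pick one style.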