From: David Galloway
Date: Fri, 17 Jun 2016 00:00:18 +0000 (-0400)
Subject: gateway: Add fail2ban support
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=00e8e4bd2477c13322329eee62c5461f65ec1268;p=ceph-cm-ansible.git
gateway: Add fail2ban support
Signed-off-by: David Galloway
---
diff --git a/roles/gateway/defaults/main.yml b/roles/gateway/defaults/main.yml
index 5fdb3fe8..2ef0f5f0 100644
--- a/roles/gateway/defaults/main.yml
+++ b/roles/gateway/defaults/main.yml
@@ -12,3 +12,15 @@ openvpn_data_dir: /etc/openvpn/data
 gw_allow_http: "true"
 gw_allow_https: "true"
+
+# fail2ban-specific vars
+gw_f2b_ignoreip: "127.0.0.1/8"
+gw_f2b_bantime: "43200" # 12hrs
+gw_f2b_findtime: "600" # 10min
+gw_f2b_maxretry: "5"
+
+gw_f2b_services:
+ sshd:
+ enabled: "true"
+ port: "ssh"
+ logpath: "%(sshd_log)s"
diff --git a/roles/gateway/handlers/main.yml b/roles/gateway/handlers/main.yml
index b6612c4a..9ddda09d 100644
--- a/roles/gateway/handlers/main.yml
+++ b/roles/gateway/handlers/main.yml
@@ -4,3 +4,15 @@ service:
 name: network
 state: restarted
+
+# Restart fail2ban
+- name: restart fail2ban
+ service:
+ name: fail2ban
+ state: restarted
+
+# Reload fail2ban
+- name: reload fail2ban
+ service:
+ name: fail2ban
+ state: reloaded
diff --git a/roles/gateway/tasks/fail2ban.yml b/roles/gateway/tasks/fail2ban.yml
new file mode 100644
index 00000000..82ae7547
--- /dev/null
+++ b/roles/gateway/tasks/fail2ban.yml
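Review bot: `gw_f2b_ignoreip: "127.0.0.1/8"` exempts only loopback, so the host you run ansible from, and any bastion or monitoring source that probes sshd, is subject to the same 5-failures-in-10-minutes rule and a 12-hour ban; a bad key rollout can lock the operator out of the gateway for `bantime`. The value is written verbatim into jail.local's `ignoreip`, which is space-separated, so a site override can list several CIDRs in one string. I would document that expectation next to the default: `# override with the ansible control host / management CIDR so a failed login burst cannot ban your own access`. The string-quoted `"true"`/`"43200"` values are fine here because the templates render them unquoted into INI.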
@@ -0,0 +1,41 @@
+---
+- name: Write fail2ban defaults conf file
+ template:
+ src: templates/f2b.jail.local.j2
+ dest: /etc/fail2ban/jail.local
+ notify: restart fail2ban
+
+# Set a var equal to our ansible_managed var since ansible_managed
+# can't be called directly in the next task.
+# See https://github.com/ansible/ansible/issues/11317
+- name: Set f2b_grep_var to ansible_managed string
+ set_fact:
+ f2b_grep_var: "This file is managed by ansible, don't make changes here - they will be overwritten."
+
+# Remove all service files in case a malformed config was previously shipped.
+# Malformed service files cause fail2ban to not start.
+- name: Clean up ansible-written service conf files
+ shell: for file in $(grep -l {{ f2b_grep_var|quote }} /etc/fail2ban/jail.d/*); do rm -vf $file; done
+ register: f2b_rm_out
+
+# Show what files were deleted
+- debug: var=f2b_rm_out.stdout
+
+- name: Write fail2ban service conf files
+ template:
+ src: templates/f2b.service.j2
+ dest: "/etc/fail2ban/jail.d/{{ item.key }}.local"
+ with_dict: "{{ gw_f2b_services }}"
+ notify: reload fail2ban
+
+- name: Make sure fail2ban service is running
+ service:
+ name: fail2ban
+ state: started
+
+- name: Check fail2ban status
+ shell: fail2ban-client status
+ register: fail2ban_status
+
+# Show fail2ban status
+- debug: var=fail2ban_status.stdout_lines
diff --git a/roles/gateway/tasks/main.yml b/roles/gateway/tasks/main.yml
index 372fd87b..9629f6dd 100644
--- a/roles/gateway/tasks/main.yml
+++ b/roles/gateway/tasks/main.yml
@@ -20,6 +20,11 @@ tags:
 - firewall
+# Configure fail2ban
+- include: fail2ban.yml
+ tags:
+ - fail2ban
+
 - name: Ensure data directory exists
 file:
 path: "{{ openvpn_data_dir }}"
diff --git a/roles/gateway/templates/f2b.jail.local.j2 b/roles/gateway/templates/f2b.jail.local.j2
new file mode 100644
index 00000000..335483bc
--- /dev/null
+++ b/roles/gateway/templates/f2b.jail.local.j2
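Review bot: The "Clean up" task depends on `f2b_grep_var` being byte-identical to whatever `ansible_managed` renders in the templates' `# {{ ansible_managed }}` header, but the string is hard-coded in the `set_fact`; if `ansible_managed` in ansible.cfg is ever changed (for instance to include `{file}` or `{host}`), the grep silently matches nothing and the stale jail.d files this task exists to purge survive — which is exactly the fail2ban-won't-start case the comment above it describes. I would say so on the set_fact, `# NOTE: must match ansible_managed in ansible.cfg exactly, otherwise the grep below matches nothing`. Both `shell` tasks also report changed on every run, which hides real changes in play output; `changed_when: f2b_rm_out.stdout != ""` on the cleanup and `changed_when: false` on the `fail2ban-client status` check fix that. Quoting `"$file"` in the loop is cheap hygiene even though the names come from a fixed glob.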
@@ -0,0 +1,8 @@
+#
+# {{ ansible_managed }}
+#
+[DEFAULT]
+ignoreip = {{ gw_f2b_ignoreip }}
+bantime = {{ gw_f2b_bantime }}
+findtime = {{ gw_f2b_findtime }}
+maxretry = {{ gw_f2b_maxretry }}
diff --git a/roles/gateway/templates/f2b.service.j2 b/roles/gateway/templates/f2b.service.j2
new file mode 100644
index 00000000..863305b2
--- /dev/null
+++ b/roles/gateway/templates/f2b.service.j2
@@ -0,0 +1,9 @@
+#
+# {{ ansible_managed }}
+#
+[{{ item.key }}]
+enabled = {{ item.value.enabled }}
+port = {{ item.value.port }}
+{% if item.value.logpath is defined %}
+logpath = {{ item.value.logpath }}
+{% endif %}
diff --git a/roles/gateway/vars/packages.yml b/roles/gateway/vars/packages.yml
index 145afd66..aea1867b 100644
--- a/roles/gateway/vars/packages.yml
+++ b/roles/gateway/vars/packages.yml
@@ -7,6 +7,7 @@ packages:
 - ipmitool
 - git
 - fail2ban
+ - fail2ban-firewalld
 ## VPN-specific stuff
 - openvpn
 - easy-rsa
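Review bot: `[DEFAULT]` sets the ban thresholds but neither `banaction` nor `backend`, so the mechanism that actually enforces a ban is not visible in this role; presumably it comes from the drop-in that the `fail2ban-firewalld` package (added in this same commit) installs under jail.d, which survives the role's cleanup only because it lacks the ansible-managed marker. That coupling deserves a line in the template so the next person does not "fix" it by adding an iptables action: `# banaction/backend deliberately unset: supplied by fail2ban-firewalld's own jail.d drop-in`. Whether that drop-in really sets a firewalld action on the target distro should be confirmed once on a deployed gateway with `fail2ban-client get sshd actions`.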
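Review bot: `enabled` and `port` are rendered unconditionally while `logpath` is guarded, so a `gw_f2b_services` entry that omits `port` to rely on the jail's built-in default from jail.conf aborts the play with an undefined-variable error instead of falling back, and the cleanup task will already have deleted the previous jail.d files by then. Guard `port` the same way as `logpath`: `{% if item.value.port is defined %}` / `port = {{ item.value.port }}` / `{% endif %}`, and consider `enabled = {{ item.value.enabled | default('true') }}` since an entry listed under `gw_f2b_services` is presumably meant to be on. A header comment naming the expected keys (`enabled`, `port`, optional `logpath`) would make the dict contract explicit.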
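Review bot: `fail2ban-firewalld` is a firewalld-specific subpackage (Fedora/EPEL naming), so this list now assumes the gateway runs firewalld; on a host without it the package task fails, or, if the package is absent but fail2ban is not, bans presumably fall back to direct iptables actions that a firewalld reload would discard. The role's preceding firewall tasks may already guarantee firewalld, but that dependency is not stated here; a one-line comment makes it explicit: `# firewalld-aware ban actions; requires firewalld (configured by the firewall tasks)`.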