Skip to content
Snippets Groups Projects
Normal view Permalink
jail.local.j2 1.26 KiB
Newer Older
  • Learn to ignore specific revisions
    • Phillip Smith's avatar
    implement fail2ban role and deploy to orion  
    Phillip Smith committed
    1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 
    #
# {{ansible_managed}}
#

[DEFAULT]
findtime = {{fail2ban_findtime}}
bantime  = {{fail2ban_bantime}}
maxretry = {{fail2ban_maxretry}}

# don't trust dns
usedns = no

# if f2b ever needs to send emails, send them to root and make sure the sender
# address clearly identifies the host the message originated from
destemail = root
sender = fail2ban@{{ansible_fqdn}}

# use firewalld to manage bans - if we don't specify this, then fail2ban will
# default to use iptables, which we don't want as our systems are running
# firewalld with nftables backend.
#
# check current rules added to firewalld while fail2ban is running:
#   firewall-cmd --direct --get-all-rules
# useful runtime commands include:
#   fail2ban-client set <JAIL> banip <IP>
#   fail2ban-cleint set <JAIL> unbanip <IP>
#   fail2ban-client set unban <IP>
#   fail2ban-client set unban --all
# see `fail2ban-client help` for full list of runtime commands
    Kristian Klausen's avatar
    fail2ban: Use a managed firewalld ipset  
    Kristian Klausen committed
    30 
    banaction = firewallcmd-ipset-allports
    Phillip Smith (fukawi2)'s avatar
    fail2ban: add inventory hosts to ignoreip (whitelist)  
    Phillip Smith (fukawi2) committed
    31 32 33 34 35 36 37 38 
    
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ::1
{% for host in groups['all'] %}
    {{ hostvars[host]['inventory_hostname'] }}
{% endfor %}