Commit 0c40d331 authored by Jelle van der Waa's avatar Jelle van der Waa 🚧

Add fail2ban for apollo

This bans all requests exceeding 1/min in a time period of 30 minutes.
This might be too harsh and can be adjusted later.
parent 51cc96d8
......@@ -53,3 +53,4 @@
- { role: grafana, tags: ["grafana"] }
- { role: archwiki, tags: ["archwiki"] }
- { role: conf.archlinux.org }
- { role: fail2ban }
---
- name: install fail2ban
pacman: name=fail2ban state=present
- name: install jail.local
template: src=jail.local.j2 dest=/etc/fail2ban/jail.local owner=root group=root mode=0644
- name: install nginx-dos filter
template: src=nginx-dos.conf dest=/etc/fail2ban/filter.d/nginx-dos.conf owner=root group=root mode=0644
- name: start and enable fail2ban service
service: name=fail2ban.service enabled=yes state=started
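Review bot: The two `template:` tasks that write jail.local and filter.d/nginx-dos.conf carry no `notify`, so on a later run a changed jail or filter is written to disk while the already-running fail2ban keeps its old configuration until something else restarts it. Add `notify: restart fail2ban` to both template tasks and a handler that restarts `fail2ban.service`; no handler appears in this diff, so it presumably has to be added to the role's handlers file. The tasks use the key=value shorthand; the mapping form (`pacman:` with `name: fail2ban` and `state: present` on their own lines) is easier to diff and lint, though that is a matter of style.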
[wiki-nginx-dos]
enabled = true
filter = nginx-dos
action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
logpath = /var/log/nginx/wiki.archlinux.org/access.log
# 300 pages in 30 minutes
findtime = 1800
bantime = 3600
maxretry = 300
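Review bot: The threshold does not match the commit message: `maxretry = 300` over `findtime = 1800` is 10 matching requests per minute, not the "1/min" the description states, and the comment `# 300 pages in 30 minutes` overstates what is counted, since the nginx-dos filter matches every GET/POST line, assets included, so one page view can produce several hits. Reword the comment to `# 300 matching requests in 30 minutes` so the number is read correctly when it is tuned later. The jail also sets no `ignoreip`; a line such as `ignoreip = 127.0.0.1/8 <TRUSTED_HOSTS>` (placeholder for the project's own monitoring or admin addresses) avoids banning infrastructure hosts that legitimately poll the wiki. If the wiki is served through a reverse proxy, the logged `<HOST>` would be the proxy address and a single ban would cut off all users; worth confirming before enabling.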
[Definition]
# Option: failregex
# Notes.: Regexp to catch a generic call from an IP address.
# Values: TEXT
#
failregex = ^<HOST> .*"(GET|POST).*HTTP.*"
# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =
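Review bot: `failregex = ^<HOST> .*"(GET|POST).*HTTP.*"` counts every GET or POST line regardless of path or response status, so static-asset requests contribute to the 300-per-30-minutes limit, and the bare `.*` before the opening quote lets the match run across log fields rather than pinning the request line. Since `ignoreregex` is left empty, it is the natural place to exclude asset requests, e.g. `ignoreregex = ^<HOST> .*"(GET|POST) /<STATIC_PREFIX>/` with `<STATIC_PREFIX>` replaced by the wiki's asset path (placeholder, not on the page). Methods other than GET and POST (HEAD for instance) are never counted by this filter; if that is intentional, a one-line comment saying so would prevent it being read as an oversight.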