implement fail2ban role and deploy to orion

fail2ban role now protects postfix, dovecot and sshd. other roles can drop configuration files into /etc/fail2ban/jail.d/*.local to enable fail2ban to monitor it's service.

implement fail2ban role and deploy to orion
fail2ban role now protects postfix, dovecot and sshd. other roles can drop configuration files into /etc/fail2ban/jail.d/*.local to enable fail2ban to monitor it's service.
61d48f11 · Phillip Smith · 8e33fb5a · 61d48f11 · 61d48f11 · 61d48f11
Commit 61d48f11 authored Oct 25, 2019 by Phillip Smith
--- a/host_vars/orion.archlinux.org/misc
+++ b/host_vars/orion.archlinux.org/misc
@@ -22,3 +22,8 @@ zabbix_agent_templates:
  - Template App Borg Backup
  - Template App Nginx
  - Template App Archive
+
+fail2ban_jails:
+  sshd: true
+  postfix: true
+  dovecot: true
--- a/playbooks/orion.yml
+++ b/playbooks/orion.yml
@@ -29,3 +29,4 @@
    - { role: archive, archive_domain: "archive.archlinux.org", archive_dir: "/srv/archive", tags: ['archive'] }
    - { role: hefur, ftp_iso_dir: '/srv/ftp/iso', tags: ['torrenttracker']}
    - wkd
+    - { role: fail2ban, tags: ["fail2ban"] }
--- a/roles/archwiki/tasks/main.yml
+++ b/roles/archwiki/tasks/main.yml
@@ -99,6 +99,16 @@
    - archwiki-question-updater.service
    - archwiki-memcached.service

+- name: install fail2ban rate-limit filter
+  template: src=fail2ban.filter.j2 dest=/etc/fail2ban/filter.d/nginx-dos.local owner=root group=root mode=0644
+  tags:
+    - fail2ban
+
+- name: install fail2ban rate-limit jail
+  template: src=fail2ban.jail.j2 dest=/etc/fail2ban/jail.d/nginx-dos.local owner=root group=root mode=0644
+  tags:
+    - fail2ban
+
 - name: start and enable archwiki runjobs timer
  service: name="archwiki-runjobs.timer" enabled=yes state=started


--- a/roles/fail2ban/templates/nginx-dos.conf
+++ b/roles/fail2ban/templates/nginx-dos.conf
+#
+# {{ansible_managed}}
+#
+
 [Definition]
 # Option:  failregex
 # Notes.:  Regexp to catch a generic call from an IP address.

--- a/roles/fail2ban/defaults/main.yml
+++ b/roles/fail2ban/defaults/main.yml
+# by default all jails are disabled
+# override this variable in a host/group file to define which jails to enable
+fail2ban_jails:
+  sshd: false
+  postfix: false
+  dovecot: false
+
+# use variables for these directives so they can be overridden at a host or
+# group level as required. note that there cannot be a space between the
+# integer and the unit (eg "15min" == good, "15 min" == bad).
+# refer to `man jail.conf`
+fail2ban_findtime: 15min
+fail2ban_bantime: 1day
+fail2ban_maxretry: 5
--- a/roles/fail2ban/handlers/main.yml
+++ b/roles/fail2ban/handlers/main.yml
+- name: restart fail2ban
+  systemd:
+    name: fail2ban
+    state: restarted
+
+- name: reload fail2ban jails
+  shell: type fail2ban-server > /dev/null && (fail2ban-client ping > /dev/null && fail2ban-client reload > /dev/null || true) || true
--- a/roles/fail2ban/tasks/main.yml
+++ b/roles/fail2ban/tasks/main.yml
---
-
 - name: install fail2ban
-  pacman: name=fail2ban state=present
+  package:
+    name: "fail2ban"
+    state: "present"
+  notify:
+    - restart fail2ban
+
+- name: install systemd unit override file
+  template:
+    src: "fail2ban.service.j2"
+    dest: "/etc/systemd/system/fail2ban.service.d/override.conf"
+    owner: "root"
+    group: "root"
+    mode: 0644
+
+- name: install local config files
+  template:
+    src: "{{item}}.j2"
+    dest: "/etc/fail2ban/{{item}}"
+    owner: "root"
+    group: "root"
+    mode: 0644
+  with_items:
+    - "fail2ban.local"
+    - "jail.local"
+  notify:
+    - restart fail2ban
+
+- name: install firewallcmd-allports.local
+  template:
+    src: "firewallcmd-allports.local.j2"
+    dest: "/etc/fail2ban/action.d/firewallcmd-allports.local"
+    owner: "root"
+    group: "root"
+    mode: 0644
+  notify:
+    - restart fail2ban

- name: install jail.local
-  template: src=jail.local.j2 dest=/etc/fail2ban/jail.local owner=root group=root mode=0644
+- name: install sshd jail
+  when: fail2ban_jails.sshd
+  template:
+    src: "sshd.jail.j2"
+    dest: "/etc/fail2ban/jail.d/sshd.local"
+    owner: "root"
+    group: "root"
+    mode: 0644
+  notify:
+    - reload fail2ban jails

- name: install nginx-dos filter
-  template: src=nginx-dos.conf dest=/etc/fail2ban/filter.d/nginx-dos.conf owner=root group=root mode=0644
+- name: install postfix jail
+  when: fail2ban_jails.postfix
+  template:
+    src: "postfix.jail.j2"
+    dest: "/etc/fail2ban/jail.d/postfix.local"
+    owner: "root"
+    group: "root"
+    mode: 0644
+  notify:
+    - reload fail2ban jails

- name: start and enable fail2ban service
-  service: name=fail2ban.service enabled=yes state=started
+- name: install dovecot jail
+  when: fail2ban_jails.dovecot
+  template:
+    src: "dovecot.jail.j2"
+    dest: "/etc/fail2ban/jail.d/dovecot.local"
+    owner: "root"
+    group: "root"
+    mode: 0644
+  notify:
+    - reload fail2ban jails

+- name: start and enable service
+  systemd:
+    name: "fail2ban.service"
+    enabled: yes
+    state: started
+    daemon-reload: yes
--- a/roles/fail2ban/templates/dovecot.jail.j2
+++ b/roles/fail2ban/templates/dovecot.jail.j2
+#
+# {{ansible_managed}}
+#
+
+[dovecot]
+enabled = true
+findtime = 3600 ; 1 hour
+maxretry = 8
--- a/roles/fail2ban/templates/fail2ban.local.j2
+++ b/roles/fail2ban/templates/fail2ban.local.j2
+#
+# {{ansible_managed}}
+#
+
+[Definition]
+
+# reduce logging verbosity by default; if we need to debug we can set it
+# temporarily higher by using: fail2ban-client set loglevel INFO
+loglevel = WARNING
+
+# we need to override the default pid path to /run instead of /var/run
+pidfile = /run/fail2ban/fail2ban.pid
--- a/roles/fail2ban/templates/fail2ban.service.j2
+++ b/roles/fail2ban/templates/fail2ban.service.j2
+# the user journal files exceeds MaxNOFiles so increase the
+# maximum number of open files
+# Refer: https://github.com/fail2ban/fail2ban/issues/2208
+
+[Service]
+LimitNOFILE=8192
--- a/roles/fail2ban/templates/firewallcmd-allports.local.j2
+++ b/roles/fail2ban/templates/firewallcmd-allports.local.j2
+#
+# {{ansible_managed}}
+#
+
+# creates the requisite chains in firewalld when fail2ban starts instead
+# of creating them on first use (ie, when first IP is banned)
+[Definition]
+actionstart_on_demand = false
--- a/roles/fail2ban/templates/jail.local.j2
+++ b/roles/fail2ban/templates/jail.local.j2
-[wiki-nginx-dos]
-enabled = true
-filter = nginx-dos
-action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
-logpath = /var/log/nginx/wiki.archlinux.org/access.log
-# 400 pages in 30 minutes
-findtime = 1800
-bantime = 1d
-maxretry = 400
+#
+# {{ansible_managed}}
+#
+
+[DEFAULT]
+findtime = {{fail2ban_findtime}}
+bantime  = {{fail2ban_bantime}}
+maxretry = {{fail2ban_maxretry}}
+
+# don't trust dns
+usedns = no
+
+# if f2b ever needs to send emails, send them to root and make sure the sender
+# address clearly identifies the host the message originated from
+destemail = root
+sender = fail2ban@{{ansible_fqdn}}
+
+# use firewalld to manage bans - if we don't specify this, then fail2ban will
+# default to use iptables, which we don't want as our systems are running
+# firewalld with nftables backend.
+#
+# check current rules added to firewalld while fail2ban is running:
+#   firewall-cmd --direct --get-all-rules
+# useful runtime commands include:
+#   fail2ban-client set <JAIL> banip <IP>
+#   fail2ban-cleint set <JAIL> unbanip <IP>
+#   fail2ban-client set unban <IP>
+#   fail2ban-client set unban --all
+# see `fail2ban-client help` for full list of runtime commands
+banaction = firewallcmd-allports
--- a/roles/fail2ban/templates/postfix.jail.j2
+++ b/roles/fail2ban/templates/postfix.jail.j2
+#
+# {{ansible_managed}}
+#
+
+[postfix]
+mode = aggressive
+enabled = true
+findtime = 3600 ; 1 hour
+maxretry = 8
--- a/roles/fail2ban/templates/sshd.jail.j2
+++ b/roles/fail2ban/templates/sshd.jail.j2
+#
+# {{ansible_managed}}
+#
+
+[sshd]
+enabled = true