The firewalld direct interface is deprecated and will be removed in a
future release[1]. Recently IPv4 connectivity inside docker containers
on our runners broke and after some troubleshooting, the issue was
pinpointed to the start of the fail2ban service. We also had issues in
the past where sometimes firewalld had to be restarted after boot before
network connectivity worked in libvirt on our runners.

The issuse may be due to a bug in the way fail2ban use the direct
interface, a bug in firewalld or a combination thereof. Let's just avoid
the direct interface altogether and create a clean separation, with
firewalld handling the blocking and fail2ban maintaining the ipset.

[1] https://firewalld.org/documentation/man-pages/firewalld.direct.html

Add "noqa no-changed-when" tags to handlers using the command module.
Perhaps it is wrong of ansible-lint to flag these, since handlers are
not the best place to have conditional execution.

Leonidas Spyropoulos authored 2 years ago and Evangelos Foutras committed 2 years ago

Convert the permissions to strings to avoid octal interpretation.

Signed-off-by: Leonidas Spyropoulos <artafinde@archlinux.org>

group_vars/all was enabling just the sshd jail so move this into the
fail2ban role defaults. patchwork, security and wiki were redefining
fail2ban_jails without deviating from the group_vars/all default and
can therefore be dropped.

Fixes: 26f289b7 ("Capitalize the first letter of all task names")

ansible-lint 6.5.0 complains about:

  name: All names should start with an
        uppercase letter. (name[casing])

Add a default rate limit for 20 req/s for the uwsgi endpoint and
automatically ban users who reach this limit. The nginx-limit-req rule
does not ban users who reach the rss limit as these are not likely DoS
attempts.

Leonidas Spyropoulos authored 3 years ago and Jelle van der Waa committed 3 years ago

Signed-off-by: Leonidas Spyropoulos <artafinde@gmail.com>

yaml: truthy value should be one of [false, true] (truthy)
yaml: wrong indentation: expected 4 but found 2 (indentation)
yaml: too few spaces before comment (comments)
yaml: missing starting space in comment (comments)
yaml: too many blank lines (1 > 0) (empty-lines)
yaml: too many spaces after colon (colons)
yaml: comment not indented like content (comments-indentation)
yaml: no new line character at the end of file (new-line-at-end-of-file)
load-failure: Failed to load or parse file
parser-error: couldn't resolve module/action 'hosts'. This often indicates a misspelling, missing collection, or incorrect module path.

fail2ban role now protects postfix, dovecot and sshd. other roles can drop
configuration files into /etc/fail2ban/jail.d/*.local to enable fail2ban to
monitor it's service.

This bans all requests exceeding 1/min in a time period of 30 minutes.
This might be too harse and can be adjusted later.