diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..5112ae2 --- /dev/null +++ b/.gitignore @@ -0,0 +1,9 @@ +.DS_Store +.AppleDouble +.LSOverride +Icon +._* +.Spotlight-V100 +.Trashes +.vagrant +test diff --git a/.travis.yml b/.travis.yml new file mode 100644 index 0000000..9b90639 --- /dev/null +++ b/.travis.yml @@ -0,0 +1,12 @@ +--- +language: python +python: "2.7" +before_install: + - sudo apt-get update -qq + - sudo apt-get install -qq python-apt python-pycurl +install: + - pip install ansible==1.5.0 +script: + - echo localhost > inventory + - ansible-playbook --syntax-check -i inventory test.yml + - ansible-playbook -i inventory test.yml --connection=local --sudo diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..09506df --- /dev/null +++ b/LICENSE @@ -0,0 +1,21 @@ +The MIT License + +Copyright (c) 2014 Pieterjan Vandaele + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/README.md b/README.md new file mode 100644 index 0000000..305bbf6 --- /dev/null +++ b/README.md @@ -0,0 +1,54 @@ +## Ansibles - fail2ban [![Build Status](https://travis-ci.org/Ansibles/fail2ban.png)](https://travis-ci.org/Ansibles/fail2ban) + +Ansible role which installs and configures fail2ban, a utility that watches logs for failed login attempts and blocks repeat offenders with firewall rules. + + +#### Requirements & Dependencies +- Tested on Ansible 1.4 or higher. + + +#### Variables + +- `fail2ban_loglevel` - sets the loglevel output (1 = ERROR, 2 = WARN, 3 = INFO, 4 = DEBUG; default is 3) +- `fail2ban_logtarget1` - set the log target. This could be a file, SYSLOG, STDERR or STDOUT +- `fail2ban_syslog_target` +- `fail2ban_syslog_facility` +- `fail2ban_socket` - sets the socket file, which is used to communicate with the daemon + +- `fail2ban_ignoreip` - which IP address/CIDR mask/DNS host should be ignored from fail2ban's actions +- `fail2ban_bantime` - sets the bantime +- `fail2ban_maxretry` - maximum number of retries before the host is put into jail +- `fail2ban_backend` - specifies the backend used to get files modification +- `fail2ban_email` - email address which can be used in the interpolation of the `fail2ban_services` +- `fail2ban_banaction` - sets the global/default banaction (can be overriden on a per role basis) +- `fail2ban_mta` - email action +- `fail2ban_protocol` - sets the default protocol +- `fail2ban_chain` - specifies the chain where jumps would need to be added in iptables-* actions +- `fail2ban_action` - default action + +For each of the services you wish to protect/put a jail or ban up for, you need to add it to the `fail2ban_services` list of hashes: + +```yaml +fail2ban_services: + - name: ssh + enabled: true + port: ssh + filter: sshd + logpath: /var/log/auth.log + maxretry: 6 + protocol: tcp (optional) + action: action_ (optional) + banaction: "iptables-multiport" (optional) +``` + +There's a list of [service examples](services_examples.md) to help you. + + +#### License + +Licensed under the MIT License. See the LICENSE file for details. + + +#### Feedback, bug-reports, requests, ... + +Are [welcome](https://github.com/ansibles/fail2ban/issues)! diff --git a/defaults/main.yml b/defaults/main.yml new file mode 100644 index 0000000..5ca72d8 --- /dev/null +++ b/defaults/main.yml @@ -0,0 +1,28 @@ +# file: fail2ban/defaults/main.yml + +fail2ban_loglevel: 3 +fail2ban_logtarget: "/var/log/fail2ban.log" +fail2ban_syslog_target: "/var/log/fail2ban.log" +fail2ban_syslog_facility: 1 +fail2ban_socket: /var/run/fail2ban/fail2ban.sock + +fail2ban_ignoreip: "127.0.0.1/8" +fail2ban_bantime: 600 +fail2ban_maxretry: 3 +fail2ban_backend: "auto" +fail2ban_destemail: "root@localhost" +fail2ban_banaction: "iptables-multiport" +fail2ban_mta: "sendmail" +fail2ban_protocol: "tcp" +fail2ban_chain: "INPUT" +fail2ban_action: "action_" + +fail2ban_auth_log: "/var/log/auth.log" + +fail2ban_services: + - name: ssh + enabled: true + port: ssh + filter: sshd + logpath: /var/log/auth.log + maxretry: 6 diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..09f30cf --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,6 @@ +# file: fail2ban/handlers/main.yml + +- name: restart fail2ban + service: + name: fail2ban + state: restarted diff --git a/meta/main.yml b/meta/main.yml new file mode 100644 index 0000000..a96bc40 --- /dev/null +++ b/meta/main.yml @@ -0,0 +1,16 @@ +# file: fail2ban/meta/main.yml + +galaxy_info: + author: pjan vandaele + company: Ansibles + description: + min_ansible_version: 1.4 + license: MIT + platforms: + - name: Ubuntu + versions: + - all + categories: + - system + +dependencies: [] diff --git a/services_examples.md b/services_examples.md new file mode 100644 index 0000000..5065af3 --- /dev/null +++ b/services_examples.md @@ -0,0 +1,167 @@ +### Ansibles - fail2ban: List of service examples + +###### ssh/dropbear/... +```yaml + - name: ssh + enabled: true + port: ssh + filter: sshd + logpath: /var/log/auth.log +``` + +###### Generic filter for pam +```yaml +fail2ban_services: + - name: pam-generic + enabled: true + port: all + filter: pam-generic + logpath: /var/log/auth.log + maxretry: 6 + banaction: iptables-allports +``` + +###### xinetd-fail +```yaml +fail2ban_services: + - name: xinetd-fail + enabled: true + port: all + filter: xinetd-fail + logpath: /var/log/daemon.log + maxretry: 2 + banaction: iptables-multiport-log +``` + +###### ssh-ddos +```yaml +fail2ban_services: + - name: ssh-ddos + enabled: true + port: ssh + filter: ssh-ddos + logpath: /var/log/auth.log + maxretry: 6 +``` + +###### apache +```yaml +fail2ban_services: + - name: apache + enabled: true + port: http,https + filter: apache-auth + logpath: /var/log/apache*/*error.log + maxretry: 6 +``` + +###### apache-multiport +```yaml +fail2ban_services: + - name: apache-multiport + enabled: true + port: http,https + filter: apache-auth + logpath: /var/log/apache*/*error.log + maxretry: 6 + banaction: +``` + +###### apache-noscript +```yaml +fail2ban_services: + - name: apache-noscript + enabled: true + port: http,https + filter: apache-noscript + logpath: /var/log/apache*/*error.log + maxretry: 6 +``` + +###### apache-overflows +```yaml +fail2ban_services: + - name: apache-overflows + enabled: true + port: http,https + filter: apache-overflows + logpath: /var/log/apache*/*error.log + maxretry: 2 +``` + +###### vsftpd +```yaml +fail2ban_services: + - name: vsftpd + enabled: true + port: ftp,ftp-data,ftps,ftps-data + filter: vsftpd + logpath: /var/log/vsftpd.log + maxretry: 6 +``` + +###### proftpd +```yaml +fail2ban_services: + - name: proftpd + enabled: true + port: ftp,ftp-data,ftps,ftps-data + filter: proftpd + logpath: /var/log/proftpd/proftpd.log + maxretry: 6 +``` + +###### postfix +```yaml +fail2ban_services: + - name: postfix + enabled: true + port: smtp, ssmtp + filter: postfix + logpath: /var/log/mail.log + maxretry: 6 +``` + +###### couriersmtp +```yaml +fail2ban_services: + - name: couriersmtp + enabled: true + port: smtp,ssmtp + filter: couriersmtp + logpath: /var/log/mail.log + maxretry: 6 +``` + +###### courierauth +```yaml +fail2ban_services: + - name: courierauth + enabled: true + port: smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s + filter: courierlogin + logpath: /var/log/mail.log + maxretry: 6 +``` + +###### sasl +```yaml +fail2ban_services: + - name: sasl + enabled: true + port: smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s + filter: sasl + logpath: /var/log/mail.log + maxretry: 6 +``` + +###### dovecot +```yaml +fail2ban_services: + - name: dovecot + enabled: true + port: smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s + filter: dovecot + logpath: /var/log/mail.log + maxretry: 6 +``` diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..48a7db1 --- /dev/null +++ b/tasks/main.yml @@ -0,0 +1,31 @@ +# file: fail2ban/tasks/main.yml + +- name: fail2ban | Make sure fail2ban is installed + apt: + pkg: fail2ban + state: latest + +- name: fail2ban | Make sure the fail2ban configuration is up to date + template: + src: etc_fail2ban_fail2ban.conf.j2 + dest: /etc/fail2ban/fail2ban.conf + owner: root + group: root + mode: 0644 + notify: + - restart fail2ban + +- name: fail2ban | Make sure the fail2ban jail configuration is up to date + template: + src: etc_fail2ban_jail.conf.j2 + dest: /etc/fail2ban/jail.conf + owner: root + group: root + mode: 0644 + notify: + - restart fail2ban + +- name: fail2ban | Make sure fail2ban is enabled + service: + name: fail2ban + enabled: yes diff --git a/templates/etc_fail2ban_fail2ban.conf.j2 b/templates/etc_fail2ban_fail2ban.conf.j2 new file mode 100644 index 0000000..09ce66e --- /dev/null +++ b/templates/etc_fail2ban_fail2ban.conf.j2 @@ -0,0 +1,38 @@ +# Fail2Ban configuration file +# +# Author: Cyril Jaquier +# +# $Revision$ +# + +[Definition] + +# Option: loglevel +# Notes.: Set the log level output. +# 1 = ERROR +# 2 = WARN +# 3 = INFO +# 4 = DEBUG +# Values: NUM Default: 3 +# +loglevel = {{fail2ban_loglevel}} + +# Option: logtarget +# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT. +# Only one log target can be specified. +# Values: STDOUT STDERR SYSLOG file Default: /var/log/fail2ban.log +# +logtarget = {{fail2ban_logtarget}} +{% if fail2ban_logtarget == "SYSLOG" %} +syslog-target = {{fail2ban_syslog_target}} +syslog-facility = {{fail2ban_syslog_facility}} +{% endif %} + +# Option: socket +# Notes.: Set the socket file. This is used to communicate with the daemon. Do +# not remove this file when Fail2ban runs. It will not be possible to +# communicate with the server afterwards. +# Values: FILE Default: /var/run/fail2ban/fail2ban.sock +# +socket = {{fail2ban_socket}} + diff --git a/templates/etc_fail2ban_jail.conf.j2 b/templates/etc_fail2ban_jail.conf.j2 new file mode 100644 index 0000000..6352ba5 --- /dev/null +++ b/templates/etc_fail2ban_jail.conf.j2 @@ -0,0 +1,112 @@ +# Fail2Ban configuration file. +# +# This file was composed for Debian systems from the original one +# provided now under /usr/share/doc/fail2ban/examples/jail.conf +# for additional examples. +# +# To avoid merges during upgrades DO NOT MODIFY THIS FILE +# and rather provide your changes in /etc/fail2ban/jail.local +# +# Author: Yaroslav O. Halchenko +# +# $Revision$ +# + +# The DEFAULT allows a global definition of the options. They can be overridden +# in each jail afterwards. + +[DEFAULT] + +# "ignoreip" can be an IP address, a CIDR mask or a DNS host +ignoreip = {{fail2ban_ignoreip}} +bantime = {{fail2ban_bantime}} +maxretry = {{fail2ban_maxretry}} + +# "backend" specifies the backend used to get files modification. Available +# options are "gamin", "polling" and "auto". +# yoh: For some reason Debian shipped python-gamin didn't work as expected +# This issue left ToDo, so polling is default backend for now +backend = {{fail2ban_backend}} + +# +# Destination email address used solely for the interpolations in +# jail.{conf,local} configuration files. +destemail = {{fail2ban_destemail}} + +# +# ACTIONS +# + +# Default banning action (e.g. iptables, iptables-new, +# iptables-multiport, shorewall, etc) It is used to define +# action_* variables. Can be overridden globally or per +# section within jail.local file +banaction = {{fail2ban_banaction}} + +# email action. Since 0.8.1 upstream fail2ban uses sendmail +# MTA for the mailing. Change mta configuration parameter to mail +# if you want to revert to conventional 'mail'. +mta = {{fail2ban_mta}} + +# Default protocol +protocol = {{fail2ban_protocol}} + +# Specify chain where jumps would need to be added in iptables-* actions +chain = {{fail2ban_chain}} + +# +# Action shortcuts. To be used to define action parameter + +# The simplest action to take: ban only +action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + +# ban & send an e-mail with whois report to the destemail. +action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] + +# ban & send an e-mail with whois report and relevant log lines +# to the destemail. +action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] + +# Choose default action. To change, just override value of 'action' with the +# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local +# globally (section [DEFAULT]) or per specific section +action = %({{fail2ban_action}})s + +# +# JAILS +# + +# Next jails corresponds to the standard configuration in Fail2ban 0.6 which +# was shipped in Debian. Enable any defined here jail by including +# +# [SECTION_NAME] +# enabled = true + +# +# in /etc/fail2ban/jail.local. +# +# Optionally you may override any other parameter (e.g. banaction, +# action, port, logpath, etc) in that section within jail.local + + +{% for service in fail2ban_services %} +[{{service.name}}] + +enabled = {{service.enabled}} +port = {{service.port}} +filter = {{service.filter}} +logpath = {{service.logpath}} +maxretry = {{service.maxretry}} +{% if service.protocol is defined %} +protocol = {{service.protocol}} +{% endif %} +{% if service.action is defined %} +action = %({{service.action}})s +{% endif %} +<% if param['banaction'] %> +banaction = {{service.banaction}} +{% endif %} + +{% endfor %} diff --git a/test.yml b/test.yml new file mode 100644 index 0000000..f364983 --- /dev/null +++ b/test.yml @@ -0,0 +1,5 @@ +- hosts: all + vars_files: + - 'defaults/main.yml' + tasks: + - include: 'tasks/main.yml'