From 1ce237e53f062c77874f0f94ac5817772134b8c8 Mon Sep 17 00:00:00 2001
From: Dennis Micky Jensen
Date: Mon, 20 Jul 2015 19:26:06 +0200
Subject: [PATCH 1/3] Added more complete support for findtime, and corrected role name in vagrant test inventory
---
 README.md | 2 ++
 defaults/main.yml | 2 ++
 templates/etc/fail2ban/jail.local.j2 | 4 ++++
 tests/vagrant.yml | 2 +-
 4 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 4011c43..d278e6f 100644
--- a/README.md
+++ b/README.md
@@ -20,6 +20,7 @@ None
 - `fail2ban_ignoreips`: [default: `[127.0.0.1/8]`]: Which IP address/CIDR mask/DNS host should be ignored from fail2ban's actions
 - `fail2ban_bantime`: [default: `600`]: Sets the bantime
 - `fail2ban_maxretry`: [default: `3`]: Maximum number of retries before the host is put into jail
+- `fail2ban_findtime`: [default: `600`]: A host is banned if it has generated `fail2ban_maxretry` during the last `fail2ban_findtime` (can be overriden on a per role basis)
 - `fail2ban_backend`: [default: `auto`]: Specifies the backend used to get files modification
 - `fail2ban_email`: [default: `root@localhost`]: Email address which can be used in the interpolation of the `fail2ban_services`
 - `fail2ban_banaction`: [default: `iptables-multiport`]: Sets the global/default banaction (can be overriden on a per role basis)
@@ -43,6 +44,7 @@ fail2ban_services:
 protocol: tcp (optional)
 action: action_ (optional)
 banaction: iptables-multiport (optional)
+ findtime: 600 (optional)
 ```
 ## Dependencies
diff --git a/defaults/main.yml b/defaults/main.yml
index 2393812..9ff9f51 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -11,6 +11,7 @@ fail2ban_ignoreips:
 - 127.0.0.1/8
 fail2ban_bantime: 600
 fail2ban_maxretry: 3
+fail2ban_findtime: 600
 fail2ban_backend: auto
 fail2ban_destemail: root@localhost
 fail2ban_banaction: iptables-multiport
@@ -26,3 +27,4 @@ fail2ban_services:
 filter: sshd
 logpath: /var/log/auth.log
 maxretry: 6
+ findtime: 600
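Review bot: The `findtime: 600` added to the sshd entry of `fail2ban_services` equals the new global `fail2ban_findtime: 600` introduced a few lines earlier in the same file, so the per-service line is a no-op today and will silently pin the sshd jail to 600 once someone raises the global default. Drop it and let the jail inherit from [DEFAULT] unless the entry is meant as an example of the key; if it stays, a comment such as `# overrides fail2ban_findtime for this jail only` says why it is there. The `fail2ban_services` mapping starts outside the hunk.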
diff --git a/templates/etc/fail2ban/jail.local.j2 b/templates/etc/fail2ban/jail.local.j2
index ec14ab6..f4b8556 100644
--- a/templates/etc/fail2ban/jail.local.j2
+++ b/templates/etc/fail2ban/jail.local.j2
@@ -23,6 +23,7 @@ ignoreip = {{ fail2ban_ignoreips | join(' ') }}
 bantime = {{ fail2ban_bantime }}
 maxretry = {{ fail2ban_maxretry }}
+findtime = {{ fail2ban_findtime }}
 # "backend" specifies the backend used to get files modification. Available
 # options are "gamin", "polling" and "auto".
@@ -103,6 +104,9 @@ maxretry = {{ service.maxretry }}
 {% if service.protocol is defined %}
 protocol = {{ service.protocol }}
 {% endif %}
+{% if service.findtime is defined %}
+findtime = {{ service.findtime }}
+{% endif %}
 {% if service.action is defined %}
 action = %({{ service.action }})s
 {% endif %}
diff --git a/tests/vagrant.yml b/tests/vagrant.yml
index 2d9c4da..1ed0f07 100644
--- a/tests/vagrant.yml
+++ b/tests/vagrant.yml
@@ -4,4 +4,4 @@ remote_user: vagrant
 sudo: true
 roles:
- - fail2ban
+ - ansible-fail2ban
From 3c25c527277440cce6cdfd0334abe0709d0414cd Mon Sep 17 00:00:00 2001
From: Dennis Micky Jensen
Date: Mon, 20 Jul 2015 19:36:25 +0200
Subject: [PATCH 2/3] Doc elaboration
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index d278e6f..ffed067 100644
--- a/README.md
+++ b/README.md
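Review bot: The new per-service guard `{% if service.findtime is defined %}` accepts a key that is present but empty (`findtime:` with no value in a `fail2ban_services` entry, which YAML loads as null), and the following line then renders `findtime = None` (or an empty value, depending on the Ansible version), which is not a time value fail2ban will accept when it reads jail.local. Tightening the guard to `{% if service.findtime is defined and service.findtime is not none %}` lets a blank key fall through to the [DEFAULT] value that the first hunk of this file now emits unconditionally. The neighbouring `protocol` and `action` guards use the same loose pattern, so the new block is at least consistent with them; the jail loop this block sits in starts and ends outside the hunk.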
@@ -20,7 +20,7 @@ None
 - `fail2ban_ignoreips`: [default: `[127.0.0.1/8]`]: Which IP address/CIDR mask/DNS host should be ignored from fail2ban's actions
 - `fail2ban_bantime`: [default: `600`]: Sets the bantime
 - `fail2ban_maxretry`: [default: `3`]: Maximum number of retries before the host is put into jail
-- `fail2ban_findtime`: [default: `600`]: A host is banned if it has generated `fail2ban_maxretry` during the last `fail2ban_findtime` (can be overriden on a per role basis)
+- `fail2ban_findtime`: [default: `600`]: A host is banned if it has generated `fail2ban_maxretry` during the last `fail2ban_findtime` (this can be overriden for each service)
 - `fail2ban_backend`: [default: `auto`]: Specifies the backend used to get files modification
 - `fail2ban_email`: [default: `root@localhost`]: Email address which can be used in the interpolation of the `fail2ban_services`
 - `fail2ban_banaction`: [default: `iptables-multiport`]: Sets the global/default banaction (can be overriden on a per role basis)
From 1a961798920e598ba43b02eae9b6df8f569dc246 Mon Sep 17 00:00:00 2001
From: Mischa ter Smitten
Date: Tue, 21 Jul 2015 10:20:41 +0200
Subject: [PATCH 3/3] Consistency changes
---
 .travis.yml | 1 +
 README.md | 2 +-
 Vagrantfile | 24 ++++++++++++++++++++++++
 defaults/main.yml | 2 +-
 handlers/main.yml | 2 +-
 meta/main.yml | 18 +++++++++++++-----
 tasks/main.yml | 2 +-
 tests/test.yml | 2 +-
 tests/vagrant.yml | 4 ++--
 vars/main.yml | 2 +-
 10 files changed, 46 insertions(+), 13 deletions(-)
diff --git a/.travis.yml b/.travis.yml
index 6a7f330..8553e94 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -4,6 +4,7 @@ python: "2.7"
 env:
 - ANSIBLE_VERSION=latest
+ - ANSIBLE_VERSION=1.9.2
 - ANSIBLE_VERSION=1.9.1
 - ANSIBLE_VERSION=1.9.0.1
 - ANSIBLE_VERSION=1.8.4
diff --git a/README.md b/README.md
index ffed067..22f5a74 100644
--- a/README.md
+++ b/README.md
@@ -87,7 +87,7 @@ MIT
 #### Author Information
-Mischa ter Smitten (based on work of Ansibles)
+Mischa ter Smitten (based on work of [ANXS](https://github.com/ANXS))
 #### Feedback, bug-reports, requests, ...
diff --git a/Vagrantfile b/Vagrantfile
index ac62ad4..674e590 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -30,6 +30,30 @@ boxes = [
 :cpu => "50",
 :ram => "256"
 },
+ {
+ :name => "debian-6010",
+ :box => "opscode-debian-6.0.10",
+ :url => "http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-6.0.10_chef-provisionerless.box",
+ :ip => '10.0.0.13',
+ :cpu => "50",
+ :ram => "256"
+ },
+ {
+ :name => "debian-78",
+ :box => "opscode-debian-7.8",
+ :url => "http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-7.8_chef-provisionerless.box",
+ :ip => '10.0.0.14',
+ :cpu => "50",
+ :ram => "256"
+ },
+ {
+ :name => "debian-81",
+ :box => "opscode-debian-8.1",
+ :url => "http://opscode-vm-bento.s3.amazonaws.com/vagrant/virtualbox/opscode_debian-8.1_chef-provisionerless.box",
+ :ip => '10.0.0.15',
+ :cpu => "50",
+ :ram => "256"
+ },
 ]
 Vagrant.configure("2") do |config|
diff --git a/defaults/main.yml b/defaults/main.yml
index 9ff9f51..6086c52 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,5 +1,5 @@
----
 # defaults file for fail2ban
+---
 fail2ban_loglevel: 3
 fail2ban_logtarget: /var/log/fail2ban.log
 fail2ban_syslog_target: /var/log/fail2ban.log
diff --git a/handlers/main.yml b/handlers/main.yml
index 0541764..6a24115 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,5 +1,5 @@
----
 # handlers file for fail2ban
+---
 - name: restart fail2ban
 service:
 name: fail2ban
diff --git a/meta/main.yml b/meta/main.yml
index b2a5eeb..53ff1c2 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -1,5 +1,5 @@
----
 # meta file for fail2ban
+---
 galaxy_info:
 author: Mischa ter Smitten
 company: Oefenweb.nl B.V.
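Review bot: The three new box entries fetch their images over plain `http://` and carry no checksum, so the Vagrant test VMs will run whatever image the download returns; the existing entries above appear to do the same (the `boxes` array starts outside the hunk), but new entries are the place to stop the pattern. Switch the `:url` values to `https://` if the S3 host serves it, and, if the block that consumes these hashes (outside the hunk) can be extended, add a per-box checksum wired to `config.vm.box_download_checksum` and `config.vm.box_download_checksum_type`. As a point of style, `:ip => '10.0.0.13'` and its two siblings use single quotes while every other value in these hashes is double-quoted; match the rest of the file.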
@@ -7,9 +7,17 @@ galaxy_info:
 license: MIT
 min_ansible_version: 1.4
 platforms:
- - name: Ubuntu
- versions:
- - all
+ - name: Ubuntu
+ versions:
+ - lucid
+ - precise
+ - trusty
+ - name: Debian
+ versions:
+ - squeeze
+ - wheezy
+ - jessie
 categories:
- - system
+ - system
+ - networking
 dependencies: []
diff --git a/tasks/main.yml b/tasks/main.yml
index d83a4c5..539da15 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,5 +1,5 @@
----
 # tasks file for fail2ban
+---
 - name: install
 apt:
 name: fail2ban
diff --git a/tests/test.yml b/tests/test.yml
index 13e7158..b9558e1 100644
--- a/tests/test.yml
+++ b/tests/test.yml
@@ -1,5 +1,5 @@
----
 # test file for fail2ban
+---
 - hosts: localhost
 remote_user: root
 roles:
diff --git a/tests/vagrant.yml b/tests/vagrant.yml
index 1ed0f07..dc6dc86 100644
--- a/tests/vagrant.yml
+++ b/tests/vagrant.yml
@@ -1,7 +1,7 @@
----
 # test file for fail2ban
+---
 - hosts: all
 remote_user: vagrant
 sudo: true
 roles:
- - ansible-fail2ban
+ - fail2ban
diff --git a/vars/main.yml b/vars/main.yml
index decceaa..c640ebe 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,2 +1,2 @@
----
 # vars file for fail2ban
+---
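Review bot: The tests/vagrant.yml hunk switches the role reference back to `fail2ban`, undoing the `ansible-fail2ban` that patch 1/3 of this series introduced as a correction, so the series contradicts itself and the first commit message no longer describes the net change. Which name is right is dictated by the directory the role is checked out into as seen by the Vagrant provisioner (configured outside this file), so a one-line comment above the entry such as `# must match the role directory name visible to the Vagrant provisioner` would prevent the next flip-flop. Squashing the two role-name changes out of the series before merging would be cleaner still.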