From 350836594cdabe9fa3485ed595686bf641f4c736 Mon Sep 17 00:00:00 2001 From: Mark van Driel Date: Wed, 17 Jun 2015 15:14:30 +0200 Subject: [PATCH 1/7] Added filter for WordPress logins on Apache --- README.md | 7 +++++++ files/empty | 0 .../filter.d/apache-wordpress-logins.conf | 18 ++++++++++++++++++ tasks/main.yml | 9 +++++++++ 4 files changed, 34 insertions(+) delete mode 100644 files/empty create mode 100644 files/etc/fail2ban/filter.d/apache-wordpress-logins.conf diff --git a/README.md b/README.md index c56ddfb..095ac5f 100644 --- a/README.md +++ b/README.md @@ -41,6 +41,13 @@ fail2ban_services: protocol: tcp (optional) action: action_ (optional) banaction: iptables-multiport (optional) + - name: apache-wordpress-logins + enabled: true + port: http,https + filter: apache-wordpress-logins + logpath: /var/log/apache2/access.log + maxretry: 5 + findtime: 120 ``` ## Dependencies diff --git a/files/empty b/files/empty deleted file mode 100644 index e69de29..0000000 diff --git a/files/etc/fail2ban/filter.d/apache-wordpress-logins.conf b/files/etc/fail2ban/filter.d/apache-wordpress-logins.conf new file mode 100644 index 0000000..56a3f53 --- /dev/null +++ b/files/etc/fail2ban/filter.d/apache-wordpress-logins.conf @@ -0,0 +1,18 @@ +# Fail2Ban configuration file +# +# Author: Mark van Driel +# +# $Revision: 728 $ +# + +[Definition] + +# Option: failregex +# Notes.: regex to match login attempts on WordPress for Apache +# Values: TEXT +failregex = .*] "POST /wp-login.php + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +ignoreregex = diff --git a/tasks/main.yml b/tasks/main.yml index 0048100..0b3b5d1 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
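Review bot: The `failregex` in apache-wordpress-logins.conf counts every POST to /wp-login.php, successful logins included, so legitimate users behind a shared address are banned as readily as a password-guessing client once `maxretry` is reached. As shown on this page, the pattern also has no `<HOST>` tag and no `^` anchor. fail2ban needs `<HOST>` to know which address to ban; it may only have been lost when the page was rendered, so confirm it in the committed file. Anchoring the expression and escaping the dot, e.g. `failregex = ^<HOST> .* "POST /wp-login\.php`, keeps text a client can place in the logged request from influencing which address is extracted. If only failed attempts should count, consider also matching the response status, since WordPress normally answers a failed login with 200 and a successful one with a redirect.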
@@ -26,6 +26,15 @@ notify: restart fail2ban tags: [configuration, fail2ban, fail2ban-configuration] +- name: copy filters + copy: + src: etc/fail2ban/filter.d/ + dest: /etc/fail2ban/filter.d/ + owner: root + group: root + mode: 0644 + tags: [configuration, fail2ban, fail2ban-filters] + - name: start and enable service service: name: fail2ban From 018ded957b86647b8ec02faa4df916ba7ab2f545 Mon Sep 17 00:00:00 2001 From: Mark van Driel Date: Wed, 17 Jun 2015 16:13:21 +0200 Subject: [PATCH 2/7] Make source paths of filters configurable --- README.md | 4 ++++ defaults/main.yml | 2 ++ tasks/main.yml | 3 ++- 3 files changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 095ac5f..25d1f42 100644 --- a/README.md +++ b/README.md @@ -28,6 +28,8 @@ None - `fail2ban_chain`: [default: `INPUT`]: Specifies the chain where jumps would need to be added in iptables-* actions - `fail2ban_action`: [default: `action_`]: Default action +- `fail2ban_filterd_paths`: [default: []]: Paths to directories containing filters to copy + For each of the services you wish to protect/put a jail or ban up for, you need to add it to the `fail2ban_services` list of hashes: ```yaml @@ -48,6 +50,8 @@ fail2ban_services: logpath: /var/log/apache2/access.log maxretry: 5 findtime: 120 +fail2ban_filterd_paths: + etc/fail2ban/filter.d/ ``` ## Dependencies diff --git a/defaults/main.yml b/defaults/main.yml index 2393812..881bae3 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -19,6 +19,8 @@ fail2ban_protocol: tcp fail2ban_chain: INPUT fail2ban_action: action_ +fail2ban_filterd_paths: [] + fail2ban_services: - name: ssh enabled: true diff --git a/tasks/main.yml b/tasks/main.yml index 0b3b5d1..0e4156c 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
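Review bot: `mode: 0644` in the new `copy filters` task is an unquoted number, which a YAML 1.1 parser reads as the octal integer 420. It yields the intended permissions only because of the leading zero, and Ansible's guidance is to quote modes: `mode: "0644"`. The same line recurs unchanged in the later tasks/main.yml hunks of this series. Because `src` is a directory, a comment such as `# trailing slash: copy the directory's contents, not the directory itself` would also help the next reader.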
@@ -28,11 +28,12 @@ - name: copy filters copy: - src: etc/fail2ban/filter.d/ + src: "{{ item }}" dest: /etc/fail2ban/filter.d/ owner: root group: root mode: 0644 + with_items: fail2ban_filterd_paths tags: [configuration, fail2ban, fail2ban-filters] - name: start and enable service From 79f1b4e46bfa1a8f55045a93706f477d11edd433 Mon Sep 17 00:00:00 2001 From: Mark van Driel Date: Thu, 18 Jun 2015 10:26:27 +0200 Subject: [PATCH 3/7] Updated documentation --- files/etc/fail2ban/filter.d/apache-wordpress-logins.conf | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/files/etc/fail2ban/filter.d/apache-wordpress-logins.conf b/files/etc/fail2ban/filter.d/apache-wordpress-logins.conf index 56a3f53..6740d4c 100644 --- a/files/etc/fail2ban/filter.d/apache-wordpress-logins.conf +++ b/files/etc/fail2ban/filter.d/apache-wordpress-logins.conf @@ -1,9 +1,7 @@ -# Fail2Ban configuration file +# Fail2Ban filter for WordPress logins for Apache # # Author: Mark van Driel # -# $Revision: 728 $ -# [Definition] From a9856eaaa8c85d5256b7335ce71806aaa04f3f40 Mon Sep 17 00:00:00 2001 From: Mark van Driel Date: Fri, 19 Jun 2015 11:14:47 +0200 Subject: [PATCH 4/7] Removed example filter and only allow single path for filters --- README.md | 24 +++++++++++-------- defaults/main.yml | 2 -- files/empty | 0 .../filter.d/apache-wordpress-logins.conf | 16 ------------- tasks/main.yml | 4 ++-- 5 files changed, 16 insertions(+), 30 deletions(-) create mode 100644 files/empty delete mode 100644 files/etc/fail2ban/filter.d/apache-wordpress-logins.conf diff --git a/README.md b/README.md index 25d1f42..559826e 100644 --- a/README.md +++ b/README.md 
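Review bot: `with_items: fail2ban_filterd_paths` passes a bare variable name, which later Ansible releases no longer resolve in loops; the templated form `with_items: "{{ fail2ban_filterd_paths }}"` works on old and new versions alike. The README example in this commit also gives the variable a plain string rather than a list, which does not match the `[]` default added in defaults/main.yml. Because every listed directory is copied into the same `dest`, a comment such as `# later paths overwrite files of the same name from earlier ones` would document the ordering.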
@@ -28,7 +28,7 @@ None - `fail2ban_chain`: [default: `INPUT`]: Specifies the chain where jumps would need to be added in iptables-* actions - `fail2ban_action`: [default: `action_`]: Default action -- `fail2ban_filterd_paths`: [default: []]: Paths to directories containing filters to copy +- `fail2ban_filterd_path`: [optional]: Path to directory containing filters to copy For each of the services you wish to protect/put a jail or ban up for, you need to add it to the `fail2ban_services` list of hashes: @@ -43,15 +43,6 @@ fail2ban_services: protocol: tcp (optional) action: action_ (optional) banaction: iptables-multiport (optional) - - name: apache-wordpress-logins - enabled: true - port: http,https - filter: apache-wordpress-logins - logpath: /var/log/apache2/access.log - maxretry: 5 - findtime: 120 -fail2ban_filterd_paths: - etc/fail2ban/filter.d/ ``` ## Dependencies @@ -67,6 +58,19 @@ None - fail2ban ``` +Example with filter path: + +```yaml +--- +- hosts: all + roles: + - fail2ban + vars: + - fail2ban_filterd_path: etc/fail2ban/filter.d/ +``` + + + #### License MIT diff --git a/defaults/main.yml b/defaults/main.yml index 881bae3..2393812 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -19,8 +19,6 @@ fail2ban_protocol: tcp fail2ban_chain: INPUT fail2ban_action: action_ -fail2ban_filterd_paths: [] - fail2ban_services: - name: ssh enabled: true diff --git a/files/empty b/files/empty new file mode 100644 index 0000000..e69de29 diff --git a/files/etc/fail2ban/filter.d/apache-wordpress-logins.conf b/files/etc/fail2ban/filter.d/apache-wordpress-logins.conf deleted file mode 100644 index 6740d4c..0000000 --- a/files/etc/fail2ban/filter.d/apache-wordpress-logins.conf +++ /dev/null 
@@ -1,16 +0,0 @@ -# Fail2Ban filter for WordPress logins for Apache -# -# Author: Mark van Driel -# - -[Definition] - -# Option: failregex -# Notes.: regex to match login attempts on WordPress for Apache -# Values: TEXT -failregex = .*] "POST /wp-login.php - -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT -ignoreregex = diff --git a/tasks/main.yml b/tasks/main.yml index 0e4156c..b8b4142 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -28,12 +28,12 @@ - name: copy filters copy: - src: "{{ item }}" + src: "{{ fail2ban_filterd_path }}" dest: /etc/fail2ban/filter.d/ owner: root group: root mode: 0644 - with_items: fail2ban_filterd_paths + when: fail2ban_filterd_path is defined tags: [configuration, fail2ban, fail2ban-filters] - name: start and enable service From 85e2a282d1b51647dab0dd82e0f0f305e8316019 Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Fri, 19 Jun 2015 12:02:02 +0200 Subject: [PATCH 5/7] Improved documentation --- README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 559826e..4df4ac7 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ None - `fail2ban_chain`: [default: `INPUT`]: Specifies the chain where jumps would need to be added in iptables-* actions - `fail2ban_action`: [default: `action_`]: Default action -- `fail2ban_filterd_path`: [optional]: Path to directory containing filters to copy +- `fail2ban_filterd_path`: [optional]: Path to directory containing filters to copy (**note the trailing slash**) For each of the services you wish to protect/put a jail or ban up for, you need to add it to the `fail2ban_services` list of hashes: 
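Review bot: The `copy filters` task now writes whatever directory `fail2ban_filterd_path` names into `/etc/fail2ban/filter.d/` as root. A file there that shares a name with a filter shipped by the fail2ban package (sshd.conf, for instance) replaces it without notice, and a weakened regex would quietly stop that jail from banning. A task comment such as `# files here overwrite packaged filters of the same name; prefer new names or .local overrides` would document this. `when: fail2ban_filterd_path is defined` also lets an empty value through; `when: fail2ban_filterd_path | default('', true) | length > 0` skips the task in that case.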
@@ -49,28 +49,28 @@ fail2ban_services: None -#### Example +#### Example(s) + +##### Simple configuration ```yaml --- - hosts: all roles: - - fail2ban + - fail2ban ``` -Example with filter path: +##### Add custom filters (from outside the role) ```yaml --- - hosts: all roles: - - fail2ban + - fail2ban vars: - - fail2ban_filterd_path: etc/fail2ban/filter.d/ + - fail2ban_filterd_path: ../../../files/fail2ban/etc/fail2ban/filter.d/ ``` - - #### License MIT From 0044e6c42b876864326e274d3d0244bb328a086a Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Fri, 19 Jun 2015 12:02:18 +0200 Subject: [PATCH 6/7] Added (missing) notify --- tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/main.yml b/tasks/main.yml index b8b4142..d523e9d 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -34,6 +34,7 @@ group: root mode: 0644 when: fail2ban_filterd_path is defined + notify: restart fail2ban tags: [configuration, fail2ban, fail2ban-filters] - name: start and enable service From 137d19172b6c296927fcb9b60242dd2ab710f017 Mon Sep 17 00:00:00 2001 From: Mischa ter Smitten Date: Fri, 19 Jun 2015 16:19:21 +0200 Subject: [PATCH 7/7] Improved documentation --- README.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4df4ac7..4011c43 100644 --- a/README.md +++ b/README.md @@ -68,7 +68,15 @@ None roles: - fail2ban vars: - - fail2ban_filterd_path: ../../../files/fail2ban/etc/fail2ban/filter.d/ + fail2ban_filterd_path: ../../../files/fail2ban/etc/fail2ban/filter.d/ + fail2ban_services: + - name: apache-wordpress-logins + enabled: true + port: http,https + filter: apache-wordpress-logins + logpath: /var/log/apache2/access.log + maxretry: 5 + findtime: 120 ``` #### License
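Review bot: With `notify: restart fail2ban` added to the `copy filters` task, any change in the copied filter directory restarts the service without the new files having been checked. A filter with a broken `failregex` may leave its jail unloaded after the restart, which removes the protection silently. The handler itself is outside this hunk, so whether it restarts or reloads cannot be seen here. Consider a validation task between the copy and the handler, for example running `fail2ban-regex` against a sample log line for each custom filter. At the least, add a comment such as `# any filter change restarts fail2ban; test filters with fail2ban-regex first`.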