From 84d2e1b5f4d0fc0b540050f22b51e90c6de7fe09 Mon Sep 17 00:00:00 2001
From: Mischa ter Smitten
Date: Wed, 11 Jan 2017 23:09:07 +0100
Subject: [PATCH] Improved defaults and documentation

---
 README.md | 23 +++++++++--------------
 defaults/main.yml | 8 +------
 templates/etc/fail2ban/jail.local.j2 | 2 +-
 3 files changed, 11 insertions(+), 22 deletions(-)

diff --git a/README.md b/README.md
index 9e69fe0..1e54880 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 ## fail2ban
-[![Build Status](https://travis-ci.org/Oefenweb/ansible-fail2ban.svg?branch=master)](https://travis-ci.org/Oefenweb/ansible-fail2ban) [![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-fail2ban-blue.svg)](https://galaxy.ansible.com/list#/roles/1435)
+[![Build Status](https://travis-ci.org/Oefenweb/ansible-fail2ban.svg?branch=master)](https://travis-ci.org/Oefenweb/ansible-fail2ban) [![Ansible Galaxy](http://img.shields.io/badge/ansible--galaxy-fail2ban-blue.svg)](https://galaxy.ansible.com/tersmitten/fail2ban)
 Set up fail2ban in Debian-like systems.
@@ -36,15 +36,8 @@ None
 - `fail2ban_services` [default see `defaults/main.yml`]: Service definitions
 - `fail2ban_services.{n}.name` [required]: Service name (e.g. `ssh`)
 - `fail2ban_services.{n}.enabled` [default: `true`]: Whether or not enabled
-- `fail2ban_services.{n}.port` [optional]: Sets the port
-- `fail2ban_services.{n}.filter` [optional]: Name of the filter to be used by the jail to detect matches. Each single match by a filter increments the counter within the jail
-- `fail2ban_services.{n}.logpath` [optional]: Path to the log file which is provided to the filter
-- `fail2ban_services.{n}.maxretry` [optional]: Maximum number of retries before the host is put into jail
-- `fail2ban_services.{n}.protocol` [optional]: Sets the protocol
-- `fail2ban_services.{n}.findtime` [optional]: The counter is set to zero if no match is found within `findtime` seconds
-- `fail2ban_services.{n}.bantime` [optional]: Duration (in seconds) for IP to be banned for. Negative number for `permanent` ban
-- `fail2ban_services.{n}.action` [optional]: Sets the action
-- `fail2ban_services.{n}.banaction` [optional]: Sets the banaction
+- `fail2ban_services.{n}.*` [optional]: Name of the option
+- `fail2ban_services.{n}.*.*` [optional]: Value of the option
 ## Dependencies
@@ -69,10 +62,12 @@ None
 roles:
 - fail2ban
 vars:
- - name: sshd
- port: 2222
- maxretry: 5
- bantime: -1
+ fail2ban_services: # In Ubuntu 16.04 this is sshd
+ - name: ssh
+ port: 2222
+ maxretry: 5
+ bantime: -1
 ```
 ##### Add custom filters (from outside the role)
diff --git a/defaults/main.yml b/defaults/main.yml
index 09aa9ab..d322ed4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -23,10 +23,4 @@ fail2ban_chain: INPUT
 fail2ban_action: '%(action_)s'
 fail2ban_services:
- - name: ssh
- enabled: true
- port: ssh
- filter: sshd
- logpath: /var/log/auth.log
- maxretry: 6
- findtime: 600
+ - name: "{{ 'sshd' if (ansible_distribution == 'Ubuntu' and ansible_distribution_version | version_compare('16.04', '>=')) else 'ssh' }}"
diff --git a/templates/etc/fail2ban/jail.local.j2 b/templates/etc/fail2ban/jail.local.j2
index 590abc2..c5e984f 100644
--- a/templates/etc/fail2ban/jail.local.j2
+++ b/templates/etc/fail2ban/jail.local.j2
@@ -107,7 +107,7 @@ action = {{ fail2ban_action }}
 enabled = {{ service.enabled | default(true) | bool | to_json }}
 {% for option, value in service.iteritems() %}
 {% if option not in ['name', 'enabled'] %}
-{{ option }}={{ value }}
+{{ option }} = {{ value }}
 {% endif %}
 {% endfor %}
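Review bot: The new single-entry default on the added `- name:` line drops the role's own `port`, `filter`, `logpath`, `maxretry` and `findtime` values, so the ssh jail's detection thresholds now come from whatever the distribution's packaged jail.conf defines for that jail, and neither this hunk nor the README hunk says so; a comment above the list, `# Options not set here fall back to the named jail's values in jail.conf`, would make the new default self-explaining. The Jinja expression also reads `ansible_distribution` and `ansible_distribution_version`, so a play that includes the role with fact gathering disabled will presumably fail on an undefined variable, which the same comment could note. The condition only selects `sshd` for Ubuntu 16.04 and later; if other Debian-like releases ship a fail2ban whose packaged jail is likewise named `sshd`, the `ssh` fallback would refer to a jail that does not exist there, so keying on the fail2ban version or listing the supported releases in the README would be safer.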