
add ansible playbook

master
Vladimir Smagin 1 month ago
parent
commit
b639cff142
9 changed files with 153 additions and 1 deletions
  1. +1
    -1
      README.md
  2. +11
    -0
      ansible/ansible.cfg
  3. +5
    -0
      ansible/group_vars/fail2ban.yml
  4. +5
    -0
      ansible/install.yml
  5. +3
    -0
      ansible/inventory.ini
  6. +57
    -0
      ansible/roles/fail2ban/tasks/main.yml
  7. +10
    -0
      ansible/roles/fail2ban/templates/ip-blocker-set.sh
  8. +53
    -0
      ansible/roles/fail2ban/templates/iptables-multiport.conf
  9. +8
    -0
      ansible/roles/fail2ban/templates/jail.local

+ 1
- 1
README.md View File

@@ -1,7 +1,7 @@
# ip-blocker

My own IP storage for fail2ban. Written to blacklist fucking botnets bruteforcing my servers.
It centalize information about blocks across all my servers in one single watch tower.
It centralize information about blocks across all my servers in one single watch tower.

# Installation



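--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -0,0 +1,11 @@
+[defaults]
+nocows = 1
+log_path=/tmp/fail2ban-deploy.log
+host_key_checking = False
+deprecation_warnings = False
+retry_files_save_path = /tmp/
+
+[ssh_connection]
+ssh_args = -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ForwardAgent=yes
+pipelining = True
+control_path = /tmp/ansible-ssh-%%h-%%p-%%r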
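Review bot: `host_key_checking = False` together with `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null` in `ssh_args` switches off SSH host authentication for every run, so anyone on the path to a managed host can impersonate it, receive the root session and use the agent that `ForwardAgent=yes` forwards into it. Given that this role exists to harden hosts against SSH abuse, host keys should stay pinned: `host_key_checking = True`, drop the two `-o` overrides and populate known_hosts once, and drop `ForwardAgent=yes` since no task in this commit needs the operator's agent on the target. The log, retry and control-socket paths under world-writable `/tmp` (`log_path`, `retry_files_save_path`, `control_path`) are a smaller point; a per-user location such as `~/.ansible/` avoids another local user pre-creating or reading them.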

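--- a/ansible/group_vars/fail2ban.yml
+++ b/ansible/group_vars/fail2ban.yml
@@ -0,0 +1,5 @@
+watchtower: http://my-watchtower.ru:34534
+get_ip_script_directory: /opt
+bantime: 86400
+findtime: 600
+maxretry: 3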
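Review bot: `watchtower: http://my-watchtower.ru:34534` reaches the central ban store over plaintext HTTP, and that one URL is both where the action reports bans (`/set/...`) and where the cron script pulls the list it feeds to `fail2ban-client ... banip`. Whoever can answer that request on the path can inject arbitrary addresses into every server's ban list or suppress real ones, so the endpoint needs at least TLS with a verified certificate (`watchtower: https://...`) and, ideally, a token the fetch and report calls present. The integers (`bantime`, `findtime`, `maxretry`) are rendered into an INI file, where unquoted values are fine.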

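--- a/ansible/install.yml
+++ b/ansible/install.yml
@@ -0,0 +1,5 @@
+
+- name: Configure target OS
+hosts: fail2ban
+roles:
+- fail2ban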
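Review bot: the play sets no `become: true`, so the role only works when `ansible_user` is already root, which is what inventory.ini relies on; adding `become: true` lets the same role run through an unprivileged login with sudo, the safer default for hosts whose whole purpose here is resisting SSH brute force. The file also lacks the `---` document marker Ansible style expects. The rendered view has lost indentation, so I cannot confirm that `hosts:` and `roles:` are nested under the play item — `ansible-playbook --syntax-check` would settle it.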

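--- a/ansible/inventory.ini
+++ b/ansible/inventory.ini
@@ -0,0 +1,3 @@
+[fail2ban]
+
+boroda ansible_host=192.168.1.9 ansible_user=root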
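Review bot: `ansible_user=root` requires root login over SSH to stay enabled on every managed host, which is the account botnets try first and widens the very surface this fail2ban role is meant to shrink. A dedicated unprivileged user with sudo (`boroda ansible_host=192.168.1.9 ansible_user=deploy`, with `become: true` in the play) keeps `PermitRootLogin no` possible while the role still gets the privileges it needs. The hard-coded private address is presumably the author's own host; an `inventory.ini.example` with a placeholder would stop the repo from shipping one person's LAN layout as the default.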

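--- a/ansible/roles/fail2ban/tasks/main.yml
+++ b/ansible/roles/fail2ban/tasks/main.yml
@@ -0,0 +1,57 @@
+# Ubuntu and Debian installation
+
+- name: Install fail2ban on Debian-like
+apt:
+name: "{{ item }}"
+state: latest
+with_items:
+- fail2ban
+- curl
+when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+
+# Redhat and Centos installation
+
+- name: Install fail2ban on Redhat-like
+yum:
+name: "{{ item }}"
+state: latest
+with_items:
+- fail2ban
+- curl
+when: ansible_distribution == 'CentOS' or ansible_distribution == 'Red Hat Enterprise Linux'
+
+# Configuration
+
+- name: Install new multiport config
+template:
+src: iptables-multiport.conf
+dest: /etc/fail2ban/action.d/iptables-multiport.conf
+
+- name: Install jail.local
+template:
+src: "jail.local"
+dest: "/etc/fail2ban/jail.local"
+
+- name: Install API IP list request script
+template:
+src: "ip-blocker-set.sh"
+dest: "{{ get_ip_script_directory }}/ip-blocker-set.sh"
+
+- name: Set script permissions
+file:
+dest: "{{ get_ip_script_directory }}/ip-blocker-set.sh"
+mode: 0755
+
+# RUN FOREST! RUN!
+
+- name: Restart fail2ban
+service:
+name: fail2ban
+state: restarted
+enabled: true
+
+- name: Set cron tasks
+cron:
+name: "fail2ban get IP list"
+job: "{{ get_ip_script_directory }}/ip-blocker-set.sh"
+state: "present"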
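Review bot: the RHEL branch never fires, because Ansible reports `ansible_distribution` as `RedHat`, not `'Red Hat Enterprise Linux'`, so on RHEL neither package is installed and the later `Restart fail2ban` task fails; `when: ansible_os_family == 'RedHat'` covers CentOS and RHEL in one condition (on those hosts fail2ban normally comes from EPEL, which nothing here enables — worth confirming). `state: latest` upgrades both packages on every run, an unexpected side effect for a configuration role; `state: present` is the usual choice. The unconditional restart also runs on every play instead of being a handler `notify`-ed by the three template tasks, so each run briefly tears down the f2b chains. Quote the octal as `mode: "0755"` — Ansible's own docs recommend it because leading-zero integers are parsed inconsistently — and `with_items` is deprecated in favour of `loop:`; the cron entry has no schedule fields, so it runs every minute as root, which deserves an explicit `minute: "*/5"` or a comment saying every minute is intended.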

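--- a/ansible/roles/fail2ban/templates/ip-blocker-set.sh
+++ b/ansible/roles/fail2ban/templates/ip-blocker-set.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+source /etc/profile
+IFS=$'\n'
+
+# block ssh
+IPs=$(curl -s {{ watchtower }}/list/sshd/1)
+for ip in $IPs
+do
+fail2ban-client set sshd banip $ip
+done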
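Review bot: every line of the HTTP response is handed to `fail2ban-client set sshd banip` without checking that it is an address, and `curl -s` with neither `-f` nor a timeout means an error page, a captive portal or a slow or compromised watchtower (reached over plain http per group_vars) becomes arbitrary ban entries or a pile-up of stuck cron runs launched every minute. A spoofed or compromised tower can therefore lock the operator out of every server simply by listing their address. `source /etc/profile` is unnecessary for a script that only calls curl and fail2ban-client, and it executes whatever lands in /etc/profile.d as root from cron. The rewrite below fails closed on a bad fetch, bounds the request and only passes dotted-quad IPv4 addresses through (extend the pattern if the tower can serve IPv6).
```shell
# … unchanged: shebang and IFS=$'\n' (drop the `source /etc/profile` line) …
IPs=$(curl -sSf --max-time 30 {{ watchtower }}/list/sshd/1) || exit 1
for ip in $IPs
do
    # accept only dotted-quad IPv4; anything else the tower returns is dropped
    [[ $ip =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || continue
    fail2ban-client set sshd banip "$ip"
done
```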

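--- a/ansible/roles/fail2ban/templates/iptables-multiport.conf
+++ b/ansible/roles/fail2ban/templates/iptables-multiport.conf
@@ -0,0 +1,53 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+# Modified by Yaroslav Halchenko for multiport banning
+#
+
+[INCLUDES]
+
+before = iptables-common.conf
+
+[Definition]
+
+# Option: actionstart
+# Notes.: command executed once at the start of Fail2Ban.
+# Values: CMD
+#
+actionstart = <iptables> -N f2b-<name>
+<iptables> -A f2b-<name> -j <returntype>
+<iptables> -I <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
+
+# Option: actionstop
+# Notes.: command executed once at the end of Fail2Ban
+# Values: CMD
+#
+actionstop = <iptables> -D <chain> -p <protocol> -m multiport --dports <port> -j f2b-<name>
+<actionflush>
+<iptables> -X f2b-<name>
+
+# Option: actioncheck
+# Notes.: command executed once before each actionban command
+# Values: CMD
+#
+actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'
+
+# Option: actionban
+# Notes.: command executed when banning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
+/usr/bin/curl -s {{ watchtower }}/set/`hostname`/<name>/<ip>/<protocol>/<port>
+
+# Option: actionunban
+# Notes.: command executed when unbanning an IP. Take care that the
+# command is executed with Fail2Ban user rights.
+# Tags: See jail.conf(5) man page
+# Values: CMD
+#
+actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>
+
+[Init]
+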
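Review bot: the `curl` appended to `actionban` has no `--max-time`, and fail2ban executes a jail's action commands sequentially, so an unreachable or slow watchtower stalls every further ban in that jail for as long as curl waits; `/usr/bin/curl -s --max-time 10 {{ watchtower }}/set/`hostname`/<name>/<ip>/<protocol>/<port>` bounds that, and the URL is plain http per group_vars, so the report can be spoofed or observed in transit. Nothing reports to the tower from `actionunban`, so once an address is pushed it stays in the central list regardless of the local `bantime`; whether the tower ages entries out itself is not visible here, and that lifetime rule belongs in a comment above `actionban` or in the README. Overwriting the stock `iptables-multiport.conf` in `action.d` also means every jail using that action reports to the tower and a fail2ban package upgrade may replace or conflict with the file; a separately named action such as `iptables-multiport-watchtower.conf`, referenced from jail.local, avoids both. The rendered view has lost the leading whitespace on the continuation lines of `actionstart`, `actionstop` and `actionban`, which fail2ban requires for multi-line values — worth confirming in the actual file.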

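--- a/ansible/roles/fail2ban/templates/jail.local
+++ b/ansible/roles/fail2ban/templates/jail.local
@@ -0,0 +1,8 @@
+[DEFAULT]
+bantime = {{ bantime }}
+findtime = {{ findtime }}
+maxretry = {{ maxretry }}
+banaction = iptables-multiport
+
+[sshd]
+enabled = true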
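Review bot: `[DEFAULT]` sets no `ignoreip`, so the host the playbook is run from and the operator's own addresses can be banned by three mistyped passwords, and because bans are reported to the watchtower and re-pulled by every host, a single false positive can lock the operator out of the whole fleet; add `ignoreip = 127.0.0.1/8 ::1 <management-network>` under `[DEFAULT]`. `banaction = iptables-multiport` is also fail2ban's default value, so the line mainly records the dependency on the patched action file shipped by this role — a comment such as `# iptables-multiport is replaced by this role's template, which also reports bans to the watchtower` would make that explicit.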
