
[fix] provision to set up maxretry, bantime and findtime explicitly for fail2ban

This commit is contained in:
Saurabh 2017-11-22 15:05:10 +05:30
parent 9c15073297
commit 18ded16b52
7 changed files with 35 additions and 6 deletions


@ -48,7 +48,7 @@ def check_uid():
def cmd_requires_root(): def cmd_requires_root():
if len(sys.argv) > 2 and sys.argv[2] in ('production', 'sudoers', 'lets-encrypt', 'fonts', if len(sys.argv) > 2 and sys.argv[2] in ('production', 'sudoers', 'lets-encrypt', 'fonts',
'print', 'firewall', 'ssh-port', 'role'): 'print', 'firewall', 'ssh-port', 'role', 'fail2ban'):
return True return True
if len(sys.argv) >= 2 and sys.argv[1] in ('patch', 'renew-lets-encrypt', 'disable-production', if len(sys.argv) >= 2 and sys.argv[1] in ('patch', 'renew-lets-encrypt', 'disable-production',
'install'): 'install'):


@ -49,7 +49,11 @@ def install_nginx(user=None):
setup_sudoers(user) setup_sudoers(user)
@click.command('fail2ban') @click.command('fail2ban')
def install_failtoban(): @click.option('--maxretry', default=6, help="Number of matches (i.e. value of the counter) which triggers ban action on the IP.")
@click.option('--bantime', default=600, help="The counter is set to zero if no match is found within 'findtime' seconds.")
@click.option('--findtime', default=600, help='Duration (in seconds) for IP to be banned for. Negative number for "permanent" ban.')
def install_failtoban(**kwargs):
extra_vars.update(kwargs)
run_playbook('prerequisites/install_roles.yml', extra_vars=extra_vars, tag='fail2ban') run_playbook('prerequisites/install_roles.yml', extra_vars=extra_vars, tag='fail2ban')
install.add_command(install_prerequisites) install.add_command(install_prerequisites)


@ -208,6 +208,13 @@ def setup_roles(role, **kwargs):
else: else:
run_playbook('prerequisites/install_roles.yml', extra_vars=extra_vars) run_playbook('prerequisites/install_roles.yml', extra_vars=extra_vars)
@click.command('fail2ban')
@click.option('--maxretry', default=6, help="Number of matches (i.e. value of the counter) which triggers ban action on the IP. Default is 6 seconds" )
@click.option('--bantime', default=600, help="The counter is set to zero if no match is found within 'findtime' seconds. Default is 600 seconds")
@click.option('--findtime', default=600, help='Duration (in seconds) for IP to be banned for. Negative number for "permanent" ban. Default is 600 seconds')
def setup_nginx_proxy_jail(**kwargs):
from bench.utils import run_playbook
run_playbook('prerequisites/setup_nginx_proxy_jail.yml', extra_vars=kwargs)
setup.add_command(setup_sudoers) setup.add_command(setup_sudoers)
setup.add_command(setup_nginx) setup.add_command(setup_nginx)
@ -229,4 +236,5 @@ setup.add_command(remove_domain)
setup.add_command(sync_domains) setup.add_command(sync_domains)
setup.add_command(setup_firewall) setup.add_command(setup_firewall)
setup.add_command(set_ssh_port) setup.add_command(set_ssh_port)
setup.add_command(setup_roles) setup.add_command(setup_roles)
setup.add_command(setup_nginx_proxy_jail)
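Review bot: The `--maxretry` help says "Default is 6 seconds", but maxretry is a match count, not a duration; it should read `help="Number of matches (i.e. value of the counter) which triggers ban action on the IP. Default is 6."`. The three defaults are now declared in this command, in `install_failtoban` and in defaults/main.yml, so they can drift silently; consider defining them once (for example module-level constants shared by both click commands) and leaving the role defaults as the single source of truth on the Ansible side. The `from bench.utils import run_playbook` inside the function body suggests an import-cycle workaround; if so, a one-line comment saying why it is local would save the next reader from hoisting it.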


@ -1,2 +1,5 @@
--- ---
fail2ban_nginx_access_log: /var/log/nginx/access.log fail2ban_nginx_access_log: /var/log/nginx/access.log
maxretry: 6
bantime: 600
findtime: 600


@ -0,0 +1,11 @@
- name: Configure fail2ban jail options
hosts: localhost
become: yes
become_user: root
vars_files:
- ../defaults/main.yml
tasks:
- name: Setup jail
template: src="../templates/nginx-proxy-jail.conf.j2" dest="/etc/fail2ban/jail.d/nginx-proxy.conf"
- name: restart service
service: name=fail2ban state=restarted
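Review bot: The `restart service` task runs unconditionally, so every invocation restarts fail2ban even when the rendered jail file is unchanged; register the template result and gate the restart on it, `register: jail_conf` on the template task and `when: jail_conf.changed` on the service task, or move the restart into a handler triggered by `notify`. The template task also writes into `/etc/fail2ban/jail.d/` without an explicit `mode:`, so permissions depend on the process umask; pinning `mode: 0644` makes the result deterministic across hosts.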


@ -4,5 +4,6 @@ enabled = true
filter = nginx-proxy filter = nginx-proxy
logpath = {{ fail2ban_nginx_access_log }} logpath = {{ fail2ban_nginx_access_log }}
action = iptables-multiport[name=NoNginxProxy, port="http,https"] action = iptables-multiport[name=NoNginxProxy, port="http,https"]
maxretry = 2 maxretry = {{ maxretry }}
bantime = 86400 bantime = {{ bantime }}
findtime = {{ findtime }}
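Review bot: The substituted values lower the jail's strictness relative to the hard-coded lines they replace: `maxretry = 2` and `bantime = 86400` become `{{ maxretry }}` and `{{ bantime }}`, whose defaults in defaults/main.yml (the `@ -1,2 +1,5 @@` hunk) are 6 and 600, so a source now gets three times as many attempts before a ban and the ban lasts ten minutes instead of a day. If the intent was only to make the values configurable, the defaults should preserve the previous behaviour, `maxretry: 2` and `bantime: 86400`, with `findtime` stated explicitly as before; if the relaxation is deliberate, the commit message should say so, since anyone upgrading gets the weaker jail without any visible change on their side. The values are also rendered unquoted and unvalidated, which is fine for the click path where integer defaults imply integer options, but any other caller of the playbook with `extra_vars` would write whatever it passes straight into jail.d (inferred; those callers are outside this hunk).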


@ -0,0 +1,2 @@
---
- include: ../prerequisites/roles/fail2ban/tasks/configure_nginx_jail.yml