mirror of
https://github.com/frappe/bench.git
synced 2024-11-11 15:51:03 +00:00
[fix] provision to setup maxretry, bantime and findtime explicitly for fail2ban
This commit is contained in:
parent
9c15073297
commit
18ded16b52
@ -48,7 +48,7 @@ def check_uid():
|
|||||||
|
|
||||||
def cmd_requires_root():
|
def cmd_requires_root():
|
||||||
if len(sys.argv) > 2 and sys.argv[2] in ('production', 'sudoers', 'lets-encrypt', 'fonts',
|
if len(sys.argv) > 2 and sys.argv[2] in ('production', 'sudoers', 'lets-encrypt', 'fonts',
|
||||||
'print', 'firewall', 'ssh-port', 'role'):
|
'print', 'firewall', 'ssh-port', 'role', 'fail2ban'):
|
||||||
return True
|
return True
|
||||||
if len(sys.argv) >= 2 and sys.argv[1] in ('patch', 'renew-lets-encrypt', 'disable-production',
|
if len(sys.argv) >= 2 and sys.argv[1] in ('patch', 'renew-lets-encrypt', 'disable-production',
|
||||||
'install'):
|
'install'):
|
||||||
|
@ -49,7 +49,11 @@ def install_nginx(user=None):
|
|||||||
setup_sudoers(user)
|
setup_sudoers(user)
|
||||||
|
|
||||||
@click.command('fail2ban')
|
@click.command('fail2ban')
|
||||||
def install_failtoban():
|
@click.option('--maxretry', default=6, help="Number of matches (i.e. value of the counter) which triggers ban action on the IP.")
|
||||||
|
@click.option('--bantime', default=600, help="The counter is set to zero if no match is found within 'findtime' seconds.")
|
||||||
|
@click.option('--findtime', default=600, help='Duration (in seconds) for IP to be banned for. Negative number for "permanent" ban.')
|
||||||
|
def install_failtoban(**kwargs):
|
||||||
|
extra_vars.update(kwargs)
|
||||||
run_playbook('prerequisites/install_roles.yml', extra_vars=extra_vars, tag='fail2ban')
|
run_playbook('prerequisites/install_roles.yml', extra_vars=extra_vars, tag='fail2ban')
|
||||||
|
|
||||||
install.add_command(install_prerequisites)
|
install.add_command(install_prerequisites)
|
||||||
|
@ -208,6 +208,13 @@ def setup_roles(role, **kwargs):
|
|||||||
else:
|
else:
|
||||||
run_playbook('prerequisites/install_roles.yml', extra_vars=extra_vars)
|
run_playbook('prerequisites/install_roles.yml', extra_vars=extra_vars)
|
||||||
|
|
||||||
|
@click.command('fail2ban')
|
||||||
|
@click.option('--maxretry', default=6, help="Number of matches (i.e. value of the counter) which triggers ban action on the IP. Default is 6 seconds" )
|
||||||
|
@click.option('--bantime', default=600, help="The counter is set to zero if no match is found within 'findtime' seconds. Default is 600 seconds")
|
||||||
|
@click.option('--findtime', default=600, help='Duration (in seconds) for IP to be banned for. Negative number for "permanent" ban. Default is 600 seconds')
|
||||||
|
def setup_nginx_proxy_jail(**kwargs):
|
||||||
|
from bench.utils import run_playbook
|
||||||
|
run_playbook('prerequisites/setup_nginx_proxy_jail.yml', extra_vars=kwargs)
|
||||||
|
|
||||||
setup.add_command(setup_sudoers)
|
setup.add_command(setup_sudoers)
|
||||||
setup.add_command(setup_nginx)
|
setup.add_command(setup_nginx)
|
||||||
@ -229,4 +236,5 @@ setup.add_command(remove_domain)
|
|||||||
setup.add_command(sync_domains)
|
setup.add_command(sync_domains)
|
||||||
setup.add_command(setup_firewall)
|
setup.add_command(setup_firewall)
|
||||||
setup.add_command(set_ssh_port)
|
setup.add_command(set_ssh_port)
|
||||||
setup.add_command(setup_roles)
|
setup.add_command(setup_roles)
|
||||||
|
setup.add_command(setup_nginx_proxy_jail)
|
@ -1,2 +1,5 @@
|
|||||||
---
|
---
|
||||||
fail2ban_nginx_access_log: /var/log/nginx/access.log
|
fail2ban_nginx_access_log: /var/log/nginx/access.log
|
||||||
|
maxretry: 6
|
||||||
|
bantime: 600
|
||||||
|
findtime: 600
|
@ -0,0 +1,11 @@
|
|||||||
|
- name: Configure fail2ban jail options
|
||||||
|
hosts: localhost
|
||||||
|
become: yes
|
||||||
|
become_user: root
|
||||||
|
vars_files:
|
||||||
|
- ../defaults/main.yml
|
||||||
|
tasks:
|
||||||
|
- name: Setup jail
|
||||||
|
template: src="../templates/nginx-proxy-jail.conf.j2" dest="/etc/fail2ban/jail.d/nginx-proxy.conf"
|
||||||
|
- name: restart service
|
||||||
|
service: name=fail2ban state=restarted
|
@ -4,5 +4,6 @@ enabled = true
|
|||||||
filter = nginx-proxy
|
filter = nginx-proxy
|
||||||
logpath = {{ fail2ban_nginx_access_log }}
|
logpath = {{ fail2ban_nginx_access_log }}
|
||||||
action = iptables-multiport[name=NoNginxProxy, port="http,https"]
|
action = iptables-multiport[name=NoNginxProxy, port="http,https"]
|
||||||
maxretry = 2
|
maxretry = {{ maxretry }}
|
||||||
bantime = 86400
|
bantime = {{ bantime }}
|
||||||
|
findtime = {{ findtime }}
|
2
playbooks/prerequisites/setup_nginx_proxy_jail.yml
Normal file
2
playbooks/prerequisites/setup_nginx_proxy_jail.yml
Normal file
@ -0,0 +1,2 @@
|
|||||||
|
---
|
||||||
|
- include: ../prerequisites/roles/fail2ban/tasks/configure_nginx_jail.yml
|
Loading…
Reference in New Issue
Block a user