diff --git a/bench/cli.py b/bench/cli.py index 3d14cffe..830e144a 100755 --- a/bench/cli.py +++ b/bench/cli.py @@ -48,7 +48,7 @@ def check_uid(): def cmd_requires_root(): if len(sys.argv) > 2 and sys.argv[2] in ('production', 'sudoers', 'lets-encrypt', 'fonts', - 'print', 'firewall', 'ssh-port', 'role'): + 'print', 'firewall', 'ssh-port', 'role', 'fail2ban'): return True if len(sys.argv) >= 2 and sys.argv[1] in ('patch', 'renew-lets-encrypt', 'disable-production', 'install'): diff --git a/bench/commands/install.py b/bench/commands/install.py index 4a9168a8..4c9459e8 100644 --- a/bench/commands/install.py +++ b/bench/commands/install.py @@ -49,7 +49,11 @@ def install_nginx(user=None): setup_sudoers(user) @click.command('fail2ban') -def install_failtoban(): +@click.option('--maxretry', default=6, help="Number of matches (i.e. value of the counter) which triggers ban action on the IP.") +@click.option('--bantime', default=600, help="The counter is set to zero if no match is found within 'findtime' seconds.") +@click.option('--findtime', default=600, help='Duration (in seconds) for IP to be banned for. Negative number for "permanent" ban.') +def install_failtoban(**kwargs): + extra_vars.update(kwargs) run_playbook('prerequisites/install_roles.yml', extra_vars=extra_vars, tag='fail2ban') install.add_command(install_prerequisites) diff --git a/bench/commands/setup.py b/bench/commands/setup.py index aac60462..adff7ecb 100755 --- a/bench/commands/setup.py +++ b/bench/commands/setup.py @@ -208,6 +208,13 @@ def setup_roles(role, **kwargs): else: run_playbook('prerequisites/install_roles.yml', extra_vars=extra_vars) +@click.command('fail2ban') +@click.option('--maxretry', default=6, help="Number of matches (i.e. value of the counter) which triggers ban action on the IP. Default is 6 seconds" ) +@click.option('--bantime', default=600, help="The counter is set to zero if no match is found within 'findtime' seconds. Default is 600 seconds") +@click.option('--findtime', default=600, help='Duration (in seconds) for IP to be banned for. Negative number for "permanent" ban. Default is 600 seconds') +def setup_nginx_proxy_jail(**kwargs): + from bench.utils import run_playbook + run_playbook('prerequisites/setup_nginx_proxy_jail.yml', extra_vars=kwargs) setup.add_command(setup_sudoers) setup.add_command(setup_nginx) @@ -229,4 +236,5 @@ setup.add_command(remove_domain) setup.add_command(sync_domains) setup.add_command(setup_firewall) setup.add_command(set_ssh_port) -setup.add_command(setup_roles) \ No newline at end of file +setup.add_command(setup_roles) +setup.add_command(setup_nginx_proxy_jail) \ No newline at end of file diff --git a/playbooks/prerequisites/roles/fail2ban/defaults/main.yml b/playbooks/prerequisites/roles/fail2ban/defaults/main.yml index 3feadba7..5aae2800 100644 --- a/playbooks/prerequisites/roles/fail2ban/defaults/main.yml +++ b/playbooks/prerequisites/roles/fail2ban/defaults/main.yml @@ -1,2 +1,5 @@ --- -fail2ban_nginx_access_log: /var/log/nginx/access.log \ No newline at end of file +fail2ban_nginx_access_log: /var/log/nginx/access.log +maxretry: 6 +bantime: 600 +findtime: 600 \ No newline at end of file diff --git a/playbooks/prerequisites/roles/fail2ban/tasks/configure_nginx_jail.yml b/playbooks/prerequisites/roles/fail2ban/tasks/configure_nginx_jail.yml new file mode 100644 index 00000000..4d2ede07 --- /dev/null +++ b/playbooks/prerequisites/roles/fail2ban/tasks/configure_nginx_jail.yml @@ -0,0 +1,11 @@ +- name: Configure fail2ban jail options + hosts: localhost + become: yes + become_user: root + vars_files: + - ../defaults/main.yml + tasks: + - name: Setup jail + template: src="../templates/nginx-proxy-jail.conf.j2" dest="/etc/fail2ban/jail.d/nginx-proxy.conf" + - name: restart service + service: name=fail2ban state=restarted \ No newline at end of file diff --git a/playbooks/prerequisites/roles/fail2ban/templates/nginx-proxy-jail.conf.j2 b/playbooks/prerequisites/roles/fail2ban/templates/nginx-proxy-jail.conf.j2 index 23a1dfc7..c351773b 100644 --- a/playbooks/prerequisites/roles/fail2ban/templates/nginx-proxy-jail.conf.j2 +++ b/playbooks/prerequisites/roles/fail2ban/templates/nginx-proxy-jail.conf.j2 @@ -4,5 +4,6 @@ enabled = true filter = nginx-proxy logpath = {{ fail2ban_nginx_access_log }} action = iptables-multiport[name=NoNginxProxy, port="http,https"] -maxretry = 2 -bantime = 86400 \ No newline at end of file +maxretry = {{ maxretry }} +bantime = {{ bantime }} +findtime = {{ findtime }} \ No newline at end of file diff --git a/playbooks/prerequisites/setup_nginx_proxy_jail.yml b/playbooks/prerequisites/setup_nginx_proxy_jail.yml new file mode 100644 index 00000000..05263f87 --- /dev/null +++ b/playbooks/prerequisites/setup_nginx_proxy_jail.yml @@ -0,0 +1,2 @@ +--- +- include: ../prerequisites/roles/fail2ban/tasks/configure_nginx_jail.yml \ No newline at end of file