Initial commit

Author: pjan

.gitignore

@@ -0,0 +1,9 @@
+.DS_Store
+.AppleDouble
+.LSOverride
+Icon
+._*
+.Spotlight-V100
+.Trashes
+.vagrant
+test

.travis.yml

@@ -0,0 +1,12 @@
+---
+language: python
+python: "2.7"
+before_install:
+ - sudo apt-get update -qq
+ - sudo apt-get install -qq python-apt python-pycurl
+install:
+  - pip install ansible==1.5.0
+script:
+  - echo localhost > inventory
+  - ansible-playbook --syntax-check -i inventory test.yml
+  - ansible-playbook -i inventory test.yml --connection=local --sudo

LICENSE

@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) 2014 Pieterjan Vandaele
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.md

@@ -0,0 +1,54 @@
+## Ansibles - fail2ban [![Build Status](https://travis-ci.org/Ansibles/fail2ban.png)](https://travis-ci.org/Ansibles/fail2ban)
+
+Ansible role which installs and configures fail2ban, a utility that watches logs for failed login attempts and blocks repeat offenders with firewall rules.
+
+
+#### Requirements & Dependencies
+- Tested on Ansible 1.4 or higher.
+
+
+#### Variables
+
+- `fail2ban_loglevel` - sets the loglevel output (1 = ERROR, 2 = WARN, 3 = INFO, 4 = DEBUG; default is 3)
+- `fail2ban_logtarget1` - set the log target. This could be a file, SYSLOG, STDERR or STDOUT
+- `fail2ban_syslog_target`
+- `fail2ban_syslog_facility`
+- `fail2ban_socket` - sets the socket file, which is used to communicate with the daemon
+
+- `fail2ban_ignoreip` - which IP address/CIDR mask/DNS host should be ignored from fail2ban's actions
+- `fail2ban_bantime` - sets the bantime
+- `fail2ban_maxretry` - maximum number of retries before the host is put into jail
+- `fail2ban_backend` - specifies the backend used to get files modification
+- `fail2ban_email` - email address which can be used in the interpolation of the `fail2ban_services`
+- `fail2ban_banaction` - sets the global/default banaction (can be overriden on a per role basis)
+- `fail2ban_mta` - email action
+- `fail2ban_protocol` - sets the default protocol
+- `fail2ban_chain` - specifies the chain where jumps would need to be added in iptables-* actions
+- `fail2ban_action` - default action
+
+For each of the services you wish to protect/put a jail or ban up for, you need to add it to the `fail2ban_services` list of hashes:
+
+```yaml
+fail2ban_services:
+  - name: ssh
+    enabled: true
+    port: ssh
+    filter: sshd
+    logpath: /var/log/auth.log
+    maxretry: 6
+    protocol: tcp                       (optional)
+    action: action_                     (optional)
+    banaction: "iptables-multiport"     (optional)
+```
+
+There's a list of [service examples](services_examples.md) to help you.
+
+
+#### License
+
+Licensed under the MIT License. See the LICENSE file for details.
+
+
+#### Feedback, bug-reports, requests, ...
+
+Are [welcome](https://github.com/ansibles/fail2ban/issues)!

defaults/main.yml

@@ -0,0 +1,28 @@
+# file: fail2ban/defaults/main.yml
+
+fail2ban_loglevel: 3
+fail2ban_logtarget: "/var/log/fail2ban.log"
+fail2ban_syslog_target: "/var/log/fail2ban.log"
+fail2ban_syslog_facility: 1
+fail2ban_socket: /var/run/fail2ban/fail2ban.sock
+
+fail2ban_ignoreip: "127.0.0.1/8"
+fail2ban_bantime: 600
+fail2ban_maxretry: 3
+fail2ban_backend: "auto"
+fail2ban_destemail: "root@localhost"
+fail2ban_banaction: "iptables-multiport"
+fail2ban_mta: "sendmail"
+fail2ban_protocol: "tcp"
+fail2ban_chain: "INPUT"
+fail2ban_action: "action_"
+
+fail2ban_auth_log: "/var/log/auth.log"
+
+fail2ban_services:
+  - name: ssh
+    enabled: true
+    port: ssh
+    filter: sshd
+    logpath: /var/log/auth.log
+    maxretry: 6

handlers/main.yml

@@ -0,0 +1,6 @@
+# file: fail2ban/handlers/main.yml
+
+- name: restart fail2ban
+  service:
+    name: fail2ban
+    state: restarted

meta/main.yml

@@ -0,0 +1,16 @@
+# file: fail2ban/meta/main.yml
+
+galaxy_info:
+  author: pjan vandaele
+  company: Ansibles
+  description:
+  min_ansible_version: 1.4
+  license: MIT
+  platforms:
+  - name: Ubuntu
+    versions:
+    - all
+  categories:
+  - system
+
+dependencies: []

services_examples.md

@@ -0,0 +1,167 @@
+### Ansibles - fail2ban: List of service examples
+
+###### ssh/dropbear/...
+```yaml
+  - name: ssh
+    enabled: true
+    port: ssh
+    filter: sshd
+    logpath: /var/log/auth.log
+```
+
+###### Generic filter for pam
+```yaml
+fail2ban_services:
+  - name: pam-generic
+    enabled: true
+    port: all
+    filter: pam-generic
+    logpath: /var/log/auth.log
+    maxretry: 6
+    banaction: iptables-allports
+```
+
+###### xinetd-fail
+```yaml
+fail2ban_services:
+  - name: xinetd-fail
+    enabled: true
+    port: all
+    filter: xinetd-fail
+    logpath: /var/log/daemon.log
+    maxretry: 2
+    banaction: iptables-multiport-log
+```
+
+###### ssh-ddos
+```yaml
+fail2ban_services:
+  - name: ssh-ddos
+    enabled: true
+    port: ssh
+    filter: ssh-ddos
+    logpath: /var/log/auth.log
+    maxretry: 6
+```
+
+###### apache
+```yaml
+fail2ban_services:
+  - name: apache
+    enabled: true
+    port: http,https
+    filter: apache-auth
+    logpath: /var/log/apache*/*error.log
+    maxretry: 6
+```
+
+###### apache-multiport
+```yaml
+fail2ban_services:
+  - name: apache-multiport
+    enabled: true
+    port: http,https
+    filter: apache-auth
+    logpath: /var/log/apache*/*error.log
+    maxretry: 6
+    banaction:
+```
+
+###### apache-noscript
+```yaml
+fail2ban_services:
+  - name: apache-noscript
+    enabled: true
+    port: http,https
+    filter: apache-noscript
+    logpath: /var/log/apache*/*error.log
+    maxretry: 6
+```
+
+###### apache-overflows
+```yaml
+fail2ban_services:
+  - name: apache-overflows
+    enabled: true
+    port: http,https
+    filter: apache-overflows
+    logpath: /var/log/apache*/*error.log
+    maxretry: 2
+```
+
+###### vsftpd
+```yaml
+fail2ban_services:
+  - name: vsftpd
+    enabled: true
+    port: ftp,ftp-data,ftps,ftps-data
+    filter: vsftpd
+    logpath: /var/log/vsftpd.log
+    maxretry: 6
+```
+
+###### proftpd
+```yaml
+fail2ban_services:
+  - name: proftpd
+    enabled: true
+    port: ftp,ftp-data,ftps,ftps-data
+    filter: proftpd
+    logpath: /var/log/proftpd/proftpd.log
+    maxretry: 6
+```
+
+###### postfix
+```yaml
+fail2ban_services:
+  - name: postfix
+    enabled: true
+    port: smtp, ssmtp
+    filter: postfix
+    logpath: /var/log/mail.log
+    maxretry: 6
+```
+
+###### couriersmtp
+```yaml
+fail2ban_services:
+  - name: couriersmtp
+    enabled: true
+    port: smtp,ssmtp
+    filter: couriersmtp
+    logpath: /var/log/mail.log
+    maxretry: 6
+```
+
+###### courierauth
+```yaml
+fail2ban_services:
+  - name: courierauth
+    enabled: true
+    port: smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
+    filter: courierlogin
+    logpath: /var/log/mail.log
+    maxretry: 6
+```
+
+###### sasl
+```yaml
+fail2ban_services:
+  - name: sasl
+    enabled: true
+    port: smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
+    filter: sasl
+    logpath: /var/log/mail.log
+    maxretry: 6
+```
+
+###### dovecot
+```yaml
+fail2ban_services:
+  - name: dovecot
+    enabled: true
+    port: smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
+    filter: dovecot
+    logpath: /var/log/mail.log
+    maxretry: 6
+```

tasks/main.yml

@@ -0,0 +1,31 @@
+# file: fail2ban/tasks/main.yml
+
+- name: fail2ban | Make sure fail2ban is installed
+  apt:
+    pkg: fail2ban
+    state: latest
+
+- name: fail2ban | Make sure the fail2ban configuration is up to date
+  template:
+    src: etc_fail2ban_fail2ban.conf.j2
+    dest: /etc/fail2ban/fail2ban.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - restart fail2ban
+
+- name: fail2ban | Make sure the fail2ban jail configuration is up to date
+  template:
+    src: etc_fail2ban_jail.conf.j2
+    dest: /etc/fail2ban/jail.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - restart fail2ban
+
+- name: fail2ban | Make sure fail2ban is enabled
+  service:
+    name: fail2ban
+    enabled: yes

templates/etc_fail2ban_fail2ban.conf.j2

@@ -0,0 +1,38 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+# $Revision$
+#
+
+[Definition]
+
+# Option:  loglevel
+# Notes.:  Set the log level output.
+#          1 = ERROR
+#          2 = WARN
+#          3 = INFO
+#          4 = DEBUG
+# Values:  NUM  Default:  3
+#
+loglevel = {{fail2ban_loglevel}}
+
+# Option:  logtarget
+# Notes.:  Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
+#          Only one log target can be specified.
+# Values:  STDOUT STDERR SYSLOG file  Default:  /var/log/fail2ban.log
+#
+logtarget = {{fail2ban_logtarget}}
+{% if fail2ban_logtarget == "SYSLOG" %}
+syslog-target = {{fail2ban_syslog_target}}
+syslog-facility = {{fail2ban_syslog_facility}}
+{% endif %}
+
+# Option: socket
+# Notes.: Set the socket file. This is used to communicate with the daemon. Do
+#         not remove this file when Fail2ban runs. It will not be possible to
+#         communicate with the server afterwards.
+# Values: FILE  Default:  /var/run/fail2ban/fail2ban.sock
+#
+socket = {{fail2ban_socket}}
+