Default variables

General fail2ban configuration

fail2ban_loglevel

Log verbosity. Valid values: CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG. Default: ERROR

fail2ban_loglevel: 'WARNING'

fail2ban_logtarget

Where to save logs: a file, STDOUT, STDERR, SYSLOG

fail2ban_logtarget: '/var/log/fail2ban.log'

Default configuration for all jails

fail2ban_ignoreip

List of IP addresses or CIDR networks which should be ignored by fail2ban

fail2ban_ignoreip: []

fail2ban_ignoreip_default

List of default IP addresses or CIDR networks which should be ignored by fail2ban

fail2ban_ignoreip_default: [ '127.0.0.0/8' ]

fail2ban_findtime

Time window in seconds within which bad login attempts are counted towards a ban (by default, 10 minutes)

fail2ban_findtime: '{{ (60 * 10) }}'

fail2ban_maxretry

Maximum number of bad login attempts within the given findtime that triggers a ban

fail2ban_maxretry: '3'

fail2ban_bantime

Length of time in seconds for the ban to persist (by default, 2 hours)

fail2ban_bantime: '{{ (60 * 60 * 2) }}'
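The three variables above only make sense together: an address is banned once it reaches maxretry failures inside any findtime-long window, and the ban is lifted after bantime seconds. The following Python simulation is an added example, not code from the DebOps role or from fail2ban itself; it reproduces that sliding-window rule with the role's default values and runs it over a constructed list of failure events, so you can see why a slow, evenly spaced attacker stays under the threshold while a burst does not.

```python
"""Added example (not part of the DebOps role or of fail2ban): simulate how
fail2ban_findtime, fail2ban_maxretry and fail2ban_bantime interact.

Rule: an IP is banned when it accumulates MAXRETRY failures within any
window of FINDTIME seconds; the ban lasts BANTIME seconds. This is a
simplified model of fail2ban's counter, written for illustration.
"""
from collections import defaultdict, deque

# Role defaults from the page: 10 minutes, 3 retries, 2 hours.
FINDTIME = 60 * 10
MAXRETRY = 3
BANTIME = 60 * 60 * 2


class BanTracker:
    """Per-IP sliding-window counter of failed attempts plus active bans."""

    def __init__(self, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
        self.findtime = findtime
        self.maxretry = maxretry
        self.bantime = bantime
        self._failures = defaultdict(deque)  # ip -> failure timestamps in window
        self.banned_until = {}               # ip -> epoch second when ban expires

    def is_banned(self, ip, now):
        """True while a ban is active; expired bans are forgotten on lookup."""
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.banned_until[ip]
            return False
        return True

    def record_failure(self, ip, ts):
        """Register one failed attempt at time ts; return True if it triggers a ban."""
        if self.is_banned(ip, ts):
            return False  # already banned, nothing new to decide
        window = self._failures[ip]
        window.append(ts)
        # Discard attempts that fell out of the findtime window.
        while window and ts - window[0] > self.findtime:
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned_until[ip] = ts + self.bantime
            window.clear()
            return True
        return False


# Constructed failure events (ip, seconds since start), not real log data.
# 203.0.113.5 bursts three failures in 200 s; 198.51.100.9 spaces them 400 s apart.
EVENTS = [
    ("203.0.113.5", 0),
    ("198.51.100.9", 0),
    ("203.0.113.5", 100),
    ("198.51.100.9", 400),
    ("203.0.113.5", 200),
    ("203.0.113.5", 500),   # already banned: ignored by the counter
    ("198.51.100.9", 800),
    ("198.51.100.9", 1200),
]


def simulate(events, **kwargs):
    """Feed events through a BanTracker; return ([(ip, ban_time), ...], tracker)."""
    tracker = BanTracker(**kwargs)
    bans = []
    for ip, ts in events:
        if tracker.record_failure(ip, ts):
            bans.append((ip, ts))
    return bans, tracker


if __name__ == "__main__":
    bans, tracker = simulate(EVENTS)
    for ip, ts in bans:
        print(f"{ip} banned at t={ts}s until t={ts + BANTIME}s")
    print("198.51.100.9 banned:", tracker.is_banned("198.51.100.9", 1200))
```

With the defaults, only the bursting address is banned (at t=200); the slow one never holds three attempts inside a 600-second window, which is the trade-off to keep in mind when tuning findtime and maxretry.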
fail2ban_backend

Method which fail2ban uses to get notified about new entries in log files

fail2ban_backend: 'auto'

fail2ban_mta

Default mail notification method

fail2ban_mta: 'sendmail'

fail2ban_destemail

Recipient address of e-mail notifications

fail2ban_destemail: 'root@{{ ansible_domain }}'

fail2ban_banaction

Default "response mode" to use for banning. By default, fail2ban will add IP addresses to a custom iptables recent list and REJECT connections.

fail2ban_banaction: 'iptables-xt_recent-echo-reject'

fail2ban_protocol

Protocol type to filter in iptables: tcp, udp, icmp, all

fail2ban_protocol: 'tcp'

fail2ban_chain

iptables chain to add the rules in

fail2ban_chain: 'INPUT'

fail2ban_position

Position in the iptables chain at which fail2ban will add its rules. The default is based on the firewall generated by the debops.ferm role, which at the moment has these entries in the INPUT chain:

  1. Accept connections from lo interface
  2. Filter ICMP floods (jump to separate chain)
  3. Drop INVALID packets
  4. Accept ESTABLISHED and RELATED packets
  5. Filter SYN floods (jump to separate chain)

This option works only with ban actions that support it.

fail2ban_position: '6'

fail2ban_action

Action performed by fail2ban when an IP address is banned. See the list of default actions below.

fail2ban_action: 'action_'

fail2ban_default_actions

Dict with a set of named actions to perform when a ban is executed.

fail2ban_default_actions:

  # Block an IP address in the firewall
  'action_': |
    %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s", position="%(position)s", bantime="%(bantime)s"]

  # Block an IP address in the firewall and send a notification about the
  # offender taken from ``whois``
  'action_mw': |
    %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s", position="%(position)s", bantime="%(bantime)s"]
    %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

  # Block an IP address in the firewall and send a notification about the
  # offender taken from ``whois`` and relevant log entries
  'action_mwl': |
    %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s", position="%(position)s", bantime="%(bantime)s"]
    %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
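The action templates above use fail2ban's ConfigParser-style %(name)s interpolation: %(banaction)s, %(chain)s, %(position)s and the rest resolve to the role variables documented on this page, while %(__name__)s is the jail's own name and %(port)s / %(logpath)s come from the jail definition. The Python below is an added example, not the role's or fail2ban's code; it expands the action_mwl template for a hypothetical 'ssh' jail using the role defaults (with a constructed domain standing in for {{ ansible_domain }}), and reports a missing placeholder instead of silently producing a broken action line.

```python
"""Added example (not part of the DebOps role or of fail2ban): expand a
fail2ban action template with the same %(name)s interpolation that
fail2ban's configuration uses. Values are the role defaults from this
page plus a hypothetical 'ssh' jail; the domain is constructed.
"""

# Verbatim action_mwl template from fail2ban_default_actions.
ACTION_MWL = (
    '%(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", '
    'chain="%(chain)s", position="%(position)s", bantime="%(bantime)s"]\n'
    '%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", '
    'logpath=%(logpath)s, chain="%(chain)s"]'
)

# Role defaults as documented above; 'root@{{ ansible_domain }}' rendered
# for the constructed domain example.com.
ROLE_DEFAULTS = {
    "banaction": "iptables-xt_recent-echo-reject",
    "protocol": "tcp",
    "chain": "INPUT",
    "position": "6",
    "bantime": str(60 * 60 * 2),
    "mta": "sendmail",
    "destemail": "root@example.com",
}


def render_action(template, jail_name, jail_vars, defaults=ROLE_DEFAULTS):
    """Return the template's lines with every %(key)s placeholder substituted.

    jail_vars (e.g. port, logpath) override the role defaults; __name__ is
    always the jail name. A placeholder with no value raises ValueError
    naming the missing key, so a typo in a template is caught before it
    reaches fail2ban.
    """
    values = dict(defaults)
    values.update(jail_vars)
    values["__name__"] = jail_name
    rendered = []
    for line in template.splitlines():
        try:
            rendered.append(line % values)
        except KeyError as exc:
            raise ValueError(
                f"action for jail {jail_name!r} references undefined "
                f"placeholder %({exc.args[0]})s"
            ) from None
    return rendered


if __name__ == "__main__":
    # Hypothetical jail values; the page's default jail only sets name/enabled.
    for line in render_action(ACTION_MWL, "ssh",
                              {"port": "ssh", "logpath": "/var/log/auth.log"}):
        print(line)
```

The first rendered line is the firewall action and the second is the mail action; both carry the same name=ssh, which is how fail2ban keeps one jail's rules distinct from another's.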
fail2ban_custom_actions

Dict with a custom set of named actions to perform when a ban is executed.

fail2ban_custom_actions: {}

fail2ban_actions

List of dicts which define custom local fail2ban actions.

fail2ban_actions: []

fail2ban_filters

List of dicts which define custom local fail2ban filters.

fail2ban_filters: []

List of fail2ban jails

fail2ban_jails

List of dicts which define fail2ban jails. See fail2ban_jails for more details. This list is meant for all hosts in the cluster.

fail2ban_jails:
  - name: 'ssh'
    enabled: 'true'

fail2ban_group_jails

List of dicts which define fail2ban jails. See fail2ban_jails for more details. This list is meant for specific groups of hosts in the cluster.

fail2ban_group_jails: []

fail2ban_host_jails

List of dicts which define fail2ban jails. See fail2ban_jails for more details. This list is meant for specific hosts in the cluster.

fail2ban_host_jails: []

fail2ban_dependent_jails

List of dicts which define fail2ban jails. See fail2ban_jails for more details. This list is meant for use by other Ansible roles.

fail2ban_dependent_jails: []