Default variables: configuration¶
some of debops.fail2ban
default variables have more extensive configuration
than simple strings or lists, here you can find documentation and examples for
them.
fail2ban_actions¶
List of local fail2ban
actions that should be present or absent when configuring
fail2ban
. Each action is defined as a YAML dict with the following keys:
name
- Required. Name of the filter.
ban
- Required. Command executed when banning an IP. Take care that the command is executed
with
fail2ban
user rights. check
- Optional. Command executed once before each
ban
command. filename
- Optional. Alternative name of the action configuration file.
start
- Optional. Command executed once at the start of
fail2ban
. state
- Optional. If
present
, the action will be created when configuringfail2ban
. Ifabsent
, the action will be removed when configuringfail2ban
. stop
- Optional. Command executed once at the end of
fail2ban
. unban
- Optional. Command executed when unbanning an IP. Take care that the command is executed
with
fail2ban
user rights.
fail2ban_filters¶
List of local fail2ban
filters that should be present or absent when configuring
fail2ban
. Each filter is defined as a YAML dict with the following keys:
name
- Required. Name of the filter.
after
- Optional. Specify an additional filter configuration file that
fail2ban
will read after reading this filter configuration filer. before
- Optional. Specify an additional filter configuration file that
fail2ban
will read before reading this filter configuration file. definitions
- Optional. Custom definitions used by the filter.
failregex
- Required. A string of regular expression(s) used by the filter to detect
break-in attempts. You can have the filter try to match multiple regular
expressions by using the
|
character (the YAML literal style operator). Each regular expression should be on its own line. Refer to the examples section. filename
- Optional. Alternative name of the filter configuration file. If not specified, it
will use the
name
of the filter. ignoreregex
- Optional. Regular expression(s) used to filter out invalid break-in attempts. You can have the filter try to match multiple regular expressions. Each regular expression should be on its own line.
state
- Optional. If
present
, the filter will be created when configuringfail2ban
. Ifabsent
, the filter will be removed when configuringfail2ban
.
Refer to the fail2ban
filter wiki for more information.
fail2ban_jails¶
Jails are defined in the form of dicts, where dict keys are the option names and dict values are option values. You can specify values either as strings or YAML lists, in which case elements of the list will be separated by commas.
Some keys have a special meaning:
name
- Jail name, used as a section header and part of the filename. Required.
filename
- Alternative file name, optional.
comment
- A commented text added before the given jail
delete
- If this option is present and
True
, file which defines a given jail will be deleted ignoreip
- List of IP addresses or CIDR subnets which should be ignored by
fail2ban
action
- It should be a name of a default or custom action, which will be used by
fail2ban
Other options are the same as normal fail2ban
jail configuration options.
Refer to default /etc/fail2ban/jail.conf
or fail2ban wiki for possible
options.
Examples:¶
Jails
Enable ssh
jail and configure it to send mail messages about banned hosts:
fail2ban_jails:
- name: 'ssh'
enabled: 'true'
action: 'action_mw'
Enable dovecot
jail with custom filename and send mail notifications to
postmaster:
fail2ban_jails:
- name: 'dovecot'
filename: '50_dovecot'
enabled: 'true'
destemail: 'postmaster@{{ ansible_domain }}'
Filters
Add custom local filter web-auth
with multiple failregex
rules:
fail2ban_filters:
- name: web-auth
failregex: |
Authentication failure for .* from <HOST>
Failed [-/\w]+ for .* from <HOST>
ROOT LOGIN REFUSED .* FROM <HOST>
state: present
Add custom local filter root-auth
with a single failregex
rule:
fail2ban_filters:
- name: root-auth
failregex: 'Authentication failure for .* from <HOST>'
state: present