debops.fail2ban default variables

General fail2ban configuration

- fail2ban_loglevel

  Log verbosity. Valid values: CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG. Default: WARNING.

    fail2ban_loglevel: 'WARNING'

- fail2ban_logtarget

  Where to save logs: a file, STDOUT, STDERR or SYSLOG.

    fail2ban_logtarget: '/var/log/fail2ban.log'

- fail2ban_dbpurgeage

  Age in seconds at which bans should be purged from the database (by default 86400, i.e. 24h).

    fail2ban_dbpurgeage: '{{ (60 * 60 * 24) }}'
Default configuration for all jails

- fail2ban_ignoreip

  List of IP addresses or CIDR networks which should be ignored by fail2ban.

    fail2ban_ignoreip: []

- fail2ban_group_ignoreip

  List of IP addresses or CIDR networks which should be ignored by fail2ban in a specific Ansible inventory group.

    fail2ban_group_ignoreip: []

- fail2ban_host_ignoreip

  List of IP addresses or CIDR networks which should be ignored by fail2ban on specific hosts in the Ansible inventory.

    fail2ban_host_ignoreip: []

- fail2ban_ignoreip_default

  List of default IP addresses or CIDR networks which should be ignored by fail2ban.

    fail2ban_ignoreip_default: [ '127.0.0.0/8' ]

- fail2ban_findtime

  Length of time in seconds between bad login attempts to consider for banning (by default, 10 minutes).

    fail2ban_findtime: '{{ (60 * 10) }}'

- fail2ban_maxretry

  Maximum number of bad login attempts in the given findtime to trigger a ban.

    fail2ban_maxretry: '3'

- fail2ban_bantime

  Length of time in seconds for the ban to persist (by default, 2 hours).

    fail2ban_bantime: '{{ (60 * 60 * 2) }}'
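The following Python is an added illustration, not code from the DebOps role or from fail2ban itself: a simplified sliding-window model of how fail2ban_findtime, fail2ban_maxretry, fail2ban_bantime and fail2ban_ignoreip_default interact, using the role defaults above. The failure timestamps and source addresses in SAMPLE are constructed; fail2ban's real bookkeeping lives in its database and filters, so treat this as a way to reason about the numbers, not as its implementation.

```python
# Added illustration (not DebOps or fail2ban code): a simplified model of how
# findtime, maxretry, bantime and ignoreip work together. Values mirror the
# role defaults documented on this page.
import ipaddress
from collections import defaultdict, deque

FINDTIME = 60 * 10          # fail2ban_findtime: window for counting failures
MAXRETRY = 3                # fail2ban_maxretry: failures within the window
BANTIME = 60 * 60 * 2       # fail2ban_bantime: how long a ban lasts
IGNOREIP = ["127.0.0.0/8"]  # fail2ban_ignoreip_default


def is_ignored(ip, ignore=IGNOREIP):
    """True if the source address falls inside any ignored CIDR network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignore)


def simulate(failures, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """failures: (timestamp_seconds, source_ip) pairs, e.g. parsed from a log.
    Returns {ip: [(ban_start, ban_end), ...]} for every IP that got banned."""
    window = defaultdict(deque)   # recent failure timestamps per IP
    bans = defaultdict(list)
    for ts, ip in sorted(failures):
        if is_ignored(ip):
            continue              # whitelisted sources are never counted
        active = bans.get(ip)
        if active and active[-1][1] > ts:
            continue              # firewall already rejects this IP
        recent = window[ip]
        recent.append(ts)
        while recent and ts - recent[0] > findtime:
            recent.popleft()      # drop failures older than findtime
        if len(recent) >= maxretry:
            bans[ip].append((ts, ts + bantime))
            recent.clear()        # counting restarts once the ban expires
    return dict(bans)


# Constructed sample input: (seconds since epoch, source IP).
SAMPLE = [
    (0, "203.0.113.5"), (100, "203.0.113.5"), (200, "203.0.113.5"),  # 3 in 200 s
    (300, "203.0.113.5"),      # happens while banned, so it is not counted
    (8000, "203.0.113.5"),     # after the ban expired: a fresh first failure
    (0, "198.51.100.7"), (700, "198.51.100.7"), (1400, "198.51.100.7"),  # too slow
    (0, "127.0.0.1"), (1, "127.0.0.1"), (2, "127.0.0.1"),  # covered by ignoreip
]

if __name__ == "__main__":
    print(simulate(SAMPLE))   # {'203.0.113.5': [(200, 7400)]}
```

Raising maxretry or lowering findtime in the call shows directly how much slower an attacker has to go to stay under the threshold, which is the trade-off these three variables encode.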
- fail2ban_backend

  Method which fail2ban uses to get notified about new entries in log files.

    fail2ban_backend: 'auto'

- fail2ban_mta

  Default mail notification method.

    fail2ban_mta: 'sendmail'

- fail2ban_destemail

  Recipient address of e-mail notifications.

    fail2ban_destemail: 'root@{{ ansible_domain }}'

- fail2ban_banaction

  Default "response mode" to use for banning. By default, fail2ban will add IP addresses to a custom iptables recent list and REJECT connections.

    fail2ban_banaction: 'iptables-xt_recent-echo-reject'

- fail2ban_protocol

  Protocol type to filter in iptables: tcp, udp, icmp or all.

    fail2ban_protocol: 'tcp'

- fail2ban_chain

  iptables chain to add the rules in.

    fail2ban_chain: 'INPUT'

- fail2ban_position

  Position in the iptables chain at which fail2ban will add its rules. The default is based on the firewall generated by the debops.ferm role, which at the moment has these entries in the INPUT chain:

  - Accept connections from the lo interface
  - Filter ICMP floods (jump to separate chain)
  - Drop INVALID packets
  - Accept ESTABLISHED and RELATED packets
  - Filter SYN floods (jump to separate chain)

  This option works only with ban actions that support it.

    fail2ban_position: '6'
- fail2ban_bantime_distribution_map

  Dictionary mapping a distribution release to the default bantime used when banning IPs.

    fail2ban_bantime_distribution_map:
      'focal': "7200"

- fail2ban_action

  Action performed by fail2ban when an IP address is banned. See the list of default actions below.

    fail2ban_action: 'action_'

- fail2ban_action_distribution_map

  Dictionary mapping a distribution release to the default action used when banning IPs.

    fail2ban_action_distribution_map:
      'focal': '%(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s", position="%(position)s"]'

- fail2ban_default_actions

  Dict with a set of named actions to perform when a ban is executed.

    fail2ban_default_actions:

      # Block an IP address in the firewall
      'action_': |
        {{ fail2ban_action_distribution_map[ansible_distribution_release]
           if ansible_distribution_release in fail2ban_action_distribution_map.keys()
           else '%(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s", position="%(position)s", bantime="%(bantime)s"]' }}

      # Block an IP address in the firewall and send a notification about the
      # offender taken from ``whois``
      'action_mw': |
        {{ fail2ban_action_distribution_map[ansible_distribution_release]
           if ansible_distribution_release in fail2ban_action_distribution_map.keys()
           else '%(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s", position="%(position)s", bantime="%(bantime)s"]' }}
        %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

      # Block an IP address in the firewall and send a notification about the
      # offender taken from ``whois`` and relevant log entries
      'action_mwl': |
        {{ fail2ban_action_distribution_map[ansible_distribution_release]
           if ansible_distribution_release in fail2ban_action_distribution_map.keys()
           else '%(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s", position="%(position)s", bantime="%(bantime)s"]' }}
        %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

- fail2ban_custom_actions

  Dict with a custom set of named actions to perform when a ban is executed.

    fail2ban_custom_actions: {}

- fail2ban_actions

  List of dicts which define custom local fail2ban actions.

    fail2ban_actions: []

- fail2ban_filters

  List of dicts which define custom local fail2ban filters. See fail2ban_filters for more details.

    fail2ban_filters: []

- fail2ban_usedns

  Specifies if jails should trust hostnames in logs. Available options are yes, warn, no and raw.

    fail2ban_usedns: 'warn'
List of fail2ban jails

- fail2ban_jails

  List of dicts which define fail2ban jails. See fail2ban_jails for more details. This list is meant for all hosts in the cluster.

    fail2ban_jails:
      - name: '{{ fail2ban_ssh_jail_name }}'
        enabled: 'true'

- fail2ban_ssh_jail_name

  Most distributions already pre-configure an SSH jail. If the default SSH jail is enabled in fail2ban_jails, make sure the name corresponds with the distribution's jail.conf to leverage possible logpath and other service-specific configurations.

    fail2ban_ssh_jail_name: '{{ fail2ban_ssh_jail_distribution_map[ansible_distribution_release]
                                if ansible_distribution_release in fail2ban_ssh_jail_distribution_map.keys()
                                else "sshd" }}'

- fail2ban_ssh_jail_distribution_map

  Dictionary mapping a distribution release to the default SSH jail name.

    fail2ban_ssh_jail_distribution_map:
      'trusty': 'ssh'
      'jessie': 'ssh'

- fail2ban_group_jails

  List of dicts which define fail2ban jails. See fail2ban_jails for more details. This list is meant for specific groups of hosts in the cluster.

    fail2ban_group_jails: []

- fail2ban_host_jails

  List of dicts which define fail2ban jails. See fail2ban_jails for more details. This list is meant for specific hosts in the cluster.

    fail2ban_host_jails: []

- fail2ban_dependent_jails

  List of dicts which define fail2ban jails. See fail2ban_jails for more details. This list is meant for use by other Ansible roles.

    fail2ban_dependent_jails: []