Default variables: configuration
some of debops.fail2ban
default variables have more extensive configuration
than simple strings or lists, here you can find documentation and examples for
them.
fail2ban_actions
List of local fail2ban
actions that should be present or absent when configuring
fail2ban
. Each action is defined as a YAML dict with the following keys:
name
Required. Name of the filter.
ban
Required. Command executed when banning an IP. Take care that the command is executed with
fail2ban
user rights.check
Optional. Command executed once before each
ban
command.filename
Optional. Alternative name of the action configuration file.
start
Optional. Command executed once at the start of
fail2ban
.state
Optional. If
present
, the action will be created when configuringfail2ban
. Ifabsent
, the action will be removed when configuringfail2ban
.stop
Optional. Command executed once at the end of
fail2ban
.unban
Optional. Command executed when unbanning an IP. Take care that the command is executed with
fail2ban
user rights.
fail2ban_filters
List of local fail2ban
filters that should be present or absent when configuring
fail2ban
. Each filter is defined as a YAML dict with the following keys:
name
Required. Name of the filter.
after
Optional. Specify an additional filter configuration file that
fail2ban
will read after reading this filter configuration filer.before
Optional. Specify an additional filter configuration file that
fail2ban
will read before reading this filter configuration file.definitions
Optional. Custom definitions used by the filter.
failregex
Required. A string of regular expression(s) used by the filter to detect break-in attempts. You can have the filter try to match multiple regular expressions by using the
|
character (the YAML literal style operator). Each regular expression should be on its own line. Refer to the examples section.filename
Optional. Alternative name of the filter configuration file. If not specified, it will use the
name
of the filter.ignoreregex
Optional. Regular expression(s) used to filter out invalid break-in attempts. You can have the filter try to match multiple regular expressions. Each regular expression should be on its own line.
state
Optional. If
present
, the filter will be created when configuringfail2ban
. Ifabsent
, the filter will be removed when configuringfail2ban
.
Refer to the fail2ban
filter wiki for more information.
fail2ban_jails
Jails are defined in the form of dicts, where dict keys are the option names and dict values are option values. You can specify values either as strings or YAML lists, in which case elements of the list will be separated by commas.
Some keys have a special meaning:
name
Jail name, used as a section header and part of the filename. Required.
filename
Alternative file name, optional.
comment
A commented text added before the given jail
delete
If this option is present and
True
, file which defines a given jail will be deletedignoreip
List of IP addresses or CIDR subnets which should be ignored by
fail2ban
action
It should be a name of a default or custom action, which will be used by
fail2ban
Other options are the same as normal fail2ban
jail configuration options.
Refer to default /etc/fail2ban/jail.conf
or fail2ban wiki for possible
options.
Examples:
Jails
Enable ssh
jail and configure it to send mail messages about banned hosts:
fail2ban_jails:
- name: 'ssh'
enabled: 'true'
action: 'action_mw'
Enable dovecot
jail with custom filename and send mail notifications to
postmaster:
fail2ban_jails:
- name: 'dovecot'
filename: '50_dovecot'
enabled: 'true'
destemail: 'postmaster@{{ ansible_domain }}'
Filters
Add custom local filter web-auth
with multiple failregex
rules:
fail2ban_filters:
- name: web-auth
failregex: |
Authentication failure for .* from <HOST>
Failed [-/\w]+ for .* from <HOST>
ROOT LOGIN REFUSED .* FROM <HOST>
state: present
Add custom local filter root-auth
with a single failregex
rule:
fail2ban_filters:
- name: root-auth
failregex: 'Authentication failure for .* from <HOST>'
state: present