debops.fail2ban default variables

General fail2ban configuration

fail2ban_loglevel

Log verbosity. Valid values: CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG. Default: WARNING

fail2ban_loglevel: 'WARNING'

fail2ban_logtarget

Where to write logs: a file path, STDOUT, STDERR or SYSLOG

fail2ban_logtarget: '/var/log/fail2ban.log'

fail2ban_dbpurgeage

Age at which bans should be purged from the database (by default 86400 seconds, i.e. 24h)

fail2ban_dbpurgeage: '{{ (60 * 60 * 24) }}'

Default configuration for all jails

fail2ban_ignoreip

List of IP addresses or CIDR networks which should be ignored by fail2ban

fail2ban_ignoreip: []

fail2ban_group_ignoreip

List of IP addresses or CIDR networks which should be ignored by fail2ban in a specific Ansible inventory group.

fail2ban_group_ignoreip: []

fail2ban_host_ignoreip

List of IP addresses or CIDR networks which should be ignored by fail2ban on specific hosts in the Ansible inventory.

fail2ban_host_ignoreip: []

fail2ban_ignoreip_default

List of default IP addresses or CIDR networks which should be ignored by fail2ban

fail2ban_ignoreip_default: [ '127.0.0.0/8' ]
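As an added example (not the role's own code), the following Python resolves the four ignoreip lists above into the single space-separated value fail2ban reads from jail.local, checks addresses against it, and flags entries wide enough to disable banning altogether. It assumes the role concatenates the lists in the order default, global, group, host; all sample addresses except the page's 127.0.0.0/8 default are constructed.

```python
"""Resolve the layered ignoreip lists and test addresses against the result.

Added example for the debops.fail2ban variables; not the role's own code.
Assumption: the role concatenates the four lists in the order
default, global, group, host before writing ``ignoreip`` to jail.local.
"""
import ipaddress

# Constructed sample values (only fail2ban_ignoreip_default is the page's default).
fail2ban_ignoreip_default = ["127.0.0.0/8"]
fail2ban_ignoreip = ["203.0.113.0/24"]        # assumed global allowlist
fail2ban_group_ignoreip = ["198.51.100.10"]   # assumed group-level entry
fail2ban_host_ignoreip = ["2001:db8::/32"]    # assumed host-level entry


def effective_ignoreip(default, global_, group, host):
    """Merge the four lists and parse every entry as an IP network.

    Bare addresses become /32 or /128 networks, so the result is uniform.
    Duplicates are dropped while keeping first-seen order.
    """
    merged = []
    for entry in list(default) + list(global_) + list(group) + list(host):
        net = ipaddress.ip_network(entry, strict=False)
        if net not in merged:
            merged.append(net)
    return merged


def is_ignored(addr, networks):
    """True if ``addr`` lies inside any ignored network of the same IP version."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks if net.version == ip.version)


def too_broad(networks, min_prefix_v4=8, min_prefix_v6=32):
    """Return networks wider than the given prefix lengths.

    An ignoreip entry such as 0.0.0.0/0 silently exempts every source from
    banning, so reviewing overly wide entries is a useful sanity check.
    """
    limit = {4: min_prefix_v4, 6: min_prefix_v6}
    return [n for n in networks if n.prefixlen < limit[n.version]]


def render_ignoreip(networks):
    """Render the space-separated ``ignoreip`` value written to jail.local."""
    return " ".join(str(n) for n in networks)


if __name__ == "__main__":
    nets = effective_ignoreip(fail2ban_ignoreip_default, fail2ban_ignoreip,
                              fail2ban_group_ignoreip, fail2ban_host_ignoreip)
    print("ignoreip =", render_ignoreip(nets))
    for probe in ("127.0.0.1", "203.0.113.77", "198.51.100.11", "2001:db8::1"):
        print(probe, "ignored" if is_ignored(probe, nets) else "subject to bans")
    print("too broad:", too_broad(nets + [ipaddress.ip_network("0.0.0.0/0")]))
```

Because the four lists are simply joined, an entry added at group or host level cannot narrow what the global list already exempts; it can only add exemptions, which is why `too_broad` is worth running over the merged result rather than over each list on its own.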
fail2ban_findtime

Length of the window, in seconds, within which bad login attempts are counted towards a ban (by default, 10 minutes)

fail2ban_findtime: '{{ (60 * 10) }}'

fail2ban_maxretry

Maximum number of bad login attempts within the findtime window before a ban is triggered

fail2ban_maxretry: '3'

fail2ban_bantime

Length of time in seconds for which a ban persists (by default, 2 hours)

fail2ban_bantime: '{{ (60 * 60 * 2) }}'
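To show how findtime, maxretry and bantime interact, here is an added Python model (not fail2ban's or the role's code) that replays a constructed list of failed-login events through a sliding window using the three defaults above. It covers the basic behaviour only: no bantime escalation and a single jail.

```python
"""Replay failed-login events through a sliding window of ``findtime``
seconds, ``maxretry`` failures and ``bantime`` seconds of ban.

Added example illustrating the three role variables; it is not fail2ban
or the role's code, and it models the basic behaviour only (no bantime
escalation, a single jail).
"""
from collections import defaultdict

# Defaults as documented on this page.
FINDTIME = 60 * 10        # fail2ban_findtime: 10 minutes
MAXRETRY = 3              # fail2ban_maxretry
BANTIME = 60 * 60 * 2     # fail2ban_bantime: 2 hours

# Constructed sample (timestamp in seconds, source address).
SAMPLE_FAILURES = [
    (0, "198.51.100.7"),
    (120, "198.51.100.7"),
    (300, "198.51.100.7"),     # third failure inside 600 s -> banned at t=300
    (400, "198.51.100.7"),     # arrives while banned -> ignored
    (7600, "198.51.100.7"),    # after the 7200 s ban -> counted afresh, no ban
    (0, "203.0.113.9"),
    (700, "203.0.113.9"),      # first failure has aged out of the window
    (800, "203.0.113.9"),      # only two failures in the window -> no ban
]


def simulate(events, findtime=FINDTIME, maxretry=MAXRETRY, bantime=BANTIME):
    """Return {ip: [timestamps at which a ban was issued]}.

    A ban is issued when an address reaches ``maxretry`` failures whose
    timestamps all lie within the last ``findtime`` seconds. Failures that
    arrive during a ban are ignored; once ``bantime`` has elapsed the
    address is unbanned and its window starts empty.
    """
    window = defaultdict(list)     # ip -> recent failure timestamps
    banned_until = {}              # ip -> time at which the ban expires
    bans = defaultdict(list)
    for ts, ip in sorted(events):
        if ip in banned_until:
            if ts < banned_until[ip]:
                continue
            del banned_until[ip]   # ban has expired
        recent = [t for t in window[ip] if ts - t <= findtime]
        recent.append(ts)
        if len(recent) >= maxretry:
            bans[ip].append(ts)
            banned_until[ip] = ts + bantime
            recent = []
        window[ip] = recent
    return dict(bans)


if __name__ == "__main__":
    print("defaults:        ", simulate(SAMPLE_FAILURES))
    print("findtime=1000 s: ", simulate(SAMPLE_FAILURES, findtime=1000))
    print("maxretry=5:      ", simulate(SAMPLE_FAILURES, maxretry=5))
```

Re-running the sample with a longer findtime shows the trade-off directly: 203.0.113.9 is never banned under the defaults because its failures are spread over more than 10 minutes, but a 1000-second window catches it. A slow attacker is only caught by a wider window, which in turn raises the chance that legitimate users with occasional typos accumulate enough failures.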
fail2ban_backend

Method which fail2ban uses to get notified about new entries in log files

fail2ban_backend: 'auto'

fail2ban_mta

Default mail notification method

fail2ban_mta: 'sendmail'

fail2ban_destemail

Recipient address of e-mail notifications

fail2ban_destemail: 'root@{{ ansible_domain }}'

fail2ban_banaction

Default "response mode" to use for banning. By default, fail2ban adds IP addresses to a custom iptables xt_recent list and REJECTs their connections.

fail2ban_banaction: 'iptables-xt_recent-echo-reject'

fail2ban_protocol

Protocol type to filter in iptables: tcp, udp, icmp, all

fail2ban_protocol: 'tcp'

fail2ban_chain

iptables chain to add the rules to

fail2ban_chain: 'INPUT'
fail2ban_position

Position in the iptables chain at which fail2ban will add its rules. The default is based on the firewall generated by the debops.ferm role, which at the moment has these entries in the INPUT chain:

  1. Accept connections from the lo interface

  2. Filter ICMP floods (jump to a separate chain)

  3. Drop INVALID packets

  4. Accept ESTABLISHED and RELATED packets

  5. Filter SYN floods (jump to a separate chain)

This option works only with ban actions that support it.

fail2ban_position: '6'
fail2ban_bantime_distribution_map

Dictionary mapping a distribution release to the default bantime used for banning IPs

fail2ban_bantime_distribution_map:
  'focal': "7200"

fail2ban_action

Action performed by fail2ban when an IP address is banned. See the list of default actions below.

fail2ban_action: 'action_'

fail2ban_action_distribution_map

Dictionary mapping a distribution release to the default action used for banning IPs

fail2ban_action_distribution_map:
  'focal': '%(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s", position="%(position)s"]'
fail2ban_default_actions

Dict with set of named actions to perform when a ban is executed.

fail2ban_default_actions:

  # Block an IP address in the firewall
  'action_': |
    {{ fail2ban_action_distribution_map[ansible_distribution_release]
    if ansible_distribution_release in fail2ban_action_distribution_map.keys()
    else '%(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s", position="%(position)s", bantime="%(bantime)s"]' }}

  # Block an IP address in the firewall and send a notification about the
  # offender taken from ``whois``
  'action_mw': |
    {{ fail2ban_action_distribution_map[ansible_distribution_release]
    if ansible_distribution_release in fail2ban_action_distribution_map.keys()
    else '%(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s", position="%(position)s", bantime="%(bantime)s"]' }}
    %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

  # Block an IP address in the firewall and send a notification about the
  # offender taken from ``whois`` and relevant log entries
  'action_mwl': |
    {{ fail2ban_action_distribution_map[ansible_distribution_release]
    if ansible_distribution_release in fail2ban_action_distribution_map.keys()
    else '%(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s", position="%(position)s", bantime="%(bantime)s"]' }}
    %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
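The templates above are only meaningful once fail2ban substitutes the %(name)s placeholders with the jail's values. The following added Python example (not the role's or fail2ban's code) copies the fallback templates from fail2ban_default_actions, fills them from the role defaults on this page plus a constructed jail context (name, port, logpath and the destination domain are assumed), lists which variables each template needs, and refuses to expand a template whose variables are not all defined. It imitates fail2ban's substitution with Python's ``%`` operator, which is a simplification of fail2ban's own interpolation.

```python
"""Expand the action templates from ``fail2ban_default_actions`` into the
concrete action lines fail2ban would use for one jail.

Added example, not part of the role; it imitates fail2ban's %(name)s
substitution with Python's ``%`` operator and a per-jail dictionary. The
jail values (name, port, logpath, destination domain) are constructed.
"""
import re

# Fallback templates copied from fail2ban_default_actions (the branch used
# when the release is not listed in fail2ban_action_distribution_map).
ACTION_ = ('%(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", '
           'chain="%(chain)s", position="%(position)s", bantime="%(bantime)s"]')
ACTION_MW = ACTION_ + ('\n%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", '
                       'protocol="%(protocol)s", chain="%(chain)s"]')
ACTION_MWL = ACTION_ + ('\n%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", '
                        'logpath=%(logpath)s, chain="%(chain)s"]')

# Role defaults from this page; the destemail domain is a constructed value.
ROLE_DEFAULTS = {
    "banaction": "iptables-xt_recent-echo-reject",
    "protocol": "tcp",
    "chain": "INPUT",
    "position": "6",
    "bantime": str(60 * 60 * 2),
    "mta": "sendmail",
    "destemail": "root@example.com",
}


def required_keys(template):
    """Names referenced as %(name)s in a template, in order of first use."""
    seen = []
    for key in re.findall(r"%\((\w+)\)s", template):
        if key not in seen:
            seen.append(key)
    return seen


def jail_context(name, port, logpath, **overrides):
    """Build the substitution dict for one jail: role defaults, then jail values."""
    ctx = dict(ROLE_DEFAULTS)
    ctx.update({"__name__": name, "port": port, "logpath": logpath})
    ctx.update(overrides)   # e.g. a per-jail bantime
    return ctx


def expand_action(template, ctx):
    """Return the fully substituted action lines, one per configured action."""
    missing = [k for k in required_keys(template) if k not in ctx]
    if missing:
        raise KeyError("unresolved action variables: " + ", ".join(missing))
    return (template % ctx).splitlines()


if __name__ == "__main__":
    ctx = jail_context("sshd", "ssh", "/var/log/auth.log")
    for label, tpl in (("action_", ACTION_), ("action_mw", ACTION_MW), ("action_mwl", ACTION_MWL)):
        print(f"[{label}] needs {required_keys(tpl)}")
        for line in expand_action(tpl, ctx):
            print("   ", line)
```

Running `required_keys` over the action_mw and action_mwl templates makes visible that they depend on mta, destemail and (for action_mwl) logpath in addition to the firewall variables, so switching fail2ban_action to one of them without a working fail2ban_mta and fail2ban_destemail produces an action fail2ban cannot complete.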

fail2ban_custom_actions

Dict with a custom set of named actions to perform when a ban is executed.

fail2ban_custom_actions: {}

fail2ban_actions

List of dicts which define custom local fail2ban actions.

fail2ban_actions: []

fail2ban_filters

List of dicts which define custom local fail2ban filters. See fail2ban_filters for more details.

fail2ban_filters: []

fail2ban_usedns

Specifies if jails should trust hostnames in logs. Available options are yes, warn, no and raw.

fail2ban_usedns: 'warn'

List of fail2ban jails

fail2ban_jails

List of dicts which define fail2ban jails. See fail2ban_jails for more details. This list is meant for all hosts in the cluster.

fail2ban_jails:
  - name: '{{ fail2ban_ssh_jail_name }}'
    enabled: 'true'

fail2ban_ssh_jail_name

Most distributions already pre-configure an SSH jail. If the default SSH jail is enabled in fail2ban_jails, make sure the name corresponds with the distribution's jail.conf to leverage its logpath and other service-specific configuration.

fail2ban_ssh_jail_name: '{{ fail2ban_ssh_jail_distribution_map[ansible_distribution_release]
                            if ansible_distribution_release in fail2ban_ssh_jail_distribution_map.keys()
                            else "sshd" }}'

fail2ban_ssh_jail_distribution_map

Dictionary mapping a distribution release to the default SSH jail name.

fail2ban_ssh_jail_distribution_map:
  'trusty': 'ssh'
  'jessie': 'ssh'

fail2ban_group_jails

List of dicts which define fail2ban jails. See fail2ban_jails for more details. This list is meant for specific groups of hosts in the cluster.

fail2ban_group_jails: []

fail2ban_host_jails

List of dicts which define fail2ban jails. See fail2ban_jails for more details. This list is meant for specific hosts in the cluster.

fail2ban_host_jails: []

fail2ban_dependent_jails

List of dicts which define fail2ban jails. See fail2ban_jails for more details. This list is meant for use by other Ansible roles.

fail2ban_dependent_jails: []