debops.fail2ban default variables
General fail2ban configuration
- fail2ban_loglevel
Log verbosity. Valid values: CRITICAL, ERROR, WARNING, NOTICE, INFO, DEBUG. Default: WARNING
fail2ban_loglevel: 'WARNING'
- fail2ban_logtarget
Where to save logs: a file path, STDOUT, STDERR or SYSLOG
fail2ban_logtarget: '/var/log/fail2ban.log'
- fail2ban_dbpurgeage
Age in seconds at which bans should be purged from the fail2ban database (by default 86400 seconds, i.e. 24 hours)
fail2ban_dbpurgeage: '{{ (60 * 60 * 24) }}'
Default configuration for all jails
- fail2ban_ignoreip
List of IP addresses or CIDR networks which should be ignored by fail2ban
fail2ban_ignoreip: []
- fail2ban_group_ignoreip
List of IP addresses or CIDR networks which should be ignored by fail2ban in a specific Ansible inventory group.
fail2ban_group_ignoreip: []
- fail2ban_host_ignoreip
List of IP addresses or CIDR networks which should be ignored by fail2ban on specific hosts in the Ansible inventory.
fail2ban_host_ignoreip: []
- fail2ban_ignoreip_default
List of default IP addresses or CIDR networks which should be ignored by fail2ban
fail2ban_ignoreip_default: [ '127.0.0.0/8' ]
- fail2ban_findtime
Length of the window in seconds within which bad login attempts are counted towards a ban (by default 10 minutes)
fail2ban_findtime: '{{ (60 * 10) }}'
- fail2ban_maxretry
Maximum number of bad login attempts within the given findtime to trigger a ban
fail2ban_maxretry: '3'
- fail2ban_bantime
Length of time in seconds for the ban to persist (by default, 2 hours)
fail2ban_bantime: '{{ (60 * 60 * 2) }}'
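To see how the four knobs above (ignoreip, findtime, maxretry, bantime) combine, here is an added example that models fail2ban's counting over constructed sshd log lines. It is not code from the debops.fail2ban role or from fail2ban itself; the log format, the regular expression and the sample addresses are assumptions chosen to mimic a typical sshd "Failed password" line, and the role's real filter is whatever the distribution ships.

```python
"""Added example, not code from the debops.fail2ban role or from fail2ban
itself: a small model of how findtime, maxretry, bantime and ignoreip interact,
run over constructed sshd log lines so the defaults above can be checked offline.
The log format and FAILED_RE are assumptions that mimic the sshd "Failed
password" line; they are not the role's filter."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): 203.0.113.10 fails three times in
# eight seconds, 127.0.0.1 fails three times but sits in ignoreip, and
# 198.51.100.7 spreads its failures so that only the last three fall inside a
# 600 second window.
SAMPLE_LOG = """\
Mar  1 10:00:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.10 port 40001 ssh2
Mar  1 10:00:05 host sshd[102]: Failed password for root from 203.0.113.10 port 40002 ssh2
Mar  1 10:00:09 host sshd[103]: Failed password for root from 203.0.113.10 port 40003 ssh2
Mar  1 10:00:12 host sshd[104]: Failed password for root from 127.0.0.1 port 40004 ssh2
Mar  1 10:00:13 host sshd[105]: Failed password for root from 127.0.0.1 port 40005 ssh2
Mar  1 10:00:14 host sshd[106]: Failed password for root from 127.0.0.1 port 40006 ssh2
Mar  1 10:00:20 host sshd[107]: Failed password for root from 198.51.100.7 port 40007 ssh2
Mar  1 10:20:30 host sshd[108]: Failed password for root from 198.51.100.7 port 40008 ssh2
Mar  1 10:20:35 host sshd[109]: Failed password for root from 198.51.100.7 port 40009 ssh2
Mar  1 10:21:00 host sshd[110]: Failed password for root from 198.51.100.7 port 40010 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_ts(ts, year=2024):
    """Syslog timestamps carry no year; assume one so datetimes are comparable."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def is_ignored(ip, ignoreip):
    """True if ip falls inside any of the ignoreip addresses or CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def simulate(log, findtime=600, maxretry=3, bantime=7200, ignoreip=("127.0.0.0/8",)):
    """Return {ip: (ban_start, ban_end)} for every ban the parameters would trigger."""
    failures = defaultdict(deque)   # ip -> timestamps of failures still inside findtime
    bans = {}
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, now = m["ip"], parse_ts(m["ts"])
        if is_ignored(ip, ignoreip):
            continue
        if ip in bans and now < bans[ip][1]:
            continue  # still banned; the firewall would have blocked this attempt anyway
        window = failures[ip]
        window.append(now)
        # Drop failures that fell out of the findtime window (window always holds `now`).
        while (now - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = (now, now + timedelta(seconds=bantime))
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, (start, end) in simulate(SAMPLE_LOG).items():
        print(f"{ip} banned at {start:%H:%M:%S}, released at {end:%H:%M:%S}")
```

With the defaults, 203.0.113.10 is banned on its third failure and 198.51.100.7 only once three failures land inside one 600 second window; raising findtime to 3600 bans it earlier, and 127.0.0.1 is never banned unless the ignoreip list is emptied.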
- fail2ban_backend
Method which fail2ban uses to get notified about new entries in log files
fail2ban_backend: 'auto'
- fail2ban_mta
Default mail notification method
fail2ban_mta: 'sendmail'
- fail2ban_destemail
Recipient address of e-mail notifications
fail2ban_destemail: 'root@{{ ansible_domain }}'
- fail2ban_banaction
Default "response mode" to use for banning. By default, fail2ban will add IP addresses to a custom iptables recent list and REJECT connections.
fail2ban_banaction: 'iptables-xt_recent-echo-reject'
- fail2ban_protocol
Protocol type to filter in iptables: tcp, udp, icmp or all
fail2ban_protocol: 'tcp'
- fail2ban_chain
iptables chain to add the rules in
fail2ban_chain: 'INPUT'
- fail2ban_position
Position in the iptables chain at which fail2ban will add its rules.
The default is based on the firewall generated by the debops.ferm role, which at the
moment has these entries in the INPUT chain:
- Accept connections from the lo interface
- Filter ICMP floods (jump to a separate chain)
- Drop INVALID packets
- Accept ESTABLISHED and RELATED packets
- Filter SYN floods (jump to a separate chain)
The default of 6 therefore inserts the fail2ban rule directly after these five
entries, so it is evaluated before the accept rules for individual services.
Because it sits after the ESTABLISHED/RELATED accept, a ban only stops new
connections; sessions the offender already has open are not cut.
This option works only with ban actions that support it.
fail2ban_position: '6'
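A practitioner will want to confirm that the rule really landed at the intended position once a jail is running. The following added shell helper (not part of the debops.fail2ban or debops.ferm roles) reads `iptables -S INPUT` output and reports the 1-based position of the first rule belonging to a jail; the rule layout in the constructed sample mirrors the ferm ordering above and is an assumption, not captured output from a real host.

```sh
#!/bin/sh
# Added example, not part of the debops.fail2ban or debops.ferm roles.
# Prints the 1-based position of the first INPUT rule belonging to the jail
# named in $1, reading `iptables -S INPUT` output from stdin. Both the
# xt_recent style rule (--name f2b-<jail>) and the chain-jump style
# (-j f2b-<jail>) used by other banactions are recognised. Returns 1 if no
# rule for that jail is present.
f2b_rule_position() {
    jail="$1"
    pos=0
    while IFS= read -r line; do
        case "$line" in
            "-A "*) pos=$((pos + 1)) ;;   # only -A lines count; -P is the policy
            *) continue ;;
        esac
        case "$line" in
            *"f2b-$jail "*|*"f2b-$jail") printf '%s\n' "$pos"; return 0 ;;
        esac
    done
    return 1
}

# Constructed sample of `iptables -S INPUT` (an assumption, not real output)
# on a host with the ferm layout described above plus the sshd jail's
# xt_recent rule inserted at position 6.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j icmp-flood
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --syn -j syn-flood
-A INPUT -m recent --update --seconds 3600 --name f2b-sshd --rsource -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Runs the check against the constructed sample. On a real host pipe the
# live table instead:  iptables -S INPUT | f2b_rule_position sshd
sample_position() {
    printf '%s\n' "$SAMPLE_RULES" | f2b_rule_position "$1"
}
```

If the reported position is not what fail2ban_position says, the chain was most likely shorter than expected when the jail started: iptables refuses an insert index larger than the number of existing rules plus one, so a position of 6 requires at least five rules to be present before fail2ban's actionstart runs.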
- fail2ban_bantime_distribution_map
Dictionary mapping a distribution release to the default bantime used on that release.
fail2ban_bantime_distribution_map:
  'focal': "7200"
- fail2ban_action
Action performed by fail2ban when an IP address is banned. See the list of default actions in fail2ban_default_actions below.
fail2ban_action: 'action_'
- fail2ban_action_distribution_map
Dictionary mapping a distribution release to the default action used to ban IP addresses on that release.
fail2ban_action_distribution_map:
  'focal': '%(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s", position="%(position)s"]'
- fail2ban_default_actions
Dict with set of named actions to perform when a ban is executed.
fail2ban_default_actions:

  # Block an IP address in the firewall
  'action_': |
    {{ fail2ban_action_distribution_map[ansible_distribution_release]
       if ansible_distribution_release in fail2ban_action_distribution_map.keys()
       else '%(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s", position="%(position)s", bantime="%(bantime)s"]' }}

  # Block an IP address in the firewall and send a notification about the
  # offender taken from ``whois``
  'action_mw': |
    {{ fail2ban_action_distribution_map[ansible_distribution_release]
       if ansible_distribution_release in fail2ban_action_distribution_map.keys()
       else '%(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s", position="%(position)s", bantime="%(bantime)s"]' }}
    %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]

  # Block an IP address in the firewall and send a notification about the
  # offender taken from ``whois`` and relevant log entries
  'action_mwl': |
    {{ fail2ban_action_distribution_map[ansible_distribution_release]
       if ansible_distribution_release in fail2ban_action_distribution_map.keys()
       else '%(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s", position="%(position)s", bantime="%(bantime)s"]' }}
    %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
- fail2ban_custom_actions
Dict with custom set of named actions to perform when a ban is executed.
fail2ban_custom_actions: {}
- fail2ban_actions
List of dicts which define custom local fail2ban actions.
fail2ban_actions: []
- fail2ban_filters
List of dicts which define custom local fail2ban filters. See fail2ban_filters for more details.
fail2ban_filters: []
- fail2ban_usedns
Specifies whether jails should trust hostnames found in log lines. Available options are yes, warn, no and raw: with yes a hostname is resolved and the resulting address banned, warn does the same but logs a warning for each lookup, no never uses hostnames for banning, and raw uses the logged value as written without any DNS lookup. A hostname in a log line comes from a reverse DNS record under the control of whoever owns the source address, so resolving it lets that party influence which address ends up banned; the default keeps lookups but makes each one visible in the log.
fail2ban_usedns: 'warn'
List of fail2ban jails
- fail2ban_jails
List of dicts which define fail2ban jails. See fail2ban_jails for more details. This list is meant for all hosts in the cluster.
fail2ban_jails:
  - name: '{{ fail2ban_ssh_jail_name }}'
    enabled: 'true'
- fail2ban_ssh_jail_name
Most distributions already pre-configure an SSH jail. If the default SSH jail
is enabled in fail2ban_jails, make sure the name corresponds with the
distribution's jail.conf to leverage the logpath and other
service specific configuration it already provides.
fail2ban_ssh_jail_name: '{{ fail2ban_ssh_jail_distribution_map[ansible_distribution_release]
                            if ansible_distribution_release in fail2ban_ssh_jail_distribution_map.keys()
                            else "sshd" }}'
- fail2ban_ssh_jail_distribution_map
Dictionary for release to default SSH jail name mappings.
fail2ban_ssh_jail_distribution_map:
  'trusty': 'ssh'
  'jessie': 'ssh'
- fail2ban_group_jails
List of dicts which define fail2ban jails. See fail2ban_jails for more details. This list is meant for specific groups of hosts in the cluster.
fail2ban_group_jails: []
- fail2ban_host_jails
List of dicts which define fail2ban jails. See fail2ban_jails for more details. This list is meant for specific hosts in the cluster.
fail2ban_host_jails: []
- fail2ban_dependent_jails
List of dicts which define fail2ban jails. See fail2ban_jails for more details. This list is meant for use by other Ansible roles.
fail2ban_dependent_jails: []