Default variables: configuration
Some of the debops.fail2ban default variables have more extensive configuration
than simple strings or lists; here you can find documentation and examples for
them.
fail2ban_actions
List of local fail2ban actions that should be present or absent when configuring
fail2ban. Each action is defined as a YAML dict with the following keys:

name
    Required. Name of the action.
ban
    Required. Command executed when banning an IP. Take care that the command is
    executed with fail2ban user rights.
check
    Optional. Command executed once before each ban command.
filename
    Optional. Alternative name of the action configuration file.
start
    Optional. Command executed once at the start of fail2ban.
state
    Optional. If present, the action will be created when configuring fail2ban.
    If absent, the action will be removed when configuring fail2ban.
stop
    Optional. Command executed once at the end of fail2ban.
unban
    Optional. Command executed when unbanning an IP. Take care that the command is
    executed with fail2ban user rights.
fail2ban_filters
List of local fail2ban filters that should be present or absent when configuring
fail2ban. Each filter is defined as a YAML dict with the following keys:

name
    Required. Name of the filter.
after
    Optional. Specify an additional filter configuration file that fail2ban will
    read after reading this filter configuration file.
before
    Optional. Specify an additional filter configuration file that fail2ban will
    read before reading this filter configuration file.
definitions
    Optional. Custom definitions used by the filter.
failregex
    Required. A string of regular expression(s) used by the filter to detect
    break-in attempts. You can have the filter try to match multiple regular
    expressions by using the | character (the YAML literal block style
    indicator). Each regular expression should be on its own line. Refer to the
    examples section.
filename
    Optional. Alternative name of the filter configuration file. If not
    specified, the name of the filter is used.
ignoreregex
    Optional. Regular expression(s) used to filter out lines that look like
    break-in attempts but should not count as one. You can have the filter try
    to match multiple regular expressions. Each regular expression should be on
    its own line.
state
    Optional. If present, the filter will be created when configuring fail2ban.
    If absent, the filter will be removed when configuring fail2ban.

Refer to the fail2ban filter wiki for more information.
fail2ban_jails
Jails are defined in the form of dicts, where dict keys are the option names and
dict values are option values. You can specify values either as strings or as
YAML lists, in which case the elements of the list will be joined with commas.

Some keys have a special meaning:

name
    Jail name, used as a section header and as part of the filename. Required.
filename
    Alternative file name, optional.
comment
    A commented text added before the given jail.
delete
    If this option is present and True, the file which defines the given jail
    will be deleted.
ignoreip
    List of IP addresses or CIDR subnets which should be ignored by fail2ban.
action
    Name of a default or custom action which will be used by fail2ban.

Other options are the same as the normal fail2ban jail configuration options.
Refer to the default /etc/fail2ban/jail.conf or the fail2ban wiki for possible
options.
Examples:
Jails
Enable ssh jail and configure it to send mail messages about banned hosts:
fail2ban_jails:
  - name: 'ssh'
    enabled: 'true'
    action: 'action_mw'
Enable dovecot jail with custom filename and send mail notifications to
postmaster:
fail2ban_jails:
  - name: 'dovecot'
    filename: '50_dovecot'
    enabled: 'true'
    destemail: 'postmaster@{{ ansible_domain }}'
Filters
Add custom local filter web-auth with multiple failregex rules:
fail2ban_filters:
  - name: web-auth
    failregex: |
      Authentication failure for .* from <HOST>
      Failed [-/\w]+ for .* from <HOST>
      ROOT LOGIN REFUSED .* FROM <HOST>
    state: present
Add custom local filter root-auth with a single failregex rule:
fail2ban_filters:
  - name: root-auth
    failregex: 'Authentication failure for .* from <HOST>'
    state: present
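Before deploying a filter it is worth checking what it actually matches. The following is an added example (not part of the debops.fail2ban role or of fail2ban itself) that takes a fail2ban_filters entry in the shape documented above, splits the multi-line failregex and ignoreregex blocks into one expression per line, substitutes the <HOST> placeholder, and runs the result over a few constructed log lines. The HOST_RE pattern, the ignoreregex value and the sample log are assumptions made for the example; fail2ban's real <HOST> expansion is more elaborate than the stand-in used here.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> expansion (assumption for this
# example; fail2ban's own pattern also handles IPv6-mapped forms and more).
HOST_RE = r'(?P<host>\S+)'

# The web-auth filter from the examples above, plus an ignoreregex constructed
# for this example so that failures from the 10.0.0.0/24 management network
# are not counted.
WEB_AUTH_FILTER = {
    'name': 'web-auth',
    'failregex': r"""Authentication failure for .* from <HOST>
Failed [-/\w]+ for .* from <HOST>
ROOT LOGIN REFUSED .* FROM <HOST>""",
    'ignoreregex': r'Authentication failure for .* from 10\.0\.0\.\d+$',
    'state': 'present',
}

# Constructed sample log lines; addresses are documentation ranges.
SAMPLE_LOG = [
    'Authentication failure for admin from 203.0.113.7',
    'Failed password for root from 203.0.113.7',
    'ROOT LOGIN REFUSED on tty1 FROM 203.0.113.7',
    'Failed password for root from 198.51.100.22',
    'Authentication failure for admin from 10.0.0.5',   # dropped by ignoreregex
    'Authentication failure for admin from 10.0.0.5',
    'Authentication failure for admin from 10.0.0.5',
    'Accepted publickey for deploy from 203.0.113.7',   # matches no failregex
]


def _split_regex_block(value):
    """Turn a failregex/ignoreregex value (single string or YAML literal block)
    into a list of non-empty regex strings, one per line."""
    return [line.strip() for line in (value or '').splitlines() if line.strip()]


def compile_filter(filter_def):
    """Compile a fail2ban_filters dict into (failregex, ignoreregex) lists of
    compiled patterns, replacing <HOST> with a named capture group."""
    def compile_all(value):
        return [re.compile(r.replace('<HOST>', HOST_RE))
                for r in _split_regex_block(value)]
    return (compile_all(filter_def.get('failregex')),
            compile_all(filter_def.get('ignoreregex')))


def match_hosts(filter_def, lines):
    """Return the host captured for every log line that matches a failregex
    and does not match any ignoreregex, in log order (one entry per failure)."""
    fail, ignore = compile_filter(filter_def)
    hosts = []
    for line in lines:
        if any(r.search(line) for r in ignore):
            continue
        for r in fail:
            m = r.search(line)
            if m:
                hosts.append(m.group('host'))
                break   # first matching failregex wins, as in fail2ban
    return hosts


def hosts_to_ban(filter_def, lines, maxretry=3):
    """Apply a jail-style maxretry threshold to the failures found by the
    filter and return the sorted list of hosts that would be banned."""
    counts = Counter(match_hosts(filter_def, lines))
    return sorted(h for h, n in counts.items() if n >= maxretry)


if __name__ == '__main__':
    print(match_hosts(WEB_AUTH_FILTER, SAMPLE_LOG))
    print(hosts_to_ban(WEB_AUTH_FILTER, SAMPLE_LOG, maxretry=3))
```

Note that 10.0.0.5 accumulates three failures but is never banned because the ignoreregex discards those lines before they are counted; this is the difference between ignoreregex (filter level, per log line) and ignoreip (jail level, per source address). On a real host the same check is done against the installed filter with fail2ban-regex, e.g. fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/web-auth.conf.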