This role sets up fail2ban.
An apt-based system with fail2ban in a configured repository.
The role can be used in combination with the nginx role.
| Name | Required/Default | Description |
|---|---|---|
fail2ban_bantime |
3600 |
Time to ban hosts. Can be overwritten for individual jails. |
fail2ban_findtime |
600 |
If a hosts exceeds fail2ban_maxretry violations within this timeframe it will get banned. Can be overwritten for individual jails. |
fail2ban_maxretry |
3 |
Maximum violations until ban. Can be overwritten for individual jails. |
fail2ban_enabled |
False |
Whether to enable all jails by default. |
fail2ban_backend |
systemd |
Default backend used to read logs and detect violations. |
fail2ban_logencoding |
auto |
|
fail2ban_ignoreip |
["127.0.0.1/8"] |
List of IPs that must not get banned. |
fail2ban_jails is a dict where the key corresponds to the jail name and the value is an object with the following attributes:
| Name | Required/Default | Description |
|---|---|---|
ports |
✔️ | List of port numbers to check. Is only considered by certain filters. Numbers or names of well-defined ports (e.g. ssh, http, sftp) are allowed. |
logpath |
✔️ | Logfile to check. |
backend |
{{ fail2ban_backend }} |
Backend e.g. systemd or auto |
enabled |
{{ fail2ban_enabled }} |
Enables/Disables the jail. |
maxretry |
{{ fail2ban_maxretry }} |
Maximum violations until ban. |
bantime |
{{ fail2ban_bantime }} |
Time to ban hosts. |
findtime |
{{ fail2ban_findtime }} |
If a hosts exceeds fail2ban_maxretry or respectively maxretry violations within this timeframe it will get banned. |
filters |
✖️ | Name of the filter to be applied. |
action |
✖️ | Name of the action to be applied if a filter matches. |
fail2ban_jails:
wordpress:
ports: [ http, https ]
filter: wordpress
action: nginx
logpath: "%(nginx_error_log)s"
backend: "%(default_backend)s"
enabled: True
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.