From 4d218248faa8576716d079345277543a035f14f8 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Sun, 28 Mar 2021 16:06:36 +0100
Subject: [PATCH] Remotely connect to fail2ban to do ports

Traefik can affect the edge, so blocks work there and prevent traffic hitting home network.
---
 ansible/roles/gateway/files/haproxy-fail2ban-jail.conf | 10 ++++++++--
 .../roles/traefik/files/fail2ban/remote-action.conf | 6 ++++++
 ansible/roles/traefik/files/fail2ban/traefik-jail.conf | 3 ++-
 ansible/roles/traefik/tasks/fail2ban.yml | 8 ++++++++
 4 files changed, 24 insertions(+), 3 deletions(-)
 create mode 100644 ansible/roles/traefik/files/fail2ban/remote-action.conf
diff --git a/ansible/roles/gateway/files/haproxy-fail2ban-jail.conf b/ansible/roles/gateway/files/haproxy-fail2ban-jail.conf
index be58d56..6e059e7 100644
--- a/ansible/roles/gateway/files/haproxy-fail2ban-jail.conf
+++ b/ansible/roles/gateway/files/haproxy-fail2ban-jail.conf
@@ -1,10 +1,16 @@
 [haproxy]
 enabled = true
 bantime = 600
-findtime = 60
-maxretry = 15
+findtime = 10
+maxretry = 100
 filter = haproxy-basic
 backend = systemd
 journalmatch = _COMM=haproxy
 port = http,https
 ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }}
+
+[traefik]
+enabled = true
+filter = haproxy-basic # Not actually used
+port = http,https
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }}
diff --git a/ansible/roles/traefik/files/fail2ban/remote-action.conf b/ansible/roles/traefik/files/fail2ban/remote-action.conf
new file mode 100644
index 0000000..4a8ffe0
--- /dev/null
+++ b/ansible/roles/traefik/files/fail2ban/remote-action.conf
@@ -0,0 +1,6 @@
+[Definition]
+actionban = ssh -p 7743 f2b@{{ nebula.clients.casey.ip }} -i /root/.ssh/f2b/id_ed25519 set traefik banip
+actionunban = ssh -p 7743 f2b@{{ nebula.clients.casey.ip }} -i /root/.ssh/f2b/id_ed25519 set traefik unbanip
+actioncheck =
+actionstart =
+actionstop =
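Review bot: The trailing `# Not actually used` on the new `filter` line of the `[traefik]` jail most likely becomes part of the value: fail2ban's configparser-based jail reader strips inline comments only when they are introduced by `;`, so the filter name would read `haproxy-basic # Not actually used` and the jail would fail to load on the gateway. Move the remark onto its own line above the key, `# Not actually used: this jail only receives bans pushed from the traefik host`. The jail also declares neither `logpath` nor `backend`; if the inherited default backend is `auto`, fail2ban may refuse to start a jail with no log source, so it is worth confirming that `fail2ban-client status traefik` comes up on the gateway after deploy (a `backend = systemd` with a `journalmatch` that matches nothing is one way to give a ban-only jail a harmless source). The section name `traefik` here is what the traefik host's `set traefik banip` command targets, so the two files must stay in sync.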
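Review bot: As rendered, `actionban` and `actionunban` end at `banip`/`unbanip` with no `<ip>` tag, so the remote command would carry no address to ban; the `From:` header on this page has lost its angle-bracketed address the same way, so this may be a rendering artifact, but if not each line needs `set traefik banip <ip>` and `set traefik unbanip <ip>`. The ssh invocation has no batch mode or timeout, so an unreachable gateway or a missing known_hosts entry stalls or fails interactively inside fail2ban's action thread; `-o BatchMode=yes -o ConnectTimeout=10` on both lines (with the host key pre-provisioned) keeps failures prompt and visible in the fail2ban log. On the gateway side the `f2b` key should be constrained in authorized_keys with `restrict,command="..."` pointing at a wrapper that accepts only ban/unban of a syntactically valid address for the `traefik` jail, so that a compromise of the traefik host, which holds the private key, cannot run arbitrary commands as `f2b` on the edge. None of this is documented in the file; a header comment naming the remote jail and where the key and known_hosts entry are provisioned would help the next maintainer.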
diff --git a/ansible/roles/traefik/files/fail2ban/traefik-jail.conf b/ansible/roles/traefik/files/fail2ban/traefik-jail.conf
index ab6137e..9e3c0aa 100644
--- a/ansible/roles/traefik/files/fail2ban/traefik-jail.conf
+++ b/ansible/roles/traefik/files/fail2ban/traefik-jail.conf
@@ -1,9 +1,10 @@
 [traefik]
 enabled = true
 bantime = 6000
-findtime = 600
+findtime = 300
 maxretry = 5
 filter = traefik
 logpath = /tmp/traefik-logs/access.log
 port = http,https
 ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }}
+action = gateway
diff --git a/ansible/roles/traefik/tasks/fail2ban.yml b/ansible/roles/traefik/tasks/fail2ban.yml
index a767fa5..a576346 100644
--- a/ansible/roles/traefik/tasks/fail2ban.yml
+++ b/ansible/roles/traefik/tasks/fail2ban.yml
@@ -13,3 +13,11 @@
     mode: 0644
   become: true
   notify: restart fail2ban
+
+- name: Create action
+  template:
+    src: files/fail2ban/remote-action.conf
+    dest: /etc/fail2ban/action.d/gateway.conf
+    mode: 0644
+  become: true
+  notify: restart fail2ban
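Review bot: `action = gateway` replaces the jail's default action rather than adding to it, so once this ships the traefik host no longer bans locally and relies entirely on the ssh action succeeding; that matches the commit message's intent of blocking at the edge, but it leaves no fallback if the remote call fails or if the host is reachable by a path that does not traverse the gateway. If local blocking should remain, list both actions: `action = %(action_)s` followed by an indented continuation line `gateway`. Either way, a comment above the key, `# gateway = remote ssh action installed by tasks/fail2ban.yml into action.d/gateway.conf`, would save the next reader a search for where the name is defined.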
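Review bot: The new `Create action` task installs the action file but nothing in this hunk provisions what it depends on: the private key at `/root/.ssh/f2b/id_ed25519` and a known_hosts entry for the gateway's nebula address on port 7743, so the first ban on a freshly built host would fail until those exist. If they are created elsewhere in the role, a short comment on the task, `# relies on the f2b ssh key and known_hosts entry provisioned in <TASK-FILE-PLACEHOLDER>`, should say so; otherwise a `known_hosts` task next to this one would close the gap. The enclosing task list begins before this hunk.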