Add fail2ban for traefik

Remote action coming soon
2021-03-28 13:05:31 +01:00 · 2021-03-28 13:05:31 +01:00 · 6973fb536f
commit 6973fb536f
parent 8398a2df21
17 changed files with 103 additions and 1 deletions
--- a/ansible/host_vars/casey.yml
+++ b/ansible/host_vars/casey.yml
@ -1 +1,2 @@
 nebula_is_lighthouse: true
+ssh_extra_allowed_users: f2b@{{ nebula.cidr }} f2b@{{ pve_hosts.internal_cidr }}
--- a/ansible/host_vars/pve-docker.yml
+++ b/ansible/host_vars/pve-docker.yml
@ -3,3 +3,5 @@ private_ip: "{{ pve_hosts.pve_docker.ip }}"
 traefik_provider_jellyfin: true
 traefik_provider_homeassistant: true
 traefik_provider_grafana: true
+
+with_fail2ban: true
--- a/ansible/main.yml
+++ b/ansible/main.yml
@ -8,6 +8,7 @@
  roles:
    - gateway
    - nebula
+    - fail2ban_ssh

 - hosts:
    - pve
--- a/ansible/roles/base/defaults/main.yml
+++ b/ansible/roles/base/defaults/main.yml
@ -0,0 +1 @@
+ssh_extra_allowed_users: ""
--- a/ansible/roles/base/files/sshd_config
+++ b/ansible/roles/base/files/sshd_config
@ -2,7 +2,7 @@
 # Change to a high/odd port if this server is exposed to the internet directly
 Port {{ ssh_port }}

-AllowUsers {% if ansible_hostname in pve_hosts %}{{ user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if ansible_hostname in nebula.clients %}{{ user }}@{{ nebula.cidr }}{% endif %}
+AllowUsers {% if ansible_hostname in pve_hosts %}{{ user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if ansible_hostname in nebula.clients %}{{ user }}@{{ nebula.cidr }}{% endif %} {{ ssh_extra_allowed_users }}

 # Bind to all interfaces (change to specific interface if needed)
 ListenAddress 0.0.0.0
--- a/ansible/roles/fail2ban_ssh/defaults/main.yml
+++ b/ansible/roles/fail2ban_ssh/defaults/main.yml
@ -0,0 +1 @@
+f2b_user: f2b
--- a/ansible/roles/fail2ban_ssh/files/f2b-entrypoint.sh
+++ b/ansible/roles/fail2ban_ssh/files/f2b-entrypoint.sh
@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Remove `-c` argument
+shift
+
+sudo fail2ban-client $@
--- a/ansible/roles/fail2ban_ssh/tasks/main.yml
+++ b/ansible/roles/fail2ban_ssh/tasks/main.yml
@ -0,0 +1,27 @@
+- name: Make user
+  user:
+    name: "{{ f2b_user }}"
+    comment: "{{ name }}"
+    shell: /home/{{ f2b_user }}/f2b-entrypoint.sh
+    system: false
+  become: true
+
+- name: Give user sudo access to client
+  lineinfile:
+    path: /etc/sudoers
+    line: "{{ f2b_user }} ALL=(ALL) NOPASSWD: /usr/bin/fail2ban-client"
+  become: true
+
+- name: Allow custom shell
+  lineinfile:
+    path: /etc/shells
+    line: /home/{{ f2b_user }}/f2b-entrypoint.sh
+  become: true
+
+- name: Create entrypoint
+  template:
+    src: files/f2b-entrypoint.sh
+    dest: /home/{{ f2b_user }}/f2b-entrypoint.sh
+    mode: 0755
+  become: true
+  register: sshd_config
--- a/ansible/roles/traefik/defaults/main.yml
+++ b/ansible/roles/traefik/defaults/main.yml
@ -3,3 +3,4 @@ traefik_provider_homeassistant: false
 traefik_provider_grafana: false

 with_traefik_pages: false
+with_fail2ban: false
--- a/ansible/roles/traefik/files/docker-compose.yml
+++ b/ansible/roles/traefik/files/docker-compose.yml
@ -8,5 +8,6 @@ services:
      - CF_DNS_API_TOKEN={{ cloudflare_api_token }}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - /tmp/traefik-logs:/var/log/traefik
      - ./traefik:/etc/traefik
    restart: unless-stopped
--- a/ansible/roles/traefik/files/fail2ban/traefik-filter.conf
+++ b/ansible/roles/traefik/files/fail2ban/traefik-filter.conf
@ -0,0 +1,4 @@
+[Definition]
+failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+\" .+$
+ignoreregex =
+mode = normal
--- a/ansible/roles/traefik/files/fail2ban/traefik-jail.conf
+++ b/ansible/roles/traefik/files/fail2ban/traefik-jail.conf
@ -0,0 +1,9 @@
+[traefik]
+enabled  = true
+bantime  = 6000
+findtime = 600
+maxretry = 5
+filter   = traefik
+logpath = /tmp/traefik-logs/access.log
+port     = http,https
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }}
--- a/ansible/roles/traefik/files/logrotate.conf
+++ b/ansible/roles/traefik/files/logrotate.conf
@ -0,0 +1,8 @@
+/tmp/traefik-logs/access.log {
+  daily
+  rotate 7
+  missingok
+  compress
+  nodateext
+  notifempty
+}
--- a/ansible/roles/traefik/files/traefik.yml
+++ b/ansible/roles/traefik/files/traefik.yml
@ -77,3 +77,9 @@ tls:

 pilot:
  dashboard: false
+
+accessLog:
+  filePath: "/var/log/traefik/access.log"
+  filters:
+    statusCodes:
+      - "400-600"
--- a/ansible/roles/traefik/handlers/main.yml
+++ b/ansible/roles/traefik/handlers/main.yml
@ -2,3 +2,9 @@
  shell:
    chdir: /opt/traefik
    cmd: "{{ docker_update_command }}"
+
+- name: restart fail2ban
+  service:
+    name: fail2ban
+    state: restarted
+  become: true
--- a/ansible/roles/traefik/tasks/fail2ban.yml
+++ b/ansible/roles/traefik/tasks/fail2ban.yml
@ -0,0 +1,15 @@
+- name: Create jail
+  template:
+    src: files/fail2ban/traefik-jail.conf
+    dest: /etc/fail2ban/jail.d/traefik.conf
+    mode: 0644
+  become: true
+  notify: restart fail2ban
+
+- name: Create filter
+  template:
+    src: files/fail2ban/traefik-filter.conf
+    dest: /etc/fail2ban/filter.d/traefik.conf
+    mode: 0644
+  become: true
+  notify: restart fail2ban
--- a/ansible/roles/traefik/tasks/main.yml
+++ b/ansible/roles/traefik/tasks/main.yml
@ -77,3 +77,14 @@
  notify: restart traefik
  when: traefik_provider_grafana
  become: true
+
+- name: logrotate config
+  template:
+    src: files/logrotate.conf
+    dest: /etc/logrotate.d/traefik
+    mode: "0600"
+  become: true
+
+- name: fail2ban
+  include: fail2ban.yml
+  when: with_fail2ban