Add fail2ban for traefik

Remote action coming soon
This commit is contained in:
Jake Howard 2021-03-28 13:05:31 +01:00
parent 8398a2df21
commit 6973fb536f
Signed by: jake
GPG key ID: 57AFB45680EDD477
17 changed files with 103 additions and 1 deletions


@ -1 +1,2 @@
nebula_is_lighthouse: true nebula_is_lighthouse: true
ssh_extra_allowed_users: f2b@{{ nebula.cidr }} f2b@{{ pve_hosts.internal_cidr }}
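Review bot: `f2b@{{ nebula.cidr }} f2b@{{ pve_hosts.internal_cidr }}` opens the f2b account to every host on both networks, although the only consumer of it in this commit appears to be the Docker host that runs traefik (`pve_hosts.pve_docker.ip` is referenced elsewhere in the same commit). If that is the sole caller, narrowing the pattern to that address, e.g. `ssh_extra_allowed_users: "f2b@{{ pve_hosts.pve_docker.ip }}"`, keeps the sudo-backed account reachable from one machine instead of two CIDRs. Quoting the value is also the usual Ansible convention for scalars containing Jinja, even though this one parses correctly unquoted because the template is not at the start of the value.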


@ -3,3 +3,5 @@ private_ip: "{{ pve_hosts.pve_docker.ip }}"
traefik_provider_jellyfin: true traefik_provider_jellyfin: true
traefik_provider_homeassistant: true traefik_provider_homeassistant: true
traefik_provider_grafana: true traefik_provider_grafana: true
with_fail2ban: true


@ -8,6 +8,7 @@
roles: roles:
- gateway - gateway
- nebula - nebula
- fail2ban_ssh
- hosts: - hosts:
- pve - pve


@ -0,0 +1 @@
ssh_extra_allowed_users: ""


@ -2,7 +2,7 @@
# Change to a high/odd port if this server is exposed to the internet directly # Change to a high/odd port if this server is exposed to the internet directly
Port {{ ssh_port }} Port {{ ssh_port }}
AllowUsers {% if ansible_hostname in pve_hosts %}{{ user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if ansible_hostname in nebula.clients %}{{ user }}@{{ nebula.cidr }}{% endif %} AllowUsers {% if ansible_hostname in pve_hosts %}{{ user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if ansible_hostname in nebula.clients %}{{ user }}@{{ nebula.cidr }}{% endif %} {{ ssh_extra_allowed_users }}
# Bind to all interfaces (change to specific interface if needed) # Bind to all interfaces (change to specific interface if needed)
ListenAddress 0.0.0.0 ListenAddress 0.0.0.0


@ -0,0 +1 @@
f2b_user: f2b


@ -0,0 +1,8 @@
#!/usr/bin/env bash
set -e
# Remove `-c` argument
shift
sudo fail2ban-client $@
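Review bot: `sudo fail2ban-client $@` forwards whatever arrived over SSH, unquoted, to a NOPASSWD sudo rule, so a login as the f2b account is equivalent to unrestricted fail2ban-client access; since fail2ban-client can reconfigure jails and actions that the daemon executes as root, the entrypoint should only pass through the subcommands the planned remote action needs. The script also does not check that `$1` is actually `-c` before the `shift`, and the unquoted `$@` applies word splitting and glob expansion to the command string sshd hands over. Splitting the `-c` argument deliberately and allow-listing the first word closes both gaps; the allow-list below is a constructed example, to be narrowed to the exact subcommands once the remote action exists. Restricting the argument pattern in the sudoers line would be the second layer, since this script is replaceable by the account that runs it.
```shell
#!/usr/bin/env bash
set -euo pipefail
# sshd runs the login shell as `<shell> -c "<command>"`; refuse anything else
if [ "$#" -ne 2 ] || [ "$1" != "-c" ]; then
  echo "f2b-entrypoint: interactive use not permitted" >&2
  exit 1
fi
# Split the command string ourselves instead of relying on unquoted $@
read -r -a args <<< "$2"
# Allow-list of fail2ban-client subcommands (constructed example — adjust to the remote action)
case "${args[0]:-}" in
  status) ;;
  *) echo "f2b-entrypoint: refused: ${args[0]:-<none>}" >&2; exit 1 ;;
esac
sudo fail2ban-client "${args[@]}"
```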


@ -0,0 +1,27 @@
- name: Make user
user:
name: "{{ f2b_user }}"
comment: "{{ name }}"
shell: /home/{{ f2b_user }}/f2b-entrypoint.sh
system: false
become: true
- name: Give user sudo access to client
lineinfile:
path: /etc/sudoers
line: "{{ f2b_user }} ALL=(ALL) NOPASSWD: /usr/bin/fail2ban-client"
become: true
- name: Allow custom shell
lineinfile:
path: /etc/shells
line: /home/{{ f2b_user }}/f2b-entrypoint.sh
become: true
- name: Create entrypoint
template:
src: files/f2b-entrypoint.sh
dest: /home/{{ f2b_user }}/f2b-entrypoint.sh
mode: 0755
become: true
register: sshd_config
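Review bot: The "Give user sudo access to client" task edits `/etc/sudoers` in place with `lineinfile` and no `validate:`, so a typo in the rendered line leaves the host with a broken sudoers file and no working sudo. Add `validate: /usr/sbin/visudo -cf %s` to that task, or better write the rule to its own drop-in with `path: /etc/sudoers.d/{{ f2b_user }}`, `mode: "0440"` and the same validate. The rule itself permits any argument to `/usr/bin/fail2ban-client`, which is the effective privilege boundary for this account; the entrypoint script installed two tasks later lives in a directory the account owns and so cannot be relied on to restrict it. `register: sshd_config` on the "Create entrypoint" task looks like a copy-paste leftover — nothing in this hunk reads it and the name does not match the task — so drop it or rename it.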


@ -3,3 +3,4 @@ traefik_provider_homeassistant: false
traefik_provider_grafana: false traefik_provider_grafana: false
with_traefik_pages: false with_traefik_pages: false
with_fail2ban: false


@ -8,5 +8,6 @@ services:
- CF_DNS_API_TOKEN={{ cloudflare_api_token }} - CF_DNS_API_TOKEN={{ cloudflare_api_token }}
volumes: volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro - /var/run/docker.sock:/var/run/docker.sock:ro
- /tmp/traefik-logs:/var/log/traefik
- ./traefik:/etc/traefik - ./traefik:/etc/traefik
restart: unless-stopped restart: unless-stopped
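Review bot: `- /tmp/traefik-logs:/var/log/traefik` puts the access log that fail2ban and logrotate depend on under `/tmp`, which on most systems is world-writable, periodically cleaned (systemd-tmpfiles ages out `/tmp` entries) and sometimes a tmpfs that is lost on reboot, so the evidence trail can silently disappear or be interfered with by any local user. A dedicated root-owned directory such as `/var/log/traefik` on the host (`- /var/log/traefik:/var/log/traefik`) avoids all of that. The same path is hard-coded in the jail's `logpath` and in the logrotate config added in this commit, so all three need to change together.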


@ -0,0 +1,4 @@
[Definition]
failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+\" .+$
ignoreregex =
mode = normal
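Review bot: `failregex` only matches `GET|POST|HEAD`, so requests using any other method (PUT, DELETE, PATCH, OPTIONS, …) that traefik logs with an error status never count towards a ban; `"\S+ [^"]*"` in place of `\"(GET|POST|HEAD) .+\"` treats every method alike (the `\-` and `\"` escapes are also unnecessary in a Python regex). Because the regex contains no status-code check, the filter relies entirely on traefik's `accessLog.filters.statusCodes` to pre-filter the log — worth recording in the file, e.g. `# matches every logged request: traefik's accessLog filter already restricts access.log to error responses`. As far as I can tell `mode = normal` under `[Definition]` has no effect unless the filter defines mode-dependent regexes, so it could be dropped.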


@ -0,0 +1,9 @@
[traefik]
enabled = true
bantime = 6000
findtime = 600
maxretry = 5
filter = traefik
logpath = /tmp/traefik-logs/access.log
port = http,https
ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }}
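Review bot: The jail specifies `port = http,https` but no `chain` or `banaction`, so the default iptables action inserts rules into the INPUT chain; traffic to ports published by the traefik container is DNAT'd and handled in the FORWARD path, so such bans would most likely not block anything unless the host firewall is arranged differently (which this commit does not show). Adding `chain = DOCKER-USER` to the jail directs the ban rules into the chain Docker reserves for user rules. `logpath = /tmp/traefik-logs/access.log` shares the `/tmp` concern raised on the compose file.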


@ -0,0 +1,8 @@
/tmp/traefik-logs/access.log {
daily
rotate 7
missingok
compress
nodateext
notifempty
}
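Review bot: The rotation has neither `copytruncate` nor a `postrotate` step, so after the rename the traefik container keeps writing to the rotated file through its open descriptor and no new `access.log` appears until traefik restarts — leaving fail2ban watching a file that is missing or stale. Traefik reopens its log files on SIGUSR1, but since the container name is not part of this commit the simplest fix is to add `copytruncate` to the stanza; fail2ban copes with a truncated file. The `/tmp` path is the same issue noted on the compose file.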


@ -77,3 +77,9 @@ tls:
pilot: pilot:
dashboard: false dashboard: false
accessLog:
filePath: "/var/log/traefik/access.log"
filters:
statusCodes:
- "400-600"
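Review bot: `- "400-600"` writes 5xx responses into the log that the fail2ban filter matches line-for-line, so during a backend outage every visitor who reloads five times within `findtime` gets banned for the outage itself rather than for anything they did. Restricting the filter to client errors, e.g. `- "400-499"`, or to the specific codes the ban is meant for, avoids that; 600 is not a status code, so the upper bound is harmless but misleading. Note also that logging only error responses limits what the access log can tell you after an incident — if that is a deliberate trade-off, a short comment above `accessLog:` saying so would help the next reader.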


@ -2,3 +2,9 @@
shell: shell:
chdir: /opt/traefik chdir: /opt/traefik
cmd: "{{ docker_update_command }}" cmd: "{{ docker_update_command }}"
- name: restart fail2ban
service:
name: fail2ban
state: restarted
become: true


@ -0,0 +1,15 @@
- name: Create jail
template:
src: files/fail2ban/traefik-jail.conf
dest: /etc/fail2ban/jail.d/traefik.conf
mode: 0644
become: true
notify: restart fail2ban
- name: Create filter
template:
src: files/fail2ban/traefik-filter.conf
dest: /etc/fail2ban/filter.d/traefik.conf
mode: 0644
become: true
notify: restart fail2ban
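Review bot: Both template tasks write `mode: 0644` as an unquoted octal literal while the logrotate task added elsewhere in this commit uses the quoted form `"0600"`; Ansible's YAML 1.1 loader accepts the leading-zero integer, but a YAML 1.2 tool reads it as decimal 644, so the quoted form `mode: "0644"` is safer and keeps the commit consistent with itself. The jail template this task installs references `wireguard.cidr`, `nebula.cidr` and `pve_hosts.internal_cidr`; a one-line comment on the "Create jail" task naming those as required inventory variables would save a failed template render for anyone reusing the role.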


@ -77,3 +77,14 @@
notify: restart traefik notify: restart traefik
when: traefik_provider_grafana when: traefik_provider_grafana
become: true become: true
- name: logrotate config
template:
src: files/logrotate.conf
dest: /etc/logrotate.d/traefik
mode: "0600"
become: true
- name: fail2ban
include: fail2ban.yml
when: with_fail2ban
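Review bot: `include: fail2ban.yml` uses the long-deprecated bare `include` action; `include_tasks: fail2ban.yml` (dynamic) or `import_tasks: fail2ban.yml` (static) is the current form, and with `include_tasks` the `when: with_fail2ban` guard is evaluated once for the whole file, which is what this task appears to want. `mode: "0600"` on the logrotate drop-in works because logrotate runs as root, but the rest of `/etc/logrotate.d` is conventionally world-readable; either is fine, a comment stating the choice would stop it looking accidental.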