Add fail2ban for traefik
Remote action coming soon
This commit is contained in:
parent
8398a2df21
commit
6973fb536f
17 changed files with 103 additions and 1 deletions
|
@ -1 +1,2 @@
|
||||||
nebula_is_lighthouse: true
|
nebula_is_lighthouse: true
|
||||||
|
ssh_extra_allowed_users: f2b@{{ nebula.cidr }} f2b@{{ pve_hosts.internal_cidr }}
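Review bot: `ssh_extra_allowed_users` carries Jinja expressions as a plain scalar; it parses only because the value happens to start with `f2b@`, and one reordering away it would hit the `{{` flow-mapping trap, so the conventional form is the quoted one: `ssh_extra_allowed_users: "f2b@{{ nebula.cidr }} f2b@{{ pve_hosts.internal_cidr }}"`. A one-line comment above it saying that these entries admit the fail2ban unban account from exactly the two overlay networks would also make the host var self-explanatory, since nothing in this file says why `f2b` appears here.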
|
||||||
|
|
|
@ -3,3 +3,5 @@ private_ip: "{{ pve_hosts.pve_docker.ip }}"
|
||||||
traefik_provider_jellyfin: true
|
traefik_provider_jellyfin: true
|
||||||
traefik_provider_homeassistant: true
|
traefik_provider_homeassistant: true
|
||||||
traefik_provider_grafana: true
|
traefik_provider_grafana: true
|
||||||
|
|
||||||
|
with_fail2ban: true
|
||||||
|
|
|
@ -8,6 +8,7 @@
|
||||||
roles:
|
roles:
|
||||||
- gateway
|
- gateway
|
||||||
- nebula
|
- nebula
|
||||||
|
- fail2ban_ssh
|
||||||
|
|
||||||
- hosts:
|
- hosts:
|
||||||
- pve
|
- pve
|
||||||
|
|
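--- a/ansible/roles/base/defaults/main.yml
+++ b/ansible/roles/base/defaults/main.yml
@@ -0,0 +1 @@
+ssh_extra_allowed_users: ""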
|
@ -2,7 +2,7 @@
|
||||||
# Change to a high/odd port if this server is exposed to the internet directly
|
# Change to a high/odd port if this server is exposed to the internet directly
|
||||||
Port {{ ssh_port }}
|
Port {{ ssh_port }}
|
||||||
|
|
||||||
AllowUsers {% if ansible_hostname in pve_hosts %}{{ user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if ansible_hostname in nebula.clients %}{{ user }}@{{ nebula.cidr }}{% endif %}
|
AllowUsers {% if ansible_hostname in pve_hosts %}{{ user }}@{{ pve_hosts.internal_cidr }}{% endif %} {% if ansible_hostname in nebula.clients %}{{ user }}@{{ nebula.cidr }}{% endif %} {{ ssh_extra_allowed_users }}
|
||||||
|
|
||||||
# Bind to all interfaces (change to specific interface if needed)
|
# Bind to all interfaces (change to specific interface if needed)
|
||||||
ListenAddress 0.0.0.0
|
ListenAddress 0.0.0.0
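Review bot: `{{ ssh_extra_allowed_users }}` is appended to `AllowUsers` with no check on its content, so a typo in a host var (or a value that is not `user@host`) renders an invalid directive; whichever task writes this template should pass the result through `validate: /usr/sbin/sshd -t -f %s` so a broken line cannot lock the host out — that task is outside this hunk and may already do so. With the `""` default the line now ends in a trailing space, which sshd tolerates, but wrapping the addition in `{% if ssh_extra_allowed_users %} {{ ssh_extra_allowed_users }}{% endif %}` keeps the rendered file tidy. Since this directive is the only place the `f2b` account is admitted over SSH, a comment above it recording that the extra entries come from host vars for the fail2ban entrypoint user would help the next reader.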
|
||||||
|
|
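--- a/ansible/roles/fail2ban_ssh/defaults/main.yml
+++ b/ansible/roles/fail2ban_ssh/defaults/main.yml
@@ -0,0 +1 @@
+f2b_user: f2b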
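--- a/ansible/roles/fail2ban_ssh/files/f2b-entrypoint.sh
+++ b/ansible/roles/fail2ban_ssh/files/f2b-entrypoint.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+set -e
+
+# Remove `-c` argument
+shift
+
+sudo fail2ban-client $@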
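Review bot: `sudo fail2ban-client $@` forwards whatever the remote `f2b` user typed, relying on unquoted word-splitting of the single `-c` string sshd hands over, so this forced shell is effectively a pass-through to a root-run binary with `set -e` adding no filtering, and glob characters in the string also expand against the current directory. A forced shell should instead check that it was invoked with `-c`, split the command line explicitly, and forward only the subcommands this account exists for (`status`, `set <jail> banip`, `set <jail> unbanip`) before calling sudo, as sketched below. The `# Remove \`-c\` argument` comment assumes `$1` is `-c` but never verifies it; an interactive login (no arguments) currently fails only because `shift` errors under `set -e`, which is worth stating or replacing with an explicit check.
```shell
#!/usr/bin/env bash
set -euo pipefail

# sshd runs a forced shell as: <shell> -c "<command line>"; refuse anything else
[ "${1:-}" = "-c" ] && [ $# -eq 2 ] || { echo "forced shell: command required" >&2; exit 1; }
read -ra words <<< "$2"

# only forward the ban-management subcommands this account exists for
case "${words[0]:-} ${words[2]:-}" in
  "status "*|"set banip"|"set unbanip") ;;
  *) echo "forced shell: not allowed" >&2; exit 1 ;;
esac

sudo fail2ban-client "${words[@]}"
```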
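--- a/ansible/roles/fail2ban_ssh/tasks/main.yml
+++ b/ansible/roles/fail2ban_ssh/tasks/main.yml
@@ -0,0 +1,27 @@
+- name: Make user
+user:
+name: "{{ f2b_user }}"
+comment: "{{ name }}"
+shell: /home/{{ f2b_user }}/f2b-entrypoint.sh
+system: false
+become: true
+
+- name: Give user sudo access to client
+lineinfile:
+path: /etc/sudoers
+line: "{{ f2b_user }} ALL=(ALL) NOPASSWD: /usr/bin/fail2ban-client"
+become: true
+
+- name: Allow custom shell
+lineinfile:
+path: /etc/shells
+line: /home/{{ f2b_user }}/f2b-entrypoint.sh
+become: true
+
+- name: Create entrypoint
+template:
+src: files/f2b-entrypoint.sh
+dest: /home/{{ f2b_user }}/f2b-entrypoint.sh
+mode: 0755
+become: true
+register: sshd_config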
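Review bot: The `Give user sudo access to client` task edits `/etc/sudoers` in place with no `validate:`, and a malformed line there breaks sudo for every account on the host; the task should carry `validate: /usr/sbin/visudo -cf %s` or, better, write the rule to its own file under `/etc/sudoers.d/` with mode `"0440"`. Separately, `NOPASSWD: /usr/bin/fail2ban-client` with no argument restriction grants more than ban management — fail2ban-client can also define and trigger jail actions, which the fail2ban daemon executes as root — so the entrypoint that fronts this rule needs to allow-list the subcommands it forwards rather than passing everything through. The entrypoint is installed under `/home/{{ f2b_user }}`, a directory the account owns and can rename or replace files in; a root-owned path such as `/usr/local/bin/f2b-entrypoint.sh` keeps the forced shell under the administrator's control, and `copy:` rather than `template:` is the right module for a static script from `files/` (any future `{{` in the script would otherwise be rendered by Jinja). `register: sshd_config` on the last task looks like a leftover from the sshd role — nothing on this page reads it — and `comment: "{{ name }}"` refers to a variable not defined in this role, so it is worth confirming where `name` comes from.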
|
@ -3,3 +3,4 @@ traefik_provider_homeassistant: false
|
||||||
traefik_provider_grafana: false
|
traefik_provider_grafana: false
|
||||||
|
|
||||||
with_traefik_pages: false
|
with_traefik_pages: false
|
||||||
|
with_fail2ban: false
|
||||||
|
|
|
@ -8,5 +8,6 @@ services:
|
||||||
- CF_DNS_API_TOKEN={{ cloudflare_api_token }}
|
- CF_DNS_API_TOKEN={{ cloudflare_api_token }}
|
||||||
volumes:
|
volumes:
|
||||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
- /var/run/docker.sock:/var/run/docker.sock:ro
|
||||||
|
- /tmp/traefik-logs:/var/log/traefik
|
||||||
- ./traefik:/etc/traefik
|
- ./traefik:/etc/traefik
|
||||||
restart: unless-stopped
|
restart: unless-stopped
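Review bot: `/tmp/traefik-logs` on the host is a world-writable location: any local user can create that directory, or put a symlink in its place, before the container starts, and Traefik — running as root in the container — will then write the access log wherever it points; on distributions where `/tmp` is a tmpfs the log, and fail2ban's view of it, also vanishes on reboot. A dedicated host directory such as `/var/log/traefik` (or a `logs` directory next to the existing `./traefik` bind mount) created root-owned by a `file:` task is the safer mount, with `logpath` in `traefik-jail.conf` and the path in `logrotate.conf` updated to match.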
|
||||||
|
|
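--- a/ansible/roles/traefik/files/fail2ban/traefik-filter.conf
+++ b/ansible/roles/traefik/files/fail2ban/traefik-filter.conf
@@ -0,0 +1,4 @@
+[Definition]
+failregex = ^<HOST> \- \S+ \[\] \"(GET|POST|HEAD) .+\" .+$
+ignoreregex =
+mode = normal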
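Review bot: The `failregex` never looks at the status field, so what counts as a failure is decided entirely by the `accessLog.filters.statusCodes` setting in Traefik's own config; a comment in the filter saying so would spare the next reader from correlating two files, e.g. `# every line in this log is already a 4xx/5xx (accessLog.filters in traefik.yml); any request line is a hit`. The method group `(GET|POST|HEAD)` means failed PUT, DELETE, PATCH and OPTIONS requests are never counted — widen it to `\S+` unless that exclusion is intended. `mode = normal` sits under `[Definition]`, whereas fail2ban's stock filters declare `mode` under `[Init]`; confirm it is honoured there or drop it.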
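--- a/ansible/roles/traefik/files/fail2ban/traefik-jail.conf
+++ b/ansible/roles/traefik/files/fail2ban/traefik-jail.conf
@@ -0,0 +1,9 @@
+[traefik]
+enabled = true
+bantime = 6000
+findtime = 600
+maxretry = 5
+filter = traefik
+logpath = /tmp/traefik-logs/access.log
+port = http,https
+ignoreip = {{ wireguard.cidr }},{{ nebula.cidr }},{{ pve_hosts.internal_cidr }}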
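Review bot: The jail relies on the default `banaction`, which inserts rules into the host's `INPUT` chain; if Traefik's ports are published through Docker's iptables integration (the compose file in this commit suggests they are), forwarded traffic never traverses `INPUT` and a ban has no effect, so add `chain = DOCKER-USER` to the jail and verify once that a banned address is actually blocked. `logpath = /tmp/traefik-logs/access.log` points fail2ban at a world-writable, usually non-persistent location; moving the log to a root-owned directory such as `/var/log/traefik` (together with the compose mount and `logrotate.conf`) removes that exposure. With the log already restricted to 4xx/5xx lines, `maxretry = 5` within `findtime = 600` bans a client after five 404s in ten minutes — a comment recording that trade-off next to these values would help whoever tunes them later.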
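--- a/ansible/roles/traefik/files/logrotate.conf
+++ b/ansible/roles/traefik/files/logrotate.conf
@@ -0,0 +1,8 @@
+/tmp/traefik-logs/access.log {
+daily
+rotate 7
+missingok
+compress
+nodateext
+notifempty
+}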
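Review bot: Traefik keeps `access.log` open, so after logrotate renames it the container keeps writing to the rotated file while `compress` gzips it, and fail2ban is left following a new file that Traefik is not writing to; the stanza needs either `copytruncate` or a `postrotate` step that signals Traefik (`SIGUSR1`) to reopen its log. A `create 0640` line is also worth adding so the fresh file is not world-readable — access logs carry client IPs and request paths — and since both the writer (the container) and the reader (fail2ban) run as root, tightening the mode costs nothing. The path itself depends on the `/tmp/traefik-logs` mount from `docker-compose.yml`; if that directory moves, this file and `traefik-jail.conf` must move with it.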
|
@ -77,3 +77,9 @@ tls:
|
||||||
|
|
||||||
pilot:
|
pilot:
|
||||||
dashboard: false
|
dashboard: false
|
||||||
|
|
||||||
|
accessLog:
|
||||||
|
filePath: "/var/log/traefik/access.log"
|
||||||
|
filters:
|
||||||
|
statusCodes:
|
||||||
|
- "400-600"
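Review bot: `statusCodes: - "400-600"` feeds every 5xx response into the fail2ban jail as well, so during a backend outage any client that retries the site five times in ten minutes is banned for 6000 s even though a 5xx says nothing about the client's behaviour. Narrowing the filter to the codes that indicate probing or failed authentication, e.g. `- "400-404"` and `- "429"`, keeps the ban logic tied to what the client did. Because this list is the only thing that defines a "failure" for the jail, a comment above `filters:` stating that dependency would help: `# fail2ban's traefik filter treats every line in this log as a hit; keep this to client-side errors`.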
|
||||||
|
|
|
@ -2,3 +2,9 @@
|
||||||
shell:
|
shell:
|
||||||
chdir: /opt/traefik
|
chdir: /opt/traefik
|
||||||
cmd: "{{ docker_update_command }}"
|
cmd: "{{ docker_update_command }}"
|
||||||
|
|
||||||
|
- name: restart fail2ban
|
||||||
|
service:
|
||||||
|
name: fail2ban
|
||||||
|
state: restarted
|
||||||
|
become: true
|
||||||
|
|
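--- a/ansible/roles/traefik/tasks/fail2ban.yml
+++ b/ansible/roles/traefik/tasks/fail2ban.yml
@@ -0,0 +1,15 @@
+- name: Create jail
+template:
+src: files/fail2ban/traefik-jail.conf
+dest: /etc/fail2ban/jail.d/traefik.conf
+mode: 0644
+become: true
+notify: restart fail2ban
+
+- name: Create filter
+template:
+src: files/fail2ban/traefik-filter.conf
+dest: /etc/fail2ban/filter.d/traefik.conf
+mode: 0644
+become: true
+notify: restart fail2ban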
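Review bot: `mode: 0644` is written unquoted in both tasks here and as `0755` in `fail2ban_ssh/tasks/main.yml`, while the logrotate task in `traefik/tasks/main.yml` uses the quoted `"0600"`; YAML 1.1 parsers read the bare form as an octal integer and newer Ansible releases warn about it, so the commit should settle on the quoted string form, `mode: "0644"`, everywhere. Neither task ensures the fail2ban package is present on the Traefik host; unless a role outside this commit installs it, the notified `restart fail2ban` handler will fail on a freshly provisioned host, so a `package:` task (or a comment naming the role that provides it) belongs at the top of this file.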
|
@ -77,3 +77,14 @@
|
||||||
notify: restart traefik
|
notify: restart traefik
|
||||||
when: traefik_provider_grafana
|
when: traefik_provider_grafana
|
||||||
become: true
|
become: true
|
||||||
|
|
||||||
|
- name: logrotate config
|
||||||
|
template:
|
||||||
|
src: files/logrotate.conf
|
||||||
|
dest: /etc/logrotate.d/traefik
|
||||||
|
mode: "0600"
|
||||||
|
become: true
|
||||||
|
|
||||||
|
- name: fail2ban
|
||||||
|
include: fail2ban.yml
|
||||||
|
when: with_fail2ban
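Review bot: `include:` is the long-deprecated task keyword, removed in recent ansible-core releases; `include_tasks: fail2ban.yml` with the same `when: with_fail2ban` preserves the behaviour and evaluates the condition once rather than per included task. The new `logrotate config` task installs a world-unreadable `"0600"` file into `/etc/logrotate.d`, which logrotate (running as root) accepts, but the stock files there are `0644` — a short comment explaining the stricter mode, or aligning it with the rest of the directory, would avoid the next reader wondering whether it is intentional. The `fail2ban` task name says nothing about what is included; `Install fail2ban jail and filter for Traefik` reads better in play output.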
|
||||||
|
|