diff --git a/files/fail2ban/filter.conf b/files/fail2ban/filter.conf
new file mode 100644
index 0000000..3d2f8ae
--- /dev/null
+++ b/files/fail2ban/filter.conf
@@ -0,0 +1,5 @@
+[Definition]
+_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed:
+ ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error.
+datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
diff --git a/handlers/main.yml b/handlers/main.yml
index bda725b..14298dd 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -23,3 +23,8 @@
 - name: start php-fpm-socket
 command: systemctl start php-fpm@*.socket --all
+
+- name: restart fail2ban
+ service:
+ name: fail2ban
+ state: restarted
diff --git a/tasks/fail2ban.yml b/tasks/fail2ban.yml
new file mode 100644
index 0000000..d724c57
--- /dev/null
+++ b/tasks/fail2ban.yml
@@ -0,0 +1,12 @@
+---
+- name: "fail2ban | {{ instance.name }} | Kopiere Filter"
+ copy:
+ src: fail2ban/filter.conf
+ dest: /etc/fail2ban/filter.d/nextcloud.conf
+ notify: restart fail2ban
+
+- name: "fail2ban | {{ instance.name }} | Kopiere Jail"
+ template:
+ src: fail2ban/jail.conf.j2
+ dest: /etc/fail2ban/jail.d/nextcloud-{{ instance.user }}.conf
+ notify: restart fail2ban
diff --git a/tasks/main.yml b/tasks/main.yml
index d8f1c65..0ec8e4a 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -27,3 +27,6 @@
 - import_tasks: fixes.yml
 tags: fixes
+
+- import_tasks: fail2ban.yml
+ tags: fail2ban
diff --git a/templates/fail2ban/jail.conf.j2 b/templates/fail2ban/jail.conf.j2
new file mode 100644
index 0000000..36d2d12
--- /dev/null
+++ b/templates/fail2ban/jail.conf.j2
@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+
+[nextcloud-{{ instance.user }}]
+backend = auto
+enabled = true
+port = 80,443
+protocol = tcp
+filter = nextcloud
+maxretry = 3
+bantime = 86400
+findtime = 43200
+logpath = {{ nextcloud_root }}/{{ instance.name }}/data/nextcloud.log
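Review bot: Both failregex alternatives read `"remoteAddr":""` as shown, which captures no address at all; fail2ban requires a `<HOST>` group in every failregex and refuses to load a filter without one, so as written no login failure could ever produce a ban. If the rendering of this page stripped an angle-bracket tag here, disregard; otherwise the two lines should read `"remoteAddr":"<HOST>"`. A second, smaller point: `_groupsre` matches string values with `"[^"]+"`, so a preceding JSON field that contains an escaped quote (`\"`, e.g. in a user agent or URL that Nextcloud logs before `remoteAddr`) makes the whole line fail to match — a pattern like `"(?:[^"\\]|\\.)*"` is the usual way to cover that, and it is worth a short comment in the file explaining why the skip-group exists.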
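Review bot: The new `restart fail2ban` handler uses `state: restarted`, which stops and starts the whole daemon every time a filter or jail file changes; fail2ban's unit supports reload (`fail2ban-client reload` re-reads jail.d in place), so `state: reloaded` avoids the short window in which no bans are enforced while the service comes back. Whether existing bans survive a full restart depends on the host's fail2ban database settings, which this diff does not touch, so `reloaded` is the safer default for config-only changes. The handler otherwise follows the file's existing block style, which is fine.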
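Review bot: Neither the `copy` nor the `template` task sets `owner`, `group` or `mode`, so the files under /etc/fail2ban are created with whatever the connection user's umask happens to be; for files that fail2ban reads as root, make it explicit, e.g. `owner: root`, `group: root`, `mode: "0644"` on both tasks. The `dest` line interpolates `instance.user` directly into a path in jail.d (and the template also uses it as the jail section name); unless that value is already validated elsewhere in the role, an `assert` restricting it to a plain identifier would prevent a stray `/` or `..` in inventory data from writing the jail file outside jail.d. The filter file is shared by all instances while the jail is per instance, which the task names (`{{ instance.name }}`) suggest is intended — a one-line comment above the first task saying so would help the next maintainer.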
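Review bot: `import_tasks: fail2ban.yml` is static and unconditional, but nothing in this diff installs the fail2ban package or creates /etc/fail2ban/filter.d and jail.d, so on a host without fail2ban the `copy` task fails and the `restart fail2ban` handler has no unit to act on. Unless an earlier task in the role already installs it, add a package task before the import or gate it on a role variable, e.g. `when: nextcloud_fail2ban_enabled | default(false)` (variable name constructed here; use the role's own convention). The `tags: fail2ban` entry matches the style of the `fixes` import above it.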
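Review bot: The jail bans on `port = 80,443` whatever address Nextcloud logged as `remoteAddr`; if these instances sit behind a reverse proxy or load balancer and Nextcloud's trusted_proxies setting is not configured, that address is the proxy's, and three failed logins from anyone (`maxretry = 3`) bans the proxy and takes every instance offline for `bantime = 86400`. Add an `ignoreip` line listing the proxy, loopback and management addresses, e.g. `ignoreip = 127.0.0.1/8 ::1 {{ fail2ban_ignoreip | default('') }}` (variable name constructed; use whatever the role provides). As far as I recall fail2ban also refuses to start a jail whose `logpath` does not exist, so this jail depends on Nextcloud file logging already being enabled for `{{ instance.name }}`, which nothing in this diff ensures; a comment above `logpath` stating that precondition would help.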