From 32a1d2708f6e432ea4b886ab622ea41ae9eb0b0b Mon Sep 17 00:00:00 2001
From: phil <phil@systemausfall.org>
Date: Sat, 11 Mar 2023 21:35:10 +0100
Subject: [PATCH] Add fail2ban configuration

---
 README.md                                    |  6 +++++-
 files/fail2ban/filter.d/nginx-req-limit.conf | 15 +++++++++++++++
 files/fail2ban/jail.d/nginx-req-limit.conf   | 11 +++++++++++
 handlers/main.yaml                           | 11 ++++++++---
 tasks/fail2ban.yml                           | 11 +++++++++++
 tasks/main.yaml                              |  5 +++++
 6 files changed, 55 insertions(+), 4 deletions(-)
 create mode 100644 files/fail2ban/filter.d/nginx-req-limit.conf
 create mode 100644 files/fail2ban/jail.d/nginx-req-limit.conf
 create mode 100644 tasks/fail2ban.yml

diff --git a/README.md b/README.md
index c44cc94..47b6456 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,11 @@
 Nginx
 =====
 
-Role to install Nginx.
+A role to install and configure Nginx.
+
+## Dependencies
+
+Run this role after you have installed fail2ban.
 
 ## Variables
 
diff --git a/files/fail2ban/filter.d/nginx-req-limit.conf b/files/fail2ban/filter.d/nginx-req-limit.conf
new file mode 100644
index 0000000..5ad99b1
--- /dev/null
+++ b/files/fail2ban/filter.d/nginx-req-limit.conf
@@ -0,0 +1,15 @@
+# Managed by Ansible
+
+# Fail2Ban configuration file
+#
+# supports: ngx_http_limit_req_module module
+
+[Definition]
+
+failregex = limiting requests, excess:.* by zone.*client: <HOST>
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff --git a/files/fail2ban/jail.d/nginx-req-limit.conf b/files/fail2ban/jail.d/nginx-req-limit.conf
new file mode 100644
index 0000000..e81e751
--- /dev/null
+++ b/files/fail2ban/jail.d/nginx-req-limit.conf
@@ -0,0 +1,11 @@
+# Managed by Ansible
+
+[nginx-req-limit]
+
+enabled = true
+filter = nginx-req-limit
+action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
+logpath = /var/log/nginx/*error.log
+findtime = 600
+bantime = 7200
+maxretry = 10
diff --git a/handlers/main.yaml b/handlers/main.yaml
index 945a12e..d44eb01 100644
--- a/handlers/main.yaml
+++ b/handlers/main.yaml
@@ -1,14 +1,19 @@
 - name: restart munin-node
-  service:
+  ansible.builtin.service:
     name: munin-node
     state: restarted
 
 - name: reload nginx
-  service:
+  ansible.builtin.service:
     name: nginx
     state: reloaded
 
 - name: reload monit
-  service:
+  ansible.builtin.service:
     name: monit
     state: reloaded
+
+- name: reload fail2ban
+  ansible.builtin.service:
+    name: fail2ban
+    state: reloaded
diff --git a/tasks/fail2ban.yml b/tasks/fail2ban.yml
new file mode 100644
index 0000000..ab16d5e
--- /dev/null
+++ b/tasks/fail2ban.yml
@@ -0,0 +1,11 @@
+---
+- name: "Fail2ban | Copy configuration"
+  ansible.builtin.copy:
+    src: "fail2ban/{{ item }}"
+    dest: "/etc/fail2ban/{{ item }}"
+    mode: 0644
+  notify: reload fail2ban
+  loop:
+    - "filter.d/nginx-req-limit.conf"
+    - "jail.d/nginx-req-limit.conf"
+  
\ No newline at end of file
diff --git a/tasks/main.yaml b/tasks/main.yaml
index 848579a..4e310bc 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -10,3 +10,8 @@
 - name: "Enable monitoring"
   ansible.builtin.import_tasks: monitoring.yml
   tags: monitoring
+
+- name: "Configure fail2ban"
+  ansible.builtin.import_tasks: fail2ban.yml
+  tags: fail2ban
+