From 32a1d2708f6e432ea4b886ab622ea41ae9eb0b0b Mon Sep 17 00:00:00 2001
From: phil
Date: Sat, 11 Mar 2023 21:35:10 +0100
Subject: [PATCH] Add fail2ban configuration
---
 README.md | 6 +++++-
 files/fail2ban/filter.d/nginx-req-limit.conf | 15 +++++++++++++++
 files/fail2ban/jail.d/nginx-req-limit.conf | 11 +++++++++++
 handlers/main.yaml | 11 ++++++++---
 tasks/fail2ban.yml | 11 +++++++++++
 tasks/main.yaml | 5 +++++
 6 files changed, 55 insertions(+), 4 deletions(-)
 create mode 100644 files/fail2ban/filter.d/nginx-req-limit.conf
 create mode 100644 files/fail2ban/jail.d/nginx-req-limit.conf
 create mode 100644 tasks/fail2ban.yml
diff --git a/README.md b/README.md
index c44cc94..47b6456 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,11 @@
 Nginx
 =====
-Role to install Nginx.
+A role to install and configure Nginx.
+
+## Dependencies
+
+Run this role after you have installed fail2ban.
 ## Variables
diff --git a/files/fail2ban/filter.d/nginx-req-limit.conf b/files/fail2ban/filter.d/nginx-req-limit.conf
new file mode 100644
index 0000000..5ad99b1
--- /dev/null
+++ b/files/fail2ban/filter.d/nginx-req-limit.conf
@@ -0,0 +1,15 @@
+# Managed by Ansible
+
+# Fail2Ban configuration file
+#
+# supports: ngx_http_limit_req_module module
+
+[Definition]
+
+failregex = limiting requests, excess:.* by zone.*client:
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff --git a/files/fail2ban/jail.d/nginx-req-limit.conf b/files/fail2ban/jail.d/nginx-req-limit.conf
new file mode 100644
index 0000000..e81e751
--- /dev/null
+++ b/files/fail2ban/jail.d/nginx-req-limit.conf
@@ -0,0 +1,11 @@
+# Managed by Ansible
+
+[nginx-req-limit]
+
+enabled = true
+filter = nginx-req-limit
+action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
+logpath = /var/log/nginx/*error.log
+findtime = 600
+bantime = 7200
+maxretry = 10
diff --git a/handlers/main.yaml b/handlers/main.yaml
index 945a12e..d44eb01 100644
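Review bot: The `failregex` on line 9 of the new filter ends at `client:` with no `<HOST>` group as shown here, and fail2ban needs that group to know which address a match refers to; if the angle-bracketed token was simply lost when this patch was rendered, ignore this, otherwise fail2ban will refuse to load the filter and the jail never bans anything. The intended line would be `failregex = limiting requests, excess:.* by zone.*client: <HOST>`. A short comment above it quoting the nginx log line the pattern is meant to match (the `limiting requests, excess: ... by zone "...", client: ...` message from ngx_http_limit_req_module) would let the next maintainer check the regex against a real sample with `fail2ban-regex` before a reload.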
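Review bot: Line 7 of the new jail hard-codes `action = iptables-multiport[...]`, so on a host whose fail2ban is set up with a different ban backend (nftables, firewalld) the jail loads but its bans go nowhere; leaving `action` unset and giving only `port = http,https` lets the site-wide `banaction` from jail.conf/jail.local apply, which is what the other jails on the host will be using. `filter = nginx-req-limit` on line 6 repeats fail2ban's default (the filter name defaults to the section name) and can be dropped. Since this role also sets up munin and monit handlers, it is worth confirming that the monitoring hosts are listed in `ignoreip` of jail.local, or a burst of health checks against the rate-limited zone will ban the monitoring system for the `bantime` of 7200 seconds.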
--- a/handlers/main.yaml
+++ b/handlers/main.yaml
@@ -1,14 +1,19 @@
 - name: restart munin-node
- service:
+ ansible.builtin.service:
 name: munin-node
 state: restarted
 - name: reload nginx
- service:
+ ansible.builtin.service:
 name: nginx
 state: reloaded
 - name: reload monit
- service:
+ ansible.builtin.service:
 name: monit
 state: reloaded
+
+- name: reload fail2ban
+ ansible.builtin.service:
+ name: fail2ban
+ state: reloaded
diff --git a/tasks/fail2ban.yml b/tasks/fail2ban.yml
new file mode 100644
index 0000000..ab16d5e
--- /dev/null
+++ b/tasks/fail2ban.yml
@@ -0,0 +1,11 @@
+---
+- name: "Fail2ban | Copy configuration"
+ ansible.builtin.copy:
+ src: "fail2ban/{{ item }}"
+ dest: "/etc/fail2ban/{{ item }}"
+ mode: 0644
+ notify: reload fail2ban
+ loop:
+ - "filter.d/nginx-req-limit.conf"
+ - "jail.d/nginx-req-limit.conf"
+
\ No newline at end of file
diff --git a/tasks/main.yaml b/tasks/main.yaml
index 848579a..4e310bc 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -10,3 +10,8 @@
 - name: "Enable monitoring"
 ansible.builtin.import_tasks: monitoring.yml
 tags: monitoring
+
+- name: "Configure fail2ban"
+ ansible.builtin.import_tasks: fail2ban.yml
+ tags: fail2ban
+
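Review bot: `mode: 0644` in the copy task of the new tasks/fail2ban.yml is an unquoted octal literal, which YAML 1.1 loaders read as the integer 420; Ansible accepts that value today but documents file modes as strings and ansible-lint reports it, so write `mode: "0644"`. The rendered patch does not preserve indentation, so please confirm that `notify:` and `loop:` are at task level (same column as `ansible.builtin.copy:`) rather than nested under the module, where they would be rejected as unknown module arguments. Both this file and the tasks/main.yaml hunk end with an added blank line, and tasks/fail2ban.yml has no trailing newline; dropping the blank lines and ending each file with a single newline keeps yamllint quiet and the next diff clean.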