
ansible-role-fail2ban's Issues

No support for multiple values in jail.local ini file

Describe the bug

I try to add multiple actions in one section in jail. It is not possible in current role form.

Playbook

Please paste the playbook you are using. (Consider requirements.yml and
optionally the command you've invoked.)

---
    - role: robertdebock.fail2ban
      become: true
      vars:
        fail2ban_filterd_path: "../fail2ban/filters/"
        fail2ban_jail_configuration:
          - section: syslog-sftp
            option: action
            value: |
              iptables-allports[actname=sshd,name=sshd,protocol=all]
                       iptables-allports[actname=sshd-docker,name=sshd-docker,protocol=all,chain=DOCKER]

Output

It will constantly multiply the last line (adding it with each playbook execution):

 action = iptables-allports[actname=sshd,name=sshd,protocol=all]
          iptables-allports[actname=sshd-docker,name=sshd-docker,protocol=all,chain=DOCKER]
 
+         iptables-allports[actname=sshd-docker,name=sshd-docker,protocol=all,chain=DOCKER]

Environment

  • Control node OS: [e.g. Debian 9] (cat /etc/os-release): MacOS on M1
  • Control node Ansible version: [e.g. 2.9.1] (ansible --version): 2.15.1
  • Managed node OS: [e.g. CentOS 7] (cat /etc/os-release): "Ubuntu 22.04.2 LTS"


Whitelisted IP addresses are not ignored.

Whitelisted IP addresses are not ignored by fail2ban

IP addresses added to the ignoreips variable are not being ignored by fail2ban. Running fail2ban-client get sshd ignoreip returns nothing.

The ignoreip line belongs in jail.local, not fail2ban.local, as detailed in the jail.conf default configuration.

Environment

  • Control node OS: MacOS 13.6
  • Control node Ansible version: 2.5.14
  • Managed node OS: Debian 12
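
An added example, not code from the role or from either reporter: a small audit of rendered fail2ban files for the two conditions reported above, an `ignoreip` that sits in fail2ban.local instead of jail.local, and a multi-line `action` value whose entries are repeated. The file contents, the `audit` helper and the finding names are assumptions constructed for illustration.

```python
import configparser

# Constructed sample files for illustration (not taken from the reports).
JAIL_LOCAL = """\
[DEFAULT]
bantime = 3600

[syslog-sftp]
action = iptables-allports[actname=sshd,name=sshd,protocol=all]
         iptables-allports[actname=sshd-docker,name=sshd-docker,protocol=all,chain=DOCKER]
         iptables-allports[actname=sshd-docker,name=sshd-docker,protocol=all,chain=DOCKER]
"""
FAIL2BAN_LOCAL = """\
[DEFAULT]
loglevel = INFO
ignoreip = 127.0.0.1/8 192.0.2.10
"""


def _parse(text):
    # interpolation=None: leave fail2ban's own %(name)s substitutions alone.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def _has_option(parser, option):
    scopes = [parser.default_section] + parser.sections()
    return any(option in parser[scope] for scope in scopes)


def audit(jail_local, fail2ban_local):
    """Return (finding, location, detail) tuples; hypothetical helper."""
    findings = []
    jail, daemon = _parse(jail_local), _parse(fail2ban_local)
    if _has_option(daemon, "ignoreip"):
        findings.append(("misplaced-ignoreip", "fail2ban.local", None))
    if not _has_option(jail, "ignoreip"):
        findings.append(("missing-ignoreip", "jail.local", None))
    for section in jail.sections():
        # Indented continuation lines belong to one multi-line value.
        raw = jail[section].get("action", "")
        entries = [e.strip() for e in raw.splitlines() if e.strip()]
        repeated = sorted({e for e in entries if entries.count(e) > 1})
        if repeated:
            findings.append(("duplicate-action", section, repeated))
    return findings


if __name__ == "__main__":
    for finding in audit(JAIL_LOCAL, FAIL2BAN_LOCAL):
        print(finding)
```

Running it against the files on a managed node after each playbook run shows whether the whitelist actually reached the jail configuration and whether repeated runs are growing the `action` list.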

Custom configuration in .local file instead of jail.conf

Is your feature request related to a problem? Please describe.
This role modifies the jail.conf file for customisation. This file gets overwritten with every update.

Describe the solution you'd like
According to fail2ban the recommended approach would be to provide customisations in jail.local or jail.d/customisation.local file. Switching jail.conf to jail.local in main.yml should do the trick.

Describe alternatives you've considered
It might be worth considering putting in a template customisation.local file with sane defaults which the user can switch with their own. This could be done by playbook pathing. The file name could be provided in a variable, that way the user won't have to modify the role.

Additional context
N/A

Error in readme

"Provides Postfix for your system"

Shouldn't this be "Provides fail2ban"?

Configuration?

Describe the bug
It seems the role doesn't configure anything. Is it a WIP?

It installs fail2ban and enables the service.

How to configure a jail

Hi,

Could you please point me in the right direction as to how to configure a jail (ssh for example) using this role?

Thanks!

Check mode doesn't work

Hi, when I use my playbook to install your role, the check mode failed on this task. It could be cool to make it work in check mode to be sure of what changes will be made.

TASK [robertdebock.fail2ban : test if fail2ban_jail_configuration is set correctly] *******************************************************************************************************************************************************************************************************************************************
fatal: [192.168.1.X]: FAILED! => {}

MSG:

The conditional check 'item.value | length > 0' failed. The error was: Unexpected templating type error occurred on ({% if item.value | length > 0 %} True {% else %} False {% endif %}): object of type 'bool' has no len()

Feature request: copy filters in filterd

Proposed feature

Add a new step in the playbook to copy filters in filterd folder.

Rationale

For the moment, if you specify a filter in your jail local conf, it will fail as the filters do not exist.

I will propose a PR for that.

Improve your examples for newbie users

Proposed feature

Your examples could be enhanced to allow newer users to get started with your library.

Rationale

Anyone starting with Ansible is likely to be coming from shell scripts and so their first playbooks are likely to be a long list of tasks that operate steps already defined in their scripts. At some point, as they look for example code they will come across your library, but to use it they need to understand the basics for ansible-galaxy and find a way to merge tasks and roles into a single playbook.

Additional context

After some hunting around, the way to combine tasks and roles turned out to be simple - but you have to find an example. It would be helpful if your notes included such an example. For fail2ban it is as simple as the following task:

- name: install fail2ban via a role wrapped as a task
  import_role:
    name: robertdebock.fail2ban
