This role install and configures Fail2ban.
Ansible 2.10 or newer.
- Debian - 11 (Bullseye)
- Debian - 12 (Bookworm)
- Ubuntu - 20.04 (Focal Fossa)
- Ubuntu - 22.04 (Jammy Jellyfish)
| Variable | Required | Default | Choices | Comments |
|---|---|---|---|---|
| fail2ban_dependencies | yes | [fail2ban] |
list | |
| fail2ban_configuration | yes | {} |
dict | Local main configuration. |
| fail2ban_jails | yes | {} |
dict | Local jail configuration. |
| fail2ban_filters | yes | {} |
dict | Custom filters configuration. |
| fail2ban_actions | yes | {} |
dict | Custom actions configuration. |
None
- hosts: all
roles:
- role: ansible-role-fail2ban
fail2ban_configuration:
Definition:
loglevel: WARNING
fail2ban_jails:
DEFAULT:
ignoreip: 127.0.0.1/8
nginx-badbots:
enabled: 'true'
action: nginx-deny-host[name = nginx-http-auth, port = http, protocol = tcp]
port: http
filter: nginx-badbots
logpath: /var/log/nginx_error.log
maxretry: 5
findtime: 600
fail2ban_filters:
nginx-badbots:
Definition:
_daemon: nginx-badbots
failregex: |
^ \[error\] \d+#\d+: .* access forbidden by rule, client: <HOST>, .*$
FastCGI sent in stderr: "Primary script unknown" .*, client: <HOST>
ignoreregex: ''
fail2ban_actions:
nginx-deny-host:
Definition:
actionban: |
sed -i "/deny <ip>;/d" <file>
echo "deny <ip>;" >> <file>
systemctl reload nginx
actionunban: |
sed -i "/deny <ip>;/d" <file>
systemctl reload nginx
Init:
file: /etc/nginx/hosts.deny
molecule test
MIT