Ansible common role
From Notes_Wiki
<yambe:breadcrumb>Ansible_roles|Ansible roles</yambe:breadcrumb>
ansible common role
It makes sense to group things that need to be done on all machines in one single ansible role (named common here).
To create such role use following steps.
Create roles/common/{handlers,meta,tasks,templates} folders using:
mkdir -p roles/common/{handlers,meta,tasks,templates}
Create handlers/main.yaml file with following contents:
--- - name: restart fail2ban service: name=fail2ban state=restarted - name: rebuild newaliases shell: newaliases
Create meta/main.yaml with following contents:
--- dependencies: - role: common_vars
This is useful only if there is another role with name common_vars for global variables
Create tasks/main.yaml as follows:
--- - name: Ensure that denyhosts is not installed yum: name=denyhosts state=absent - name: Configure epel-release repository yum: name=epel-release state=latest - name: Install fail2ban package yum: name=fail2ban state=latest notify: - restart fail2ban - name: Replace fail2ban configuration file with template template: src=jail.conf dest=/etc/fail2ban/jail.conf notify: - restart fail2ban - name: Ensure fail2ban is configured to run on start-up service: name=fail2ban state=started enabled=yes - name: add root alias pointing to logs@lists.admin.iiit.ac.in lineinfile: "dest=/etc/aliases regexp='root: ' line='root: saurabh@sbarjatiya.com' state=present mode=0644" notify: - rebuild newaliases - name: Install logwatch package yum: name=logwatch state=latest - name: Configure log rotation for 52 weeks lineinfile: dest=/etc/logrotate.conf regexp="^rotate [0-9]*" line="rotate 52"
Remember to replace saurabh@sbarjatiya.com with corresponding log email ID for the organization. Mailing lists which can keep archives of log messages are preferred.
Finally create templates/jain.conf with following contents:
# Fail2Ban jail base specification file # # HOW TO ACTIVATE JAILS: # # YOU SHOULD NOT MODIFY THIS FILE. # # It will probably be overwitten or improved in a distribution update. # # Provide customizations in a jail.local file or a jail.d/customisation.local. # For example to change the default bantime for all jails and to enable the # ssh-iptables jail the following (uncommented) would appear in the .local file. # See man 5 jail.conf for details. # # [DEFAULT] # bantime = 3600 # # [ssh-iptables] # enabled = true # Comments: use '#' for comment lines and ';' (following a space) for inline comments # The DEFAULT allows a global definition of the options. They can be overridden # in each jail afterwards. [DEFAULT] # "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not # ban a host which matches an address in this list. Several addresses can be # defined using space separator. ignoreip = 127.0.0.1/8 # External command that will take an tagged arguments to ignore, e.g. <ip>, # and return true if the IP is to be ignored. False otherwise. # # ignorecommand = /path/to/command <ip> ignorecommand = # "bantime" is the number of seconds that a host is banned. bantime = 3600 # A host is banned if it has generated "maxretry" during the last "findtime" # seconds. findtime = 600 # "maxretry" is the number of failures before a host get banned. maxretry = 3 # "backend" specifies the backend used to get files modification. # Available options are "pyinotify", "gamin", "polling" and "auto". # This option can be overridden in each jail as well. # # pyinotify: requires pyinotify (a file alteration monitor) to be installed. # If pyinotify is not installed, Fail2ban will use auto. # gamin: requires Gamin (a file alteration monitor) to be installed. # If Gamin is not installed, Fail2ban will use auto. # polling: uses a polling algorithm which does not require external libraries. # auto: will try to use the following backends, in order: # pyinotify, gamin, polling. backend = auto # "usedns" specifies if jails should trust hostnames in logs, # warn when DNS lookups are performed, or ignore all hostnames in logs # # yes: if a hostname is encountered, a DNS lookup will be performed. # warn: if a hostname is encountered, a DNS lookup will be performed, # but it will be logged as a warning. # no: if a hostname is encountered, will not be used for banning, # but it will be logged as info. usedns = warn # This jail corresponds to the standard configuration in Fail2ban. # The mail-whois action send a notification e-mail with a whois request # in the body. [pam-generic] enabled = false filter = pam-generic action = iptables-allports[name=pam,protocol=all] logpath = /var/log/secure [xinetd-fail] enabled = false filter = xinetd-fail action = iptables-allports[name=xinetd,protocol=all] logpath = /var/log/daemon*log [ssh-iptables] enabled = true filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, dest=root@localhost, sender=fail2ban@{{ansible_hostname}}, sendername="Fail2Ban"] logpath = /var/log/secure maxretry = 5 [ssh-ddos] enabled = false filter = sshd-ddos action = iptables[name=SSHDDOS, port=ssh, protocol=tcp] logpath = /var/log/sshd.log maxretry = 2 [dropbear] enabled = false filter = dropbear action = iptables[name=dropbear, port=ssh, protocol=tcp] logpath = /var/log/messages maxretry = 5 [proftpd-iptables] enabled = false filter = proftpd action = iptables[name=ProFTPD, port=ftp, protocol=tcp] sendmail-whois[name=ProFTPD, dest=root@localhost] logpath = /var/log/proftpd/proftpd.log maxretry = 6 [gssftpd-iptables] enabled = false filter = gssftpd action = iptables[name=GSSFTPd, port=ftp, protocol=tcp] sendmail-whois[name=GSSFTPd, dest=root@localhost] logpath = /var/log/daemon.log maxretry = 6 [pure-ftpd] enabled = false filter = pure-ftpd action = iptables[name=pureftpd, port=ftp, protocol=tcp] logpath = /var/log/pureftpd.log maxretry = 6 [wuftpd] enabled = false filter = wuftpd action = iptables[name=wuftpd, port=ftp, protocol=tcp] logpath = /var/log/daemon.log maxretry = 6 [sendmail-auth] enabled = false filter = sendmail-auth action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp] logpath = /var/log/mail.log [sendmail-reject] enabled = false filter = sendmail-reject action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp] logpath = /var/log/mail.log # This jail forces the backend to "polling". [sasl-iptables] enabled = false filter = postfix-sasl backend = polling action = iptables[name=sasl, port=smtp, protocol=tcp] sendmail-whois[name=sasl, dest=root@localhost] logpath = /var/log/mail.log # ASSP SMTP Proxy Jail [assp] enabled = false filter = assp action = iptables-multiport[name=assp,port="25,465,587"] logpath = /root/path/to/assp/logs/maillog.txt # Here we use TCP-Wrappers instead of Netfilter/Iptables. "ignoreregex" is # used to avoid banning the user "myuser". [ssh-tcpwrapper] enabled = false filter = sshd action = hostsdeny[daemon_list=sshd] sendmail-whois[name=SSH, dest=root@localhost] ignoreregex = for myuser from logpath = /var/log/sshd.log # Here we use blackhole routes for not requiring any additional kernel support # to store large volumes of banned IPs [ssh-route] enabled = false filter = sshd action = route logpath = /var/log/sshd.log maxretry = 5 # Here we use a combination of Netfilter/Iptables and IPsets # for storing large volumes of banned IPs # # IPset comes in two versions. See ipset -V for which one to use # requires the ipset package and kernel support. [ssh-iptables-ipset4] enabled = false filter = sshd action = iptables-ipset-proto4[name=SSH, port=ssh, protocol=tcp] logpath = /var/log/sshd.log maxretry = 5 [ssh-iptables-ipset6] enabled = false filter = sshd action = iptables-ipset-proto6[name=SSH, port=ssh, protocol=tcp, bantime=600] logpath = /var/log/sshd.log maxretry = 5 # bsd-ipfw is ipfw used by BSD. It uses ipfw tables. # table number must be unique. # # This will create a deny rule for that table ONLY if a rule # for the table doesn't ready exist. # [ssh-bsd-ipfw] enabled = false filter = sshd action = bsd-ipfw[port=ssh,table=1] logpath = /var/log/auth.log maxretry = 5 # This jail demonstrates the use of wildcards in "logpath". # Moreover, it is possible to give other files on a new line. [apache-tcpwrapper] enabled = false filter = apache-auth action = hostsdeny logpath = /var/log/apache*/*error.log /home/www/myhomepage/error.log maxretry = 6 [apache-modsecurity] enabled = false filter = apache-modsecurity action = iptables-multiport[name=apache-modsecurity,port="80,443"] logpath = /var/log/apache*/*error.log /home/www/myhomepage/error.log maxretry = 2 [apache-overflows] enabled = false filter = apache-overflows action = iptables-multiport[name=apache-overflows,port="80,443"] logpath = /var/log/apache*/*error.log /home/www/myhomepage/error.log maxretry = 2 [apache-nohome] enabled = false filter = apache-nohome action = iptables-multiport[name=apache-nohome,port="80,443"] logpath = /var/log/apache*/*error.log /home/www/myhomepage/error.log maxretry = 2 [nginx-http-auth] enabled = false filter = nginx-http-auth action = iptables-multiport[name=nginx-http-auth,port="80,443"] logpath = /var/log/nginx/error.log [squid] enabled = false filter = squid action = iptables-multiport[name=squid,port="80,443,8080"] logpath = /var/log/squid/access.log # The hosts.deny path can be defined with the "file" argument if it is # not in /etc. [postfix-tcpwrapper] enabled = false filter = postfix action = hostsdeny[file=/not/a/standard/path/hosts.deny] sendmail[name=Postfix, dest=root@localhost] logpath = /var/log/postfix.log bantime = 300 [cyrus-imap] enabled = false filter = cyrus-imap action = iptables-multiport[name=cyrus-imap,port="143,993"] logpath = /var/log/mail*log [courierlogin] enabled = false filter = courierlogin action = iptables-multiport[name=courierlogin,port="25,110,143,465,587,993,995"] logpath = /var/log/mail*log [couriersmtp] enabled = false filter = couriersmtp action = iptables-multiport[name=couriersmtp,port="25,465,587"] logpath = /var/log/mail*log [qmail-rbl] enabled = false filter = qmail action = iptables-multiport[name=qmail-rbl,port="25,465,587"] logpath = /service/qmail/log/main/current [sieve] enabled = false filter = sieve action = iptables-multiport[name=sieve,port="25,465,587"] logpath = /var/log/mail*log # Do not ban anybody. Just report information about the remote host. # A notification is sent at most every 600 seconds (bantime). [vsftpd-notification] enabled = false filter = vsftpd action = sendmail-whois[name=VSFTPD, dest=root@localhost] logpath = /var/log/vsftpd.log maxretry = 5 bantime = 1800 # Same as above but with banning the IP address. [vsftpd-iptables] enabled = false filter = vsftpd action = iptables[name=VSFTPD, port=ftp, protocol=tcp] sendmail-whois[name=VSFTPD, dest=root@localhost] logpath = /var/log/vsftpd.log maxretry = 5 bantime = 1800 # Ban hosts which agent identifies spammer robots crawling the web # for email addresses. The mail outputs are buffered. [apache-badbots] enabled = false filter = apache-badbots action = iptables-multiport[name=BadBots, port="http,https"] sendmail-buffered[name=BadBots, lines=5, dest=root@localhost] logpath = /var/www/*/logs/access_log bantime = 172800 maxretry = 1 # Use shorewall instead of iptables. [apache-shorewall] enabled = false filter = apache-noscript action = shorewall sendmail[name=Postfix, dest=root@localhost] logpath = /var/log/apache2/error_log # Monitor roundcube server [roundcube-iptables] enabled = false filter = roundcube-auth action = iptables-multiport[name=RoundCube, port="http,https"] logpath = /var/log/roundcube/userlogins # Monitor SOGo groupware server [sogo-iptables] enabled = false filter = sogo-auth # without proxy this would be: # port = 20000 action = iptables-multiport[name=SOGo, port="http,https"] logpath = /var/log/sogo/sogo.log [groupoffice] enabled = false filter = groupoffice action = iptables-multiport[name=groupoffice, port="http,https"] logpath = /home/groupoffice/log/info.log [openwebmail] enabled = false filter = openwebmail logpath = /var/log/openwebmail.log action = ipfw sendmail-whois[name=openwebmail, dest=root@localhost] maxretry = 5 [horde] enabled = false filter = horde logpath = /var/log/horde/horde.log action = iptables-multiport[name=horde, port="http,https"] maxretry = 5 # Ban attackers that try to use PHP's URL-fopen() functionality # through GET/POST variables. - Experimental, with more than a year # of usage in production environments. [php-url-fopen] enabled = false action = iptables-multiport[name=php-url-open, port="http,https"] filter = php-url-fopen logpath = /var/www/*/logs/access_log maxretry = 1 [suhosin] enabled = false filter = suhosin action = iptables-multiport[name=suhosin, port="http,https"] # adapt the following two items as needed logpath = /var/log/lighttpd/error.log maxretry = 2 [lighttpd-auth] enabled = false filter = lighttpd-auth action = iptables-multiport[name=lighttpd-auth, port="http,https"] # adapt the following two items as needed logpath = /var/log/lighttpd/error.log maxretry = 2 # This jail uses ipfw, the standard firewall on FreeBSD. The "ignoreip" # option is overridden in this jail. Moreover, the action "mail-whois" defines # the variable "name" which contains a comma using "". The characters '' are # valid too. [ssh-ipfw] enabled = false filter = sshd action = ipfw[localhost=192.168.0.1] sendmail-whois[name="SSH,IPFW", dest=root@localhost] logpath = /var/log/auth.log ignoreip = 168.192.0.1 # !!! WARNING !!! # Since UDP is connection-less protocol, spoofing of IP and imitation # of illegal actions is way too simple. Thus enabling of this filter # might provide an easy way for implementing a DoS against a chosen # victim. See # http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html # Please DO NOT USE this jail unless you know what you are doing. # # IMPORTANT: see filter.d/named-refused for instructions to enable logging # This jail blocks UDP traffic for DNS requests. # [named-refused-udp] # # enabled = false # filter = named-refused # action = iptables-multiport[name=Named, port="domain,953", protocol=udp] # sendmail-whois[name=Named, dest=root@localhost] # logpath = /var/log/named/security.log # ignoreip = 168.192.0.1 # IMPORTANT: see filter.d/named-refused for instructions to enable logging # This jail blocks TCP traffic for DNS requests. [named-refused-tcp] enabled = false filter = named-refused action = iptables-multiport[name=Named, port="domain,953", protocol=tcp] sendmail-whois[name=Named, dest=root@localhost] logpath = /var/log/named/security.log ignoreip = 168.192.0.1 [nsd] enabled = false filter = nsd action = iptables-multiport[name=nsd-tcp, port="domain", protocol=tcp] iptables-multiport[name=nsd-udp, port="domain", protocol=udp] logpath = /var/log/nsd.log [asterisk] enabled = false filter = asterisk action = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp] iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp] sendmail-whois[name=Asterisk, dest=root@localhost, sender=fail2ban@{{ansible_hostname}}] logpath = /var/log/asterisk/messages maxretry = 10 [freeswitch] enabled = false filter = freeswitch logpath = /var/log/freeswitch.log maxretry = 10 action = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp] iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp] [ejabberd-auth] enabled = false filter = ejabberd-auth logpath = /var/log/ejabberd/ejabberd.log action = iptables[name=ejabberd, port=xmpp-client, protocol=tcp] # Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed ) # use [asterisk] for new jails [asterisk-tcp] enabled = false filter = asterisk action = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp] sendmail-whois[name=Asterisk, dest=root@localhost, sender=fail2ban@{{ansible_hostname}}] logpath = /var/log/asterisk/messages maxretry = 10 # Historical support (before https://github.com/fail2ban/fail2ban/issues/37 was fixed ) # use [asterisk] for new jails [asterisk-udp] enabled = false filter = asterisk action = iptables-multiport[name=asterisk-udp, port="5060,5061", protocol=udp] sendmail-whois[name=Asterisk, dest=root@localhost, sender=fail2ban@{{ansible_hostname}}] logpath = /var/log/asterisk/messages maxretry = 10 [mysqld-iptables] enabled = false filter = mysqld-auth action = iptables[name=mysql, port=3306, protocol=tcp] sendmail-whois[name=MySQL, dest=root, sender=fail2ban@{{ansible_hostname}}] logpath = /var/log/mysqld.log maxretry = 5 [mysqld-syslog] enabled = false filter = mysqld-auth action = iptables[name=mysql, port=3306, protocol=tcp] logpath = /var/log/daemon.log maxretry = 5 # Jail for more extended banning of persistent abusers # !!! WARNING !!! # Make sure that your loglevel specified in fail2ban.conf/.local # is not at DEBUG level -- which might then cause fail2ban to fall into # an infinite loop constantly feeding itself with non-informative lines [recidive] enabled = false filter = recidive logpath = /var/log/fail2ban.log action = iptables-allports[name=recidive,protocol=all] sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log] bantime = 604800 ; 1 week findtime = 86400 ; 1 day maxretry = 5 # PF is a BSD based firewall [ssh-pf] enabled = false filter = sshd action = pf logpath = /var/log/sshd.log maxretry = 5 [3proxy] enabled = false filter = 3proxy action = iptables[name=3proxy, port=3128, protocol=tcp] logpath = /var/log/3proxy.log [exim] enabled = false filter = exim action = iptables-multiport[name=exim,port="25,465,587"] logpath = /var/log/exim/mainlog [exim-spam] enabled = false filter = exim-spam action = iptables-multiport[name=exim-spam,port="25,465,587"] logpath = /var/log/exim/mainlog [perdition] enabled = false filter = perdition action = iptables-multiport[name=perdition,port="110,143,993,995"] logpath = /var/log/maillog [uwimap-auth] enabled = false filter = uwimap-auth action = iptables-multiport[name=uwimap-auth,port="110,143,993,995"] logpath = /var/log/maillog [osx-ssh-ipfw] enabled = false filter = sshd action = osx-ipfw logpath = /var/log/secure.log maxretry = 5 [ssh-apf] enabled = false filter = sshd action = apf[name=SSH] logpath = /var/log/secure maxretry = 5 [osx-ssh-afctl] enabled = false filter = sshd action = osx-afctl[bantime=600] logpath = /var/log/secure.log maxretry = 5 [webmin-auth] enabled = false filter = webmin-auth action = iptables-multiport[name=webmin,port="10000"] logpath = /var/log/auth.log # dovecot defaults to logging to the mail syslog facility # but can be set by syslog_facility in the dovecot configuration. [dovecot] enabled = false filter = dovecot action = iptables-multiport[name=dovecot, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp] logpath = /var/log/mail.log [dovecot-auth] enabled = false filter = dovecot action = iptables-multiport[name=dovecot-auth, port="pop3,pop3s,imap,imaps,submission,465,sieve", protocol=tcp] logpath = /var/log/secure [solid-pop3d] enabled = false filter = solid-pop3d action = iptables-multiport[name=solid-pop3, port="pop3,pop3s", protocol=tcp] logpath = /var/log/mail.log [selinux-ssh] enabled = false filter = selinux-ssh action = iptables[name=SELINUX-SSH, port=ssh, protocol=tcp] logpath = /var/log/audit/audit.log maxretry = 5 # See the IMPORTANT note in action.d/blocklist_de.conf for when to # use this action # # Report block via blocklist.de fail2ban reporting service API # See action.d/blocklist_de.conf for more information [ssh-blocklist] enabled = false filter = sshd action = iptables[name=SSH, port=ssh, protocol=tcp] sendmail-whois[name=SSH, dest=root@localhost, sender=fail2ban@{{ansible_hostname}}, sendername="Fail2Ban"] blocklist_de[email="fail2ban@{{ansible_hostname}}", apikey="xxxxxx", service=%(filter)s] logpath = /var/log/sshd.log maxretry = 20 # consider low maxretry and a long bantime # nobody except your own Nagios server should ever probe nrpe [nagios] enabled = false filter = nagios action = iptables[name=Nagios, port=5666, protocol=tcp] sendmail-whois[name=Nagios, dest=root@localhost, sender=fail2ban@{{ansible_hostname}}, sendername="Fail2Ban"] logpath = /var/log/messages ; nrpe.cfg may define a different log_facility maxretry = 1