
ansible-fail2ban's Introduction

DebOps project fail2ban


fail2ban is a service that scans the log files you point it at and runs configured actions when a given regular expression matches. It is usually used to ban offending IP addresses with iptables rules (only IPv4 connections are supported at the moment).

Installation

This role requires at least Ansible v1.7.0. To install it, run:

ansible-galaxy install debops.fail2ban

Documentation

More information about debops.fail2ban can be found in the official debops.fail2ban documentation.

Are you using this as a standalone role without DebOps?

You may need to include missing roles from the DebOps common playbook into your playbook.

Try DebOps now for a complete solution to run your Debian-based infrastructure.

Authors and license

fail2ban role was written by:

License: GPLv3


This role is part of the DebOps project. README generated by ansigenome.

ansible-fail2ban's People

Contributors

anbuku, carlalexander, drybjed, ganto, igormukhingmailcom, prahal, scibi


ansible-fail2ban's Issues

Restart fail2ban doesn't throw errors

I'm still working on #5, but I've been running into this a lot when testing. Ansible says fail2ban restarted correctly when in fact it has not. You can see there's an error if you run service fail2ban restart manually.

Not sure if there's anything we can do about that. It would be good if the playbook could stop if there's an error in the fail2ban config.

Support custom actions and filters

I'm doing more research on how to add DDoS protection to the WordPress role. It seems like using fail2ban to scan and ban at the firewall level is the best option.

I've been looking at the filters that come included with the role. Besides apache-badbots, the other ones don't really look for what I need them to. I figure there should be support for custom actions and filters. Right now, you add some manually, but that's not possible for everyone. 😄

lookup plugin (template_src) not found

Having this problem on Ubuntu 16.04

fatal: [host.example.com]: FAILED! => {"failed": true, "msg": "lookup plugin (template_src) not found"}
	to retry, use: --limit @/home/user/workspace/server/ansible/playbooks/setup_machines.retry

Ansible version:

  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/user/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.12 (default, Nov 19 2016, 06:48:10) [GCC 5.4.0 20160609]

Any ideas?

How to configure fail2ban jails

Hi,
When we activate the ssh-ddos jail, debops.fail2ban generates this in jail.local, and it fails when we try to reload the fail2ban configuration.

[sshd-ddos]
    enabled        = true

debops fail2ban configuration file contains

---

fail2ban_jails:

 - name: 'ssh-ddos'
   enabled: 'true'
   filter: 'sshd-ddos'
   comment: 'Enable default ssh-ddos jail'

Fail2ban reload not working on first run

Hey !

I'm deploying fail2ban with Ansible on my Debian 8 VPS. Everything works perfectly, but the fail2ban installation throws an error, stopping my Ansible script:

RUNNING HANDLER [debops.fail2ban : Reload fail2ban] ****************************

fatal: [vps344828.ovh.net]: FAILED! => {"changed": false, "failed": true, "msg": "Unable to reload service fail2ban: Failed to reload fail2ban.service: Job type reload is not applicable for unit fail2ban.service.\n"}

When I launch the script one more time, it works without errors. The issue is that I need to launch it twice and I don't know why.

Can you please help me on this ?

Thanks a lot !

lookup plugin (template_src) not found

I'm using debops.fail2ban role alone, and it gives me this error:

fatal: [default] => Failed to template {{ lookup("template_src", "etc/fail2ban/fail2ban.local.j2") }}: lookup plugin (template_src) not found

FATAL: all hosts have already failed -- aborting

I'm using ansible 1.9.1

fail2ban log file contains ERROR test -e /proc/net/xt_recent/fail2ban-ssh

What's the meaning of these errors in the fail2ban log,
and why is /proc/net/xt_recent not created by the debops fail2ban installation?

ERROR test -e /proc/net/xt_recent/fail2ban-ssh returned 100
ERROR Invariant check failed. Trying to restore a sane environment
ERROR echo / > /proc/net/xt_recent/fail2ban-ssh
iptables -D INPUT -m recent --update --seconds 604800 --name fail2ban-ssh --jump REJECT --reject-with icmp-admin-prohibited returned 100

Don't enable fail2ban by default for ssh

While testing, I was able to consistently lock myself out of the Ubuntu 16.04 cloud images I was testing locally today. My guess at what went wrong is that ansible did not correctly whitelist me. When certain ansible commands failed 3 times within 10 minutes, suddenly it's impossible for me to access my server for 2 hours.

There were some other reports of lockouts here.

What problem is fail2ban for ssh trying to solve?
By default, debops only allows public key authentication for ssh. This means that it is basically impossible for a typical Bad Guy to break into ssh. But locking system admins out of the only way they can access their server looks to me like far more of a Denial of Service problem than whatever is targeting port 22.

Log level

I think this commit broke fail2ban configuration: d56c360

According to journalctl when I restart:
Mar 09 12:26:56 XXX fail2ban[31387]: Starting authentication failure monitor: fail2banWARNING Wrong value for 'loglevel' in 'Definition'. Using default one: '1

In debian jessie fail2ban.conf says:

# Option: loglevel
# Notes.: Set the log level output.
#         1 = ERROR
#         2 = WARN
#         3 = INFO
#         4 = DEBUG
# Values: [ NUM ]  Default: 1

When I set 3 instead of WARNING, fail2ban starts normally. It seems to depend on the fail2ban version.
This is just a warning; fail2ban starts in any case.

Default SSH jail broken on Ubuntu

Since the changes from #19, fail2ban won't start anymore. That's because the SSH jail in Ubuntu isn't ssh, but sshd. So now, fail2ban just refuses to start since there's no ssh filter on Ubuntu:

Apr 20 20:36:10 dev fail2ban-client[1266]: ERROR  Found no accessible config files for 'filter.d/ssh' under /etc/fail2ban
Apr 20 20:36:10 dev fail2ban-client[1266]: ERROR  No section: 'Definition'
Apr 20 20:36:10 dev fail2ban-client[1266]: ERROR  No section: 'Definition'
Apr 20 20:36:10 dev fail2ban-client[1266]: ERROR  Unable to read the filter
Apr 20 20:36:10 dev fail2ban-client[1266]: ERROR  Errors in jail 'ssh'. Skipping...
Apr 20 20:36:10 dev fail2ban-client[1266]: ERROR  No file(s) found for glob /var/log/nginx/varnish*access.log
Apr 20 20:36:10 dev fail2ban-client[1266]: ERROR  Failed during configuration: Have not found any log file for wordpress-badbots jail
Apr 20 20:36:10 dev systemd[1]: fail2ban.service: Control process exited, code=exited status=255
Apr 20 20:36:10 dev systemd[1]: Failed to start Fail2Ban Service.

Before it wasn't an issue because it wasn't added to jail.local, but now it is. I'm not even sure if it's necessary for Debian either. Is the jail in jail.conf? It is on Ubuntu.
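Several of the reports above (the restart that Ansible reports as successful while the service is actually down, the lockout when the controller is not whitelisted, the loglevel spelling that depends on the fail2ban version, and the ssh versus sshd filter name on Ubuntu) are misconfigurations that can be caught before the service is restarted. The pre-flight checker below is an added example, not code from the debops.fail2ban role or from anyone in this thread. It reads an /etc/fail2ban-style directory with Python's configparser and reports enabled jails whose filter file or log files are missing, an ignoreip that does not cover the deploy host, and a loglevel value the target version would reject. The accepted loglevel sets, the rule that a jail's filter defaults to the jail name, the 127.0.0.1/8 fallback for ignoreip, the controller address 203.0.113.10 and the whole tree produced by build_demo_tree are assumptions constructed for this example.

```python
"""Pre-flight checks for a fail2ban configuration tree (added example, not role code)."""
import configparser
import glob
import ipaddress
import os
import tempfile

# Log-level spellings assumed to be accepted: numeric 1-4 is the scheme quoted
# from the Debian jessie fail2ban.conf above, names are what newer releases take.
NUMERIC_LOGLEVELS = {"1", "2", "3", "4"}
NAMED_LOGLEVELS = {"CRITICAL", "ERROR", "WARNING", "NOTICE", "INFO", "DEBUG"}


def _parser():
    # fail2ban files contain %(name)s references and inline '#' comments,
    # neither of which a stock ConfigParser handles by default.
    return configparser.ConfigParser(interpolation=None, strict=False,
                                     inline_comment_prefixes=("#", ";"))


def _is_cidr(token):
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:          # hostnames in ignoreip are skipped, not resolved
        return False


def check_fail2ban_tree(root, controller_ip, numeric_loglevel_only=False):
    """Return a list of problems found in an /etc/fail2ban-style directory at root."""
    problems = []
    jails = _parser()
    jails.read([os.path.join(root, "jail.conf"), os.path.join(root, "jail.local")])

    # 1. The host running Ansible must be in ignoreip, otherwise a few failed
    #    SSH attempts by the deploy user ban the only way into the box.
    controller = ipaddress.ip_address(controller_ip)
    ignored = jails.get("DEFAULT", "ignoreip", fallback="127.0.0.1/8").split()
    if not any(controller in ipaddress.ip_network(tok, strict=False)
               for tok in ignored if _is_cidr(tok)):
        problems.append(f"ignoreip does not cover controller {controller_ip}")

    # 2. Every enabled jail needs a filter file (the filter is assumed to default
    #    to the jail name, so [ssh] looks for filter.d/ssh.conf, which Ubuntu only
    #    ships as sshd.conf) and at least one file matching each logpath glob.
    for jail in jails.sections():
        if not jails.getboolean(jail, "enabled", fallback=False):
            continue
        flt = jails.get(jail, "filter", fallback=jail)
        if not any(os.path.exists(os.path.join(root, "filter.d", f"{flt}.{ext}"))
                   for ext in ("conf", "local")):
            problems.append(f"jail '{jail}': filter.d/{flt}.conf not found")
        for pattern in jails.get(jail, "logpath", fallback="").split():
            if not glob.glob(pattern):
                problems.append(f"jail '{jail}': no file matches logpath {pattern}")

    # 3. loglevel must be spelled the way the installed fail2ban expects.
    main = _parser()
    main.read([os.path.join(root, "fail2ban.conf"), os.path.join(root, "fail2ban.local")])
    level = main.get("Definition", "loglevel", fallback="1").strip().upper()
    allowed = NUMERIC_LOGLEVELS if numeric_loglevel_only else NUMERIC_LOGLEVELS | NAMED_LOGLEVELS
    if level not in allowed:
        problems.append(f"loglevel '{level}' is not accepted by this fail2ban version")
    return problems


def build_demo_tree(root):
    """Constructed config tree reproducing the failures reported in this thread."""
    os.makedirs(os.path.join(root, "filter.d"))
    os.makedirs(os.path.join(root, "log"))
    open(os.path.join(root, "log", "auth.log"), "w").close()
    with open(os.path.join(root, "filter.d", "sshd.conf"), "w") as fh:  # sshd, never ssh
        fh.write("[Definition]\nfailregex = Failed password for .* from <HOST>\n")
    with open(os.path.join(root, "jail.local"), "w") as fh:
        fh.write("[DEFAULT]\nignoreip = 127.0.0.1/8\n\n"
                 "[ssh]\nenabled = true\nport = ssh\n"
                 f"logpath = {root}/log/auth.log\n\n"
                 "[wordpress-badbots]\nenabled = true\nfilter = sshd\n"
                 f"logpath = {root}/log/nginx/varnish*access.log\n")
    with open(os.path.join(root, "fail2ban.local"), "w") as fh:
        fh.write("[Definition]\nloglevel = WARNING\n")


def run_demo(controller_ip="203.0.113.10", numeric_loglevel_only=True):
    """Build the demo tree in a temporary directory and return its problems."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return check_fail2ban_tree(root, controller_ip, numeric_loglevel_only)


if __name__ == "__main__":
    for problem in run_demo():
        print("PRE-FLIGHT:", problem)
```

Run as-is it lists four findings from the constructed tree: the controller missing from ignoreip, the ssh jail with no filter.d/ssh.conf, the wordpress-badbots logpath glob matching nothing, and WARNING rejected when only numeric levels are allowed. On a real host, point check_fail2ban_tree at /etc/fail2ban from a pre_tasks step that fails the play on a non-empty result; that gives the "stop if there's an error in the fail2ban config" behaviour asked for in the first issue without depending on what the init script reports.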

Can we include multiple custom jail configuration files

I would like to specify custom jails by server type. Is it possible to use this jails declaration to promote reuse?

with fail2ban-default.yml that contains specific rules for ssh jails
and fail2ban-nginx.yml that contains specific rules for nginx jails

 vars_files:
    - "{{inventory_dir}}/vars/fail2ban-nginx.yml"
    - "{{inventory_dir}}/vars/fail2ban-default.yml"
