From 513d80d76c4105c114eca0743d3c969ee3afde51 Mon Sep 17 00:00:00 2001 From: Erik Stambaugh Date: Sat, 8 Jan 2022 15:00:39 -0800 Subject: [PATCH] Add fail2ban --- Makefile | 12 ++++--- inventory.tmpl.ini | 2 +- nextcloud.tf | 3 ++ roles/nextcloud/files/fail2ban.nextcloud.conf | 5 +++ .../nextcloud/files/fail2ban.nextcloud.local | 10 ++++++ roles/nextcloud/tasks/main.yaml | 33 +++++++++++++++++-- roles/nextcloud/templates/fail2ban.jail.local | 10 ++++++ 7 files changed, 68 insertions(+), 7 deletions(-) create mode 100644 roles/nextcloud/files/fail2ban.nextcloud.conf create mode 100644 roles/nextcloud/files/fail2ban.nextcloud.local create mode 100644 roles/nextcloud/templates/fail2ban.jail.local diff --git a/Makefile b/Makefile index b2ebb15..59d5bb1 100644 --- a/Makefile +++ b/Makefile @@ -11,21 +11,25 @@ setup: $(eval INSTANCE := $(shell terraform output instance_id | sed -e 's/"//g')) $(eval PUBLIC_IP := $(shell terraform output public_ip | sed -e 's/"//g')) $(eval BUCKET := $(shell terraform output bucket | sed -e 's/"//g')) + $(eval MYIP := $(shell terraform output myip | sed -e 's/"//g')) chmod 600 privkey.pem -ansible: setup - timeout --foreground 300 bash -c -- 'until $(SSH) $(INSTANCE) "/bin/true"; do sleep 0.5; done' - $(SSH) $(INSTANCE) "which -a ansible || (sudo apt-get update && sudo apt-get -y install ansible)" +templates: setup sed \ -e 's/{{INSTANCE}}/$(INSTANCE)/' \ -e 's/{{PUBLIC_IP}}/$(PUBLIC_IP)/' \ -e 's/{{BUCKET}}/$(BUCKET)/' \ + -e 's/{{MYIP}}/$(MYIP)/' \ inventory.tmpl.ini > inventory.ini + +ansible: templates + timeout --foreground 300 bash -c -- 'until $(SSH) $(INSTANCE) "/bin/true"; do sleep 0.5; done' + $(SSH) $(INSTANCE) "which -a ansible || (sudo apt-get update && sudo apt-get -y install ansible)" ansible-playbook -i inventory.ini --private-key privkey.pem -l nextcloud site.yaml terraform: terraform init terraform apply -.PHONY: setup ansible terraform +.PHONY: setup ansible terraform templates diff --git a/inventory.tmpl.ini b/inventory.tmpl.ini index 1e9075d..d138a55 100644 --- a/inventory.tmpl.ini +++ b/inventory.tmpl.ini @@ -1,4 +1,4 @@ [nextcloud] -nextcloud ansible_host={{INSTANCE}} ansible_user=ubuntu hostname=nextcloud public_ip={{PUBLIC_IP}} bucket={{BUCKET}} +nextcloud ansible_host={{INSTANCE}} ansible_user=ubuntu hostname=nextcloud public_ip={{PUBLIC_IP}} bucket={{BUCKET}} myip={{MYIP}} [nextcloud:vars] ansible_ssh_common_args=-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ProxyCommand="sh -c \"aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p\"" diff --git a/nextcloud.tf b/nextcloud.tf index 9d0b1b4..3b92d12 100644 --- a/nextcloud.tf +++ b/nextcloud.tf @@ -223,5 +223,8 @@ output "nameservers" { output "bucket" { value = module.s3_bucket.s3_bucket_id } +output "myip" { + value = "${chomp(data.http.myip.body)}" +} diff --git a/roles/nextcloud/files/fail2ban.nextcloud.conf b/roles/nextcloud/files/fail2ban.nextcloud.conf new file mode 100644 index 0000000..3d2f8ae --- /dev/null +++ b/roles/nextcloud/files/fail2ban.nextcloud.conf @@ -0,0 +1,5 @@ +[Definition] +_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*) +failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed: + ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error. +datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?" diff --git a/roles/nextcloud/files/fail2ban.nextcloud.local b/roles/nextcloud/files/fail2ban.nextcloud.local new file mode 100644 index 0000000..7756fed --- /dev/null +++ b/roles/nextcloud/files/fail2ban.nextcloud.local @@ -0,0 +1,10 @@ +[nextcloud] +backend = auto +enabled = true +port = 0:65535 +protocol = tcp +filter = nextcloud +maxretry = 3 +bantime = 1w +findtime = 43200 +logpath = /srv/nextcloud/www/data/nextcloud.log diff --git a/roles/nextcloud/tasks/main.yaml b/roles/nextcloud/tasks/main.yaml index d161506..635859d 100644 --- a/roles/nextcloud/tasks/main.yaml +++ b/roles/nextcloud/tasks/main.yaml @@ -17,6 +17,7 @@ vars: packages: - openssl + - fail2ban # -- @@ -56,7 +57,7 @@ chdir: /srv/nextcloud/letsencrypt/etc when: dhparams.stat.exists == False -# --- +## docker configuration - name: nextcloud docker-compose template: @@ -89,7 +90,8 @@ chdir: /srv/nextcloud when: nginxconf.changed or certbotnginx.changed -# --- + +## nextcloud config.php edits - name: edit config.php lineinfile: @@ -110,6 +112,33 @@ command: docker restart nextcloud when: configphp.changed + +## Set up Fail2ban + +- name: fail2ban filter configuration + copy: + src: files/fail2ban.nextcloud.conf + dest: /etc/fail2ban/filter.d/nextcloud.conf + register: fail2filter + +- name: fail2ban jail configuration + template: + src: templates/fail2ban.jail.local + dest: /etc/fail2ban/jail.d/jail.local + register: fail2jail + +- name: nextcloud jail configuration + copy: + src: files/fail2ban.nextcloud.local + dest: /etc/fail2ban/jail.d/nextcloud.local + register: fail2nc + +- name: restart fail2ban + service: + name: fail2ban + state: restarted + when: fail2filter.changed or fail2jail.changed or fail2nc.changed + # --- - name: do some cleanup diff --git a/roles/nextcloud/templates/fail2ban.jail.local b/roles/nextcloud/templates/fail2ban.jail.local new file mode 100644 index 0000000..92d1d09 --- /dev/null +++ b/roles/nextcloud/templates/fail2ban.jail.local @@ -0,0 +1,10 @@ +[DEFAULT] + +# include our IP addresses in the ignore list +ignoreip = 127.0.0.1/8 172.16.0.0/16 {{public_ip}}/32 {{myip}}/32 + +# suffer not a rando to access +bantime = 1w + +maxretry = 5 +