Add fail2ban

This commit is contained in:
Erik Stambaugh 2022-01-08 15:00:39 -08:00
parent 2dbf15a844
commit 513d80d76c
7 changed files with 68 additions and 7 deletions

View file

@ -11,21 +11,25 @@ setup:
$(eval INSTANCE := $(shell terraform output instance_id | sed -e 's/"//g')) $(eval INSTANCE := $(shell terraform output instance_id | sed -e 's/"//g'))
$(eval PUBLIC_IP := $(shell terraform output public_ip | sed -e 's/"//g')) $(eval PUBLIC_IP := $(shell terraform output public_ip | sed -e 's/"//g'))
$(eval BUCKET := $(shell terraform output bucket | sed -e 's/"//g')) $(eval BUCKET := $(shell terraform output bucket | sed -e 's/"//g'))
$(eval MYIP := $(shell terraform output myip | sed -e 's/"//g'))
chmod 600 privkey.pem chmod 600 privkey.pem
ansible: setup templates: setup
timeout --foreground 300 bash -c -- 'until $(SSH) $(INSTANCE) "/bin/true"; do sleep 0.5; done'
$(SSH) $(INSTANCE) "which -a ansible || (sudo apt-get update && sudo apt-get -y install ansible)"
sed \ sed \
-e 's/{{INSTANCE}}/$(INSTANCE)/' \ -e 's/{{INSTANCE}}/$(INSTANCE)/' \
-e 's/{{PUBLIC_IP}}/$(PUBLIC_IP)/' \ -e 's/{{PUBLIC_IP}}/$(PUBLIC_IP)/' \
-e 's/{{BUCKET}}/$(BUCKET)/' \ -e 's/{{BUCKET}}/$(BUCKET)/' \
-e 's/{{MYIP}}/$(MYIP)/' \
inventory.tmpl.ini > inventory.ini inventory.tmpl.ini > inventory.ini
ansible: templates
timeout --foreground 300 bash -c -- 'until $(SSH) $(INSTANCE) "/bin/true"; do sleep 0.5; done'
$(SSH) $(INSTANCE) "which -a ansible || (sudo apt-get update && sudo apt-get -y install ansible)"
ansible-playbook -i inventory.ini --private-key privkey.pem -l nextcloud site.yaml ansible-playbook -i inventory.ini --private-key privkey.pem -l nextcloud site.yaml
terraform: terraform:
terraform init terraform init
terraform apply terraform apply
.PHONY: setup ansible terraform .PHONY: setup ansible terraform templates

View file

@ -1,4 +1,4 @@
[nextcloud] [nextcloud]
nextcloud ansible_host={{INSTANCE}} ansible_user=ubuntu hostname=nextcloud public_ip={{PUBLIC_IP}} bucket={{BUCKET}} nextcloud ansible_host={{INSTANCE}} ansible_user=ubuntu hostname=nextcloud public_ip={{PUBLIC_IP}} bucket={{BUCKET}} myip={{MYIP}}
[nextcloud:vars] [nextcloud:vars]
ansible_ssh_common_args=-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ProxyCommand="sh -c \"aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p\"" ansible_ssh_common_args=-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ProxyCommand="sh -c \"aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p\""

View file

@ -223,5 +223,8 @@ output "nameservers" {
output "bucket" { output "bucket" {
value = module.s3_bucket.s3_bucket_id value = module.s3_bucket.s3_bucket_id
} }
output "myip" {
value = "${chomp(data.http.myip.body)}"
}

View file

@ -0,0 +1,5 @@
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"

View file

@ -0,0 +1,10 @@
[nextcloud]
backend = auto
enabled = true
port = 0:65535
protocol = tcp
filter = nextcloud
maxretry = 3
bantime = 1w
findtime = 43200
logpath = /srv/nextcloud/www/data/nextcloud.log

View file

@ -17,6 +17,7 @@
vars: vars:
packages: packages:
- openssl - openssl
- fail2ban
# -- # --
@ -56,7 +57,7 @@
chdir: /srv/nextcloud/letsencrypt/etc chdir: /srv/nextcloud/letsencrypt/etc
when: dhparams.stat.exists == False when: dhparams.stat.exists == False
# --- ## docker configuration
- name: nextcloud docker-compose - name: nextcloud docker-compose
template: template:
@ -89,7 +90,8 @@
chdir: /srv/nextcloud chdir: /srv/nextcloud
when: nginxconf.changed or certbotnginx.changed when: nginxconf.changed or certbotnginx.changed
# ---
## nextcloud config.php edits
- name: edit config.php - name: edit config.php
lineinfile: lineinfile:
@ -110,6 +112,33 @@
command: docker restart nextcloud command: docker restart nextcloud
when: configphp.changed when: configphp.changed
## Set up Fail2ban
- name: fail2ban filter configuration
copy:
src: files/fail2ban.nextcloud.conf
dest: /etc/fail2ban/filter.d/nextcloud.conf
register: fail2filter
- name: fail2ban jail configuration
template:
src: templates/fail2ban.jail.local
dest: /etc/fail2ban/jail.d/jail.local
register: fail2jail
- name: nextcloud jail configuration
copy:
src: files/fail2ban.nextcloud.local
dest: /etc/fail2ban/jail.d/nextcloud.local
register: fail2nc
- name: restart fail2ban
service:
name: fail2ban
state: restarted
when: fail2filter.changed or fail2jail.changed or fail2nc.changed
# --- # ---
- name: do some cleanup - name: do some cleanup

View file

@ -0,0 +1,10 @@
[DEFAULT]
# include our IP addresses in the ignore list
ignoreip = 127.0.0.1/8 172.16.0.0/16 {{public_ip}}/32 {{myip}}/32
# suffer not a rando to access
bantime = 1w
maxretry = 5