Add fail2ban

Makefile

@@ -11,21 +11,25 @@ setup:
 	$(eval INSTANCE  := $(shell terraform output instance_id | sed -e 's/"//g'))
 	$(eval PUBLIC_IP := $(shell terraform output public_ip   | sed -e 's/"//g'))
 	$(eval BUCKET    := $(shell terraform output bucket      | sed -e 's/"//g'))
+	$(eval MYIP      := $(shell terraform output myip        | sed -e 's/"//g'))
 	chmod 600 privkey.pem
 
-ansible: setup
-	timeout --foreground 300 bash -c -- 'until $(SSH) $(INSTANCE) "/bin/true"; do sleep 0.5; done'
-	$(SSH) $(INSTANCE) "which -a ansible || (sudo apt-get update && sudo apt-get -y install ansible)"
+templates: setup
 	sed \
 		-e 's/{{INSTANCE}}/$(INSTANCE)/' \
 		-e 's/{{PUBLIC_IP}}/$(PUBLIC_IP)/' \
 		-e 's/{{BUCKET}}/$(BUCKET)/' \
+		-e 's/{{MYIP}}/$(MYIP)/' \
 		inventory.tmpl.ini > inventory.ini
+
+ansible: templates
+	timeout --foreground 300 bash -c -- 'until $(SSH) $(INSTANCE) "/bin/true"; do sleep 0.5; done'
+	$(SSH) $(INSTANCE) "which -a ansible || (sudo apt-get update && sudo apt-get -y install ansible)"
 	ansible-playbook -i inventory.ini --private-key privkey.pem -l nextcloud site.yaml
 
 terraform:
 	terraform init
 	terraform apply
 
-.PHONY: setup ansible terraform
+.PHONY: setup ansible terraform templates
 

inventory.tmpl.ini

@@ -1,4 +1,4 @@
 [nextcloud]
-nextcloud ansible_host={{INSTANCE}} ansible_user=ubuntu hostname=nextcloud public_ip={{PUBLIC_IP}} bucket={{BUCKET}}
+nextcloud ansible_host={{INSTANCE}} ansible_user=ubuntu hostname=nextcloud public_ip={{PUBLIC_IP}} bucket={{BUCKET}} myip={{MYIP}}
 [nextcloud:vars]
 ansible_ssh_common_args=-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ProxyCommand="sh -c \"aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p\""

nextcloud.tf

@@ -223,5 +223,8 @@ output "nameservers" {
 output "bucket" {
   value = module.s3_bucket.s3_bucket_id
 }
+output "myip" {
+  value = "${chomp(data.http.myip.body)}"
+}
 
 

roles/nextcloud/files/fail2ban.nextcloud.conf

@@ -0,0 +1,5 @@
+[Definition]
+_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
+            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
+datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"

roles/nextcloud/files/fail2ban.nextcloud.local

@@ -0,0 +1,10 @@
+[nextcloud]
+backend = auto
+enabled = true
+port = 0:65535
+protocol = tcp
+filter = nextcloud
+maxretry = 3
+bantime = 1w
+findtime = 43200
+logpath = /srv/nextcloud/www/data/nextcloud.log

roles/nextcloud/tasks/main.yaml

@@ -17,6 +17,7 @@
   vars:
     packages:
       - openssl
+      - fail2ban
 
 # --
 
@@ -56,7 +57,7 @@
     chdir: /srv/nextcloud/letsencrypt/etc
   when: dhparams.stat.exists == False
 
-# ---
+## docker configuration
 
 - name: nextcloud docker-compose
   template:
@@ -89,7 +90,8 @@
     chdir: /srv/nextcloud
   when: nginxconf.changed or certbotnginx.changed
 
-# ---
+
+## nextcloud config.php edits
 
 - name: edit config.php
   lineinfile:
@@ -110,6 +112,33 @@
   command: docker restart nextcloud
   when: configphp.changed
 
+
+## Set up Fail2ban
+
+- name: fail2ban filter configuration
+  copy:
+    src: files/fail2ban.nextcloud.conf
+    dest: /etc/fail2ban/filter.d/nextcloud.conf
+  register: fail2filter
+
+- name: fail2ban jail configuration
+  template:
+    src: templates/fail2ban.jail.local
+    dest: /etc/fail2ban/jail.d/jail.local
+  register: fail2jail
+
+- name: nextcloud jail configuration
+  copy:
+    src: files/fail2ban.nextcloud.local
+    dest: /etc/fail2ban/jail.d/nextcloud.local
+  register: fail2nc
+
+- name: restart fail2ban
+  service:
+    name: fail2ban
+    state: restarted
+  when: fail2filter.changed or fail2jail.changed or fail2nc.changed
+
 # ---
 
 - name: do some cleanup

roles/nextcloud/templates/fail2ban.jail.local

@@ -0,0 +1,10 @@
+[DEFAULT]
+
+# include our IP addresses in the ignore list
+ignoreip = 127.0.0.1/8 172.16.0.0/16 {{public_ip}}/32 {{myip}}/32
+
+# suffer not a rando to access
+bantime  = 1w
+
+maxretry = 5
+