Set up fail2ban for nginx, move IPFS gateway to proxy role

2022-11-22 21:16:27 +01:00
parent 7f545404b1
commit d06f5d7723
33 changed files with 1528 additions and 100 deletions
--- a/cookbooks/fail2ban/attributes/default.rb
+++ b/cookbooks/fail2ban/attributes/default.rb
@@ -0,0 +1,81 @@
+#
+# Cookbook:: fail2ban
+# Attributes:: default
+#
+# Copyright:: 2013-2018, Chef Software, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the 'License');
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an 'AS IS' BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# fail2ban.conf configuration options
+default['fail2ban']['loglevel'] = 'INFO'
+default['fail2ban']['logtarget'] = '/var/log/fail2ban.log'
+default['fail2ban']['syslogsocket'] = 'auto'
+default['fail2ban']['socket'] = '/var/run/fail2ban/fail2ban.sock'
+default['fail2ban']['pidfile'] = '/var/run/fail2ban/fail2ban.pid'
+default['fail2ban']['dbfile'] = '/var/lib/fail2ban/fail2ban.sqlite3'
+default['fail2ban']['dbpurgeage'] = 86_400
+
+# jail.conf configuration options
+default['fail2ban']['ignoreip'] = '127.0.0.1/8'
+default['fail2ban']['findtime'] = 600
+default['fail2ban']['bantime'] = 300
+default['fail2ban']['maxretry'] = 5
+default['fail2ban']['backend'] = 'polling'
+default['fail2ban']['email'] = 'root@localhost'
+default['fail2ban']['sendername'] = 'Fail2Ban'
+default['fail2ban']['action'] = 'action_'
+default['fail2ban']['banaction'] = 'iptables-multiport'
+default['fail2ban']['mta'] = 'sendmail'
+default['fail2ban']['protocol'] = 'tcp'
+default['fail2ban']['chain'] = 'INPUT'
+# Create and copy/past your Slack webhook in the following attribute and you'll
+# get Slack message on banning/unbanning IP like this:
+# [hostname] Banned 🇳🇬 217.117.13.12 in the jail sshd after 5 attempts
+#
+# A Slack webhook looks like this:
+# https://hooks.slack.com/services/A123BCD4E/FG5HI6KLM/7n8opqrsT9UVWxyZ0AbCdefG
+default['fail2ban']['slack_webhook'] = nil
+# Then setting the Slack channel name without the hashtag (#)
+default['fail2ban']['slack_channel'] = 'general'
+
+# Using attributes to specify the fail2ban filters is now deprecated in favor
+# of the fail2ban_filter resource which provides a more Chef native way of defining
+# individual filters in recipes using resources
+# format: { name: { failregex: '', ignoreregex: ''} }
+default['fail2ban']['filters'] = {}
+
+case node['platform_family']
+when 'rhel', 'fedora', 'amazon'
+  default['fail2ban']['auth_log'] = '/var/log/secure'
+when 'debian'
+  default['fail2ban']['auth_log'] = '/var/log/auth.log'
+end
+
+# Using attributes to specify the fail2ban jails is now deprecated in favor
+# of the fail2ban_filter resource which provides a more Chef native way of defining
+# individual filters in recipes using resources
+default['fail2ban']['services'] = {
+  'ssh' => {
+    'enabled' => 'true',
+    'port' => 'ssh',
+    'filter' => 'sshd',
+    'logpath' => node['fail2ban']['auth_log'],
+    'maxretry' => '6',
+  },
+}
+
+if platform_family?('rhel', 'fedora', 'amazon')
+  default['fail2ban']['services']['ssh-iptables'] = {
+    'enabled' => false,
+  }
+end