Skip to content
Extraits de code Groupes Projets
Sélectionner une révision Git
  • 6eb0e7cacc47003605188fd77603578c155d0731
  • 14.0 par défaut
  • 13.0
  • 12.0 protégée
4 résultats

__manifest__.py

Blame
  • jail.local.j2 2,37 Kio
    [INCLUDES]
    before = paths-debian.conf
    
    [DEFAULT]
    # MISC
    ignoreip = 127.0.0.1/8{% if inventory_hostname in groups.docker | default([]) %} 172.16.0.0/12 192.168.0.0/16{% endif %}{% for host in groups.docker_nagios | default([]) %} {{ hostvars[host].ansible_host }}/32{% endfor %}
    
    ignorecommand =
    bantime  = 86400 ; ban for 1 day
    findtime  = 3600 ; search for 1 hour
    maxretry = 3
    maxmatches = %(maxretry)s
    backend = polling
    usedns = warn
    logencoding = auto
    enabled = false
    mode = normal
    filter = %(__name__)s[mode=%(mode)s]
    
    # ACTIONS
    destemail = {{ default_maintenance_email }}
    sender = {{ inventory_hostname|lower }}_server@{{ inventory_hostname|lower }}.server
    mta = sendmail
    protocol = tcp
    chain = INPUT
    port = 0:65535
    fail2ban_agent = Fail2Ban/%(fail2ban_version)s
    banaction = iptables-multiport
    banaction_allports = iptables-allports
    action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
    action = %(action_)s
    
    # JAILS
    [sshd]
    backend = systemd
    enabled = true
    logpath = /var/log/auth.log
    mode    = aggressive
    port    = {{ default_sshd_port }}
    
    {% if inventory_hostname in groups.gitlab | default([]) %}
    [gitlab]
    enabled = true
    logpath = /var/log/gitlab/gitlab-rails/application.log
    port    = http,https
    
    [nginx-http-auth]
    enabled	= true
    logpath = /var/log/gitlab/nginx/*error.log
    port    = http,https
    
    [nginx-botsearch]
    enabled	 = true
    logpath  = /var/log/gitlab/nginx/*error.log
    maxretry = 2
    port     = http,https
    
    {% endif %}
    {% if inventory_hostname in groups.odoo_server | default([]) or inventory_hostname in groups.owncloud_server | default([]) %}
    [nginx-http-auth]
    enabled	= true
    logpath = /var/log/nginx/*error.log
    port    = http,https
    
    [nginx-botsearch]
    enabled	 = true
    logpath  = /var/log/nginx/*error.log
    maxretry = 2
    port     = http,https
    
    {% endif %}
    [recidive]
    banaction = %(banaction_allports)s
    bantime  = 1w
    enabled  = true
    findtime = 1d
    logpath  = /var/log/fail2ban.log
    {% if inventory_hostname in groups.docker | default([]) and inventory_hostname not in groups.docker_nextcloud | default([]) %}
    
    [traefik-auth]
    chain    = FORWARD
    enabled  = true
    {% if docker_userns_remap %}
    logpath  = /var/lib/docker/{{ dockremap_subuid | default("*") }}.{{ dockremap_subgid | default("*") }}/volumes/inverseproxy_logs/_data/access.log
    {% else %}
    logpath  = /var/lib/docker/volumes/inverseproxy_logs/_data/access.log
    {% endif %}
    mode     = aggressive
    port     = http,https
    {% endif %}