Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make Fail2ban settings extensible #1177

Merged
merged 4 commits into from
May 11, 2020
Merged

Make Fail2ban settings extensible #1177

merged 4 commits into from
May 11, 2020

Conversation

raph-topo
Copy link
Contributor

@raph-topo raph-topo commented Apr 22, 2020
edited
Loading

add the ability to add custom services in group_vars/;
add the ability to include custom filters in a new fail2ban-filters/ folder;
inspired from the nginx-includes task in wordpress-setup role.

  • custom services
  • custom filters
  • readme
  • changelog
  • docs

@raph-topo raph-topo closed this Apr 22, 2020
@raph-topo raph-topo deleted the feature/make_fail2ban_extensible branch April 22, 2020 21:32
@raph-topo raph-topo restored the feature/make_fail2ban_extensible branch April 22, 2020 21:33
@raph-topo raph-topo reopened this Apr 22, 2020
@raph-topo
Copy link
Contributor Author

A use case would be adding services and filters to integrate the WP-Fail2ban plugin.

@swalkinshaw
Copy link
Member

Thanks for the suggestion and use case. By default, every variable in Ansible can be overridden in group_vars as it takes precedence. So right now, without this PR, you could do the following:

# group_vars/all/fail2ban.yml

fail2ban_services:
  - name: ssh
    port: ssh
    filter: sshd
    logpath: /var/log/auth.log
  - name: postfix
    port: smtp,ssmtp
    filter: postfix
    logpath: /var/log/mail.log

The README in the role points this out: https://github.com/roots/trellis/blob/5de70af75e24d0c00826f079532099728361179a/roles/fail2ban/README.md#example-playbook

The one very minor downside here is you need to include the default ssh entry. If you don't it will be removed.

Nginx includes warrant their own extra solution for one main reason: they are templates which can't just be represented in a YAML data structure like these fail2ban services can.

This seems like it would solve your use case; can you confirm that? If so, I'd prefer just using these default features of Ansible in this case instead of adding an extra feature.

@raph-topo
Copy link
Contributor Author

raph-topo commented Apr 23, 2020
edited
Loading

The one very minor downside here is you need to include the default ssh entry. If you don't it will be removed.

Indeed, and people might miss or forget that and inadvertently deactivate the ssh filter. So I believe it is safer to make it extensible by default instead of just replaceable.
Also, having a _default and a _custom allows Trellis to add services through without conflicts.

This seems like it would solve your use case; can you confirm that?

For the services part yes, for the filters part no. They still have to be copied over to the servers, which I introduce in the second commit d7f8733

For the WP Fail2ban, 3 filters and 3 services have to be added.

If this convinces you, should I also edit the Fail2ban Readme and add this to the docs in Digging deeper or Security?

@raph-topo
Copy link
Contributor Author

By the forums, it seems people bumped into this already without being able to configure Fail2ban as expected.

@swalkinshaw
Copy link
Member

Ah thank you, that makes sense! I didn't know about the filters.

Yes updating the README + docs would be great. Thank you 😄

@raph-topo
Copy link
Contributor Author

raph-topo commented May 7, 2020
edited
Loading

This PR should be ready, but I am still working on roots/docs. But I am blocked by an unexpected behavior described in #1181.

raph-topo added 4 commits May 10, 2020 23:11
@raph-topo
Make Fail2ban services list extensible
8fa441b 
enable adding custom services in 'group_vars/';
rename default list to 'fail2ban_services_default';
create 'fail2ban_services_default';
combine 'default' & 'custom'.
@raph-topo
Make Fail2ban filters pluggable
0997eaf 
enable adding custom Fail2ban filters;
task style inspired from 'nginx-includes' task in 'wordpress-setup' role;
add tasks to copy Fail2ban filter configurations;
set default folder 'fail2ban-filters'.
@raph-topo
Improve the README
beaff2e 
Add new variables and their description.
Explain how to add services and filters in `group_vars` and `fail2ban_filters` respectively.
@raph-topo
Update CHANGELOG
2fbed9d
@raph-topo
Copy link
Contributor Author

Rebased to HEAD.
OK for merge of this PR.

@swalkinshaw
Copy link
Member

🎉 thank you this is great. Tested it out and works as expected.

@swalkinshaw swalkinshaw merged commit 161c29f into roots:master May 11, 2020
@raph-topo raph-topo deleted the feature/make_fail2ban_extensible branch May 11, 2020 12:42
@raph-topo raph-topo mentioned this pull request May 25, 2020
Closed
@SteelWagstaff SteelWagstaff mentioned this pull request Aug 31, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@raph-topo @swalkinshaw