fail2forward

2026-05-31 00:10:02 +02:00
parent fdc99031dd
commit 85cf6f5533
8 changed files with 79 additions and 21 deletions
@@ -13,6 +13,31 @@
        name: fail2forward
        create_home: true

+    - name: Create .ssh
+      ansible.builtin.file:
+        name: /home/fail2forward/.ssh
+        owner: fail2forward
+        group: fail2forward
+        state: directory
+        mode: '0655'
+
+    - name: Create authorized_keys
+      ansible.builtin.copy:
+        content: "command=\"/usr/local/bin/fail2forward\",no-pty,no-agent-forwarding,no-X11-forwarding,no-port-forwarding,restrict \
+                  {{ lookup('ansible.builtin.file', '../fail2ban/fail2forward_id_rsa.pub') }}"
+        owner: fail2forward
+        group: fail2forward
+        dest: /home/fail2forward/.ssh/authorized_keys
+        mode: '0644'
+
+    - name: Copy fail2forward script
+      ansible.builtin.template:
+        src: fail2forward.j2
+        dest: /usr/local/bin/fail2forward
+        owner: root
+        group: root
+        mode: '0755'
+
    - name: Copy jail.local
      ansible.builtin.template:
        src: jail.local.j2
@@ -20,9 +45,7 @@
        owner: root
        group: root
        mode: '0644'
-      notify: Restart fail2ban

-  handlers:
    - name: Restart fail2ban
      ansible.builtin.service:
        name: fail2ban
@@ -0,0 +1,17 @@
+#!/bin/bash
+set -euo pipefail
+case "$SSH_ORIGINAL_COMMAND" in
+  "ban "*)
+    ip="${SSH_ORIGINAL_COMMAND#ban }"
+    [[ "$ip" =~ ^[0-9.]+$|^[0-9a-fA-F:]+$ ]] || { echo "bad ip"; exit 1; }
+    exec fail2ban-client set sshd banip "$ip"
+    ;;
+  "unban "*)
+    ip="${SSH_ORIGINAL_COMMAND#unban }"
+    [[ "$ip" =~ ^[0-9.]+$|^[0-9a-fA-F:]+$ ]] || { echo "bad ip"; exit 1; }
+    exec fail2ban-client set sshd unbanip "$ip"
+    ;;
+  *)
+    echo "denied" >&2; exit 1
+    ;;
+esac
@@ -8,20 +8,5 @@ bantime.multipliers = 1 5 30 60 300 720 1440 2880

 [sshd]
 enabled = true
-port    = ssh,2222,4444
-
-[nginx-http-auth]
-enabled = true
-
-[nginx-limit-req]
-enabled = true
-
-[postfix]
-enabled  = true
-port     = smtp,submission
-logpath  = /opt/beeserver/mail/mail-logs/mail.log
-
-[dovecot]
-enabled  = true
-port     = imaps,pop3s
-logpath  = /opt/beeserver/mail/mail-logs/mail.log
+port    = ssh
+backend = systemd