bee/beepi
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fail2forward

Browse Source
This commit is contained in:
bee
2026-05-31 00:10:02 +02:00
parent fdc99031dd
commit 85cf6f5533
8 changed files with 79 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.vscode/tasks.json
Vendored
+10
View File
@@ -70,6 +70,16 @@
"panel": "dedicated" "panel": "dedicated"
} }
}, },
{
"label": "Deploy: fail2ban-ingress",
"type": "shell",
"command": "make deploy-fail2ban-ingress",
"group": "build",
"presentation": {
"reveal": "always",
"panel": "dedicated"
}
},
{ {
"label": "Deploy: mail", "label": "Deploy: mail",
"type": "shell", "type": "shell",
playbooks/fail2ban-ingress/fail2ban-ingress.yml
+25 -2
View File
@@ -13,6 +13,31 @@
name: fail2forward name: fail2forward
create_home: true create_home: true
- name: Create .ssh
ansible.builtin.file:
name: /home/fail2forward/.ssh
owner: fail2forward
group: fail2forward
state: directory
mode: '0655'
- name: Create authorized_keys
ansible.builtin.copy:
content: "command=\"/usr/local/bin/fail2forward\",no-pty,no-agent-forwarding,no-X11-forwarding,no-port-forwarding,restrict \
{{ lookup('ansible.builtin.file', '../fail2ban/fail2forward_id_rsa.pub') }}"
owner: fail2forward
group: fail2forward
dest: /home/fail2forward/.ssh/authorized_keys
mode: '0644'
- name: Copy fail2forward script
ansible.builtin.template:
src: fail2forward.j2
dest: /usr/local/bin/fail2forward
owner: root
group: root
mode: '0755'
- name: Copy jail.local - name: Copy jail.local
ansible.builtin.template: ansible.builtin.template:
src: jail.local.j2 src: jail.local.j2
@@ -20,9 +45,7 @@
owner: root owner: root
group: root group: root
mode: '0644' mode: '0644'
notify: Restart fail2ban
handlers:
- name: Restart fail2ban - name: Restart fail2ban
ansible.builtin.service: ansible.builtin.service:
name: fail2ban name: fail2ban
playbooks/fail2ban-ingress/fail2forward.j2
+17
View File
@@ -0,0 +1,17 @@
#!/bin/bash
set -euo pipefail
case "$SSH_ORIGINAL_COMMAND" in
"ban "*)
ip="${SSH_ORIGINAL_COMMAND#ban }"
[[ "$ip" =~ ^[0-9.]+$|^[0-9a-fA-F:]+$ ]] || { echo "bad ip"; exit 1; }
exec fail2ban-client set sshd banip "$ip"
;;
"unban "*)
ip="${SSH_ORIGINAL_COMMAND#unban }"
[[ "$ip" =~ ^[0-9.]+$|^[0-9a-fA-F:]+$ ]] || { echo "bad ip"; exit 1; }
exec fail2ban-client set sshd unbanip "$ip"
;;
*)
echo "denied" >&2; exit 1
;;
esac
playbooks/fail2ban-ingress/jail.local.j2
+2 -17
View File
@@ -8,20 +8,5 @@ bantime.multipliers = 1 5 30 60 300 720 1440 2880
[sshd] [sshd]
enabled = true enabled = true
port = ssh,2222,4444 port = ssh
backend = systemd
[nginx-http-auth]
enabled = true
[nginx-limit-req]
enabled = true
[postfix]
enabled = true
port = smtp,submission
logpath = /opt/beeserver/mail/mail-logs/mail.log
[dovecot]
enabled = true
port = imaps,pop3s
logpath = /opt/beeserver/mail/mail-logs/mail.log
playbooks/fail2ban/fail2ban.yml
+8 -2
View File
@@ -36,9 +36,15 @@
owner: root owner: root
group: root group: root
mode: '0644' mode: '0644'
notify: Restart fail2ban
handlers: - name: Copy forward.conf
ansible.builtin.template:
src: forward.conf.j2
dest: /etc/fail2ban/action.d/forward.conf
owner: root
group: root
mode: '0644'
- name: Restart fail2ban - name: Restart fail2ban
ansible.builtin.service: ansible.builtin.service:
name: fail2ban name: fail2ban
playbooks/fail2ban/fail2forward_id_rsa.pub
+1
View File
@@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpbmyeKy5UjpTrLJk/QYzagg4MHfBV0/wPsAicn9jzxiK3Pqtn4zTCLchBis5Cfoc1aQCqUSp3X6CCjO5FIU0uaMAQPrZneecpSyDbNGkJuUM7JE2dY2pvMSdPpwzR54aauW56/HhtTARVZwgFOKwjcBaf3Fv98qiAzTTqGJjSJOZ6nFiuPm0PQ40867bUFLHuIJJBJVg3PHy+k0mUIsA8yF3ksSQOgyms2Iy54G6hL8ynpDoiLilbc4iYpBAyKjFCHx3Si1LIIH/hp2znexuzLRK68G7a919sEw+OT1h2gJLBnA6G36UwR4rVIQkNdScuM2WzggqGIdgbK8lOSCXf ansible-generated on beepi
playbooks/fail2ban/forward.conf.j2
+12
View File
@@ -0,0 +1,12 @@
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = sudo -u fail2forward ssh -i ~fail2forward/.ssh/id_rsa -o BatchMode=yes -o ConnectTimeout=5 -o ServerAliveInterval=5 <forward_user>@<forward_host> ban <ip>
actionunban = sudo -u fail2forward ssh -i ~fail2forward/.ssh/id_rsa -o BatchMode=yes -o ConnectTimeout=5 -o ServerAliveInterval=5 <forward_user>@<forward_host> unban <ip>
[Init]
forward_host = animeistrash.org
forward_user = fail2forward
playbooks/fail2ban/jail.local.j2
+4
View File
@@ -5,6 +5,10 @@ maxretry = 5
banaction = ufw banaction = ufw
bantime.increment = true bantime.increment = true
bantime.multipliers = 1 5 30 60 300 720 1440 2880 bantime.multipliers = 1 5 30 60 300 720 1440 2880
ignoreip = 81.217.198.106
action = %(action_)s
forward
[sshd] [sshd]
enabled = true enabled = true