mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2025-01-18 08:06:16 +01:00
46 lines
1.4 KiB
Django/Jinja
46 lines
1.4 KiB
Django/Jinja
#
|
|
# {{ansible_managed}}
|
|
#
|
|
|
|
[DEFAULT]
|
|
findtime = {{fail2ban_findtime}}
|
|
bantime = {{fail2ban_bantime}}
|
|
maxretry = {{fail2ban_maxretry}}
|
|
|
|
# ban time multiplier
|
|
bantime.increment = true
|
|
# default factor (causes increment - 1h -> 1d 2d 4d 8d 16d 32d ...):
|
|
bantime.factor = 24
|
|
# max banning time = 5 week:
|
|
bantime.maxtime = 5w
|
|
|
|
# don't trust dns
|
|
usedns = no
|
|
|
|
# if f2b ever needs to send emails, send them to root and make sure the sender
|
|
# address clearly identifies the host the message originated from
|
|
destemail = root
|
|
sender = fail2ban@{{ansible_fqdn}}
|
|
|
|
# use firewalld to manage bans - if we don't specify this, then fail2ban will
|
|
# default to use iptables, which we don't want as our systems are running
|
|
# firewalld with nftables backend.
|
|
#
|
|
# check current rules added to firewalld while fail2ban is running:
|
|
# firewall-cmd --direct --get-all-rules
|
|
# useful runtime commands include:
|
|
# fail2ban-client set <JAIL> banip <IP>
|
|
# fail2ban-cleint set <JAIL> unbanip <IP>
|
|
# fail2ban-client set unban <IP>
|
|
# fail2ban-client set unban --all
|
|
# see `fail2ban-client help` for full list of runtime commands
|
|
banaction = firewallcmd-ipset-allports
|
|
|
|
# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
|
|
# will not ban a host which matches an address in this list. Several addresses
|
|
# can be defined using space (and/or comma) separator.
|
|
ignoreip = 127.0.0.1/8 ::1
|
|
{% for host in groups['all'] %}
|
|
{{ hostvars[host]['inventory_hostname'] }}
|
|
{% endfor %}
|