debops / ansible-fail2ban

Install and configure fail2ban service
GNU General Public License v3.0

Support custom actions and filters #3

Closed carlalexander closed 8 years ago

carlalexander commented 8 years ago

I'm doing more research on how to add DDoS protection to the WordPress role. It seems like using fail2ban to scan and ban at the firewall level is the best option.

I've been looking at the filters that come included with the role. Besides apache-badbots, the other ones don't really look for what I need. I figure there should be support for custom actions and filters. Right now, you add some manually, but that's not possible for everyone. :smile:

drybjed commented 8 years ago

Umm, apache-badbots?

The problem with that is that you want to have some kind of data source for the files you want to configure on the remote hosts, so that Ansible knows what to template/copy over. One way would be to include the filters with the debops.fail2ban role, which makes adding custom ones complicated. Another way would be to specify a directory/directories from where Ansible can copy files. I suppose it depends on the scope you would like to have - install all filters on all hosts, or provide some flexibility with where you want what rules. debops.secret could be used for this, I suppose. What ideas do you have about including custom filters?

carlalexander commented 8 years ago

I just assumed they could be passed as a dependency like when I want to set a custom jail. Something like:

```yaml
# Proposed way to pass a custom filter to the role as a dependency variable
- role: 'debops.fail2ban'
  fail2ban_filters:
    - name: 'filter_name'
      failregex: ''
      ignoreregex: ''
      state: 'present'
```

This creates a filter at /etc/fail2ban/filter.d/filter_name.local. Not sure if that makes sense. Otherwise, if you have a better solution to handle this. I figured this was something to add to the role instead of doing it myself.
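Added example, not part of the thread and not the debops.fail2ban role's code: a pre-flight check that takes one entry in the `fail2ban_filters` shape proposed above, validates it, and renders the body of `/etc/fail2ban/filter.d/<name>.local`. The function names, the sample WordPress entry, the name whitelist and the `<HOST>` substitution used for the compile check are assumptions made for illustration.

```python
import re

FILTER_DIR = "/etc/fail2ban/filter.d"
# The name becomes a file name, so allow only a conservative character set.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*")
# Constructed sample entry in the shape proposed in the comment above.
SAMPLE = {"name": "wordpress-login", "state": "present", "ignoreregex": "",
          "failregex": r'^<HOST> .* "POST /wp-login\.php'}


def as_lines(value):
    """Accept a (multi-line) string or a list; drop empty entries."""
    items = value.splitlines() if isinstance(value, str) else list(value or [])
    return [item.strip() for item in items if item.strip()]


def validate_filter(spec):
    """Return a list of problems found in one fail2ban_filters entry."""
    name, state = spec.get("name", ""), spec.get("state", "present")
    problems = []
    if not SAFE_NAME.fullmatch(name):
        problems.append(f"unsafe filter name: {name!r}")
    if state not in ("present", "absent"):
        problems.append(f"{name}: unknown state {state!r}")
    patterns = as_lines(spec.get("failregex"))
    if state == "present" and not patterns:
        problems.append(f"{name}: empty failregex never bans anything")
    for pattern in patterns:
        if "<HOST>" not in pattern:
            problems.append(f"{name}: failregex has no <HOST> tag: {pattern!r}")
        try:  # Stand-in for fail2ban's own <HOST> expansion (assumption).
            re.compile(pattern.replace("<HOST>", r"(?P<host>\S+)"))
        except re.error as exc:
            problems.append(f"{name}: invalid regex {pattern!r}: {exc}")
    return problems


def render_filter(spec):
    """Return (path, body) of the .local file for a valid entry."""
    if validate_filter(spec):
        raise ValueError("; ".join(validate_filter(spec)))
    def option(key):  # continuation lines of a value must be indented
        return f"{key} = " + "\n    ".join(as_lines(spec.get(key)))
    body = f"[Definition]\n{option('failregex')}\n{option('ignoreregex')}\n"
    return f"{FILTER_DIR}/{spec['name']}.local", body.replace(" \n", "\n")


if __name__ == "__main__":
    print(*render_filter(SAMPLE), sep="\n")
```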

drybjed commented 8 years ago

Passing the filters using a list of dicts sounds good, you will probably use the role through a custom playbook, right?

carlalexander commented 8 years ago

It'd be a dependency of the main WordPress application role.

drybjed commented 8 years ago

@carlalexander OK, so you can pass custom filters/actions that way. If you have time, you could try making a PR for debops.fail2ban, otherwise I'll probably get around to it sometime later.

carlalexander commented 8 years ago

Yep, I'll look at a PR. Just wanted to run it by you first. :wink:

carlalexander commented 8 years ago

I think the PR covered this issue well enough. I'll open another one if I need to make further changes.