robertdebock / ansible-role-fail2ban

Install and configure fail2ban on your system.
https://robertdebock.nl/
Apache License 2.0

No support for multiple values in jail.local ini file #14

Open Morishiri opened 11 months ago

Morishiri commented 11 months ago

Describe the bug

I try to add multiple actions in one section in jail. It is not possible in current role form.

Playbook

Please paste the playbook you are using. (Consider requirements.yml and optionally the command you've invoked.)

---
    - role: robertdebock.fail2ban
      become: true
      vars:
        fail2ban_filterd_path: "../fail2ban/filters/"
        fail2ban_jail_configuration:
          - section: syslog-sftp
            option: action
            value: |
              iptables-allports[actname=sshd,name=sshd,protocol=all]
                       iptables-allports[actname=sshd-docker,name=sshd-docker,protocol=all,chain=DOCKER]

Output

It constantly multiplies the last line (adds it again with each playbook execution):

 action = iptables-allports[actname=sshd,name=sshd,protocol=all]
          iptables-allports[actname=sshd-docker,name=sshd-docker,protocol=all,chain=DOCKER]

+         iptables-allports[actname=sshd-docker,name=sshd-docker,protocol=all,chain=DOCKER]


roumano commented 11 months ago

I confirm I get a similar issue.

I don't think it's possible to fix this issue with the current module (ini_file).

I've removed the current ini_file task

- name: Configure jail.local
  community.general.ini_file:
  ...

and replaced it with a template task:

- name: Configure jail.local
  ansible.builtin.template:
    src: jail.local.j2
    dest: /etc/fail2ban/jail.local
    mode: "0640"
  notify:
    - Restart fail2ban

Of course, you need to create the template file templates/jail.local.j2:

{# Template to create the jail #}
{% for i in fail2ban_jail_configuration %}
[{{ i.name }}]
{% for k in i if k != 'name' %}
{{ k }} = {{ i[k] }}
{% endfor %}
{% endfor %}

And the configuration format changes too; please find an example:

fail2ban_jail_configuration:
  - name: DEFAULT
    ignoreself: 'true'
    destemail: XX@YYY.ZZ
    sender: root@{{ inventory_hostname }}.YYY.ZZ
  - name: guacamole
    enabled: 'true'
    port: 8080
    logpath: /var/log/tomcat9/catalina.out
    filter: guacamole_XXXX
    banaction: iptables-multiport
    maxretry: 2
    bantime: 1m
    findtime: 60m
    action: |
      iptables-guacamole[name="guacamole", port="8080", protocol="tcp"]
               smtp.py[host="smtp.XXX.YY:25", sender="noreply@XXX.YY", dest="XXX@YYY.ZZ,XXX2@YYY.ZZ"]

I removed the task assert | Test fail2ban_jail_configuration (in assert.yml) as the fail2ban_jail_configuration format changed, but ideally it should also be rewritten.

If you think this is the right way to fix the issue, I can create a PR with these changes.
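To check that the template approach yields a jail.local whose multi-line action survives a round trip, here is an added Python example (not code from the role or from either commenter) that renders the same per-section dict structure the jail.local.j2 template consumes, parses the result back with the standard library's configparser (which joins indented continuation lines the way fail2ban's reader does), and flags the duplicated-continuation-line symptom from the bug report. The jail names and action values are constructed sample data.

```python
import configparser

# Constructed sample in the per-section dict structure the jail.local.j2 template expects.
FAIL2BAN_JAIL_CONFIGURATION = [
    {
        "name": "syslog-sftp",
        "enabled": "true",
        # Multi-line value, as in the bug report's playbook.
        "action": (
            "iptables-allports[actname=sshd,name=sshd,protocol=all]\n"
            "iptables-allports[actname=sshd-docker,name=sshd-docker,protocol=all,chain=DOCKER]\n"
        ),
    },
]

# Constructed reproduction of the symptom in the report: a re-run of the
# ini_file task appended the last continuation line a second time.
DUPLICATED_AFTER_RERUN = """[syslog-sftp]
action = iptables-allports[actname=sshd,name=sshd,protocol=all]
    iptables-allports[actname=sshd-docker,name=sshd-docker,protocol=all,chain=DOCKER]
    iptables-allports[actname=sshd-docker,name=sshd-docker,protocol=all,chain=DOCKER]
"""

def render_jail_local(sections):
    """Like templates/jail.local.j2: [name], then 'key = value' per other
    key; continuation lines are indented so they stay in the same option."""
    out = []
    for section in sections:
        out.append(f"[{section['name']}]")
        for key, value in section.items():
            if key == "name":
                continue
            lines = str(value).rstrip("\n").split("\n")
            out.append(f"{key} = {lines[0]}")
            out.extend(f"    {line.strip()}" for line in lines[1:])
        out.append("")
    return "\n".join(out)

def parse_actions(jail_local_text, jail):
    """Read the file back with configparser, which joins indented
    continuation lines as fail2ban's reader does, and list the actions."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(jail_local_text)
    return parser.get(jail, "action").split("\n")

def repeated_action_entries(jail_local_text, jail):
    """Action entries seen more than once in a jail (the report's symptom)."""
    entries = parse_actions(jail_local_text, jail)
    return sorted({e for e in entries if entries.count(e) > 1})
```

Running repeated_action_entries against the deployed /etc/fail2ban/jail.local after a second playbook run is a quick way to confirm the task is idempotent.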