robertdebock / ansible-role-fail2ban

Install and configure fail2ban on your system.
https://robertdebock.nl/
Apache License 2.0

Feat: allow a permanent ban #9

Closed Pandemonium1986 closed 3 years ago

Pandemonium1986 commented 3 years ago

name: Allow a permanent ban
about: According to the fail2ban documentation it is possible to make a permanent ban by setting a negative value to "bantime". See Jail_Options.

Describe the change

First of all I simply changed the assertion test to allow the value -1 and only -1 in order to guarantee a permanent ban.

- fail2ban_bantime >= -1 and fail2ban_bantime != 0

In a second step I noticed a bad use of run_once. If a test fails, it is only executed for the first machine. This means that only the first machine can be taken out of the execution pool, whereas the assert file should stop the execution of the role (this is my point of view). So I modified it to perform the assert on the local machine, but delegate_to imposes an import instead of an include. Based on the code in the tasks/main.yml file I don't think an include is necessary. import vs include

- name: include assert.yml
  import_tasks: assert.yml
  run_once: yes
  delegate_to: localhost

Testing

Simply have two managed nodes and configure fail2ban_bantime = -1 :-)

- name: Configuration for ansible lab
  hosts: node1:node2
  become: true
  tasks:
    - name: Upgrade all packages
      dnf:
        name: "*"
        state: latest
    - name: Ensure fail2ban is installed
      import_role:
        name: robertdebock.fail2ban
      vars:
        fail2ban_bantime: -1

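
As an added illustration of the rule this PR's assertion expresses (example code, not from the role or its author), a small Python audit that applies the same check, bantime >= -1 and != 0, to every enabled jail in a constructed jail.local, honouring [DEFAULT] inheritance and coercing string values so the comparison is numeric rather than a str/int comparison:

```python
import configparser

# Constructed sample jail.local (not from the role) covering the cases the
# PR's assertion distinguishes: inherited finite ban, permanent ban (-1), and 0.
SAMPLE_JAIL_LOCAL = """
[DEFAULT]
bantime = 600
findtime = 600
maxretry = 5

[sshd]
enabled = true

[nginx-http-auth]
enabled = true
bantime = -1

[postfix]
enabled = true
bantime = 0
"""


def check_bantime(value):
    """Mirror the PR's assert (bantime >= -1 and bantime != 0).

    Returns 'finite', 'permanent' or 'invalid'. Values read from a config file
    or passed as Ansible vars may be strings, so coerce before comparing.
    """
    try:
        seconds = int(str(value).strip())
    except ValueError:
        return "invalid"  # non-numeric forms are not covered by the role's numeric check
    if seconds == -1:
        return "permanent"  # the only negative value the role accepts
    if seconds > 0:
        return "finite"
    return "invalid"  # 0, or any negative other than -1, fails the assertion


def audit_jails(text):
    """Return {jail: verdict} for each enabled jail; [DEFAULT] supplies bantime."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    verdicts = {}
    for jail in parser.sections():
        if parser.get(jail, "enabled", fallback="false").lower() != "true":
            continue
        verdicts[jail] = check_bantime(parser.get(jail, "bantime", fallback="0"))
    return verdicts


if __name__ == "__main__":
    for jail, verdict in audit_jails(SAMPLE_JAIL_LOCAL).items():
        print(f"{jail:18s} {verdict}")
```
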
robertdebock commented 3 years ago

Thanks, both changes look like a good improvement, I'll likely change the run_once on all roles.