Initial commit of PVC Ansible role

2023-09-01 15:42:19 -04:00
commit 6dfaf433dc
92 changed files with 4709 additions and 0 deletions
--- a/roles/base/templates/etc/fail2ban/action.d/route.conf.j2
+++ b/roles/base/templates/etc/fail2ban/action.d/route.conf.j2
@ -0,0 +1,15 @@
+# fail2ban action - route
+
+[Definition]
+actionban   = ip route add <blocktype> <ip>
+actionunban = ip route del <blocktype> <ip>
+actioncheck =
+actionstart =
+actionstop =
+
+[Init]
+
+# Option:  blocktype
+# Note:    Type can be blackhole, unreachable and prohibit. Unreachable and prohibit correspond to the ICMP reject messages.
+# Values:  STRING
+blocktype = blackhole
--- a/roles/base/templates/etc/fail2ban/filter.d/sshd.conf.j2
+++ b/roles/base/templates/etc/fail2ban/filter.d/sshd.conf.j2
@ -0,0 +1,50 @@
+# Fail2Ban filter for openssh
+# {{ ansible_managed }}
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = sshd
+
+failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error|failed) for .* from <HOST>( via \S+)?\s*$
+            ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
+            ^%(__prefix_line)sFailed \S+ for (?P<cond_inv>invalid user )?(?P<user>(?P<cond_user>\S+)|(?(cond_inv)(?:(?! from ).)*?|[^:]+)) from <HOST>(?: port \d+)?(?: ssh\d*)?(?(cond_user):|(?:(?:(?! from ).)*)$)
+            ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
+            ^%(__prefix_line)s[iI](?:llegal|nvalid) user .*? from <HOST>(?: port \d+)?\s*$
+            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
+            ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
+            ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
+            ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
+            ^%(__prefix_line)s(?:error: )?Received disconnect from <HOST>: 3: .*: Auth fail(?: \[preauth\])?$
+            ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
+            ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
+            ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
+            ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
+            ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
+            ^%(__prefix_line)s(error: )?maximum authentication attempts exceeded for .* from <HOST>(?: port \d*)?(?: ssh\d*)? \[preauth\]$
+            ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$
+            ^%(__prefix_line)sUnable to negotiate with <HOST> .*$
+
+ignoreregex = 
+
+[Init]
+
+# "maxlines" is number of log lines to buffer for multi-line regex searches
+maxlines = 10
+
+journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
+
+# DEV Notes:
+#
+#   "Failed \S+ for .*? from <HOST>..." failregex uses non-greedy catch-all because
+#   it is coming before use of <HOST> which is not hard-anchored at the end as well,
+#   and later catch-all's could contain user-provided input, which need to be greedily
+#   matched away first.
+#
+# Author: Cyril Jaquier, Yaroslav Halchenko, Petr Voralek, Daniel Black
+
--- a/roles/base/templates/etc/fail2ban/jail.d/sshd.conf.j2
+++ b/roles/base/templates/etc/fail2ban/jail.d/sshd.conf.j2
@ -0,0 +1,30 @@
+# Fail2Ban configuration file
+#
+# Author: Wolfgang Karall (based on sshd.conf from Cyril Jaquier)
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+
+[Definition]
+
+_daemon = sshd
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = ^%(__prefix_line)sUnable to negotiate with <HOST> .*$
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = ^%(__prefix_line)sDid not receive identification string from .*$
--- a/roles/base/templates/etc/fail2ban/jail.d/sshd.local.j2
+++ b/roles/base/templates/etc/fail2ban/jail.d/sshd.local.j2
@ -0,0 +1,11 @@
+[DEFAULT]
+maxretry    = 3
+bantime     = 14400
+ignoreip    = 127.0.0.0/8 10.0.0.0/8 198.55.48.48/28
+
+[ssh]
+enabled     = true
+filter      = sshd
+action      = route
+logpath     = /var/log/auth.log
+