diff --git a/meta/fail2ban.md b/meta/fail2ban.md
index 7165647..85783d2 100644
--- a/meta/fail2ban.md
+++ b/meta/fail2ban.md
@@ -38,21 +38,22 @@ IP banning. It supports both single-node and clustered Proxmox setups. The playbook uses the following variables (can be defined in a `vars` file or inventory group vars):
-| Variable | Description | Default / Notes |
-|----------|-------------|----------------|
-| `f2b_bantime` | Default ban time for repeated failures | e.g., `600s` |
-| `f2b_findtime` | Time window to check failures | e.g., `1200s`|
-| `f2b_maxretry` | Maximum retries before ban | e.g., `5` |
-| `f2b_bantime_increment` | Incremental ban time (recidive) | e.g., `true` |
-| `f2b_bantime_factor` | Factor for incremental ban | e.g., `2` |
-| `f2b_bantime_max` | Maximum ban time | e.g., `7d` |
-| `f2b_recidive_bantime` | Ban time for recidive jail | e.g., `3600` |
-| `f2b_recidive_findtime` | Findtime for recidive jail | e.g., `86400` |
-| `f2b_recidive_maxretry` | Max retry for recidive jail | e.g., `3` |
-| `f2b_ipset_name` | Name of Proxmox IPSet used for banned IPs | e.g., `f2b-blacklist` |
-| `f2b_unban_ip` | Optional IP to unban manually | Leave undefined if not needed |
+| Variable | Description | Default |
+|--------------------------|-------------------------------------|------------------|
+| `f2b_bantime` | Ban per tentativi falliti | `600s` |
+| `f2b_findtime` | Finestra per contare i fallimenti | `1200s` |
+| `f2b_maxretry` | Tentativi prima del ban | `5` |
+| `f2b_bantime_increment` | Abilita ban incrementale | `true` |
+| `f2b_bantime_factor` | Fattore aumento ban | `2` |
+| `f2b_bantime_max` | Durata massima del ban | `7d` |
+| `f2b_recidive_bantime` | Ban per recidiva | `3600` |
+| `f2b_recidive_findtime` | Finestra recidiva | `86400` |
+| `f2b_recidive_maxretry` | Tentativi recidiva | `3` |
+| `f2b_ipset_name` | Nome IPSet per IP bannati | `f2b-blacklist` |
+| `f2b_unban_ip` | IP da sbloccare | `""` |
-> All `clustered` and `pmxcfs_running` checks default to `false` to prevent errors on non-clustered or single-node setups.
+> All `clustered` and `pmxcfs_running` checks default to `false` to prevent
+> errors on non-clustered or single-node setups.
 ---
@@ -97,8 +98,9 @@ ansible-playbook -i inventory fail2ban-proxmox.yml -e "f2b_unban_ip=1.2.3.4"
 - pve-firewall compile is called safely (>/dev/null 2>&1 || true) to prevent playbook failure on minor compilation warnings.
 - Manual unban is supported via f2b_unban_ip variable.
-- Always verify that the Proxmox firewall is enabled when using cluster-wide bans.
+- Always verify that the Proxmox firewall is enabled when using
+ cluster-wide bans.
 ## License
-MIT License
\ No newline at end of file
+MIT License
diff --git a/tasks/fail2ban.yml b/tasks/fail2ban.yml
index 23a224f..cc814e7 100644
--- a/tasks/fail2ban.yml
+++ b/tasks/fail2ban.yml
@@ -8,7 +8,7 @@
 #################################################
 - name: fail2ban | Detect Proxmox
- stat:
+ ansible.builtin.stat:
 path: /usr/bin/pveversion
 register: pve_installed
@@ -80,7 +80,6 @@
 - name: fail2ban | Configure Fail2Ban jails
 ansible.builtin.blockinfile:
 dest: /etc/fail2ban/jail.local
- create: true
 marker: "# {mark} ANSIBLE MANAGED BLOCK - PROXMOX"
 block: |
 # jail.conf (default)
@@ -238,7 +237,7 @@
 # Deploy cluster-aware Fail2Ban action
 #################################################
-- name: fail2ban-fw | Deploy proxmox-fw action
+- name: fail2ban | Deploy proxmox-fw action
 ansible.builtin.copy:
 dest: /etc/fail2ban/action.d/proxmox-fw.conf
 owner: root
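Review bot: Removing `create: true` from the blockinfile task on `/etc/fail2ban/jail.local` (hunk `@@ -80,7 +80,6 @@`) makes the play fail on any host where that file does not exist yet, because blockinfile only creates the destination when `create` is set; the stock fail2ban package ships `jail.conf` and leaves `jail.local` for local overrides, so a freshly installed node is exactly that case unless a task outside this hunk writes the file first. If this task is meant to create the file, keep `create: true` and pin the new file's ownership and mode next to it, `mode: "0644"`, `owner: root`, `group: root`, so the first run does not depend on defaults. If another task now creates it, a comment on this task naming that task (for example `# jail.local is created by the "<task name>" task above`) would make the ordering dependency visible to the next maintainer. The `block:` content of this task continues past the end of the hunk.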