refactor ♻️: Refactor and reformat text for better readability
This commit refactors the code by improving text formatting and structure to enhance readability, ensuring that the content and functionality remain unchanged.
This commit is contained in:
@@ -1,6 +1,8 @@
|
||||
# Fail2Ban Integration with Proxmox Firewall
|
||||
|
||||
This Ansible playbook deploys and configures **Fail2Ban** on a Proxmox VE environment, integrating it with the **Proxmox firewall** for cluster-aware IP banning. It supports both single-node and clustered Proxmox setups.
|
||||
This Ansible playbook deploys and configures **Fail2Ban** on a Proxmox VE
|
||||
environment, integrating it with the **Proxmox firewall** for cluster-aware
|
||||
IP banning. It supports both single-node and clustered Proxmox setups.
|
||||
|
||||
---
|
||||
|
||||
@@ -13,7 +15,8 @@ This Ansible playbook deploys and configures **Fail2Ban** on a Proxmox VE enviro
|
||||
- SSH protection
|
||||
- Proxmox GUI / AD login protection
|
||||
- Progressive ban escalation (recidive jail)
|
||||
- Deploys a **cluster-aware Fail2Ban action** (`proxmox-fw`) for Proxmox firewall integration.
|
||||
- Deploys a **cluster-aware Fail2Ban action** (`proxmox-fw`) for Proxmox
|
||||
firewall integration.
|
||||
- Ensures safe firewall updates without affecting Corosync ports (5404/5405).
|
||||
- Supports single-node Fail2Ban using `iptables-multiport`.
|
||||
- Enables and starts the Fail2Ban service.
|
||||
@@ -32,7 +35,8 @@ This Ansible playbook deploys and configures **Fail2Ban** on a Proxmox VE enviro
|
||||
|
||||
## Variables
|
||||
|
||||
The playbook uses the following variables (can be defined in a `vars` file or inventory group vars):
|
||||
The playbook uses the following variables (can be defined in a `vars` file or
|
||||
inventory group vars):
|
||||
|
||||
| Variable | Description | Default / Notes |
|
||||
|----------|-------------|----------------|
|
||||
@@ -75,19 +79,25 @@ ansible-playbook -i inventory fail2ban-proxmox.yml -e "f2b_unban_ip=1.2.3.4"
|
||||
## How It Works
|
||||
|
||||
- Detects Proxmox – ensures the playbook runs only on Proxmox VE hosts.
|
||||
- Cluster safety checks – verifies /etc/pve/.members and corosync.conf for quorum.
|
||||
- Installs Fail2Ban – ensures /etc/fail2ban/jail.local exists and applies configuration.
|
||||
- Cluster-aware action – for clustered nodes, Fail2Ban bans are added to Proxmox firewall and compiled immediately (pve-firewall compile).
|
||||
- Single-node fallback – uses iptables-multiport for nodes not in a cluster.
|
||||
- Corosync protection – prevents firewall rules from dropping cluster communication ports (5404/5405).
|
||||
- Cluster safety checks – verifies /etc/pve/.members and corosync.conf
|
||||
for quorum.
|
||||
- Installs Fail2Ban – ensures /etc/fail2ban/jail.local exists and applies
|
||||
configuration.
|
||||
- Cluster-aware action – for clustered nodes, Fail2Ban bans are added to
|
||||
Proxmox firewall and compiled immediately (pve-firewall compile).
|
||||
- Single-node fallback – uses iptables-multiport for nodes not in
|
||||
a cluster.
|
||||
- Corosync protection – prevents firewall rules from dropping cluster
|
||||
communication ports (5404/5405).
|
||||
|
||||
## Notes & Safety
|
||||
|
||||
- The playbook does not copy jail.conf, only manages jail.local.
|
||||
- Firewall rules for clustered nodes are only modified if quorum exists.
|
||||
- pve-firewall compile is called safely (>/dev/null 2>&1 || true) to prevent playbook failure on minor compilation warnings.
|
||||
- pve-firewall compile is called safely (>/dev/null 2>&1 || true)
|
||||
to prevent playbook failure on minor compilation warnings.
|
||||
- Manual unban is supported via f2b_unban_ip variable.
|
||||
- Always verify that the Proxmox firewall is enabled when using cluster-wide bans.
|
||||
- Always verify that the Proxmox firewall is enabled when using cluster-wide bans.
|
||||
|
||||
## License
|
||||
|
||||
|
||||
Reference in New Issue
Block a user