dev
...
4b80cfe531
| Author | SHA1 | Date | |
|---|---|---|---|
| 4b80cfe531 | |||
| 9adb8f8d2a | |||
| f63c643cc6 | |||
| 94726374ea | |||
| 6f27f0c47c | |||
| d36e7c34bf | |||
| 6458a4e0cf | |||
| 2e570f6808 | |||
| 1929ad13af |
@@ -94,6 +94,7 @@
|
||||
backend = systemd
|
||||
banaction = {% if (clustered.stat.exists | default(false)) %} proxmox-fw{% else %} iptables-multiport{% endif %}
|
||||
ignoreip = 127.0.0.1/8 192.168.2.0/24
|
||||
# {% if pmxcfs_running.stat.exists %} {{ corosync_networks | join(' ') }}{% endif %}
|
||||
|
||||
#################################################
|
||||
# SSH
|
||||
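Review bot: `ignoreip = 127.0.0.1/8 192.168.2.0/24` hardcodes a site-specific subnet into what appears to be the jail template, so every host in 192.168.2.0/24 is permanently exempt from banning on any node the role is applied to, and the exemption cannot be changed per inventory. Expose it as a role variable instead, for example `ignoreip = 127.0.0.1/8 {{ f2b_ignoreip | default([]) | join(' ') }}` (variable name is a suggestion), which also gives the commented-out `corosync_networks` line below a place to land once `pmxcfs_running` is registered. Note that the `#`-prefixed line is still evaluated by Jinja: fail2ban ignores the comment, but if `pmxcfs_running` is not registered before the template task runs, templating itself fails on the undefined variable.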
@@ -152,16 +153,10 @@
|
||||
{{
|
||||
'/etc/pve/firewall/cluster.fw'
|
||||
if clustered.stat.exists
|
||||
else '/etc/pve/nodes/' + pve_node + '/host.fw'
|
||||
else '/etc/pve/nodes/' + pve_node + '.fw'
|
||||
}}
|
||||
when: pve_installed.stat.exists | default(false)
|
||||
|
||||
- name: fail2ban | Show firewall config path
|
||||
ansible.builtin.debug:
|
||||
msg: >
|
||||
WARNING: Proxmox firewall config path is: {{ pve_firewall_config}}
|
||||
when: pve_firewall_config is defined
|
||||
|
||||
#################################################
|
||||
# Detect firewall configuration
|
||||
#################################################
|
||||
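Review bot: The two `else` branches in this hunk disagree about the host firewall path, and only `/etc/pve/nodes/<node>/host.fw` is where Proxmox keeps per-node firewall rules; `/etc/pve/nodes/<node>.fw` does not exist, so on a non-clustered node that path never stats, `pve_firewall_enabled` comes out false downstream and the "firewall not enabled" warning fires on every run. The rendered page does not show which line is the new one; if the `'.fw'` form is what is being introduced, revert it to `else '/etc/pve/nodes/' + pve_node + '/host.fw'`. The set_fact task this expression belongs to starts before the hunk.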
@@ -178,19 +173,15 @@
|
||||
register: fw_content
|
||||
when: fw_stat.stat.exists | default(false)
|
||||
|
||||
- name: fail2ban | Debug config contents
|
||||
ansible.builtin.debug:
|
||||
msg: >
|
||||
{{ fw_content }}
|
||||
when: fw_stat.stat.exists | default(false)
|
||||
|
||||
- name: fail2ban | Determine if firewall enabled
|
||||
ansible.builtin.set_fact:
|
||||
pve_firewall_enabled: >-
|
||||
{{
|
||||
fw_stat.stat.exists and
|
||||
(fw_content.content | b64decode)
|
||||
is search('^enable:\s*1$', multiline=True)
|
||||
(fw_stat.stat.exists | default(false)) and
|
||||
(
|
||||
(fw_content.content | default('') | b64decode)
|
||||
is search('enable:\s*1')
|
||||
)
|
||||
}}
|
||||
|
||||
- name: fail2ban | Warn if firewall not enabled
|
||||
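Review bot: The rewritten `pve_firewall_enabled` expression drops the `^`/`$` anchors and `multiline=True`, so `search('enable:\s*1')` now matches `enable: 1` anywhere in the decoded file — inside a rule comment, a group section, or as a prefix of `enable: 10` — rather than a whole `enable: 1` line in `[OPTIONS]`. As the `proxmox-fw` banaction relies on the Proxmox firewall enforcing the IPSet, a false positive here silences the "Warn if firewall not enabled" task while bans quietly do nothing. Keep the new `default()` guards but restore the anchored match: `is search('^enable:\s*1$', multiline=True)`. The task list continues outside the hunk on both ends.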
@@ -288,35 +279,35 @@
|
||||
enabled: true
|
||||
state: started
|
||||
|
||||
# #################################################
|
||||
# # List banned IPs cluster-wide
|
||||
# #################################################
|
||||
#################################################
|
||||
# List banned IPs cluster-wide
|
||||
#################################################
|
||||
|
||||
# - name: fail2ban | Get banned IPs from Proxmox IPSet
|
||||
# ansible.builtin.command: pve-firewall ipset list {{ f2b_ipset_name }}
|
||||
# register: banned_ips
|
||||
# changed_when: false
|
||||
# failed_when: false
|
||||
- name: fail2ban | Get banned IPs from Proxmox IPSet
|
||||
ansible.builtin.command: pve-firewall ipset list {{ f2b_ipset_name }}
|
||||
register: banned_ips
|
||||
changed_when: false
|
||||
failed_when: false
|
||||
|
||||
# - name: fail2ban | Show banned IPs
|
||||
# ansible.builtin.debug:
|
||||
# msg: >
|
||||
# Current banned IPs (cluster-wide):
|
||||
# {{ banned_ips.stdout_lines | default([]) }}
|
||||
- name: fail2ban | Show banned IPs
|
||||
ansible.builtin.debug:
|
||||
msg: >
|
||||
Current banned IPs (cluster-wide):
|
||||
{{ banned_ips.stdout_lines | default([]) }}
|
||||
|
||||
# #################################################
|
||||
# # Manual unban
|
||||
# #################################################
|
||||
#################################################
|
||||
# Manual unban
|
||||
#################################################
|
||||
|
||||
# - name: fail2ban | Unban specific IP
|
||||
# ansible.builtin.command: >
|
||||
# pve-firewall ipset del {{ f2b_ipset_name }} {{ f2b_unban_ip }}
|
||||
# when: f2b_unban_ip is defined and f2b_unban_ip | length > 0
|
||||
# register: unban_result
|
||||
# changed_when: "'removed' in unban_result.stdout or unban_result.rc == 0"
|
||||
# failed_when: false
|
||||
- name: fail2ban | Unban specific IP
|
||||
ansible.builtin.command: >
|
||||
pve-firewall ipset del {{ f2b_ipset_name }} {{ f2b_unban_ip }}
|
||||
when: f2b_unban_ip is defined and f2b_unban_ip | length > 0
|
||||
register: unban_result
|
||||
changed_when: "'removed' in unban_result.stdout or unban_result.rc == 0"
|
||||
failed_when: false
|
||||
|
||||
# - name: fail2ban | Report unban result
|
||||
# ansible.builtin.debug:
|
||||
# msg: "Unbanned IP {{ f2b_unban_ip }}"
|
||||
# when: f2b_unban_ip | length > 0
|
||||
- name: fail2ban | Report unban result
|
||||
ansible.builtin.debug:
|
||||
msg: "Unbanned IP {{ f2b_unban_ip }}"
|
||||
when: f2b_unban_ip | length > 0
|
||||
|
||||
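Review bot: The `Report unban result` task guards only on `f2b_unban_ip | length > 0`, so on any run where `f2b_unban_ip` is not defined the play aborts with an undefined-variable error, while the `Unban specific IP` task just above correctly uses `is defined`; align it and also check the outcome: `when: f2b_unban_ip is defined and f2b_unban_ip | length > 0 and unban_result.rc | default(1) == 0`. Without the `rc` check the task prints "Unbanned IP" even when `pve-firewall ipset del` failed, because `failed_when: false` on the command swallows that failure. Since both commands go through `ansible.builtin.command` rather than a shell, `f2b_unban_ip` cannot chain commands, but it is still passed unvalidated to `pve-firewall`; an `ansible.builtin.assert` that it looks like an IP or CIDR before the unban task would make a bad value fail clearly instead of silently.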