style 💎: Fix table formatting and add code block for list_banned task #46

Merged
Jose merged 8 commits from dev into main 2026-03-01 10:55:12 +01:00
2 changed files with 21 additions and 11 deletions
Showing only changes of commit e44f757b9e

View File

@@ -1,6 +1,8 @@
# Fail2Ban Integration with Proxmox Firewall
This Ansible playbook deploys and configures **Fail2Ban** on a Proxmox VE environment, integrating it with the **Proxmox firewall** for cluster-aware IP banning. It supports both single-node and clustered Proxmox setups.
This Ansible playbook deploys and configures **Fail2Ban** on a Proxmox VE
environment, integrating it with the **Proxmox firewall** for cluster-aware
IP banning. It supports both single-node and clustered Proxmox setups.
---
@@ -13,7 +15,8 @@ This Ansible playbook deploys and configures **Fail2Ban** on a Proxmox VE enviro
- SSH protection
- Proxmox GUI / AD login protection
- Progressive ban escalation (recidive jail)
- Deploys a **cluster-aware Fail2Ban action** (`proxmox-fw`) for Proxmox firewall integration.
- Deploys a **cluster-aware Fail2Ban action** (`proxmox-fw`) for Proxmox
firewall integration.
- Ensures safe firewall updates without affecting Corosync ports (5404/5405).
- Supports single-node Fail2Ban using `iptables-multiport`.
- Enables and starts the Fail2Ban service.
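Review bot: the Corosync ports hard-coded in "Ensures safe firewall updates without affecting Corosync ports (5404/5405)" should be checked against the Proxmox VE release this playbook targets, since newer releases document a wider UDP range for knet cluster traffic; either state the version the port list applies to or point readers at the "Ports used by Proxmox VE" section of the admin guide so the claim does not go stale.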
@@ -32,7 +35,8 @@ This Ansible playbook deploys and configures **Fail2Ban** on a Proxmox VE enviro
## Variables
The playbook uses the following variables (can be defined in a `vars` file or inventory group vars):
The playbook uses the following variables (can be defined in a `vars` file or
inventory group vars):
| Variable | Description | Default / Notes |
|----------|-------------|----------------|
@@ -75,19 +79,25 @@ ansible-playbook -i inventory fail2ban-proxmox.yml -e "f2b_unban_ip=1.2.3.4"
## How It Works
- Detects Proxmox ensures the playbook runs only on Proxmox VE hosts.
- Cluster safety checks verifies /etc/pve/.members and corosync.conf for quorum.
- Installs Fail2Ban ensures /etc/fail2ban/jail.local exists and applies configuration.
- Cluster-aware action for clustered nodes, Fail2Ban bans are added to Proxmox firewall and compiled immediately (pve-firewall compile).
- Single-node fallback uses iptables-multiport for nodes not in a cluster.
- Corosync protection prevents firewall rules from dropping cluster communication ports (5404/5405).
- Cluster safety checks verifies /etc/pve/.members and corosync.conf
for quorum.
- Installs Fail2Ban ensures /etc/fail2ban/jail.local exists and applies
configuration.
- Cluster-aware action for clustered nodes, Fail2Ban bans are added to
Proxmox firewall and compiled immediately (pve-firewall compile).
- Single-node fallback uses iptables-multiport for nodes not in
a cluster.
- Corosync protection prevents firewall rules from dropping cluster
communication ports (5404/5405).
## Notes & Safety
- The playbook does not copy jail.conf, only manages jail.local.
- Firewall rules for clustered nodes are only modified if quorum exists.
- pve-firewall compile is called safely (>/dev/null 2>&1 || true) to prevent playbook failure on minor compilation warnings.
- pve-firewall compile is called safely (>/dev/null 2>&1 || true)
to prevent playbook failure on minor compilation warnings.
- Manual unban is supported via f2b_unban_ip variable.
- Always verify that the Proxmox firewall is enabled when using cluster-wide bans.
- Always verify that the Proxmox firewall is enabled when using cluster-wide bans.
## License
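Review bot: the line "pve-firewall compile is called safely (>/dev/null 2>&1 || true)" describes a construct that discards all output and forces a zero exit status, so it hides hard compile failures, not only "minor compilation warnings"; a ban written to the firewall configuration but never compiled would go unnoticed. Register the task result and use `failed_when` / `changed_when` on specific conditions (or at least keep stderr in the play output), and reword this note so it does not call the suppression safe. Separately, "Always verify that the Proxmox firewall is enabled when using cluster-wide bans." shows up as both a removed and an added line with identical text; if that is only a trailing-whitespace change it is harmless, otherwise one copy should be dropped.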

View File

@@ -266,7 +266,7 @@
actionstart =
actionstop =
when:
- clustered.stat.exists | default(false)
- clustered.stat.exists | default(false)
notify:
- Restart fail2ban
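Review bot: with `actionstart =` and `actionstop =` left empty, nothing removes bans from the Proxmox firewall when the jail stops or fail2ban is restarted by the "Restart fail2ban" handler, so previously banned addresses stay blocked until an unban action runs or `f2b_unban_ip` is used; document in the README whether that persistence is intended, and note that the `when: clustered.stat.exists | default(false)` guard only applies this action on clustered nodes.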