diff --git a/roles/_web_app/templates/php-fpm-user.j2 b/roles/_web_app/templates/php-fpm-user.j2 index 4f2992a0304fb2e24ab8f84a05b49445f972086d..86ce54adda2f5f25a03bdd3dbd2b023b05d494d2 100644 --- a/roles/_web_app/templates/php-fpm-user.j2 +++ b/roles/_web_app/templates/php-fpm-user.j2 @@ -26,8 +26,8 @@ ; Unix user/group of processes ; Note: The user is mandatory. If the group is not set, the default user's group ; will be used. -user = $pool -group = $pool +user = {{ app_user }} +group = {{ app_group }} ; The address on which to accept FastCGI requests. ; Valid syntaxes are: @@ -393,3 +393,5 @@ env[TEMP] = /tmp ;php_admin_value[error_log] = /var/log/fpm-php.www.log ;php_admin_flag[log_errors] = on ;php_admin_value[memory_limit] = 32M + + diff --git a/roles/fail2ban/defaults/main.yml b/roles/fail2ban/defaults/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..81019070d0ce9ef4e0bd495fd8359fa06c1ea9aa --- /dev/null +++ b/roles/fail2ban/defaults/main.yml @@ -0,0 +1,5 @@ +--- +fail2ban_nginx_access_log: /var/log/nginx/*access.log +maxretry: 6 +bantime: 600 +findtime: 600 diff --git a/roles/fail2ban/files/nextcloud.conf b/roles/fail2ban/files/nextcloud.conf new file mode 100644 index 0000000000000000000000000000000000000000..12f4db71994f16f41f082b2fa485072a758518b8 --- /dev/null +++ b/roles/fail2ban/files/nextcloud.conf @@ -0,0 +1,5 @@ +[Definition] +_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*) +failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Login failed: + ^\{%(_groupsre)s,?\s*"remoteAddr":""%(_groupsre)s,?\s*"message":"Trusted domain error. +datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?" \ No newline at end of file diff --git a/roles/fail2ban/handlers/main.yml b/roles/fail2ban/handlers/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..eff098ab8068af6a87c7fbdc9583615abe167733 --- /dev/null +++ b/roles/fail2ban/handlers/main.yml 
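Review bot: `user = {{ app_user }}` / `group = {{ app_group }}` render whatever the play passes in, and nothing in the template rejects a privileged or shared account, so the per-pool separation this change appears to introduce depends entirely on the caller setting a dedicated user. php-fpm itself only refuses `root` (unless started with `-R`); a pool rendered with an account shared across instances, such as the web server's user, would let one application read another's files. Consider asserting in the role that `app_user` is defined, is not `root`, and differs from the web server account, e.g. `- assert: { that: ["app_user is defined", "app_user != 'root'"] }`. Whether the pool's `listen.owner`/`listen.group` were adjusted to match is outside this hunk.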
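Review bot: `maxretry`, `bantime` and `findtime` in roles/fail2ban/defaults/main.yml are bare, un-prefixed role defaults, so any other role or inventory variable with these very common names silently overrides the jail thresholds or is overridden by them. Name them like the first default, `fail2ban_maxretry`, `fail2ban_bantime`, `fail2ban_findtime`, and update the jail template accordingly. A `bantime` of 600 s with `maxretry: 6` is also far more lenient than the 86400 s / 3 attempts used for the Nextcloud jail elsewhere in this commit; if that asymmetry is intentional a one-line comment in the defaults would save the next reader a question.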
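Review bot: Both `failregex` lines in roles/fail2ban/files/nextcloud.conf show `"remoteAddr":""` with nothing between the quotes, i.e. no `<HOST>` capture, which fail2ban requires in every failregex; this is most likely the `<HOST>` tag being lost in rendering, but if the committed file really lacks it the filter is rejected at load time and, depending on the fail2ban version, can stop the whole service from starting. Please confirm with `fail2ban-regex <instance>/data/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf` against a log line containing a failed login. A short header comment noting that this is the upstream Nextcloud filter for the JSON file log (`log_type = file`) would also help, since tasks/nextcloud.yml installs it unconditionally.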
@@ -0,0 +1,5 @@ +--- +- name: restart fail2ban + service: + name: fail2ban + state: restarted \ No newline at end of file diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml new file mode 100644 index 0000000000000000000000000000000000000000..49e6b49b633bea9c6cb874aacf7cf0aab6643d55 --- /dev/null +++ b/roles/fail2ban/tasks/main.yml @@ -0,0 +1,42 @@ +--- +- name: Install fail2ban + yum: name=fail2ban state=present + when: ansible_distribution == 'CentOS' + +- name: Install fail2ban + apt: + name: fail2ban + state: present + when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' + +- name: Enable fail2ban + service: + name: fail2ban + enabled: yes + +- name: Create jail.d + file: + path: /etc/fail2ban/jail.d + state: directory + +- name: Setup filters + template: + src: "{{item}}-filter.conf.j2" + dest: "/etc/fail2ban/filter.d/{{item}}.conf" + with_items: + - nginx-proxy + when: rev_proxy == "nginx" + notify: + - restart fail2ban + +- name: setup jails + template: + src: "{{item}}-jail.conf.j2" + dest: "/etc/fail2ban/jail.d/{{item}}.conf" + with_items: + - nginx-proxy + when: rev_proxy == "nginx" + notify: + - restart fail2ban + +- import_tasks: nextcloud.yml diff --git a/roles/fail2ban/tasks/nextcloud.yml b/roles/fail2ban/tasks/nextcloud.yml new file mode 100644 index 0000000000000000000000000000000000000000..671f630f66d1a38093f65cea6793c359f3443f34 --- /dev/null +++ b/roles/fail2ban/tasks/nextcloud.yml @@ -0,0 +1,7 @@ +--- +- name: setup jails for Nextcloud + copy: + src: "../files/nextcloud.conf" + dest: "/etc/fail2ban/filter.d/nextcloud.conf" + notify: + - restart fail2ban \ No newline at end of file diff --git a/roles/fail2ban/tasks/nginx.yml b/roles/fail2ban/tasks/nginx.yml new file mode 100644 index 0000000000000000000000000000000000000000..a1486f4e9821d06df4102734e8399f9ac8e9b79c --- /dev/null +++ b/roles/fail2ban/tasks/nginx.yml 
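Review bot: `state: restarted` in the `restart fail2ban` handler stops and starts the daemon every time any filter or jail file changes, which tears down every jail's firewall chain and re-creates it; `fail2ban-client reload` (or `state: reloaded` where the unit has an ExecReload) re-reads the configuration without that gap. Persisted bans usually survive a restart through fail2ban's sqlite database, but the chains are still removed briefly, so a reload is the safer default. The same handler is duplicated verbatim in roles/nextcloud_instance/handlers/main.yml in this commit; consider keeping one copy and having nextcloud_instance depend on the fail2ban role.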
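Review bot: The `Enable fail2ban` task sets `enabled: yes` but not `state: started`, so on a host where `rev_proxy` is not `nginx` and the Nextcloud filter is already in place nothing notifies the handler and fail2ban stays down until the next reboot; `state: started` alongside `enabled: yes` closes that gap. `when: rev_proxy == "nginx"` is also evaluated with no default for `rev_proxy` in this role's defaults, which errors the play when the variable is undefined — `rev_proxy | default('') == "nginx"` or a role default avoids that. Finally, the `Setup filters`/`setup jails` loops here duplicate roles/fail2ban/tasks/nginx.yml, which nothing imports; keep one of the two.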
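Review bot: `src: "../files/nextcloud.conf"` relies on a relative path resolved from the role's tasks directory; Ansible's `copy` already searches the role's `files/` directory, so `src: nextcloud.conf` is the conventional and less brittle form. The task also sets no `owner`/`group`/`mode`, so the filter's permissions depend on the default umask; `mode: '0644'` pins them. As written the filter is installed on every host the role runs on, whether or not Nextcloud is present, which is harmless but worth a comment.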
@@ -0,0 +1,14 @@ +--- +- name: Setup filter + template: + src: "../templates/nginx-proxy-filter.conf.j2" + dest: "/etc/fail2ban/filter.d/nginx-proxy.conf" + notify: restart fail2ban + when: rev_proxy == "nginx" + +- name: Setup jail + template: + src: "../templates/nginx-proxy-jail.conf.j2" + dest: "/etc/fail2ban/jail.d/nginx-proxy.conf" + notify: restart fail2ban + when: rev_proxy == "nginx" \ No newline at end of file diff --git a/roles/fail2ban/templates/nginx-proxy-filter.conf.j2 b/roles/fail2ban/templates/nginx-proxy-filter.conf.j2 new file mode 100644 index 0000000000000000000000000000000000000000..27f74cd558ef4c231605ed9ae327a466ec79352c --- /dev/null +++ b/roles/fail2ban/templates/nginx-proxy-filter.conf.j2 @@ -0,0 +1,10 @@ +# Block IPs trying to use server as proxy. +[Definition] +failregex = .*\" 400 + .*"[A-Z]* /(cms|muieblackcat|db|cpcommerce|cgi-bin|wp-login|joomla|awstatstotals|wp-content|wp-includes|pma|phpmyadmin|myadmin|mysql|mysqladmin|sqladmin|mypma|admin|xampp|mysqldb|pmadb|phpmyadmin1|phpmyadmin2).*" 4[\d][\d] + .*".*supports_implicit_sdk_logging.*" 4[\d][\d] + .*".*activities?advertiser_tracking_enabled.*" 4[\d][\d] + .*".*/picture?type=normal.*" 4[\d][\d] + .*".*/announce.php?info_hash=.*" 4[\d][\d] + +ignoreregex = \ No newline at end of file diff --git a/roles/fail2ban/templates/nginx-proxy-jail.conf.j2 b/roles/fail2ban/templates/nginx-proxy-jail.conf.j2 new file mode 100644 index 0000000000000000000000000000000000000000..7999319fcb4b6e366bc2c5459278814bfe18915f --- /dev/null +++ b/roles/fail2ban/templates/nginx-proxy-jail.conf.j2 
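Review bot: roles/fail2ban/tasks/nginx.yml is not imported anywhere in this commit — tasks/main.yml only has `- import_tasks: nextcloud.yml` — and its two tasks are near-verbatim copies of the `Setup filters`/`setup jails` loops already in main.yml. Dead duplicates drift: the next change to the nginx filter path will land in one file and not the other. Either add `- import_tasks: nginx.yml` to main.yml and delete the inline loops, or drop this file. The `../templates/` prefix is also unnecessary, since `template` resolves `src` against the role's templates directory.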
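Review bot: The `?` in the last three `failregex` lines is a regex quantifier, not a literal, so `/picture?type=normal` matches `pictur` or `picture` followed directly by `type=normal` and never the real query string; the same applies to `activities?advertiser…` and `announce.php?info_hash=`. Escape them: `.*".*/picture\?type=normal.*" 4[\d][\d]`, `.*".*activities\?advertiser_tracking_enabled.*" 4[\d][\d]`, `.*".*/announce\.php\?info_hash=.*" 4[\d][\d]`. The first line, `.*\" 400`, bans any client that accumulates six 400 responses in ten minutes, which nginx also returns for oversized cookies or plain HTTP sent to the TLS port, so one misconfigured legitimate client (or a shared NAT address) can lock itself out of ports 80 and 443; consider restricting it to proxy-style request lines (`"[A-Z]+ https?://`) as the header comment intends, or dropping it. No line as rendered here carries a `<HOST>` capture; if that is not just rendering loss, fail2ban will refuse the filter entirely.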
@@ -0,0 +1,19 @@ +## block hosts trying to abuse our server as a forward proxy +[nginx-proxy] +enabled = true +filter = nginx-proxy +logpath = {{ fail2ban_nginx_access_log }} +action = iptables-multiport[name=NoNginxProxy, port="http,https"] +maxretry = {{ maxretry }} +bantime = {{ bantime }} +findtime = {{ findtime }} + + +[nginx-limit-req] +enabled = true + +[nginx-http-auth] +enabled = true + +[nginx-botsearch] +enabled = true \ No newline at end of file diff --git a/roles/nextcloud_instance/handlers/main.yml b/roles/nextcloud_instance/handlers/main.yml index fec12881ca3134dc0d940e46d12f3d497f038b77..e8eaceaa1e0ef0881fcb074ba332986a0cc3837d 100644 --- a/roles/nextcloud_instance/handlers/main.yml +++ b/roles/nextcloud_instance/handlers/main.yml @@ -5,3 +5,8 @@ - name: reload apache2 nextcloud_instance service: name=apache2 state=reloaded + +- name: restart fail2ban + service: + name: fail2ban + state: restarted diff --git a/roles/nextcloud_instance/tasks/fail2ban.yml b/roles/nextcloud_instance/tasks/fail2ban.yml new file mode 100644 index 0000000000000000000000000000000000000000..ca694a677a359626015d5b17827c0da81ffdab62 --- /dev/null +++ b/roles/nextcloud_instance/tasks/fail2ban.yml @@ -0,0 +1,7 @@ +--- + +- name: Setup jail for instance + template: + src: "nextcloud_instance_jail.j2" + dest: "/etc/fail2ban/jail.d/nginx-{{ app_instance_id }}.conf" + notify: restart fail2ban \ No newline at end of file diff --git a/roles/nextcloud_instance/tasks/install.yml b/roles/nextcloud_instance/tasks/install.yml index 38b19bbd691b4802f5e5a2b04dabed0d01ff21b4..2b90f4faf81e21c5d5c2ed7a95c5ddad89cfdc23 100644 --- a/roles/nextcloud_instance/tasks/install.yml +++ b/roles/nextcloud_instance/tasks/install.yml @@ -127,4 +127,6 @@ - name: Set up monit import_role: - name: _app_monit \ No newline at end of file + name: _app_monit + + - import_tasks: fail2ban.yml \ No newline at end of file 
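Review bot: `[nginx-limit-req]`, `[nginx-http-auth]` and `[nginx-botsearch]` are enabled with no `logpath`, so they fall back to jail.conf's `%(nginx_error_log)s` default, while the role makes the access log path configurable through `fail2ban_nginx_access_log` (a glob, suggesting per-vhost logs); if the error log is not at the stock location those three jails silently watch nothing. Add a `fail2ban_nginx_error_log` default and set `logpath = {{ fail2ban_nginx_error_log }}` on each. `maxretry`/`bantime`/`findtime` are also applied only to `[nginx-proxy]`; the other three keep jail.conf's global values, which may be intended but reads as an oversight. If the proxy itself sits behind a CDN or load balancer, all four jails see the upstream address and will ban it; an `ignoreip` line in a `[DEFAULT]` section guards against that.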
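Review bot: `dest: "/etc/fail2ban/jail.d/nginx-{{ app_instance_id }}.conf"` is named as an nginx jail but the rendered template declares `[nextcloud]`, so with two instances on one host both files define the same jail and fail2ban merges them, leaving only one instance's `logpath` in effect; name the file `nextcloud-{{ app_instance_id }}.conf` and make the section name per-instance as well. The task is also imported unconditionally from install.yml and assumes `/etc/fail2ban/jail.d` exists and fail2ban is installed; unless nextcloud_instance declares a dependency on the fail2ban role (not visible here), add a `meta/main.yml` dependency or a `when: fail2ban_enabled | default(true)` guard so the instance role does not fail on hosts without fail2ban.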
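Review bot: As rendered, `- import_tasks: fail2ban.yml` appears indented one column deeper than the preceding `- name: Set up monit` list item, which would make it a child of the previous mapping rather than the next task and fail YAML parsing; the collapsed whitespace here makes that uncertain, so please check the indentation matches the other items. The file still ends without a trailing newline after this change, which keeps producing `\ No newline at end of file` noise in every diff. The enclosing task list starts outside the hunk.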
diff --git a/roles/nextcloud_instance/templates/nextcloud_instance_jail.j2 b/roles/nextcloud_instance/templates/nextcloud_instance_jail.j2 new file mode 100644 index 0000000000000000000000000000000000000000..838129b059ae20a008d95feff2b78f4a2e1035c5 --- /dev/null +++ b/roles/nextcloud_instance/templates/nextcloud_instance_jail.j2 @@ -0,0 +1,10 @@ +[nextcloud] +backend = auto +enabled = true +port = 80,443 +protocol = tcp +filter = nextcloud +maxretry = 3 +bantime = 86400 +findtime = 43200 +logpath = {{ app_instance_root }}/data/nextcloud.log \ No newline at end of file diff --git a/roles/php7_fpm/tasks/configure_fpm.yml b/roles/php7_fpm/tasks/configure_fpm.yml index 1e17cc9b79144a01d4f3f4369f985046f4ef7a4c..ed8c7d7bee9a1d4b94c17a039a388eed98be8723 100644 --- a/roles/php7_fpm/tasks/configure_fpm.yml +++ b/roles/php7_fpm/tasks/configure_fpm.yml @@ -2,7 +2,7 @@ - name: "Memory limit from 128M to {{ php_memory }} for PHP{{ php_version }}" lineinfile: - line: "memory_limit = {{ php_memory }}" + line: "memory_limit={{ php_memory }}" regexp: "^memory_limit" path: "{{ php_ini_file }}" state: present @@ -12,8 +12,8 @@ - name: "opcache.save_comments to {{ opcache_save_comments }} for PHP{{ php_version }}" lineinfile: - line: "opcache.save_comments = {{ opcache_save_comments }}" - regexp: "^opcache.save_comments" + line: "opcache.save_comments={{ opcache_save_comments }}" + regexp: "^opcache\\.save_comments" path: "{{ php_ini_file }}" state: present notify: reload php-fpm php7_fpm @@ -22,8 +22,8 @@ - name: "opcache.revalidate_freq to {{ opcache_revalidate_freq }} for PHP{{ php_version }}" lineinfile: - line: "opcache.revalidate_freq = {{ opcache_revalidate_freq }}" - regexp: "^opcache.revalidate_freq" + line: "opcache.revalidate_freq={{ opcache_revalidate_freq }}" + regexp: "^opcache\\.revalidate_freq" path: "{{ php_ini_file }}" state: present notify: reload php-fpm php7_fpm 
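Review bot: The jail is hard-named `[nextcloud]` while everything else about it is per-instance (`logpath = {{ app_instance_root }}/data/nextcloud.log`, file name keyed on `app_instance_id`), so a second instance on the same host overrides the first's `logpath` instead of adding a jail; use `[nextcloud-{{ app_instance_id }}]`. The filter bans the `remoteAddr` Nextcloud logs, which behind the reverse proxy the `rev_proxy` variable points to is the proxy's own address unless Nextcloud's `trusted_proxies` is set: on a co-located proxy that is 127.0.0.1, which fail2ban ignores by default, so the jail never bans anyone, and on a separate proxy it bans the proxy on ports 80/443, locking every user out. Please confirm `trusted_proxies`/`forwarded_for_headers` are configured for the instance (not visible in this commit). `bantime = 86400` / `maxretry = 3` are also hard-coded here while the fail2ban role parametrizes the same knobs; reuse those variables or add prefixed ones.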
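Review bot: `regexp: "^opcache\\.save_comments"` only matches an active directive; stock php.ini files typically ship the opcache settings commented out (`;opcache.save_comments=1`), in which case `lineinfile` finds no match and appends the new line at the end of the file, leaving the commented original in place and the live value outside the `[opcache]` block. Matching the commented form too, `regexp: "^;?\\s*opcache\\.save_comments\\s*="`, makes the task replace the shipped line in place and remain idempotent. The same applies to the other opcache tasks in this file; the escaping fix itself is right.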
@@ -32,8 +32,8 @@ - name: "opcache.max_accelerated_files to {{ opcache_max_accelerated_files }} for PHP{{ php_version }}" lineinfile: - line: "opcache.max_accelerated_files = {{ opcache_max_accelerated_files }}" - regexp: "^opcache.max_accelerated_files" + line: "opcache.max_accelerated_files={{ opcache_max_accelerated_files }}" + regexp: "^opcache\\.max_accelerated_files" path: "{{ php_ini_file }}" state: present notify: reload php-fpm php7_fpm @@ -42,8 +42,8 @@ - name: "opcache.interned_strings_buffer to {{ opcache_interned_strings_buffer }} for PHP{{ php_version }}" lineinfile: - line: "opcache.interned_strings_buffer = {{ opcache_interned_strings_buffer }}" - regexp: "^opcache.max_accelerated_files" + line: "opcache.interned_strings_buffer={{ opcache_interned_strings_buffer }}" + regexp: "^opcache\\.interned_strings_buffer" path: "{{ php_ini_file }}" state: present notify: reload php-fpm php7_fpm @@ -52,7 +52,7 @@ - name: "pm.max_children {{ php_pm_max_children }} for PHP{{ php_version }}" lineinfile: - line: "pm.max_children = {{ php_pm_max_children }}" + line: "pm.max_children={{ php_pm_max_children }}" regexp: "^pm\\.max_children" path: "{{ php_www_conf_file }}" state: present @@ -62,7 +62,7 @@ - name: "max pm.start_servers {{ php_pm_start_servers }} for PHP{{ php_version }}" lineinfile: - line: "pm.start_servers = {{ php_pm_start_servers }}" + line: "pm.start_servers={{ php_pm_start_servers }}" regexp: "^pm\\.start_servers" path: "{{ php_www_conf_file }}" state: present @@ -72,7 +72,7 @@ - name: "max pm.min_spare_servers {{ php_pm_min_spare_servers }} for PHP{{ php_version }}" lineinfile: - line: "pm.min_spare_servers = {{ php_pm_min_spare_servers }}" + line: "pm.min_spare_servers={{ php_pm_min_spare_servers }}" regexp: "^pm\\.min_spare_servers" path: "{{ php_www_conf_file }}" state: present 
@@ -82,7 +82,7 @@ - name: "max pm.max_spare_servers {{ php_pm_max_spare_servers }} for PHP{{ php_version }}" lineinfile: - line: "pm.max_spare_servers = {{ php_pm_max_spare_servers }}" + line: "pm.max_spare_servers={{ php_pm_max_spare_servers }}" regexp: "^pm\\.max_spare_servers" path: "{{ php_www_conf_file }}" state: present @@ -93,7 +93,7 @@ - name: "upload_max_filesize limit from 2M to {{ php_upload_max_filesize }} for PHP{{ php_version }}" lineinfile: - line: "upload_max_filesize = {{ php_upload_max_filesize }}" + line: "upload_max_filesize={{ php_upload_max_filesize }}" regexp: "^upload_max_filesize" path: "{{ php_ini_file }}" state: present
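Review bot: Raising `upload_max_filesize` alone does not let PHP accept larger uploads, because `post_max_size` (8M by default) caps the entire request body, and no hunk in this commit touches `post_max_size`. If it is not set elsewhere in the file (the rest of configure_fpm.yml is outside this view), add a sibling task, e.g. `line: "post_max_size={{ php_post_max_size }}"` with `regexp: "^post_max_size"`, and default `php_post_max_size` to at least `php_upload_max_filesize`. The task name still says `limit from 2M`, which is only true when the shipped php.ini is untouched; a neutral name such as `set upload_max_filesize to {{ php_upload_max_filesize }}` avoids misleading run output.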