Merge pull request #71 from Oefenweb/pr-70

Configuration for bantime increment added
Oefenweb · Nov 29, 2021 · aefe6b1 · aefe6b1
2 parents e769f17 + 74d7c28
commit aefe6b1
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -42,6 +42,15 @@ None
 - `fail2ban_services.{n}.*` [optional]: Name of the option
 - `fail2ban_services.{n}.*.*` [optional]: Value of the option
 
+### For version >= 0.11.1
+
+- `fail2ban_bantime_increment`: [default: `true`]: Increases bantime after being banned before
+- `fail2ban_bantime_factor`: [default: `1`]: Bantime increase factor for `bantime_formula` or `bantime_multipliers`
+- `fail2ban_bantime_formula`: [default: `'ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor'`]: Formula that will be used to calculate the increased bantime. **Note that you can either use `bantime_formula` or `bantime_multipliers` while `bantime_multipliers` takes precedence.**
+- `fail2ban_bantime_overalljails`: [default: `false`]: Ban IPs for all jails if multiple are defined
+- `fail2ban_bantime_rndtime`: [optional]: Option for smart bots that try to access after the bantime immediately
+- `fail2ban_bantime_multipliers`: [optional]: Multiplier to use instead of bantime_formula. For example `1 2 4 8 16 32 64`. **Note for bantime = 600 and bantime_factor=1 this would be `600*1*1, 600*1*2...`**
+
 ## Dependencies
 
 None

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -13,7 +13,13 @@ fail2ban_sendername: 'Fail2ban'
 fail2ban_ignoreips:
   - 127.0.0.1/8
   - ::1
+
 fail2ban_bantime: 600
+fail2ban_bantime_increment: true
+fail2ban_bantime_factor: 1
+fail2ban_bantime_formula: 'ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor'
+fail2ban_bantime_overalljails: false
+
 fail2ban_maxretry: 3
 fail2ban_findtime: 600
 fail2ban_backend: auto

diff --git a/tasks/main.yml b/tasks/main.yml
@@ -11,6 +11,25 @@
     - fail2ban
     - fail2ban-install
 
+- name: get fail2ban version
+  command: >
+    fail2ban-server -V
+  changed_when: false
+  register: _fail2ban_version_raw
+  tags:
+    - configuration
+    - fail2ban
+    - fail2ban-install
+
+- name: register fail2ban version
+  set_fact:
+    fail2ban_version: "{{ _fail2ban_version_raw.stdout | regex_search('([0-9]+\\.[0-9]+\\.[0-9]+)') }}"
+  changed_when: false
+  tags:
+    - configuration
+    - fail2ban
+    - fail2ban-install
+
 - name: remove configuration file - /etc/fail2ban/jail.d/defaults-debian.conf
   file:
     state: absent

diff --git a/templates/etc/fail2ban/jail.local.j2 b/templates/etc/fail2ban/jail.local.j2
@@ -2,10 +2,28 @@
 
 # Fail2Ban local configuration file.
 # Overrides changes in the main jail file, /etc/fail2ban/jail.conf
-# Use this file to change local settings. 
+# Use this file to change local settings.
 
 [DEFAULT]
 
+{% if fail2ban_version is version('0.11.1', '>=') %}
+bantime.increment = {{ fail2ban_bantime_increment | bool | to_json }}
+{% if fail2ban_bantime_rndtime is defined %}
+bantime.rndtime = {{ fail2ban_bantime_rndtime }}
+{% endif %}
+{% if fail2ban_bantime_maxtime is defined %}
+bantime.maxtime = {{ fail2ban_bantime_maxtime }}
+{% endif %}
+bantime.factor = {{ fail2ban_bantime_factor }}
+{% if fail2ban_bantime_multipliers is not defined %}
+bantime.formula = {{ fail2ban_bantime_formula }}
+{% endif %}
+{% if fail2ban_bantime_multipliers is defined %}
+bantime.multipliers = {{ fail2ban_bantime_multipliers }}
+{% endif %}
+bantime.overalljails = {{ fail2ban_bantime_overalljails | bool | to_json }}
+{% endif %}
+
 # "ignoreip" can be an IP address, a CIDR mask or a DNS host
 ignoreip = {{ fail2ban_ignoreips | join(' ') }}
 bantime  = {{ fail2ban_bantime }}