--- files/denyhosts/allowed-hosts | 27 -- files/denyhosts/denyhosts.conf | 626 ---------------------------------- handlers/restart_services.yml | 3 - playbooks/groups/arm-packager.yml | 2 +- playbooks/groups/arm-qa.yml | 2 +- playbooks/groups/backup-server.yml | 2 +- playbooks/groups/badges-backend.yml | 2 +- playbooks/groups/badges-web.yml | 2 +- playbooks/groups/beaker.yml | 2 +- playbooks/groups/gallery.yml | 2 +- playbooks/groups/kernel-qa.yml | 2 +- playbooks/groups/keyserver.yml | 2 +- playbooks/groups/koji-hub.yml | 2 +- playbooks/groups/mailman.yml | 2 +- playbooks/groups/mirrorlist.yml | 2 +- playbooks/groups/postgresl-server.yml | 2 +- playbooks/groups/taskbot.yml | 2 +- playbooks/groups/virthost.yml | 2 +- roles/denyhosts/files/allowed-hosts | 27 ++ roles/denyhosts/files/denyhosts.conf | 626 ++++++++++++++++++++++++++++++++++ roles/denyhosts/handlers/main.yml | 3 + roles/denyhosts/tasks/main.yml | 26 ++ tasks/denyhosts.yml | 26 -- 23 files changed, 697 insertions(+), 697 deletions(-) delete mode 100644 files/denyhosts/allowed-hosts delete mode 100644 files/denyhosts/denyhosts.conf create mode 100644 roles/denyhosts/files/allowed-hosts create mode 100644 roles/denyhosts/files/denyhosts.conf create mode 100644 roles/denyhosts/handlers/main.yml create mode 100644 roles/denyhosts/tasks/main.yml delete mode 100644 tasks/denyhosts.yml diff --git a/files/denyhosts/allowed-hosts b/files/denyhosts/allowed-hosts deleted file mode 100644 index f5a88b7..0000000 --- a/files/denyhosts/allowed-hosts +++ /dev/null @@ -1,27 +0,0 @@ -# We mustn't block localhost -127.0.0.1 - -#bastion -10.5.126.11 -10.5.126.12 -#lockbox -10.5.126.23 -# don't block lockbox's remote addr, either -209.132.181.6 - -#noc1 -noc1.phx2.fedoraproject.org -10.5.126.41 -192.168.1.10 - -# RDU NAT -66.187.233.202 -66.187.233.206 -# RH NAT -66.187.230.200 -# PHX2 NAT -209.132.181.102 -# tlv RHT NAT -66.187.237.10 -# brno RHT NAT -209.132.186.34 diff --git a/files/denyhosts/denyhosts.conf b/files/denyhosts/denyhosts.conf deleted file mode 100644 index 577b851..0000000 --- a/files/denyhosts/denyhosts.conf +++ /dev/null @@ -1,626 +0,0 @@ - ############ THESE SETTINGS ARE REQUIRED ############ - -######################################################################## -# -# SECURE_LOG: the log file that contains sshd logging info -# if you are not sure, grep "sshd:" /var/log/* -# -# The file to process can be overridden with the --file command line -# argument -# -# Redhat or Fedora Core: -SECURE_LOG = /var/log/secure -# -# Mandrake, FreeBSD or OpenBSD: -#SECURE_LOG = /var/log/auth.log -# -# SuSE: -#SECURE_LOG = /var/log/messages -# -# Mac OS X (v10.4 or greater - -# also refer to: http://www.denyhosts.net/faq.html#macos -#SECURE_LOG = /private/var/log/asl.log -# -# Mac OS X (v10.3 or earlier): -#SECURE_LOG=/private/var/log/system.log -# -######################################################################## - -######################################################################## -# -# HOSTS_DENY: the file which contains restricted host access information -# -# Most operating systems: -HOSTS_DENY = /etc/hosts.deny -# -# Some BSD (FreeBSD) Unixes: -#HOSTS_DENY = /etc/hosts.allow -# -# Another possibility (also see the next option): -#HOSTS_DENY = /etc/hosts.evil -####################################################################### - - -######################################################################## -# -# PURGE_DENY: removed HOSTS_DENY entries that are older than this time -# when DenyHosts is invoked with the --purge flag -# -# format is: i[dhwmy] -# Where 'i' is an integer (eg. 7) -# 'm' = minutes -# 'h' = hours -# 'd' = days -# 'w' = weeks -# 'y' = years -# -# never purge: -#PURGE_DENY = -# -# purge entries older than 1 week -#PURGE_DENY = 1w -# -# purge entries older than 5 days -#PURGE_DENY = 5d -# -# For the default Fedora Extras install, we want timestamping but no -# expiration (at least by default) so this is deliberately set high. -# Adjust to taste. -PURGE_DENY = 4w -####################################################################### - -####################################################################### -# -# PURGE_THRESHOLD: defines the maximum times a host will be purged. -# Once this value has been exceeded then this host will not be purged. -# Setting this parameter to 0 (the default) disables this feature. -# -# default: a denied host can be purged/re-added indefinitely -PURGE_THRESHOLD = 4 -# -# a denied host will be purged at most 2 times. -#PURGE_THRESHOLD = 2 -# -####################################################################### - - -####################################################################### -# -# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY -# -# man 5 hosts_access for details -# -# eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1 -# -# To block all services for the offending host: -#BLOCK_SERVICE = ALL -# To block only sshd: -BLOCK_SERVICE = sshd -# To only record the offending host and nothing else (if using -# an auxilary file to list the hosts). Refer to: -# http://denyhosts.sourceforge.net/faq.html#aux -#BLOCK_SERVICE = -# -####################################################################### - - -####################################################################### -# -# DENY_THRESHOLD_INVALID: block each host after the number of failed login -# attempts has exceeded this value. This value applies to invalid -# user login attempts (eg. non-existent user accounts) -# -DENY_THRESHOLD_INVALID = 15 -# -####################################################################### - -####################################################################### -# -# DENY_THRESHOLD_VALID: block each host after the number of failed -# login attempts has exceeded this value. This value applies to valid -# user login attempts (eg. user accounts that exist in /etc/passwd) except -# for the "root" user -# -DENY_THRESHOLD_VALID = 15 -# -####################################################################### - -####################################################################### -# -# DENY_THRESHOLD_ROOT: block each host after the number of failed -# login attempts has exceeded this value. This value applies to -# "root" user login attempts only. -# -DENY_THRESHOLD_ROOT = 5 -# -####################################################################### - - -####################################################################### -# -# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed -# login attempts has exceeded this value. This value applies to -# usernames that appear in the WORK_DIR/restricted-usernames file only. -# -DENY_THRESHOLD_RESTRICTED = 1 -# -####################################################################### - - -####################################################################### -# -# WORK_DIR: the path that DenyHosts will use for writing data to -# (it will be created if it does not already exist). -# -# Note: it is recommended that you use an absolute pathname -# for this value (eg. /home/foo/denyhosts/data) -# -WORK_DIR = /var/lib/denyhosts -# -####################################################################### - -####################################################################### -# -# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS -# -# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO -# If set to YES, if a suspicious login attempt results from an allowed-host -# then it is considered suspicious. If this is NO, then suspicious logins -# from allowed-hosts will not be reported. All suspicious logins from -# ip addresses that are not in allowed-hosts will always be reported. -# -SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES -###################################################################### - -###################################################################### -# -# HOSTNAME_LOOKUP -# -# HOSTNAME_LOOKUP=YES|NO -# If set to YES, for each IP address that is reported by Denyhosts, -# the corresponding hostname will be looked up and reported as well -# (if available). -# -HOSTNAME_LOOKUP=YES -# -###################################################################### - - -###################################################################### -# -# LOCK_FILE -# -# LOCK_FILE=/path/denyhosts -# If this file exists when DenyHosts is run, then DenyHosts will exit -# immediately. Otherwise, this file will be created upon invocation -# and deleted upon exit. This ensures that only one instance is -# running at a time. -# -# Redhat/Fedora: -LOCK_FILE = /var/lock/subsys/denyhosts -# -# Debian -#LOCK_FILE = /var/run/denyhosts.pid -# -# Misc -#LOCK_FILE = /tmp/denyhosts.lock -# -###################################################################### - - - ############ THESE SETTINGS ARE OPTIONAL ############ - - -####################################################################### -# -# ADMIN_EMAIL: if you would like to receive emails regarding newly -# restricted hosts and suspicious logins, set this address to -# match your email address. If you do not want to receive these reports -# leave this field blank (or run with the --noemail option) -# -# Multiple email addresses can be delimited by a comma, eg: -# ADMIN_EMAIL = foo@xxxxxxx, bar@xxxxxxx, etc@xxxxxxxxxx -# -# ADMIN_EMAIL = ausil@xxxxxxxxxxxxxxxxx -# -####################################################################### - -####################################################################### -# -# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email -# reports (see ADMIN_EMAIL) then these settings specify the -# email server address (SMTP_HOST) and the server port (SMTP_PORT) -# -# -# THEMOVE FIXME this needs to work from external non-VPN machines. -SMTP_HOST = bastion -SMTP_PORT = 25 -# -####################################################################### - -####################################################################### -# -# SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your -# smtp email server requires authentication -# -#SMTP_USERNAME=foo -#SMTP_PASSWORD=bar -# -###################################################################### - -####################################################################### -# -# SMTP_FROM: you can specify the "From:" address in messages sent -# from DenyHosts when it reports thwarted abuse attempts -# -SMTP_FROM = DenyHosts <denyhosts@xxxxxxxxxxxxxxxxx> -# -####################################################################### - -####################################################################### -# -# SMTP_SUBJECT: you can specify the "Subject:" of messages sent -# by DenyHosts when it reports thwarted abuse attempts -SMTP_SUBJECT = DenyHosts Report from $[HOSTNAME] -# -###################################################################### - -###################################################################### -# -# SMTP_DATE_FORMAT: specifies the format used for the "Date:" header -# when sending email messages. -# -# for possible values for this parameter refer to: man strftime -# -# the default: -# -#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z -# -###################################################################### - -###################################################################### -# -# SYSLOG_REPORT -# -# SYSLOG_REPORT=YES|NO -# If set to yes, when denied hosts are recorded the report data -# will be sent to syslog (syslog must be present on your system). -# The default is: NO -# -#SYSLOG_REPORT=NO -# -#SYSLOG_REPORT=YES -# -###################################################################### - -###################################################################### -# -# ALLOWED_HOSTS_HOSTNAME_LOOKUP -# -# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO -# If set to YES, for each entry in the WORK_DIR/allowed-hosts file, -# the hostname will be looked up. If your versions of tcp_wrappers -# and sshd sometimes log hostnames in addition to ip addresses -# then you may wish to specify this option. -# -#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO -# -###################################################################### - -###################################################################### -# -# AGE_RESET_VALID: Specifies the period of time between failed login -# attempts that, when exceeded will result in the failed count for -# this host to be reset to 0. This value applies to login attempts -# to all valid users (those within /etc/passwd) with the -# exception of root. If not defined, this count will never -# be reset. -# -# See the comments in the PURGE_DENY section (above) -# for details on specifying this value or for complete details -# refer to: http://denyhosts.sourceforge.net/faq.html#timespec -# -AGE_RESET_VALID=5d -# -###################################################################### - -###################################################################### -# -# AGE_RESET_ROOT: Specifies the period of time between failed login -# attempts that, when exceeded will result in the failed count for -# this host to be reset to 0. This value applies to all login -# attempts to the "root" user account. If not defined, -# this count will never be reset. -# -# See the comments in the PURGE_DENY section (above) -# for details on specifying this value or for complete details -# refer to: http://denyhosts.sourceforge.net/faq.html#timespec -# -AGE_RESET_ROOT=25d -# -###################################################################### - -###################################################################### -# -# AGE_RESET_RESTRICTED: Specifies the period of time between failed login -# attempts that, when exceeded will result in the failed count for -# this host to be reset to 0. This value applies to all login -# attempts to entries found in the WORK_DIR/restricted-usernames file. -# If not defined, the count will never be reset. -# -# See the comments in the PURGE_DENY section (above) -# for details on specifying this value or for complete details -# refer to: http://denyhosts.sourceforge.net/faq.html#timespec -# -AGE_RESET_RESTRICTED=25d -# -###################################################################### - - -###################################################################### -# -# AGE_RESET_INVALID: Specifies the period of time between failed login -# attempts that, when exceeded will result in the failed count for -# this host to be reset to 0. This value applies to login attempts -# made to any invalid username (those that do not appear -# in /etc/passwd). If not defined, count will never be reset. -# -# See the comments in the PURGE_DENY section (above) -# for details on specifying this value or for complete details -# refer to: http://denyhosts.sourceforge.net/faq.html#timespec -# -AGE_RESET_INVALID=10d -# -###################################################################### - - -###################################################################### -# -# RESET_ON_SUCCESS: If this parameter is set to "yes" then the -# failed count for the respective ip address will be reset to 0 -# if the login is successful. -# -# The default is RESET_ON_SUCCESS = no -# -RESET_ON_SUCCESS = yes -# -##################################################################### - - -###################################################################### -# -# PLUGIN_DENY: If set, this value should point to an executable -# program that will be invoked when a host is added to the -# HOSTS_DENY file. This executable will be passed the host -# that will be added as it's only argument. -# -#PLUGIN_DENY=/usr/bin/true -# -###################################################################### - - -###################################################################### -# -# PLUGIN_PURGE: If set, this value should point to an executable -# program that will be invoked when a host is removed from the -# HOSTS_DENY file. This executable will be passed the host -# that is to be purged as it's only argument. -# -#PLUGIN_PURGE=/usr/bin/true -# -###################################################################### - -###################################################################### -# -# USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain -# a regular expression that can be used to identify additional -# hackers for your particular ssh configuration. This functionality -# extends the built-in regular expressions that DenyHosts uses. -# This parameter can be specified multiple times. -# See this faq entry for more details: -# http://denyhosts.sf.net/faq.html#userdef_regex -# -#USERDEF_FAILED_ENTRY_REGEX= -# -# -###################################################################### - - - - - ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ########## - - - -####################################################################### -# -# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag) -# this is the logfile that DenyHosts uses to report it's status. -# To disable logging, leave blank. (default is: /var/log/denyhosts) -# -DAEMON_LOG = /var/log/denyhosts -# -# disable logging: -#DAEMON_LOG = -# -###################################################################### - -####################################################################### -# -# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode -# (--daemon flag) this specifies the timestamp format of -# the DAEMON_LOG messages (default is the ISO8061 format: -# ie. 2005-07-22 10:38:01,745) -# -# for possible values for this parameter refer to: man strftime -# -# Jan 1 13:05:59 -#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S -# -# Jan 1 01:05:59 -#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S -# -###################################################################### - -####################################################################### -# -# DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode -# (--daemon flag) this specifies the message format of each logged -# entry. By default the following format is used: -# -# %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s -# -# Where the "%(asctime)s" portion is expanded to the format -# defined by DAEMON_LOG_TIME_FORMAT -# -# This string is passed to python's logging.Formatter contstuctor. -# For details on the possible format types please refer to: -# http://docs.python.org/lib/node357.html -# -# This is the default: -#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s -# -# -###################################################################### - - -####################################################################### -# -# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag) -# this is the amount of time DenyHosts will sleep between polling -# the SECURE_LOG. See the comments in the PURGE_DENY section (above) -# for details on specifying this value or for complete details -# refer to: http://denyhosts.sourceforge.net/faq.html#timespec -# -# -DAEMON_SLEEP = 30s -# -####################################################################### - -####################################################################### -# -# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode, -# run the purge mechanism to expire old entries in HOSTS_DENY -# This has no effect if PURGE_DENY is blank. -# -DAEMON_PURGE = 1h -# -####################################################################### - - - ######### THESE SETTINGS ARE SPECIFIC TO ########## - ######### DAEMON SYNCHRONIZATION ########## - - -####################################################################### -# -# Synchronization mode allows the DenyHosts daemon the ability -# to periodically send and receive denied host data such that -# DenyHosts daemons worldwide can automatically inform one -# another regarding banned hosts. This mode is disabled by -# default, you must uncomment SYNC_SERVER to enable this mode. -# -# for more information, please refer to: -# http:/denyhosts.sourceforge.net/faq.html#sync -# -####################################################################### - - -####################################################################### -# -# SYNC_SERVER: The central server that communicates with DenyHost -# daemons. Currently, denyhosts.net is the only available server -# however, in the future, it may be possible for organizations to -# install their own server for internal network synchronization -# -# To disable synchronization (the default), do nothing. -# -# To enable synchronization, you must uncomment the following line: -#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911 -# -####################################################################### - -####################################################################### -# -# SYNC_INTERVAL: the interval of time to perform synchronizations if -# SYNC_SERVER has been uncommented. The default is 1 hour. -# -SYNC_INTERVAL = 1h -# -####################################################################### - - -####################################################################### -# -# SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have -# been denied? This option only applies if SYNC_SERVER has -# been uncommented. -# The default is SYNC_UPLOAD = yes -# -#SYNC_UPLOAD = no -#SYNC_UPLOAD = yes -# -####################################################################### - - -####################################################################### -# -# SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have -# been denied by others? This option only applies if SYNC_SERVER has -# been uncommented. -# The default is SYNC_DOWNLOAD = yes -# -#SYNC_DOWNLOAD = no -#SYNC_DOWNLOAD = yes -# -# -# -####################################################################### - -####################################################################### -# -# SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this parameter -# filters the returned hosts to those that have been blocked this many -# times by others. That is, if set to 1, then if a single DenyHosts -# server has denied an ip address then you will receive the denied host. -# -# See also SYNC_DOWNLOAD_RESILIENCY -# -#SYNC_DOWNLOAD_THRESHOLD = 10 -# -# The default is SYNC_DOWNLOAD_THRESHOLD = 3 -# -#SYNC_DOWNLOAD_THRESHOLD = 3 -# -####################################################################### - -####################################################################### -# -# SYNC_DOWNLOAD_RESILIENCY: If SYNC_DOWNLOAD is enabled then the -# value specified for this option limits the downloaded data -# to this resiliency period or greater. -# -# Resiliency is defined as the timespan between a hackers first known -# attack and it's most recent attack. Example: -# -# If the centralized denyhosts.net server records an attack at 2 PM -# and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h -# will not download this ip address. -# -# However, if the attacker is recorded again at 6:15 PM then the -# ip address will be downloaded by your DenyHosts instance. -# -# This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD -# and only hosts that satisfy both values will be downloaded. -# This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1 -# -# The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours) -# -# Only obtain hackers that have been at it for 2 days or more: -#SYNC_DOWNLOAD_RESILIENCY = 2d -# -# Only obtain hackers that have been at it for 5 hours or more: -#SYNC_DOWNLOAD_RESILIENCY = 5h -# -####################################################################### - diff --git a/handlers/restart_services.yml b/handlers/restart_services.yml index 805ee4e..32c11e3 100644 --- a/handlers/restart_services.yml +++ b/handlers/restart_services.yml @@ -26,9 +26,6 @@ - name: restart crond action: service name=crond state=restarted -- name: restart denyhosts - action: service name=denyhosts state=restarted - - name: restart httpd action: service name=httpd state=restarted diff --git a/playbooks/groups/arm-packager.yml b/playbooks/groups/arm-packager.yml index e8008f9..2f33e92 100644 --- a/playbooks/groups/arm-packager.yml +++ b/playbooks/groups/arm-packager.yml @@ -13,6 +13,7 @@ roles: - rkhunter + - denyhosts tasks: # this is how you include other task lists @@ -23,7 +24,6 @@ - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/denyhosts.yml handlers: - include: $handlers/restart_services.yml diff --git a/playbooks/groups/arm-qa.yml b/playbooks/groups/arm-qa.yml index d9a745b..b92184b 100644 --- a/playbooks/groups/arm-qa.yml +++ b/playbooks/groups/arm-qa.yml @@ -13,6 +13,7 @@ roles: - rkhunter + - denyhosts tasks: # this is how you include other task lists @@ -23,7 +24,6 @@ - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/denyhosts.yml handlers: - include: $handlers/restart_services.yml diff --git a/playbooks/groups/backup-server.yml b/playbooks/groups/backup-server.yml index 8b95ebb..0820d9f 100644 --- a/playbooks/groups/backup-server.yml +++ b/playbooks/groups/backup-server.yml @@ -15,6 +15,7 @@ roles: - rkhunter + - denyhosts tasks: - include: $tasks/hosts.yml @@ -24,7 +25,6 @@ - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml - include: $tasks/mysql_server.yml - include: $tasks/bacula_server.yml diff --git a/playbooks/groups/badges-backend.yml b/playbooks/groups/badges-backend.yml index 73aba95..9d599c1 100644 --- a/playbooks/groups/badges-backend.yml +++ b/playbooks/groups/badges-backend.yml @@ -31,6 +31,7 @@ roles: - rkhunter + - denyhosts tasks: - include: $tasks/hosts.yml @@ -40,7 +41,6 @@ - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml - include: $tasks/openvpn_client.yml only_if: "'$env' != 'staging'" diff --git a/playbooks/groups/badges-web.yml b/playbooks/groups/badges-web.yml index 15ae8df..4fddc4e 100644 --- a/playbooks/groups/badges-web.yml +++ b/playbooks/groups/badges-web.yml @@ -34,6 +34,7 @@ roles: - rkhunter + - denyhosts tasks: - include: $tasks/hosts.yml @@ -43,7 +44,6 @@ - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml - include: $tasks/openvpn_client.yml only_if: "'$env' != 'staging'" diff --git a/playbooks/groups/beaker.yml b/playbooks/groups/beaker.yml index 1be9e9d..43606c1 100644 --- a/playbooks/groups/beaker.yml +++ b/playbooks/groups/beaker.yml @@ -30,6 +30,7 @@ roles: - rkhunter + - denyhosts tasks: # this is how you include other task lists @@ -41,7 +42,6 @@ - include: $tasks/collectd/client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml handlers: diff --git a/playbooks/groups/gallery.yml b/playbooks/groups/gallery.yml index a99a438..141e613 100644 --- a/playbooks/groups/gallery.yml +++ b/playbooks/groups/gallery.yml @@ -31,6 +31,7 @@ roles: - rkhunter + - denyhosts tasks: - include: $tasks/hosts.yml @@ -40,7 +41,6 @@ - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml - include: $tasks/fedmsg_base.yml - include: $tasks/apache.yml diff --git a/playbooks/groups/kernel-qa.yml b/playbooks/groups/kernel-qa.yml index 4f2fdc7..a99e3b5 100644 --- a/playbooks/groups/kernel-qa.yml +++ b/playbooks/groups/kernel-qa.yml @@ -14,6 +14,7 @@ roles: - rkhunter + - denyhosts tasks: # this is how you include other task lists @@ -24,7 +25,6 @@ - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml diff --git a/playbooks/groups/keyserver.yml b/playbooks/groups/keyserver.yml index 0b9e190..9fc5066 100644 --- a/playbooks/groups/keyserver.yml +++ b/playbooks/groups/keyserver.yml @@ -31,6 +31,7 @@ roles: - rkhunter + - denyhosts tasks: - include: $tasks/hosts.yml @@ -40,7 +41,6 @@ - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml - include: $tasks/fedmsg_base.yml - include: $tasks/apache.yml diff --git a/playbooks/groups/koji-hub.yml b/playbooks/groups/koji-hub.yml index 6b9725f..2ede558 100644 --- a/playbooks/groups/koji-hub.yml +++ b/playbooks/groups/koji-hub.yml @@ -32,6 +32,7 @@ roles: - rkhunter + - denyhosts tasks: - include: $tasks/hosts.yml @@ -41,7 +42,6 @@ - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml - include: $tasks/collectd/client.yml - include: $tasks/koji/koji_hub.yml diff --git a/playbooks/groups/mailman.yml b/playbooks/groups/mailman.yml index cd3af1c..c90f1c5 100644 --- a/playbooks/groups/mailman.yml +++ b/playbooks/groups/mailman.yml @@ -30,6 +30,7 @@ roles: - rkhunter + - denyhosts tasks: # this is how you include other task lists @@ -41,7 +42,6 @@ - include: $tasks/collectd/client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml handlers: diff --git a/playbooks/groups/mirrorlist.yml b/playbooks/groups/mirrorlist.yml index dbc70ed..e28e034 100644 --- a/playbooks/groups/mirrorlist.yml +++ b/playbooks/groups/mirrorlist.yml @@ -40,6 +40,7 @@ roles: - rkhunter + - denyhosts tasks: # this is how you include other task lists @@ -52,7 +53,6 @@ - include: $tasks/openvpn_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml - include: $tasks/apache.yml - include: $tasks/mod_wsgi.yml diff --git a/playbooks/groups/postgresl-server.yml b/playbooks/groups/postgresl-server.yml index 44f9934..92fdbde 100644 --- a/playbooks/groups/postgresl-server.yml +++ b/playbooks/groups/postgresl-server.yml @@ -32,6 +32,7 @@ roles: - rkhunter + - denyhosts tasks: - include: $tasks/hosts.yml @@ -41,7 +42,6 @@ - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml - include: $tasks/collectd/client.yml - include: $tasks/postgresql_server.yml diff --git a/playbooks/groups/taskbot.yml b/playbooks/groups/taskbot.yml index 47bb3a2..3d57356 100644 --- a/playbooks/groups/taskbot.yml +++ b/playbooks/groups/taskbot.yml @@ -30,6 +30,7 @@ roles: - rkhunter + - denyhosts tasks: # this is how you include other task lists @@ -41,7 +42,6 @@ - include: $tasks/collectd/client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml handlers: diff --git a/playbooks/groups/virthost.yml b/playbooks/groups/virthost.yml index 6d22a47..24761a4 100644 --- a/playbooks/groups/virthost.yml +++ b/playbooks/groups/virthost.yml @@ -14,6 +14,7 @@ roles: - rkhunter + - denyhosts tasks: - include: $tasks/hosts.yml @@ -23,7 +24,6 @@ - include: $tasks/2fa_client.yml - include: $tasks/motd.yml - include: $tasks/sudo.yml - - include: $tasks/denyhosts.yml - include: $tasks/nagios_client.yml - include: $tasks/collectd/client.yml - include: $tasks/virthost.yml diff --git a/roles/denyhosts/files/allowed-hosts b/roles/denyhosts/files/allowed-hosts new file mode 100644 index 0000000..f5a88b7 --- /dev/null +++ b/roles/denyhosts/files/allowed-hosts @@ -0,0 +1,27 @@ +# We mustn't block localhost +127.0.0.1 + +#bastion +10.5.126.11 +10.5.126.12 +#lockbox +10.5.126.23 +# don't block lockbox's remote addr, either +209.132.181.6 + +#noc1 +noc1.phx2.fedoraproject.org +10.5.126.41 +192.168.1.10 + +# RDU NAT +66.187.233.202 +66.187.233.206 +# RH NAT +66.187.230.200 +# PHX2 NAT +209.132.181.102 +# tlv RHT NAT +66.187.237.10 +# brno RHT NAT +209.132.186.34 diff --git a/roles/denyhosts/files/denyhosts.conf b/roles/denyhosts/files/denyhosts.conf new file mode 100644 index 0000000..577b851 --- /dev/null +++ b/roles/denyhosts/files/denyhosts.conf @@ -0,0 +1,626 @@ + ############ THESE SETTINGS ARE REQUIRED ############ + +######################################################################## +# +# SECURE_LOG: the log file that contains sshd logging info +# if you are not sure, grep "sshd:" /var/log/* +# +# The file to process can be overridden with the --file command line +# argument +# +# Redhat or Fedora Core: +SECURE_LOG = /var/log/secure +# +# Mandrake, FreeBSD or OpenBSD: +#SECURE_LOG = /var/log/auth.log +# +# SuSE: +#SECURE_LOG = /var/log/messages +# +# Mac OS X (v10.4 or greater - +# also refer to: http://www.denyhosts.net/faq.html#macos +#SECURE_LOG = /private/var/log/asl.log +# +# Mac OS X (v10.3 or earlier): +#SECURE_LOG=/private/var/log/system.log +# +######################################################################## + +######################################################################## +# +# HOSTS_DENY: the file which contains restricted host access information +# +# Most operating systems: +HOSTS_DENY = /etc/hosts.deny +# +# Some BSD (FreeBSD) Unixes: +#HOSTS_DENY = /etc/hosts.allow +# +# Another possibility (also see the next option): +#HOSTS_DENY = /etc/hosts.evil +####################################################################### + + +######################################################################## +# +# PURGE_DENY: removed HOSTS_DENY entries that are older than this time +# when DenyHosts is invoked with the --purge flag +# +# format is: i[dhwmy] +# Where 'i' is an integer (eg. 7) +# 'm' = minutes +# 'h' = hours +# 'd' = days +# 'w' = weeks +# 'y' = years +# +# never purge: +#PURGE_DENY = +# +# purge entries older than 1 week +#PURGE_DENY = 1w +# +# purge entries older than 5 days +#PURGE_DENY = 5d +# +# For the default Fedora Extras install, we want timestamping but no +# expiration (at least by default) so this is deliberately set high. +# Adjust to taste. +PURGE_DENY = 4w +####################################################################### + +####################################################################### +# +# PURGE_THRESHOLD: defines the maximum times a host will be purged. +# Once this value has been exceeded then this host will not be purged. +# Setting this parameter to 0 (the default) disables this feature. +# +# default: a denied host can be purged/re-added indefinitely +PURGE_THRESHOLD = 4 +# +# a denied host will be purged at most 2 times. +#PURGE_THRESHOLD = 2 +# +####################################################################### + + +####################################################################### +# +# BLOCK_SERVICE: the service name that should be blocked in HOSTS_DENY +# +# man 5 hosts_access for details +# +# eg. sshd: 127.0.0.1 # will block sshd logins from 127.0.0.1 +# +# To block all services for the offending host: +#BLOCK_SERVICE = ALL +# To block only sshd: +BLOCK_SERVICE = sshd +# To only record the offending host and nothing else (if using +# an auxilary file to list the hosts). Refer to: +# http://denyhosts.sourceforge.net/faq.html#aux +#BLOCK_SERVICE = +# +####################################################################### + + +####################################################################### +# +# DENY_THRESHOLD_INVALID: block each host after the number of failed login +# attempts has exceeded this value. This value applies to invalid +# user login attempts (eg. non-existent user accounts) +# +DENY_THRESHOLD_INVALID = 15 +# +####################################################################### + +####################################################################### +# +# DENY_THRESHOLD_VALID: block each host after the number of failed +# login attempts has exceeded this value. This value applies to valid +# user login attempts (eg. user accounts that exist in /etc/passwd) except +# for the "root" user +# +DENY_THRESHOLD_VALID = 15 +# +####################################################################### + +####################################################################### +# +# DENY_THRESHOLD_ROOT: block each host after the number of failed +# login attempts has exceeded this value. This value applies to +# "root" user login attempts only. +# +DENY_THRESHOLD_ROOT = 5 +# +####################################################################### + + +####################################################################### +# +# DENY_THRESHOLD_RESTRICTED: block each host after the number of failed +# login attempts has exceeded this value. This value applies to +# usernames that appear in the WORK_DIR/restricted-usernames file only. +# +DENY_THRESHOLD_RESTRICTED = 1 +# +####################################################################### + + +####################################################################### +# +# WORK_DIR: the path that DenyHosts will use for writing data to +# (it will be created if it does not already exist). +# +# Note: it is recommended that you use an absolute pathname +# for this value (eg. /home/foo/denyhosts/data) +# +WORK_DIR = /var/lib/denyhosts +# +####################################################################### + +####################################################################### +# +# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS +# +# SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES|NO +# If set to YES, if a suspicious login attempt results from an allowed-host +# then it is considered suspicious. If this is NO, then suspicious logins +# from allowed-hosts will not be reported. All suspicious logins from +# ip addresses that are not in allowed-hosts will always be reported. +# +SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES +###################################################################### + +###################################################################### +# +# HOSTNAME_LOOKUP +# +# HOSTNAME_LOOKUP=YES|NO +# If set to YES, for each IP address that is reported by Denyhosts, +# the corresponding hostname will be looked up and reported as well +# (if available). +# +HOSTNAME_LOOKUP=YES +# +###################################################################### + + +###################################################################### +# +# LOCK_FILE +# +# LOCK_FILE=/path/denyhosts +# If this file exists when DenyHosts is run, then DenyHosts will exit +# immediately. Otherwise, this file will be created upon invocation +# and deleted upon exit. This ensures that only one instance is +# running at a time. +# +# Redhat/Fedora: +LOCK_FILE = /var/lock/subsys/denyhosts +# +# Debian +#LOCK_FILE = /var/run/denyhosts.pid +# +# Misc +#LOCK_FILE = /tmp/denyhosts.lock +# +###################################################################### + + + ############ THESE SETTINGS ARE OPTIONAL ############ + + +####################################################################### +# +# ADMIN_EMAIL: if you would like to receive emails regarding newly +# restricted hosts and suspicious logins, set this address to +# match your email address. If you do not want to receive these reports +# leave this field blank (or run with the --noemail option) +# +# Multiple email addresses can be delimited by a comma, eg: +# ADMIN_EMAIL = foo@xxxxxxx, bar@xxxxxxx, etc@xxxxxxxxxx +# +# ADMIN_EMAIL = ausil@xxxxxxxxxxxxxxxxx +# +####################################################################### + +####################################################################### +# +# SMTP_HOST and SMTP_PORT: if DenyHosts is configured to email +# reports (see ADMIN_EMAIL) then these settings specify the +# email server address (SMTP_HOST) and the server port (SMTP_PORT) +# +# +# THEMOVE FIXME this needs to work from external non-VPN machines. +SMTP_HOST = bastion +SMTP_PORT = 25 +# +####################################################################### + +####################################################################### +# +# SMTP_USERNAME and SMTP_PASSWORD: set these parameters if your +# smtp email server requires authentication +# +#SMTP_USERNAME=foo +#SMTP_PASSWORD=bar +# +###################################################################### + +####################################################################### +# +# SMTP_FROM: you can specify the "From:" address in messages sent +# from DenyHosts when it reports thwarted abuse attempts +# +SMTP_FROM = DenyHosts <denyhosts@xxxxxxxxxxxxxxxxx> +# +####################################################################### + +####################################################################### +# +# SMTP_SUBJECT: you can specify the "Subject:" of messages sent +# by DenyHosts when it reports thwarted abuse attempts +SMTP_SUBJECT = DenyHosts Report from $[HOSTNAME] +# +###################################################################### + +###################################################################### +# +# SMTP_DATE_FORMAT: specifies the format used for the "Date:" header +# when sending email messages. +# +# for possible values for this parameter refer to: man strftime +# +# the default: +# +#SMTP_DATE_FORMAT = %a, %d %b %Y %H:%M:%S %z +# +###################################################################### + +###################################################################### +# +# SYSLOG_REPORT +# +# SYSLOG_REPORT=YES|NO +# If set to yes, when denied hosts are recorded the report data +# will be sent to syslog (syslog must be present on your system). +# The default is: NO +# +#SYSLOG_REPORT=NO +# +#SYSLOG_REPORT=YES +# +###################################################################### + +###################################################################### +# +# ALLOWED_HOSTS_HOSTNAME_LOOKUP +# +# ALLOWED_HOSTS_HOSTNAME_LOOKUP=YES|NO +# If set to YES, for each entry in the WORK_DIR/allowed-hosts file, +# the hostname will be looked up. If your versions of tcp_wrappers +# and sshd sometimes log hostnames in addition to ip addresses +# then you may wish to specify this option. +# +#ALLOWED_HOSTS_HOSTNAME_LOOKUP=NO +# +###################################################################### + +###################################################################### +# +# AGE_RESET_VALID: Specifies the period of time between failed login +# attempts that, when exceeded will result in the failed count for +# this host to be reset to 0. This value applies to login attempts +# to all valid users (those within /etc/passwd) with the +# exception of root. If not defined, this count will never +# be reset. +# +# See the comments in the PURGE_DENY section (above) +# for details on specifying this value or for complete details +# refer to: http://denyhosts.sourceforge.net/faq.html#timespec +# +AGE_RESET_VALID=5d +# +###################################################################### + +###################################################################### +# +# AGE_RESET_ROOT: Specifies the period of time between failed login +# attempts that, when exceeded will result in the failed count for +# this host to be reset to 0. This value applies to all login +# attempts to the "root" user account. If not defined, +# this count will never be reset. +# +# See the comments in the PURGE_DENY section (above) +# for details on specifying this value or for complete details +# refer to: http://denyhosts.sourceforge.net/faq.html#timespec +# +AGE_RESET_ROOT=25d +# +###################################################################### + +###################################################################### +# +# AGE_RESET_RESTRICTED: Specifies the period of time between failed login +# attempts that, when exceeded will result in the failed count for +# this host to be reset to 0. This value applies to all login +# attempts to entries found in the WORK_DIR/restricted-usernames file. +# If not defined, the count will never be reset. +# +# See the comments in the PURGE_DENY section (above) +# for details on specifying this value or for complete details +# refer to: http://denyhosts.sourceforge.net/faq.html#timespec +# +AGE_RESET_RESTRICTED=25d +# +###################################################################### + + +###################################################################### +# +# AGE_RESET_INVALID: Specifies the period of time between failed login +# attempts that, when exceeded will result in the failed count for +# this host to be reset to 0. This value applies to login attempts +# made to any invalid username (those that do not appear +# in /etc/passwd). If not defined, count will never be reset. +# +# See the comments in the PURGE_DENY section (above) +# for details on specifying this value or for complete details +# refer to: http://denyhosts.sourceforge.net/faq.html#timespec +# +AGE_RESET_INVALID=10d +# +###################################################################### + + +###################################################################### +# +# RESET_ON_SUCCESS: If this parameter is set to "yes" then the +# failed count for the respective ip address will be reset to 0 +# if the login is successful. +# +# The default is RESET_ON_SUCCESS = no +# +RESET_ON_SUCCESS = yes +# +##################################################################### + + +###################################################################### +# +# PLUGIN_DENY: If set, this value should point to an executable +# program that will be invoked when a host is added to the +# HOSTS_DENY file. This executable will be passed the host +# that will be added as it's only argument. +# +#PLUGIN_DENY=/usr/bin/true +# +###################################################################### + + +###################################################################### +# +# PLUGIN_PURGE: If set, this value should point to an executable +# program that will be invoked when a host is removed from the +# HOSTS_DENY file. This executable will be passed the host +# that is to be purged as it's only argument. +# +#PLUGIN_PURGE=/usr/bin/true +# +###################################################################### + +###################################################################### +# +# USERDEF_FAILED_ENTRY_REGEX: if set, this value should contain +# a regular expression that can be used to identify additional +# hackers for your particular ssh configuration. This functionality +# extends the built-in regular expressions that DenyHosts uses. +# This parameter can be specified multiple times. +# See this faq entry for more details: +# http://denyhosts.sf.net/faq.html#userdef_regex +# +#USERDEF_FAILED_ENTRY_REGEX= +# +# +###################################################################### + + + + + ######### THESE SETTINGS ARE SPECIFIC TO DAEMON MODE ########## + + + +####################################################################### +# +# DAEMON_LOG: when DenyHosts is run in daemon mode (--daemon flag) +# this is the logfile that DenyHosts uses to report it's status. +# To disable logging, leave blank. (default is: /var/log/denyhosts) +# +DAEMON_LOG = /var/log/denyhosts +# +# disable logging: +#DAEMON_LOG = +# +###################################################################### + +####################################################################### +# +# DAEMON_LOG_TIME_FORMAT: when DenyHosts is run in daemon mode +# (--daemon flag) this specifies the timestamp format of +# the DAEMON_LOG messages (default is the ISO8061 format: +# ie. 2005-07-22 10:38:01,745) +# +# for possible values for this parameter refer to: man strftime +# +# Jan 1 13:05:59 +#DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S +# +# Jan 1 01:05:59 +#DAEMON_LOG_TIME_FORMAT = %b %d %I:%M:%S +# +###################################################################### + +####################################################################### +# +# DAEMON_LOG_MESSAGE_FORMAT: when DenyHosts is run in daemon mode +# (--daemon flag) this specifies the message format of each logged +# entry. By default the following format is used: +# +# %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s +# +# Where the "%(asctime)s" portion is expanded to the format +# defined by DAEMON_LOG_TIME_FORMAT +# +# This string is passed to python's logging.Formatter contstuctor. +# For details on the possible format types please refer to: +# http://docs.python.org/lib/node357.html +# +# This is the default: +#DAEMON_LOG_MESSAGE_FORMAT = %(asctime)s - %(name)-12s: %(levelname)-8s %(message)s +# +# +###################################################################### + + +####################################################################### +# +# DAEMON_SLEEP: when DenyHosts is run in daemon mode (--daemon flag) +# this is the amount of time DenyHosts will sleep between polling +# the SECURE_LOG. See the comments in the PURGE_DENY section (above) +# for details on specifying this value or for complete details +# refer to: http://denyhosts.sourceforge.net/faq.html#timespec +# +# +DAEMON_SLEEP = 30s +# +####################################################################### + +####################################################################### +# +# DAEMON_PURGE: How often should DenyHosts, when run in daemon mode, +# run the purge mechanism to expire old entries in HOSTS_DENY +# This has no effect if PURGE_DENY is blank. +# +DAEMON_PURGE = 1h +# +####################################################################### + + + ######### THESE SETTINGS ARE SPECIFIC TO ########## + ######### DAEMON SYNCHRONIZATION ########## + + +####################################################################### +# +# Synchronization mode allows the DenyHosts daemon the ability +# to periodically send and receive denied host data such that +# DenyHosts daemons worldwide can automatically inform one +# another regarding banned hosts. This mode is disabled by +# default, you must uncomment SYNC_SERVER to enable this mode. +# +# for more information, please refer to: +# http:/denyhosts.sourceforge.net/faq.html#sync +# +####################################################################### + + +####################################################################### +# +# SYNC_SERVER: The central server that communicates with DenyHost +# daemons. Currently, denyhosts.net is the only available server +# however, in the future, it may be possible for organizations to +# install their own server for internal network synchronization +# +# To disable synchronization (the default), do nothing. +# +# To enable synchronization, you must uncomment the following line: +#SYNC_SERVER = http://xmlrpc.denyhosts.net:9911 +# +####################################################################### + +####################################################################### +# +# SYNC_INTERVAL: the interval of time to perform synchronizations if +# SYNC_SERVER has been uncommented. The default is 1 hour. +# +SYNC_INTERVAL = 1h +# +####################################################################### + + +####################################################################### +# +# SYNC_UPLOAD: allow your DenyHosts daemon to transmit hosts that have +# been denied? This option only applies if SYNC_SERVER has +# been uncommented. +# The default is SYNC_UPLOAD = yes +# +#SYNC_UPLOAD = no +#SYNC_UPLOAD = yes +# +####################################################################### + + +####################################################################### +# +# SYNC_DOWNLOAD: allow your DenyHosts daemon to receive hosts that have +# been denied by others? This option only applies if SYNC_SERVER has +# been uncommented. +# The default is SYNC_DOWNLOAD = yes +# +#SYNC_DOWNLOAD = no +#SYNC_DOWNLOAD = yes +# +# +# +####################################################################### + +####################################################################### +# +# SYNC_DOWNLOAD_THRESHOLD: If SYNC_DOWNLOAD is enabled this parameter +# filters the returned hosts to those that have been blocked this many +# times by others. That is, if set to 1, then if a single DenyHosts +# server has denied an ip address then you will receive the denied host. +# +# See also SYNC_DOWNLOAD_RESILIENCY +# +#SYNC_DOWNLOAD_THRESHOLD = 10 +# +# The default is SYNC_DOWNLOAD_THRESHOLD = 3 +# +#SYNC_DOWNLOAD_THRESHOLD = 3 +# +####################################################################### + +####################################################################### +# +# SYNC_DOWNLOAD_RESILIENCY: If SYNC_DOWNLOAD is enabled then the +# value specified for this option limits the downloaded data +# to this resiliency period or greater. +# +# Resiliency is defined as the timespan between a hackers first known +# attack and it's most recent attack. Example: +# +# If the centralized denyhosts.net server records an attack at 2 PM +# and then again at 5 PM, specifying a SYNC_DOWNLOAD_RESILIENCY = 4h +# will not download this ip address. +# +# However, if the attacker is recorded again at 6:15 PM then the +# ip address will be downloaded by your DenyHosts instance. +# +# This value is used in conjunction with the SYNC_DOWNLOAD_THRESHOLD +# and only hosts that satisfy both values will be downloaded. +# This value has no effect if SYNC_DOWNLOAD_THRESHOLD = 1 +# +# The default is SYNC_DOWNLOAD_RESILIENCY = 5h (5 hours) +# +# Only obtain hackers that have been at it for 2 days or more: +#SYNC_DOWNLOAD_RESILIENCY = 2d +# +# Only obtain hackers that have been at it for 5 hours or more: +#SYNC_DOWNLOAD_RESILIENCY = 5h +# +####################################################################### + diff --git a/roles/denyhosts/handlers/main.yml b/roles/denyhosts/handlers/main.yml new file mode 100644 index 0000000..83c446b --- /dev/null +++ b/roles/denyhosts/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: restart denyhosts + action: service name=denyhosts state=restarted diff --git a/roles/denyhosts/tasks/main.yml b/roles/denyhosts/tasks/main.yml new file mode 100644 index 0000000..1e0a1c4 --- /dev/null +++ b/roles/denyhosts/tasks/main.yml @@ -0,0 +1,26 @@ +--- +#install denyhosts +- name: install denyhosts + yum: name=denyhosts state=installed + tags: + - packages + +- name: /etc/denyhosts.conf + copy: src=denyhosts.conf dest=/etc/denyhosts.conf + notify: + - restart denyhosts + tags: + - config + +- name: /var/lib/denyhosts/allowed-hosts + copy: src=allowed-hosts dest=/var/lib/denyhosts/allowed-hosts + notify: + - restart denyhosts + tags: + - config + +- name: enable the service + service: name=denyhosts state=running enabled=true + tags: + - service + diff --git a/tasks/denyhosts.yml b/tasks/denyhosts.yml deleted file mode 100644 index cc4e756..0000000 --- a/tasks/denyhosts.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -#install denyhosts -- name: install denyhosts - yum: name=denyhosts state=installed - tags: - - packages - -- name: /etc/denyhosts.conf - copy: src=$files/denyhosts/denyhosts.conf dest=/etc/denyhosts.conf - notify: - - restart denyhosts - tags: - - config - -- name: /var/lib/denyhosts/allowed-hosts - copy: src=$files/denyhosts/allowed-hosts dest=/var/lib/denyhosts/allowed-hosts - notify: - - restart denyhosts - tags: - - config - -- name: enable the service - service: name=denyhosts state=running enabled=true - tags: - - service - -- 1.8.3.1 _______________________________________________ infrastructure mailing list infrastructure@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/infrastructure
