smauro/prod
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ansible: modification du playbook fail2ban & install.sh

Browse Source
This commit is contained in:
Stephane M 2025-02-18 21:46:59 +01:00
parent 2ff8064703
commit 56befcd67f
4 changed files with 139 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
ansible/install_fail2ban.sh
View File

@ -1,43 +1,32 @@
#!/bin/bash #!/bin/bash
# Demander les informations avec Zenity # Vérifie si Zenity est installé, sinon l'installe
USER_INPUT=$(zenity --forms --title="Configuration Fail2ban" \ if ! command -v zenity &> /dev/null; then
--text="Remplissez les informations pour l'installation" \ echo "Zenity non trouvé, installation..."
--add-entry="Adresse IP du serveur" \ sudo apt update && sudo apt install -y zenity
--add-entry="Utilisateur SSH" \
--add-entry="Mot de passe SSH" \
--add-entry="Port SSH" \
--add-entry="Webhook Mattermost" \
--separator=",")
# Vérifier si l'utilisateur a annulé
if [ $? -ne 0 ]; then
echo "Opération annulée."
exit 1
fi fi
# Extraire les valeurs # Demande les infos via Zenity
IP_SERVER=$(echo "$USER_INPUT" | cut -d',' -f1) IP_SERVER=$(zenity --entry --title "Configuration Serveur" --text "Entrez l'adresse IP du serveur :")
SSH_USER=$(echo "$USER_INPUT" | cut -d',' -f2) SSH_USER=$(zenity --entry --title "Configuration Serveur" --text "Entrez l'utilisateur SSH :")
SSH_PASS=$(echo "$USER_INPUT" | cut -d',' -f3) SSH_PASS=$(zenity --password --title "Configuration Serveur" --text "Entrez le mot de passe SSH :")
SSH_PORT=$(echo "$USER_INPUT" | cut -d',' -f4) SSH_PORT=$(zenity --entry --title "Configuration Serveur" --text "Entrez le port SSH (ex: 22) :" --entry-text "22")
MATTERMOST_WEBHOOK=$(echo "$USER_INPUT" | cut -d',' -f5) MATTERMOST_WEBHOOK=$(zenity --entry --title "Mattermost" --text "Entrez l'URL du webhook Mattermost :")
# Vérifier que toutes les valeurs sont renseignées # Vérifie si les variables sont vides
if [[ -z "$IP_SERVER" || -z "$SSH_USER" || -z "$SSH_PASS" || -z "$SSH_PORT" || -z "$MATTERMOST_WEBHOOK" ]]; then if [[ -z "$IP_SERVER" || -z "$SSH_USER" || -z "$SSH_PASS" || -z "$SSH_PORT" || -z "$MATTERMOST_WEBHOOK" ]]; then
zenity --error --text="Toutes les informations doivent être remplies !" --width=300 zenity --error --title "Erreur" --text "Toutes les informations sont requises !"
exit 1 exit 1
fi fi
# Générer un fichier d'inventaire dynamique # Crée le fichier d'inventaire dynamique
cat > inventory.ini <<EOL cat > inventory.ini <<EOL
[servers] [servers]
$IP_SERVER ansible_host=$IP_SERVER ansible_user=$SSH_USER ansible_password=$SSH_PASS ansible_port=$SSH_PORT ansible_become_password=$SSH_PASS $IP_SERVER ansible_host=$IP_SERVER ansible_user=$SSH_USER ansible_password=$SSH_PASS ansible_port=$SSH_PORT ansible_become_password=$SSH_PASS
EOL EOL
# Lancer le playbook Ansible avec les variables dynamiques # Lancer le playbook Ansible
ansible-playbook -i inventory.ini playbooks/fail2ban.yml --extra-vars "ssh_port=$SSH_PORT mattermost_webhook=$MATTERMOST_WEBHOOK" ansible-playbook -i inventory.ini playbooks/fail2ban.yml --extra-vars "ssh_port=$SSH_PORT mattermost_webhook=$MATTERMOST_WEBHOOK"
# Informer l'utilisateur que l'installation est terminée zenity --info --title "Installation terminée" --text "Fail2ban a été installé et configuré sur $IP_SERVER."
zenity --info --text="Fail2ban a été installé et configuré sur $IP_SERVER !" --width=300

43
ansible/install_fail2ban.sh.BACKUP Executable file
View File

@ -0,0 +1,43 @@
#!/bin/bash
# Demander les informations avec Zenity
USER_INPUT=$(zenity --forms --title="Configuration Fail2ban" \
--text="Remplissez les informations pour l'installation" \
--add-entry="Adresse IP du serveur" \
--add-entry="Utilisateur SSH" \
--add-entry="Mot de passe SSH" \
--add-entry="Port SSH" \
--add-entry="Webhook Mattermost" \
--separator=",")
# Vérifier si l'utilisateur a annulé
if [ $? -ne 0 ]; then
echo "Opération annulée."
exit 1
fi
# Extraire les valeurs
IP_SERVER=$(echo "$USER_INPUT" | cut -d',' -f1)
SSH_USER=$(echo "$USER_INPUT" | cut -d',' -f2)
SSH_PASS=$(echo "$USER_INPUT" | cut -d',' -f3)
SSH_PORT=$(echo "$USER_INPUT" | cut -d',' -f4)
MATTERMOST_WEBHOOK=$(echo "$USER_INPUT" | cut -d',' -f5)
# Vérifier que toutes les valeurs sont renseignées
if [[ -z "$IP_SERVER" || -z "$SSH_USER" || -z "$SSH_PASS" || -z "$SSH_PORT" || -z "$MATTERMOST_WEBHOOK" ]]; then
zenity --error --text="Toutes les informations doivent être remplies !" --width=300
exit 1
fi
# Générer un fichier d'inventaire dynamique
cat > inventory.ini <<EOL
[servers]
$IP_SERVER ansible_host=$IP_SERVER ansible_user=$SSH_USER ansible_password=$SSH_PASS ansible_port=$SSH_PORT ansible_become_password=$SSH_PASS
EOL
# Lancer le playbook Ansible avec les variables dynamiques
ansible-playbook -i inventory.ini playbooks/fail2ban.yml --extra-vars "ssh_port=$SSH_PORT mattermost_webhook=$MATTERMOST_WEBHOOK"
# Informer l'utilisateur que l'installation est terminée
zenity --info --text="Fail2ban a été installé et configuré sur $IP_SERVER !" --width=300

45
ansible/playbooks/fail2ban.yml
View File

@ -3,11 +3,8 @@
hosts: servers hosts: servers
become: yes become: yes
vars: vars:
ssh_port: "{{ ssh_port }}" ssh_port: "22"
ban_time: 1800 mattermost_webhook: ""
max_retry: 3
find_time: 600
mattermost_webhook: "{{ mattermost_webhook }}"
tasks: tasks:
- name: Install Fail2ban - name: Install Fail2ban
@ -16,7 +13,19 @@
state: present state: present
update_cache: yes update_cache: yes
- name: Create Fail2ban jail.local configuration - name: Install iptables
apt:
name: iptables
state: present
update_cache: yes
- name: Ensure Fail2ban service is started and enabled
systemd:
name: fail2ban
state: started
enabled: yes
- name: Configure Fail2ban jail.local
copy: copy:
dest: /etc/fail2ban/jail.local dest: /etc/fail2ban/jail.local
content: | content: |
@ -24,17 +33,27 @@
enabled = true enabled = true
port = {{ ssh_port }} port = {{ ssh_port }}
filter = sshd filter = sshd
maxretry = {{ max_retry }} maxretry = 3
findtime = {{ find_time }} findtime = 600
bantime = {{ ban_time }} bantime = 1800
backend = systemd backend = systemd
action = iptables-multiport[name=SSH, port={{ ssh_port }}, protocol=tcp, chain=INPUT, blocktype=DROP] action = iptables-multiport[name=SSH, port={{ ssh_port }}, protocol=tcp, chain=INPUT, blocktype=DROP] mattermost
mattermost[action="{{ mattermost_webhook }}", sender="Fail2ban", format="Failed login attempt from <ip>"] notify: Restart Fail2ban
notify:
- Restart Fail2ban - name: Create Mattermost action file
copy:
dest: /etc/fail2ban/action.d/mattermost.conf
content: |
[Definition]
actionstart =
actionstop =
actionban = curl -X POST -H "Content-Type: application/json" --data "{"text": "🚨 Fail2ban a banni <ip> après trop d'échecs SSH 🚨"}" {{ mattermost_webhook }}
actionunban =
notify: Restart Fail2ban
handlers: handlers:
- name: Restart Fail2ban - name: Restart Fail2ban
systemd: systemd:
name: fail2ban name: fail2ban
state: restarted state: restarted

49
ansible/playbooks/fail2ban.yml.BACKUP Normal file
View File

@ -0,0 +1,49 @@
---
- name: Install and configure Fail2ban with Mattermost notifications
hosts: servers
become: yes
vars:
ssh_port: "{{ ssh_port }}"
ban_time: 1800
max_retry: 3
find_time: 600
mattermost_webhook: "{{ mattermost_webhook }}"
tasks:
- name: Install Fail2ban
apt:
name: fail2ban
state: present
update_cache: yes
- name: Configure Fail2ban jail.local
copy:
dest: /etc/fail2ban/jail.local
content: |
[sshd]
enabled = true
port = {{ ssh_port }}
logpath = /var/log/auth.log
maxretry = 3
bantime = 1800
action = iptables-multiport[name=SSH, port={{ ssh_port }}, protocol=tcp]
mattermost
notify:
- Restart Fail2ban
- name: Create Mattermost action file
copy:
dest: /etc/fail2ban/action.d/mattermost.conf
content: |
[Definition]
actionstart =
actionstop =
actionban = curl -X POST -H 'Content-Type: application/json' --data '{"text": "🚨 Fail2ban a banni <ip> après trop d'échecs SSH 🚨"}' {{ mattermost_webhook }}
actionunban =
notify: Restart Fail2ban
handlers:
- name: Restart Fail2ban
systemd:
name: fail2ban
state: restarted