ansible 部署脚本
默认会将项目创建在 /root 目录,需要的话请修改该目录
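---
# Deploys fail2ban as a Docker container (crazymax/fail2ban) that bans SSH
# brute-force sources by inserting iptables rules on the host.
#
# Assumptions about the target (verify before running):
#   - Docker Engine with the compose plugin (`docker compose`) is installed
#   - the host firewall is iptables-compatible and has an INPUT chain
#   - sshd auth failures are written to /var/log/auth.log (rsyslog/syslog-ng);
#     on journald-only hosts that file does not exist and the sshd jail will
#     fail to start — install rsyslog or configure the systemd backend as
#     described in the image's documentation
- name: Fail2Ban
  hosts: target
  become: true
  become_method: sudo
  vars:
    # Install location. Override with `-e fail2ban_dir=/opt/fail2ban`
    # instead of editing the paths below.
    fail2ban_dir: /root/fail2ban
    # Pinned image tag; bump deliberately after reading the release notes.
    fail2ban_image: crazymax/fail2ban:1.1.0
  tasks:
    - name: 创建 fail2ban 目录
      ansible.builtin.file:
        path: "{{ fail2ban_dir }}/data/jail.d"
        state: directory
        mode: '0755'
        recurse: true

    - name: 创建 docker compose 文件
      ansible.builtin.copy:
        dest: "{{ fail2ban_dir }}/docker-compose.yml"
        mode: '0644'
        # Jinja is expanded in `content`; the rest is written verbatim.
        content: |
          name: fail2ban
          services:
            fail2ban:
              image: {{ fail2ban_image }}
              # Fixed name so `docker exec fail2ban ...` works. Without it compose
              # names the container fail2ban-fail2ban-1 and that command fails.
              container_name: fail2ban
              restart: always
              volumes:
                # relative to the directory holding this compose file
                - './data:/data'
                # Mount the directory, not the single file: logrotate replaces
                # auth.log by rename, and a bind mount of the file would keep
                # following the rotated inode, leaving fail2ban blind after the
                # first rotation. The jail's logpath still points at auth.log.
                - '/var/log:/var/log:ro'
              # NET_ADMIN/NET_RAW are needed to manipulate the host's iptables.
              cap_add:
                - NET_ADMIN
                - NET_RAW
              # Host networking so the ban rules land in the host's INPUT chain.
              network_mode: host

    - name: 创建 配置文件 fail2ban jail.conf
      ansible.builtin.copy:
        dest: "{{ fail2ban_dir }}/data/jail.conf"
        mode: '0644'
        # NOTE(review): the image maps /data/jail.d into the container; confirm
        # that /data/jail.conf is picked up as well (e.g. `fail2ban-client get
        # sshd bantime` should print 86400). If it is not, move this [DEFAULT]
        # section into data/jail.d/00-defaults.conf.
        content: |
          [DEFAULT]
          # Sources that are never banned. Listing every RFC1918 range means a
          # compromised internal host can brute-force sshd indefinitely; narrow
          # this to the management networks that actually need the exemption.
          ignoreip = 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8
          # Comments are kept on their own lines so no parser can take a
          # trailing "# ..." as part of the value.
          # Window in which failures are counted
          findtime = 1h
          # Failures within findtime that trigger a ban
          maxretry = 10
          # Ban duration
          bantime = 1d

    - name: 创建 配置文件 fail2ban sshd.conf
      ansible.builtin.copy:
        dest: "{{ fail2ban_dir }}/data/jail.d/sshd.conf"
        mode: '0644'
        content: |
          [sshd]
          enabled = true
          chain = INPUT
          # Change this if sshd listens on a non-standard port, otherwise the
          # ban rule will not match the traffic it is meant to block.
          port = ssh
          # sshd filter with its "aggressive" regex set; see filter.d/sshd.conf
          # in the image for exactly what that mode matches.
          filter = sshd[mode=aggressive]
          logpath = /var/log/auth.log

    - name: 启动 fail2ban
      ansible.builtin.command:
        cmd: docker compose up -d
        chdir: "{{ fail2ban_dir }}"
      # `up -d` is idempotent on the Docker side but always reports "changed"
      # here; switch to community.docker.docker_compose_v2 if that collection
      # is available on the controller.

    - name: 验证 sshd jail 已启动
      # A syntax error in jail.conf/sshd.conf makes fail2ban exit and the
      # container restart-loop; `up -d` alone would not surface that.
      ansible.builtin.command:
        cmd: docker exec fail2ban fail2ban-client status sshd
      register: sshd_jail_status
      changed_when: false
      retries: 6
      delay: 5
      until: sshd_jail_status.rc == 0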
fail2ban 命令
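# Inspect fail2ban state inside the container. Going through `docker compose
# exec <service>` resolves the container by its compose service name, so it
# works whether or not the compose file pins `container_name: fail2ban`
# (without that key compose names the container fail2ban-fail2ban-1 and a
# plain `docker exec fail2ban ...` fails). The -f path must match the
# deployed compose file.
docker compose -f /root/fail2ban/docker-compose.yml exec fail2ban fail2ban-client status
docker compose -f /root/fail2ban/docker-compose.yml exec fail2ban fail2ban-client status sshd
# Lift a ban for a specific address (e.g. after locking yourself out):
# docker compose -f /root/fail2ban/docker-compose.yml exec fail2ban fail2ban-client set sshd unbanip <IP>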