
ff3f78d8a7b51858e155db21dbf2eda1adfb2b7f — Nicolas KAROLAK 2 months ago a688598 master v1.2.0
add global ssh ratelimit rule
2 files changed, 11 insertions(+), 0 deletions(-)

M defaults/main.yml
M templates/ferm.conf.j2
M defaults/main.yml => defaults/main.yml +5 -0
@@ 4,6 4,11 @@
ferm_packages:
  - ferm

# enable ssh ratelimit rule
ferm_ssh_ratelimit_enabled: true
ferm_ssh_ratelimit_seconds: 120
ferm_ssh_ratelimit_hitcount: 8

# enable anti-lockout rule
ferm_antilockout_enabled: true


M templates/ferm.conf.j2 => templates/ferm.conf.j2 +6 -0
@@ 17,6 17,12 @@ domain (ip ip6) {

        # allow ping
        proto icmp ACCEPT;
    {% if ferm_ssh_ratelimit_enabled %}

        # limit ssh new connections rate
        proto tcp dport 22 mod state state NEW mod recent name SSH set NOP;
        proto tcp dport 22 mod state state NEW mod recent name SSH update seconds {{ ferm_ssh_ratelimit_seconds }} hitcount {{ ferm_ssh_ratelimit_hitcount }} rttl DROP;
    {% endif %}
    {% if ferm_antilockout_enabled %}

        # allow ssh, anti-lockout rule
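Review bot: Both rate-limit lines hard-code `dport 22` while the new defaults introduce no port variable, so a host running sshd on another port gets no limit and the rule guards a closed port; the pair can be nested under one match and take the port from a variable: `proto tcp dport {{ ferm_ssh_port | default(22) }} mod state state NEW {`, `    mod recent name SSH set NOP;`, `    mod recent name SSH update seconds {{ ferm_ssh_ratelimit_seconds }} hitcount {{ ferm_ssh_ratelimit_hitcount }} rttl DROP; }`. Because the DROP is evaluated before the anti-lockout ACCEPT that follows it (that block continues past the hunk), any source exceeding the hit count is locked out until its `recent` entry ages, and there is no allowlist in front of it — the Ansible controller itself can trip the limit if it opens more than 8 new SSH connections within 120 s, e.g. with ControlPersist disabled. A comment such as `# applies to every source, including the Ansible controller; ACCEPT trusted sources above this block` would make that trade-off visible to operators.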