Update to 2022-01-12 10:14
@@ -41,12 +41,13 @@ ssh_users: []
|
||||
# ssh_keys:
|
||||
# - 'ssh-rsa AAAAB3NzaC1yc2...'
|
||||
# - 'ssh-rsa AAAAB3NzaC1yc2...'
|
||||
# keys_exclusive: True
|
||||
# keys_file: %h/.ssh/authorized_keys
|
||||
# key_options:
|
||||
# - from="192.168.3.7"
|
||||
# - no-pty
|
||||
# sftp_only: True
|
||||
# chroot: /var/www/html
|
||||
# keys_file: %h/.ssh/authorized_keys
|
||||
# allow_forwarding: False
|
||||
# sudo_defaults:
|
||||
# - '!env_reset'
|
||||
|
@@ -60,7 +60,7 @@
|
||||
key_options: "{{ item.key_options | default([]) | join(',') }}"
|
||||
path: "{{ item.keys_file | default('/etc/ssh/authorized_keys/' ~ item.name ~ '/authorized_keys') }}"
|
||||
manage_dir: False
|
||||
exclusive: True
|
||||
exclusive: "{{ item.keys_exclusive | default(True) }}"
|
||||
ignore_errors: True # Needed eg, if LDAP isn't available on first run
|
||||
loop: "{{ ssh_users }}"
|
||||
tags: ssh
|
||||
|
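Review bot: `ignore_errors: True` on this authorized_key task suppresses every failure, not only the missing-LDAP-user case the trailing comment describes; a wrong `keys_file` path, an unwritable directory (`manage_dir: False` means nothing creates it here) or a malformed key would also pass silently, so a host can end up with a key file that was never written while the play reports success. Register the result and fail only on the expected condition, e.g. `register: ssh_authorized_key` with a `failed_when` that lets through only the user-lookup failure, then drop `ignore_errors`. The new `exclusive: "{{ item.keys_exclusive | default(True) }}"` keeps the hardening default, but since `path` can be overridden per user through `keys_file`, two entries in `ssh_users` pointing at the same file would leave only the last iteration's keys (exclusive is applied per loop item); a comment on `keys_file` stating that each user needs its own path would prevent that. The task's `name` and module lines start before the hunk.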
@@ -4,9 +4,14 @@
|
||||
iptables_raw:
|
||||
name: sshd_limit
|
||||
rules: |
|
||||
-A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --set
|
||||
-A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j LOG --log-prefix "Firewall (ssh limit): "
|
||||
-A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j REJECT
|
||||
-N SSH_LIMIT
|
||||
{% if trusted_ip is defined and trusted_ip | length > 0 %}
|
||||
-A SSH_LIMIT -s {{ trusted_ip | join(',') }} -j RETURN
|
||||
{% endif %}
|
||||
-A SSH_LIMIT -m recent --name ssh_limit --set
|
||||
-A SSH_LIMIT -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j LOG --log-prefix "Firewall (ssh limit): "
|
||||
-A SSH_LIMIT -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -j REJECT
|
||||
-A INPUT -p tcp -m state --state NEW -m multiport --dports {{ sshd_ports | join(',') }} -j SSH_LIMIT
|
||||
state: "{{ (sshd_max_conn_per_minute > 0) | ternary('present','absent') }}"
|
||||
weight: 10
|
||||
tags: ssh,firewall
|
||||
|
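Review bot: The LOG rule in the new SSH_LIMIT chain (`-A SSH_LIMIT -m recent --name ssh_limit --rcheck ... -j LOG`) is unthrottled, so once a source exceeds `sshd_max_conn_per_minute` every further NEW connection from it produces a kernel log line and a sustained scan against `sshd_ports` can flood the log. Put a rate limit in front of the target, e.g. `-A SSH_LIMIT -m recent --name ssh_limit --rcheck --seconds 60 --hitcount {{ sshd_max_conn_per_minute }} -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "Firewall (ssh limit): "`, keeping the following REJECT rule as is so blocking is not affected by the limit. The `trusted_ip` RETURN rule is the right place for an allow-list, but `{{ trusted_ip | join(',') }}` presumes a list — if a caller sets it as a single string the filter joins its characters; worth confirming against the role's defaults. The task's `name` line precedes the hunk.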