initial commit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-27 15:09:25 -07:00 · 2026-02-27 15:09:25 -07:00 · 75891c3271
commit 75891c3271
129 changed files with 8046 additions and 0 deletions
--- a/roles/fail2ban/files/filter.d/caddy-auth.conf
+++ b/roles/fail2ban/files/filter.d/caddy-auth.conf
@ -0,0 +1,3 @@
+[Definition]
+# matches 401 responses using remote_ip extracted from X-Real-IP by Caddy in JSON access logs
+failregex = .*"remote_ip":"<HOST>".*"status":401.*
--- a/roles/fail2ban/files/filter.d/caddy-scanners.conf
+++ b/roles/fail2ban/files/filter.d/caddy-scanners.conf
@ -0,0 +1,3 @@
+[Definition]
+# admin.php is intentionally specific; broader /admin would match legitimate paths (e.g. /admin-api)
+failregex = .*"remote_ip":"<HOST>".*"uri":"\/(wp-admin|wp-login|phpmyadmin|xmlrpc|\.env|\.git|cgi-bin|admin\.php|setup\.php|eval-stdin).*".*
--- a/roles/fail2ban/files/filter.d/docker-mailserver.conf
+++ b/roles/fail2ban/files/filter.d/docker-mailserver.conf
@ -0,0 +1,8 @@
+[Definition]
+# Postfix SASL auth failures: warning: unknown[IP]: SASL ... authentication failed
+failregex = ^.*warning: .*\[<HOST>\]: SASL .* authentication failed.*$
+# Dovecot auth failures: auth failed ... rip=IP
+            ^.*dovecot: (?:imap|pop3)-login: .*\(auth failed.*rip=<HOST>,.*$
+
+ignoreregex =
+
--- a/roles/fail2ban/files/filter.d/forgejo-auth.conf
+++ b/roles/fail2ban/files/filter.d/forgejo-auth.conf
@ -0,0 +1,4 @@
+[Definition]
+# Matches both web login failures and SSH auth failures
+failregex = ^.*Failed authentication attempt from <HOST>(:\d+)?$
+            ^.*Failed login for user '[^']*' from <HOST>$
--- a/roles/fail2ban/files/jail.d/caddy.conf
+++ b/roles/fail2ban/files/jail.d/caddy.conf
@ -0,0 +1,16 @@
+[caddy-scanners]
+enabled = true
+journalmatch = CONTAINER_NAME=caddy
+filter = caddy-scanners
+maxretry = 3
+findtime = 10m
+bantime = 24h
+
+# high maxretry/short bantime: Grafana auth can be slow; strict limits cause false positives
+[caddy-auth]
+enabled = true
+journalmatch = CONTAINER_NAME=caddy
+filter = caddy-auth
+maxretry = 40
+findtime = 10m
+bantime = 1h
--- a/roles/fail2ban/files/jail.d/forgejo.conf
+++ b/roles/fail2ban/files/jail.d/forgejo.conf
@ -0,0 +1,8 @@
+[forgejo]
+enabled = true
+backend = systemd
+journalmatch = CONTAINER_NAME=forgejo
+filter = forgejo-auth
+maxretry = 5
+findtime = 10m
+bantime = 24h
--- a/roles/fail2ban/files/jail.d/mailserver.conf
+++ b/roles/fail2ban/files/jail.d/mailserver.conf
@ -0,0 +1,9 @@
+[mailserver]
+enabled = true
+backend = systemd
+journalmatch = CONTAINER_NAME=mailserver
+filter = docker-mailserver
+maxretry = 5
+findtime = 10m
+bantime = 24h
+