Fail2ban support

defaults/main.yml

@@ -93,15 +93,23 @@ icinga2_web_managed_config_files:
 
 icinga2_web_modules: []
  #- name: graphite
+ #  url: 'https://github.com/icinga/icingaweb2-module-graphite.git'
  #  version: master
  #- name: ipl
+ #  url: 'https://github.com/icinga/icingaweb2-module-ipl.git'
  #  version: v0.5.0
  #- name: incubator
+ #  url: 'https://github.com/icinga/icingaweb2-module-incubator.git'
  #  version: v0.5.0
  #- name: reactbundle
+ #  url: 'https://github.com/icinga/icingaweb2-module-reactbundle.git'
  #  version: v0.7.0
  #- name: director
+ #  url: 'https://github.com/icinga/icingaweb2-module-director.git'
  #  version: v1.7.2
+ #- name: audit
+ #  url: 'https://github.com/adfinis/icingaweb2-module-audit.git'
+ #  version: master
 
 # Icingaweb2 LDAP authentication
 # For further information, consult the official icingaweb2 documentation at

files/0001-icingaweb2-module-audit-remote-ip-logging.patch

@@ -0,0 +1,67 @@
+From 3bf6f47910834e4ddd9c7fb4bf085daed5ab515a Mon Sep 17 00:00:00 2001
+From: airbone95 <airbone95@users.noreply.github.com>
+Date: Mon, 25 May 2020 08:37:14 +0200
+Subject: [PATCH] added ip-logging
+
+---
+ application/controllers/LogController.php  | 1 +
+ application/views/scripts/log/index.phtml  | 3 +++
+ library/Audit/ProvidedHook/AuditLog.php    | 3 ++-
+ library/Audit/ProvidedHook/AuditStream.php | 3 ++-
+ 4 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/application/controllers/LogController.php b/application/controllers/LogController.php
+index cc0d110..d0d2c4d 100644
+--- a/application/controllers/LogController.php
++++ b/application/controllers/LogController.php
+@@ -36,6 +36,7 @@ public function indexAction()
+             'fields'    => '/(?<!.)' // ^ can't handle multilines, don't ask *me* why this works
+                 . '(?<datetime>[0-9]{4}(?:-[0-9]{2}){2}'                    // date
+                 . 'T[0-9]{2}(?::[0-9]{2}){2}(?:[\+\-][0-9]{2}:[0-9]{2})?)'  // time
++                . ' - (?<remoteip>.+)'                                      // remoteip
+                 . ' - (?<identity>.+)'                                      // identity
+                 . ' - (?<type>.+)'                                          // type
+                 . ' - (?<message>.+)'                                       // message
+diff --git a/application/views/scripts/log/index.phtml b/application/views/scripts/log/index.phtml
+index 79b9239..80140a7 100644
+--- a/application/views/scripts/log/index.phtml
++++ b/application/views/scripts/log/index.phtml
+@@ -19,6 +19,9 @@
+                     <br>
+                     <?= $this->escape($value->type) ?>
+                 </td>
++                <td style="width: 6em; text-align: center">
++                    <?= $this->escape($value->remoteip) ?>
++                </td>
+                 <td style="width: 12em; text-align: center">
+                     <?= $this->escape($value->identity) ?>
+                 </td>
+diff --git a/library/Audit/ProvidedHook/AuditLog.php b/library/Audit/ProvidedHook/AuditLog.php
+index 39ae592..909c350 100644
+--- a/library/Audit/ProvidedHook/AuditLog.php
++++ b/library/Audit/ProvidedHook/AuditLog.php
+@@ -14,8 +14,9 @@ public function logMessage($time, $identity, $type, $message, array $data = null
+     {
+         $logConfig = Config::module('audit')->getSection('log');
+         if ($logConfig->type === 'file') {
++            $remoteip = (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
+             $file = new File($logConfig->get('path', '/var/log/icingaweb2/audit.log'), 'a');
+-            $file->fwrite(date('c', $time) . ' - ' . $identity . ' - ' . $type . ' - ' . $message . PHP_EOL);
++            $file->fwrite(date('c', $time) . ' - ' . $remoteip . ' - ' . $identity . ' - ' . $type . ' - ' . $message . PHP_EOL);
+             $file->fflush();
+         } elseif ($logConfig->type === 'syslog') {
+             openlog(
+diff --git a/library/Audit/ProvidedHook/AuditStream.php b/library/Audit/ProvidedHook/AuditStream.php
+index 869464f..863e93e 100644
+--- a/library/Audit/ProvidedHook/AuditStream.php
++++ b/library/Audit/ProvidedHook/AuditStream.php
+@@ -16,7 +16,8 @@ public function logMessage($time, $identity, $type, $message, array $data = null
+             'activity_time' => $time,
+             'activity'      => $type,
+             'message'       => $message,
+-            'identity'      => $identity
++            'identity'      => $identity,
++            'remoteip'      => $remoteip
+         ];
+         if (! empty($data)) {
+             $activityData['data'] = $data;

meta/main.yml

@@ -5,9 +5,10 @@ dependencies:
 
 galaxy_info:
   role_name: 'icinga2_web'
-  author: 'Adfinis SyGroup AG'
+  namespace: adfinis
+  author: 'Adfinis AG'
   description: 'This role installs and configures icingaweb2'
-  company: 'Adfinis SyGroup AG'
+  company: 'Adfinis AG'
   license: 'GNU General Public License v3'
   min_ansible_version: '2.6.0'
   platforms:
@@ -18,3 +19,9 @@ galaxy_info:
     - 'icinga2'
     - 'monitoring'
     - 'icingaweb2'
+  github_branch: master
+
+collections:
+  - ansible.posix
+  - community.general
+  - robertdebock.roles

tasks/installation.yml

@@ -5,6 +5,10 @@
     name: '{{ icinga2_web_packages }}'
     state: present
 
+- name: install fail2ban using role
+  ansible.builtin.include_role:
+    name: robertdebock.roles.fail2ban
+
 # Allow httpd to connect to the mysql database
 - name: set httpd_can_network_connect_db flag on and keep it persistent across reboots
   seboolean:
@@ -88,7 +92,7 @@
 
 - name: install modules from github
   git: # noqa 401
-    repo: 'https://github.com/icinga/icingaweb2-module-{{ item.name }}.git'
+    repo: '{{ item.url }}'
     dest: '/etc/icingaweb2/modules/{{ item.name }}'
     version: '{{ item.version }}'
   loop: '{{ icinga2_web_modules }}'

templates/etc/fail2ban/filter.d/icingaweb2-auth.conf

@@ -0,0 +1,7 @@
+[Definition]
+
+failregex = ^.*- <HOST> - \S+ - login-failed - User failed to authenticate$
+
+ignoreregex =
+
+datepattern = {^LN-BEG}