diff --git a/fail2ban/fail2ban-bad-auth-filter.conf b/fail2ban/fail2ban-bad-auth-filter.conf
new file mode 100644
index 0000000..aefeed8
--- /dev/null
+++ b/fail2ban/fail2ban-bad-auth-filter.conf
@@ -0,0 +1,5 @@
+# Fail2Ban configuration file
+[Definition]
+failregex = .* client login failed: .+ client:\ 
+ignoreregex =
+journalmatch = CONTAINER_TAG=docker-front
diff --git a/fail2ban/fail2ban-bad-auth-jail.conf b/fail2ban/fail2ban-bad-auth-jail.conf
new file mode 100644
index 0000000..d2c76a7
--- /dev/null
+++ b/fail2ban/fail2ban-bad-auth-jail.conf
@@ -0,0 +1,11 @@
+[bad-auth]
+enabled = true
+backend = systemd
+filter = bad-auth
+bantime = 1w
+bantime.increment = true
+bantime.factor = 2
+bantime.maxtime = 128w
+findtime = 86400
+maxretry = 3
+action = docker-action
diff --git a/fail2ban/fail2ban-docker-action.conf b/fail2ban/fail2ban-docker-action.conf
new file mode 100644
index 0000000..58424e5
--- /dev/null
+++ b/fail2ban/fail2ban-docker-action.conf
@@ -0,0 +1,16 @@
+[Definition]
+
+actionstart = iptables -N f2b-bad-auth
+ iptables -A f2b-bad-auth -j RETURN
+ iptables -I DOCKER-USER -p tcp -m multiport --dports 1:1024 -j f2b-bad-auth
+
+actionstop = iptables -D DOCKER-USER -p tcp -m multiport --dports 1:1024 -j f2b-bad-auth
+ iptables -F f2b-bad-auth
+ iptables -X f2b-bad-auth
+
+actioncheck = iptables -n -L DOCKER-USER | grep -q 'f2b-bad-auth[ \t]'
+
+actionban = iptables -I f2b-bad-auth 1 -s -j DROP
+
+actionunban = iptables -D f2b-bad-auth -s -j DROP
+
diff --git a/fail2ban/fail2ban-override.conf b/fail2ban/fail2ban-override.conf
new file mode 100644
index 0000000..fa12217
--- /dev/null
+++ b/fail2ban/fail2ban-override.conf
@@ -0,0 +1,2 @@
+[Unit]
+After=docker.service
diff --git a/fail2ban/fail2ban-sshd-jail.conf b/fail2ban/fail2ban-sshd-jail.conf
new file mode 100644
index 0000000..c43f118
--- /dev/null
+++ b/fail2ban/fail2ban-sshd-jail.conf
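Review bot: In fail2ban/fail2ban-bad-auth-filter.conf the `failregex` is unanchored and built from two greedy wildcards (`.*` at the start, `.+` before `client:`), so the text of the logged failure message decides where the match ends. If any part of that message can echo client-supplied data, the address the jail bans is no longer guaranteed to be the real peer, and with a `1w` ban that is enough to lock out an unrelated address. Anchor the pattern with `^` and replace `.+` with the narrowest character class the log format allows, checked against real journal lines. As rendered here the pattern also stops at `client:\ ` with no host group visible; confirm the file still ends in the `<HOST>` tag, since fail2ban refuses a failregex that has no host or failure-id group.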
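Review bot: Neither the `[bad-auth]` jail in fail2ban/fail2ban-bad-auth-jail.conf nor the `[sshd]` jail in fail2ban/fail2ban-sshd-jail.conf sets `ignoreip`, while both ban for `1w` after `maxretry = 3` within a day and let `bantime.increment` lengthen repeat bans up to `128w`. Three mistyped passwords from an admin workstation, a monitoring probe or a shared NAT address therefore cost at least a week of access, SSH included. Add an explicit allow-list for management and monitoring ranges, e.g. `ignoreip = 127.0.0.1/8 ::1 <ADMIN_CIDR_PLACEHOLDER>`, and a comment recording why the first ban is a full week. `findtime = 86400` could also be written `1d` to match the unit style used for `bantime`.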
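Review bot: Every command in fail2ban/fail2ban-docker-action.conf calls plain `iptables`, so the action is IPv4-only and does not wait for the xtables lock: if the front container is reachable over IPv6 those sources cannot be banned, and a ban issued while Docker is rewriting its own rules may fail instead of waiting. Use `iptables -w` throughout and either add an `ip6tables` counterpart or document that the service is IPv4-only. The chain name `f2b-bad-auth` is hard-coded rather than derived from the jail name (`f2b-<name>`), so a second jail reusing `docker-action` would fail in `actionstart` because the chain already exists. The jump rule matches only `-p tcp --dports 1:1024`, so a banned address still reaches anything published on a higher port or over UDP. As rendered, `actionban` and `actionunban` show `-s` immediately followed by `-j DROP`; confirm the `<ip>` tag is present in the file.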
@@ -0,0 +1,8 @@
+[sshd]
+enabled = true
+bantime = 1w
+bantime.increment = true
+bantime.factor = 2
+bantime.maxtime = 128w
+findtime = 86400
+maxretry = 3
diff --git a/gotask/install.sh b/gotask/install.sh
new file mode 100644
index 0000000..94ed10a
--- /dev/null
+++ b/gotask/install.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+mkdir -p ~/.local/bin
+stat ~/.local/bin/task > /dev/null || cp task ~/.local/bin
+stat /etc/bash_completion.d/task.bash || sudo cp task.bash /etc/bash_completion.d/task.bash
diff --git a/gotask/task b/gotask/task
new file mode 100755
index 0000000..9084d1e
Binary files /dev/null and b/gotask/task differ
diff --git a/gotask/task.bash b/gotask/task.bash
new file mode 100644
index 0000000..de93e4c
--- /dev/null
+++ b/gotask/task.bash
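Review bot: gotask/install.sh copies `task` and `task.bash` by relative path, so what lands in `~/.local/bin` and, through `sudo cp`, in `/etc/bash_completion.d/` depends on the caller's working directory rather than on this repository. Files in that completion directory are typically sourced by interactive shells system-wide, so the source path should be resolved from the script's own location and the file installed with an explicit mode. The `stat` calls serve only as existence tests and the second one prints its output; `[[ -e … ]]` does the same without noise, and `set -euo pipefail` would stop the script if a copy fails. Separately, `gotask/task` is added as an opaque binary with no version or checksum recorded; pinning a release and checking a SHA-256 in this script would make it reviewable.

```shell
#!/bin/bash
set -euo pipefail

# Resolve sources relative to this script, not the caller's working directory.
src_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)

mkdir -p ~/.local/bin
[[ -e ~/.local/bin/task ]] ||
  install -m 0755 -- "$src_dir/task" ~/.local/bin/task
[[ -e /etc/bash_completion.d/task.bash ]] ||
  sudo install -m 0644 -- "$src_dir/task.bash" /etc/bash_completion.d/task.bash
```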
@@ -0,0 +1,55 @@
+# vim: set tabstop=2 shiftwidth=2 expandtab:
+
+_GO_TASK_COMPLETION_LIST_OPTION='--list-all'
+
+function _task()
+{
+ local cur prev words cword
+ _init_completion -n : || return
+
+ # Check for `--` within command-line and quit or strip suffix.
+ local i
+ for i in "${!words[@]}"; do
+ if [ "${words[$i]}" == "--" ]; then
+ # Do not complete words following `--` passed to CLI_ARGS.
+ [ $cword -gt $i ] && return
+ # Remove the words following `--` to not put --list in CLI_ARGS.
+ words=( "${words[@]:0:$i}" )
+ break
+ fi
+ done
+
+ # Handle special arguments of options.
+ case "$prev" in
+ -d|--dir)
+ _filedir -d
+ return $?
+ ;;
+ -t|--taskfile)
+ _filedir yaml || return $?
+ _filedir yml
+ return $?
+ ;;
+ -o|--output)
+ COMPREPLY=( $( compgen -W "interleaved group prefixed" -- $cur ) )
+ return 0
+ ;;
+ esac
+
+ # Handle normal options.
+ case "$cur" in
+ -*)
+ COMPREPLY=( $( compgen -W "$(_parse_help $1)" -- $cur ) )
+ return 0
+ ;;
+ esac
+
+ # Prepare task name completions.
+ local tasks=( $( "${words[@]}" --silent $_GO_TASK_COMPLETION_LIST_OPTION 2> /dev/null ) )
+ COMPREPLY=( $( compgen -W "${tasks[*]}" -- "$cur" ) )
+
+ # Post-process because task names might contain colons.
+ __ltrim_colon_completions "$cur"
+}
+
+complete -F _task task
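Review bot: In `_task`, the task-name step near the end of the hunk runs the partially typed command line and then passes its output through an unquoted `$( … )` and through `compgen -W`, both of which re-expand the text, so names coming from a Taskfile in the current directory are handled as shell words rather than as data. Reading the output line by line and filtering on the prefix keeps them literal; this assumes the list option prints one name per line, which the hunk does not show. The earlier `compgen … -- $cur`, `_parse_help $1` and `[ $cword -gt $i ]` should quote their expansions as well, e.g. `[ "$cword" -gt "$i" ]`. A short header comment stating that completion executes `task` with the flags typed so far would also help readers.

```shell
  # … unchanged: `--` handling, option-argument and option completion …

  # Prepare task name completions.
  local -a tasks=()
  local name
  # Treat each listed name as literal data: no word splitting, globbing or
  # re-expansion of what the Taskfile supplied.
  while IFS= read -r name; do
    [[ $name == "$cur"* ]] && tasks+=( "$name" )
  done < <( "${words[@]}" --silent "$_GO_TASK_COMPLETION_LIST_OPTION" 2> /dev/null )
  COMPREPLY=( "${tasks[@]}" )

  # … unchanged: __ltrim_colon_completions "$cur" …
```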