deploy_home/ansible/roles/common/tasks/security.yml
Bastian de Byl 9d562c7188 feat: smart zomboid traffic filtering with packet-size detection
Replace per-IP hashlimit with smarter filtering that distinguishes
legitimate players from scanner bots based on packet behavior:
- Players send varied packet sizes (53, 37, 1472 bytes)
- Scanners only send 53-byte query packets

New firewall rule chain:
- Priority 2: Mark + ACCEPT non-query packets (verifies player)
- Priority 3: ACCEPT queries from verified IPs (1 hour TTL)
- Priority 4: LOG rate-limited queries from unverified IPs
- Priority 5: DROP rate-limited queries (2 burst, then 1/hour)

Also includes:
- Fail2ban zomboid jail with tighter thresholds (5 retries/4h, 1w ban)
- Graylog streams for zomboid-connections, zomboid-ratelimit, fail2ban
- GeoIP pipeline enrichment for zomboid traffic
- Fluent-bit inputs for ratelimit logs and fail2ban events
- Remove Legendary Katana mod (Workshop 3418366499) - removed from Steam
- Bump Immich to v2.5.0
- Fix fulfillr config (nil → null)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-27 15:09:26 -05:00
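The rule chain described in the commit message (priorities 2 to 5), modelled in Python as an added illustration; this is not the playbook's iptables rules. A per-IP token bucket stands in for hashlimit and a timestamp map for the verified-IP list; both are assumptions, as are the sample addresses.

```python
"""Constructed model of the packet-size filter chain from the commit message.

Assumptions (not on the page): a token bucket models the hashlimit
"2 burst, then 1/hour" budget, and a per-IP expiry timestamp models
the 1 hour verified-player list.
"""
import time

QUERY_SIZE = 53            # scanners only send 53-byte query packets
VERIFY_TTL = 3600.0        # verified-IP lifetime in seconds (1 hour)
BURST = 2                  # hashlimit burst
REFILL_PER_SEC = 1 / 3600  # one query per hour once the burst is spent


class ZomboidFilter:
    def __init__(self):
        self.verified = {}   # ip -> expiry timestamp
        self.buckets = {}    # ip -> (tokens, last_update)
        self.logged = []     # (ts, ip) for queries that exceeded the limit

    def _take_token(self, ip, now):
        """Token bucket per source IP: refill, then spend one token if possible."""
        tokens, last = self.buckets.get(ip, (BURST, now))
        tokens = min(BURST, tokens + (now - last) * REFILL_PER_SEC)
        if tokens >= 1:
            self.buckets[ip] = (tokens - 1, now)
            return True
        self.buckets[ip] = (tokens, now)
        return False

    def handle(self, ip, size, now=None):
        """Return 'ACCEPT' or 'DROP' for one UDP packet of `size` bytes."""
        now = time.time() if now is None else now
        if size != QUERY_SIZE:                  # priority 2: non-query verifies the IP
            self.verified[ip] = now + VERIFY_TTL
            return "ACCEPT"
        if self.verified.get(ip, 0) > now:      # priority 3: query from verified IP
            return "ACCEPT"
        if self._take_token(ip, now):           # within the burst/refill budget
            return "ACCEPT"
        self.logged.append((now, ip))           # priority 4: LOG the excess query
        return "DROP"                           # priority 5: then DROP it
```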


---
- name: enable post-quantum key exchange for sshd
  become: true
  ansible.builtin.template:
    src: sshd-pq-kex.conf.j2
    dest: /etc/ssh/sshd_config.d/30-pq-kex.conf
    mode: "0600"
  notify: restart_sshd
  tags: security, sshd

- name: ensure sshd disallows passwords
  become: true
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: "{{ item.re }}"
    line: "{{ item.li }}"
  loop:
    - { re: "^[# ]*PasswordAuthentication ", li: "PasswordAuthentication no" }
    - { re: "^[# ]*PermitEmptyPasswords ", li: "PermitEmptyPasswords no" }
    - { re: "^[# ]*PermitRootLogin ", li: "PermitRootLogin no" }
  notify: restart_sshd
  tags: security

- name: setup fail2ban filters
  become: true
  ansible.builtin.copy:
    src: files/fail2ban/filters/{{ item }}
    dest: /etc/fail2ban/filter.d/{{ item }}
    mode: "0644"
  loop: "{{ fail2ban_filters }}"
  notify: restart_fail2ban
  tags: security

- name: setup fail2ban jails
  become: true
  ansible.builtin.copy:
    src: files/fail2ban/jails/{{ item }}
    dest: /etc/fail2ban/jail.d/{{ item }}
    mode: "0644"
  loop: "{{ fail2ban_jails }}"
  notify: restart_fail2ban
  tags: security

- name: adjust fail2ban sshd filter
  become: true
  # The sshd filter selects its detection mode through the "mode =" parameter
  # inside filter.d/sshd.conf. "filter = sshd[mode=extra]" is jail syntax that
  # belongs in a jail.d file; placed in the filter file it has no effect.
  # An override in jail.d survives package upgrades of the stock filter.
  ansible.builtin.lineinfile:
    path: /etc/fail2ban/filter.d/sshd.conf
    regexp: "^mode ="
    line: "mode = extra"
  notify: restart_fail2ban
  tags: security