author | Aaron LI <aly@aaronly.me> | 2019-09-21 21:36:58 +0800 |
---|---|---|
committer | Aaron LI <aly@aaronly.me> | 2019-09-21 21:36:58 +0800 |
commit | 5af989627b316d8b8c9928143261ce8e4a084de8 (patch) | |
tree | d4d435d5028856c39fe553cfec2ca96a2e258873 | |
parent | 0712e9493139c08288733e047332102bbf8fd30e (diff) | |
security: Use cron to expire PF table instead of daily periodic task
-rw-r--r-- | roles/security/files/600.clean-pf | 28 | ||||
-rw-r--r-- | roles/security/tasks/main.yml | 21 |
2 files changed, 7 insertions, 42 deletions
diff --git a/roles/security/files/600.clean-pf b/roles/security/files/600.clean-pf
deleted file mode 100644
index 9ecf42c..0000000
--- a/roles/security/files/600.clean-pf
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/sh
-#
-# Clean up PF tables ...
-#
-
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_clean_pf_enable" in
- [Yy][Ee][Ss])
- echo ""
- echo "PF tables cleanup:"
- : ${daily_clean_pf_expire:=86400}
- for table in $daily_clean_pf_tables; do
- echo "Cleanup table $table ..."
- pfctl -v -t $table -T expire $daily_clean_pf_expire
- rc=$?
- done
- ;;
- *)
- rc=0
- ;;
-esac
-
-exit $rc
diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml
index 043792f..e72a79d 100644
--- a/roles/security/tasks/main.yml
+++ b/roles/security/tasks/main.yml
@@ -21,17 +21,10 @@
 notify: restart-syslogd
 tags: sshlockout
 
-- name: periodic - copy clean-pf script
- copy:
- src: 600.clean-pf
- dest: /etc/periodic/daily/600.clean-pf
- mode: 0755
-
-- name: periodic - enable clean-pf
- blockinfile:
- path: /etc/periodic.conf
- marker: '# {mark} ANSIBLE MANAGED - clean-pf'
- block: |
- # Clean up PF tables
- daily_clean_pf_enable="YES"
- daily_clean_pf_tables="bruteforce"
+- name: cron - expire PF table (bruteforce)
+ cron:
+ name: "pf-expire-table-bruteforce"
+ user: root
+ minute: "0"
+ hour: "*/2" # every 2 hours
+ job: "pfctl -t bruteforce -T expire 86400 >/dev/null"
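Review bot: Hosts already provisioned by the previous version keep the old mechanism, because the new task only adds the cron entry and nothing removes `/etc/periodic/daily/600.clean-pf` or the `ANSIBLE MANAGED - clean-pf` block in `/etc/periodic.conf`, so on those hosts the daily periodic run and the 2-hourly cron job would both expire the table. A `file` task with `path: /etc/periodic/daily/600.clean-pf` and `state: absent`, plus a `blockinfile` with the same `marker` and `state: absent`, placed next to the cron task would converge such hosts. Separately, the `job` string relies on `pfctl` being on cron's PATH; user crontabs on BSD cron typically get a minimal PATH, so if pfctl lives in `/usr/sbin` or `/sbin` on this platform (confirm), an absolute path such as `job: "/usr/sbin/pfctl -t bruteforce -T expire 86400 >/dev/null"` avoids a job that never runs — and since only stdout is discarded, a failure would still be mailed to root, which is worth keeping. The surrounding task list continues outside the hunk.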