authorAaron LI <aly@aaronly.me>2019-09-21 21:36:58 +0800
committerAaron LI <aly@aaronly.me>2019-09-21 21:36:58 +0800
commit5af989627b316d8b8c9928143261ce8e4a084de8 (patch)
treed4d435d5028856c39fe553cfec2ca96a2e258873 /roles/security/tasks
parent0712e9493139c08288733e047332102bbf8fd30e (diff)
security: Use cron to expire PF table instead of daily periodic task
Diffstat (limited to 'roles/security/tasks')
-rw-r--r--roles/security/tasks/main.yml21
1 files changed, 7 insertions, 14 deletions
diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml
index 043792f..e72a79d 100644
--- a/roles/security/tasks/main.yml
+++ b/roles/security/tasks/main.yml
@@ -21,17 +21,10 @@
notify: restart-syslogd
tags: sshlockout
-- name: periodic - copy clean-pf script
- copy:
- src: 600.clean-pf
- dest: /etc/periodic/daily/600.clean-pf
- mode: 0755
-
-- name: periodic - enable clean-pf
- blockinfile:
- path: /etc/periodic.conf
- marker: '# {mark} ANSIBLE MANAGED - clean-pf'
- block: |
- # Clean up PF tables
- daily_clean_pf_enable="YES"
- daily_clean_pf_tables="bruteforce"
+- name: cron - expire PF table (bruteforce)
+ cron:
+ name: "pf-expire-table-bruteforce"
+ user: root
+ minute: "0"
+ hour: "*/2" # every 2 hours
+ job: "pfctl -t bruteforce -T expire 86400 >/dev/null"
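Review bot: Dropping the two `periodic` tasks does not undo them on hosts that already ran the role: `/etc/periodic/daily/600.clean-pf` and the managed block in `/etc/periodic.conf` stay in place, so such hosts run both the old daily cleanup and the new two-hourly cron job, and the role no longer describes their real state. Add absent-state counterparts for both artifacts ahead of the new cron task so a re-run converges; the `blockinfile` marker must stay byte-identical to the one being removed for the block to be found. Leaving stderr unredirected in `job` is reasonable, since a failing `pfctl` call then surfaces via cron mail rather than silently stopping table expiry. Whether `bruteforce` still matches the table referenced in the PF rule set is not visible from this hunk.
```yaml
- name: periodic - remove obsolete clean-pf script
  file:
    path: /etc/periodic/daily/600.clean-pf
    state: absent

- name: periodic - remove obsolete clean-pf settings
  blockinfile:
    path: /etc/periodic.conf
    marker: '# {mark} ANSIBLE MANAGED - clean-pf'
    state: absent

# … unchanged: cron - expire PF table (bruteforce) task …
```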