aboutsummaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
authorAaron LI <aly@aaronly.me>2019-09-21 21:36:58 +0800
committerAaron LI <aly@aaronly.me>2019-09-21 21:36:58 +0800
commit5af989627b316d8b8c9928143261ce8e4a084de8 (patch)
treed4d435d5028856c39fe553cfec2ca96a2e258873 /roles
parent0712e9493139c08288733e047332102bbf8fd30e (diff)
downloadansible-dfly-vps-5af989627b316d8b8c9928143261ce8e4a084de8.tar.bz2
security: Use cron to expire PF table instead of daily periodic task
Diffstat (limited to 'roles')
-rw-r--r--roles/security/files/600.clean-pf28
-rw-r--r--roles/security/tasks/main.yml21
2 files changed, 7 insertions, 42 deletions
diff --git a/roles/security/files/600.clean-pf b/roles/security/files/600.clean-pf
deleted file mode 100644
index 9ecf42c..0000000
--- a/roles/security/files/600.clean-pf
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/sh
-#
-# Clean up PF tables ...
-#
-
-if [ -r /etc/defaults/periodic.conf ]
-then
- . /etc/defaults/periodic.conf
- source_periodic_confs
-fi
-
-case "$daily_clean_pf_enable" in
- [Yy][Ee][Ss])
- echo ""
- echo "PF tables cleanup:"
- : ${daily_clean_pf_expire:=86400}
- for table in $daily_clean_pf_tables; do
- echo "Cleanup table $table ..."
- pfctl -v -t $table -T expire $daily_clean_pf_expire
- rc=$?
- done
- ;;
- *)
- rc=0
- ;;
-esac
-
-exit $rc
diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml
index 043792f..e72a79d 100644
--- a/roles/security/tasks/main.yml
+++ b/roles/security/tasks/main.yml
@@ -21,17 +21,10 @@
notify: restart-syslogd
tags: sshlockout
-- name: periodic - copy clean-pf script
- copy:
- src: 600.clean-pf
- dest: /etc/periodic/daily/600.clean-pf
- mode: 0755
-
-- name: periodic - enable clean-pf
- blockinfile:
- path: /etc/periodic.conf
- marker: '# {mark} ANSIBLE MANAGED - clean-pf'
- block: |
- # Clean up PF tables
- daily_clean_pf_enable="YES"
- daily_clean_pf_tables="bruteforce"
+- name: cron - expire PF table (bruteforce)
+ cron:
+ name: "pf-expire-table-bruteforce"
+ user: root
+ minute: "0"
+ hour: "*/2" # every 2 hours
+ job: "pfctl -t bruteforce -T expire 86400 >/dev/null"