From 5af989627b316d8b8c9928143261ce8e4a084de8 Mon Sep 17 00:00:00 2001
From: Aaron LI
Date: Sat, 21 Sep 2019 21:36:58 +0800
Subject: security: Use cron to expire PF table instead of daily periodic task

---
 roles/security/files/600.clean-pf | 28 ----------------------------
 roles/security/tasks/main.yml     | 21 +++++++--------------
 2 files changed, 7 insertions(+), 42 deletions(-)
 delete mode 100644 roles/security/files/600.clean-pf

diff --git a/roles/security/files/600.clean-pf b/roles/security/files/600.clean-pf
deleted file mode 100644
index 9ecf42c..0000000
--- a/roles/security/files/600.clean-pf
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/sh
-#
-# Clean up PF tables ...
-#
-
-if [ -r /etc/defaults/periodic.conf ]
-then
-    . /etc/defaults/periodic.conf
-    source_periodic_confs
-fi
-
-case "$daily_clean_pf_enable" in
-    [Yy][Ee][Ss])
-        echo ""
-        echo "PF tables cleanup:"
-        : ${daily_clean_pf_expire:=86400}
-        for table in $daily_clean_pf_tables; do
-            echo "Cleanup table $table ..."
-            pfctl -v -t $table -T expire $daily_clean_pf_expire
-            rc=$?
-        done
-        ;;
-    *)
-        rc=0
-        ;;
-esac
-
-exit $rc
diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml
index 043792f..e72a79d 100644
--- a/roles/security/tasks/main.yml
+++ b/roles/security/tasks/main.yml
@@ -21,17 +21,10 @@
   notify: restart-syslogd
   tags: sshlockout
 
-- name: periodic - copy clean-pf script
-  copy:
-    src: 600.clean-pf
-    dest: /etc/periodic/daily/600.clean-pf
-    mode: 0755
-
-- name: periodic - enable clean-pf
-  blockinfile:
-    path: /etc/periodic.conf
-    marker: '# {mark} ANSIBLE MANAGED - clean-pf'
-    block: |
-      # Clean up PF tables
-      daily_clean_pf_enable="YES"
-      daily_clean_pf_tables="bruteforce"
+- name: cron - expire PF table (bruteforce)
+  cron:
+    name: "pf-expire-table-bruteforce"
+    user: root
+    minute: "0"
+    hour: "*/2" # every 2 hours
+    job: "pfctl -t bruteforce -T expire 86400 >/dev/null"
-- 
cgit v1.2.2
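Review bot: Hosts that were provisioned before this commit keep the old `/etc/periodic/daily/600.clean-pf` script and the `clean-pf` block in `/etc/periodic.conf`, because deleting the two tasks in the main.yml hunk does not undo what they previously deployed; Ansible only converges what is declared. The role should declare their removal explicitly so that converged hosts end up with exactly one expiry mechanism and no stale periodic configuration, as in the tasks below (the same marker string is needed for blockinfile to find the block). Separately, the new job line invokes `pfctl` by bare name; cron runs with a platform-dependent minimal PATH, so an absolute path such as `job: "/sbin/pfctl -t bruteforce -T expire 86400 >/dev/null"` avoids a silent failure that would leave the table growing unnoticed, while stderr left unredirected still reaches cron mail for diagnosis. The deleted script in the first hunk is history and needs no further change.
```yaml
- name: periodic - remove legacy clean-pf script
  file:
    path: /etc/periodic/daily/600.clean-pf
    state: absent

- name: periodic - remove legacy clean-pf config
  blockinfile:
    path: /etc/periodic.conf
    marker: '# {mark} ANSIBLE MANAGED - clean-pf'
    state: absent

# … unchanged: cron task "cron - expire PF table (bruteforce)" …
```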