diff --git a/CHANGELOG.md b/CHANGELOG.md
index 995f46c..05cdf7c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,9 +8,154 @@ Changelog of Git Changelog.
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
|Repo Name| version | Build
Status|
|---|---|---|---|
-|cd_fail2ban| 0.0.0.2 | cd_fail2ban| 0.0.0.6 | {Build
Status/]|
Installation * install required binaries
+Configuration +* manage directory structure (file system permissions, +selinux context) +* manage configration files (file system permissions, +selinux context, content based on parameters)
+ +Service +* manage service status (running or stopped)
+Repostructure has moved to REPOSTRUCTURE.md in repo.
@@ -184,6 +193,10 @@ right out of box as is. selinux is disabled, these contexts are ignored.firewalld: firewalld is auto-installed on CentOS7 as dependency of fail2ban +by yum.
+|Repo Name| version | Build
Status|
|---|---|---|---|
-|cd_fail2ban| 0.0.0.2 | cd_fail2ban| 0.0.0.6 | {Build
Status/]|
Installation * install required binaries
+Configuration +* manage directory structure (file system permissions, +selinux context) +* manage configration files (file system permissions, +selinux context, content based on parameters)
+ +Service +* manage service status (running or stopped)
+Repostructure has moved to REPOSTRUCTURE.md in repo.
@@ -184,6 +193,10 @@ right out of box as is. selinux is disabled, these contexts are ignored.firewalld: firewalld is auto-installed on CentOS7 as dependency of fail2ban +by yum.
+# File 'manifests/main/config.pp', line 24
@@ -144,9 +143,8 @@ class cd_fail2ban::main::config (
) inherits cd_fail2ban::params {
- if $fn_enable_fail2ban == true {
include cd_fail2ban::main::service
- }
+
}
cd_fail2ban::main::dirs.pp Module name: cd_fail2ban Author: Arne Teuke -(arne_teuke@ConfDroid.com)
+(arne_teuke@confdroid.com) +License: + This file is part of cd_fail2ban. -cd_fail2ban is used for providing automatic configuration of Fail2Ban -
This file is part of cd_fail2ban.
- -cd_fail2ban is used for providing automatic configuration of - <service / -purpose> - Copyright (C) 2016 ConfDroid (copyright@ConfDroid.com) - This -program is free software: you can redistribute it and/or modify - it under -the terms of the GNU General Public License as published by - the Free -Software Foundation, either version 3 of the License, or - (at your option) -any later version.
+Copyright (C) 2017 confdroid (copyright@confdroid.com) + This program is +free software: you can redistribute it and/or modify + it under the terms of +the GNU General Public License as published by + the Free Software +Foundation, either version 3 of the License, or + (at your option) any later +version.This program is distributed in the hope that it will be useful, but @@ -130,6 +127,7 @@ href="http://www.gnu.org/licenses">www.gnu.org/licenses/.
+23 24 25 26 @@ -138,10 +136,106 @@ href="http://www.gnu.org/licenses">www.gnu.org/licenses/. 29 30 31 -32+32 +33 +34 +35 +36 +37 +38 +39 +40 +41 +42 +43 +44 +45 +46 +47 +48 +49 +50 +51 +52 +53 +54 +55 +56 +57 +58 +59 +60 +61 +62 +63 +64 +65 +66 +67 +68 +69 +70 +71 +72 +73 +74 +75 +76 +77 +78 +79 +80 +81 +82 +83 +84 +85 +86 +87 +88 +89 +90 +91 +92 +93 +94 +95 +96 +97 +98 +99 +100 +101 +102 +103 +104 +105 +106 +107 +108 +109 +110 +111 +112 +113 +114 +115 +116 +117 +118 +119 +120 +121 +122 +123 +124 +125 +126 +127 +128
# File 'manifests/main/dirs.pp', line 24
+ # File 'manifests/main/dirs.pp', line 23
class cd_fail2ban::main::dirs (
@@ -149,6 +243,103 @@ class cd_fail2ban::main::dirs (
require cd_fail2ban::main::install
+ # manage main dir
+
+ file { $fn_main_dir:
+ ensure => directory,
+ path => $fn_main_dir,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ selrange => s0,
+ selrole => object_r,
+ seltype => etc_t,
+ seluser => system_u,
+ }
+
+ # manage action.d dir
+
+ file { $fn_action_d_dir:
+ ensure => directory,
+ path => $fn_action_d_dir,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ selrange => s0,
+ selrole => object_r,
+ seltype => etc_t,
+ seluser => system_u,
+ }
+
+ # manage fail2ban.d dir
+
+ file { $fn_fail2ban_d_dir:
+ ensure => directory,
+ path => $fn_fail2ban_d_dir,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ selrange => s0,
+ selrole => object_r,
+ seltype => etc_t,
+ seluser => system_u,
+ }
+
+ # manage filter.d dir
+
+ file { $fn_filter_d_dir:
+ ensure => directory,
+ path => $fn_filter_d_dir,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ selrange => s0,
+ selrole => object_r,
+ seltype => etc_t,
+ seluser => system_u,
+ }
+
+ # manage jail.d dir
+
+ file { $fn_jail_d_dir:
+ ensure => directory,
+ path => $fn_jail_d_dir,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ selrange => s0,
+ selrole => object_r,
+ seltype => etc_t,
+ seluser => system_u,
+ }
+
+ # manage /var/lib/fail2ban
+
+ file { $fn_var_lib_dir:
+ ensure => directory,
+ path => $fn_var_lib_dir,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ selrange => s0,
+ selrole => object_r,
+ seltype => fail2ban_var_lib_t,
+ seluser => system_u,
+ }
+
+ # manage /var/run/fail2bam
+
+ file { $fn_var_run_dir:
+ ensure => directory,
+ path => $fn_var_run_dir,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ selrange => s0,
+ selrole => object_r,
+ seltype => fail2ban_var_run_t,
+ seluser => system_u,
+ }
}
@@ -159,7 +350,7 @@ class cd_fail2ban::main::dirs (
diff --git a/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Afiles.html b/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Afiles.html
index 950258c..6332c8e 100644
--- a/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Afiles.html
+++ b/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Afiles.html
@@ -133,7 +133,89 @@ href="http://www.gnu.org/licenses">www.gnu.org/licenses/.
26
27
28
-29
+29
+30
+31
+32
+33
+34
+35
+36
+37
+38
+39
+40
+41
+42
+43
+44
+45
+46
+47
+48
+49
+50
+51
+52
+53
+54
+55
+56
+57
+58
+59
+60
+61
+62
+63
+64
+65
+66
+67
+68
+69
+70
+71
+72
+73
+74
+75
+76
+77
+78
+79
+80
+81
+82
+83
+84
+85
+86
+87
+88
+89
+90
+91
+92
+93
+94
+95
+96
+97
+98
+99
+100
+101
+102
+103
+104
+105
+106
+107
+108
+109
+110
+111
# File 'manifests/main/files.pp', line 23
@@ -144,6 +226,88 @@ class cd_fail2ban::main::files (
require cd_fail2ban::main::dirs
+ if $fn_manage_config == true {
+
+ # manage fail2ban.conf
+
+ file { $fn_fail2ban_conf_file:
+ ensure => file,
+ path => $fn_fail2ban_conf_file,
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ selrange => s0,
+ selrole => object_r,
+ seltype => etc_t,
+ seluser => system_u,
+ content => template($fn_fail2ban_conf_erb),
+ notify => Service[$fn_service],
+ }
+
+ # manage fail2ban.local
+
+ file { $fn_fail2ban_local_file:
+ ensure => file,
+ path => $fn_fail2ban_local_file,
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ selrange => s0,
+ selrole => object_r,
+ seltype => etc_t,
+ seluser => system_u,
+ content => template($fn_fail2ban_local_erb),
+ notify => Service[$fn_service],
+ }
+
+ # manage jail.conf
+
+ file { $fn_jail_conf_file:
+ ensure => file,
+ path => $fn_jail_conf_file,
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ selrange => s0,
+ selrole => object_r,
+ seltype => etc_t,
+ seluser => system_u,
+ content => template($fn_jail_conf_erb),
+ notify => Service[$fn_service],
+ }
+
+ # manage jail.local
+
+ file { $fn_jail_local_file:
+ ensure => file,
+ path => $fn_jail_local_file,
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ selrange => s0,
+ selrole => object_r,
+ seltype => etc_t,
+ seluser => system_u,
+ content => template($fn_jail_local_erb),
+ notify => Service[$fn_service],
+ }
+
+ # manage paths-common.conf
+
+ file { $fn_paths_common_file:
+ ensure => file,
+ path => $fn_paths_common_file,
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ selrange => s0,
+ selrole => object_r,
+ seltype => etc_t,
+ seluser => system_u,
+ content => template($fn_paths_common_erb),
+ notify => Service[$fn_service],
+ }
+ }
}
# File 'manifests/main/service.pp', line 23
@@ -151,11 +152,12 @@ class cd_fail2ban::main::service (
require cd_fail2ban::main::files
service { $fn_service:
- ensure => running,
+ ensure => $fn_enable_service,
hasstatus => true,
hasrestart => true,
enable => true,
}
+
}
You should have received a copy of the GNU General Public License along with this program. If not, see www.gnu.org/licenses/.
+href="http://www.gnu.org/licenses">www.gnu.org/licenses/. +CRITICAL,ERROR,WARNING,NOTICE,INFO
+and DEBUG.
+ @param [string] Report ban via badips.com, and use
+as blacklist
@@ -156,13 +160,764 @@ to choose, i.e. latest or present.
Whether to manage the fail2ban +configuration files. If set to false, +fail2ban will be installed, but the +configuration will not be managed.
+Whether to enable/start or disable/stop
+the fail2ban service. Valid options
+are running or stopped.
Set the log level output. Valid options are
+Set the log target. This could be a file, +SYSLOG, STDERR or STDOUT. Only +one log target can be specified.
+Set the syslog socket file. Only used when +logtarget is SYSLOG. auto uses +platform.system() to determine predefined +paths Valid options: [ auto | +FILE ].
+Set the socket file to communicate with the daemon.
+Set the PID file to store the process ID of the +fail2ban server.
+file for the fail2ban persistent data to be stored. +A value of +":memory:" means database is only stored in memory +and data is +lost when fail2ban is stopped. +A value of "None" disables the +database.
+age in seconds at which bans should be purged +from the database.
+can be an IP address, a CIDR mask or a DNS host. +Fail2ban will not ban a +host which matches an address in this list. Several +addresses can be +defined using space (and/or comma) separator.
+External command that will take an +tagged arguments to ignore, e.g. +<ip>,and return true if the IP is to be +ignored. False otherwise.
+number of seconds that a host is banned.
+A host is banned if it has generated “maxretry” +during the last +"findtime" seconds.
+number of failures before a host get banned.
+specifies the backend used to get files +modification. options are +"pyinotify", "gamin", "polling", +"systemd" and +"auto". +pyinotify: requires pyinotify (a +file alteration monitor) to be installed. + If pyinotify is not installed, +Fail2ban will use auto. +gamin: requires Gamin (a file alteration monitor) +to be installed. + If Gamin is not installed, Fail2ban will use +auto. +polling: uses a polling algorithm which does not require external +libraries. +systemd: uses systemd python library to access the systemd +journal. + Specifying "logpath" is not valid for this backend. + +See "journalmatch" in the jails associated filter config +auto: +will try to use the following backends, in order: + pyinotify, gamin, +polling.
+specifies if jails should trust hostnames in logs, +warn when DNS lookups +are performed, or ignore all hostnames in logs +yes: if a hostname is +encountered, a DNS lookup will be performed. +warn: if a hostname is +encountered, a DNS lookup will be performed, + but it will be logged as a +warning. +no: if a hostname is encountered, will not be used for banning, + +but it will be logged as info. +raw: use raw value (no hostname), allow use +it for no-host filters/actions +(example user)
+specifies the encoding of the log files +handled by the jail This is used to +decode the lines from the log file. +Typical examples: "ascii", +"utf-8" +auto: will use the system locale setting
+enables the jails. +By default all jails are disabled, and it should stay +this way. +Enable only relevant to your setup jails in your .local or +jail.d/*.conf +true: jail will be enabled and log files will get monitored +for changes +false: jail is not enabled
+defines the filter to use by the jail. +By default jails have names matching +their filter name
+Destination email address used solely for the +interpolations in +jail.conf,local,d/* configuration files.
+Sender email address used solely for some actions
+E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA +for the mailing. +Change mta configuration parameter to mail if you want to +revert to +conventional 'mail'.
+Default protocol.
+Specify chain where jumps would need to be added in +iptables-* actions.
+in a particular jail
+Format of user-agent +tools.ietf.org/html/rfc7231#section-5.5.3
+Default banning action
+Default banning action
+ban only
+ban & send an e-mail with whois report to the +destemail.
+ban & send an e-mail with whois report and +relevant log lines
+ban & send a xarf e-mail to abuse contact of +IP address and include +relevant log lines.
+ban IP on CloudFlare & send an e-mail with +whois report and relevant +log lines.
+Report block via blocklist.de fail2ban +reporting service API
+(uses action.d/badips.conf for reporting only).
+Choose default action.
+latest or present.
-27 -28 -29 -30 -31 -32 -33 -34 -35 -36 -37 -38 -39 -40 -41 -42 -43 -44 -45 -46 -47+121 +122 +123 +124 +125 +126 +127 +128 +129 +130 +131 +132 +133 +134 +135 +136 +137 +138 +139 +140 +141 +142 +143 +144 +145 +146 +147 +148 +149 +150 +151 +152 +153 +154 +155 +156 +157 +158 +159 +160 +161 +162 +163 +164 +165 +166 +167 +168 +169 +170 +171 +172 +173 +174 +175 +176 +177 +178 +179 +180 +181 +182 +183 +184 +185 +186 +187 +188 +189 +190 +191 +192 +193 +194 +195 +196 +197 +198 +199 +200 +201 +202 +203 +204 +205 +206 +207 +208 +209 +210 +211 +212 +213 +214 +215 +216 +217
# File 'manifests/params.pp', line 27 +# File 'manifests/params.pp', line 121 class cd_fail2ban::params ( -$pkg_ensure = 'latest', +$pkg_ensure = 'latest', + +$fn_manage_config = true, +$fn_enable_service = 'running', + +# fail2ban.conf/local + +$fn_loglevel = 'INFO', +$fn_logtarget = 'SYSLOG', +$fn_syslogsocket = 'auto', +$fn_socket = '/var/run/fail2ban/fail2ban.sock', +$fn_pidfile = '/var/run/fail2ban/fail2ban.pid', +$fn_dbfile = '/var/lib/fail2ban/fail2ban.sqlite3', +$fn_dbpurgeage = '86400', + +# jail.conf/local +$fn_ignoreip = '127.0.0.1/8', +$fn_ignorecommand = '', +$fn_bantime = '600', +$fn_findtime = '600', +$fn_maxretry = '5', +$fn_backend = 'auto', +$fn_usedns = 'warn', +$fn_logencoding = 'auto', +$fn_enabled = false, +$fn_filter = '%(__name__)s', +$fn_destemail = 'root@localhost', +$fn_sender = 'root@localhost', +$fn_mta = 'sendmail', +$fn_protocol = 'tcp', +$fn_chain = 'INPUT', +$fn_port = '0:65535', +$fn_fail2ban_agent = 'Fail2Ban/%(fail2ban_version)s', +$fn_banaction = 'iptables-multiport', +$fn_banaction_allports = 'iptables-allports', +$fn_action_ = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]', +$fn_action_mw = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]', +$fn_action_mwl = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]', +$fn_action_xarf = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] + xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]', +$fn_action_cf_mwl = 
'cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] + %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]', +$fn_action_blocklist_de = 'blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]', +$fn_action_badips = 'badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]', +$fn_action_badips_report = 'badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]', +$fn_default_action = 'action_', -$fn_enable_fail2ban = true, ) { # installation section -$reqpackages = $::operatingsystem ? { - /(?i-mx:centos|fedora|redhat)/ => ['fail2ban'], +$reqpackages = $::operatingsystem ? { + /(?i-mx:centos|fedora|redhat)/ => ['fail2ban','fail2ban-firewalld', + 'fail2ban-sendmail', + 'fail2ban-server.noarch','jwhois'], } +$fn_jail_paths = $::operatingsystem ? { + /(?i-mx:centos|fedora|redhat)/ => 'fedora', + } + +# shortcuts +$fn_os = $::operatingsystem + # service -$fn_service = 'fail2ban' +$fn_service = 'fail2ban' + +# directories +$fn_main_dir = '/etc/fail2ban' +$fn_action_d_dir = "${fn_main_dir}/action.d" +$fn_fail2ban_d_dir = "${fn_main_dir}/fail2ban.d" +$fn_filter_d_dir = "${fn_main_dir}/filter.d" +$fn_jail_d_dir = "${fn_main_dir}/jail.d" +$fn_var_lib_dir = '/var/lib/fail2ban' +$fn_var_run_dir = '/var/run/fail2ban' + +# files +$fn_fail2ban_conf_file = "${fn_main_dir}/fail2ban.conf" +$fn_fail2ban_conf_erb = 'cd_fail2ban/fail2ban_conf.erb' +$fn_fail2ban_local_file = "${fn_main_dir}/fail2ban.local" +$fn_fail2ban_local_erb = 'cd_fail2ban/fail2ban_local.erb' +$fn_jail_conf_file = "${fn_main_dir}/jail.conf" +$fn_jail_conf_erb = 'cd_fail2ban/jail_conf.erb' +$fn_jail_local_file = "${fn_main_dir}/jail.local" +$fn_jail_local_erb = 'cd_fail2ban/jail_local.erb' +$fn_paths_common_file = "${fn_main_dir}/paths-common.conf" +$fn_paths_common_erb = 'cd_fail2ban/paths_common_conf.erb' # includes must be last 
@@ -230,7 +1137,7 @@ $fn_service = 'fail2ban'
diff --git a/doc/top-level-namespace.html b/doc/top-level-namespace.html
index bcf9706..883f456 100644
--- a/doc/top-level-namespace.html
+++ b/doc/top-level-namespace.html
@@ -90,7 +90,7 @@
diff --git a/tests/UTF_Files b/tests/UTF_Files
index a138597..4319827 100644
--- a/tests/UTF_Files
+++ b/tests/UTF_Files
@@ -4,3 +4,4 @@
 ./.yardoc/objects/root.dat: data
 ./doc/css/style.css: HTML document, UTF-8 Unicode text, with very long lines
 ./doc/js/jquery.js: HTML document, UTF-8 Unicode text, with very long lines
+./doc/puppet_classes/cd_fail2ban_3A_3Aparams.html: HTML document, UTF-8 Unicode text