diff --git a/CHANGELOG.md b/CHANGELOG.md
index 929b8c8..9fb548a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,16 @@ Changelog of Git Changelog.

No issue

+3fdfda26d55dc96 Jenkins Server 2017-08-03 13:10:45 +

+

recommit for updates in build 6

+ +

+fdf29a4e38ba36a Arne Teuke 2017-08-03 13:09:41 +

+

added directory control

+ +

3c581b56cc82cb9 Arne Teuke 2017-08-03 13:01:25

added directory control

diff --git a/README.md b/README.md index aa51431..7889547 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ |Repo Name| version | Build Status| |---|---|---|---| -|`cd_fail2ban`| 0.0.0.3 | [![Build Status](https://jenkins.confdroid.com/buildStatus/icon?job=cd_fail2ban)](https://jenkins.confdroid.com/job/cd_fail2ban/)| +|`cd_fail2ban`| 0.0.0.4 | [![Build Status](https://jenkins.confdroid.com/buildStatus/icon?job=cd_fail2ban)](https://jenkins.confdroid.com/job/cd_fail2ban/)| ### Synopsis Fail2Ban is an intrusion prevention software framework that protects computer servers from brute-force attacks. @@ -34,6 +34,13 @@ Fail2Ban is an intrusion prevention software framework that protects computer se Installation * install required binaries +Configuration +* manage directory structure (file system permissions, selinux context) +* manage configration files (file system permissions, selinux context, content based on parameters) + +Service +* manage service status (running or stopped) + ### Repo Structure Repostructure has moved to REPOSTRUCTURE.md in repo. diff --git a/REPOSTRUCTURE.md b/REPOSTRUCTURE.md index 752e395..3ce4a87 100644 --- a/REPOSTRUCTURE.md +++ b/REPOSTRUCTURE.md @@ -31,6 +31,9 @@ | | `-- service.pp | |-- init.pp | `-- params.pp +|-- templates +| |-- fail2ban_conf.erb +| `-- fail2ban_local.erb |-- tests | `-- UTF_Files |-- CHANGELOG.md @@ -41,4 +44,4 @@ |-- README.md `-- REPOSTRUCTURE.md -7 directories, 34 files +8 directories, 36 files diff --git a/doc/_index.html b/doc/_index.html index fb70178..b21ade1 100644 --- a/doc/_index.html +++ b/doc/_index.html @@ -132,7 +132,7 @@ diff --git a/doc/file.README.html b/doc/file.README.html index 7fc480b..1a1160e 100644 --- a/doc/file.README.html +++ b/doc/file.README.html @@ -61,7 +61,7 @@

|Repo Name| version | Build Status| |---|---|---|---| -|cd_fail2ban| 0.0.0.3 | cd_fail2ban| 0.0.0.4 | {Build Status/]|

@@ -128,6 +128,15 @@ href="https://gitlab.puppetsoft.com/12WW1160/cd_fail2ban/blob/master/CHANGELOG.m

Installation * install required binaries

+

Configuration +* manage directory structure (file system permissions, +selinux context) +* manage configration files (file system permissions, +selinux context, content based on parameters)

+ +

Service +* manage service status (running or stopped)

+

Repo Structure

Repostructure has moved to REPOSTRUCTURE.md in repo.

@@ -242,7 +251,7 @@ environments.

diff --git a/doc/index.html b/doc/index.html index eb53701..e8815cd 100644 --- a/doc/index.html +++ b/doc/index.html @@ -61,7 +61,7 @@

|Repo Name| version | Build Status| |---|---|---|---| -|cd_fail2ban| 0.0.0.3 | cd_fail2ban| 0.0.0.4 | {Build Status/]|

@@ -128,6 +128,15 @@ href="https://gitlab.puppetsoft.com/12WW1160/cd_fail2ban/blob/master/CHANGELOG.m

Installation * install required binaries

+

Configuration +* manage directory structure (file system permissions, +selinux context) +* manage configration files (file system permissions, +selinux context, content based on parameters)

+ +

Service +* manage service status (running or stopped)

+

Repo Structure

Repostructure has moved to REPOSTRUCTURE.md in repo.

@@ -242,7 +251,7 @@ environments.

diff --git a/doc/puppet_classes/cd_fail2ban.html b/doc/puppet_classes/cd_fail2ban.html index cc1d3a6..d998ea2 100644 --- a/doc/puppet_classes/cd_fail2ban.html +++ b/doc/puppet_classes/cd_fail2ban.html @@ -139,7 +139,7 @@ class cd_fail2ban { diff --git a/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Aconfig.html b/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Aconfig.html index ef6344d..086a584 100644 --- a/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Aconfig.html +++ b/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Aconfig.html @@ -134,8 +134,7 @@ href="http://www.gnu.org/licenses">www.gnu.org/licenses/.

27 28 29 -30 -31 +30
# File 'manifests/main/config.pp', line 24
@@ -144,9 +143,8 @@ class cd_fail2ban::main::config (
 
 ) inherits cd_fail2ban::params {
 
-  if $fn_enable_fail2ban == true {
     include cd_fail2ban::main::service
-  }
+
 }
@@ -155,7 +153,7 @@ class cd_fail2ban::main::config ( diff --git a/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Adirs.html b/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Adirs.html index 8bd8578..4adb85a 100644 --- a/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Adirs.html +++ b/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Adirs.html @@ -216,7 +216,23 @@ href="http://www.gnu.org/licenses">www.gnu.org/licenses/.

109 110 111 -112 +112 +113 +114 +115 +116 +117 +118 +119 +120 +121 +122 +123 +124 +125 +126 +127 +128
# File 'manifests/main/dirs.pp', line 23
@@ -310,6 +326,22 @@ class cd_fail2ban::main::dirs (
     seltype   =>  fail2ban_var_lib_t,
     seluser   =>  system_u,
   }
+
+  # manage /var/run/fail2bam
+
+  file { $fn_var_run_dir:
+    ensure    =>  directory,
+    path      =>  $fn_var_run_dir,
+    owner     =>  'root',
+    group     =>  'root',
+    mode      =>  '0755',
+    selrange  =>  s0,
+    selrole   =>  object_r,
+    seltype   =>  fail2ban_var_run_t,
+    seluser   =>  system_u,
+  }
+
+
 }
@@ -318,7 +350,7 @@ class cd_fail2ban::main::dirs ( diff --git a/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Afiles.html b/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Afiles.html index 8fb404a..67c717c 100644 --- a/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Afiles.html +++ b/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Afiles.html @@ -133,7 +133,42 @@ href="http://www.gnu.org/licenses">www.gnu.org/licenses/.

26 27 28 -29 +29 +30 +31 +32 +33 +34 +35 +36 +37 +38 +39 +40 +41 +42 +43 +44 +45 +46 +47 +48 +49 +50 +51 +52 +53 +54 +55 +56 +57 +58 +59 +60 +61 +62 +63 +64
# File 'manifests/main/files.pp', line 23
@@ -144,6 +179,41 @@ class cd_fail2ban::main::files (
 
   require cd_fail2ban::main::dirs
 
+  if $fn_manage_config == true {
+
+    # manage fail2ban.conf
+
+    file { $fn_fail2ban_conf_file:
+      ensure    =>  present,
+      path      =>  $fn_fail2ban_conf_file,
+      owner     =>  'root',
+      group     =>  'root',
+      mode      =>  '0640',
+      selrange  =>  s0,
+      selrole   =>  object_r,
+      seltype   =>  etc_t,
+      seluser   =>  system_u,
+      content   =>  template($fn_fail2ban_conf_erb),
+      notify    =>  Service[$fn_service],
+    }
+
+    # manage fail2ban.local
+
+    file { $fn_fail2ban_local_file:
+      ensure    =>  present,
+      path      =>  $fn_fail2ban_local_file,
+      owner     =>  'root',
+      group     =>  'root',
+      mode      =>  '0640',
+      selrange  =>  s0,
+      selrole   =>  object_r,
+      seltype   =>  etc_t,
+      seluser   =>  system_u,
+      content   =>  template($fn_fail2ban_conf_erb),
+      notify    =>  Service[$fn_service],
+    }
+
+  }
 }
@@ -152,7 +222,7 @@ class cd_fail2ban::main::files ( diff --git a/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Ainstall.html b/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Ainstall.html index 3737d5f..0abcedc 100644 --- a/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Ainstall.html +++ b/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Ainstall.html @@ -159,7 +159,7 @@ class cd_fail2ban::main::install ( diff --git a/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Aservice.html b/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Aservice.html index d108ef2..3fdc1a7 100644 --- a/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Aservice.html +++ b/doc/puppet_classes/cd_fail2ban_3A_3Amain_3A_3Aservice.html @@ -139,7 +139,8 @@ href="http://www.gnu.org/licenses">www.gnu.org/licenses/.

32 33 34 -35 +35 +36
# File 'manifests/main/service.pp', line 23
@@ -151,11 +152,12 @@ class cd_fail2ban::main::service (
   require cd_fail2ban::main::files
 
   service { $fn_service:
-    ensure      => running,
+    ensure      => $fn_enable_service,
     hasstatus   => true,
     hasrestart  => true,
     enable      => true,
   }
+
 }
@@ -164,7 +166,7 @@ class cd_fail2ban::main::service ( diff --git a/doc/puppet_classes/cd_fail2ban_3A_3Aparams.html b/doc/puppet_classes/cd_fail2ban_3A_3Aparams.html index cec7144..00d5aa6 100644 --- a/doc/puppet_classes/cd_fail2ban_3A_3Aparams.html +++ b/doc/puppet_classes/cd_fail2ban_3A_3Aparams.html @@ -126,7 +126,9 @@ for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see www.gnu.org/licenses/.

+href="http://www.gnu.org/licenses">www.gnu.org/licenses/. +CRITICAL,ERROR,WARNING,NOTICE,INFO +and DEBUG.

@@ -156,15 +158,183 @@ to choose, i.e. latest or present.

  • - fn_enable_fail2ban + fn_manage_config - (Any) + (boolean) (defaults to: true) + — +
    +

    Whether to manage the fail2ban +configuration files. If set to false, +fail2ban will be installed, but the +configuration will not be managed.

    +
    + +
  • + +
  • + + fn_enable_service + + + (string) + + + (defaults to: 'running') + + + — +
    +

    Whether to enable/start or disable/stop +the fail2ban service. Valid options +are running or stopped.

    +
    + +
  • + +
  • + + fn_loglevel + + + (string) + + + (defaults to: 'INFO') + + + — +
    +

    Set the log level output. Valid options are

    +
    + +
  • + +
  • + + fn_logtarget + + + (string) + + + (defaults to: 'SYSLOG') + + + — +
    +

    Set the log target. This could be a file, +SYSLOG, STDERR or STDOUT. Only +one log target can be specified.

    +
    + +
  • + +
  • + + fn_syslogsocket + + + (string) + + + (defaults to: 'auto') + + + — +
    +

    Set the syslog socket file. Only used when +logtarget is SYSLOG. auto uses +platform.system() to determine predefined +paths Valid options: [ auto | +FILE ].

    +
    + +
  • + +
  • + + fn_socket + + + (string) + + + (defaults to: '/var/run/fail2ban/fail2ban.sock') + + + — +
    +

    Set the socket file to communicate with the daemon.

    +
    + +
  • + +
  • + + fn_pidfile + + + (string) + + + (defaults to: '/var/run/fail2ban/fail2ban.pid') + + + — +
    +

    Set the PID file to store the process ID of the +fail2ban server.

    +
    + +
  • + +
  • + + fn_dbfile + + + (string) + + + (defaults to: '/var/lib/fail2ban/fail2ban.sqlite3') + + + — +
    +

    file for the fail2ban persistent data to be stored. +A value of +":memory:" means database is only stored in memory +and data is +lost when fail2ban is stopped. +A value of "None" disables the +database.

    +
    + +
  • + +
  • + + fn_dbpurgeage + + + (string) + + + (defaults to: '86400') + + + — +
    +

    age in seconds at which bans should be purged +from the database.

    +
    +
  • @@ -177,27 +347,6 @@ to choose, i.e. latest or present.

     
     
    -27
    -28
    -29
    -30
    -31
    -32
    -33
    -34
    -35
    -36
    -37
    -38
    -39
    -40
    -41
    -42
    -43
    -44
    -45
    -46
    -47
     48
     49
     50
    @@ -212,16 +361,59 @@ to choose, i.e. latest or present.

    59 60 61 -62
    +62 +63 +64 +65 +66 +67 +68 +69 +70 +71 +72 +73 +74 +75 +76 +77 +78 +79 +80 +81 +82 +83 +84 +85 +86 +87 +88 +89 +90 +91 +92 +93 +94 +95 +96 -
    # File 'manifests/params.pp', line 27
    +        
    # File 'manifests/params.pp', line 48
     
     class cd_fail2ban::params (
     
    -$pkg_ensure           = 'latest',
    +$pkg_ensure             = 'latest',
    +
    +$fn_manage_config       = true,
    +$fn_enable_service      = 'running',
    +$fn_loglevel            = 'INFO',
    +$fn_logtarget           = 'SYSLOG',
    +$fn_syslogsocket        = 'auto',
    +$fn_socket              = '/var/run/fail2ban/fail2ban.sock',
    +$fn_pidfile             = '/var/run/fail2ban/fail2ban.pid',
    +$fn_dbfile              = '/var/lib/fail2ban/fail2ban.sqlite3',
    +$fn_dbpurgeage          = '86400',
     
    -$fn_enable_fail2ban   =  true,
     
     ) {
     
    @@ -235,18 +427,22 @@ $reqpackages  = $::operatingsystem ? {
     
     
     # service
    -$fn_service           = 'fail2ban'
    +$fn_service             = 'fail2ban'
     
     # directories
    -$fn_main_dir          = '/etc/fail2ban'
    -$fn_action_d_dir      = "${fn_main_dir}/action.d"
    -$fn_fail2ban_d_dir    = "${fn_main_dir}/fail2ban.d"
    -$fn_filter_d_dir      = "${fn_main_dir}/filter.d"
    -$fn_jail_d_dir        = "${fn_main_dir}/jail.d"
    -$fn_var_lib_dir       = '/var/lib/fail2ban'
    -
    +$fn_main_dir            = '/etc/fail2ban'
    +$fn_action_d_dir        = "${fn_main_dir}/action.d"
    +$fn_fail2ban_d_dir      = "${fn_main_dir}/fail2ban.d"
    +$fn_filter_d_dir        = "${fn_main_dir}/filter.d"
    +$fn_jail_d_dir          = "${fn_main_dir}/jail.d"
    +$fn_var_lib_dir         = '/var/lib/fail2ban'
    +$fn_var_run_dir         = '/var/run/fail2ban'
     
     # files
    +$fn_fail2ban_conf_file  = "${fn_main_dir}fail2ban.conf"
    +$fn_fail2ban_conf_erb   = 'cd_fail2ban/fail2ban_conf.erb'
    +$fn_fail2ban_local_file = "${fn_main_dir}fail2ban.local"
    +$fn_fail2ban_local_erb  = 'cd_fail2ban/fail2ban_local.erb'
     
     # includes must be last
     
    @@ -260,7 +456,7 @@ $fn_var_lib_dir       = '/var/lib/fail2ban'
     
     
           
    diff --git a/doc/top-level-namespace.html b/doc/top-level-namespace.html
    index deae4d9..0410a43 100644
    --- a/doc/top-level-namespace.html
    +++ b/doc/top-level-namespace.html
    @@ -90,7 +90,7 @@
     
     
           
    diff --git a/manifests/main/config.pp b/manifests/main/config.pp
    index d332125..39e0312 100644
    --- a/manifests/main/config.pp
    +++ b/manifests/main/config.pp
    @@ -25,7 +25,6 @@ class cd_fail2ban::main::config (
     
     ) inherits cd_fail2ban::params {
     
    -  if $fn_enable_fail2ban == true {
         include cd_fail2ban::main::service
    -  }
    +
     }
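Review bot: With the `if` removed, `include cd_fail2ban::main::service` is still indented four spaces as if it sat inside a block, and a blank line was added before the closing brace. Re-indent it to `  include cd_fail2ban::main::service` so it matches the two-space indentation used in the other manifests of this commit, and drop the extra blank line.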
    diff --git a/manifests/main/dirs.pp b/manifests/main/dirs.pp
    index cd5b9ca..f39f30b 100644
    --- a/manifests/main/dirs.pp
    +++ b/manifests/main/dirs.pp
    @@ -109,4 +109,20 @@ class cd_fail2ban::main::dirs (
         seltype   =>  fail2ban_var_lib_t,
         seluser   =>  system_u,
       }
    +
    +  # manage /var/run/fail2bam
    +
    +  file { $fn_var_run_dir:
    +    ensure    =>  directory,
    +    path      =>  $fn_var_run_dir,
    +    owner     =>  'root',
    +    group     =>  'root',
    +    mode      =>  '0755',
    +    selrange  =>  s0,
    +    selrole   =>  object_r,
    +    seltype   =>  fail2ban_var_run_t,
    +    seluser   =>  system_u,
    +  }
    +
    +
     }
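Review bot: The comment above the new resource reads `# manage /var/run/fail2bam`; it should be `# manage /var/run/fail2ban`. On hosts where `/var/run` lives on a tmpfs (an assumption, not visible here), this directory disappears at reboot and Puppet restores it only on the next agent run, so the service's own runtime-directory setup still has to create it for the socket and PID file. The two blank lines before the closing brace can go. The class header is outside the hunk.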
    diff --git a/manifests/main/files.pp b/manifests/main/files.pp
    index edbb472..ee0335b 100644
    --- a/manifests/main/files.pp
    +++ b/manifests/main/files.pp
    @@ -26,4 +26,39 @@ class cd_fail2ban::main::files (
     
       require cd_fail2ban::main::dirs
     
    +  if $fn_manage_config == true {
    +
    +    # manage fail2ban.conf
    +
    +    file { $fn_fail2ban_conf_file:
    +      ensure    =>  present,
    +      path      =>  $fn_fail2ban_conf_file,
    +      owner     =>  'root',
    +      group     =>  'root',
    +      mode      =>  '0640',
    +      selrange  =>  s0,
    +      selrole   =>  object_r,
    +      seltype   =>  etc_t,
    +      seluser   =>  system_u,
    +      content   =>  template($fn_fail2ban_conf_erb),
    +      notify    =>  Service[$fn_service],
    +    }
    +
    +    # manage fail2ban.local
    +
    +    file { $fn_fail2ban_local_file:
    +      ensure    =>  present,
    +      path      =>  $fn_fail2ban_local_file,
    +      owner     =>  'root',
    +      group     =>  'root',
    +      mode      =>  '0640',
    +      selrange  =>  s0,
    +      selrole   =>  object_r,
    +      seltype   =>  etc_t,
    +      seluser   =>  system_u,
    +      content   =>  template($fn_fail2ban_conf_erb),
    +      notify    =>  Service[$fn_service],
    +    }
    +
    +  }
     }
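Review bot: The `fail2ban.local` resource renders `template($fn_fail2ban_conf_erb)`, the same template as `fail2ban.conf`, so `templates/fail2ban_local.erb` added by this commit is never used and none of the new `fn_*` parameters reach the daemon's configuration. The `content` line of the second `file` resource should read `content   =>  template($fn_fail2ban_local_erb),`. Until then both files carry the static values from fail2ban_conf.erb, including its hard-coded log target. The class header is outside the hunk.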
    diff --git a/manifests/main/service.pp b/manifests/main/service.pp
    index 0c2390e..30d6fb1 100644
    --- a/manifests/main/service.pp
    +++ b/manifests/main/service.pp
    @@ -27,9 +27,10 @@ class cd_fail2ban::main::service (
       require cd_fail2ban::main::files
     
       service { $fn_service:
    -    ensure      => running,
    +    ensure      => $fn_enable_service,
         hasstatus   => true,
         hasrestart  => true,
         enable      => true,
       }
    +
     }
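Review bot: `enable => true` stays hard-coded while `ensure` now follows `$fn_enable_service`, so setting the parameter to `stopped` stops the daemon only until the next boot, when it starts again. The parameter is documented as "enable/start or disable/stop", so `enable` should follow it too, for example `enable      => $fn_enable_service ? { 'running' => true, default => false },`. The class header and its parameter list are outside the hunk.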
    diff --git a/manifests/params.pp b/manifests/params.pp
    index 70c99b5..ed4811e 100644
    --- a/manifests/params.pp
    +++ b/manifests/params.pp
    @@ -23,12 +23,42 @@
     # @param  [string] pkg_ensure
     #   which [package type](https://confdroid.com/2017/05/puppet-type-package/)
     #   to choose, i.e. `latest` or `present`.
    +# @param  [boolean] fn_manage_config Whether to manage the fail2ban
    +#   configuration files. If set to false, fail2ban will be installed, but the
    +#   configuration will not be managed.
    +# @param  [string] fn_enable_service Whether to enable/start or disable/stop
    +#    the fail2ban service. Valid options are `running` or `stopped`.
    +# @param  [string]  fn_loglevel Set the log level output. Valid options are
    +# `CRITICAL`,`ERROR`,`WARNING`,`NOTICE`,`INFO` and `DEBUG`.
    +# @param  [string]  fn_logtarget Set the log target. This could be a file,
    +#   SYSLOG, STDERR or STDOUT. Only one log target can be specified.
    +# @param  [string] fn_syslogsocket Set the syslog socket file. Only used when
    +#   logtarget is SYSLOG.  auto uses platform.system() to determine predefined
    +#   paths Valid options: [ auto | FILE ].
    +# @param  [string] fn_socket Set the socket file to communicate with the daemon.
    +# @param  [string]  fn_pidfile Set the PID file to store the process ID of the
    +#   fail2ban server.
    +# @param  [string] fn_dbfile file for the fail2ban persistent data to be stored.
    +#   A value of ":memory:" means database is only stored in memory
    +#   and data is lost when fail2ban is stopped.
    +#   A value of "None" disables the database.
    +# @param  [string] fn_dbpurgeage age in seconds at which bans should be purged
    +#   from the database.
     ##############################################################################
     class cd_fail2ban::params (
     
    -$pkg_ensure           = 'latest',
    +$pkg_ensure             = 'latest',
    +
    +$fn_manage_config       = true,
    +$fn_enable_service      = 'running',
    +$fn_loglevel            = 'INFO',
    +$fn_logtarget           = 'SYSLOG',
    +$fn_syslogsocket        = 'auto',
    +$fn_socket              = '/var/run/fail2ban/fail2ban.sock',
    +$fn_pidfile             = '/var/run/fail2ban/fail2ban.pid',
    +$fn_dbfile              = '/var/lib/fail2ban/fail2ban.sqlite3',
    +$fn_dbpurgeage          = '86400',
     
    -$fn_enable_fail2ban   =  true,
     
     ) {
     
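Review bot: The new parameters document closed value sets (`running`/`stopped`, the six log levels), but nothing in the signature enforces them, and `templates/fail2ban_local.erb` writes each value into the file as given. A typo in node data could produce a configuration that fail2ban rejects on restart, leaving the host without ban enforcement. If the module targets Puppet 4 or later (not visible here), typed parameters such as `Enum['running','stopped'] $fn_enable_service = 'running',` and `Enum['CRITICAL','ERROR','WARNING','NOTICE','INFO','DEBUG'] $fn_loglevel = 'INFO',` catch this at compile time. Removing `fn_enable_fail2ban` also breaks any existing declaration that still sets it, which deserves a line in the changelog.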
    @@ -42,18 +72,22 @@ $reqpackages  = $::operatingsystem ? {
     
     
     # service
    -$fn_service           = 'fail2ban'
    +$fn_service             = 'fail2ban'
     
     # directories
    -$fn_main_dir          = '/etc/fail2ban'
    -$fn_action_d_dir      = "${fn_main_dir}/action.d"
    -$fn_fail2ban_d_dir    = "${fn_main_dir}/fail2ban.d"
    -$fn_filter_d_dir      = "${fn_main_dir}/filter.d"
    -$fn_jail_d_dir        = "${fn_main_dir}/jail.d"
    -$fn_var_lib_dir       = '/var/lib/fail2ban'
    -
    +$fn_main_dir            = '/etc/fail2ban'
    +$fn_action_d_dir        = "${fn_main_dir}/action.d"
    +$fn_fail2ban_d_dir      = "${fn_main_dir}/fail2ban.d"
    +$fn_filter_d_dir        = "${fn_main_dir}/filter.d"
    +$fn_jail_d_dir          = "${fn_main_dir}/jail.d"
    +$fn_var_lib_dir         = '/var/lib/fail2ban'
    +$fn_var_run_dir         = '/var/run/fail2ban'
     
     # files
    +$fn_fail2ban_conf_file  = "${fn_main_dir}fail2ban.conf"
    +$fn_fail2ban_conf_erb   = 'cd_fail2ban/fail2ban_conf.erb'
    +$fn_fail2ban_local_file = "${fn_main_dir}fail2ban.local"
    +$fn_fail2ban_local_erb  = 'cd_fail2ban/fail2ban_local.erb'
     
     # includes must be last
     
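Review bot: `$fn_fail2ban_conf_file` and `$fn_fail2ban_local_file` are built without a path separator, so with `$fn_main_dir = '/etc/fail2ban'` they resolve to `/etc/fail2banfail2ban.conf` and `/etc/fail2banfail2ban.local`. The managed files would be created next to the configuration directory rather than inside it, and fail2ban would presumably keep reading whatever the package installed. Use `"${fn_main_dir}/fail2ban.conf"` and `"${fn_main_dir}/fail2ban.local"`, matching the directory variables defined just above. The class body continues outside the hunk.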
    diff --git a/templates/fail2ban_conf.erb b/templates/fail2ban_conf.erb
    new file mode 100644
    index 0000000..39c53d4
    --- /dev/null
    +++ b/templates/fail2ban_conf.erb
    @@ -0,0 +1,77 @@
    +################################################################################
    +##########              fail2ban.conf managed by Puppet               ##########
    +##########            manual changes will be overwritten !!!          ##########
    +################################################################################
    +##########              full reference available under                ##########
    +##########   https://confdroid.com/2017/08/fail2ban-fail2ban-conf/    ##########
    +################################################################################
    +
    +# Fail2Ban main configuration file
    +#
    +# Comments: use '#' for comment lines and ';' (following a space) for inline comments
    +#
    +# Changes:  in most of the cases you should not modify this
    +#           file, but provide customizations in fail2ban.local file, e.g.:
    +#
    +# [Definition]
    +# loglevel = DEBUG
    +#
    +
    +[Definition]
    +
    +# Option: loglevel
    +# Notes.: Set the log level output.
    +#         CRITICAL
    +#         ERROR
    +#         WARNING
    +#         NOTICE
    +#         INFO
    +#         DEBUG
    +# Values: [ LEVEL ]  Default: ERROR
    +#
    +loglevel = INFO
    +
    +# Option: logtarget
    +# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
    +#         Only one log target can be specified.
    +#         If you change logtarget from the default value and you are
    +#         using logrotate -- also adjust or disable rotation in the
    +#         corresponding configuration file
    +#         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
    +# Values: [ STDOUT | STDERR | SYSLOG | FILE ]  Default: STDERR
    +#
    +logtarget = /var/log/fail2ban.log
    +
    +# Option: syslogsocket
    +# Notes: Set the syslog socket file. Only used when logtarget is SYSLOG
    +#        auto uses platform.system() to determine predefined paths
    +# Values: [ auto | FILE ]  Default: auto
    +syslogsocket = auto
    +
    +# Option: socket
    +# Notes.: Set the socket file. This is used to communicate with the daemon. Do
    +#         not remove this file when Fail2ban runs. It will not be possible to
    +#         communicate with the server afterwards.
    +# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.sock
    +#
    +socket = /var/run/fail2ban/fail2ban.sock
    +
    +# Option: pidfile
    +# Notes.: Set the PID file. This is used to store the process ID of the
    +#         fail2ban server.
    +# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.pid
    +#
    +pidfile = /var/run/fail2ban/fail2ban.pid
    +
    +# Options: dbfile
    +# Notes.: Set the file for the fail2ban persistent data to be stored.
    +#         A value of ":memory:" means database is only stored in memory
    +#         and data is lost when fail2ban is stopped.
    +#         A value of "None" disables the database.
    +# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
    +dbfile = /var/lib/fail2ban/fail2ban.sqlite3
    +
    +# Options: dbpurgeage
    +# Notes.: Sets age at which bans should be purged from the database
    +# Values: [ SECONDS ] Default: 86400 (24hours)
    +dbpurgeage = 86400
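Review bot: This template contains no ERB tags, and it hard-codes `logtarget = /var/log/fail2ban.log` while the new `fn_logtarget` parameter defaults to `SYSLOG`. The effective log target therefore depends entirely on fail2ban.local overriding this file; where that override is missing, ban events go to a file the parameter documentation does not mention. Either render the values here as well, e.g. `logtarget = <%= @fn_logtarget %>`, or keep the upstream defaults and state in the header that fail2ban.local carries the managed settings.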
    diff --git a/templates/fail2ban_local.erb b/templates/fail2ban_local.erb
    new file mode 100644
    index 0000000..4b7f5bb
    --- /dev/null
    +++ b/templates/fail2ban_local.erb
    @@ -0,0 +1,16 @@
    +################################################################################
    +##########              fail2ban.local managed by Puppet              ##########
    +##########            manual changes will be overwritten !!!          ##########
    +################################################################################
    +##########              full reference available under                ##########
    +##########   https://confdroid.com/2017/08/fail2ban-fail2ban-conf/    ##########
    +################################################################################
    +
    +[Definition]
    +loglevel      = <%= @fn_loglevel %>
    +logtarget     = <%= @fn_logtarget %>
    +syslogsocket  = <%= @fn_syslogsocket %>
    +socket        = <%= @fn_socket %>
    +pidfile       = <%= @fn_pidfile %>
    +dbfile        = <%= @fn_dbfile %>
    +dbpurgeage    = <%= @fn_dbpurgeage %>