From fa4758835e44da1e8b120ae0996ad5d18f592fe3 Mon Sep 17 00:00:00 2001
From: Arne Teuke
Date: Sun, 6 Aug 2017 15:30:02 +0100
Subject: [PATCH] finalized jail.local
---
 manifests/params.pp | 81 ++++++++++++++++++++-------------
 templates/jail_local.erb | 97 +++++++++++++--------------------------
 2 files changed, 81 insertions(+), 97 deletions(-)
diff --git a/manifests/params.pp b/manifests/params.pp
index 8e52965..14ffafd 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -105,46 +105,65 @@ # @param [string] fn_action_ ban only
 # @param [string] fn_action_mw ban & send an e-mail with whois report to the
 # destemail.
+# @param [string] fn_action_mwl ban & send an e-mail with whois report and
+# relevant log lines
+# @param [string] fn_action_xarf ban & send a xarf e-mail to abuse contact of
+# IP address and include relevant log lines.
+# @param [string] fn_action_cf_mwl ban IP on CloudFlare & send an e-mail with
+# whois report and relevant log lines.
+# @param [string] fn_action_blocklist_de Report block via blocklist.de fail2ban
+# reporting service API
+# @param [string] Report ban via badips.com, and use as blacklist
+# @param [string] fn_action_badips_report # Report ban via badips.com
+# (uses action.d/badips.conf for reporting only).
+# @param [string] fn_default_action Choose default action.
 ###############################################################################
 class cd_fail2ban::params (
-$pkg_ensure = 'latest',
+$pkg_ensure = 'latest',
-$fn_manage_config = true,
-$fn_enable_service = 'running',
+$fn_manage_config = true,
+$fn_enable_service = 'running',
 # fail2ban.conf/local
-$fn_loglevel = 'INFO',
-$fn_logtarget = 'SYSLOG',
-$fn_syslogsocket = 'auto',
-$fn_socket = '/var/run/fail2ban/fail2ban.sock',
-$fn_pidfile = '/var/run/fail2ban/fail2ban.pid',
-$fn_dbfile = '/var/lib/fail2ban/fail2ban.sqlite3',
-$fn_dbpurgeage = '86400',
+$fn_loglevel = 'INFO',
+$fn_logtarget = 'SYSLOG',
+$fn_syslogsocket = 'auto',
+$fn_socket = '/var/run/fail2ban/fail2ban.sock',
+$fn_pidfile = '/var/run/fail2ban/fail2ban.pid',
+$fn_dbfile = '/var/lib/fail2ban/fail2ban.sqlite3',
+$fn_dbpurgeage = '86400',
 # jail.conf/local
-$fn_ignoreip = '127.0.0.1/8',
-$fn_ignorecommand = '',
-$fn_bantime = '600',
-$fn_findtime = '600',
-$fn_maxretry = '5',
-$fn_backend = 'auto',
-$fn_usedns = 'warn',
-$fn_logencoding = 'auto',
-$fn_enabled = 'false',
-$fn_filter = '%(__name__)s',
-$fn_destemail = 'root@localhost',
-$fn_sender = 'root@localhost',
-$fn_mta = 'sendmail',
-$fn_protocol = 'tcp',
-$fn_chain = 'INPUT',
-$fn_port = '0:65535',
-$fn_fail2ban_agent = 'Fail2Ban/%(fail2ban_version)s',
-$fn_banaction = 'iptables-multiport',
-$fn_banaction_allports = 'iptables-allports',
-$fn_action_ = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]',
-$fn_action_mw = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]',
+$fn_ignoreip = '127.0.0.1/8',
+$fn_ignorecommand = '',
+$fn_bantime = '600',
+$fn_findtime = '600',
+$fn_maxretry = '5',
+$fn_backend = 'auto',
+$fn_usedns = 'warn',
+$fn_logencoding = 'auto',
+$fn_enabled = 'false',
+$fn_filter = '%(__name__)s',
+$fn_destemail = 'root@localhost',
+$fn_sender = 'root@localhost',
+$fn_mta = 'sendmail',
+$fn_protocol = 'tcp',
+$fn_chain = 'INPUT',
+$fn_port = '0:65535',
+$fn_fail2ban_agent = 'Fail2Ban/%(fail2ban_version)s',
+$fn_banaction = 'iptables-multiport',
+$fn_banaction_allports = 'iptables-allports',
+$fn_action_ = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]',
+$fn_action_mw = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]',
+$fn_action_mwl = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]',
+$fn_action_xarf = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] xarf-login-attack[service=%(__name__)s, 
sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]',
+$fn_action_cf_mwl = 'cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]',
+$fn_action_blocklist_de = 'blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]',
+$fn_action_badips = 'badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]',
+$fn_action_badips_report = 'badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]',
+$fn_default_action = 'action_',
 ) {
diff --git a/templates/jail_local.erb b/templates/jail_local.erb
index 36893a2..c64f2f2 100644
--- a/templates/jail_local.erb
+++ b/templates/jail_local.erb
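Review bot: Two of the new `@param` tags in this hunk do not name their parameter correctly: `# @param [string] Report ban via badips.com, and use as blacklist` is missing `fn_action_badips`, and `# @param [string] fn_action_badips_report # Report ban via badips.com` carries a stray `#` before its description; they should read `# @param [string] fn_action_badips Report ban via badips.com, and use as blacklist` and `# @param [string] fn_action_badips_report Report ban via badips.com`. Separately, the new `$fn_action_cf_mwl` and `$fn_action_blocklist_de` defaults interpolate `%(cfemail)s`, `%(cfapikey)s` and `%(blocklist_de_apikey)s`, but no parameter in this class defines those keys, so fail2ban can only resolve them if they are supplied elsewhere (the removed jail_local.erb comment pointed at a `jail.d/blocklist_de.local` `[Init]` section for the blocklist.de key). Since these are API credentials, a comment on those two parameters should say where the keys are expected to come from, for example `# cfemail/cfapikey and blocklist_de_apikey are not managed here; supply them via a jail.d/*.local [Init] section`, so that nobody is tempted to hard-code them into the template defaults.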
@@ -8,73 +8,38 @@ [INCLUDES]
-before = paths-<%= @fn_jail_paths %>.conf
+before = paths-<%= @fn_jail_paths %>.conf
 [DEFAULT]
-ignoreip = <%= @fn_ignoreip %>
-ignorecommand = <%= @fn_ignorecommand %>
-bantime = <%= @fn_bantime %>
-findtime = <%= @fn_findtime %>
-maxretry = <%= @fn_maxretry %>
-backend = <%= @fn_backend %>
-usedns = <%= @fn_usedns %>
-logencoding = <%= @fn_logencoding %>
-enabled = <%= @fn_enabled %>
-filter = <%= @fn_enabled %>
-destemail = <%= @fn_destemail %>
-sender = <%= @fn_sender %>
-mta = <%= @fn_sender %>
-protocol = <%= @fn_protocol %>
-chain = <%= @fn_chain %>
-port = <%= @fn_port %>
-fail2ban_agent = <%= @fn_fail2ban_agent %>
-banaction = <%= @fn_banaction %>
-banaction_allports = <%= @fn_banaction_allports %>
+ignoreip = <%= @fn_ignoreip %>
+ignorecommand = <%= @fn_ignorecommand %>
+bantime = <%= @fn_bantime %>
+findtime = <%= @fn_findtime %>
+maxretry = <%= @fn_maxretry %>
+backend = <%= @fn_backend %>
+usedns = <%= @fn_usedns %>
+logencoding = <%= @fn_logencoding %>
+enabled = <%= @fn_enabled %>
+filter = <%= @fn_enabled %>
+destemail = <%= @fn_destemail %>
+sender = <%= @fn_sender %>
+mta = <%= @fn_sender %>
+protocol = <%= @fn_protocol %>
+chain = <%= @fn_chain %>
+port = <%= @fn_port %>
+fail2ban_agent = <%= @fn_fail2ban_agent %>
+banaction = <%= @fn_banaction %>
+banaction_allports = <%= @fn_banaction_allports %>
-action_ = <%= @fn_action_ %>
-action_mw = <%= @fn_action_mw %>
+# available actions
+action_ = <%= @fn_action_ %>
+action_mw = <%= @fn_action_mw %>
+action_mwl = <%= @fn_action_mwl %>
+action_xarf = <%= @fn_action_xarf %>
+action_cf_mwl = <%= @fn_action_cf_mwl %>
+action_blocklist_de = <%= @fn_action_blocklist_de %>
+action_badips = <%= @fn_action_badips %>
+action_badips_report = <%= @fn_action_badips_report %>
-# ban & send an e-mail with whois report and relevant log lines
-# to the destemail.
-action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
- %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
-
-# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
-#
-# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
-# to the destemail.
-action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
- xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]
-
-# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
-# to the destemail.
-action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
- %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
-
-# Report block via blocklist.de fail2ban reporting service API
-#
-# See the IMPORTANT note in action.d/blocklist_de.conf for when to
-# use this action. Create a file jail.d/blocklist_de.local containing
-# [Init]
-# blocklist_de_apikey = {api key from registration]
-#
-action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
-
-# Report ban via badips.com, and use as blacklist
-#
-# See BadIPsAction docstring in config/action.d/badips.py for
-# documentation for this action.
-#
-# NOTE: This action relies on banaction being present on start and therefore
-# should be last action defined for a jail.
-#
-action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
-#
-# Report ban via badips.com (uses action.d/badips.conf for reporting only)
-#
-action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
-
-# Choose default action. 
To change, just override value of 'action' with the
-# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
-# globally (section [DEFAULT]) or per specific section
-action = %(action_)s
+# Default action
+action = %(<%= @fn_default_action %>)s
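Review bot: Two of the re-added `[DEFAULT]` lines still wire the wrong variable: `filter = <%= @fn_enabled %>` should be `filter = <%= @fn_filter %>`, and `mta = <%= @fn_sender %>` should be `mta = <%= @fn_mta %>`. With the defaults in params.pp this renders `filter = false` and `mta = root@localhost`, so every jail inheriting from `[DEFAULT]` gets an unusable filter name and the `%(mta)s-whois` actions expand to a `root@localhost-whois` action that fail2ban does not ship. The hunk also drops the operational notes that `action_badips` relies on `banaction` and should be the last action defined for a jail, and that `blocklist_de_apikey` (and, presumably, `cfemail`/`cfapikey`) must be provided in a `jail.d/*.local` `[Init]` section rather than in this managed file; a two-line comment under `# available actions` carrying those two points would keep that knowledge with the template. Finally, `action = %(<%= @fn_default_action %>)s` only works when `$fn_default_action` names one of the `action_*` keys defined above, so a comment listing the accepted values, e.g. `# one of: action_, action_mw, action_mwl, action_xarf, action_cf_mwl, action_blocklist_de, action_badips, action_badips_report`, would make a typo easier to spot before fail2ban fails to interpolate it.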