Puppet Class: cd_fail2ban::params

Summary

Class holds all parameters for the cd_fail2ban module and is inherited by all classes except defines.

Overview

cd_fail2ban::params.pp
Module name: cd_fail2ban
Author: Arne Teuke (arne_teuke@confdroid.com)
License: This file is part of cd_fail2ban.

cd_fail2ban is used for providing automatic configuration of Fail2Ban. Copyright (C) 2017 confdroid (copyright@confdroid.com). This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see www.gnu.org/licenses/.

Parameters:

  • pkg_ensure (string) (defaults to: 'latest')

    which package type to choose, i.e. latest or present.

  • reqpackages (array) (defaults to: ['fail2ban','fail2ban-firewalld', 'fail2ban-sendmail','fail2ban-server.noarch', 'whois'])

    the packages to install.

  • fn_manage_config (boolean) (defaults to: true)

    Whether to manage the fail2ban configuration files. If set to false, fail2ban will be installed, but the configuration will not be managed.

  • fn_enable_service (string) (defaults to: 'running')

    Whether to enable/start or disable/stop the fail2ban service. Valid options are running or stopped.

  • fn_loglevel (string) (defaults to: 'INFO')

    Set the log level output. Valid options are CRITICAL, ERROR, WARNING, NOTICE, INFO and DEBUG.

  • fn_logtarget (string) (defaults to: 'SYSLOG')

    Set the log target. This could be a file, SYSLOG, STDERR or STDOUT. Only one log target can be specified.

  • fn_syslogsocket (string) (defaults to: 'auto')

    Set the syslog socket file. Only used when logtarget is SYSLOG. auto uses platform.system() to determine predefined paths. Valid options: [ auto | FILE ].

  • fn_socket (string) (defaults to: '/var/run/fail2ban/fail2ban.sock')

    Set the socket file to communicate with the daemon.

  • fn_pidfile (string) (defaults to: '/var/run/fail2ban/fail2ban.pid')

    Set the PID file to store the process ID of the fail2ban server.

  • fn_dbfile (string) (defaults to: '/var/lib/fail2ban/fail2ban.sqlite3')

    File in which the fail2ban persistent data is stored. A value of “:memory:” means the database is only kept in memory and data is lost when fail2ban is stopped. A value of “None” disables the database.

  • fn_dbpurgeage (string) (defaults to: '86400')

    age in seconds at which bans should be purged from the database.

  • fn_ignoreip (string) (defaults to: '127.0.0.1/8')

    can be an IP address, a CIDR mask or a DNS host. Fail2ban will not ban a host which matches an address in this list. Several addresses can be defined using space (and/or comma) separator.

  • fn_ignorecommand (string) (defaults to: '')

    External command that takes a tagged argument to ignore, e.g. <ip>, and returns true if the IP is to be ignored, false otherwise.

  • fn_bantime (string) (defaults to: '600')

    number of seconds that a host is banned.

  • fn_findtime (string) (defaults to: '600')

    A host is banned if it has generated “maxretry” during the last “findtime” seconds.

  • fn_maxretry (string) (defaults to: '5')

    number of failures before a host gets banned.

  • fn_backend (string) (defaults to: 'auto')

    Specifies the backend used to get file modifications. Options are “pyinotify”, “gamin”, “polling”, “systemd” and “auto”.
    pyinotify: requires pyinotify (a file alteration monitor) to be installed. If pyinotify is not installed, Fail2ban will use auto.
    gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin is not installed, Fail2ban will use auto.
    polling: uses a polling algorithm which does not require external libraries.
    systemd: uses the systemd python library to access the systemd journal. Specifying “logpath” is not valid for this backend. See “journalmatch” in the jail's associated filter config.
    auto: will try to use the following backends, in order: pyinotify, gamin, polling.

  • fn_usedns (string) (defaults to: 'warn')

    Specifies if jails should trust hostnames in logs, warn when DNS lookups are performed, or ignore all hostnames in logs.
    yes: if a hostname is encountered, a DNS lookup will be performed.
    warn: if a hostname is encountered, a DNS lookup will be performed, but it will be logged as a warning.
    no: if a hostname is encountered, it will not be used for banning, but it will be logged as info.
    raw: use the raw value (no hostname) and allow its use for no-host filters/actions (for example a user name).

  • fn_logencoding (string) (defaults to: 'auto')

    Specifies the encoding of the log files handled by the jail. This is used to decode the lines from the log file. Typical examples: “ascii”, “utf-8”.
    auto: will use the system locale setting.

  • fn_enabled (boolean) (defaults to: false)

    Enables the jails. By default all jails are disabled, and it should stay this way. Enable only the jails relevant to your setup in your .local or jail.d/*.conf files.
    true: the jail will be enabled and its log files will be monitored for changes.
    false: the jail is not enabled.

  • fn_filter (string) (defaults to: '%(__name__)s')

    Defines the filter used by the jail. By default jails have names matching their filter name.

  • fn_destemail (string) (defaults to: 'root@localhost')

    Destination email address used solely for the interpolations in the jail.conf, jail.local and jail.d/* configuration files.

  • fn_sender (string) (defaults to: "fail2ban@${::fqdn}")

    Sender email address used solely for some actions.

  • fn_mta (string) (defaults to: 'sendmail')

    E-mail action. Since 0.8.1 Fail2Ban uses the sendmail MTA for mailing. Change the mta configuration parameter to mail if you want to revert to the conventional 'mail'.

  • fn_protocol (string) (defaults to: 'tcp')

    Default protocol.

  • fn_chain (string) (defaults to: 'INPUT')

    Specify chain where jumps would need to be added in iptables-* actions.

  • fn_port (string) (defaults to: '0:65535')

    Ports to be banned. Usually should be overridden in a particular jail.

  • fn_fail2ban_agent (string) (defaults to: 'Fail2Ban/%(fail2ban_version)s')

  • fn_banaction (string) (defaults to: 'iptables-multiport')

    Default banning action

  • fn_banaction_allports (string) (defaults to: 'iptables-allports')

    Default banning action

  • fn_action_ (string) (defaults to: '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]')

    ban only

  • fn_action_mw (string) (defaults to: '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]')

    ban & send an e-mail with whois report to the destemail.

  • fn_action_mwl (string) (defaults to: '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]')

    ban & send an e-mail with whois report and relevant log lines

  • fn_action_xarf (string) (defaults to: '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]')

    ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines.

  • fn_action_cf_mwl (string) (defaults to: 'cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"] %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]')

    ban IP on CloudFlare & send an e-mail with whois report and relevant log lines.

  • fn_action_blocklist_de (string) (defaults to: 'blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]')

    Report block via blocklist.de fail2ban reporting service API

  • fn_action_badips (string) (defaults to: 'badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]')

    string to be used in config files

  • fn_action_badips_report (string) (defaults to: 'badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]')

    Report ban via badips.com (uses action.d/badips.conf for reporting only).

  • fn_default_action (string) (defaults to: 'action_')

    Choose default action.

  • fn_extra_repo_url (string) (defaults to: 'http://repo.okay.com.mx/centos/latest/x86_64/release/okay-release-1-3.el8.noarch.rpm')

    Specify the URL for the extra repo for additional required packages, which are not in the regular repos.
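The jail thresholds fn_ignoreip, fn_bantime, fn_findtime and fn_maxretry above interact in a way the one-line descriptions only hint at: a host is banned for bantime seconds once it has produced maxretry failures inside a sliding findtime window, unless it is covered by ignoreip. The following Python sketch is added here and is not part of the cd_fail2ban module or of fail2ban itself; it replays constructed failure timestamps through the page's default values so the effect of each threshold is visible. The JailPolicy class, its method names and the sample events are assumptions of the example.

```python
import ipaddress
from collections import defaultdict, deque

def parse_ignoreip(value):
    """Split a fail2ban ignoreip value (space and/or comma separated) into networks."""
    return [ipaddress.ip_network(tok, strict=False) for tok in value.replace(",", " ").split()]

def is_ignored(ip, networks):
    """True if ip is inside any ignoreip network; such hosts are never banned."""
    return any(ipaddress.ip_address(ip) in net for net in networks)

class JailPolicy:
    """Model of one jail; defaults are the page's fn_findtime/fn_maxretry/fn_bantime/fn_ignoreip
    values taken as ints (seconds, and a count for maxretry) instead of the module's strings."""
    def __init__(self, findtime=600, maxretry=5, bantime=600, ignoreip="127.0.0.1/8"):
        self.findtime, self.maxretry, self.bantime = findtime, maxretry, bantime
        self.ignore = parse_ignoreip(ignoreip)
        self.failures = defaultdict(deque)  # ip -> failure timestamps inside the findtime window
        self.banned_until = {}              # ip -> time at which the ban expires

    def is_banned(self, ip, now):
        if now < self.banned_until.get(ip, now):  # unknown host: now < now is False
            return True
        self.banned_until.pop(ip, None)           # bantime elapsed: the host is unbanned
        return False

    def observe_failure(self, ip, ts):
        """Record one failed login at time ts; return True if it triggers a ban."""
        if is_ignored(ip, self.ignore) or self.is_banned(ip, ts):
            return False
        window = self.failures[ip]
        window.append(ts)
        while ts - window[0] > self.findtime:  # forget failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.banned_until[ip] = ts + self.bantime
            window.clear()
            return True
        return False

def replay(events, policy=None):
    """Feed chronologically ordered (ts, ip) failures; return the (ts, ip) bans issued."""
    policy = policy or JailPolicy()
    return [(ts, ip) for ts, ip in events if policy.observe_failure(ip, ts)]

# Constructed sample: 203.0.113.7 fails every 60 s (5th failure at t=240 bans it until t=840; t=300
# is ignored while banned, t=900 counts afresh); 198.51.100.9 never has 5 failures inside 600 s;
# 127.0.0.1 is exempt via ignoreip.
SAMPLE = sorted([(t, "203.0.113.7") for t in (0, 60, 120, 180, 240, 300, 900)]
                + [(t, "198.51.100.9") for t in (0, 200, 400, 600, 800, 1000)]
                + [(t, "127.0.0.1") for t in (0, 10, 20, 30, 40)])
```

replay(SAMPLE) yields a single ban, (240, '203.0.113.7'); the slow host stays under maxretry because its oldest failures fall out of the findtime window before the fifth one arrives.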



# File 'manifests/params.pp', line 124

class cd_fail2ban::params (

  # installation
  $pkg_ensure                 = 'latest',
  $reqpackages                = ['fail2ban','fail2ban-firewalld',
                                 'fail2ban-sendmail','fail2ban-server.noarch',
                                 'whois'],
  # urls
  $fn_extra_repo_url          = 'http://repo.okay.com.mx/centos/latest/x86_64/release/okay-release-1-3.el8.noarch.rpm',

  $fn_manage_config           = true,
  $fn_enable_service          = 'running',

  # fail2ban.conf/local
  $fn_loglevel                = 'INFO',
  $fn_logtarget               = 'SYSLOG',
  $fn_syslogsocket            = 'auto',
  $fn_socket                  = '/var/run/fail2ban/fail2ban.sock',
  $fn_pidfile                 = '/var/run/fail2ban/fail2ban.pid',
  $fn_dbfile                  = '/var/lib/fail2ban/fail2ban.sqlite3',
  $fn_dbpurgeage              = '86400',

  # jail.conf/local
  $fn_ignoreip                = '127.0.0.1/8',
  $fn_ignorecommand           = '',
  $fn_bantime                 = '600',
  $fn_findtime                = '600',
  $fn_maxretry                = '5',
  $fn_backend                 = 'auto',
  $fn_usedns                  = 'warn',
  $fn_logencoding             = 'auto',
  $fn_enabled                 = false,
  $fn_filter                  = '%(__name__)s',
  $fn_destemail               = 'root@localhost',
  $fn_sender                  = "fail2ban@${::fqdn}",
  $fn_mta                     = 'sendmail',
  $fn_protocol                = 'tcp',
  $fn_chain                   = 'INPUT',
  $fn_port                    = '0:65535',
  $fn_fail2ban_agent          = 'Fail2Ban/%(fail2ban_version)s',
  $fn_banaction               = 'iptables-multiport',
  $fn_banaction_allports      = 'iptables-allports',
  # the multi-line action strings keep their embedded newline and indentation:
  # fail2ban reads the indented second line as an INI continuation line
  $fn_action_                 = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]',
  $fn_action_mw               = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                        %(mta)s-whois[name=%(__name__)s,  sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]',
  $fn_action_mwl              = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                        %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]',
  $fn_action_xarf             = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
                        xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]',
  $fn_action_cf_mwl           = 'cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
                        %(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]',
  $fn_action_blocklist_de     = 'blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]',
  $fn_action_badips           = 'badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]',
  $fn_action_badips_report    = 'badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]',
  $fn_default_action          = 'action_',

) {

  # operating-system key for the jail path definitions; only Red Hat-like systems
  # are mapped, and a selector without a default fails compilation on any other OS
  $fn_jail_paths    = $::operatingsystem ? {
    /(?i-mx:centos|fedora|redhat)/ => 'fedora',
  }

  # shortcuts
  $fn_os                  = $::operatingsystem

  # service
  $fn_service             = 'fail2ban'

  # directories
  $fn_main_dir            = '/etc/fail2ban'
  $fn_action_d_dir        = "${fn_main_dir}/action.d"
  $fn_fail2ban_d_dir      = "${fn_main_dir}/fail2ban.d"
  $fn_filter_d_dir        = "${fn_main_dir}/filter.d"
  $fn_jail_d_dir          = "${fn_main_dir}/jail.d"
  $fn_var_lib_dir         = '/var/lib/fail2ban'
  $fn_var_run_dir         = '/var/run/fail2ban'

  # files
  $fn_fail2ban_conf_file  = "${fn_main_dir}/fail2ban.conf"
  $fn_fail2ban_conf_erb   = 'cd_fail2ban/fail2ban_conf.erb'
  $fn_fail2ban_local_file = "${fn_main_dir}/fail2ban.local"
  $fn_fail2ban_local_erb  = 'cd_fail2ban/fail2ban_local.erb'
  $fn_jail_conf_file      = "${fn_main_dir}/jail.conf"
  $fn_jail_conf_erb       = 'cd_fail2ban/jail_conf.erb'
  $fn_jail_local_file     = "${fn_main_dir}/jail.local"
  $fn_jail_local_erb      = 'cd_fail2ban/jail_local.erb'
  $fn_paths_common_file   = "${fn_main_dir}/paths-common.conf"
  $fn_paths_common_erb    = 'cd_fail2ban/paths_common_conf.erb'

  # includes must be last
  include cd_fail2ban::main::config

}