218 lines
11 KiB
Puppet
218 lines
11 KiB
Puppet
## cd_fail2ban::params.pp
|
|
# Module name: cd_fail2ban
|
|
# Author: Arne Teuke (arne_teuke@confdroid.com)
|
|
# License:
|
|
# This file is part of cd_fail2ban.
|
|
#
|
|
# cd_fail2ban is used for providing automatic configuration of Fail2Ban
|
|
# Copyright (C) 2017 confdroid (copyright@confdroid.com)
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
# @summary Class holds all parameters for the cd_fail2ban module and is
|
|
# inherited by all classes except defines.
|
|
# @param [string] pkg_ensure
|
|
# which [package type](https://confdroid.com/2017/05/puppet-type-package/)
|
|
# to choose, i.e. `latest` or `present`.
|
|
# @param [array] reqpackages the packages to install.
|
|
# @param [boolean] fn_manage_config Whether to manage the fail2ban
|
|
# configuration files. If set to false, fail2ban will be installed, but the
|
|
# configuration will not be managed.
|
|
# @param [string] fn_enable_service Whether to enable/start or disable/stop
|
|
# the fail2ban service. Valid options are `running` or `stopped`.
|
|
# @param [string] fn_loglevel Set the log level output. Valid options are
|
|
# `CRITICAL`,`ERROR`,`WARNING`,`NOTICE`,`INFO` and `DEBUG`.
|
|
# @param [string] fn_logtarget Set the log target. This could be a file,
|
|
# SYSLOG, STDERR or STDOUT. Only one log target can be specified.
|
|
# @param [string] fn_syslogsocket Set the syslog socket file. Only used when
|
|
# logtarget is SYSLOG. auto uses platform.system() to determine predefined
|
|
# paths Valid options: [ auto | FILE ].
|
|
# @param [string] fn_socket Set the socket file to communicate with the daemon.
|
|
# @param [string] fn_pidfile Set the PID file to store the process ID of the
|
|
# fail2ban server.
|
|
# @param [string] fn_dbfile file for the fail2ban persistent data to be stored.
|
|
# A value of ":memory:" means database is only stored in memory
|
|
# and data is lost when fail2ban is stopped.
|
|
# A value of "None" disables the database.
|
|
# @param [string] fn_dbpurgeage age in seconds at which bans should be purged
|
|
# from the database.
|
|
# @param [string] fn_ignoreip can be an IP address, a CIDR mask or a DNS host.
|
|
# Fail2ban will not ban a host which matches an address in this list. Several
|
|
# addresses can be defined using space (and/or comma) separator.
|
|
# @param [string] fn_ignorecommand External command that will take an
|
|
# tagged arguments to ignore, e.g. <ip>,and return true if the IP is to be
|
|
# ignored. False otherwise.
|
|
# @param [string] fn_bantime number of seconds that a host is banned.
|
|
# @param [string] fn_findtime A host is banned if it has generated "maxretry"
|
|
# during the last "findtime" seconds.
|
|
# @param [string] fn_maxretry number of failures before a host get banned.
|
|
# @param [string] fn_backend specifies the backend used to get files
|
|
# modification. options are "pyinotify", "gamin", "polling", "systemd" and
|
|
# "auto".
|
|
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
|
|
# If pyinotify is not installed, Fail2ban will use auto.
|
|
# gamin: requires Gamin (a file alteration monitor) to be installed.
|
|
# If Gamin is not installed, Fail2ban will use auto.
|
|
# polling: uses a polling algorithm which does not require external libraries.
|
|
# systemd: uses systemd python library to access the systemd journal.
|
|
# Specifying "logpath" is not valid for this backend.
|
|
# See "journalmatch" in the jails associated filter config
|
|
# auto: will try to use the following backends, in order:
|
|
# pyinotify, gamin, polling.
|
|
# @param [string] fn_usedns specifies if jails should trust hostnames in logs,
|
|
# warn when DNS lookups are performed, or ignore all hostnames in logs
|
|
# yes: if a hostname is encountered, a DNS lookup will be performed.
|
|
# warn: if a hostname is encountered, a DNS lookup will be performed,
|
|
# but it will be logged as a warning.
|
|
# no: if a hostname is encountered, will not be used for banning,
|
|
# but it will be logged as info.
|
|
# raw: use raw value (no hostname), allow use it for no-host filters/actions
|
|
# (example user)
|
|
# @param [string] fn_logencoding specifies the encoding of the log files
|
|
# handled by the jail This is used to decode the lines from the log file.
|
|
# Typical examples: "ascii", "utf-8"
|
|
# auto: will use the system locale setting
|
|
# @param [boolean] fn_enabled enables the jails.
|
|
# By default all jails are disabled, and it should stay this way.
|
|
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
|
|
# true: jail will be enabled and log files will get monitored for changes
|
|
# false: jail is not enabled
|
|
# @param [string] fn_filter defines the filter to use by the jail.
|
|
# By default jails have names matching their filter name
|
|
# @param [string] fn_destemail Destination email address used solely for the
|
|
# interpolations in jail.{conf,local,d/*} configuration files.
|
|
# @param [string] fn_sender Sender email address used solely for some actions
|
|
# @param [string] fn_mta E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA
|
|
# for the mailing. Change mta configuration parameter to mail if you want to
|
|
# revert to conventional 'mail'.
|
|
# @param [string] fn_protocol Default protocol.
|
|
# @param [string] fn_chain Specify chain where jumps would need to be added in
|
|
# iptables-* actions.
|
|
# @param [string] fn_port # Ports to be banned Usually should be overridden
|
|
# in a particular jail
|
|
# @param [string] fn_fail2ban_agent Format of user-agent
|
|
# https://tools.ietf.org/html/rfc7231#section-5.5.3
|
|
# @param [string] fn_banaction Default banning action
|
|
# @param [string] fn_banaction_allports Default banning action
|
|
# @param [string] fn_action_ ban only
|
|
# @param [string] fn_action_mw ban & send an e-mail with whois report to the
|
|
# destemail.
|
|
# @param [string] fn_action_mwl ban & send an e-mail with whois report and
|
|
# relevant log lines
|
|
# @param [string] fn_action_xarf ban & send a xarf e-mail to abuse contact of
|
|
# IP address and include relevant log lines.
|
|
# @param [string] fn_action_cf_mwl ban IP on CloudFlare & send an e-mail with
|
|
# whois report and relevant log lines.
|
|
# @param [string] fn_action_blocklist_de Report block via blocklist.de fail2ban
|
|
# reporting service API
|
|
# @param [string] Report ban via badips.com, and use as blacklist
|
|
# @param [string] fn_action_badips_report # Report ban via badips.com
|
|
# (uses action.d/badips.conf for reporting only).
|
|
# @param [string] fn_default_action Choose default action.
|
|
###############################################################################
|
|
class cd_fail2ban::params (
|
|
|
|
# installation
|
|
$pkg_ensure = 'latest',
|
|
$reqpackages = ['fail2ban','fail2ban-firewalld',
|
|
'fail2ban-sendmail','fail2ban-server.noarch',
|
|
'whois'],
|
|
# urls
|
|
$fn_extra_repo_url = 'http://repo.okay.com.mx/centos/8/x86_64/release/okay-release-1-1.noarch.rpm',
|
|
|
|
$fn_manage_config = true,
|
|
$fn_enable_service = 'running',
|
|
|
|
# fail2ban.conf/local
|
|
|
|
$fn_loglevel = 'INFO',
|
|
$fn_logtarget = 'SYSLOG',
|
|
$fn_syslogsocket = 'auto',
|
|
$fn_socket = '/var/run/fail2ban/fail2ban.sock',
|
|
$fn_pidfile = '/var/run/fail2ban/fail2ban.pid',
|
|
$fn_dbfile = '/var/lib/fail2ban/fail2ban.sqlite3',
|
|
$fn_dbpurgeage = '86400',
|
|
|
|
# jail.conf/local
|
|
$fn_ignoreip = '127.0.0.1/8',
|
|
$fn_ignorecommand = '',
|
|
$fn_bantime = '600',
|
|
$fn_findtime = '600',
|
|
$fn_maxretry = '5',
|
|
$fn_backend = 'auto',
|
|
$fn_usedns = 'warn',
|
|
$fn_logencoding = 'auto',
|
|
$fn_enabled = false,
|
|
$fn_filter = '%(__name__)s',
|
|
$fn_destemail = 'root@localhost',
|
|
$fn_sender = "fail2ban@${::fqdn}",
|
|
$fn_mta = 'sendmail',
|
|
$fn_protocol = 'tcp',
|
|
$fn_chain = 'INPUT',
|
|
$fn_port = '0:65535',
|
|
$fn_fail2ban_agent = 'Fail2Ban/%(fail2ban_version)s',
|
|
$fn_banaction = 'iptables-multiport',
|
|
$fn_banaction_allports = 'iptables-allports',
|
|
$fn_action_ = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]',
|
|
$fn_action_mw = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
|
%(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]',
|
|
$fn_action_mwl = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
|
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]',
|
|
$fn_action_xarf = '%(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
|
|
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]',
|
|
$fn_action_cf_mwl = 'cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
|
|
%(mta)s-whois-lines[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]',
|
|
$fn_action_blocklist_de = 'blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]',
|
|
$fn_action_badips = 'badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]',
|
|
$fn_action_badips_report = 'badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]',
|
|
$fn_default_action = 'action_',
|
|
|
|
|
|
) {
|
|
|
|
$fn_jail_paths = $::operatingsystem ? {
|
|
/(?i-mx:centos|fedora|redhat)/ => 'fedora',
|
|
}
|
|
|
|
# shortcuts
|
|
$fn_os = $::operatingsystem
|
|
|
|
# service
|
|
$fn_service = 'fail2ban'
|
|
|
|
# directories
|
|
$fn_main_dir = '/etc/fail2ban'
|
|
$fn_action_d_dir = "${fn_main_dir}/action.d"
|
|
$fn_fail2ban_d_dir = "${fn_main_dir}/fail2ban.d"
|
|
$fn_filter_d_dir = "${fn_main_dir}/filter.d"
|
|
$fn_jail_d_dir = "${fn_main_dir}/jail.d"
|
|
$fn_var_lib_dir = '/var/lib/fail2ban'
|
|
$fn_var_run_dir = '/var/run/fail2ban'
|
|
|
|
# files
|
|
$fn_fail2ban_conf_file = "${fn_main_dir}/fail2ban.conf"
|
|
$fn_fail2ban_conf_erb = 'cd_fail2ban/fail2ban_conf.erb'
|
|
$fn_fail2ban_local_file = "${fn_main_dir}/fail2ban.local"
|
|
$fn_fail2ban_local_erb = 'cd_fail2ban/fail2ban_local.erb'
|
|
$fn_jail_conf_file = "${fn_main_dir}/jail.conf"
|
|
$fn_jail_conf_erb = 'cd_fail2ban/jail_conf.erb'
|
|
$fn_jail_local_file = "${fn_main_dir}/jail.local"
|
|
$fn_jail_local_erb = 'cd_fail2ban/jail_local.erb'
|
|
$fn_paths_common_file = "${fn_main_dir}/paths-common.conf"
|
|
$fn_paths_common_erb = 'cd_fail2ban/paths_common_conf.erb'
|
|
|
|
# includes must be last
|
|
|
|
include cd_fail2ban::main::config
|
|
|
|
}
|