diff --git a/doc/puppet_classes/confdroid_nagios_3A_3Amain_3A_3Aconfig.html b/doc/puppet_classes/confdroid_nagios_3A_3Amain_3A_3Aconfig.html
index 3d2bc44..450d728 100644
--- a/doc/puppet_classes/confdroid_nagios_3A_3Amain_3A_3Aconfig.html
+++ b/doc/puppet_classes/confdroid_nagios_3A_3Amain_3A_3Aconfig.html
@@ -111,7 +111,11 @@ 13 14 15 -16 +16 +17 +18 +19 +20
# File 'manifests/main/config.pp', line 6
@@ -126,6 +130,10 @@ class confdroid_nagios::main::config (
if $ng_enable_target == true {
include confdroid_nagios::client::target
}
+
+ if $ng_enable_fail2ban == true {
+ include confdroid_nagios::monitoring::fail2ban
+ }
}
# File 'manifests/monitoring/fail2ban.pp', line 6
@@ -114,6 +145,37 @@ class confdroid_nagios::monitoring::fail2ban (
) inherits confdroid_nagios::params {
# we want to create a nagios jail here
+ if ($ng_nagios_host == $fqdn) and ($ng_enable_fail2ban == true) {
+ require confdroid_fail2ban
+
+ # create the jail file
+ file { $fn_jail_file:
+ ensure => file,
+ user => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => etc_t,
+ seluser => system_u,
+ content => template('confdroid_nagios/fail2ban/jail.conf.erb'),
+ notify => Service['fail2ban'],
+ }
+
+ # create the filter rule
+ file { $fn_filter_file:
+ ensure => file,
+ user => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => etc_t,
+ seluser => system_u,
+ content => template('confdroid_nagios/fail2ban/filter.conf.erb'),
+ notify => Service['fail2ban'],
+ }
+ }
}
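Review bot: Both `file` resources in this hunk set `user => 'root'`, but Puppet's `file` type has no `user` attribute; ownership is set with `owner`, so as written the catalog should fail to compile and neither the jail file nor the filter file is managed. Change both lines to `owner => 'root',` in `manifests/monitoring/fail2ban.pp`, since this page is the generated rendering of that manifest. The condition also relies on the top-scope `$fqdn`, a legacy fact that newer Puppet releases no longer provide by default; `$facts['networking']['fqdn']` is the safer spelling. The class parameter list begins outside the hunk.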
The alias of the default service group. Default is ‘Linux Services’.
- - -Whether to enable fail2ban monitoring in Nagios. Default is false.
+The order number of jails in the jail.d directory. Default is ‘10’.
+Whether to enable the monitoring of a specific jail in Nagios. Default is ‘true’.
+The path to the nagios access log to monitor. Default is ‘/var/log/httpd/access.log’.
+The maximum number of retries before a host is considered banned in fail2ban. Default is ‘5’.
+The time in seconds that a host is banned in fail2ban. Default is ‘3600’.
+A comma-separated list of IP addresses to ignore in fail2ban. Default is ‘127.0.0.1/8 ::1 192.168.1.0/24’.
+-431 -432 -433 -434 -435 -436 -437 -438 -439 -440 -441 -442 -443 -444 445 446 447 @@ -4321,10 +4420,33 @@ inherited by all classes except defines. 763 764 765 -766+766 +767 +768 +769 +770 +771 +772 +773 +774 +775 +776 +777 +778 +779 +780 +781 +782 +783 +784 +785 +786 +787 +788 +789
# File 'manifests/params.pp', line 431
+ # File 'manifests/params.pp', line 445
class confdroid_nagios::params (
@@ -4569,13 +4691,16 @@ class confdroid_nagios::params (
Boolean $ng_enable_swap_check = true,
# fail2ban
- Boolean $ng_enable_fail2ban = false,
+ Boolean $ng_enable_fail2ban = false,
+ String $ng_jail_order = '10',
+ Boolean $ng_jail_enable = true,
#String $ng_fail2ban_jail = 'httpd',
- #String $ng_fail2ban_log = '/var/log/secure',
+ String $ng_fail2ban_logpath = '/var/log/httpd/access.log',
#String $ng_fail2ban_regex = 'sshd.*Failed password for',
- #String $ng_fail2ban_maxretry = '5',
+ String $ng_fail2ban_maxretry = '5',
#String $ng_fail2ban_findtime = '600',
- #String $ng_fail2ban_bantime = '3600',
+ String $ng_fail2ban_bantime = '3600',
+ String $ng_fail2ban_ignoreip = '127.0.0.1/8 ::1 192.168.1.0/24'
) {
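Review bot: The new default for `$ng_fail2ban_ignoreip` exempts the whole `192.168.1.0/24` range from banning on every node that does not override it, which quietly switches the jail off for any client in that range whether or not the site treats it as trusted. A default of `'127.0.0.1/8 ::1'` keeps loopback exempt and makes any wider exemption an explicit choice. The parameter description on this page calls the value comma-separated while the default is space-separated, so one of the two needs correcting. `$ng_fail2ban_maxretry` and `$ng_fail2ban_bantime` are plain `String`s that presumably reach the jail template unchanged; typing them as `Pattern[/\A\d+\z/]` (or `Integer`) would reject non-numeric data before it is written into the fail2ban configuration. The parameter list starts above the hunk.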
# Default facts
@@ -4659,6 +4784,12 @@ class confdroid_nagios::params (
$ng_svc_perfdata_file = "${ng_log_dir}/service-perfdata"
$ng_debug_file = "${ng_log_dir}/nagios.debug"
+# fail2ban
+ $fn_jail_path = '/etc/fail2ban/jail.d'
+ $fn_jail_file = "${fn_jail_path}/${ng_jail_order}-nagios.conf"
+ $fn_filter_path = '/etc/fail2ban/filter.d'
+ $fn_filter_file = "${fn_filter_path}/${ng_jail_order}-nagios.conf"
+
# includes must be last
include confdroid_nagios::main::config
}
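Review bot: `$ng_jail_order` is an unconstrained `String` that is interpolated into two root-owned paths here, so a value containing `/` or `..` would make the `file` resources write outside `jail.d` and `filter.d`; declaring it as `Pattern[/\A\d+\z/] $ng_jail_order = '10'` in the parameter list closes that. The filter is also written as `${ng_jail_order}-nagios.conf`, and fail2ban resolves a jail's `filter =` setting to the file name in `filter.d`, so the jail template (not visible here) would have to reference `10-nagios` rather than `nagios`. Naming the filter file `nagios.conf` avoids that coupling, since filters are looked up by name and not loaded in order. The class body starts outside the hunk.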