From a3bab5f482dfe85f2a2ba3ba492df6d5cdd82a72 Mon Sep 17 00:00:00 2001
From: 12ww1160 <12ww1160@confdroid.com>
Date: Thu, 12 Mar 2026 14:15:13 +0100
Subject: [PATCH] OP#490 add jail

---
 manifests/main/config.pp | 4 +
 manifests/monitoring/fail2ban.pp | 31 +++++++
 manifests/params.pp | 31 ++++++-
 templates/fail2ban/filter.conf.erb | 8 ++
 templates/fail2ban/jail.conf.erb | 13 +++
 templates/httpd/forward_conf.erb | 96 --------------------
 templates/httpd/index_html.erb | 0
 templates/httpd/nagios_ssl_vhost.erb | 126 ---------------------------
 8 files changed, 83 insertions(+), 226 deletions(-)
 create mode 100644 templates/fail2ban/filter.conf.erb
 create mode 100644 templates/fail2ban/jail.conf.erb
 delete mode 100644 templates/httpd/forward_conf.erb
 delete mode 100644 templates/httpd/index_html.erb
 delete mode 100644 templates/httpd/nagios_ssl_vhost.erb

diff --git a/manifests/main/config.pp b/manifests/main/config.pp
index 469dd78..c1dc8df 100644
--- a/manifests/main/config.pp
+++ b/manifests/main/config.pp
@@ -13,4 +13,8 @@ class confdroid_nagios::main::config (
 if $ng_enable_target == true {
 include confdroid_nagios::client::target
 }
+
+ if $ng_enable_fail2ban == true {
+ include confdroid_nagios::monitoring::fail2ban
+ }
 }
diff --git a/manifests/monitoring/fail2ban.pp b/manifests/monitoring/fail2ban.pp
index 79c45b5..e77f235 100644
--- a/manifests/monitoring/fail2ban.pp
+++ b/manifests/monitoring/fail2ban.pp
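Review bot: The new guard `if $ng_enable_fail2ban == true {` is the only thing that includes `confdroid_nagios::monitoring::fail2ban`, yet that class (added in this same commit) tests `$ng_enable_fail2ban == true` a second time before declaring anything, so one of the two checks is redundant and the inner one should go so that the on/off decision lives in one place. `$ng_enable_fail2ban` is declared `Boolean` in params, so `if $ng_enable_fail2ban {` is sufficient, although the existing `$ng_enable_target` line uses the same comparison and matching it is defensible. The class `confdroid_nagios::main::config` starts above the hunk, so whether the variable reaches this scope as a parameter or by inheritance is not visible here.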
@@ -7,4 +7,35 @@ class confdroid_nagios::monitoring::fail2ban (
 ) inherits confdroid_nagios::params {
 # we want to create a nagios jail here
+ if ($ng_nagios_host == $fqdn) and ($ng_enable_fail2ban == true) {
+ require confdroid_fail2ban
+
+ # create the jail file
+ file { $fn_jail_file:
+ ensure => file,
+ user => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => etc_t,
+ seluser => system_u,
+ content => template('confdroid_nagios/fail2ban/jail.conf.erb'),
+ notify => Service['fail2ban'],
+ }
+
+ # create the filter rule
+ file { $fn_filter_file:
+ ensure => file,
+ user => 'root',
+ group => 'root',
+ mode => '0644',
+ selrange => s0,
+ selrole => object_r,
+ seltype => etc_t,
+ seluser => system_u,
+ content => template('confdroid_nagios/fail2ban/filter.conf.erb'),
+ notify => Service['fail2ban'],
+ }
+ }
 }
diff --git a/manifests/params.pp b/manifests/params.pp
index ff6ce8a..df3c486 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
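Review bot: Both `file` resources set `user => 'root'`, but Puppet's `file` type has no `user` attribute (ownership is expressed with `owner`), so the catalog fails to compile with an invalid-parameter error the moment `$ng_enable_fail2ban` is true on the Nagios host; change the line to `owner => 'root',` in both resources. The SELinux values `s0`, `object_r`, `etc_t` and `system_u` are unquoted barewords; quoting them (`seltype => 'etc_t',`) is the puppet-lint-clean form and avoids a parse surprise if a future value is not a legal bareword. `$fqdn` is a legacy top-scope fact and `$facts['networking']['fqdn']` is the supported spelling for the host comparison. The class declaration starts above the hunk, so only its parameter list and body are visible here.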
@@ -427,6 +427,20 @@
 # Default is 'linux-services'.
 # @param [String] ng_servicegroup_alias The alias of the default service group.
 # Default is 'Linux Services'.
+# @param [Boolean] ng_enable_fail2ban Whether to enable fail2ban monitoring in
+# Nagios. Default is false.
+# @param [String] ng_jail_order The order number of jails in the jail.d directory.
+# Default is '10'.
+# @param [String] ng_jail_enable Whether to enable the monitoring of a specific
+# jail in Nagios. Default is 'true'.
+# @param [String] ng_fail2ban_logpath The path to the nagios access log to
+# monitor. Default is '/var/log/httpd/access.log'.
+# @param [String] ng_fail2ban_maxretry The maximum number of retries before a
+# host is considered banned in fail2ban. Default is '5'.
+# @param [String] ng_fail2ban_bantime The time in seconds that a host is banned
+# in fail2ban. Default is '3600'.
+# @param [String] ng_fail2ban_ignoreip A comma-separated list of IP addresses
+# to ignore in fail2ban. Default is '127.0.0.1/8 ::1 192.168.1.0/24'.
 ################################################################################
 class confdroid_nagios::params (
@@ -671,13 +685,16 @@ class confdroid_nagios::params (
 Boolean $ng_enable_swap_check = true,
 # fail2ban
- Boolean $ng_enable_fail2ban = false,
+ Boolean $ng_enable_fail2ban = false,
+ String $ng_jail_order = '10',
+ Boolean $ng_jail_enable = true,
 #String $ng_fail2ban_jail = 'httpd',
- #String $ng_fail2ban_log = '/var/log/secure',
+ String $ng_fail2ban_logpath = '/var/log/httpd/access.log',
 #String $ng_fail2ban_regex = 'sshd.*Failed password for',
- #String $ng_fail2ban_maxretry = '5',
+ String $ng_fail2ban_maxretry = '5',
 #String $ng_fail2ban_findtime = '600',
- #String $ng_fail2ban_bantime = '3600',
+ String $ng_fail2ban_bantime = '3600',
+ String $ng_fail2ban_ignoreip = '127.0.0.1/8 ::1 192.168.1.0/24'
 ) {
 # Default facts
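Review bot: The new doc line `# @param [String] ng_jail_enable ... Default is 'true'.` contradicts the declaration in the next hunk, `Boolean $ng_jail_enable = true,`; it should read `# @param [Boolean] ng_jail_enable Whether the nagios jail is enabled in fail2ban. Default is true.`, since the value is rendered into the jail's `enabled =` line rather than controlling any Nagios monitoring. `ng_fail2ban_ignoreip` is described as comma-separated while its default `'127.0.0.1/8 ::1 192.168.1.0/24'` is space-separated, so the comment should say `space-separated` to match the form operators are expected to supply. The descriptions of `ng_enable_fail2ban` ("fail2ban monitoring in Nagios") and `ng_fail2ban_logpath` likewise describe a jail that bans clients failing Nagios HTTP authentication, not monitoring of fail2ban, and the wording should say so.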
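Review bot: The default `String $ng_fail2ban_ignoreip = '127.0.0.1/8 ::1 192.168.1.0/24'` bakes a site-specific LAN range into the module, so on every deployment that does not override it every client in 192.168.1.0/24 is permanently exempt from the ban; keep the module default to loopback, `String $ng_fail2ban_ignoreip = '127.0.0.1/8 ::1',` and let the site range come from Hiera. `ng_fail2ban_maxretry` and `ng_fail2ban_bantime` are declared `String` although both are numeric; `Integer $ng_fail2ban_maxretry = 5,` and `Integer $ng_fail2ban_bantime = 3600,` would let Puppet reject a malformed value at compile time and ERB renders them identically. `#String $ng_fail2ban_findtime = '600',` stays commented out, so the jail falls back to fail2ban's global window; if the 600 s intent is real it should become a parameter like the others and be rendered into the jail template.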
@@ -761,6 +778,12 @@ class confdroid_nagios::params (
 $ng_svc_perfdata_file = "${ng_log_dir}/service-perfdata"
 $ng_debug_file = "${ng_log_dir}/nagios.debug"
+# fail2ban
+ $fn_jail_path = '/etc/fail2ban/jail.d'
+ $fn_jail_file = "${fn_jail_path}/${ng_jail_order}-nagios.conf"
+ $fn_filter_path = '/etc/fail2ban/filter.d'
+ $fn_filter_file = "${fn_filter_path}/${ng_jail_order}-nagios.conf"
+
 # includes must be last
 include confdroid_nagios::main::config
 }
diff --git a/templates/fail2ban/filter.conf.erb b/templates/fail2ban/filter.conf.erb
new file mode 100644
index 0000000..697b033
--- /dev/null
+++ b/templates/fail2ban/filter.conf.erb
@@ -0,0 +1,8 @@
+###############################################################################
+########## parameterized nagios filter created by Puppet ##########
+########## manual changes will be overwritten !!! ##########
+###############################################################################
+
+[Definition]
+failregex = ^ - \S+ \[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\] "(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/\d\.\d" 401
+ignoreregex =
\ No newline at end of file
diff --git a/templates/fail2ban/jail.conf.erb b/templates/fail2ban/jail.conf.erb
new file mode 100644
index 0000000..b321004
--- /dev/null
+++ b/templates/fail2ban/jail.conf.erb
@@ -0,0 +1,13 @@
+###############################################################################
+########## parameterized nagios jail created by Puppet ##########
+########## manual changes will be overwritten !!! ##########
+###############################################################################
+
+[nagios-auth]
+enabled = <%= @ng_jail_enable %>
+port = http,https
+filter = nagios-auth
+logpath = <%= @ng_fail2ban_logpath %>
+maxretry = <%= @ng_fail2ban_maxretry %>
+bantime = <%= @ng_fail2ban_bantime %>
+ignoreip = <%= @ng_fail2ban_ignoreip %>
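Review bot: `$fn_filter_file = "${fn_filter_path}/${ng_jail_order}-nagios.conf"` writes the filter to `/etc/fail2ban/filter.d/10-nagios.conf`, but the jail template in this same commit declares `filter = nagios-auth`, which fail2ban resolves to `filter.d/nagios-auth.conf`; with the file under the ordered name the jail fails to load for want of its filter, so the whole protection is silently absent. The order prefix only has meaning for `jail.d`, so the line should be `$fn_filter_file = "${fn_filter_path}/nagios-auth.conf"` (or the jail's `filter =` line must name the ordered file). `$fn_jail_file` is fine as written.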
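Review bot: As rendered here `failregex` begins `^ - \S+ \[`, which contains no `<HOST>` group and can only match a line starting with a space and a dash; fail2ban rejects a failregex without a host group, and an Apache access-log line starts with the client address, so the pattern should begin `^<HOST> - \S+ \[`. The tag may simply have been stripped by this page's rendering (the deleted vhost templates lost their `<VirtualHost>` and `<IfVersion>` tags the same way), in which case only the remaining points apply. Several fail2ban versions cut the detected timestamp out of the line before applying failregex, so spelling the `\[\d{2}/\w{3}/\d{4}:...\]` date literally may prevent a match; the stock access-log filters use `^<HOST> -.*"(GET|POST...` without the date, and the pattern should be verified with `fail2ban-regex` against a real 401 line from the target log before the jail is enabled. `ignoreregex =` lacks a trailing newline, which is worth fixing so later appends do not fuse onto that line.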
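Review bot: `logpath = <%= @ng_fail2ban_logpath %>` defaults to `/var/log/httpd/access.log`, while the vhost template this commit deletes wrote `CustomLog /var/log/httpd/<%= @ng_webserver_name %>-access_log common`; if the live vhost still logs under the per-name path the jail watches a file that never exists and fail2ban will not start it. Which log the current vhost writes is not visible here, so the default should be checked against it, or derived from `$ng_webserver_name` in params so the two cannot drift apart. A short comment above `logpath` stating that it must point at the access log of the vhost serving `/nagios` would help the next operator.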
diff --git a/templates/httpd/forward_conf.erb b/templates/httpd/forward_conf.erb
deleted file mode 100644
index db5ffc6..0000000
--- a/templates/httpd/forward_conf.erb
+++ /dev/null
@@ -1,96 +0,0 @@ -> - ServerAdmin root@localhost - DocumentRoot /var/www/html - ServerName www.<%= @ng_webserver_name %>/nagios - ServerAlias <%= @ng_webserver_name %> -<% if @ng_use_https == true -%> - Redirect permanent / https://<%= @ng_webserver_name %>/ -<% end -%> -<% if @ng_use_https != true -%> - -ScriptAlias /nagios/cgi-bin/ "/usr/lib64/nagios/cgi-bin/" - - -<% if @ng_use_https == true -%> - SSLRequireSSL -<% else -%> -# SSLRequireSSL -<% end -%> - Options ExecCGI - AllowOverride None - = 2.3> - - Require all granted -<% unless @ng_required_hosts.empty? -%> - Require host <%= @ng_required_hosts %> -<% end -%> -<% unless @ng_required_ips.empty? -%> - Require ip <%= @ng_required_ips %> -<% end -%> - AuthName "Nagios Access" - AuthType Basic - AuthUserFile /etc/nagios/passwd - Require valid-user - - - - Order allow,deny -<% unless @ng_required_hosts.empty? -%> - Allow from <%= @ng_required_hosts %> -<% end -%> -<% unless @ng_required_ips.empty? -%> - Allow from <%= @ng_required_ips %> -<% end -%> - AuthName "Nagios Access" - AuthType Basic - AuthUserFile /etc/nagios/passwd - Require valid-user - - - -Alias /nagios "/usr/share/nagios/html" - - -<% if @ng_use_https == true -%> - SSLRequireSSL -<% else -%> -# SSLRequireSSL -<% end -%> - Options None - AllowOverride None - = 2.3> - - Require all granted -<% unless @ng_required_hosts.empty? -%> - Require host <%= @ng_required_hosts %> -<% end -%> -<% unless @ng_required_ips.empty? -%> - Require ip <%= @ng_required_ips %> -<% end -%> - AuthName "Nagios Access" - AuthType Basic - AuthUserFile /etc/nagios/passwd - Require valid-user - - - - Order allow,deny -<% unless @ng_required_hosts.empty? -%> - Allow from <%= @ng_required_hosts %> -<% end -%> -<% unless @ng_required_ips.empty? 
-%> - Allow from <%= @ng_required_ips %> -<% end -%> - AuthName "Nagios Access" - AuthType Basic - AuthUserFile /etc/nagios/passwd - Require valid-user - - -<% end -%> - - AllowOverride All - - ErrorLog /var/log/httpd/<%= @ng_webserver_name %>-error_log - CustomLog /var/log/httpd/<%= @ng_webserver_name %>-access_log common - diff --git a/templates/httpd/index_html.erb b/templates/httpd/index_html.erb deleted file mode 100644 index e69de29..0000000 diff --git a/templates/httpd/nagios_ssl_vhost.erb b/templates/httpd/nagios_ssl_vhost.erb deleted file mode 100644 index 9adab84..0000000 --- a/templates/httpd/nagios_ssl_vhost.erb +++ /dev/null 
@@ -1,126 +0,0 @@ -############################################################################### -##### virtual_host file created by puppet, changes will be overwritten ###### -############################################################################### - -> - - ServerAdmin root@localhost - DocumentRoot /var/www/html - ServerName <%= @ng_webserver_name %> - ServerAlias <%= @ng_webserver_name %> - ErrorLog /var/log/httpd/nagios_ssl_error_log -# ErrorLog syslog:local1 - TransferLog /var/log/httpd/nagios_ssl_transfer_log - LogLevel warn - - SSLEngine on - SSLProtocol all -SSLv2 -SSLv3 - SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4" - -<% if @ng_enable_certbot == true -%> - SSLCertificateFile <%= @ng_certbot_live %>/<%= @ng_webserver_name %>/cert.pem - SSLCertificateKeyFile <%= @ng_certbot_live %>/<%= @ng_webserver_name %>/privkey.pem - SSLCACertificateFile <%= @ng_certbot_live %>/<%= @ng_webserver_name %>/fullchain.pem -<% elsif @ng_enable_certbot != true -%> - SSLCertificateFile /etc/pki/tls/certs/localhost.crt - SSLCertificateKeyFile /etc/pki/tls/private/localhost.key - #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt -<% end -%> - - SSLOptions +StdEnvVars - - - SSLOptions +StdEnvVars - - -ScriptAlias /nagios/cgi-bin/ "/usr/lib64/nagios/cgi-bin/" - - -<% if @ng_use_https == true -%> - SSLRequireSSL -<% else -%> -# SSLRequireSSL -<% end -%> - Options ExecCGI - AllowOverride None - = 2.3> - - Require all granted -<% unless @ng_required_hosts.empty? -%> - Require host <%= @ng_required_hosts %> -<% end -%> -<% unless @source_range.empty? -%> - Require ip <%= @source_range %> -<% end -%> - AuthName "Nagios Access" - AuthType Basic - AuthUserFile /etc/nagios/passwd - Require valid-user - - - - Order allow,deny -<% unless @ng_required_hosts.empty? 
-%> - Allow from <%= @ng_required_hosts %> -<% end -%> -<% unless @source_range.empty? -%> - Allow from <%= @source_range %> -<% end -%> - AuthName "Nagios Access" - AuthType Basic - AuthUserFile /etc/nagios/passwd - Require valid-user - - - -Alias /nagios "/usr/share/nagios/html" - - -<% if @ng_use_https == true -%> - SSLRequireSSL -<% else -%> -# SSLRequireSSL -<% end -%> - Options None - AllowOverride None - = 2.3> - - Require all granted -<% unless @ng_required_hosts.empty? -%> - Require host <%= @ng_required_hosts %> -<% end -%> -<% unless @source_range.empty? -%> - Require ip <%= @source_range %> -<% end -%> - AuthName "Nagios Access" - AuthType Basic - AuthUserFile /etc/nagios/passwd - Require valid-user - - - - Order allow,deny -<% unless @ng_required_hosts.empty? -%> - Allow from <%= @ng_required_hosts %> -<% end -%> -<% unless @source_range.empty? -%> - Allow from <%= @source_range %> -<% end -%> - AuthName "Nagios Access" - AuthType Basic - AuthUserFile /etc/nagios/passwd - Require valid-user - - - -RedirectMatch ^/$ https://<%= @ng_webserver_name %>/nagios - - SetEnvIf User-Agent ".*MSIE.*" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 - - - CustomLog logs/ssl_request_log \ - "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" - -