OP#490 add jail

This commit is contained in:
2026-03-12 14:15:13 +01:00
parent eba740c4df
commit a3bab5f482
8 changed files with 83 additions and 226 deletions


@@ -13,4 +13,8 @@ class confdroid_nagios::main::config (
if $ng_enable_target == true { if $ng_enable_target == true {
include confdroid_nagios::client::target include confdroid_nagios::client::target
} }
if $ng_enable_fail2ban == true {
include confdroid_nagios::monitoring::fail2ban
}
} }


@@ -7,4 +7,35 @@ class confdroid_nagios::monitoring::fail2ban (
) inherits confdroid_nagios::params { ) inherits confdroid_nagios::params {
# we want to create a nagios jail here # we want to create a nagios jail here
if ($ng_nagios_host == $fqdn) and ($ng_enable_fail2ban == true) {
require confdroid_fail2ban
# create the jail file
file { $fn_jail_file:
ensure => file,
user => 'root',
group => 'root',
mode => '0644',
selrange => s0,
selrole => object_r,
seltype => etc_t,
seluser => system_u,
content => template('confdroid_nagios/fail2ban/jail.conf.erb'),
notify => Service['fail2ban'],
}
# create the filter rule
file { $fn_filter_file:
ensure => file,
user => 'root',
group => 'root',
mode => '0644',
selrange => s0,
selrole => object_r,
seltype => etc_t,
seluser => system_u,
content => template('confdroid_nagios/fail2ban/filter.conf.erb'),
notify => Service['fail2ban'],
}
}
} }
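Review bot: `user => 'root'` on both new file resources is not an attribute of Puppet's `file` type — ownership is set with `owner` — and an unknown parameter is a catalog compilation error, so this class fails on the nagios host as soon as `$ng_enable_fail2ban` is true; change both occurrences to `owner => 'root',`. The `notify => Service['fail2ban']` edges presume that `confdroid_fail2ban` declares a `Service['fail2ban']` resource, which is not visible in this diff; if it does not, the catalog fails on an unresolved reference, so confirm it or guard the relationship. The outer `if` re-tests `$ng_enable_fail2ban == true` although `main/config` only includes this class when that already holds; harmless, but the `$ng_nagios_host == $fqdn` comparison is the check that actually does work here.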


@@ -427,6 +427,20 @@
# Default is 'linux-services'. # Default is 'linux-services'.
# @param [String] ng_servicegroup_alias The alias of the default service group. # @param [String] ng_servicegroup_alias The alias of the default service group.
# Default is 'Linux Services'. # Default is 'Linux Services'.
# @param [Boolean] ng_enable_fail2ban Whether to enable fail2ban monitoring in
# Nagios. Default is false.
# @param [String] ng_jail_order The order number of jails in the jail.d directory.
# Default is '10'.
# @param [String] ng_jail_enable Whether to enable the monitoring of a specific
# jail in Nagios. Default is 'true'.
# @param [String] ng_fail2ban_logpath The path to the nagios access log to
# monitor. Default is '/var/log/httpd/access.log'.
# @param [String] ng_fail2ban_maxretry The maximum number of retries before a
# host is considered banned in fail2ban. Default is '5'.
# @param [String] ng_fail2ban_bantime The time in seconds that a host is banned
# in fail2ban. Default is '3600'.
# @param [String] ng_fail2ban_ignoreip A comma-separated list of IP addresses
# to ignore in fail2ban. Default is '127.0.0.1/8 ::1 192.168.1.0/24'.
################################################################################ ################################################################################
class confdroid_nagios::params ( class confdroid_nagios::params (
@@ -672,12 +686,15 @@ class confdroid_nagios::params (
# fail2ban # fail2ban
Boolean $ng_enable_fail2ban = false, Boolean $ng_enable_fail2ban = false,
String $ng_jail_order = '10',
Boolean $ng_jail_enable = true,
#String $ng_fail2ban_jail = 'httpd', #String $ng_fail2ban_jail = 'httpd',
#String $ng_fail2ban_log = '/var/log/secure', String $ng_fail2ban_logpath = '/var/log/httpd/access.log',
#String $ng_fail2ban_regex = 'sshd.*Failed password for', #String $ng_fail2ban_regex = 'sshd.*Failed password for',
#String $ng_fail2ban_maxretry = '5', String $ng_fail2ban_maxretry = '5',
#String $ng_fail2ban_findtime = '600', #String $ng_fail2ban_findtime = '600',
#String $ng_fail2ban_bantime = '3600', String $ng_fail2ban_bantime = '3600',
String $ng_fail2ban_ignoreip = '127.0.0.1/8 ::1 192.168.1.0/24'
) { ) {
# Default facts # Default facts
@@ -761,6 +778,12 @@ class confdroid_nagios::params (
$ng_svc_perfdata_file = "${ng_log_dir}/service-perfdata" $ng_svc_perfdata_file = "${ng_log_dir}/service-perfdata"
$ng_debug_file = "${ng_log_dir}/nagios.debug" $ng_debug_file = "${ng_log_dir}/nagios.debug"
# fail2ban
$fn_jail_path = '/etc/fail2ban/jail.d'
$fn_jail_file = "${fn_jail_path}/${ng_jail_order}-nagios.conf"
$fn_filter_path = '/etc/fail2ban/filter.d'
$fn_filter_file = "${fn_filter_path}/${ng_jail_order}-nagios.conf"
# includes must be last # includes must be last
include confdroid_nagios::main::config include confdroid_nagios::main::config
} }
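Review bot: `$fn_filter_file` in the last hunk places the filter at `filter.d/${ng_jail_order}-nagios.conf`, but the new jail template declares `filter = nagios-auth`, which fail2ban resolves to `filter.d/nagios-auth.conf`; unless that file exists for some other reason the jail fails to load and nothing is ever banned, so the filter path should drop the order prefix, e.g. `$fn_filter_file = "${fn_filter_path}/nagios-auth.conf"`. In the first hunk the doc block types `ng_jail_enable` as `[String]` while the parameter in the second hunk is `Boolean $ng_jail_enable = true`; the line should read `# @param [Boolean] ng_jail_enable Whether to enable the monitoring of a specific`. The same block describes `ng_fail2ban_ignoreip` as "comma-separated" although the default value is space-separated, which is the form fail2ban's `ignoreip` documents; the doc should say "space-separated". That default also exempts `192.168.1.0/24` from banning for every consumer of this module, a site-specific choice that belongs in a profile or hiera layer rather than a module default, or at least needs to be spelled out in the parameter doc.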


@@ -0,0 +1,8 @@
###############################################################################
########## parameterized nagios filter created by Puppet ##########
########## manual changes will be overwritten !!! ##########
###############################################################################
[Definition]
failregex = ^<HOST> - \S+ \[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\] "(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/\d\.\d" 401
ignoreregex =
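Review bot: The failregex spells out the access-log timestamp (`\[\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}\]`), but in the fail2ban versions I know the date detector locates that timestamp and excises it from the line before failregex is applied, which is why the stock Apache access-log filters match `^<HOST> -.*"` with no date at all; if that holds for the target version, this pattern never matches and the jail silently protects nothing. Verify with `fail2ban-regex` against a real log line and, if it fails, use `failregex = ^<HOST> - \S+ .*"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/\d\.\d" 401`. The request path is matched by `\S+`, so a 401 on any path of the vhost counts toward the ban, not only the Nagios CGI and HTML locations; anchoring the path on `/nagios` keeps the jail scoped to what this module manages. The default `logpath` in params is `/var/log/httpd/access.log`, whereas the vhost templates removed in this commit wrote to `<%= @ng_webserver_name %>-access_log` and `nagios_ssl_transfer_log`; whichever vhost configuration replaces them must emit a log in this format at that path, otherwise the filter has nothing to read.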


@@ -0,0 +1,13 @@
###############################################################################
########## parameterized nagios jail created by Puppet ##########
########## manual changes will be overwritten !!! ##########
###############################################################################
[nagios-auth]
enabled = <%= @ng_jail_enable %>
port = http,https
filter = nagios-auth
logpath = <%= @ng_fail2ban_logpath %>
maxretry = <%= @ng_fail2ban_maxretry %>
bantime = <%= @ng_fail2ban_bantime %>
ignoreip = <%= @ng_fail2ban_ignoreip %>


@@ -1,96 +0,0 @@
<VirtualHost *:<%= @ng_http_port %>>
ServerAdmin root@localhost
DocumentRoot /var/www/html
ServerName www.<%= @ng_webserver_name %>/nagios
ServerAlias <%= @ng_webserver_name %>
<% if @ng_use_https == true -%>
Redirect permanent / https://<%= @ng_webserver_name %>/
<% end -%>
<% if @ng_use_https != true -%>
ScriptAlias /nagios/cgi-bin/ "/usr/lib64/nagios/cgi-bin/"
<Directory "/usr/lib64/nagios/cgi-bin/">
<% if @ng_use_https == true -%>
SSLRequireSSL
<% else -%>
# SSLRequireSSL
<% end -%>
Options ExecCGI
AllowOverride None
<IfVersion >= 2.3>
<RequireAll>
Require all granted
<% unless @ng_required_hosts.empty? -%>
Require host <%= @ng_required_hosts %>
<% end -%>
<% unless @ng_required_ips.empty? -%>
Require ip <%= @ng_required_ips %>
<% end -%>
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/passwd
Require valid-user
</RequireAll>
</IfVersion>
<IfVersion < 2.3>
Order allow,deny
<% unless @ng_required_hosts.empty? -%>
Allow from <%= @ng_required_hosts %>
<% end -%>
<% unless @ng_required_ips.empty? -%>
Allow from <%= @ng_required_ips %>
<% end -%>
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/passwd
Require valid-user
</IfVersion>
</Directory>
Alias /nagios "/usr/share/nagios/html"
<Directory "/usr/share/nagios/html">
<% if @ng_use_https == true -%>
SSLRequireSSL
<% else -%>
# SSLRequireSSL
<% end -%>
Options None
AllowOverride None
<IfVersion >= 2.3>
<RequireAll>
Require all granted
<% unless @ng_required_hosts.empty? -%>
Require host <%= @ng_required_hosts %>
<% end -%>
<% unless @ng_required_ips.empty? -%>
Require ip <%= @ng_required_ips %>
<% end -%>
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/passwd
Require valid-user
</RequireAll>
</IfVersion>
<IfVersion < 2.3>
Order allow,deny
<% unless @ng_required_hosts.empty? -%>
Allow from <%= @ng_required_hosts %>
<% end -%>
<% unless @ng_required_ips.empty? -%>
Allow from <%= @ng_required_ips %>
<% end -%>
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/passwd
Require valid-user
</IfVersion>
</Directory>
<% end -%>
<Directory />
AllowOverride All
</Directory>
ErrorLog /var/log/httpd/<%= @ng_webserver_name %>-error_log
CustomLog /var/log/httpd/<%= @ng_webserver_name %>-access_log common
</VirtualHost>


@@ -1,126 +0,0 @@
###############################################################################
##### virtual_host file created by puppet, changes will be overwritten ######
###############################################################################
<VirtualHost *:<%= @ng_https_port %>>
ServerAdmin root@localhost
DocumentRoot /var/www/html
ServerName <%= @ng_webserver_name %>
ServerAlias <%= @ng_webserver_name %>
ErrorLog /var/log/httpd/nagios_ssl_error_log
# ErrorLog syslog:local1
TransferLog /var/log/httpd/nagios_ssl_transfer_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
<% if @ng_enable_certbot == true -%>
SSLCertificateFile <%= @ng_certbot_live %>/<%= @ng_webserver_name %>/cert.pem
SSLCertificateKeyFile <%= @ng_certbot_live %>/<%= @ng_webserver_name %>/privkey.pem
SSLCACertificateFile <%= @ng_certbot_live %>/<%= @ng_webserver_name %>/fullchain.pem
<% elsif @ng_enable_certbot != true -%>
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
<% end -%>
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
ScriptAlias /nagios/cgi-bin/ "/usr/lib64/nagios/cgi-bin/"
<Directory "/usr/lib64/nagios/cgi-bin/">
<% if @ng_use_https == true -%>
SSLRequireSSL
<% else -%>
# SSLRequireSSL
<% end -%>
Options ExecCGI
AllowOverride None
<IfVersion >= 2.3>
<RequireAll>
Require all granted
<% unless @ng_required_hosts.empty? -%>
Require host <%= @ng_required_hosts %>
<% end -%>
<% unless @source_range.empty? -%>
Require ip <%= @source_range %>
<% end -%>
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/passwd
Require valid-user
</RequireAll>
</IfVersion>
<IfVersion < 2.3>
Order allow,deny
<% unless @ng_required_hosts.empty? -%>
Allow from <%= @ng_required_hosts %>
<% end -%>
<% unless @source_range.empty? -%>
Allow from <%= @source_range %>
<% end -%>
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/passwd
Require valid-user
</IfVersion>
</Directory>
Alias /nagios "/usr/share/nagios/html"
<Directory "/usr/share/nagios/html">
<% if @ng_use_https == true -%>
SSLRequireSSL
<% else -%>
# SSLRequireSSL
<% end -%>
Options None
AllowOverride None
<IfVersion >= 2.3>
<RequireAll>
Require all granted
<% unless @ng_required_hosts.empty? -%>
Require host <%= @ng_required_hosts %>
<% end -%>
<% unless @source_range.empty? -%>
Require ip <%= @source_range %>
<% end -%>
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/passwd
Require valid-user
</RequireAll>
</IfVersion>
<IfVersion < 2.3>
Order allow,deny
<% unless @ng_required_hosts.empty? -%>
Allow from <%= @ng_required_hosts %>
<% end -%>
<% unless @source_range.empty? -%>
Allow from <%= @source_range %>
<% end -%>
AuthName "Nagios Access"
AuthType Basic
AuthUserFile /etc/nagios/passwd
Require valid-user
</IfVersion>
</Directory>
RedirectMatch ^/$ https://<%= @ng_webserver_name %>/nagios
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>