├── .fixtures.yml
├── .github
└── workflows
│ └── ci.yml
├── .gitignore
├── .rspec
├── .rubocop.yml
├── Gemfile
├── LICENSE
├── README.md
├── REFERENCE.md
├── Rakefile
├── data
├── RedHat.yaml
└── common.yaml
├── examples
└── init.pp
├── files
├── debian
│ ├── action_d_iptables-common.conf
│ ├── paths-common.conf
│ └── paths-debian.conf
└── jail.header
├── hiera.yaml
├── manifests
├── action.pp
├── config.pp
├── filter.pp
├── init.pp
├── install.pp
├── jail.pp
└── service.pp
├── metadata.json
├── renovate.json
├── spec
├── classes
│ └── init_spec.rb
└── spec_helper.rb
├── templates
├── action.epp
├── debian
│ └── jail.conf.epp
├── fail2ban.conf.epp
├── filter.epp
├── jail.epp
└── rhel
│ └── jail.conf.epp
└── types
├── autoorflag.pp
├── backend.pp
├── bantime_extra.pp
├── dbfile.pp
├── loglevel.pp
├── logtarget.pp
├── port.pp
├── protocol.pp
├── syslogsocket.pp
├── time.pp
└── usedns.pp
/.fixtures.yml:
--------------------------------------------------------------------------------
---
# Fixtures for the spec run: the module under test is provided through a
# symlink to its own source directory, and stdlib is fetched from the Forge.
fixtures:
  symlinks:
    fail2ban: '#{source_dir}'
  forge_modules:
    stdlib:
      repo: 'puppetlabs/stdlib'
      # Exact version pin keeps fixture installs reproducible across runs.
      ref: '8.6.0'
--------------------------------------------------------------------------------
/.github/workflows/ci.yml:
--------------------------------------------------------------------------------
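---
name: CI

# `on` is a YAML 1.1 boolean key; GitHub's loader handles it, so only the
# linter needs silencing here.
on: [push, pull_request]  # yamllint disable-line rule:truthy

# Least privilege for GITHUB_TOKEN: every job below only checks out the
# repository and runs rake tasks, so a read-only token is sufficient. Without
# this block the token falls back to the repository-wide default scope.
permissions:
  contents: read

jobs:
  # Lints the module and derives the unit-test matrix consumed by `unit`.
  setup_matrix:
    name: 'Setup Test Matrix'
    runs-on: ubuntu-latest
    outputs:
      # NOTE(review): puppet_major_versions is exported but no job in this
      # file consumes it; only puppet_unit_test_matrix is used below.
      puppet_major_versions: ${{ steps.get-outputs.outputs.puppet_major_versions }}
      puppet_unit_test_matrix: ${{ steps.get-outputs.outputs.puppet_unit_test_matrix }}
    env:
      BUNDLE_WITHOUT: development:release
    steps:
      # NOTE(review): actions are referenced by floating major tags
      # (@v4 / @v1); pinning to a full commit SHA would make the supply
      # chain of this workflow immutable.
      - uses: actions/checkout@v4
      - name: Setup ruby
        uses: ruby/setup-ruby@v1
        with:
          # Quoted so the version is read as the string "2.7", not a float.
          ruby-version: '2.7'
          bundler-cache: true
      - name: Validate syntax of all puppet files
        run: bundle exec rake validate
      - name: Validate ruby syntax and codestyle
        run: bundle exec rake rubocop
      - name: Check puppet code style
        run: bundle exec rake lint
      # metadata2gha (puppet_metadata gem, see Gemfile) emits the matrix JSON
      # that the `unit` job expands with fromJson.
      - name: Setup Test Matrix
        id: get-outputs
        run: bundle exec metadata2gha --pidfile-workaround false

  # One unit-test run per (puppet, ruby) pair produced by setup_matrix.
  unit:
    needs: setup_matrix
    runs-on: ubuntu-latest
    strategy:
      # Keep every matrix entry running so one failing Puppet version does
      # not hide results for the others.
      fail-fast: false
      matrix:
        include: ${{fromJson(needs.setup_matrix.outputs.puppet_unit_test_matrix)}}
    env:
      BUNDLE_WITHOUT: docs
      # Read by the Gemfile to constrain the puppet gem for this matrix entry.
      PUPPET_VERSION: "~> ${{ matrix.puppet }}.0"
    name: Puppet ${{ matrix.puppet }} (Ruby ${{ matrix.ruby }})
    steps:
      - uses: actions/checkout@v4
      - name: Setup ruby
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: ${{ matrix.ruby }}
          bundler-cache: true
      - name: Run tests
        run: bundle exec rake spec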
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Bundler state and local tooling scratch space
.bundle
.vagrant

# Build output and generated documentation
/pkg
spec/fixtures
/doc

# Gemfile.lock is deliberately not committed: gem versions are resolved at
# bundle-install time (per CI matrix entry) rather than pinned in the repo.
Gemfile.lock
/.yardoc
.librarian
.tmp

# Acceptance-test module checkouts
/tests/Puppetfile.lock
/tests/modules/**
/vendor
--------------------------------------------------------------------------------
/.rspec:
--------------------------------------------------------------------------------
1 | --color
2 | --format documentation
3 |
--------------------------------------------------------------------------------
/.rubocop.yml:
--------------------------------------------------------------------------------
---
# RuboCop configuration for this module (Ruby code under spec/ and any
# helpers). Cops with a Description carry the reasoning for their setting.
require: rubocop-rspec

AllCops:
  DisplayCopNames: true
  # Quoted so the version stays a string rather than a float.
  TargetRubyVersion: '2.7'
  NewCops: enable
  # Generated, vendored and fixture trees are not our code to lint.
  Exclude:
    - bin/*
    - ".vendor/**/*"
    - pkg/**/*
    - spec/fixtures/**/*
    - tests/modules/**/*
    - vendor/**/*

# --- Layout -----------------------------------------------------------------

Layout/EmptyLinesAroundAttributeAccessor:
  Enabled: true

Layout/LineLength:
  Description: People have wide screens, use them.
  Max: 200

Layout/SpaceAroundMethodCallOperator:
  Enabled: true

# --- Lint -------------------------------------------------------------------

Lint/BinaryOperatorWithIdenticalOperands:
  Enabled: true

Lint/DeprecatedOpenSSLConstant:
  Enabled: true

Lint/DuplicateElsifCondition:
  Enabled: true

Lint/DuplicateRescueException:
  Enabled: true

Lint/EmptyConditionalBody:
  Enabled: true

Lint/FloatComparison:
  Enabled: true

Lint/MissingSuper:
  Enabled: true

Lint/MixedRegexpCaptureTypes:
  Enabled: true

Lint/OutOfRangeRegexpRef:
  Enabled: true

Lint/RaiseException:
  Enabled: true

Lint/SelfAssignment:
  Enabled: true

Lint/StructNewOverride:
  Enabled: true

Lint/TopLevelReturnWithArgument:
  Enabled: true

Lint/UnreachableLoop:
  Enabled: true

# --- RSpec ------------------------------------------------------------------

RSpec/BeforeAfterAll:
  Description: >-
    Beware of using after(:all) as it may cause state to leak between tests.
    A necessary evil in acceptance testing.
  Exclude:
    - spec/acceptance/**/*.rb

RSpec/HookArgument:
  Description: Prefer explicit :each argument, matching existing module's style
  EnforcedStyle: each

# --- Style (with rationale) -------------------------------------------------

Style/BlockDelimiters:
  Description: >-
    Prefer braces for chaining. Mostly an aesthetical choice. Better to
    be consistent then.
  EnforcedStyle: braces_for_chaining

Style/ClassAndModuleChildren:
  Description: Compact style reduces the required amount of indentation.
  EnforcedStyle: compact

Style/EmptyElse:
  Description: Enforce against empty else clauses, but allow `nil` for clarity.
  EnforcedStyle: empty

Style/FormatString:
  Description: Following the main puppet project's style, prefer the % format format.
  EnforcedStyle: percent

Style/FormatStringToken:
  Description: >-
    Following the main puppet project's style, prefer the simpler template
    tokens over annotated ones.
  EnforcedStyle: template

Style/FrozenStringLiteralComment:
  Enabled: false

Style/Lambda:
  Description: Prefer the keyword for easier discoverability.
  EnforcedStyle: literal

Style/RegexpLiteral:
  Description: Community preference. See https://github.com/voxpupuli/modulesync_config/issues/168
  EnforcedStyle: percent_r

Style/TernaryParentheses:
  Description: >-
    Checks for use of parentheses around ternary conditions. Enforce parentheses
    on complex expressions for better readability, but seriously consider breaking
    it up.
  EnforcedStyle: require_parentheses_when_complex

Style/TrailingCommaInArguments:
  Description: >-
    Prefer always trailing comma on multiline argument lists. This makes
    diffs, and re-ordering nicer.
  EnforcedStyleForMultiline: comma

Style/TrailingCommaInArrayLiteral:
  Description: >-
    Prefer always trailing comma on multiline literals. This makes diffs,
    and re-ordering nicer.
  EnforcedStyleForMultiline: comma

Style/TrailingCommaInHashLiteral:
  Description: >-
    Prefer always trailing comma on multiline literals. This makes diffs,
    and re-ordering nicer.
  EnforcedStyleForMultiline: comma

Style/SymbolArray:
  Description: Using percent style obscures symbolic intent of array's contents.
  EnforcedStyle: brackets

RSpec/MessageSpies:
  EnforcedStyle: receive

Style/CollectionMethods:
  Enabled: true

Style/MethodCalledOnDoEndBlock:
  Enabled: true

Style/StringMethods:
  Enabled: true

# --- Disabled cops ----------------------------------------------------------

Layout/EndOfLine:
  Enabled: false

Metrics/AbcSize:
  Enabled: false

Metrics/BlockLength:
  Enabled: false

Metrics/ClassLength:
  Enabled: false

Metrics/CyclomaticComplexity:
  Enabled: false

Metrics/MethodLength:
  Enabled: false

Metrics/ModuleLength:
  Enabled: false

Metrics/ParameterLists:
  Enabled: false

Metrics/PerceivedComplexity:
  Enabled: false

RSpec/DescribeClass:
  Enabled: false

RSpec/ExampleLength:
  Enabled: false

RSpec/MessageExpectation:
  Enabled: false

RSpec/MultipleExpectations:
  Enabled: false

RSpec/NestedGroups:
  Enabled: false

# --- Explicitly enabled newer Style cops ------------------------------------

Style/AccessorGrouping:
  Enabled: true

Style/ArrayCoercion:
  Enabled: true

Style/AsciiComments:
  Enabled: false

Style/BisectedAttrAccessor:
  Enabled: true

Style/CaseLikeIf:
  Enabled: true

Style/ExplicitBlockArgument:
  Enabled: true

Style/ExponentialNotation:
  Enabled: true

Style/GlobalStdStream:
  Enabled: true

Style/HashAsLastArrayItem:
  Enabled: true

Style/HashEachMethods:
  Enabled: true

Style/HashLikeCase:
  Enabled: true

Style/HashTransformKeys:
  Enabled: true

Style/HashTransformValues:
  Enabled: true

Style/IfUnlessModifier:
  Enabled: true

Style/OptionalBooleanParameter:
  Enabled: true

Style/RedundantAssignment:
  Enabled: true

Style/RedundantFetchBlock:
  Enabled: true

Style/RedundantFileExtensionInRequire:
  Enabled: true

Style/RedundantRegexpCharacterClass:
  Enabled: true

Style/RedundantRegexpEscape:
  Enabled: true

Style/SingleArgumentDig:
  Enabled: true

Style/SlicingWithRange:
  Enabled: true

Style/StringConcatenation:
  Enabled: true

Style/SymbolProc:
  Enabled: false
--------------------------------------------------------------------------------
/Gemfile:
--------------------------------------------------------------------------------
# Gem dependencies for developing and testing this Puppet module.
source 'https://rubygems.org'

# PUPPET_VERSION is set per matrix entry by the CI workflow (e.g. "~> 7.0");
# when it is absent any Puppet >= 6.0 satisfies the constraint.
puppetversion = if ENV.key?('PUPPET_VERSION')
                  ENV['PUPPET_VERSION'].to_s
                else
                  ['>= 6.0']
                end

gem 'facter', '>= 2.4.0'
gem 'puppet', puppetversion
gem 'rake'

# Test-only gems; skipped in CI via BUNDLE_WITHOUT where not needed.
group :tests do
  gem 'metadata-json-lint'
  # Use info from metadata.json for tests
  gem 'puppetlabs_spec_helper'
  gem 'puppet-lint', '>= 2.3.0'
  gem 'puppet_metadata'
  gem 'puppet-syntax'
  gem 'rspec-puppet', '>= 2.4.0'
  # This draws in rubocop and other useful gems for puppet tests
  gem 'voxpupuli-test'
end

# Documentation tooling, excluded from the unit-test job (BUNDLE_WITHOUT: docs).
group :docs do
  gem 'puppet-strings'
end
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU GENERAL PUBLIC LICENSE
2 | Version 3, 29 June 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 | Preamble
9 |
10 | The GNU General Public License is a free, copyleft license for
11 | software and other kinds of works.
12 |
13 | The licenses for most software and other practical works are designed
14 | to take away your freedom to share and change the works. By contrast,
15 | the GNU General Public License is intended to guarantee your freedom to
16 | share and change all versions of a program--to make sure it remains free
17 | software for all its users. We, the Free Software Foundation, use the
18 | GNU General Public License for most of our software; it applies also to
19 | any other work released this way by its authors. You can apply it to
20 | your programs, too.
21 |
22 | When we speak of free software, we are referring to freedom, not
23 | price. Our General Public Licenses are designed to make sure that you
24 | have the freedom to distribute copies of free software (and charge for
25 | them if you wish), that you receive source code or can get it if you
26 | want it, that you can change the software or use pieces of it in new
27 | free programs, and that you know you can do these things.
28 |
29 | To protect your rights, we need to prevent others from denying you
30 | these rights or asking you to surrender the rights. Therefore, you have
31 | certain responsibilities if you distribute copies of the software, or if
32 | you modify it: responsibilities to respect the freedom of others.
33 |
34 | For example, if you distribute copies of such a program, whether
35 | gratis or for a fee, you must pass on to the recipients the same
36 | freedoms that you received. You must make sure that they, too, receive
37 | or can get the source code. And you must show them these terms so they
38 | know their rights.
39 |
40 | Developers that use the GNU GPL protect your rights with two steps:
41 | (1) assert copyright on the software, and (2) offer you this License
42 | giving you legal permission to copy, distribute and/or modify it.
43 |
44 | For the developers' and authors' protection, the GPL clearly explains
45 | that there is no warranty for this free software. For both users' and
46 | authors' sake, the GPL requires that modified versions be marked as
47 | changed, so that their problems will not be attributed erroneously to
48 | authors of previous versions.
49 |
50 | Some devices are designed to deny users access to install or run
51 | modified versions of the software inside them, although the manufacturer
52 | can do so. This is fundamentally incompatible with the aim of
53 | protecting users' freedom to change the software. The systematic
54 | pattern of such abuse occurs in the area of products for individuals to
55 | use, which is precisely where it is most unacceptable. Therefore, we
56 | have designed this version of the GPL to prohibit the practice for those
57 | products. If such problems arise substantially in other domains, we
58 | stand ready to extend this provision to those domains in future versions
59 | of the GPL, as needed to protect the freedom of users.
60 |
61 | Finally, every program is threatened constantly by software patents.
62 | States should not allow patents to restrict development and use of
63 | software on general-purpose computers, but in those that do, we wish to
64 | avoid the special danger that patents applied to a free program could
65 | make it effectively proprietary. To prevent this, the GPL assures that
66 | patents cannot be used to render the program non-free.
67 |
68 | The precise terms and conditions for copying, distribution and
69 | modification follow.
70 |
71 | TERMS AND CONDITIONS
72 |
73 | 0. Definitions.
74 |
75 | "This License" refers to version 3 of the GNU General Public License.
76 |
77 | "Copyright" also means copyright-like laws that apply to other kinds of
78 | works, such as semiconductor masks.
79 |
80 | "The Program" refers to any copyrightable work licensed under this
81 | License. Each licensee is addressed as "you". "Licensees" and
82 | "recipients" may be individuals or organizations.
83 |
84 | To "modify" a work means to copy from or adapt all or part of the work
85 | in a fashion requiring copyright permission, other than the making of an
86 | exact copy. The resulting work is called a "modified version" of the
87 | earlier work or a work "based on" the earlier work.
88 |
89 | A "covered work" means either the unmodified Program or a work based
90 | on the Program.
91 |
92 | To "propagate" a work means to do anything with it that, without
93 | permission, would make you directly or secondarily liable for
94 | infringement under applicable copyright law, except executing it on a
95 | computer or modifying a private copy. Propagation includes copying,
96 | distribution (with or without modification), making available to the
97 | public, and in some countries other activities as well.
98 |
99 | To "convey" a work means any kind of propagation that enables other
100 | parties to make or receive copies. Mere interaction with a user through
101 | a computer network, with no transfer of a copy, is not conveying.
102 |
103 | An interactive user interface displays "Appropriate Legal Notices"
104 | to the extent that it includes a convenient and prominently visible
105 | feature that (1) displays an appropriate copyright notice, and (2)
106 | tells the user that there is no warranty for the work (except to the
107 | extent that warranties are provided), that licensees may convey the
108 | work under this License, and how to view a copy of this License. If
109 | the interface presents a list of user commands or options, such as a
110 | menu, a prominent item in the list meets this criterion.
111 |
112 | 1. Source Code.
113 |
114 | The "source code" for a work means the preferred form of the work
115 | for making modifications to it. "Object code" means any non-source
116 | form of a work.
117 |
118 | A "Standard Interface" means an interface that either is an official
119 | standard defined by a recognized standards body, or, in the case of
120 | interfaces specified for a particular programming language, one that
121 | is widely used among developers working in that language.
122 |
123 | The "System Libraries" of an executable work include anything, other
124 | than the work as a whole, that (a) is included in the normal form of
125 | packaging a Major Component, but which is not part of that Major
126 | Component, and (b) serves only to enable use of the work with that
127 | Major Component, or to implement a Standard Interface for which an
128 | implementation is available to the public in source code form. A
129 | "Major Component", in this context, means a major essential component
130 | (kernel, window system, and so on) of the specific operating system
131 | (if any) on which the executable work runs, or a compiler used to
132 | produce the work, or an object code interpreter used to run it.
133 |
134 | The "Corresponding Source" for a work in object code form means all
135 | the source code needed to generate, install, and (for an executable
136 | work) run the object code and to modify the work, including scripts to
137 | control those activities. However, it does not include the work's
138 | System Libraries, or general-purpose tools or generally available free
139 | programs which are used unmodified in performing those activities but
140 | which are not part of the work. For example, Corresponding Source
141 | includes interface definition files associated with source files for
142 | the work, and the source code for shared libraries and dynamically
143 | linked subprograms that the work is specifically designed to require,
144 | such as by intimate data communication or control flow between those
145 | subprograms and other parts of the work.
146 |
147 | The Corresponding Source need not include anything that users
148 | can regenerate automatically from other parts of the Corresponding
149 | Source.
150 |
151 | The Corresponding Source for a work in source code form is that
152 | same work.
153 |
154 | 2. Basic Permissions.
155 |
156 | All rights granted under this License are granted for the term of
157 | copyright on the Program, and are irrevocable provided the stated
158 | conditions are met. This License explicitly affirms your unlimited
159 | permission to run the unmodified Program. The output from running a
160 | covered work is covered by this License only if the output, given its
161 | content, constitutes a covered work. This License acknowledges your
162 | rights of fair use or other equivalent, as provided by copyright law.
163 |
164 | You may make, run and propagate covered works that you do not
165 | convey, without conditions so long as your license otherwise remains
166 | in force. You may convey covered works to others for the sole purpose
167 | of having them make modifications exclusively for you, or provide you
168 | with facilities for running those works, provided that you comply with
169 | the terms of this License in conveying all material for which you do
170 | not control copyright. Those thus making or running the covered works
171 | for you must do so exclusively on your behalf, under your direction
172 | and control, on terms that prohibit them from making any copies of
173 | your copyrighted material outside their relationship with you.
174 |
175 | Conveying under any other circumstances is permitted solely under
176 | the conditions stated below. Sublicensing is not allowed; section 10
177 | makes it unnecessary.
178 |
179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
180 |
181 | No covered work shall be deemed part of an effective technological
182 | measure under any applicable law fulfilling obligations under article
183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
184 | similar laws prohibiting or restricting circumvention of such
185 | measures.
186 |
187 | When you convey a covered work, you waive any legal power to forbid
188 | circumvention of technological measures to the extent such circumvention
189 | is effected by exercising rights under this License with respect to
190 | the covered work, and you disclaim any intention to limit operation or
191 | modification of the work as a means of enforcing, against the work's
192 | users, your or third parties' legal rights to forbid circumvention of
193 | technological measures.
194 |
195 | 4. Conveying Verbatim Copies.
196 |
197 | You may convey verbatim copies of the Program's source code as you
198 | receive it, in any medium, provided that you conspicuously and
199 | appropriately publish on each copy an appropriate copyright notice;
200 | keep intact all notices stating that this License and any
201 | non-permissive terms added in accord with section 7 apply to the code;
202 | keep intact all notices of the absence of any warranty; and give all
203 | recipients a copy of this License along with the Program.
204 |
205 | You may charge any price or no price for each copy that you convey,
206 | and you may offer support or warranty protection for a fee.
207 |
208 | 5. Conveying Modified Source Versions.
209 |
210 | You may convey a work based on the Program, or the modifications to
211 | produce it from the Program, in the form of source code under the
212 | terms of section 4, provided that you also meet all of these conditions:
213 |
214 | a) The work must carry prominent notices stating that you modified
215 | it, and giving a relevant date.
216 |
217 | b) The work must carry prominent notices stating that it is
218 | released under this License and any conditions added under section
219 | 7. This requirement modifies the requirement in section 4 to
220 | "keep intact all notices".
221 |
222 | c) You must license the entire work, as a whole, under this
223 | License to anyone who comes into possession of a copy. This
224 | License will therefore apply, along with any applicable section 7
225 | additional terms, to the whole of the work, and all its parts,
226 | regardless of how they are packaged. This License gives no
227 | permission to license the work in any other way, but it does not
228 | invalidate such permission if you have separately received it.
229 |
230 | d) If the work has interactive user interfaces, each must display
231 | Appropriate Legal Notices; however, if the Program has interactive
232 | interfaces that do not display Appropriate Legal Notices, your
233 | work need not make them do so.
234 |
235 | A compilation of a covered work with other separate and independent
236 | works, which are not by their nature extensions of the covered work,
237 | and which are not combined with it such as to form a larger program,
238 | in or on a volume of a storage or distribution medium, is called an
239 | "aggregate" if the compilation and its resulting copyright are not
240 | used to limit the access or legal rights of the compilation's users
241 | beyond what the individual works permit. Inclusion of a covered work
242 | in an aggregate does not cause this License to apply to the other
243 | parts of the aggregate.
244 |
245 | 6. Conveying Non-Source Forms.
246 |
247 | You may convey a covered work in object code form under the terms
248 | of sections 4 and 5, provided that you also convey the
249 | machine-readable Corresponding Source under the terms of this License,
250 | in one of these ways:
251 |
252 | a) Convey the object code in, or embodied in, a physical product
253 | (including a physical distribution medium), accompanied by the
254 | Corresponding Source fixed on a durable physical medium
255 | customarily used for software interchange.
256 |
257 | b) Convey the object code in, or embodied in, a physical product
258 | (including a physical distribution medium), accompanied by a
259 | written offer, valid for at least three years and valid for as
260 | long as you offer spare parts or customer support for that product
261 | model, to give anyone who possesses the object code either (1) a
262 | copy of the Corresponding Source for all the software in the
263 | product that is covered by this License, on a durable physical
264 | medium customarily used for software interchange, for a price no
265 | more than your reasonable cost of physically performing this
266 | conveying of source, or (2) access to copy the
267 | Corresponding Source from a network server at no charge.
268 |
269 | c) Convey individual copies of the object code with a copy of the
270 | written offer to provide the Corresponding Source. This
271 | alternative is allowed only occasionally and noncommercially, and
272 | only if you received the object code with such an offer, in accord
273 | with subsection 6b.
274 |
275 | d) Convey the object code by offering access from a designated
276 | place (gratis or for a charge), and offer equivalent access to the
277 | Corresponding Source in the same way through the same place at no
278 | further charge. You need not require recipients to copy the
279 | Corresponding Source along with the object code. If the place to
280 | copy the object code is a network server, the Corresponding Source
281 | may be on a different server (operated by you or a third party)
282 | that supports equivalent copying facilities, provided you maintain
283 | clear directions next to the object code saying where to find the
284 | Corresponding Source. Regardless of what server hosts the
285 | Corresponding Source, you remain obligated to ensure that it is
286 | available for as long as needed to satisfy these requirements.
287 |
288 | e) Convey the object code using peer-to-peer transmission, provided
289 | you inform other peers where the object code and Corresponding
290 | Source of the work are being offered to the general public at no
291 | charge under subsection 6d.
292 |
293 | A separable portion of the object code, whose source code is excluded
294 | from the Corresponding Source as a System Library, need not be
295 | included in conveying the object code work.
296 |
297 | A "User Product" is either (1) a "consumer product", which means any
298 | tangible personal property which is normally used for personal, family,
299 | or household purposes, or (2) anything designed or sold for incorporation
300 | into a dwelling. In determining whether a product is a consumer product,
301 | doubtful cases shall be resolved in favor of coverage. For a particular
302 | product received by a particular user, "normally used" refers to a
303 | typical or common use of that class of product, regardless of the status
304 | of the particular user or of the way in which the particular user
305 | actually uses, or expects or is expected to use, the product. A product
306 | is a consumer product regardless of whether the product has substantial
307 | commercial, industrial or non-consumer uses, unless such uses represent
308 | the only significant mode of use of the product.
309 |
310 | "Installation Information" for a User Product means any methods,
311 | procedures, authorization keys, or other information required to install
312 | and execute modified versions of a covered work in that User Product from
313 | a modified version of its Corresponding Source. The information must
314 | suffice to ensure that the continued functioning of the modified object
315 | code is in no case prevented or interfered with solely because
316 | modification has been made.
317 |
318 | If you convey an object code work under this section in, or with, or
319 | specifically for use in, a User Product, and the conveying occurs as
320 | part of a transaction in which the right of possession and use of the
321 | User Product is transferred to the recipient in perpetuity or for a
322 | fixed term (regardless of how the transaction is characterized), the
323 | Corresponding Source conveyed under this section must be accompanied
324 | by the Installation Information. But this requirement does not apply
325 | if neither you nor any third party retains the ability to install
326 | modified object code on the User Product (for example, the work has
327 | been installed in ROM).
328 |
329 | The requirement to provide Installation Information does not include a
330 | requirement to continue to provide support service, warranty, or updates
331 | for a work that has been modified or installed by the recipient, or for
332 | the User Product in which it has been modified or installed. Access to a
333 | network may be denied when the modification itself materially and
334 | adversely affects the operation of the network or violates the rules and
335 | protocols for communication across the network.
336 |
337 | Corresponding Source conveyed, and Installation Information provided,
338 | in accord with this section must be in a format that is publicly
339 | documented (and with an implementation available to the public in
340 | source code form), and must require no special password or key for
341 | unpacking, reading or copying.
342 |
343 | 7. Additional Terms.
344 |
345 | "Additional permissions" are terms that supplement the terms of this
346 | License by making exceptions from one or more of its conditions.
347 | Additional permissions that are applicable to the entire Program shall
348 | be treated as though they were included in this License, to the extent
349 | that they are valid under applicable law. If additional permissions
350 | apply only to part of the Program, that part may be used separately
351 | under those permissions, but the entire Program remains governed by
352 | this License without regard to the additional permissions.
353 |
354 | When you convey a copy of a covered work, you may at your option
355 | remove any additional permissions from that copy, or from any part of
356 | it. (Additional permissions may be written to require their own
357 | removal in certain cases when you modify the work.) You may place
358 | additional permissions on material, added by you to a covered work,
359 | for which you have or can give appropriate copyright permission.
360 |
361 | Notwithstanding any other provision of this License, for material you
362 | add to a covered work, you may (if authorized by the copyright holders of
363 | that material) supplement the terms of this License with terms:
364 |
365 | a) Disclaiming warranty or limiting liability differently from the
366 | terms of sections 15 and 16 of this License; or
367 |
368 | b) Requiring preservation of specified reasonable legal notices or
369 | author attributions in that material or in the Appropriate Legal
370 | Notices displayed by works containing it; or
371 |
372 | c) Prohibiting misrepresentation of the origin of that material, or
373 | requiring that modified versions of such material be marked in
374 | reasonable ways as different from the original version; or
375 |
376 | d) Limiting the use for publicity purposes of names of licensors or
377 | authors of the material; or
378 |
379 | e) Declining to grant rights under trademark law for use of some
380 | trade names, trademarks, or service marks; or
381 |
382 | f) Requiring indemnification of licensors and authors of that
383 | material by anyone who conveys the material (or modified versions of
384 | it) with contractual assumptions of liability to the recipient, for
385 | any liability that these contractual assumptions directly impose on
386 | those licensors and authors.
387 |
388 | All other non-permissive additional terms are considered "further
389 | restrictions" within the meaning of section 10. If the Program as you
390 | received it, or any part of it, contains a notice stating that it is
391 | governed by this License along with a term that is a further
392 | restriction, you may remove that term. If a license document contains
393 | a further restriction but permits relicensing or conveying under this
394 | License, you may add to a covered work material governed by the terms
395 | of that license document, provided that the further restriction does
396 | not survive such relicensing or conveying.
397 |
398 | If you add terms to a covered work in accord with this section, you
399 | must place, in the relevant source files, a statement of the
400 | additional terms that apply to those files, or a notice indicating
401 | where to find the applicable terms.
402 |
403 | Additional terms, permissive or non-permissive, may be stated in the
404 | form of a separately written license, or stated as exceptions;
405 | the above requirements apply either way.
406 |
407 | 8. Termination.
408 |
409 | You may not propagate or modify a covered work except as expressly
410 | provided under this License. Any attempt otherwise to propagate or
411 | modify it is void, and will automatically terminate your rights under
412 | this License (including any patent licenses granted under the third
413 | paragraph of section 11).
414 |
415 | However, if you cease all violation of this License, then your
416 | license from a particular copyright holder is reinstated (a)
417 | provisionally, unless and until the copyright holder explicitly and
418 | finally terminates your license, and (b) permanently, if the copyright
419 | holder fails to notify you of the violation by some reasonable means
420 | prior to 60 days after the cessation.
421 |
422 | Moreover, your license from a particular copyright holder is
423 | reinstated permanently if the copyright holder notifies you of the
424 | violation by some reasonable means, this is the first time you have
425 | received notice of violation of this License (for any work) from that
426 | copyright holder, and you cure the violation prior to 30 days after
427 | your receipt of the notice.
428 |
429 | Termination of your rights under this section does not terminate the
430 | licenses of parties who have received copies or rights from you under
431 | this License. If your rights have been terminated and not permanently
432 | reinstated, you do not qualify to receive new licenses for the same
433 | material under section 10.
434 |
435 | 9. Acceptance Not Required for Having Copies.
436 |
437 | You are not required to accept this License in order to receive or
438 | run a copy of the Program. Ancillary propagation of a covered work
439 | occurring solely as a consequence of using peer-to-peer transmission
440 | to receive a copy likewise does not require acceptance. However,
441 | nothing other than this License grants you permission to propagate or
442 | modify any covered work. These actions infringe copyright if you do
443 | not accept this License. Therefore, by modifying or propagating a
444 | covered work, you indicate your acceptance of this License to do so.
445 |
446 | 10. Automatic Licensing of Downstream Recipients.
447 |
448 | Each time you convey a covered work, the recipient automatically
449 | receives a license from the original licensors, to run, modify and
450 | propagate that work, subject to this License. You are not responsible
451 | for enforcing compliance by third parties with this License.
452 |
453 | An "entity transaction" is a transaction transferring control of an
454 | organization, or substantially all assets of one, or subdividing an
455 | organization, or merging organizations. If propagation of a covered
456 | work results from an entity transaction, each party to that
457 | transaction who receives a copy of the work also receives whatever
458 | licenses to the work the party's predecessor in interest had or could
459 | give under the previous paragraph, plus a right to possession of the
460 | Corresponding Source of the work from the predecessor in interest, if
461 | the predecessor has it or can get it with reasonable efforts.
462 |
463 | You may not impose any further restrictions on the exercise of the
464 | rights granted or affirmed under this License. For example, you may
465 | not impose a license fee, royalty, or other charge for exercise of
466 | rights granted under this License, and you may not initiate litigation
467 | (including a cross-claim or counterclaim in a lawsuit) alleging that
468 | any patent claim is infringed by making, using, selling, offering for
469 | sale, or importing the Program or any portion of it.
470 |
471 | 11. Patents.
472 |
473 | A "contributor" is a copyright holder who authorizes use under this
474 | License of the Program or a work on which the Program is based. The
475 | work thus licensed is called the contributor's "contributor version".
476 |
477 | A contributor's "essential patent claims" are all patent claims
478 | owned or controlled by the contributor, whether already acquired or
479 | hereafter acquired, that would be infringed by some manner, permitted
480 | by this License, of making, using, or selling its contributor version,
481 | but do not include claims that would be infringed only as a
482 | consequence of further modification of the contributor version. For
483 | purposes of this definition, "control" includes the right to grant
484 | patent sublicenses in a manner consistent with the requirements of
485 | this License.
486 |
487 | Each contributor grants you a non-exclusive, worldwide, royalty-free
488 | patent license under the contributor's essential patent claims, to
489 | make, use, sell, offer for sale, import and otherwise run, modify and
490 | propagate the contents of its contributor version.
491 |
492 | In the following three paragraphs, a "patent license" is any express
493 | agreement or commitment, however denominated, not to enforce a patent
494 | (such as an express permission to practice a patent or covenant not to
495 | sue for patent infringement). To "grant" such a patent license to a
496 | party means to make such an agreement or commitment not to enforce a
497 | patent against the party.
498 |
499 | If you convey a covered work, knowingly relying on a patent license,
500 | and the Corresponding Source of the work is not available for anyone
501 | to copy, free of charge and under the terms of this License, through a
502 | publicly available network server or other readily accessible means,
503 | then you must either (1) cause the Corresponding Source to be so
504 | available, or (2) arrange to deprive yourself of the benefit of the
505 | patent license for this particular work, or (3) arrange, in a manner
506 | consistent with the requirements of this License, to extend the patent
507 | license to downstream recipients. "Knowingly relying" means you have
508 | actual knowledge that, but for the patent license, your conveying the
509 | covered work in a country, or your recipient's use of the covered work
510 | in a country, would infringe one or more identifiable patents in that
511 | country that you have reason to believe are valid.
512 |
513 | If, pursuant to or in connection with a single transaction or
514 | arrangement, you convey, or propagate by procuring conveyance of, a
515 | covered work, and grant a patent license to some of the parties
516 | receiving the covered work authorizing them to use, propagate, modify
517 | or convey a specific copy of the covered work, then the patent license
518 | you grant is automatically extended to all recipients of the covered
519 | work and works based on it.
520 |
521 | A patent license is "discriminatory" if it does not include within
522 | the scope of its coverage, prohibits the exercise of, or is
523 | conditioned on the non-exercise of one or more of the rights that are
524 | specifically granted under this License. You may not convey a covered
525 | work if you are a party to an arrangement with a third party that is
526 | in the business of distributing software, under which you make payment
527 | to the third party based on the extent of your activity of conveying
528 | the work, and under which the third party grants, to any of the
529 | parties who would receive the covered work from you, a discriminatory
530 | patent license (a) in connection with copies of the covered work
531 | conveyed by you (or copies made from those copies), or (b) primarily
532 | for and in connection with specific products or compilations that
533 | contain the covered work, unless you entered into that arrangement,
534 | or that patent license was granted, prior to 28 March 2007.
535 |
536 | Nothing in this License shall be construed as excluding or limiting
537 | any implied license or other defenses to infringement that may
538 | otherwise be available to you under applicable patent law.
539 |
540 | 12. No Surrender of Others' Freedom.
541 |
542 | If conditions are imposed on you (whether by court order, agreement or
543 | otherwise) that contradict the conditions of this License, they do not
544 | excuse you from the conditions of this License. If you cannot convey a
545 | covered work so as to satisfy simultaneously your obligations under this
546 | License and any other pertinent obligations, then as a consequence you may
547 | not convey it at all. For example, if you agree to terms that obligate you
548 | to collect a royalty for further conveying from those to whom you convey
549 | the Program, the only way you could satisfy both those terms and this
550 | License would be to refrain entirely from conveying the Program.
551 |
552 | 13. Use with the GNU Affero General Public License.
553 |
554 | Notwithstanding any other provision of this License, you have
555 | permission to link or combine any covered work with a work licensed
556 | under version 3 of the GNU Affero General Public License into a single
557 | combined work, and to convey the resulting work. The terms of this
558 | License will continue to apply to the part which is the covered work,
559 | but the special requirements of the GNU Affero General Public License,
560 | section 13, concerning interaction through a network will apply to the
561 | combination as such.
562 |
563 | 14. Revised Versions of this License.
564 |
565 | The Free Software Foundation may publish revised and/or new versions of
566 | the GNU General Public License from time to time. Such new versions will
567 | be similar in spirit to the present version, but may differ in detail to
568 | address new problems or concerns.
569 |
570 | Each version is given a distinguishing version number. If the
571 | Program specifies that a certain numbered version of the GNU General
572 | Public License "or any later version" applies to it, you have the
573 | option of following the terms and conditions either of that numbered
574 | version or of any later version published by the Free Software
575 | Foundation. If the Program does not specify a version number of the
576 | GNU General Public License, you may choose any version ever published
577 | by the Free Software Foundation.
578 |
579 | If the Program specifies that a proxy can decide which future
580 | versions of the GNU General Public License can be used, that proxy's
581 | public statement of acceptance of a version permanently authorizes you
582 | to choose that version for the Program.
583 |
584 | Later license versions may give you additional or different
585 | permissions. However, no additional obligations are imposed on any
586 | author or copyright holder as a result of your choosing to follow a
587 | later version.
588 |
589 | 15. Disclaimer of Warranty.
590 |
591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
599 |
600 | 16. Limitation of Liability.
601 |
602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
610 | SUCH DAMAGES.
611 |
612 | 17. Interpretation of Sections 15 and 16.
613 |
614 | If the disclaimer of warranty and limitation of liability provided
615 | above cannot be given local legal effect according to their terms,
616 | reviewing courts shall apply local law that most closely approximates
617 | an absolute waiver of all civil liability in connection with the
618 | Program, unless a warranty or assumption of liability accompanies a
619 | copy of the Program in return for a fee.
620 |
621 | END OF TERMS AND CONDITIONS
622 |
623 | How to Apply These Terms to Your New Programs
624 |
625 | If you develop a new program, and you want it to be of the greatest
626 | possible use to the public, the best way to achieve this is to make it
627 | free software which everyone can redistribute and change under these terms.
628 |
629 | To do so, attach the following notices to the program. It is safest
630 | to attach them to the start of each source file to most effectively
631 | state the exclusion of warranty; and each file should have at least
632 | the "copyright" line and a pointer to where the full notice is found.
633 |
634 | <one line to give the program's name and a brief idea of what it does.>
635 | Copyright (C) <year> <name of author>
636 |
637 | This program is free software: you can redistribute it and/or modify
638 | it under the terms of the GNU General Public License as published by
639 | the Free Software Foundation, either version 3 of the License, or
640 | (at your option) any later version.
641 |
642 | This program is distributed in the hope that it will be useful,
643 | but WITHOUT ANY WARRANTY; without even the implied warranty of
644 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
645 | GNU General Public License for more details.
646 |
647 | You should have received a copy of the GNU General Public License
648 | along with this program. If not, see <https://www.gnu.org/licenses/>.
649 |
650 | Also add information on how to contact you by electronic and paper mail.
651 |
652 | If the program does terminal interaction, make it output a short
653 | notice like this when it starts in an interactive mode:
654 |
655 | <program> Copyright (C) <year> <name of author>
656 | This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
657 | This is free software, and you are welcome to redistribute it
658 | under certain conditions; type `show c' for details.
659 |
660 | The hypothetical commands `show w' and `show c' should show the appropriate
661 | parts of the General Public License. Of course, your program's commands
662 | might be different; for a GUI interface, you would use an "about box".
663 |
664 | You should also get your employer (if you work as a programmer) or school,
665 | if any, to sign a "copyright disclaimer" for the program, if necessary.
666 | For more information on this, and how to apply and follow the GNU GPL, see
667 | <https://www.gnu.org/licenses/>.
668 |
669 | The GNU General Public License does not permit incorporating your program
670 | into proprietary programs. If your program is a subroutine library, you
671 | may consider it more useful to permit linking proprietary applications with
672 | the library. If this is what you want to do, use the GNU Lesser General
673 | Public License instead of this License. But first, please read
674 | <https://www.gnu.org/licenses/why-not-lgpl.html>.
675 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Puppet module for fail2ban #
2 |
3 | ___Table of contents___:
4 |
5 | 1. [Overview](#overview)
6 | 2. [Module description](#module-description)
7 | 3. [Usage](#usage)
8 | * [Defining jails](#defining-jails)
9 | * [Predefined jails](#predefined-jails)
10 | * [Defining filters](#defining-filters)
11 | * [Defining actions](#defining-actions)
12 | * [Python action scripts](#python-action-scripts)
13 | * [nftables support](#nftables-support)
14 | 4. [Requirements](#requirements)
15 | 5. [Compatibility](#compatibility)
16 | 6. [Upgrade notices](#upgrade-notices)
17 | 7. [Documentation](#documentation)
18 | 8. [Testing](#testing)
19 | * [Unit tests](#unit-tests)
20 | * [Functionality tests](#funtionality-tests)
21 |
22 | ## Overview ##
23 |
24 | Install and manage fail2ban with puppet to block brute-force attempts.
25 |
26 | ## Module description ##
27 |
28 | With this module, you can install fail2ban and define any configuration for
29 | the service in order to slow down brute-force attempts on services that need to
30 | be exposed to the internet.
31 |
32 | This module lets you create:
33 |
34 | * actions (e.g. what to do when there's a problematic case)
35 | * filters (e.g. how to discover problematic cases)
36 | * jails (e.g. combining actions and filters with a rate limit on filter
37 | matches)
38 |
39 | ## Usage ##
40 |
41 | To use this module just include the `fail2ban` class.
42 |
43 | To change default configurations in `jail.conf` or `fail2ban.conf`, you can
44 | pass values to the parameters of the `fail2ban` class. See the technical
45 | reference documentation (REFERENCE.md) for the full list of parameters.
46 |
47 | Here's an example that sets the default ignored IP addresses for all jails to
48 | localhost plus another RFC 1918 address:
49 |
50 | ~~~puppet
51 | class { 'fail2ban':
52 | ignoreip => ['127.0.0.1', '10.0.0.1'],
53 | }
54 | ~~~
55 |
56 | ### Defining jails ###
57 |
58 | The `fail2ban::jail` defined type lets you configure jails. This is the
59 | resource you'll most likely be using the most.
60 |
61 | You can use one of the jail parameter presets to speed up defining some common
62 | jails (see the details and list of presets in the section below; the presets
63 | themselves are defined in hiera files in `data/`).
64 |
65 | The following example defines a jail for the jenkins service:
66 |
67 | ~~~puppet
68 | fail2ban::jail { 'jenkins':
69 | port => 'all',
70 | filter => 'jenkins',
71 | logpath => ['/var/log/jenkins.log'],
72 | }
73 | ~~~
74 |
75 | #### Predefined jails ####
76 |
77 | The list at the end of this section contains all of the presets that can be
78 | used to configure jails more easily.
79 |
80 | Each of them is a data point -- a hash of parameter and values -- in hiera that
81 | needs to be gathered with the `lookup()` function.
82 |
83 | Each hash holds the parameters and values that should be passed in to the
84 | `fail2ban::jail` defined type documented above (so they are really just
85 | presets for the type's parameters), and has a lookup key of
86 | `fail2ban::jail::$jailname`.
87 |
88 | For example, to quickly configure a jail for the ssh service with the preset
89 | parameters:
90 |
91 | ~~~puppet
92 | $ssh_params = lookup('fail2ban::jail::sshd')
93 | fail2ban::jail { 'sshd':
94 | * => $ssh_params,
95 | }
96 | ~~~
97 |
98 | You can also override values from the preset or define new parameters by
99 | merging your own hash into it. In the following example we define the new
100 | parameters `bantime` and `findtime` and we override the preset for `maxretry`:
101 |
102 | ~~~puppet
103 | $ssh_extra_params = {
104 | 'bantime' => 300,
105 | 'findtime' => 200,
106 | 'maxretry' => 3,
107 | }
108 | $ssh_params = lookup('fail2ban::jail::sshd') + $ssh_extra_params
109 | fail2ban::jail { 'sshd':
110 | * => $ssh_params,
111 | }
112 | ~~~
113 |
114 | This way you can set any parameter to the `fail2ban::jail` defined type and
115 | override preset values.
116 |
117 | Watch out: jails by default use the same filter name as the jail name, so make
118 | sure to either use the same string as the lookup key for the `jail` resource
119 | name, or override the `filter` parameter.
120 |
121 | Here's the full list of currently available presets. To know each preset's
122 | default values you can inspect files in `data/`:
123 |
124 | * 3proxy
125 | * apache-auth
126 | * apache-badbots
127 | * apache-noscript
128 | * apache-overflows
129 | * apache-nohome
130 | * apache-botsearch
131 | * apache-fakegooglebot
132 | * apache-modsecurity
133 | * apache-shellshock
134 | * assp
135 | * asterisk
136 | * bitwarden
137 | * centreon
138 | * counter-strike
139 | * courier-auth
140 | * courier-smtp
141 | * cyrus-imap
142 | * directadmin
143 | * domino-smtp
144 | * dovecot
145 | * dropbear
146 | * drupal-auth
147 | * ejabberd-auth
148 | * exim
149 | * exim-spam
150 | * freeswitch
151 | * froxlor-auth
152 | * gitlab
153 | * grafana
154 | * groupoffice
155 | * gssftpd
156 | * guacamole
157 | * haproxy-http-auth
158 | * horde
159 | * kerio
160 | * lighttpd-auth
161 | * mongodb-auth
162 | * monit
163 | * murmur
164 | * mysql-auth
165 | * To log wrong MySQL access attempts add to `/etc/mysql/my.cnf` in
166 | `[mysqld]` or equivalent section: `log-warning = 2`
167 | * nagios
168 | * named-refused
169 | * nginx-http-auth
170 | * nginx-limit-req
171 | * To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module`
172 | and define `limit_req` and `limit_req_zone` as described in nginx
173 | documentation
174 |
175 | or, for example, see 'config/filter.d/nginx-limit-req.conf'
176 | * nginx-botsearch
177 | * nsd
178 | * openhab-auth
179 | * openwebmail
180 | * oracleims
181 | * pam-generic
182 | * pass2allow-ftp
183 | * perdition
184 | * php-url-fopen
185 | * phpmyadmin-syslog
186 | * portsentry
187 | * postfix
188 | * postfix-rbl
189 | * postfix-sasl
190 | * proftpd
191 | * pure-ftpd
192 | * qmail-rbl
193 | * recidive
194 | * Ban IPs that get repeatedly banned, but for a longer period of time -- by
195 | default for one week and one day. Some warnings apply:
196 | 1. Make sure that your loglevel specified in fail2ban.conf/.local
197 | is not at DEBUG level -- which might then cause fail2ban to fall into
198 | an infinite loop constantly feeding itself with non-informative lines
199 | 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
200 | to maintain entries for failed logins for sufficient amount of time
201 | * roundcube-auth
202 | * screensharing
203 | * selinux-ssh
204 | * sendmail-auth
205 | * sendmail-reject
206 | * sieve
207 | * slapd
208 | * softethervpn
209 | * sogo-auth
210 | * solid-pop3d
211 | * squid
212 | * squirrelmail
213 | * sshd
214 | * sshd-ddos
215 | * stunnel
216 | * This pre-defined jail does not specify ports to ban since this service can
217 | run on many choices of ports. By default this means that all ports will be
218 | blocked for IPs that are banned by this jail. You may want to override the
219 | hash to add in specific ports in the `port` parameter.
220 | * suhosin
221 | * tine20
222 | * traefik-auth
223 | * uwimap-auth
224 | * vsftpd
225 | * webmin-auth
226 | * wuftpd
227 | * xinetd-fail
228 | * This pre-defined jail does not specify ports to ban since this service can
229 | run on many choices of ports. By default this means that all ports will be
230 | blocked for IPs that are banned by this jail. You may want to override the
231 | hash to add in specific ports in the `port` parameter.
232 | * znc-adminlog
233 | * zoneminder
234 |
235 | ### Defining filters ###
236 |
237 | You might want to define new filters for your new jails. To do that, you can
238 | use the `fail2ban::filter` defined type:
239 |
240 | ~~~puppet
241 | fail2ban::filter { 'jenkins':
242 | failregexes => [
243 | # Those regexes are really arbitrary examples.
244 | 'Invalid login to Jenkins by user mooh by IP \'<HOST>\'',
245 | 'Forced entry trial by <HOST>',
246 | ],
247 | }
248 | ~~~
249 |
250 | ### Defining actions ###
251 |
252 | Fail2ban can do pretty much what you want it to do (e.g. run an action) when an
253 | IP matches a filter enough times during the rate limit set by the jail.
254 |
255 | To define a new action, you can use the `fail2ban::action` defined type.
256 | Here's an example that would call out to a fictitious REST API whenever an IP
257 | address is banned and unbanned:
258 |
259 | ~~~puppet
260 | fail2ban::action { 'rest_api':
261 | ensure => present,
262 | actionban => ['curl -s -X PUT http://yourapi:8080/theapi/v4/firewall/rules -H "Content-Type:application/json" -H "Authorization: ..." -d "{\"ban\": \"<ip>\"}"'],
263 | actionunban => ['curl -s -X DELETE http://yourapi:8080/theapi/v4/firewall/rules/1 -H "Authorization: ..."'],
264 | }
265 | ~~~
266 |
267 | #### Python action scripts ####
268 |
269 | Fail2ban lets users define actions as python scripts. These actions should
270 | exist as a file within `/etc/fail2ban/action/$action.py` where `$action` is the
271 | name of the action.
272 |
273 | The contents of those files can differ wildly. Other than ensuring the
274 | location of the file and its permissions, this module wouldn't actually add
275 | much more on top of simply managing the python scripts as `file` resources, so
276 | no defined resource type was created for them.
277 |
278 | If you manage such an action script, it is recommended to make it signal
279 | `Class['fail2ban::service']` (e.g. with `~>`) in order to automatically
280 | restart the service upon changes.
281 |
282 | #### nftables support ####
283 |
284 | Fail2ban supports nftables with the builtin actions:
285 |
286 | * `nftables`
287 | * `nftables-multiport` (it's just an alias of `nftables`)
288 | * `nftables-allports`
289 |
290 | These actions use nftables' `set` functionality to contain banned IPs instead
291 | of adding a firewall rule for each new banned IP. This should make your
292 | firewall more efficient if you have lots of banned IPs.
293 |
294 | nftables has been the default on Debian since the buster release, but
295 | fail2ban's default action still uses `iptables`; here's how to quickly
296 | enable the use of nftables for fail2ban:
297 |
298 | Only two global parameters need to be changed:
299 |
300 | * `chain` needs to be set to the same value but lowercased
301 | * by default the chain used is expected to be in table `filter` of address
302 | family `ip` (e.g. the iptables compatibility table).
303 | * `banaction` needs to be set to the nftables action of your choice
304 | * If you want to customize further what table, address family, chain hook, hook
305 | priority or the action taken by the rule if an address is matched, you can
306 | create a file `/etc/fail2ban/filter.d/nftables-common.local` that overrides
307 | the variables in the Init section of the `nftables.conf` file.
308 |
309 | Here's an example minimal configuration for using nftables with one sshd jail
310 | defined as usual:
311 |
312 | ~~~puppet
313 | class { 'fail2ban':
314 | banaction => 'nftables',
315 | chain => 'input',
316 | }
317 | $ssh_params = lookup('fail2ban::jail::sshd')
318 | fail2ban::jail { 'sshd':
319 | * => $ssh_params,
320 | }
321 | ~~~
322 |
323 | Do note that upon service restart, fail2ban will not create the ip set and the
324 | corresponding rule right away so it will appear as though "it's not working".
325 | They will only be added whenever the first "action" is taken (so when banning
326 | the first IP for a jail). After that you should see both the set and the rule
327 | for that jail when running `nft list ruleset`.
328 |
329 | To list which IPs are currently banned, you can either use `fail2ban-client
330 | status sshd` or list elements of the corresponding set. For the example above:
331 | `nft list set filter f2b-sshd`
332 |
333 | ## Requirements ##
334 |
335 | This module depends on the following modules to function:
336 |
337 | * puppetlabs' stdlib module (at least version 4.6.0)
338 |
339 | ## Compatibility ##
340 |
341 | This module supports:
342 |
343 | * Debian 10, 11
344 | * Ubuntu 18.04, 20.04, 22.04
345 | * RHEL 7, 8, 9
346 | * CentOS 7 and 8
347 | * version 8 is currently EOL and support for it will be removed along with
348 | version 7 when that one becomes EOL as well
349 |
350 | Puppet versions 6 and 7 are supported.
351 |
352 | If you still need to use this module with puppet 5 or 4.10+ you can either try
353 | your luck with version 4.x of this module even though support is not official,
354 | or you can use the 3.x releases of the module.
355 |
356 | ## Upgrade notices ##
357 |
358 | * 4.0.0: Support for Debian 11 was added, but Debian 8 was removed from
359 | supported releases.
360 |
361 | With the removal of debian 8 support, the `$persistent_bans` parameter was
362 | removed since it is not needed anymore. This has the side-effect of stopping
363 | management of the `actions.d/iptables-multiport.conf` file, so users may let
364 | their package manager change it back to its default form now.
365 |
366 | A couple of new parameters have been added to match newly available
367 | configuration options in the fail2ban version (0.11) in Debian bullseye.
368 |
369 | Watch out though, the `$logpath` parameter has changed data type from
370 | `String` to `Array[String]` so you'll need to adapt your calls to the main
371 | class and to the `jail` defined type.
372 |
373 | The `$action` parameter in the main class and in the `fail2ban::jail` defined
374 | type now accepts an array of strings. Using a simple `String` is now
375 | considered deprecated and that data type will be removed in version 5.x of
376 | the module.
377 |
378 | Similarly, the `$failregex` and `$ignoreregex` parameters in the main class
379 | now accept an array of strings and using a simple `String` is now considered
380 | deprecated. The `String` type will be removed from those parameters in
381 | version `5.x` of the module.
382 |
383 | Some new default jails were added to match what's available in newer
384 | versions of fail2ban. You can check them out in `data/common.yaml`.
385 |
386 | Some default jails were modified. You might want to check what their changes
387 | are before upgrading. Namely:
388 |
389 | * asterisk
390 | * dovecot
391 | * freeswitch
392 | * murmur
393 | * mysql-auth was renamed to mysqld-auth
394 | * nrpe was renamed to nagios
395 | * nsd
396 | * openhab-auth
397 | * openwebmail
398 |
399 | * 3.3: Support for the 2.x branch was discontinued. Only puppet 4.x+ is
400 | supported from now on.
401 |
402 | Documentation in the `README.md` file is now limited to only examples of
403 | how to use the module. For a technical reference of all classes, defined
404 | types and their parameters, please refer to REFERENCE.md or generate html
405 | documentation with puppet-strings.
406 |
407 | Note that debian 8 is still being supported for a little while, but with
408 | the expectation that users use this module with puppet 4.x+. Debian 8's
409 | support cycle is almost over, and so is its support in this module. Expect
410 | support to be removed from this module in the coming months.
411 |
412 | * 3.2: No pre-defined jail sends out an email as an action by default. Users
413 | who still want to receive emails when an action is taken can override the
414 | `action` field from the predefined jail data and append the action the
415 | following: `\n %(mta)s-whois[name=%(__name__)s,
416 | dest=\"%(destemail)s\"]`
417 |
418 | Also note that puppet 4.x prior to 4.10 is not supported anymore, and that
419 | hiera 5 is now required (hence the limitation on the puppet version).
420 |
421 | * 3.1: `fail2ban.local` and all unmanaged files in `fail2ban.d` are now being
422 | purged by default. Users who have local modifications that they want to
423 | keep should set `$rm_fail2ban_local` and/or `$purge_fail2ban_d` to false.
424 |
425 | * 3.0: all of the defined types for predefined jails in `fail2ban::jail::*`
426 | have been removed and instead transformed into data structures with hiera.
427 | If you were using the predefined jails, you will need to change your code:
428 | please take a look at the new method of using them with `lookup()` further
429 | down in this file.
430 |
431 | * 3.0: `fail2ban::jail`'s `order` parameter was removed. Users should adapt their
432 | calls in order to remove this parameter. All jail files are now just
433 | individual files dropped in jail.d and order is not relevant there.
434 |
435 | * 3.0: Deprecation notice: the `persistent_bans` parameter to the `fail2ban`
436 | class is now deprecated and will be removed for the 4.0 release. fail2ban
437 | can now manage persistent bans naturally by using its own sqlite3 database.
438 |
439 | * 2.0: Jail definitions have been moved to `jail.d/*.conf` files. The
440 | `jail.local` file is now getting removed by the module. To
441 | avoid this, set `rm_jail_local` to true.
442 |
443 | * 2.0: `ignoreip` both on the main class and in `fail2ban::jail` (and thus in
444 | all `fail2ban::jail::*` classes too) is no longer expected to be a string.
445 | It is now a list of strings that automatically gets joined with spaces.
446 | Users of the fail2ban module will need to adjust these parameters.
447 |
448 | * The directory `/etc/fail2ban/jail.d` is now getting purged by default. Users
449 | who would like to preserve files in this directory that are not managed by
450 | puppet should now set the `purge_jail_dot_d` parameter to the `fail2ban`
451 | class to false.
452 |
453 | ## Documentation ##
454 |
455 | This module uses puppet-strings comments. The most stable way of using
456 | puppet-strings is to reuse the same version as what's specified in the Gemfile,
457 | so start by running `gem install` (you might need to set up a local path for
458 | a non-root install first).
459 |
460 | Then you can generate HTML documentation in the `docs` directory with the
461 | following command:
462 |
463 | ~~~bash
464 | bundle exec rake strings:generate
465 | ~~~
466 |
467 | The `REFERENCE.md` file should be updated along with the code if any API and
468 | accompanying puppet-strings documentation change. You can do this with:
469 |
470 | ~~~bash
471 | bundle exec rake strings:generate:reference
472 | ~~~
473 |
474 | ## Testing ##
475 |
476 | This module has some tests that you can run to ensure that everything is
477 | working as expected.
478 |
479 | Before you can use the tests, make sure that you setup your local environment
480 | with `bundle install`.
481 |
482 | ### Smoke tests ###
483 |
484 | You can run a sanity check with the `validate` task from puppet-syntax:
485 |
486 | ~~~bash
487 | bundle exec rake validate
488 | ~~~
489 |
490 | This will check manifest syntax, template syntax, yaml syntax for hiera files
491 | and ensure that the REFERENCE.md file is up to date.
492 |
493 | In addition to this, you can also use rubocop to run sanity checks on ruby
494 | files:
495 |
496 | ~~~bash
497 | bundle exec rake rubocop
498 | ~~~
499 |
500 | ### Unit tests ###
501 |
502 | The unit tests are built with rspec-puppet.
503 |
504 | The usual rspec-puppet_helper rake tasks are available. So, to run spec tests:
505 |
506 | ~~~bash
507 | bundle exec rake spec
508 | ~~~
509 |
510 | ### Functionality tests ###
511 |
512 | Unit tests are great, but sometimes it's nice to actually run the code in order
513 | to see if everything is setup properly and that the software is working as
514 | expected.
515 |
516 | This repository does not have automated functionality tests, but it has a
517 | `Vagrantfile` that you can use to bring up a VM and run this module inside it.
518 |
519 | The `Vagrantfile` expects you to have the vagrant plugin
520 | `vagrant-librarian-puppet` installed. If you don't have it you can also
521 | download this module's requirements (see `metadata.json`) and place them inside
522 | `tests/modules/`.
523 |
524 | A couple of manifest files inside `tests/` prepare sets of use cases. You can
525 | modify the `Vagrantfile` to use any of them for provisioning the VM.
526 |
--------------------------------------------------------------------------------
/REFERENCE.md:
--------------------------------------------------------------------------------
1 | # Reference
2 |
3 |
4 |
5 | ## Table of Contents
6 |
7 | ### Classes
8 |
9 | #### Public Classes
10 |
11 | * [`fail2ban`](#fail2ban): Manage fail2ban and its configuration to jam bruteforce attempts on
12 | services running on a computer.
13 |
14 | #### Private Classes
15 |
16 | * `fail2ban::config`: Configure fail2ban service
17 | * `fail2ban::install`: Install fail2ban
18 | * `fail2ban::service`: Enable fail2ban daemon
19 |
20 | ### Defined types
21 |
22 | * [`fail2ban::action`](#fail2ban--action): Create an action for fail2ban
23 | * [`fail2ban::filter`](#fail2ban--filter): Setup a filter for fail2ban
24 | * [`fail2ban::jail`](#fail2ban--jail): Setup a fail2ban jail to reduce effectiveness of bruteforce.
25 |
26 | ### Data types
27 |
28 | * [`Fail2ban::AutoOrFlag`](#Fail2ban--AutoOrFlag): A boolean flag that can also be set to the string 'auto'.
29 | * [`Fail2ban::Backend`](#Fail2ban--Backend): Backend names that fail2ban understands Can be one of the pre-defined backend names, "systemd" with optionally a list of parameters between s
30 | * [`Fail2ban::Bantime_extra`](#Fail2ban--Bantime_extra): Optional additional bantime.* options. See manifests/init.pp for details about what each option means.
31 | * [`Fail2ban::Dbfile`](#Fail2ban--Dbfile): Where fail2ban's database gets stored. None disables storage
32 | * [`Fail2ban::Loglevel`](#Fail2ban--Loglevel): How much logging is needed from fail2ban
33 | * [`Fail2ban::Logtarget`](#Fail2ban--Logtarget): Where logs are sent
34 | * [`Fail2ban::Port`](#Fail2ban--Port): Possible values for the port parameter ports can be specified by number, but you can also pass in a comma-separated list of values in a strin
35 | * [`Fail2ban::Protocol`](#Fail2ban--Protocol): Options for protocol type This is used by the default action iptables-multiport to defined what protocol to ban for the specified ports.
36 | * [`Fail2ban::Syslogsocket`](#Fail2ban--Syslogsocket): Path to a socket for communication with syslog, or 'auto' for letting fail2ban auto-discover the path.
37 | * [`Fail2ban::Time`](#Fail2ban--Time): Time in seconds for some configuration options can be specified either in an integer number of seconds, or an abbreviation that can help spec
38 | * [`Fail2ban::Usedns`](#Fail2ban--Usedns): Possible values for usedns parameter
39 |
40 | ## Classes
41 |
42 | ### `fail2ban`
43 |
44 | fail2ban/manifests/init.pp
45 |
46 | - Copyright (C) 2007 admin@immerda.ch
47 | - Copyright (C) 2014-2018 gabster@lelutin.ca
48 |
49 | * **Note** `blocktype` is not offered as a global option since it's not a great
50 | idea to set a globally used default value for this option. It's used
51 | differently by all actions and different values are expected from each
52 | action, so it's generally recommended to override this for each action
53 | individually by creating a `.local` file in `actions.d`.
54 |
55 | * **See also**
56 | * https://github.com/fail2ban/fail2ban/blob/0.11/man/jail.conf.5
57 | * jail.conf(5)
58 |
59 | #### Examples
60 |
61 | ##### basic usage
62 |
63 | ```puppet
64 | class { 'fail2ban': }
65 | ```
66 |
67 | ##### ignore localhost and another non-routable IP
68 |
69 | ```puppet
70 | class { 'fail2ban':
71 | ignoreip => ['127.0.0.1', '10.0.0.1'],
72 | }
73 | ```
74 |
75 | #### Parameters
76 |
77 | The following parameters are available in the `fail2ban` class:
78 |
79 | * [`rm_fail2ban_local`](#-fail2ban--rm_fail2ban_local)
80 | * [`rm_jail_local`](#-fail2ban--rm_jail_local)
81 | * [`purge_fail2ban_dot_d`](#-fail2ban--purge_fail2ban_dot_d)
82 | * [`purge_jail_dot_d`](#-fail2ban--purge_jail_dot_d)
83 | * [`config_file_mode`](#-fail2ban--config_file_mode)
84 | * [`manage_service`](#-fail2ban--manage_service)
85 | * [`fail2ban_conf_template`](#-fail2ban--fail2ban_conf_template)
86 | * [`loglvl`](#-fail2ban--loglvl)
87 | * [`logtarget`](#-fail2ban--logtarget)
88 | * [`syslogsocket`](#-fail2ban--syslogsocket)
89 | * [`socket`](#-fail2ban--socket)
90 | * [`pidfile`](#-fail2ban--pidfile)
91 | * [`allowipv6`](#-fail2ban--allowipv6)
92 | * [`dbfile`](#-fail2ban--dbfile)
93 | * [`dbpurgeage`](#-fail2ban--dbpurgeage)
94 | * [`dbmaxmatches`](#-fail2ban--dbmaxmatches)
95 | * [`stacksize`](#-fail2ban--stacksize)
96 | * [`jail_conf_template`](#-fail2ban--jail_conf_template)
97 | * [`enabled`](#-fail2ban--enabled)
98 | * [`mode`](#-fail2ban--mode)
99 | * [`backend`](#-fail2ban--backend)
100 | * [`usedns`](#-fail2ban--usedns)
101 | * [`filter`](#-fail2ban--filter)
102 | * [`logpath`](#-fail2ban--logpath)
103 | * [`logencoding`](#-fail2ban--logencoding)
104 | * [`logtimezone`](#-fail2ban--logtimezone)
105 | * [`datepattern`](#-fail2ban--datepattern)
106 | * [`prefregex`](#-fail2ban--prefregex)
107 | * [`failregex`](#-fail2ban--failregex)
108 | * [`ignoreregex`](#-fail2ban--ignoreregex)
109 | * [`ignoreself`](#-fail2ban--ignoreself)
110 | * [`ignoreip`](#-fail2ban--ignoreip)
111 | * [`ignorecommand`](#-fail2ban--ignorecommand)
112 | * [`ignorecache`](#-fail2ban--ignorecache)
113 | * [`maxretry`](#-fail2ban--maxretry)
114 | * [`maxlines`](#-fail2ban--maxlines)
115 | * [`maxmatches`](#-fail2ban--maxmatches)
116 | * [`findtime`](#-fail2ban--findtime)
117 | * [`action`](#-fail2ban--action)
118 | * [`bantime`](#-fail2ban--bantime)
119 | * [`bantime_extra`](#-fail2ban--bantime_extra)
120 | * [`banaction`](#-fail2ban--banaction)
121 | * [`banaction_allports`](#-fail2ban--banaction_allports)
122 | * [`chain`](#-fail2ban--chain)
123 | * [`port`](#-fail2ban--port)
124 | * [`protocol`](#-fail2ban--protocol)
125 | * [`mta`](#-fail2ban--mta)
126 | * [`destemail`](#-fail2ban--destemail)
127 | * [`sender`](#-fail2ban--sender)
128 | * [`fail2ban_agent`](#-fail2ban--fail2ban_agent)
129 |
130 | ##### `rm_fail2ban_local`
131 |
132 | Data type: `Boolean`
133 |
134 | Force removal of file /etc/fail2ban/fail2ban.local if present.
135 |
136 | Default value: `true`
137 |
138 | ##### `rm_jail_local`
139 |
140 | Data type: `Boolean`
141 |
142 | Force removal of file /etc/fail2ban/jail.local if present.
143 |
144 | Default value: `true`
145 |
146 | ##### `purge_fail2ban_dot_d`
147 |
148 | Data type: `Boolean`
149 |
150 | Remove all unmanaged files in /etc/fail2ban/fail2ban.d/
151 |
152 | Default value: `true`
153 |
154 | ##### `purge_jail_dot_d`
155 |
156 | Data type: `Boolean`
157 |
158 | Remove all unmanaged files in /etc/fail2ban/jail.d/
159 |
160 | Default value: `true`
161 |
162 | ##### `config_file_mode`
163 |
164 | Data type: `Stdlib::Filemode`
165 |
166 | File mode set on all fail2ban configuration files managed by this module.
167 |
168 | Default value: `'0644'`
169 |
170 | ##### `manage_service`
171 |
172 | Data type: `Boolean`
173 |
174 | Manage the fail2ban service, true by default
175 |
176 | Default value: `true`
177 |
178 | ##### `fail2ban_conf_template`
179 |
180 | Data type: `String[1]`
181 |
182 | Alternative template to use for the `fail2ban.conf` file.
183 |
184 | Default value: `'fail2ban/fail2ban.conf.epp'`
185 |
186 | ##### `loglvl`
187 |
188 | Data type: `Fail2ban::Loglevel`
189 |
190 | Set fail2ban's loglevel.
191 |
192 | Default value: `'INFO'`
193 |
194 | ##### `logtarget`
195 |
196 | Data type: `Fail2ban::Logtarget`
197 |
198 | Define where fail2ban's logs are sent.
199 |
200 | Default value: `'/var/log/fail2ban.log'`
201 |
202 | ##### `syslogsocket`
203 |
204 | Data type: `Fail2ban::Syslogsocket`
205 |
206 | Path to syslog's socket file, or "auto" for automatically discovering it.
207 |
208 | Default value: `'auto'`
209 |
210 | ##### `socket`
211 |
212 | Data type: `Stdlib::Absolutepath`
213 |
214 | Path to fail2ban's own socket file. This file is used by fail2ban-client to
215 | communicate with the daemon.
216 |
217 | Default value: `'/var/run/fail2ban/fail2ban.sock'`
218 |
219 | ##### `pidfile`
220 |
221 | Data type: `Stdlib::Absolutepath`
222 |
223 | Path to fail2ban's pid file. This usually needs to be in a place where the
224 | init script or systemd unit file can find it.
225 |
226 | Default value: `'/var/run/fail2ban/fail2ban.pid'`
227 |
228 | ##### `allowipv6`
229 |
230 | Data type: `Fail2ban::AutoOrFlag`
231 |
232 | Whether or not fail2ban interfaces with IPv6 stack on the system. Defaults
233 | to `auto`. Set to boolean true or false to force allowing or disallowing,
234 | respectively.
235 |
236 | Default value: `'auto'`
237 |
238 | ##### `dbfile`
239 |
240 | Data type: `Fail2ban::Dbfile`
241 |
242 | Path to fail2ban's database file.
243 |
244 | Default value: `'/var/lib/fail2ban/fail2ban.sqlite3'`
245 |
246 | ##### `dbpurgeage`
247 |
248 | Data type: `Integer`
249 |
250 | Age of entries in fail2ban's database that get removed when performing a
251 | database purge operation.
252 |
253 | Default value: `86400`
254 |
255 | ##### `dbmaxmatches`
256 |
257 | Data type: `Integer`
258 |
259 | Number of matches stored in database per ticket.
260 |
261 | Default value: `10`
262 |
263 | ##### `stacksize`
264 |
265 | Data type: `Variant[Integer[0,0], Integer[32]]`
266 |
267 | Specifies the stack size (in KiB) to be used for subsequently created threads,
268 | and must be 0 or a positive integer value of at least 32. 0 means that
269 | fail2ban will use platform or configured default.
270 |
271 | Default value: `0`
272 |
273 | ##### `jail_conf_template`
274 |
275 | Data type: `String[1]`
276 |
277 | Alternative template to use for the `jail.conf` file.
278 |
279 | Default value: `'fail2ban/debian/jail.conf.epp'`
280 |
281 | ##### `enabled`
282 |
283 | Data type: `Boolean`
284 |
285 | Whether or not to enable jails by default. fail2ban's man page recommends
286 | to keep this to false, but by default the module purges jail.d of unknown
287 | files so it might be safe to set to true in order to avoid repeating this
288 | setting on all jails. If you set purge_jail_dot_d to false, it might be
289 | wiser to keep this to false in order to avoid enabling jails that get
290 | dropped in jail.d.
291 |
292 | Default value: `false`
293 |
294 | ##### `mode`
295 |
296 | Data type: `String`
297 |
298 | Change the default behavior for filters. Watch out however, each
299 | individual filter can define its own value and so most values are not
300 | guaranteed to be available with all filters. The mode will generally
301 | determine which regular expressions the filter will include. To know
302 | exactly which values are available in filters, you need to read their
303 | configuration files.
304 |
305 | Default value: `'normal'`
306 |
307 | ##### `backend`
308 |
309 | Data type: `Fail2ban::Backend`
310 |
311 | Default method used to get information from logs.
312 |
313 | Default value: `'auto'`
314 |
315 | ##### `usedns`
316 |
317 | Data type: `Fail2ban::Usedns`
318 |
319 | Default behaviour whether or not to resolve IPs when they are found in a
320 | log by a filter.
321 |
322 | Default value: `'warn'`
323 |
324 | ##### `filter`
325 |
326 | Data type: `String`
327 |
328 | Default name of filter to use for jails.
329 |
330 | Default value: `'%(__name__)s[mode=%(mode)s]'`
331 |
332 | ##### `logpath`
333 |
334 | Data type: `Array[String]`
335 |
336 | Array of absolute paths specifying the default path(s) to log file(s) being
337 | used by jails. This value is usually not set and logpath is defined for
338 | each jail for more clarity.
339 |
340 | Default value: `[]`
341 |
342 | ##### `logencoding`
343 |
344 | Data type: `String`
345 |
346 | Name of the encoding of log files. If set to "auto", fail2ban will use what
347 | is set in the system's locale setting.
348 |
349 | Default value: `'auto'`
350 |
351 | ##### `logtimezone`
352 |
353 | Data type: `Optional[String]`
354 |
355 | Force a timezone by default for logs that don't specify them on timestamps.
356 |
357 | Default value: `undef`
358 |
359 | ##### `datepattern`
360 |
361 | Data type: `Optional[String]`
362 |
363 | Change the default format of recognized dates. Warning: it is generally
364 | not recommended to change the global value, if at all. If you need to
365 | change the datepattern for some reason, it is usually recommended to set
366 | this parameter at filter level.
367 |
368 | Default value: `undef`
369 |
370 | ##### `prefregex`
371 |
372 | Data type: `Optional[String]`
373 |
374 | Regular expression to parse common part in every message.
375 |
376 | Default value: `undef`
377 |
378 | ##### `failregex`
379 |
380 | Data type: `Optional[Variant[String, Array[String[1]]]]`
381 |
382 | Array of regular expressions to add to all filters' failregex. This is
383 | usually not used at the global level, but it can still be set.
384 |
385 | Default value: `undef`
386 |
387 | ##### `ignoreregex`
388 |
389 | Data type: `Optional[Variant[String, Array[String[1]]]]`
390 |
391 | Array of regular expressions to add to all filters' ignoreregex. This is
392 | usually not used at the global level, but could be useful to have something
393 | excluded from bans everywhere.
394 |
395 | Default value: `undef`
396 |
397 | ##### `ignoreself`
398 |
399 | Data type: `Boolean`
400 |
401 | If set to false, fail2ban will not ignore IP addresses that are bound to
402 | interfaces on the host.
403 |
404 | Default value: `true`
405 |
406 | ##### `ignoreip`
407 |
408 | Data type: `Array[String, 0]`
409 |
410 | Default list of IPs or CIDR prefixes that should not get banned.
411 |
412 | Default value: `['127.0.0.1']`
413 |
414 | ##### `ignorecommand`
415 |
416 | Data type: `Optional[String]`
417 |
418 | Default command used to determine if an IP should be exempted from being
419 | banned.
420 |
421 | Default value: `undef`
422 |
423 | ##### `ignorecache`
424 |
425 | Data type: `Optional[String]`
426 |
427 | If set, caches the results from `ignoreip`, `ignoreself` and
428 | `ignorecommand` for a set amount of time to avoid calling `ignorecommand`
429 | repeatedly.
430 |
431 | Default value: `undef`
432 |
433 | ##### `maxretry`
434 |
435 | Data type: `Integer[1]`
436 |
437 | Default number of times an IP should be detected by a filter during findtime
438 | for it to get banned.
439 |
440 | Default value: `3`
441 |
442 | ##### `maxlines`
443 |
444 | Data type: `Optional[Integer[1]]`
445 |
446 | Default number of lines to buffer for regex search. Used for multi-line
447 | regexes. Note that it is rather unusual to set a default global value for
448 | this; it is usually set on a filter itself instead.
449 |
450 | Default value: `undef`
451 |
452 | ##### `maxmatches`
453 |
454 | Data type: `Variant[Integer[1], String]`
455 |
456 | Number of matches stored in ticket.
457 |
458 | Default value: `'%(maxretry)s'`
459 |
460 | ##### `findtime`
461 |
462 | Data type: `Fail2ban::Time`
463 |
464 | Default interval during which to count occurrences of an IP.
465 |
466 | Default value: `'10m'`
467 |
468 | ##### `action`
469 |
470 | Data type: `Variant[String, Array[String, 1]]`
471 |
472 | List of default actions that get called when an IP triggers maxretry number
473 | of times a filter within findtime.
474 |
475 | Default value: `['%(action_)s']`
476 |
477 | ##### `bantime`
478 |
479 | Data type: `Fail2ban::Time`
480 |
481 | Default duration in number of seconds to ban an IP address for.
482 |
483 | Default value: `'10m'`
484 |
485 | ##### `bantime_extra`
486 |
487 | Data type: `Optional[Fail2ban::Bantime_extra]`
488 |
489 | Set of additional optional settings relating to bantime. The keys in this
490 | structure are set in the configuration file as `bantime.$key`. The
491 | different possible keys are:
492 | * increment: boolean. set to true to make IP search happen across all
493 | jails instead of only the one being processed.
494 | * maxtime: string. maximum number of seconds that the formula (see below)
495 | can reach.
496 | * rndtime: string. upper bounds in seconds for ban time randomization (to
497 | prevent bots from guessing the exact ban time)
498 | * formula: string. python mathematical expression used for calculating
499 | next value of ban time. The values provided by the formula are
500 | multiplied by `bantime` and by the factor exponent coefficient to give
501 | the actual amount of time that an IP gets banned.
502 | * factor: string. coefficient to calculate exponent growing of the
503 | ban times. The default value is 1, thus the bantime grows by 1, 2, 4,
504 | 8, 16...
505 | * multipliers: string. if set, used to calculate the next ban times
506 | instead of the formula. numbers are used sequentially until the last
507 | one is reached, at which point the same value will be used for all
508 | subsequent bantimes.
509 | * overalljails: boolean. if set to true, search for IP in the database
510 | will be done across all jails instead of only the currently processed
511 | jail.
512 |
513 | Default value: `undef`
514 |
515 | ##### `banaction`
516 |
517 | Data type: `String`
518 |
519 | Default action name extrapolated when defining some of the default actions.
520 |
521 | Default value: `'iptables-multiport'`
522 |
523 | ##### `banaction_allports`
524 |
525 | Data type: `String`
526 |
527 | Default action name that can be extrapolated when defining some of the
528 | default actions. This one is meant to ban all ports at once instead of
529 | specific ones.
530 |
531 | Default value: `'iptables-allports'`
532 |
533 | ##### `chain`
534 |
535 | Data type: `String`
536 |
537 | Default name of the iptables chain used by iptables-based actions.
538 |
539 | Default value: `'INPUT'`
540 |
541 | ##### `port`
542 |
543 | Data type: `Fail2ban::Port`
544 |
545 | Default comma separated list of ports, port names or port ranges used by
546 | actions when banning an IP.
547 |
548 | Default value: `'0:65535'`
549 |
550 | ##### `protocol`
551 |
552 | Data type: `Fail2ban::Protocol`
553 |
554 | Default protocol name used by actions.
555 |
556 | Default value: `'tcp'`
557 |
558 | ##### `mta`
559 |
560 | Data type: `String`
561 |
562 | Default program name used for sending out email by actions that do so.
563 |
564 | Default value: `'sendmail'`
565 |
566 | ##### `destemail`
567 |
568 | Data type: `String`
569 |
570 | Default email address used as recipient by actions that send out emails.
571 |
572 | Default value: `'root@localhost'`
573 |
574 | ##### `sender`
575 |
576 | Data type: `String`
577 |
578 | Default email address set as sender by actions that send out emails.
579 |
580 | Default value: `'root@localhost'`
581 |
582 | ##### `fail2ban_agent`
583 |
584 | Data type: `String`
585 |
586 | User-agent sent on HTTP requests that are made by some actions.
587 |
588 | Default value: `'Fail2Ban/%(fail2ban_version)s'`
589 |
590 | ## Defined types
591 |
592 | ### `fail2ban::action`
593 |
594 | fail2ban/manifests/action.pp
595 |
596 | - Copyright (C) 2014-2019 gabster@lelutin.ca
597 |
598 | Actions define what fail2ban should do when it finds mischief happening in
599 | logs. Usually, an action defines commands that should be run during
600 | setup/teardown and commands for when a ban or an unban happen. Using actions
601 | you can make fail2ban do whatever you want, from creating an iptables rule to
602 | calling out to your edge server API to create a rule there instead.
603 |
604 | * **See also**
605 | * jail.conf(5)
606 |
607 | #### Examples
608 |
609 | ##### defining a new action to call out to a REST API
610 |
611 | ```puppet
612 | fail2ban::action { 'rest_api':
613 | ensure => present,
614 | actionban => ['curl -s -X PUT http://yourapi:8080/theapi/v4/firewall/rules -H "Content-Type:application/json" -H "Authorization: ..." -d "{\"ban\": \"\"}"'],
615 | actionunban => ['curl -s -X DELETE http://yourapi:8080/theapi/v4/firewall/rules/1 -H "Authorization: ..."'],
616 | }
617 | ```
618 |
619 | #### Parameters
620 |
621 | The following parameters are available in the `fail2ban::action` defined type:
622 |
623 | * [`ensure`](#-fail2ban--action--ensure)
624 | * [`config_file_mode`](#-fail2ban--action--config_file_mode)
625 | * [`timeout`](#-fail2ban--action--timeout)
626 | * [`init`](#-fail2ban--action--init)
627 | * [`includes`](#-fail2ban--action--includes)
628 | * [`includes_after`](#-fail2ban--action--includes_after)
629 | * [`additional_defs`](#-fail2ban--action--additional_defs)
630 | * [`actionban`](#-fail2ban--action--actionban)
631 | * [`actionunban`](#-fail2ban--action--actionunban)
632 | * [`actioncheck`](#-fail2ban--action--actioncheck)
633 | * [`actionstart`](#-fail2ban--action--actionstart)
634 | * [`actionstop`](#-fail2ban--action--actionstop)
635 |
636 | ##### `ensure`
637 |
638 | Data type: `Enum['present', 'absent']`
639 |
640 | Whether the resources should be installed or removed.
641 |
642 | Default value: `'present'`
643 |
644 | ##### `config_file_mode`
645 |
646 | Data type: `String`
647 |
648 | Permission mode given to the filter file created by this defined type.
649 |
650 | Default value: `'0644'`
651 |
652 | ##### `timeout`
653 |
654 | Data type: `Optional[Integer[1]]`
655 |
656 | Special tag in the Init section that, if present, defines the maximum
657 | period of time in seconds that an action command can be executed before
658 | being killed.
659 |
660 | Default value: `undef`
661 |
662 | ##### `init`
663 |
664 | Data type: `Array[String]`
665 |
666 | List of arbitrary lines that will be a part of the [Init] section. All
667 | tags (variables) defined in this section can be overridden by any
668 | individual jail to change the action's behaviour.
669 |
670 | Default value: `[]`
671 |
672 | ##### `includes`
673 |
674 | Data type: `Array[String]`
675 |
676 | List of files to include before considering the rest of the action
677 | definition. These files can declare variables used by the action to set
678 | default or common behaviours.
679 |
680 | Default value: `[]`
681 |
682 | ##### `includes_after`
683 |
684 | Data type: `Array[String]`
685 |
686 | List of files to include after action definition.
687 |
688 | Default value: `[]`
689 |
690 | ##### `additional_defs`
691 |
692 | Data type: `Array[String]`
693 |
694 | List of arbitrary lines that should appear at the beginning of the action's
695 | definition section, for anything that didn't fit in other parameters. Each
696 | item in the list is output on its own line in the action file. No syntax
697 | checking is done.
698 |
699 | Default value: `[]`
700 |
701 | ##### `actionban`
702 |
703 | Data type: `Array[String[1], 1]`
704 |
705 | List of commands that are executed when fail2ban has found too many
706 | matches for a given IP address.
707 |
708 | ##### `actionunban`
709 |
710 | Data type: `Array[String[1], 1]`
711 |
712 | List of commands that are executed after `bantime` has elapsed.
713 |
714 | ##### `actioncheck`
715 |
716 | Data type: `Array[String[1]]`
717 |
718 | List of commands that are run by fail2ban before any other action to
719 | verify that the environment (or setup) is still in good shape.
720 |
721 | Default value: `[]`
722 |
723 | ##### `actionstart`
724 |
725 | Data type: `Array[String[1]]`
726 |
727 | List of commands that are executed when the jail is started.
728 |
729 | Default value: `[]`
730 |
731 | ##### `actionstop`
732 |
733 | Data type: `Array[String[1]]`
734 |
735 | List of commands that are executed when the jail is stopped.
736 |
737 | Default value: `[]`
738 |
739 | ### `fail2ban::filter`
740 |
741 | fail2ban/manifests/filter.pp
742 |
743 | - Copyright (C) 2014-2018 gabster@lelutin.ca
744 |
745 | Filters are how fail2ban detects mischief in logs. They contain regular
746 | expressions that should catch bad activity and identify the IP that is doing
747 | this activity.
748 |
749 | * **See also**
750 | * https://fail2ban.readthedocs.io/en/latest/filters.html
751 | * https://github.com/fail2ban/fail2ban/blob/0.11/man/jail.conf.5
752 | * jail.conf(5)
753 |
754 | #### Examples
755 |
756 | ##### defining filter for jenkins
757 |
758 | ```puppet
759 | fail2ban::filter { 'jenkins':
760 | failregexes => [
761 | # Those regexes are really arbitrary examples.
762 | 'Invalid login to Jenkins by user mooh by IP \'\'',
763 | 'Forced entry trial by ',
764 | ],
765 | }
766 | ```
767 |
768 | #### Parameters
769 |
770 | The following parameters are available in the `fail2ban::filter` defined type:
771 |
772 | * [`filter_template`](#-fail2ban--filter--filter_template)
773 | * [`failregexes`](#-fail2ban--filter--failregexes)
774 | * [`ensure`](#-fail2ban--filter--ensure)
775 | * [`config_file_mode`](#-fail2ban--filter--config_file_mode)
776 | * [`init`](#-fail2ban--filter--init)
777 | * [`includes`](#-fail2ban--filter--includes)
778 | * [`includes_after`](#-fail2ban--filter--includes_after)
779 | * [`additional_defs`](#-fail2ban--filter--additional_defs)
780 | * [`prefregex`](#-fail2ban--filter--prefregex)
781 | * [`ignoreregexes`](#-fail2ban--filter--ignoreregexes)
782 | * [`maxlines`](#-fail2ban--filter--maxlines)
783 | * [`datepattern`](#-fail2ban--filter--datepattern)
784 | * [`journalmatch`](#-fail2ban--filter--journalmatch)
785 |
786 | ##### `filter_template`
787 |
788 | Data type: `String[1]`
789 |
790 | Path to the epp template given to the epp() function in order to render
791 | the filter file.
792 |
793 | Default value: `'fail2ban/filter.epp'`
794 |
795 | ##### `failregexes`
796 |
797 | Data type: `Array[String, 1]`
798 |
799 | List of regular expressions that will be run against new log lines as they
800 | reach fail2ban. The regular expressions follow the Python regular
801 | expression format, and there are some special patterns that fail2ban can
802 | use. See the jail.conf(5) man page for more details. Each item in the list
803 | is placed on its own line. Lines starting with the second one are prepended
804 | with spaces so that the regular expressions line up with the beginning of
805 | the first one.
806 |
807 | ##### `ensure`
808 |
809 | Data type: `Enum['present', 'absent']`
810 |
811 | Whether the resources should be installed or removed.
812 |
813 | Default value: `'present'`
814 |
815 | ##### `config_file_mode`
816 |
817 | Data type: `String`
818 |
819 | Permission mode given to the filter file created by this defined type.
820 |
821 | Default value: `'0644'`
822 |
823 | ##### `init`
824 |
825 | Data type: `Array[String]`
826 |
827 | List of arbitrary lines that should appear in the optional filter
828 | Init section. Variable definitions in the Init section can be overridden by
829 | users in *.local files. Each item in the list is output on its own line in
830 | the filter file. No syntax checking is done.
831 |
832 | Default value: `[]`
833 |
834 | ##### `includes`
835 |
836 | Data type: `Array[String, 0]`
837 |
838 | List of files to include before considering the rest of the filter
839 | definition. These files can declare variables used by the filter to set
840 | default behaviours.
841 |
842 | Default value: `[]`
843 |
844 | ##### `includes_after`
845 |
846 | Data type: `Array[String, 0]`
847 |
848 | List of files to include after filter definition.
849 |
850 | Default value: `[]`
851 |
852 | ##### `additional_defs`
853 |
854 | Data type: `Array[String, 0]`
855 |
856 | List of arbitrary lines that should appear at the beginning of the filter's
857 | definition section, for anything that didn't fit in other parameters. Each
858 | item in the list is output on its own line in the filter file. No syntax
859 | checking is done.
860 |
861 | Default value: `[]`
862 |
863 | ##### `prefregex`
864 |
865 | Data type: `Optional[String]`
866 |
867 | If this is set, it contains a regular expression that should be used to
868 | parse (after datepattern found a match) a common part to all messages that
869 | can then match a smaller failregex or ignoreregex. If this regex does not
870 | match, then failregex or ignoreregex are not even tried.
871 |
872 | Default value: `undef`
873 |
874 | ##### `ignoreregexes`
875 |
876 | Data type: `Array[String, 0]`
877 |
878 | List of Python regular expressions that should prevent a log line from
879 | being considered for banning. If a line matches regular expressions
880 | contained in this parameter, they are ignored even though they would have
881 | matched a failregex. Each item in the list is placed on its own line. Lines
882 | starting with the second one are prepended with spaces so that the regular
883 | expressions line up with the beginning of the first one.
884 |
885 | Default value: `[]`
886 |
887 | ##### `maxlines`
888 |
889 | Data type: `Optional[Integer[1]]`
890 |
891 | Maximum number of lines that fail2ban should buffer for matching
892 | multi-line regexes.
893 |
894 | Default value: `undef`
895 |
896 | ##### `datepattern`
897 |
898 | Data type: `Optional[String]`
899 |
900 | Custom date pattern/regex for the log file. This is useful if dates use a
901 | non-standard formatting.
902 |
903 | Default value: `undef`
904 |
905 | ##### `journalmatch`
906 |
907 | Data type: `Optional[String]`
908 |
909 | If the log backend is set to systemd, this specifies a matching pattern to
910 | filter journal entries.
911 |
912 | Default value: `undef`
913 |
914 | ### `fail2ban::jail`
915 |
916 | fail2ban/manifests/jail.pp
917 |
918 | - Copyright (C) 2014-2018 gabster@lelutin.ca
919 |
920 | Jails are the top level of fail2ban configuration; they are what you'll use
921 | most often to set up protection of a service against bruteforce attempts or
922 | pesky attack traffic. They rely on a filter to find out which IPs are doing
923 | mischief, and then use an action to ban (and subsequently unban) those IPs.
924 |
925 | Most parameters of this defined type are used for overriding what has been
926 | set in the global context in jail.conf/jail.local (see parameters to the
927 | fail2ban class). They are not mandatory if you can reuse the global values.
928 |
929 | * **See also**
930 | * https://github.com/fail2ban/fail2ban/blob/0.11/man/jail.conf.5
931 | * jail.conf(5)
932 |
933 | #### Examples
934 |
935 | ##### creating simple jail for service
936 |
937 | ```puppet
938 | fail2ban::jail { 'honeypot':
939 | findtime => 300,
940 | maxretry => 1,
941 | port => 'all',
942 | logpath => ['/var/log/honeypot.log'],
943 | }
944 | ```
945 |
946 | ##### using a pre-defined jail
947 |
948 | ```puppet
949 | $ssh_params = lookup('fail2ban::jail::sshd')
950 | fail2ban::jail { 'sshd':
951 | * => $ssh_params,
952 | }
953 | ```
954 |
955 | ##### overriding parameters from a pre-defined jail
956 |
957 | ```puppet
958 | $ssh_extra_params = {
959 | 'bantime' => 300,
960 | 'findtime' => 200,
961 | 'maxretry' => 3,
962 | }
963 | $ssh_params = lookup('fail2ban::jail::sshd') + $ssh_extra_params
964 | fail2ban::jail { 'sshd':
965 | * => $ssh_params,
966 | }
967 | ```
968 |
969 | #### Parameters
970 |
971 | The following parameters are available in the `fail2ban::jail` defined type:
972 |
973 | * [`ensure`](#-fail2ban--jail--ensure)
974 | * [`config_file_mode`](#-fail2ban--jail--config_file_mode)
975 | * [`enabled`](#-fail2ban--jail--enabled)
976 | * [`mode`](#-fail2ban--jail--mode)
977 | * [`backend`](#-fail2ban--jail--backend)
978 | * [`usedns`](#-fail2ban--jail--usedns)
979 | * [`filter`](#-fail2ban--jail--filter)
980 | * [`logpath`](#-fail2ban--jail--logpath)
981 | * [`logencoding`](#-fail2ban--jail--logencoding)
982 | * [`logtimezone`](#-fail2ban--jail--logtimezone)
983 | * [`datepattern`](#-fail2ban--jail--datepattern)
984 | * [`prefregex`](#-fail2ban--jail--prefregex)
985 | * [`failregex`](#-fail2ban--jail--failregex)
986 | * [`ignoreregex`](#-fail2ban--jail--ignoreregex)
987 | * [`ignoreself`](#-fail2ban--jail--ignoreself)
988 | * [`ignoreip`](#-fail2ban--jail--ignoreip)
989 | * [`ignorecommand`](#-fail2ban--jail--ignorecommand)
990 | * [`ignorecache`](#-fail2ban--jail--ignorecache)
991 | * [`maxretry`](#-fail2ban--jail--maxretry)
992 | * [`maxlines`](#-fail2ban--jail--maxlines)
993 | * [`maxmatches`](#-fail2ban--jail--maxmatches)
994 | * [`findtime`](#-fail2ban--jail--findtime)
995 | * [`action`](#-fail2ban--jail--action)
996 | * [`bantime`](#-fail2ban--jail--bantime)
997 | * [`bantime_extra`](#-fail2ban--jail--bantime_extra)
998 | * [`banaction`](#-fail2ban--jail--banaction)
999 | * [`banaction_allports`](#-fail2ban--jail--banaction_allports)
1000 | * [`chain`](#-fail2ban--jail--chain)
1001 | * [`port`](#-fail2ban--jail--port)
1002 | * [`protocol`](#-fail2ban--jail--protocol)
1003 | * [`mta`](#-fail2ban--jail--mta)
1004 | * [`destemail`](#-fail2ban--jail--destemail)
1005 | * [`sender`](#-fail2ban--jail--sender)
1006 | * [`fail2ban_agent`](#-fail2ban--jail--fail2ban_agent)
1007 | * [`additional_options`](#-fail2ban--jail--additional_options)
1008 |
1009 | ##### `ensure`
1010 |
1011 | Data type: `Enum['present','absent']`
1012 |
1013 | Whether resources for the defined jail should be installed or removed.
1014 |
1015 | Default value: `'present'`
1016 |
1017 | ##### `config_file_mode`
1018 |
1019 | Data type: `String`
1020 |
1021 | Permission mode given to the jail file created by this defined type.
1022 |
1023 | Default value: `'0644'`
1024 |
1025 | ##### `enabled`
1026 |
1027 | Data type: `Boolean`
1028 |
1029 | Whether or not a jail is enabled. Setting this to false makes it possible
1030 | to keep configuration around for a certain jail but temporarily disable it.
1031 |
1032 | Default value: `true`
1033 |
1034 | ##### `mode`
1035 |
1036 | Data type: `Optional[String]`
1037 |
1038 | Change the behavior of the filter used by this jail. The mode will
1039 | generally determine which regular expressions the filter will include. The
1040 | values that this can take are determined by each individual filter. To know
1041 | exactly which values are available in filters, you need to read their
1042 | configuration files.
1043 |
1044 | Default value: `undef`
1045 |
1046 | ##### `backend`
1047 |
1048 | Data type: `Optional[Fail2ban::Backend]`
1049 |
1050 | Method used by fail2ban to obtain new log lines from the log file(s) in
1051 | logpath.
1052 |
1053 | Default value: `undef`
1054 |
1055 | ##### `usedns`
1056 |
1057 | Data type: `Optional[Fail2ban::Usedns]`
1058 |
1059 | Whether or not to resolve DNS hostname of IPs that have been found by a
1060 | failregex.
1061 |
1062 | Default value: `undef`
1063 |
1064 | ##### `filter`
1065 |
1066 | Data type: `Optional[String]`
1067 |
1068 | Name of the filter to use for this jail. The default value for the filter
1069 | is usually to use a filter with the same name as the jail name (although
1070 | this could be changed by the filter parameter on the fail2ban class).
1071 |
1072 | Default value: `undef`
1073 |
1074 | ##### `logpath`
1075 |
1076 | Data type: `Array[String]`
1077 |
1078 | Array of absolute paths to the log files against which regular expressions
1079 | should be verified to catch activity that you want to block. This
1080 | parameter must be set to a non-empty array when not using the 'systemd'
1081 | backend, however it must be empty if the 'systemd' backend is used.
1082 |
1083 | Default value: `[]`
1084 |
1085 | ##### `logencoding`
1086 |
1087 | Data type: `Optional[String]`
1088 |
1089 | Name of the encoding of log files. If set to "auto", fail2ban will use what
1090 | is set in the system's locale setting.
1091 |
1092 | Default value: `undef`
1093 |
1094 | ##### `logtimezone`
1095 |
1096 | Data type: `Optional[String]`
1097 |
1098 | Force a timezone to use when the log timestamps don't include one.
1099 |
1100 | Default value: `undef`
1101 |
1102 | ##### `datepattern`
1103 |
1104 | Data type: `Optional[String]`
1105 |
1106 | Change the format of dates recognized by the filter this jail uses.
1107 |
1108 | Default value: `undef`
1109 |
1110 | ##### `prefregex`
1111 |
1112 | Data type: `Optional[String[1]]`
1113 |
1114 | Regular expression to parse common part in every message for this jail.
1115 |
1116 | Default value: `undef`
1117 |
1118 | ##### `failregex`
1119 |
1120 | Data type: `Optional[Array[String[1]]]`
1121 |
1122 | Regular expressions to add to the failregex of the filter used by this
1123 | jail.
1124 |
1125 | Default value: `undef`
1126 |
1127 | ##### `ignoreregex`
1128 |
1129 | Data type: `Optional[Array[String[1]]]`
1130 |
1131 | Regular expressions to add to the ignoreregex of the filter used by this
1132 | jail.
1133 |
1134 | Default value: `undef`
1135 |
1136 | ##### `ignoreself`
1137 |
1138 | Data type: `Optional[Boolean]`
1139 |
1140 | If set to false, fail2ban will no longer ignore, for this jail, the IP
1141 | addresses bound to the host's own interfaces, so matches coming from those
1141 | addresses can lead to a ban.
1142 |
1143 | Default value: `undef`
1144 |
1145 | ##### `ignoreip`
1146 |
1147 | Data type: `Optional[Array[String, 1]]`
1148 |
1149 | List of IPs or CIDR prefixes to ignore when identifying matches of
1150 | failregex. The IPs that fit the descriptions in this parameter will never
1151 | get banned by the jail.
1152 |
1153 | Default value: `undef`
1154 |
1155 | ##### `ignorecommand`
1156 |
1157 | Data type: `Optional[String]`
1158 |
1159 | Command used to determine whether an IP found by a failregex should be
1160 | ignored. This can be used to have a more complex and dynamic method of
1161 | listing and identifying IPs that should not get banned. It can also be used
1162 | when ignoreip is present.
1163 |
1164 | Default value: `undef`
1165 |
1166 | ##### `ignorecache`
1167 |
1168 | Data type: `Optional[String]`
1169 |
1170 | If set, caches the results from `ignoreip`, `ignoreself` and
1171 | `ignorecommand` for a set amount of time to avoid calling `ignorecommand`
1172 | repeatedly.
1173 |
1174 | Default value: `undef`
1175 |
1176 | ##### `maxretry`
1177 |
1178 | Data type: `Optional[Integer[1]]`
1179 |
1180 | Number of failregex matches during findtime after which an IP gets banned.
1181 |
1182 | Default value: `undef`
1183 |
1184 | ##### `maxlines`
1185 |
1186 | Data type: `Optional[Integer[1]]`
1187 |
1188 | Number of lines to buffer for filter's regex search when looking for
1189 | multi-line regex matches.
1190 |
1191 | Default value: `undef`
1192 |
1193 | ##### `maxmatches`
1194 |
1195 | Data type: `Optional[Variant[Integer[1], String]]`
1196 |
1197 | Number of matches stored in ticket.
1198 |
1199 | Default value: `undef`
1200 |
1201 | ##### `findtime`
1202 |
1203 | Data type: `Optional[Fail2ban::Time]`
1204 |
1205 | Time window in seconds: an IP gets banned once maxretry matches have
1206 | happened within it.
1207 |
1208 | Default value: `undef`
1209 |
1210 | ##### `action`
1211 |
1212 | Data type: `Optional[Variant[String, Array[String, 1]]]`
1213 |
1214 | List of actions that should be used to ban and unban IPs when maxretry
1215 | matches of failregex have happened for an IP during findtime.
1216 |
1217 | Default value: `undef`
1218 |
1219 | ##### `bantime`
1220 |
1221 | Data type: `Optional[Fail2ban::Time]`
1222 |
1223 | Time period in seconds for which an IP is banned if maxretry matches of
1224 | failregex happen for the same IP during findtime.
1225 |
1226 | Default value: `undef`
1227 |
1228 | ##### `bantime_extra`
1229 |
1230 | Data type: `Optional[Fail2ban::Bantime_extra]`
1231 |
1232 | Set of additional optional settings relating to bantime. The keys in this
1233 | structure are set in the configuration file as `bantime.$key`. See the
1234 | same parameter in class fail2ban for more details on the possible values.
1235 |
1236 | Default value: `undef`
1237 |
1238 | ##### `banaction`
1239 |
1240 | Data type: `Optional[String]`
1241 |
1242 | Name of the action that is interpolated in default action definitions, or
1243 | in the action param. This can let you override the action name but keep the
1244 | default parameters to the action.
1245 |
1246 | Default value: `undef`
1247 |
1248 | ##### `banaction_allports`
1249 |
1250 | Data type: `Optional[String]`
1251 |
1252 | Action name that can be interpolated by some of the default actions. This
1253 | one is meant to ban all ports at once instead of specific ones. Setting
1254 | this will change the action for this jail.
1255 |
1256 | Default value: `undef`
1257 |
1258 | ##### `chain`
1259 |
1260 | Data type: `Optional[String]`
1261 |
1262 | Name of the iptables chain used by iptables-based actions.
1263 |
1264 | Default value: `undef`
1265 |
1266 | ##### `port`
1267 |
1268 | Data type: `Optional[Fail2ban::Port]`
1269 |
1270 | Comma separated list of ports, port ranges or service names (as found in
1271 | /etc/services) that should get blocked by the ban action.
1272 |
1273 | Default value: `undef`
1274 |
1275 | ##### `protocol`
1276 |
1277 | Data type: `Optional[Fail2ban::Protocol]`
1278 |
1279 | Name of the protocol to ban using the action.
1280 |
1281 | Default value: `undef`
1282 |
1283 | ##### `mta`
1284 |
1285 | Data type: `Optional[String]`
1286 |
1287 | Program name used for sending out email by actions that do so.
1288 |
1289 | Default value: `undef`
1290 |
1291 | ##### `destemail`
1292 |
1293 | Data type: `Optional[String]`
1294 |
1295 | Email address used as recipient by actions that send out emails. Setting
1296 | this will override destemail for this jail only.
1297 |
1298 | Default value: `undef`
1299 |
1300 | ##### `sender`
1301 |
1302 | Data type: `Optional[String]`
1303 |
1304 | Email address set as sender by actions that send out emails.
1305 |
1306 | Default value: `undef`
1307 |
1308 | ##### `fail2ban_agent`
1309 |
1310 | Data type: `Optional[String]`
1311 |
1312 | User-agent sent on HTTP requests that are made by some actions.
1313 |
1314 | Default value: `undef`
1315 |
1316 | ##### `additional_options`
1317 |
1318 | Data type: `Hash[String, String]`
1319 |
1320 | Hash of additional values that should be declared for the jail. Keys
1321 | represent the jail configuration value names and hash values are placed to
1322 | the right of the "=". This can be used to declare arbitrary values for
1323 | filters or actions to use. No syntax checking is done on the contents of
1324 | this hash.
1325 | Note that any keys in this hash that correspond to a parameter name for
1326 | this defined type will get overridden by the value that the defined type's
1327 | parameter was given (e.g. if there is mode => '0600' in additional_options,
1328 | the value of mode in the file on disk will not take on the value '0600'
1329 | since there is a resource parameter that already corresponds to this key
1330 | name).
1331 |
1332 | Default value: `{}`
1333 |
1334 | ## Data types
1335 |
1336 | ### `Fail2ban::AutoOrFlag`
1337 |
1338 | A boolean flag that can also be set to the string 'auto'.
1339 |
1340 | Alias of `Variant[Boolean, Enum['auto']]`
1341 |
1342 | ### `Fail2ban::Backend`
1343 |
1344 | Backend names that fail2ban understands
1345 | Can be one of the pre-defined backend names, "systemd" optionally followed by
1346 | a list of parameters between square brackets, or a python-style variable.
1347 |
1348 | Alias of `Variant[Enum['auto','pyinotify','gamin','polling'], Pattern[/^systemd(\[.*\]$)?/], Pattern[/%\(\w+\)s/]]`
1349 |
1350 | ### `Fail2ban::Bantime_extra`
1351 |
1352 | Optional additional bantime.* options. See manifests/init.pp for details
1353 | about what each option means.
1354 |
1355 | Alias of
1356 |
1357 | ```puppet
1358 | Struct[{
1359 | Optional[increment] => Boolean,
1360 | Optional[factor] => String[1],
1361 | Optional[formula] => String[1],
1362 | Optional[multipliers] => String[1],
1363 | Optional[maxtime] => String[1],
1364 | Optional[rndtime] => String[1],
1365 | Optional[overalljails] => Boolean,
1366 | }]
1367 | ```
1368 |
1369 | ### `Fail2ban::Dbfile`
1370 |
1371 | Where fail2ban's database gets stored. The value 'None' disables storage.
1372 |
1373 | Alias of `Variant[Stdlib::Absolutepath, Enum['None']]`
1374 |
1375 | ### `Fail2ban::Loglevel`
1376 |
1377 | How much logging is needed from fail2ban
1378 |
1379 | Alias of `Enum['CRITICAL', 'ERROR', 'WARNING', 'NOTICE', 'INFO', 'DEBUG', 'TRACEDEBUG', 'HEAVYDEBUG']`
1380 |
1381 | ### `Fail2ban::Logtarget`
1382 |
1383 | Where logs are sent
1384 |
1385 | Alias of `Variant[Stdlib::Absolutepath, Enum['STDOUT', 'STDERR', 'SYSLOG', 'SYSOUT', 'SYSTEMD-JOURNAL']]`
1386 |
1387 | ### `Fail2ban::Port`
1388 |
1389 | Possible values for the port parameter
1390 | Ports can be specified by number, but you can also pass in a comma-separated
1391 | list of values in a string.
1392 | The values in the string can be port numbers (integers), a range of port
1393 | numbers in the format 'number:number', service names (looked up in
1394 | /etc/services) or 'all', which is translated to '0:65535'.
1395 |
1396 | Alias of `Variant[Integer, String]`
1397 |
1398 | ### `Fail2ban::Protocol`
1399 |
1400 | Options for protocol type
1401 | This is used by the default action iptables-multiport to define which
1402 | protocol to ban for the specified ports.
1403 |
1404 | Alias of `Enum['tcp', 'udp', 'icmp', 'all']`
1405 |
1406 | ### `Fail2ban::Syslogsocket`
1407 |
1408 | Path to a socket for communication with syslog, or 'auto' for letting
1409 | fail2ban auto-discover the path.
1410 |
1411 | Alias of `Variant[Stdlib::Absolutepath, Enum['auto']]`
1412 |
1413 | ### `Fail2ban::Time`
1414 |
1415 | Time in seconds for some configuration options can be specified either as an
1416 | integer number of seconds, or as an abbreviation that makes some time
1417 | periods easier to specify.
1418 |
1419 | Time abbreviations can be combined to make a more precise amount. For example
1420 | 1d3h20m
1421 |
1422 | * **See also**
1423 | * https://github.com/fail2ban/fail2ban/blob/master/man/jail.conf.5
1424 | * jail.conf(5)
1425 |
1426 | Alias of `Variant[Integer[1], Pattern[/^(\d+(ye(a(r(s)?)?)?|yy?|mo(n(th(s)?)?)?|we(e(k(s)?)?)?|ww?|da(y(s)?)?|dd?|ho(u(r(s)?)?)?|hh?|mi(n(ute(s)?)?)?|mm?|se(c(ond(s)?)?)?|ss?))+$/]]`
1427 |
1428 | ### `Fail2ban::Usedns`
1429 |
1430 | Possible values for usedns parameter
1431 |
1432 | Alias of `Enum['yes', 'no', 'warn', 'raw']`
1433 |
1434 |
--------------------------------------------------------------------------------
/Rakefile:
--------------------------------------------------------------------------------
# Rake entry point for this module: pulls in the standard puppetlabs_spec_helper
# tasks (validate, rubocop, spec, ...) and the puppet-syntax tasks they use.
require 'puppetlabs_spec_helper/rake_tasks'
require 'puppet-syntax/tasks/puppet-syntax'

# Temporary workaround: the keys we use in hiera for default jail data sets
# tend to trigger errors from puppet-syntax. Fixing that is going to be
# annoying.
#
# The offending keys are presumably the per-jail entries in data/common.yaml
# (e.g. `fail2ban::jail::3proxy`, `fail2ban::jail::apache-auth`), whose last
# segment starts with a digit or contains a hyphen — confirm against the
# puppet-syntax hiera key rules. Side effect worth knowing: with this off,
# the hiera key check is skipped entirely, so a mistyped key in data/ is not
# caught by the validate task and only shows up when lookup() returns nothing.
PuppetSyntax.check_hiera_keys = false
8 |
--------------------------------------------------------------------------------
/data/RedHat.yaml:
--------------------------------------------------------------------------------
---
# Hiera data for the RedHat OS family (presumably selected by the os.family
# level of hiera.yaml — confirm there). Points the fail2ban class at the RHEL
# flavour of the jail.conf template, i.e. templates/rhel/jail.conf.epp in
# this module, instead of the module-wide default.
fail2ban::jail_conf_template: 'fail2ban/rhel/jail.conf.epp'
3 |
--------------------------------------------------------------------------------
/data/common.yaml:
--------------------------------------------------------------------------------
---
## Default jails that can be used with fail2ban::jail. See the README for an
# example of how to use those structures.
#
# Each `fail2ban::jail::<name>` key holds a hash of parameters for the
# fail2ban::jail defined type, meant to be looked up and splatted into a
# resource (`* => lookup('fail2ban::jail::sshd')`). Some key names contain a
# hyphen or start with a digit (`apache-auth`, `3proxy`); that is why the
# Rakefile turns off puppet-syntax's hiera key check.
#
# `%(name)s` references are fail2ban's own python-style interpolation: they
# are resolved by fail2ban when it reads the generated jail file, not by
# Puppet/Hiera. The names used here (apache_error_log, syslog_backend, ...)
# are presumably defined in fail2ban's paths-*.conf files (see
# files/debian/paths-common.conf in this module) — confirm they exist on the
# target platform before enabling a jail that depends on one.
fail2ban::jail::3proxy:
  port: 3128
  logpath:
    - "/var/log/3proxy.log"
fail2ban::jail::apache-auth:
  port: "http,https"
  logpath:
    - "%(apache_error_log)s"
fail2ban::jail::apache-badbots:
  port: "http,https"
  logpath:
    - "%(apache_access_log)s"
  # 2 days
  bantime: 172800
  maxretry: 1
fail2ban::jail::apache-noscript:
  port: "http,https"
  logpath:
    - "%(apache_error_log)s"
fail2ban::jail::apache-overflows:
  port: "http,https"
  logpath:
    - "%(apache_error_log)s"
  maxretry: 2
fail2ban::jail::apache-nohome:
  port: "http,https"
  logpath:
    - "%(apache_error_log)s"
  maxretry: 2
fail2ban::jail::apache-botsearch:
  port: "http,https"
  logpath:
    - "%(apache_error_log)s"
  maxretry: 2
fail2ban::jail::apache-fakegooglebot:
  port: "http,https"
  logpath:
    - "%(apache_access_log)s"
  maxretry: 1
  # NOTE(review): ignorecommand runs an external script for every candidate
  # match, and this value ends in a trailing space with no argument. Upstream
  # fail2ban's jail.conf passes the <ip> tag to this script; confirm the tag
  # was not lost (e.g. stripped as markup) before relying on this jail's
  # ignore logic — without it the script has no address to check.
  ignorecommand: "%(ignorecommands_dir)s/apache-fakegooglebot "
fail2ban::jail::apache-modsecurity:
  port: "http,https"
  logpath:
    - "%(apache_error_log)s"
  maxretry: 2
fail2ban::jail::apache-shellshock:
  port: "http,https"
  logpath:
    - "%(apache_error_log)s"
  maxretry: 1
fail2ban::jail::assp:
  port: "smtp,465,submission"
  logpath:
    - "/root/path/to/assp/logs/maillog.txt"
# ports 2000, 5000 and 4520 are associated with the "skinny" module, UNISTIM,
# and the "dundi" module, respectively.
fail2ban::jail::asterisk:
  port: "5060,5061"
  logpath:
    - "/var/log/asterisk/messages"
  # Two actions (tcp and udp); the `\n ` keeps the second one as an indented
  # continuation line of the same `action =` entry in the generated ini file.
  # yamllint disable-line rule:line-length
  action: "%(default/action_)s[name=%(__name__)s-tcp, protocol=\"tcp\"]\n %(default/action_)s[name=%(__name__)s-udp, protocol=\"udp\"]"
  maxretry: 10
fail2ban::jail::bitwarden:
  port: "http,https"
  logpath:
    - "/home/*/bwdata/logs/identity/Identity/log.txt"
fail2ban::jail::centreon:
  port: "http,https"
  logpath:
    - "/var/log/centreon/login.log"
fail2ban::jail::counter-strike:
  logpath:
    - "/opt/cstrike/logs/L[0-9]*.log"
  # No `port` parameter here: the ports live in the two interpolation
  # variables below, and `action_` redefines fail2ban's default action name
  # for this jail only so that a tcp and a udp action are both generated.
  additional_options:
    tcpport: "27030,27031,27032,27033,27034,27035,27036,27037,27038,27039"
    # yamllint disable-line rule:line-length
    udpport: "1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015"
    # yamllint disable-line rule:line-length
    action_: "%(default/action_)s[name=%(__name__)s-tcp, port=\"%(tcpport)s\", protocol=\"tcp\"]\n %(default/action_)s[name=%(__name__)s-udp, port=\"%(udpport)s\", protocol=\"udp\"]"
fail2ban::jail::courier-auth:
  port: "smtp,465,submission,imap,imaps,pop3,pop3s"
  logpath:
    - "%(syslog_mail)s"
  backend: "%(syslog_backend)s"
fail2ban::jail::courier-smtp:
  port: "smtp,465,submission"
  logpath:
    - "%(syslog_mail)s"
  backend: "%(syslog_backend)s"
fail2ban::jail::cyrus-imap:
  port: "imap,imaps"
  logpath:
    - "%(syslog_mail)s"
  backend: "%(syslog_backend)s"
fail2ban::jail::directadmin:
  port: 2222
  logpath:
    - "/var/log/directadmin/login.log"
fail2ban::jail::domino-smtp:
  port: "smtp,ssmtp"
  logpath:
    - "/home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log"
fail2ban::jail::dovecot:
  port: "pop3,pop3s,imap,imaps,submission,465,sieve"
  logpath:
    - "%(dovecot_log)s"
  backend: "%(dovecot_backend)s"
fail2ban::jail::dropbear:
  port: "ssh"
  logpath:
    - "%(dropbear_log)s"
  backend: "%(dropbear_backend)s"
fail2ban::jail::drupal-auth:
  port: "http,https"
  logpath:
    - "%(syslog_daemon)s"
  backend: "%(syslog_backend)s"
fail2ban::jail::ejabberd-auth:
  port: 5222
  logpath:
    - "/var/log/ejabberd/ejabberd.log"
fail2ban::jail::exim:
  port: "smtp,465,submission"
  logpath:
    - "%(exim_main_log)s"
fail2ban::jail::exim-spam:
  port: "smtp,465,submission"
  logpath:
    - "%(exim_main_log)s"
fail2ban::jail::freeswitch:
  port: "5060,5061"
  logpath:
    - "/var/log/freeswitch.log"
  # yamllint disable-line rule:line-length
  action: "%(default/action_)s[name=%(__name__)s-tcp, protocol=\"tcp\"]\n %(default/action_)s[name=%(__name__)s-udp, protocol=\"udp\"]"
  maxretry: 10
fail2ban::jail::froxlor-auth:
  port: "http,https"
  logpath:
    - "%(syslog_authpriv)s"
  backend: "%(syslog_backend)s"
fail2ban::jail::gitlab:
  port: "http,https"
  logpath:
    - "/var/log/gitlab/gitlab-rails/application.log"
fail2ban::jail::grafana:
  port: "http,https"
  logpath:
    - "/var/log/grafana/grafana.log"
fail2ban::jail::groupoffice:
  port: "http,https"
  logpath:
    - "/home/groupoffice/log/info.log"
fail2ban::jail::gssftpd:
  port: "ftp,ftp-data,ftps,ftps-data"
  logpath:
    - "%(syslog_daemon)s"
  backend: "%(syslog_backend)s"
fail2ban::jail::guacamole:
  port: "http,https"
  logpath:
    - "/var/log/tomcat*/catalina.out"
# HAProxy by default doesn't log to file you'll need to set it up to forward
# logs to a syslog server which would then write them to disk.
# See "haproxy-http-auth" filter for a brief cautionary note when setting
# maxretry and findtime.
fail2ban::jail::haproxy-http-auth:
  logpath:
    - "/var/log/haproxy.log"
fail2ban::jail::horde:
  port: "http,https"
  logpath:
    - "/var/log/horde/horde.log"
fail2ban::jail::kerio:
  port: "imap,smtp,imaps,465"
  logpath:
    - "/opt/kerio/mailserver/store/logs/security.log"
fail2ban::jail::lighttpd-auth:
  port: "http,https"
  logpath:
    - "%(lighttpd_error_log)s"
fail2ban::jail::mongodb-auth:
  port: 27017
  logpath:
    - "/var/log/mongodb/mongodb.log"
fail2ban::jail::monit:
  port: 2812
  logpath:
    - "/var/log/monit"
    - "/var/log/monit.log"
fail2ban::jail::murmur:
  port: 64738
  # yamllint disable-line rule:line-length
  action: "%(default/action_)s[name=%(__name__)s-tcp, protocol=\"tcp\"]\n %(default/action_)s[name=%(__name__)s-udp, protocol=\"udp\"]"
  logpath:
    - "/var/log/mumble-server/mumble-server.log"
# To log wrong MySQL access attempts add to /etc/my.cnf in [mysqld] or
# equivalent section:
# log-warning = 2
#
# for syslog (daemon facility)
# [mysqld_safe]
# syslog
#
# for own logfile
# [mysqld]
# log-error=/var/log/mysqld.log
fail2ban::jail::mysqld-auth:
  port: 3306
  logpath:
    - "%(mysql_log)s"
  backend: "%(mysql_backend)s"
# consider low maxretry and a long bantime
# nobody except your own Nagios server should ever probe nrpe
fail2ban::jail::nagios:
  logpath:
    # nrpe.cfg may define a different log_facility
    - "%(syslog_daemon)s"
  backend: "%(syslog_backend)s"
  maxretry: 1
fail2ban::jail::named-refused:
  port: "domain,953"
  logpath:
    - "/var/log/named/security.log"
fail2ban::jail::nginx-http-auth:
  port: "http,https"
  logpath:
    - "%(nginx_error_log)s"
# To use 'nginx-limit-req' jail you should have `ngx_http_limit_req_module`
# and define `limit_req` and `limit_req_zone` as described in nginx
# documentation:
# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html
# or for example see in 'config/filter.d/nginx-limit-req.conf'
fail2ban::jail::nginx-limit-req:
  port: "http,https"
  logpath:
    - "%(nginx_error_log)s"
fail2ban::jail::nginx-botsearch:
  port: "http,https"
  logpath:
    - "%(nginx_error_log)s"
  maxretry: 2
fail2ban::jail::nsd:
  port: 53
  # yamllint disable-line rule:line-length
  action: "%(default/action_)s[name=%(__name__)s-tcp, protocol=\"tcp\"]\n %(default/action_)s[name=%(__name__)s-udp, protocol=\"udp\"]"
  logpath:
    - "/var/log/nsd.log"
fail2ban::jail::openhab-auth:
  filter: "openhab"
  action: "%(banaction_allports)s"
  logpath:
    - "/opt/openhab/logs/request.log"
fail2ban::jail::openwebmail:
  port: "http,https"
  logpath:
    - "/var/log/openwebmail.log"
fail2ban::jail::oracleims:
  logpath:
    - "/opt/sun/comms/messaging64/log/mail.log_current"
  banaction: "%(banaction_allports)s"
fail2ban::jail::pam-generic:
  banaction: "%(banaction_allports)s"
  logpath:
    - "%(syslog_authpriv)s"
  backend: "%(syslog_backend)s"
# Port-knocking style jail with inverted semantics: a "ban" inserts a RETURN
# rule (blocktype) that opens the ftp ports for the IP that requested
# knocking_url, and the "unban" puts the DROP (returntype) back. findtime and
# bantime below therefore control how long the ports stay open, not how long
# an attacker is blocked. Only enable it when the rest of the ruleset really
# drops ftp by default, otherwise it does nothing useful.
fail2ban::jail::pass2allow-ftp:
  port: "ftp,ftp-data,ftps,ftps-data"
  filter: "apache-pass[knocking_url=\"%(knocking_url)s\"]"
  # yamllint disable-line rule:line-length
  action: "%(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s,\n actionstart_on_demand=false, actionrepair_on_unban=true]"
  logpath:
    - "%(apache_access_log)s"
  # 1h
  bantime: 3600
  maxretry: 1
  findtime: 1
  additional_options:
    knocking_url: "/knocking/"
    blocktype: "RETURN"
    returntype: "DROP"
fail2ban::jail::perdition:
  port: "imap,imaps,pop3,pop3s"
  logpath:
    - "%(syslog_mail)s"
  backend: "%(syslog_backend)s"
fail2ban::jail::php-url-fopen:
  port: "http,https"
  logpath:
    - "%(nginx_access_log)s"
    - "%(apache_access_log)s"
fail2ban::jail::phpmyadmin-syslog:
  port: "http,https"
  logpath:
    - "%(syslog_authpriv)s"
  backend: "%(syslog_backend)s"
fail2ban::jail::portsentry:
  logpath:
    - "/var/lib/portsentry/portsentry.history"
  maxretry: 1
fail2ban::jail::postfix:
  mode: "more"
  port: "smtp,465,submission"
  logpath:
    - "%(postfix_log)s"
  backend: "%(postfix_backend)s"
fail2ban::jail::postfix-rbl:
  filter: "postfix[mode=rbl]"
  port: "smtp,465,submission"
  logpath:
    - "%(postfix_log)s"
  backend: "%(postfix_backend)s"
  maxretry: 1
fail2ban::jail::postfix-sasl:
  filter: "postfix[mode=auth]"
  logpath:
    - "%(postfix_log)s"
  backend: "%(postfix_backend)s"
fail2ban::jail::proftpd:
  port: "ftp,ftp-data,ftps,ftps-data"
  logpath:
    - "%(proftpd_log)s"
  backend: "%(proftpd_backend)s"
fail2ban::jail::pure-ftpd:
  port: "ftp,ftp-data,ftps,ftps-data"
  logpath:
    - "%(pureftpd_log)s"
  backend: "%(pureftpd_backend)s"
fail2ban::jail::qmail-rbl:
  filter: "qmail"
  port: "smtp,465,submission"
  logpath:
    - "/service/qmail/log/main/current"
# Jail for more extended banning of persistent abusers
# !!! WARNINGS !!!
# 1. Make sure that your loglevel specified in fail2ban.conf/.local
# is not at DEBUG level -- which might then cause fail2ban to fall into
# an infinite loop constantly feeding itself with non-informative lines
# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)
# to maintain entries for failed logins for sufficient amount of time
#
# This jail reads fail2ban's own log, so it only works when the fail2ban
# class's logtarget is the file below (not STDOUT/SYSLOG/SYSTEMD-JOURNAL).
# A hit bans the address on all ports for a week: make sure ignoreip covers
# your own management addresses before enabling it.
fail2ban::jail::recidive:
  logpath:
    - "/var/log/fail2ban.log"
  banaction: "%(banaction_allports)s"
  # 1 week
  bantime: 604800
  # 1 day
  findtime: 86400
fail2ban::jail::roundcube-auth:
  port: "http,https"
  logpath:
    - "%(roundcube_errors_log)s"
# For Mac OS Screen Sharing Service (VNC)
fail2ban::jail::screensharing:
  logpath:
    - "/var/log/system.log"
  logencoding: "utf-8"
fail2ban::jail::selinux-ssh:
  port: "ssh"
  logpath:
    - "%(auditd_log)s"
fail2ban::jail::sendmail-auth:
  port: "submission,465,smtp"
  logpath:
    - "%(syslog_mail)s"
  backend: "%(syslog_backend)s"
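fail2ban::jail::sendmail-reject:
  port: "smtp,465,submission"
  # logpath is declared as Array[String] on fail2ban::jail, so it must be a
  # list here like in every other jail of this file; a bare string fails the
  # parameter type check as soon as this hash is splatted into the resource.
  logpath:
    - "%(syslog_mail)s"
  backend: "%(syslog_backend)s"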
fail2ban::jail::sieve:
  port: "smtp,465,submission"
  logpath:
    - "%(dovecot_log)s"
  backend: "%(dovecot_backend)s"
fail2ban::jail::slapd:
  port: "ldap,ldaps"
  logpath:
    - "/var/log/slapd.log"
fail2ban::jail::softethervpn:
  port: "500,4500"
  # The only jail in this file that overrides the protocol: the default
  # actions ban tcp, which would leave these udp ports open.
  protocol: "udp"
  logpath:
    - "/usr/local/vpnserver/security_log/*/sec.log"
fail2ban::jail::sogo-auth:
  port: "http,https"
  logpath:
    - "/var/log/sogo/sogo.log"
fail2ban::jail::solid-pop3d:
  port: "pop3,pop3s"
  logpath:
    - "%(solidpop3d_log)s"
fail2ban::jail::squid:
  port: "80,443,3128,8080"
  logpath:
    - "/var/log/squid/access.log"
fail2ban::jail::squirrelmail:
  port: "smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks"
  logpath:
    - "/var/lib/squirrelmail/prefs/squirrelmail_access_log"
# The jail used by the README / REFERENCE examples
# (`lookup('fail2ban::jail::sshd')`).
fail2ban::jail::sshd:
  port: "ssh"
  logpath:
    - "%(sshd_log)s"
  backend: "%(sshd_backend)s"
fail2ban::jail::sshd-ddos:
  # Same sshd filter as above, switched to its "ddos" mode (see the `mode`
  # parameter of fail2ban::jail); which regexes that enables is defined by
  # the filter itself.
  filter: "sshd[mode=ddos]"
  port: "ssh"
  logpath:
    - "%(sshd_log)s"
  backend: "%(sshd_backend)s"
fail2ban::jail::stunnel:
  logpath:
    - "/var/log/stunnel4/stunnel.log"
fail2ban::jail::suhosin:
  port: "http,https"
  logpath:
    - "%(suhosin_log)s"
fail2ban::jail::tine20:
  port: "http,https"
  logpath:
    - "/var/log/tine20/tine20.log"
# to use 'traefik-auth' filter you have to configure your Traefik instance,
# see `filter.d/traefik-auth.conf` for details and service example.
fail2ban::jail::traefik-auth:
  port: "http,https"
  logpath:
    - "/var/log/traefik/access.log"
fail2ban::jail::uwimap-auth:
  port: "imap,imaps"
  logpath:
    - "%(syslog_mail)s"
  backend: "%(syslog_backend)s"
fail2ban::jail::vsftpd:
  port: "ftp,ftp-data,ftps,ftps-data"
  logpath:
    - "%(vsftpd_log)s"
fail2ban::jail::webmin-auth:
  port: 10000
  logpath:
    - "%(syslog_authpriv)s"
  backend: "%(syslog_backend)s"
fail2ban::jail::wuftpd:
  port: "ftp,ftp-data,ftps,ftps-data"
  logpath:
    - "%(wuftpd_log)s"
  backend: "%(wuftpd_backend)s"
fail2ban::jail::xinetd-fail:
  # No port here: the whole jail relies on this banaction (presumably the
  # logging variant of iptables-multiport — confirm it exists in action.d on
  # the target platform).
  banaction: "iptables-multiport-log"
  logpath:
    - "%(syslog_daemon)s"
  backend: "%(syslog_backend)s"
  maxretry: 2
fail2ban::jail::znc-adminlog:
  port: 6667
  logpath:
    - "/var/lib/znc/moddata/adminlog/znc.log"
fail2ban::jail::zoneminder:
  port: "http,https"
  logpath:
    - "%(apache_error_log)s"
463 |
--------------------------------------------------------------------------------
/examples/init.pp:
--------------------------------------------------------------------------------
# Smoke-test manifest: declare the fail2ban class with its defaults and add a
# single jail (sshd) whose parameters come from the module's Hiera data.
class { 'fail2ban': }

# Splat the looked-up hash straight into the defined type's parameters.
fail2ban::jail { 'sshd':
  * => lookup('fail2ban::jail::sshd'),
}
9 |
--------------------------------------------------------------------------------
/files/debian/action_d_iptables-common.conf:
--------------------------------------------------------------------------------
# Fail2Ban configuration file
#
# Author: Daniel Black
#
# This is an included configuration file and includes the definitions for the iptables
# used in all iptables based actions by default.
#
# The user can override the defaults in iptables-common.local
#
# NOTE(review): iptables-common.local does not appear to be managed by the
# manifests shown in this module (only action.d/<name>.conf files are), so an
# unmanaged override there changes chain/blocktype for every iptables-based
# action -- confirm that this is acceptable for the deployment.

[INCLUDES]

# The indented second line continues the "after" value (two files).
after = iptables-blocktype.local
        iptables-common.local
# iptables-blocktype.local is obsolete

[Init]

# Option: chain
# Notes specifies the iptables chain to which the Fail2Ban rules should be
# added
# Values: STRING Default: INPUT
chain = INPUT

# Default name of the chain
#
name = default

# Option: port
# Notes.: specifies port to monitor
# Values: [ NUM | STRING ] Default:
#
port = ssh

# Option: protocol
# Notes.: internally used by config reader for interpolations.
# Values: [ tcp | udp | icmp | all ] Default: tcp
#
protocol = tcp

# Option: blocktype
# Note: This is what the action does with rules. This can be any jump target
# as per the iptables man page (section 8). Common values are DROP
# REJECT, REJECT --reject-with icmp-port-unreachable
# Values: STRING
blocktype = REJECT --reject-with icmp-port-unreachable

# Option: returntype
# Note: This is the default rule on "actionstart". This should be RETURN
# in all (blocking) actions, except REJECT in allowing actions.
# Values: STRING
returntype = RETURN

# Option: lockingopt
# Notes.: Option was introduced to iptables to prevent multiple instances from
# running concurrently and causing erratic behavior. -w was introduced
# in iptables 1.4.20, so might be absent on older systems
# See https://github.com/fail2ban/fail2ban/issues/1122
# Values: STRING
lockingopt = -w

# Option: iptables
# Notes.: Actual command to be executed, including common to all calls options
# Values: STRING
iptables = iptables
65 |
--------------------------------------------------------------------------------
/files/debian/paths-common.conf:
--------------------------------------------------------------------------------
# Common
#
# Generic log locations shared by all distributions. paths-debian.conf lists
# this file in its [INCLUDES] before= entry, so distribution-specific values
# defined there override the defaults below.

[INCLUDES]

after = paths-overrides.local

[DEFAULT]

default_backend = auto

sshd_log = %(syslog_authpriv)s
sshd_backend = %(default_backend)s

dropbear_log = %(syslog_authpriv)s
dropbear_backend = %(default_backend)s

# There are no sensible generic defaults for syslog log targets, thus
# leaving them empty here so that no errors while parsing/interpolating configs
syslog_daemon =
syslog_ftp =
syslog_local0 =
syslog_mail_warn =
syslog_user =
# Set the default syslog backend target to default_backend
syslog_backend = %(default_backend)s

# from /etc/audit/auditd.conf
auditd_log = /var/log/audit/audit.log

exim_main_log = /var/log/exim/mainlog

nginx_error_log = /var/log/nginx/*error.log

nginx_access_log = /var/log/nginx/*access.log


lighttpd_error_log = /var/log/lighttpd/error.log

# http://www.hardened-php.net/suhosin/configuration.html#suhosin.log.syslog.facility
# syslog_user is the default. Lighttpd also hooks errors into its log.

# The indented second line continues the value: two log targets.
suhosin_log = %(syslog_user)s
              %(lighttpd_error_log)s

# defaults to ftp or local2 if ftp doesn't exist
proftpd_log = %(syslog_ftp)s
proftpd_backend = %(default_backend)s

# http://svnweb.freebsd.org/ports/head/ftp/proftpd/files/patch-src_proftpd.8.in?view=markup
# defaults to ftp but can be overwritten.
pureftpd_log = %(syslog_ftp)s
pureftpd_backend = %(default_backend)s

# ftp, daemon and then local7 are tried at configure time however it is overwriteable at configure time
#
wuftpd_log = %(syslog_ftp)s
wuftpd_backend = %(default_backend)s

# syslog_enable defaults to no. so it defaults to vsftpd_log_file setting of /var/log/vsftpd.log
# No distro seems to set it to syslog by default
# If syslog set it defaults to ftp facility if exists at compile time otherwise falls back to daemonlog.
vsftpd_log = /var/log/vsftpd.log

# Technically syslog_facility in main.cf can overwrite but no-one sane does this.
postfix_log = %(syslog_mail_warn)s
postfix_backend = %(default_backend)s

dovecot_log = %(syslog_mail_warn)s
dovecot_backend = %(default_backend)s

# Seems to be set at compile time only to LOG_LOCAL0 (src/const.h) at Notice level
solidpop3d_log = %(syslog_local0)s

mysql_log = %(syslog_daemon)s
mysql_backend = %(default_backend)s

roundcube_errors_log = /var/log/roundcube/errors

# Directory with ignorecommand scripts
ignorecommands_dir = /etc/fail2ban/filter.d/ignorecommands
82 |
--------------------------------------------------------------------------------
/files/debian/paths-debian.conf:
--------------------------------------------------------------------------------
# Debian
#
# Debian-specific log locations. paths-common.conf is read first (see
# [INCLUDES] below), so the values here override its generic defaults.

[INCLUDES]

before = paths-common.conf

after = paths-overrides.local


[DEFAULT]

syslog_mail = /var/log/mail.log

# NOTE(review): postfix_log and dovecot_log in paths-common.conf resolve to
# this target; verify the file is actually written on the targeted Debian
# releases, since a jail whose logpath is missing will not start.
syslog_mail_warn = /var/log/mail.warn

syslog_authpriv = /var/log/auth.log

# syslog_auth = /var/log/auth.log
#
syslog_user = /var/log/user.log

syslog_ftp = /var/log/syslog

syslog_daemon = /var/log/daemon.log

syslog_local0 = /var/log/messages


apache_error_log = /var/log/apache2/*error.log

apache_access_log = /var/log/apache2/*access.log

exim_main_log = /var/log/exim4/mainlog

# was in debian squeezy but not in wheezy
# /etc/proftpd/proftpd.conf (SystemLog)
proftpd_log = /var/log/proftpd/proftpd.log
38 |
--------------------------------------------------------------------------------
/files/jail.header:
--------------------------------------------------------------------------------
1 | #
2 | # JAILS
3 | #
4 |
5 | # The following jails correspond to the standard configuration in Fail2ban 0.6 which
6 | # was shipped in Debian. Enable any jail defined here by including
7 | #
8 | # [SECTION_NAME]
9 | # enabled = true
10 |
11 | #
12 | # in /etc/fail2ban/jail.local.
13 | #
14 | # Optionally you may override any other parameter (e.g. banaction,
15 | # action, port, logpath, etc) in that section within jail.local
16 |
--------------------------------------------------------------------------------
/hiera.yaml:
--------------------------------------------------------------------------------
---
# Module-level Hiera 5 hierarchy. Data files are read from the module's data/
# directory and consulted top to bottom; for a plain (first-found) lookup the
# first level that defines a key wins.
version: 5
hierarchy:
  # Most specific: OS name plus major release, e.g. "Debian-12.yaml".
  # NOTE(review): os.distro.release.major is not reported on every platform;
  # where it is missing the interpolated path simply matches no file.
  - name: "OS major release"
    path: "%{facts.os.name}-%{facts.os.distro.release.major}.yaml"

  # OS family, e.g. "RedHat.yaml".
  - name: "OS family"
    path: "%{facts.os.family}.yaml"

  # Defaults for every platform.
  - name: "common"
    path: "common.yaml"
12 |
--------------------------------------------------------------------------------
/manifests/action.pp:
--------------------------------------------------------------------------------
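# fail2ban/manifests/action.pp
#
# - Copyright (C) 2014-2019 gabster@lelutin.ca
#
# Actions define what fail2ban should do when it finds mischief happening in
# logs. Usually, an action defines commands that should be run during
# setup/teardown and commands for when a ban or an unban happen. Using action
# you can make fail2ban do whatever you want, from creating an iptables rule to
# calling out to your edge server API to create a rule there instead.
#
# The command strings given to this defined type are rendered by the
# action.epp template into /etc/fail2ban/action.d/<name>.conf and executed by
# the fail2ban daemon. This define performs no validation of them, so treat
# them as trusted code and keep them under the same review as the manifests.
#
# @summary Create an action for fail2ban
#
# @api public
#
# @see jail.conf(5)
#
#
# @example defining a new action to call out to a REST API
#   fail2ban::action { 'rest_api':
#     ensure      => present,
#     actionban   => ['curl -s -X PUT http://yourapi:8080/theapi/v4/firewall/rules -H "Content-Type:application/json" -H "Authorization: ..." -d "{\"ban\": \"\"}"'],
#     actionunban => ['curl -s -X DELETE http://yourapi:8080/theapi/v4/firewall/rules/1 -H "Authorization: ..."'],
#   }
#   NOTE(review): the ban body above most likely carried fail2ban's <ip> tag
#   (e.g. "{\"ban\": \"<ip>\"}") before rendering stripped it -- confirm
#   against upstream.
#
#
# @param ensure
#   Whether the resources should be installed or removed.
# @param config_file_mode
#   Permission mode given to the action file created by this defined type.
#   Validated as Stdlib::Filemode, like the global config_file_mode of the
#   fail2ban class.
# @param timeout
#   Special tag in the Init section that, if present, defines the maximum
#   period of time in seconds that an action command can be executed before
#   being killed.
# @param init
#   List of arbitrary lines that will be a part of the [Init] section. All
#   tags (variables) defined in this section can be overridden by any
#   individual jail to change the action's behaviour.
# @param includes
#   List of files to include before considering the rest of the action
#   definition. These files can declare variables used by the action to set
#   default or common behaviours.
# @param includes_after
#   List of files to include after action definition.
# @param additional_defs
#   List of arbitrary lines that should appear at the beginning of the action's
#   definition section, for anything that didn't fit in other parameters. Each
#   item in the list is output on its own line in the action file. No syntax
#   checking is done.
# @param actionban
#   List of commands that are executed when fail2ban has found too many
#   matches for a given IP address.
# @param actionunban
#   List of commands that are executed after `bantime` has elapsed.
# @param actioncheck
#   List of commands that are run by fail2ban before any other action to
#   verify that the environment (or setup) is still in good shape.
# @param actionstart
#   List of commands that are executed when the jail is started.
# @param actionstop
#   List of commands that are executed when the jail is stopped.
#
define fail2ban::action (
  Array[String[1], 1]       $actionban,
  Array[String[1], 1]       $actionunban,
  Enum['present', 'absent'] $ensure           = 'present',
  # Stdlib::Filemode rather than a bare String: matches the fail2ban class and
  # rejects malformed modes at catalog compile time instead of at apply time.
  Stdlib::Filemode          $config_file_mode = '0644',
  # general action configuration
  Optional[Integer[1]]      $timeout          = undef,
  Array[String]             $init             = [],
  Array[String]             $includes         = [],
  Array[String]             $includes_after   = [],
  # main action definition
  Array[String]             $additional_defs  = [],
  Array[String[1]]          $actioncheck      = [],
  Array[String[1]]          $actionstart      = [],
  Array[String[1]]          $actionstop       = [],
) {
  require fail2ban::config

  # Every parameter is handed to the template as a named argument.
  $action_args = {
    includes        => $includes,
    includes_after  => $includes_after,
    additional_defs => $additional_defs,
    actioncheck     => $actioncheck,
    actionstart     => $actionstart,
    actionstop      => $actionstop,
    actionban       => $actionban,
    actionunban     => $actionunban,
    timeout         => $timeout,
    init            => $init,
  }

  # Root-owned and (by default) world-readable; any change refreshes the
  # service class so the daemon picks up the new action definition.
  file { "/etc/fail2ban/action.d/${name}.conf":
    ensure  => $ensure,
    content => epp('fail2ban/action.epp', $action_args),
    owner   => 'root',
    group   => 0,
    mode    => $config_file_mode,
    notify  => Class['fail2ban::service'],
  }
}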
102 |
--------------------------------------------------------------------------------
/manifests/config.pp:
--------------------------------------------------------------------------------
# fail2ban/manifests/config.pp
#
# This class should not be included directly. Users must use the fail2ban
# class.
#
# Renders fail2ban.conf and jail.conf from epp templates and, when the
# corresponding fail2ban class parameters ask for it, removes the *.local
# overrides and purges the *.d drop-in directories that would otherwise take
# precedence over the managed files.
#
# @summary Configure fail2ban service
#
# @api private
#
class fail2ban::config {
  # Daemon settings, each passed to the template as a named argument.
  $daemon_settings = {
    loglvl       => $fail2ban::loglvl,
    logtarget    => $fail2ban::logtarget,
    syslogsocket => $fail2ban::syslogsocket,
    socket       => $fail2ban::socket,
    pidfile      => $fail2ban::pidfile,
    # Booleans stringify to true/false, which the config option accepts as-is,
    # so no extra formatting is needed.
    allowipv6    => $fail2ban::allowipv6,
    dbfile       => $fail2ban::dbfile,
    dbpurgeage   => $fail2ban::dbpurgeage,
    dbmaxmatches => $fail2ban::dbmaxmatches,
    stacksize    => $fail2ban::stacksize,
  }

  # NOTE(review): unlike fail2ban::action and fail2ban::filter, the file
  # resources in this class do not notify Class['fail2ban::service']; this
  # relies on the service class subscribing to this class -- confirm in
  # service.pp.
  file { '/etc/fail2ban/fail2ban.conf':
    ensure  => file,
    owner   => 'root',
    group   => 0,
    mode    => $fail2ban::config_file_mode,
    content => epp($fail2ban::fail2ban_conf_template, $daemon_settings),
  }

  if $fail2ban::rm_fail2ban_local {
    file { '/etc/fail2ban/fail2ban.local':
      ensure => absent,
    }
  }

  # Drop-in directories are purged of unmanaged files when requested; the
  # hash keeps fail2ban.d ahead of jail.d, the order the resources had before.
  $purge_dirs = {
    '/etc/fail2ban/fail2ban.d' => $fail2ban::purge_fail2ban_dot_d,
    '/etc/fail2ban/jail.d'     => $fail2ban::purge_jail_dot_d,
  }
  $purge_dirs.each |String $dir, Boolean $purge| {
    if $purge {
      file { $dir:
        ensure  => directory,
        recurse => true,
        purge   => true,
      }
    }
  }

  # Jail defaults ([DEFAULT] section of jail.conf), again as named arguments.
  $jail_settings = {
    ignoreself         => $fail2ban::ignoreself,
    ignoreip           => $fail2ban::ignoreip,
    ignorecommand      => $fail2ban::ignorecommand,
    ignorecache        => $fail2ban::ignorecache,
    bantime            => $fail2ban::bantime,
    bantime_extra      => $fail2ban::bantime_extra,
    findtime           => $fail2ban::findtime,
    maxretry           => $fail2ban::maxretry,
    maxlines           => $fail2ban::maxlines,
    maxmatches         => $fail2ban::maxmatches,
    backend            => $fail2ban::backend,
    usedns             => $fail2ban::usedns,
    logencoding        => $fail2ban::logencoding,
    logtimezone        => $fail2ban::logtimezone,
    datepattern        => $fail2ban::datepattern,
    logpath            => $fail2ban::logpath,
    enabled            => $fail2ban::enabled,
    mode               => $fail2ban::mode,
    filter             => $fail2ban::filter,
    prefregex          => $fail2ban::prefregex,
    failregex          => $fail2ban::failregex,
    ignoreregex        => $fail2ban::ignoreregex,
    destemail          => $fail2ban::destemail,
    sender             => $fail2ban::sender,
    mta                => $fail2ban::mta,
    protocol           => $fail2ban::protocol,
    chain              => $fail2ban::chain,
    port               => $fail2ban::port,
    fail2ban_agent     => $fail2ban::fail2ban_agent,
    banaction          => $fail2ban::banaction,
    banaction_allports => $fail2ban::banaction_allports,
    action             => $fail2ban::action,
  }

  file { '/etc/fail2ban/jail.conf':
    ensure  => file,
    owner   => 'root',
    group   => 0,
    mode    => $fail2ban::config_file_mode,
    content => epp($fail2ban::jail_conf_template, $jail_settings),
  }

  if $fail2ban::rm_jail_local {
    file { '/etc/fail2ban/jail.local':
      ensure => absent,
    }
  }
}
104 |
--------------------------------------------------------------------------------
/manifests/filter.pp:
--------------------------------------------------------------------------------
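# fail2ban/manifests/filter.pp
#
# - Copyright (C) 2014-2018 gabster@lelutin.ca
#
# Filters are how fail2ban detects mischief in logs. They contain regular
# expressions that should catch bad activity and identify the IP that is doing
# this activity.
#
# The regular expressions given here are rendered into
# /etc/fail2ban/filter.d/<name>.conf without any validation, and fail2ban
# evaluates them against every line of the jail's logs: an over-broad or empty
# failregex bans legitimate clients, a wrong one bans nobody. Test new filters
# with fail2ban-regex before rolling them out.
#
# @summary Setup a filter for fail2ban
#
# @api public
#
# @see https://fail2ban.readthedocs.io/en/latest/filters.html
# @see https://github.com/fail2ban/fail2ban/blob/0.11/man/jail.conf.5 jail.conf(5)
#
# @example defining filter for jenkins
#   fail2ban::filter { 'jenkins':
#     failregexes => [
#       # Those regexes are really arbitrary examples.
#       'Invalid login to Jenkins by user mooh by IP \'\'',
#       'Forced entry trial by ',
#     ],
#   }
#   NOTE(review): each example regex most likely contained fail2ban's <HOST>
#   capture tag (e.g. `by IP '<HOST>'`) before rendering stripped it; without
#   it a filter cannot identify the address to ban -- confirm against upstream.
#
#
# @param filter_template
#   Path to the epp template given to the epp() function in order to render
#   the filter file.
# @param failregexes
#   List of regular expressions that will be run against new log lines as they
#   reach fail2ban. The regular expressions follow the Python regular
#   expression format, and there are some special patterns that fail2ban can
#   use. See the jail.conf(5) man page for more details. Each item in the list
#   is placed on its own line. Lines starting with the second one are prepended
#   with spaces so that the regular expressions line up with the beginning of
#   the first one.
# @param ensure
#   Whether the resources should be installed or removed.
# @param config_file_mode
#   Permission mode given to the filter file created by this defined type.
#   Validated as Stdlib::Filemode, like the global config_file_mode of the
#   fail2ban class.
# @param init
#   List of arbitrary lines that should appear in the optional filter
#   Init section. Variable definitions in the Init section can be overridden by
#   users in *.local files. Each item in the list is output on its own line in
#   the filter file. No syntax checking is done.
# @param includes
#   List of files to include before considering the rest of the filter
#   definition. These files can declare variables used by the filter to set
#   default behaviours.
# @param includes_after
#   List of files to include after filter definition.
# @param additional_defs
#   List of arbitrary lines that should appear at the beginning of the filter's
#   definition section, for anything that didn't fit in other parameters. Each
#   item in the list is output on its own line in the filter file. No syntax
#   checking is done.
# @param prefregex
#   If this is set, it contains a regular expression that should be used to
#   parse (after datepattern found a match) a common part to all messages that
#   can then match a smaller failregex or ignoreregex. If this regex does not
#   match, then failregex or ignoreregex are not even tried.
# @param ignoreregexes
#   List of Python regular expressions that should prevent a log line from
#   being considered for banning. If a line matches regular expressions
#   contained in this parameter, they are ignored even though they would have
#   matched a failregex. Each item in the list is placed on its own line. Lines
#   starting with the second one are prepended with spaces so that the regular
#   expressions line up with the beginning of the first one.
# @param maxlines
#   Maximum number of lines that fail2ban should buffer for matching
#   multi-line regexes.
# @param datepattern
#   Custom date pattern/regex for the log file. This is useful if dates use a
#   non-standard formatting.
# @param journalmatch
#   If the log backend is set to systemd, this specifies a matching pattern to
#   filter journal entries.
#
define fail2ban::filter (
  Array[String, 1]          $failregexes,
  String[1]                 $filter_template  = 'fail2ban/filter.epp',
  Enum['present', 'absent'] $ensure           = 'present',
  # Stdlib::Filemode rather than a bare String: matches the fail2ban class and
  # rejects malformed modes at catalog compile time instead of at apply time.
  Stdlib::Filemode          $config_file_mode = '0644',
  # general configuration
  # Array[String] is the same type as the former Array[String, 0]; written
  # uniformly so all list parameters of this define read alike.
  Array[String]             $init             = [],
  Array[String]             $includes         = [],
  Array[String]             $includes_after   = [],
  # main filter definition
  Array[String]             $additional_defs  = [],
  Optional[String]          $prefregex        = undef,
  Array[String]             $ignoreregexes    = [],
  Optional[Integer[1]]      $maxlines         = undef,
  Optional[String]          $datepattern      = undef,
  Optional[String]          $journalmatch     = undef,
) {
  include fail2ban::config

  # Every parameter is handed to the template as a named argument.
  $filter_options = {
    init            => $init,
    includes        => $includes,
    includes_after  => $includes_after,
    additional_defs => $additional_defs,
    prefregex       => $prefregex,
    failregexes     => $failregexes,
    ignoreregexes   => $ignoreregexes,
    maxlines        => $maxlines,
    datepattern     => $datepattern,
    journalmatch    => $journalmatch,
  }

  # Root-owned and (by default) world-readable; any change refreshes the
  # service class so the daemon picks up the new filter.
  file { "/etc/fail2ban/filter.d/${name}.conf":
    ensure  => $ensure,
    content => epp($filter_template, $filter_options),
    owner   => 'root',
    group   => 0,
    mode    => $config_file_mode,
    require => Class['fail2ban::config'],
    notify  => Class['fail2ban::service'],
  }
}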
121 |
--------------------------------------------------------------------------------
/manifests/init.pp:
--------------------------------------------------------------------------------
1 | # fail2ban/manifests/init.pp
2 | #
3 | # - Copyright (C) 2007 admin@immerda.ch
4 | # - Copyright (C) 2014-2018 gabster@lelutin.ca
5 | #
6 | # @summary
7 | # Manage fail2ban and its configuration to jam bruteforce attempts on
8 | # services running on a computer.
9 | #
10 | # @api public
11 | #
12 | # @see https://github.com/fail2ban/fail2ban/blob/0.11/man/jail.conf.5 jail.conf(5)
13 | #
14 | # @note `blocktype` is not offered as a global option since it's not a great
15 | # idea to set a globally used default value for this option. It's used
16 | # differently by all actions and different values are expected from each
17 | # action, so it's generally recommended to override this for each action
18 | # individually by creating a `.local` file in `actions.d`.
19 | #
20 | #
21 | # @example basic usage
22 | # class { 'fail2ban': }
23 | #
24 | # @example ignore localhost and another non-routable IP
25 | # class { 'fail2ban':
26 | # ignoreip => ['127.0.0.1', '10.0.0.1'],
27 | # }
28 | #
29 | #
30 | # @param rm_fail2ban_local
31 | # Force removal of file /etc/fail2ban/fail2ban.local if present.
32 | # @param rm_jail_local
33 | # Force removal of file /etc/fail2ban/jail.local if present.
34 | # @param purge_fail2ban_dot_d
35 | # Remove all unmanaged files in /etc/fail2ban/fail2ban.d/
36 | # @param purge_jail_dot_d
37 | # Remove all unmanaged files in /etc/fail2ban/jail.d/
38 | # @param config_file_mode
39 | # File mode set on all fail2ban configuration files managed by this module.
40 | # @param manage_service
41 | # Manage the fail2ban service, true by default
42 | #
43 | # @param fail2ban_conf_template
44 | # Alternative template to use for the `fail2ban.conf` file.
45 | # @param loglvl
46 | # Set fail2ban's loglevel.
47 | # @param logtarget
48 | # Define where fail2ban's logs are sent.
49 | # @param syslogsocket
50 | # Path to syslog's socket file, or "auto" for automatically discovering it.
51 | # @param socket
52 | # Path to fail2ban's own socket file. This file is used by fail2ban-client to
53 | # communicate with the daemon.
54 | # @param pidfile
55 | # Path to fail2ban's pid file. This usually needs to be in a place where the
56 | # init script or systemd unit file can find it.
57 | # @param allowipv6
58 | # Whether or not fail2ban interfaces with IPv6 stack on the system. Defaults
59 | # to `auto`. Set to boolean true or false to force allowing or disallowing,
60 | # respectively.
61 | # @param dbfile
62 | # Path to fail2ban's database file.
63 | # @param dbpurgeage
64 | # Age of entries in fail2ban's database that get removed when performing a
65 | # database purge operation.
66 | # @param dbmaxmatches
67 | # Number of matches stored in database per ticket.
68 | # @param stacksize
69 | # Specifies the stack size (in KiB) to be used for subsequently created threads,
70 | # and must be 0 or a positive integer value of at least 32. 0 means that
71 | # fail2ban will use platform or configured default.
72 | #
73 | # @param jail_conf_template
74 | # Alternative template to use for the `jail.conf` file.
75 | #
76 | # @param enabled
77 | # Whether or not to enable jails by default. fail2ban's man page recommends
78 | # to keep this to false, but by default the module purges jail.d of unknown
79 | # files so it might be safe to set to true in order to avoid repeating this
80 | # setting on all jails. If you set purge_jail_dot_d to false, it might be
81 | # wiser to keep this to false in order to avoid enabling jails that get
82 | # dropped in jail.d.
83 | # @param mode
84 | # Change the default behavior for filters. Watch out however, each
85 | # individual filter can define its own value and so most values are not
86 | # guaranteed to be available with all filters. The mode will generally
87 | # determine which regular expressions the filter will include. To know
88 | # exactly which values are available in filters, you need to read their
89 | # configuration files.
90 | # @param backend
91 | # Default method used to get information from logs.
92 | # @param usedns
93 | # Default behaviour whether or not to resolve IPs when they are found in a
94 | # log by a filter.
95 | # @param filter
96 | # Default name of filter to use for jails.
97 | # @param logpath
98 | # Array of absolute paths specifying the default path(s) to log file(s) being
99 | # used by jails. This value is usually not set and logpath is defined for
100 | # each jail for more clarity.
101 | # @param logencoding
102 | # Name of the encoding of log files. If set to "auto", fail2ban will use what
103 | # is set in the system's locale setting.
104 | # @param logtimezone
105 | # Force a timezone by default for logs that don't specify them on timestamps.
106 | # @param datepattern
107 | # Change the default format of recognized dates. Warning: it is generally
108 | # not recommended to change the global value, if at all. If you need to
109 | # change the datepattern for some reason, it is usually recommended to set
110 | # this parameter at filter level.
111 | # @param prefregex
112 | # Regular expression to parse common part in every message.
113 | # @param failregex
114 | # Array of regular expressions to add to all filters' failregex. This is
115 | # usually not used at the global level, but it can still be set.
116 | # @param ignoreregex
117 | # Array of regular expressions to add to all filters' ignoreregex. This is
118 | # usually not used at the global level, but could be useful to have something
119 | # excluded from bans everywhere.
120 | # @param ignoreself
121 | # If set to false, fail2ban will not ignore IP addresses that are bound to
122 | # interfaces on the host.
123 | # @param ignoreip
124 | # Default list of IPs or CIDR prefixes that should not get banned.
125 | # @param ignorecommand
126 | # Default command used to determine if an IP should be exempted from being
127 | # banned.
128 | # @param ignorecache
129 | # If set, caches the results from `ignoreip`, `ignoreself` and
130 | # `ignorecommand` for a set amount of time to avoid calling `ignorecommand`
131 | # repeatedly.
132 | # @param maxretry
133 | # Default number of times an IP should be detected by a filter during findtime
134 | # for it to get banned.
135 | # @param maxlines
136 | # Default number of lines to buffer for regex search. Used for multi-line
137 | # regexes. Note that it is rather unusual to set a default global value for
138 | # this, and it is usually rather set on a filter itself.
139 | # @param maxmatches
140 | # Number of matches stored in ticket.
141 | # @param findtime
142 | # Default interval during which to count occurrences of an IP.
143 | # @param action
144 | # List of default actions that get called when an IP triggers maxretry number
145 | # of times a filter within findtime.
146 | # @param bantime
147 | # Default duration in number of seconds to ban an IP address for.
148 | # @param bantime_extra
149 | # Set of additional optional settings relating to bantime. The keys in this
150 | # structure are set in the configuration file as `bantime.$key`. The
151 | # different possible keys are:
152 | # * increment: boolean. set to true to make IP search happen across all
153 | # jails instead of only the one being processed.
154 | # * maxtime: string. maximum number of seconds that the formula (see below)
155 | # can reach.
156 | # * rndtime: string. upper bounds in seconds for ban time randomization (to
157 | # prevent bots from guessing the exact ban time)
158 | # * formula: string. python mathematical expression used for calculating
159 | # next value of ban time. The values provided by the formula are
160 | # multiplied by `bantime` and by the factor exponent coefficient to give
161 | # the actual amount of time that an IP gets banned.
162 | # * factor: string. coefficient to calculate the exponential growth of the
163 | # ban times. The default value is 1, thus the bantime grows by 1, 2, 4,
164 | # 8, 16...
165 | # * multipliers: string. if set, used to calculate the next ban times
166 | # instead of the formula. numbers are used sequentially until the last
167 | # one is reached, at which point the same value will be used for all
168 | # subsequent bantimes.
169 | # * overalljails: boolean. if set to true, search for IP in the database
170 | # will be done across all jails instead of only the currently processed
171 | # jail.
172 | # @param banaction
173 | # Default action name extrapolated when defining some of the default actions.
174 | # @param banaction_allports
175 | # Default action name that can be extrapolated when defining some of the
176 | # default actions. This one is meant to ban all ports at once instead of
177 | # specific ones.
178 | # @param chain
179 | # Default name of the iptables chain used by iptables-based actions.
180 | # @param port
181 | # Default comma separated list of ports, port names or port ranges used by
182 | # actions when banning an IP.
183 | # @param protocol
184 | # Default protocol name used by actions.
185 | # @param mta
186 | # Default program name used for sending out email by actions that do so.
187 | # @param destemail
188 | # Default email address used as recipient by actions that send out emails.
189 | # @param sender
190 | # Default email address set as sender by actions that send out emails.
191 | # @param fail2ban_agent
192 | # User-agent sent on HTTP requests that are made by some actions.
193 | #
class fail2ban (
  # Options that change how the module behaves
  Boolean $rm_fail2ban_local = true,
  Boolean $rm_jail_local = true,
  Boolean $purge_fail2ban_dot_d = true,
  Boolean $purge_jail_dot_d = true,
  Stdlib::Filemode $config_file_mode = '0644',
  Boolean $manage_service = true,
  # Options for fail2ban.conf
  String[1] $fail2ban_conf_template = 'fail2ban/fail2ban.conf.epp',
  Fail2ban::Loglevel $loglvl = 'INFO',
  Fail2ban::Logtarget $logtarget = '/var/log/fail2ban.log',
  Fail2ban::Syslogsocket $syslogsocket = 'auto',
  Stdlib::Absolutepath $socket = '/var/run/fail2ban/fail2ban.sock',
  Stdlib::Absolutepath $pidfile = '/var/run/fail2ban/fail2ban.pid',
  Fail2ban::AutoOrFlag $allowipv6 = 'auto',
  Fail2ban::Dbfile $dbfile = '/var/lib/fail2ban/fail2ban.sqlite3',
  Integer $dbpurgeage = 86400,
  Integer $dbmaxmatches = 10,
  Variant[Integer[0,0], Integer[32]] $stacksize = 0,
  # Options for jail.conf
  String[1] $jail_conf_template = 'fail2ban/debian/jail.conf.epp',
  Boolean $enabled = false,
  String $mode = 'normal',
  Fail2ban::Backend $backend = 'auto',
  Fail2ban::Usedns $usedns = 'warn',
  String $filter = '%(__name__)s[mode=%(mode)s]',
  Array[String] $logpath = [],
  String $logencoding = 'auto',
  Optional[String] $logtimezone = undef,
  Optional[String] $datepattern = undef,
  Optional[String] $prefregex = undef,
  Optional[Variant[String, Array[String[1]]]] $failregex = undef,
  Optional[Variant[String, Array[String[1]]]] $ignoreregex = undef,
  Boolean $ignoreself = true,
  Array[String, 0] $ignoreip = ['127.0.0.1'],
  Optional[String] $ignorecommand = undef,
  Optional[String] $ignorecache = undef,
  Integer[1] $maxretry = 3,
  Optional[Integer[1]] $maxlines = undef,
  Variant[Integer[1], String] $maxmatches = '%(maxretry)s',
  Fail2ban::Time $findtime = '10m',
  Variant[String, Array[String, 1]] $action = ['%(action_)s'],
  Fail2ban::Time $bantime = '10m',
  Optional[Fail2ban::Bantime_extra] $bantime_extra = undef,
  String $banaction = 'iptables-multiport',
  String $banaction_allports = 'iptables-allports',
  String $chain = 'INPUT',
  Fail2ban::Port $port = '0:65535',
  Fail2ban::Protocol $protocol = 'tcp',
  # options for email-based actions
  String $mta = 'sendmail',
  String $destemail = 'root@localhost',
  String $sender = 'root@localhost',
  # option for http-based actions
  String $fail2ban_agent = 'Fail2Ban/%(fail2ban_version)s',
) {
  # Only the two OS families this module carries templates and data for are
  # accepted; any other family aborts catalog compilation right away.
  $os_family = $facts['os']['family']
  unless $os_family in ['Debian', 'RedHat'] {
    fail("Unsupported Operating System family: ${os_family}")
  }

  # A bare string is still accepted for these three parameters, but the 5.x
  # interface will only take arrays; warn so users can migrate ahead of time.
  if $action.is_a(String) {
    deprecation('fail2ban_action_param', 'The $action parameter will only take an array of strings in 5.x')
  }
  if $failregex.is_a(String) {
    deprecation('fail2ban_failregex_param', 'The $failregex parameter will only take an array of strings in 5.x')
  }
  if $ignoreregex.is_a(String) {
    deprecation('fail2ban_ignoreregex_param', 'The $ignoreregex parameter will only take an array of strings in 5.x')
  }

  # install -> config ~> service: the configuration must be written after the
  # package is present, and the service is refreshed whenever config changes.
  contain 'fail2ban::install', 'fail2ban::config', 'fail2ban::service'
  Class['fail2ban::install'] -> Class['fail2ban::config'] ~> Class['fail2ban::service']
}
273 |
--------------------------------------------------------------------------------
/manifests/install.pp:
--------------------------------------------------------------------------------
1 | # fail2ban/manifests/install.pp
2 | #
3 | # This class should not be included directly. Users must use the fail2ban
4 | # class.
5 | #
6 | # @summary Install fail2ban
7 | #
8 | # @api private
9 | #
class fail2ban::install {
  # Declared through stdlib's ensure_packages() rather than a plain package
  # resource so that another module declaring the same package does not
  # produce a duplicate resource declaration.
  $packages = ['fail2ban']
  ensure_packages($packages)
}
13 |
--------------------------------------------------------------------------------
/manifests/jail.pp:
--------------------------------------------------------------------------------
1 | # fail2ban/manifests/jail.pp
2 | #
3 | # - Copyright (C) 2014-2018 gabster@lelutin.ca
4 | #
5 | # Jails are the top level of fail2ban configuration; what you'll be using most
6 | # often to setup protection of a service from bruteforce attempts or pesky
7 | # attack traffic. They rely on a filter to find out IPs that are doing
8 | # mischief, and then use an action to ban (and subsequently unban) IPs.
9 | #
10 | # Most parameters of this defined type are used for overriding what has been
11 | # set in the global context in jail.conf/jail.local (see parameters to the
12 | # fail2ban class). They are not mandatory if you can reuse the global values.
13 | #
14 | # @summary Setup a fail2ban jail to reduce effectiveness of bruteforce.
15 | #
16 | # @api public
17 | #
18 | # @see https://github.com/fail2ban/fail2ban/blob/0.11/man/jail.conf.5 jail.conf(5)
19 | #
20 | #
21 | # @example creating simple jail for service
22 | # fail2ban::jail { 'honeypot':
23 | # findtime => 300,
24 | # maxretry => 1,
25 | # port => 'all',
26 | # logpath => ['/var/log/honeypot.log'],
27 | # }
28 | #
29 | # @example using a pre-defined jail
30 | # $ssh_params = lookup('fail2ban::jail::sshd')
31 | # fail2ban::jail { 'sshd':
32 | # * => $ssh_params,
33 | # }
34 | #
35 | # @example overriding parameters from a pre-defined jail
36 | # $ssh_extra_params = {
37 | # 'bantime' => 300,
38 | # 'findtime' => 200,
39 | # 'maxretry' => 3,
40 | # }
41 | # $ssh_params = lookup('fail2ban::jail::sshd') + $ssh_extra_params
42 | # fail2ban::jail { 'sshd':
43 | # * => $ssh_params,
44 | # }
45 | #
46 | #
47 | # @param ensure
48 | # Whether resources for the defined jail should be installed or removed.
49 | # @param config_file_mode
50 | # Permission mode given to the jail file created by this defined type.
51 | #
52 | # @param enabled
53 | # Whether or not a jail is enabled. Setting this to false makes it possible
54 | # to keep configuration around for a certain jail but temporarily disable it.
55 | # @param mode
56 | # Change the behavior of the filter used by this jail. The mode will
57 | # generally determine which regular expressions the filter will include. The
58 | # values that this can take are determined by each individual filter. To know
59 | # exactly which values are available in filters, you need to read their
60 | # configuration files.
61 | # @param backend
62 | # Method used by fail2ban to obtain new log lines from the log file(s) in
63 | # logpath.
64 | # @param usedns
65 | # Whether or not to resolve DNS hostname of IPs that have been found by a
66 | # failregex.
67 | # @param filter
68 | # Name of the filter to use for this jail. The default value for the filter
69 | # is usually to use a filter with the same name as the jail name (although
70 | # this could be changed by the filter parameter on the fail2ban class).
71 | # @param logpath
72 | # Array of absolute paths to the log files against which regular expressions
73 | # should be verified to catch activity that you want to block. This
74 | # parameter must be set to a non-empty array when not using the 'systemd'
75 | # backend, however it must be empty if the 'systemd' backend is used.
76 | # @param logencoding
77 | # Name of the encoding of log files. If set to "auto", fail2ban will use what
78 | # is set in the system's locale setting.
79 | # @param logtimezone
80 | # Force a timezone if the logs don't specify them on timestamps.
81 | # @param datepattern
82 | # Change the format of dates recognized by the filter this jail uses.
83 | # @param prefregex
84 | # Regular expression to parse common part in every message for this jail.
85 | # @param failregex
86 | # Regular expressions to add to the failregex of the filter used by this
87 | # jail.
88 | # @param ignoreregex
89 | # Regular expressions to add to the ignoreregex of the filter used by this
90 | # jail.
91 | # @param ignoreself
92 | # If set to false, fail2ban will not ignore IP addresses, for this jail, that
93 | # are bound to interfaces on the host.
94 | # @param ignoreip
95 | # List of IPs or CIDR prefixes to ignore when identifying matches of
96 | # failregex. The IPs that fit the descriptions in this parameter will never
97 | # get banned by the jail.
98 | # @param ignorecommand
99 | # Command used to determine if an IP found by a failregex should be ignored.
100 | # This can be used to have a more complex and dynamic method of listing and
101 | # identifying IPs that should not get banned. It can be used also when
102 | # ignoreip is present.
103 | # @param ignorecache
104 | # If set, caches the results from `ignoreip`, `ignoreself` and
105 | # `ignorecommand` for a set amount of time to avoid calling `ignorecommand`
106 | # repeatedly.
107 | # @param maxretry
108 | # Number of failregex matches during findtime after which an IP gets banned.
109 | # @param maxlines
110 | # Number of lines to buffer for filter's regex search when looking for
111 | # multi-line regex matches.
112 | # @param maxmatches
113 | # Number of matches stored in ticket.
114 | # @param findtime
115 | # Time period in seconds during which maxretry number of matches will get an
116 | # IP banned.
117 | # @param action
118 | # List of actions that should be used to ban and unban IPs when maxretry
119 | # matches of failregex have happened for an IP during findtime.
120 | # @param bantime
121 | # Time period in seconds for which an IP is banned if maxretry matches of
122 | # failregex happen for the same IP during findtime.
123 | # @param bantime_extra
124 | # Set of additional optional settings relating to bantime. The keys in this
125 | # structure are set in the configuration file as `bantime.$key`. See the
126 | # same parameter in class fail2ban for more details on the possible values.
127 | # @param banaction
128 | # Name of the action that is extrapolated in default action definitions, or
129 | # in the action param. This can let you override the action name but keep the
130 | # default parameters to the action.
131 | # @param banaction_allports
132 | # Action name that can be extrapolated by some of the default actions. This
133 | # one is meant to ban all ports at once instead of specific ones. Setting
134 | # this will change the action for this jail.
135 | # @param chain
136 | # Name of the iptables chain used by iptables-based actions.
137 | # @param port
138 | # Comma separated list of ports, port ranges or service names (as found in
139 | # /etc/services) that should get blocked by the ban action.
140 | # @param protocol
141 | # Name of the protocol to ban using the action.
142 | # @param mta
143 | # Program name used for sending out email by actions that do so.
144 | # @param destemail
145 | # Email address used as recipient by actions that send out emails. Setting
146 | # this will override destemail for this jail only.
147 | # @param sender
148 | # Email address set as sender by actions that send out emails.
149 | # @param fail2ban_agent
150 | # User-agent sent on HTTP requests that are made by some actions.
151 | # @param additional_options
152 | # Hash of additional values that should be declared for the jail. Keys
153 | # represent the jail configuration value names and hash values are placed to
154 | # the right of the "=". This can be used to declare arbitrary values for
155 | # filters or actions to use. No syntax checking is done on the contents of
156 | # this hash.
157 | # Note that any keys in this hash that correspond to a parameter name for
158 | # this defined type will get overridden by the value that the defined type's
159 | # parameter was given (e.g. if there is mode => '0600' in additional_options,
160 | # the value of mode in the file on disk will not take on the value '0600'
161 | # since there is a resource parameter that already corresponds to this key
162 | # name).
163 | #
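define fail2ban::jail (
  Enum['present','absent'] $ensure = 'present',
  String $config_file_mode = '0644',
  # Params that override default settings for a particular jail
  Boolean $enabled = true,
  Optional[String] $mode = undef,
  Optional[Fail2ban::Backend] $backend = undef,
  Optional[Fail2ban::Usedns] $usedns = undef,
  Optional[String] $filter = undef,
  Array[String] $logpath = [],
  Optional[String] $logencoding = undef,
  Optional[String] $logtimezone = undef,
  Optional[String] $datepattern = undef,
  Optional[String[1]] $prefregex = undef,
  Optional[Array[String[1]]] $failregex = undef,
  Optional[Array[String[1]]] $ignoreregex = undef,
  Optional[Boolean] $ignoreself = undef,
  Optional[Array[String, 1]] $ignoreip = undef,
  Optional[String] $ignorecommand = undef,
  Optional[String] $ignorecache = undef,
  Optional[Integer[1]] $maxretry = undef,
  Optional[Integer[1]] $maxlines = undef,
  Optional[Variant[Integer[1], String]] $maxmatches = undef,
  Optional[Fail2ban::Time] $findtime = undef,
  Optional[Variant[String, Array[String, 1]]] $action = undef,
  Optional[Fail2ban::Time] $bantime = undef,
  Optional[Fail2ban::Bantime_extra] $bantime_extra = undef,
  Optional[String] $banaction = undef,
  Optional[String] $banaction_allports = undef,
  Optional[String] $chain = undef,
  Optional[Fail2ban::Port] $port = undef,
  Optional[Fail2ban::Protocol] $protocol = undef,
  Optional[String] $mta = undef,
  Optional[String] $destemail = undef,
  Optional[String] $sender = undef,
  Optional[String] $fail2ban_agent = undef,
  Hash[String, String] $additional_options = {},
) {
  include fail2ban::config

  # A bare string is still accepted for $action, but the 5.x interface will
  # only take arrays; normalise here so the template always sees one shape.
  if $action =~ String {
    deprecation('fail2ban_action_param', 'The $action parameter will only take an array of strings in 5.x')

    $real_action = [$action]
  }
  else {
    $real_action = $action
  }

  # Journal-backed jails must not carry a logpath, every other backend needs
  # one. NOTE(review): only the per-jail $backend is inspected; a jail that
  # leaves $backend undef and inherits a global 'systemd' backend still has to
  # pass a non-empty $logpath to get past this check.
  if $backend == 'systemd' {
    if ! empty($logpath) {
      fail("The backend for fail2ban jail ${name} is 'systemd' so \$logpath must be empty.")
    }
  }
  else {
    if empty($logpath) {
      fail("You must set \$logpath for fail2ban jail ${name}.")
    }
  }

  # 'all' is a convenience alias that expands to the full port range.
  if $port == 'all' {
    $portrange = '1:65535'
  }
  else {
    $portrange = $port
  }

  # Per-jail overrides keyed by their jail.conf option name. Undef values are
  # passed through; presumably jail.epp skips them so the [DEFAULT] value from
  # jail.conf/jail.local applies (TODO confirm against templates/jail.epp).
  $jail_options = {
    enabled            => $enabled,
    mode               => $mode,
    backend            => $backend,
    usedns             => $usedns,
    filter             => $filter,
    logpath            => $logpath,
    logencoding        => $logencoding,
    logtimezone        => $logtimezone,
    # datepattern was declared and documented but never handed to the
    # template, so the parameter silently had no effect on the jail file.
    datepattern        => $datepattern,
    prefregex          => $prefregex,
    failregex          => $failregex,
    ignoreregex        => $ignoreregex,
    ignoreself         => $ignoreself,
    ignoreip           => $ignoreip,
    ignorecommand      => $ignorecommand,
    ignorecache        => $ignorecache,
    maxretry           => $maxretry,
    maxlines           => $maxlines,
    maxmatches         => $maxmatches,
    findtime           => $findtime,
    action             => $real_action,
    bantime            => $bantime,
    bantime_extra      => $bantime_extra,
    banaction          => $banaction,
    banaction_allports => $banaction_allports,
    chain              => $chain,
    port               => $portrange,
    protocol           => $protocol,
    mta                => $mta,
    destemail          => $destemail,
    sender             => $sender,
    fail2ban_agent     => $fail2ban_agent,
  }

  # merge() lets the right-hand hash win on key conflicts, which is what gives
  # explicit parameters precedence over same-named additional_options keys.
  $jail_template_values = {
    jail_name => $name,
    options   => merge($additional_options, $jail_options),
  }
  # The resource title is used both as the jail.d file name and as the jail's
  # section name; it comes from the manifest author and is not validated here.
  file { "/etc/fail2ban/jail.d/${name}.conf":
    ensure  => $ensure,
    content => epp('fail2ban/jail.epp', $jail_template_values),
    owner   => 'root',
    group   => 0,
    mode    => $config_file_mode,
    notify  => Class['fail2ban::service'],
  }
}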
278 |
--------------------------------------------------------------------------------
/manifests/service.pp:
--------------------------------------------------------------------------------
1 | # fail2ban/manifests/service.pp
2 | #
3 | # This class should not be included directly. Users must use the fail2ban
4 | # class.
5 | #
6 | # @summary Enable fail2ban daemon
7 | #
8 | # @api private
9 | #
class fail2ban::service {
  # Attributes of the managed service resource, kept apart from the guard so
  # the resource declaration itself stays minimal.
  $service_attrs = {
    ensure    => running,
    enable    => true,
    hasstatus => true,
  }

  # Users who manage the daemon themselves set manage_service => false on the
  # fail2ban class; nothing is declared in that case.
  if $fail2ban::manage_service {
    service { 'fail2ban':
      * => $service_attrs,
    }
  }
}
19 |
--------------------------------------------------------------------------------
/metadata.json:
--------------------------------------------------------------------------------
1 | {
2 | "name": "LeLutin-fail2ban",
3 | "version": "4.1.0",
4 | "author": "LeLutin",
5 | "summary": "Manage fail2ban bruteforce protector",
6 | "license": "GPL-3.0+",
7 | "source": "https://github.com/lelutin/puppet-fail2ban",
8 | "project_page": "https://github.com/lelutin/puppet-fail2ban",
9 | "issues_url": "https://github.com/lelutin/puppet-fail2ban/issues",
10 | "dependencies": [
11 | {
12 | "name": "puppetlabs/stdlib",
13 | "version_requirement": ">= 4.6.0 < 10.0.0"
14 | }
15 | ],
16 | "requirements": [
17 | {
18 | "name": "puppet",
19 | "version_requirement": ">= 6.0 < 9.0.0"
20 | }
21 | ],
22 | "operatingsystem_support": [
23 | {
24 | "operatingsystem": "Debian",
25 | "operatingsystemrelease": [
26 | "11",
27 | "12"
28 | ]
29 | },
30 | {
31 | "operatingsystem": "Ubuntu",
32 | "operatingsystemrelease": [
33 | "20.04",
34 | "22.04",
35 | "24.04"
36 | ]
37 | },
38 | {
39 | "operatingsystem": "RedHat",
40 | "operatingsystemrelease": [
41 | "8",
42 | "9"
43 | ]
44 | }
45 | ],
46 | "tags": [
47 | "fail2ban",
48 | "iptables",
49 | "nftables",
50 | "bruteforce",
51 | "firewall"
52 | ]
53 | }
54 |
--------------------------------------------------------------------------------
/renovate.json:
--------------------------------------------------------------------------------
1 | {
2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json",
3 | "extends": [
4 | "config:base",
5 | ":disableDependencyDashboard"
6 | ]
7 | }
8 |
--------------------------------------------------------------------------------
/spec/classes/init_spec.rb:
--------------------------------------------------------------------------------
1 | require 'spec_helper'
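describe 'fail2ban' do
  let(:title) { 'fail2ban' }
  let(:facts) do
    {
      # The legacy "init" service provider still consults these two flat
      # facts, so they are kept alongside the structured os fact.
      operatingsystem: 'Debian',
      osfamily: 'Debian',

      os: {
        family: 'Debian',
        release: {
          # Use a release listed in metadata.json (Debian 11/12); Debian 10 is
          # no longer a supported target of this module.
          major: '12',
        },
      },
    }
  end

  # On a supported os family the main class must contain the three private
  # classes that do the actual work.
  %w[install config service].each do |subclass|
    it { is_expected.to contain_class("fail2ban::#{subclass}") }
  end
end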
25 |
--------------------------------------------------------------------------------
/spec/spec_helper.rb:
--------------------------------------------------------------------------------
1 | require 'puppetlabs_spec_helper/module_spec_helper'
2 | require 'rspec-puppet-facts'
3 |
--------------------------------------------------------------------------------
/templates/action.epp:
--------------------------------------------------------------------------------
<%# fail2ban/templates/action.epp
    Renders an action definition file from the bindings handed in through
    epp(): $includes / $includes_after (arrays, [INCLUDES]); $additional_defs,
    $actionstart, $actionstop, $actioncheck, $actionban, $actionunban (arrays
    of lines, [Definition]); $timeout (optional scalar) and $init (array of
    lines, [Init]). Array values are joined with a newline plus one space,
    which is fail2ban's continuation form for multi-line values. -%>
# Fail2Ban configuration file
#

<% unless $includes.empty and $includes_after.empty { -%>
[INCLUDES]
<% unless $includes.empty { -%>
before = <%= join($includes, "\n ") %>
<% } -%>
<% unless $includes_after.empty { -%>
after = <%= join($includes_after, "\n ") %>
<% } -%>

<% } -%>
[Definition]

<% $additional_defs.each |String $line| { -%>
<%= $line %>
<% } -%>
##
<% unless $actionstart.empty { -%>
actionstart = <%= join($actionstart, "\n ") %>

<% } -%>
<% unless $actionstop.empty { -%>
actionstop = <%= join($actionstop, "\n ") %>

<% } -%>
<% unless $actioncheck.empty { -%>
actioncheck = <%= join($actioncheck, "\n ") %>

<% } -%>
actionban = <%= join($actionban, "\n ") %>

actionunban = <%= join($actionunban, "\n ") %>

[Init]

<% if $timeout =~ NotUndef { -%>
timeout = <%= $timeout %>
<% } -%>
<% $init.each |String $line| { -%>
<%= $line %>
<% } -%>
44 |
--------------------------------------------------------------------------------
/templates/debian/jail.conf.epp:
--------------------------------------------------------------------------------
1 | #
2 | # WARNING: heavily refactored in 0.9.0 release. Please review and
3 | # customize settings for your setup.
4 | #
5 | # Changes: in most of the cases you should not modify this
6 | # file, but provide customizations in jail.local file,
7 | # or separate .conf files under jail.d/ directory, e.g.:
8 | #
9 | # HOW TO ACTIVATE JAILS:
10 | #
11 | # YOU SHOULD NOT MODIFY THIS FILE.
12 | #
13 | # It will probably be overwritten or improved in a distribution update.
14 | #
15 | # Provide customizations in a jail.local file or a jail.d/customisation.local.
16 | # For example to change the default bantime for all jails and to enable the
17 | # ssh-iptables jail the following (uncommented) would appear in the .local file.
18 | # See man 5 jail.conf for details.
19 | #
20 | # [DEFAULT]
21 | # bantime = 1h
22 | #
23 | # [sshd]
24 | # enabled = true
25 | #
26 | # See jail.conf(5) man page for more information
27 |
28 |
29 |
30 | # Comments: use '#' for comment lines and ';' (following a space) for inline comments
31 |
32 |
33 | [INCLUDES]
34 |
35 | #before = paths-distro.conf
36 | before = paths-debian.conf
37 |
38 | # The DEFAULT allows a global definition of the options. They can be overridden
39 | # in each jail afterwards.
40 |
41 | [DEFAULT]
42 |
43 | #
44 | # MISCELLANEOUS OPTIONS
45 | #
46 |
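<%# Optional bantime.* tuning keys. The whole section is skipped when
    $bantime_extra is undef; otherwise each key is checked on its own because
    the hash may carry any subset of them. The last stanza previously tested
    and printed the 'multipliers' key under the bantime.overalljails name, so
    overalljails could never be emitted; it now reads its own key. -%>
<% if $bantime_extra !~ Undef { -%>
<% if $bantime_extra['increment'] !~ Undef { -%>
# "bantime.increment" allows to use database for searching of previously banned ip's to increase a
# default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32...
bantime.increment = <%= $bantime_extra['increment'] %>

<% } -%>
<% if $bantime_extra['rndtime'] !~ Undef { -%>
# "bantime.rndtime" is the max number of seconds using for mixing with random time
# to prevent "clever" botnets calculate exact time IP can be unbanned again:
bantime.rndtime = <%= $bantime_extra['rndtime'] %>

<% } -%>
<% if $bantime_extra['maxtime'] !~ Undef { -%>
# "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further)
bantime.maxtime = <%= $bantime_extra['maxtime'] %>

<% } -%>
<% if $bantime_extra['factor'] !~ Undef { -%>
# "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier,
# default value of factor is 1 and with default value of formula, the ban time
# grows by 1, 2, 4, 8, 16 ...
bantime.factor = <%= $bantime_extra['factor'] %>

<% } -%>
<% if $bantime_extra['formula'] !~ Undef { -%>
# "bantime.formula" used by default to calculate next value of ban time, default value below,
# the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32...
#bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor
#
# more aggressive example of formula has the same values only for factor "2.0 / 2.885385" :
#bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)
bantime.formula = <%= $bantime_extra['formula'] %>

<% } -%>
<% if $bantime_extra['multipliers'] !~ Undef { -%>
# "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding
# previously ban count and given "bantime.factor" (for multipliers default is 1);
# following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count,
# always used last multiplier (64 in example), for factor '1' and original ban time 600 - 10.6 hours
#bantime.multipliers = 1 2 4 8 16 32 64
# following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin,
# for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day
bantime.multipliers = <%= $bantime_extra['multipliers'] %>

<% } -%>
<% if $bantime_extra['overalljails'] !~ Undef { -%>
# "bantime.overalljails" (if true) specifies the search of IP in the database will be executed
# cross over all jails, if false (dafault), only current jail of the ban IP will be searched
bantime.overalljails = <%= $bantime_extra['overalljails'] %>

<% } -%>
<% } -%>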
100 | # --------------------
101 |
102 | # "ignoreself" specifies whether the local resp. own IP addresses should be ignored
103 | # (default is true). Fail2ban will not ban a host which matches such addresses.
104 | ignoreself = <%= $ignoreself %>
105 |
106 | # "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
107 | # will not ban a host which matches an address in this list. Several addresses
108 | # can be defined using space (and/or comma) separator.
109 | ignoreip = <%= $ignoreip.join(" ") %>
110 |
111 | # External command that will take a tagged argument to ignore, e.g. <ip>,
112 | # and return true if the IP is to be ignored. False otherwise.
113 | #
114 | # ignorecommand = /path/to/command
115 | ignorecommand = <%= $ignorecommand %>
116 | <% if $ignorecache !~ Undef { -%>
117 | # Cache results of ignorecommand to avoid repeatedly calling it.
118 | ignorecache = <%= $ignorecache %>
119 | <% } -%>
120 |
121 | # "bantime" is the number of seconds that a host is banned.
122 | bantime = <%= $bantime %>
123 |
124 | # A host is banned if it has generated "maxretry" during the last "findtime"
125 | # seconds.
126 | findtime = <%= $findtime %>
127 |
128 | # "maxretry" is the number of failures before a host get banned.
129 | maxretry = <%= $maxretry %>
130 | <% if $maxlines !~ Undef { -%>
131 |
132 | # "maxlines" sets the number of lines to buffer for regex search
133 | maxlines = <%= $maxlines %>
134 | <% } -%>
135 |
136 | # "maxmatches" is the number of matches stored in ticket (resolvable via tag in actions).
137 | maxmatches = <%= $maxmatches %>
138 |
139 | # "backend" specifies the backend used to get files modification.
140 | # Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
141 | # This option can be overridden in each jail as well.
142 | #
143 | # pyinotify: requires pyinotify (a file alteration monitor) to be installed.
144 | # If pyinotify is not installed, Fail2ban will use auto.
145 | # gamin: requires Gamin (a file alteration monitor) to be installed.
146 | # If Gamin is not installed, Fail2ban will use auto.
147 | # polling: uses a polling algorithm which does not require external libraries.
148 | # systemd: uses systemd python library to access the systemd journal.
149 | # Specifying "logpath" is not valid for this backend.
150 | # See "journalmatch" in the jails associated filter config
151 | # auto: will try to use the following backends, in order:
152 | # pyinotify, gamin, polling.
153 | #
154 | # Note: if systemd backend is chosen as the default but you enable a jail
155 | # for which logs are present only in its own log files, specify some other
156 | # backend for that jail (e.g. polling) and provide empty value for
157 | # journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
158 | backend = <%= $backend %>
159 |
160 | # "usedns" specifies if jails should trust hostnames in logs,
161 | # warn when DNS lookups are performed, or ignore all hostnames in logs
162 | #
163 | # yes: if a hostname is encountered, a DNS lookup will be performed.
164 | # warn: if a hostname is encountered, a DNS lookup will be performed,
165 | # but it will be logged as a warning.
166 | # no: if a hostname is encountered, will not be used for banning,
167 | # but it will be logged as info.
168 | # raw: use raw value (no hostname), allow use it for no-host filters/actions (example user)
169 | usedns = <%= $usedns %>
170 |
171 | # "logencoding" specifies the encoding of the log files handled by the jail
172 | # This is used to decode the lines from the log file.
173 | # Typical examples: "ascii", "utf-8"
174 | #
175 | # auto: will use the system locale setting
176 | logencoding = <%= $logencoding %>
177 | <% if ! $logpath.empty { -%>
178 | # Default path for log files used by jails
179 | logpath = <%= $logpath.join("\n ") %>
180 | <% } -%>
181 | <% if $logtimezone !~ Undef { -%>
182 | # Force timezone for all log files by default
183 | logtimezone = <%= $logtimezone %>
184 | <% } -%>
185 | <% if $datepattern !~ Undef { -%>
186 | # Global date pattern
187 | datepattern = <%= $datepattern %>
188 | <% } -%>
189 |
190 | # "enabled" enables the jails.
191 | # By default all jails are disabled, and it should stay this way.
192 | # Enable only relevant to your setup jails in your .local or jail.d/*.conf
193 | #
194 | # true: jail will be enabled and log files will get monitored for changes
195 | # false: jail is not enabled
196 | enabled = <%= $enabled %>
197 |
198 |
199 | # "mode" defines the mode of the filter (see corresponding filter implementation for more info).
200 | mode = <%= $mode %>
201 |
202 | # "filter" defines the filter to use by the jail.
203 | # By default jails have names matching their filter name
204 | #
205 | filter = <%= $filter %>
206 | <% if $prefregex !~ Undef { -%>
207 |
208 | # Regular expression to parse common part in every message.
209 | prefregex = <%= $prefregex %>
210 | <% } -%>
211 | <% if $failregex !~ Undef { -%>
212 |
213 | # Regular expressions to add to all filters' failregex
214 | failregex = <%= [$failregex].flatten().join("\n ") %>
215 | <% } -%>
216 | <% if $ignoreregex !~ Undef { -%>
217 |
218 | # Regular expressions to add to all filters' ignoreregex
219 | ignoreregex = <%= [$ignoreregex].flatten().join("\n ") %>
220 | <% } -%>
221 |
222 |
223 | #
224 | # ACTIONS
225 | #
226 |
227 | # Some options used for actions
228 |
229 | # Destination email address used solely for the interpolations in
230 | # jail.{conf,local,d/*} configuration files.
231 | destemail = <%= $destemail %>
232 |
233 | # Sender email address used solely for some actions
234 | sender = <%= $sender %>
235 |
236 | # E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
237 | # mailing. Change mta configuration parameter to mail if you want to
238 | # revert to conventional 'mail'.
239 | mta = <%= $mta %>
240 |
241 | # Default protocol
242 | protocol = <%= $protocol %>
243 |
244 | # Specify chain where jumps would need to be added in ban-actions expecting parameter chain
245 | chain = <%= $chain %>
246 |
247 | # Ports to be banned
248 | # Usually should be overridden in a particular jail
249 | port = <%= $port %>
250 |
251 | # Format of user-agent https://tools.ietf.org/html/rfc7231#section-5.5.3
252 | fail2ban_agent = <%= $fail2ban_agent %>
253 |
254 | #
255 | # Action shortcuts. To be used to define action parameter
256 |
257 | # Default banning action (e.g. iptables, iptables-new,
258 | # iptables-multiport, shorewall, etc) It is used to define
259 | # action_* variables. Can be overridden globally or per
260 | # section within jail.local file
261 | banaction = <%= $banaction %>
262 | banaction_allports = <%= $banaction_allports %>
263 |
264 | # The simplest action to take: ban only
265 | action_ = %(banaction)s[port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
266 |
267 | # ban & send an e-mail with whois report to the destemail.
268 | action_mw = %(action_)s
269 | %(mta)s-whois[sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
270 |
271 | # ban & send an e-mail with whois report and relevant log lines
272 | # to the destemail.
273 | action_mwl = %(action_)s
274 | %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
275 |
276 | # See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
277 | #
278 | # ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
279 | # to the destemail.
280 | action_xarf = %(action_)s
281 | xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath="%(logpath)s", port="%(port)s"]
282 |
283 | # ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
284 | # to the destemail.
285 | action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
286 | %(mta)s-whois-lines[sender="%(sender)s", dest="%(destemail)s", logpath="%(logpath)s", chain="%(chain)s"]
287 |
288 | # Report block via blocklist.de fail2ban reporting service API
289 | #
290 | # See the IMPORTANT note in action.d/blocklist_de.conf for when to use this action.
291 | # Specify expected parameters in file action.d/blocklist_de.local or if the interpolation
292 | # `action_blocklist_de` used for the action, set value of `blocklist_de_apikey`
293 | # in your `jail.local` globally (section [DEFAULT]) or per specific jail section (resp. in
294 | # corresponding jail.d/my-jail.local file).
295 | #
296 | action_blocklist_de = blocklist_de[email="%(sender)s", service="%(__name__)s", apikey="%(blocklist_de_apikey)s", agent="%(fail2ban_agent)s"]
297 |
298 | # Report ban via badips.com, and use as blacklist
299 | #
300 | # See BadIPsAction docstring in config/action.d/badips.py for
301 | # documentation for this action.
302 | #
303 | # NOTE: This action relies on banaction being present on start and therefore
304 | # should be last action defined for a jail.
305 | #
306 | action_badips = badips.py[category="%(__name__)s", banaction="%(banaction)s", agent="%(fail2ban_agent)s"]
307 | #
308 | # Report ban via badips.com (uses action.d/badips.conf for reporting only)
309 | #
310 | action_badips_report = badips[category="%(__name__)s", agent="%(fail2ban_agent)s"]
311 |
312 | # Report ban via abuseipdb.com.
313 | #
314 | # See action.d/abuseipdb.conf for usage example and details.
315 | #
316 | action_abuseipdb = abuseipdb
317 |
318 | # Choose default action. To change, just override value of 'action' with the
319 | # interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
320 | # globally (section [DEFAULT]) or per specific section
321 | action = <%= [$action].flatten().join("\n ") %>
322 |
323 |
--------------------------------------------------------------------------------
/templates/fail2ban.conf.epp:
--------------------------------------------------------------------------------
<%# templates/fail2ban.conf.epp: renders /etc/fail2ban/fail2ban.conf.
    Variables read (set by the caller, presumably manifests/config.pp; confirm):
      $loglvl        renders the loglevel option (the variable is NOT $loglevel)
      $logtarget, $syslogsocket, $socket, $pidfile, $allowipv6
      $dbfile, $dbpurgeage, $dbmaxmatches, $stacksize
    Every value is interpolated verbatim: nothing is quoted, escaped or
    validated in this template, so the Fail2ban::* aliases under types/ are
    the only guard (presumably applied on the caller's parameters; confirm).
    The [Definition] section is left empty, as upstream ships it. -%>
# Fail2Ban main configuration file
#
# Comments: use '#' for comment lines and ';' (following a space) for inline comments
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in fail2ban.local file, e.g.:
#
# [DEFAULT]
# loglevel = DEBUG
#

[DEFAULT]

# Option: loglevel
# Notes.: Set the log level output.
# CRITICAL
# ERROR
# WARNING
# NOTICE
# INFO
# DEBUG
# Values: [ LEVEL ] Default: INFO
#
<%# The caller must pass $loglvl, not $loglevel. -%>
loglevel = <%= $loglvl %>

# Option: logtarget
# Notes.: Set the log target. This could be a file, SYSTEMD-JOURNAL, SYSLOG, STDERR or STDOUT.
# Only one log target can be specified.
# If you change logtarget from the default value and you are
# using logrotate -- also adjust or disable rotation in the
# corresponding configuration file
# (e.g. /etc/logrotate.d/fail2ban on Debian systems)
# Values: [ STDOUT | STDERR | SYSLOG | SYSOUT | SYSTEMD-JOURNAL | FILE ] Default: STDERR
#
logtarget = <%= $logtarget %>

# Option: syslogsocket
# Notes: Set the syslog socket file. Only used when logtarget is SYSLOG
# auto uses platform.system() to determine predefined paths
# Values: [ auto | FILE ] Default: auto
syslogsocket = <%= $syslogsocket %>

# Option: socket
# Notes.: Set the socket file. This is used to communicate with the daemon. Do
# not remove this file when Fail2ban runs. It will not be possible to
# communicate with the server afterwards.
# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.sock
#
socket = <%= $socket %>

# Option: pidfile
# Notes.: Set the PID file. This is used to store the process ID of the
# fail2ban server.
# Values: [ FILE ] Default: /var/run/fail2ban/fail2ban.pid
#
pidfile = <%= $pidfile %>

# Option: allowipv6
# Notes.: Allows IPv6 interface:
# Default: auto
# Values: [ auto yes (on, true, 1) no (off, false, 0) ] Default: auto
<%# A Puppet Boolean renders as true/false here, which the list above accepts. -%>
allowipv6 = <%= $allowipv6 %>

# Options: dbfile
# Notes.: Set the file for the fail2ban persistent data to be stored.
# A value of ":memory:" means database is only stored in memory
# and data is lost when fail2ban is stopped.
# A value of "None" disables the database.
# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
dbfile = <%= $dbfile %>

# Options: dbpurgeage
# Notes.: Sets age at which bans should be purged from the database
# Values: [ SECONDS ] Default: 86400 (24hours)
dbpurgeage = <%= $dbpurgeage %>

# Options: dbmaxmatches
# Notes.: Number of matches stored in database per ticket (resolvable via
# tags / in actions)
# Values: [ INT ] Default: 10
dbmaxmatches = <%= $dbmaxmatches %>

[Definition]


[Thread]

# Options: stacksize
# Notes.: Specifies the stack size (in KiB) to be used for subsequently created threads,
# and must be 0 or a positive integer value of at least 32.
# Values: [ SIZE ] Default: 0 (use platform or configured default)
stacksize = <%= $stacksize %>
93 |
--------------------------------------------------------------------------------
/templates/filter.epp:
--------------------------------------------------------------------------------
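<%# templates/filter.epp: renders one filter.d/NAME.conf for fail2ban.
    Variables read (set by the caller, presumably manifests/filter.pp; confirm):
      $includes, $includes_after   Arrays; [INCLUDES] before/after, written only when non-empty
      $additional_defs             Array[String]; raw lines placed under [Definition]
      $maxlines, $datepattern, $journalmatch, $prefregex
                                   each written only when not Undef
      $failregexes, $ignoreregexes Arrays; joined as INI continuation lines
      $init                        Array[String]; raw lines under [Init], only when non-empty
    Everything is written verbatim: the $additional_defs and $init lines are
    not checked for INI structure and the regexes are not compiled here, so a
    failregex that matches too broadly bans hosts it should not. Review the
    patterns before rollout; the template cannot. -%>
# Fail2Ban configuration file
#

<% if ! $includes.empty or ! $includes_after.empty { -%>
[INCLUDES]
<% if ! $includes.empty { -%>
before = <%= $includes.join("\n ") %>
<% } -%>
<% if ! $includes_after.empty { -%>
after = <%= $includes_after.join("\n ") %>
<% } -%>

<% } -%>
[Definition]

<% $additional_defs.each |String $line| { -%>
<%= $line %>
<% } -%>

<%
if $maxlines !~ Undef {
-%>
maxlines = <%= $maxlines %>

<%
}
-%>
<%
if $datepattern !~ Undef {
-%>
datepattern = <%= $datepattern %>

<%
}
-%>
<%
if $journalmatch !~ Undef {
-%>
journalmatch = <%= $journalmatch %>

<%
}
-%>
<%
if $prefregex !~ Undef {
-%>
prefregex = <%= $prefregex %>

<%
}
-%>
# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
# Values: TEXT
#
failregex = <%= $failregexes.join("\n ") %>

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex = <%= $ignoreregexes.join("\n ") %>
<%
if ! $init.empty {
-%>

[Init]
<%
$init.each |String $line| {
-%>
<%= $line %>
<%
}
}
-%>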
79 |
--------------------------------------------------------------------------------
/templates/jail.epp:
--------------------------------------------------------------------------------
<%# templates/jail.epp: renders the INI section for a single jail.
    Variables read (set by the caller, presumably manifests/jail.pp; confirm):
      $jail_name   section header
      $options     Hash[String, Any]. Entries whose value is Undef are skipped.
                   A key starting with 'bantime_extra' is treated as a hash
                   (presumably a Fail2ban::Bantime_extra) and expanded into one
                   "bantime.KEY = VALUE" line per entry. Array values are joined
                   as INI continuation lines aligned under the first element.
    Values are written verbatim, with no escaping: a value that contains a
    newline or a "[section]" header changes the INI structure of the rendered
    file. Any validation has to happen in the caller. -%>
[<%= $jail_name %>]
<%
$options.each |String $opt, Any $value| {
  if $opt.stdlib::start_with('bantime_extra') and $value !~ Undef {
    # Each key of the hash becomes its own bantime.* option.
    $value.each |String $bt_opt, Any $bt_value| {
-%>
bantime.<%= $bt_opt %> = <%= $bt_value %>
<%
    }
  }
  elsif $value !~ Undef {
    if $value =~ Array {
      # Continuation lines are indented by length($opt) + 3 (the " = " that
      # follows the key) so every element lines up under the first one.
      # Puppet has no string-repeat operator, hence range/map/join.
      $offset = range(1,length($opt)+3).map |$x| { " " }.join("")
-%>
<%= $opt %> = <%= $value.join("\n${offset}") %>
<%
    }
    else {
-%>
<%= $opt %> = <%= $value %>
<%
    }
  }
}
-%>
29 |
--------------------------------------------------------------------------------
/templates/rhel/jail.conf.epp:
--------------------------------------------------------------------------------
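<%# templates/rhel/jail.conf.epp: renders /etc/fail2ban/jail.conf for RHEL
    family hosts (the Debian variant is templates/debian/jail.conf.epp).
    Variables read, all interpolated verbatim with no escaping or validation:
      $ignoreip (Array, space-joined), $ignorecommand, $ignorecache (optional)
      $bantime, $findtime, $maxretry, $backend, $usedns, $logencoding
      $logpath (Array, optional), $logtimezone (optional), $enabled, $mode, $filter
      $prefregex, $failregex, $ignoreregex (optional; scalar or Array)
      $destemail, $sender, $mta, $protocol, $chain, $port
      $banaction, $banaction_allports, $action (scalar or Array)
    The API credentials referenced by the action shortcuts (cfemail, cfapikey,
    blocklist_de_apikey) are NOT parameters of this template: the rendered
    file only carries the %(...)s interpolation and fail2ban resolves them from
    jail.local / jail.d at runtime, so whichever file holds the real values is
    the one that needs restrictive permissions. -%>
# Fail2Ban configuration file.
#
# Managed by Puppet, do not change manually
#
# This file was composed for RHEL systems from the
# original file provided by the RPM
#
# Changes: in most of the cases you should not modify this
# file, but provide customizations in jail.local file,
# or separate .conf files under jail.d/ directory, e.g.
#
#
#
[INCLUDES]
before = paths-fedora.conf

[DEFAULT]
#
# MISCELLANEOUS OPTIONS
#
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = <%= $ignoreip.join(" ") %>


# External command that will take an tagged arguments to ignore, e.g. <ip>,
# and return true if the IP is to be ignored. False otherwise.
#
# ignorecommand = /path/to/command
<%# $ignorecommand is written verbatim and fail2ban executes it for every
    candidate address (see the comment above). Prefer an absolute path to a
    file that only root can modify; the template checks neither. -%>
ignorecommand = <%= $ignorecommand %>
<% if $ignorecache !~ Undef { -%>
# Cache results of ignorecommand to avoid repeatedly calling it.
ignorecache = <%= $ignorecache %>
<% } -%>

# "bantime" is the number of seconds that a host is banned.
bantime = <%= $bantime %>

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = <%= $findtime %>

# "maxretry" is the number of failures before a host get banned.
maxretry = <%= $maxretry %>

#"backend" specifies the backend used to get files modification.
# Available options are "pyinotify", "gamin", "polling", "systemd" and "auto".
# This option can be overridden in each jail as well.
#
# pyinotify: requires pyinotify (a file alteration monitor) to be installed.
# If pyinotify is not installed, Fail2ban will use auto.
# gamin: requires Gamin (a file alteration monitor) to be installed.
# If Gamin is not installed, Fail2ban will use auto.
# polling: uses a polling algorithm which does not require external libraries.
# systemd: uses systemd python library to access the systemd journal.
# Specifying "logpath" is not valid for this backend.
# See "journalmatch" in the jails associated filter config
# auto: will try to use the following backends, in order:
# pyinotify, gamin, polling.
#
# Note: if systemd backend is chosen as the default but you enable a jail
# for which logs are present only in its own log files, specify some other
# backend for that jail (e.g. polling) and provide empty value for
# journalmatch. See https://github.com/fail2ban/fail2ban/issues/959#issuecomment-74901200
backend = <%= $backend %>

# "usedns" specifies if jails should trust hostnames in logs,
# warn when DNS lookups are performed, or ignore all hostnames in logs
#
# yes: if a hostname is encountered, a DNS lookup will be performed.
# warn: if a hostname is encountered, a DNS lookup will be performed,
# but it will be logged as a warning.
# no: if a hostname is encountered, will not be used for banning,
# but it will be logged as info.
usedns = <%= $usedns %>

# "logencoding" specifies the encoding of the log files handled by the jail
# This is used to decode the lines from the log file.
# Typical examples: "ascii", "utf-8"
#
# auto: will use the system locale setting
logencoding = <%= $logencoding %>
<% if ! $logpath.empty { -%>
# Default path for log files used by jails
logpath = <%= $logpath.join("\n ") %>
<% } -%>
<% if $logtimezone !~ Undef { -%>
# Force timezone for all log files by default
logtimezone = <%= $logtimezone %>
<% } -%>

# "enabled" enables the jails.
# By default all jails are disabled, and it should stay this way.
# Enable only relevant to your setup jails in your .local or jail.d/*.conf
#
# true: jail will be enabled and log files will get monitored for changes
# false: jail is not enabled
enabled = <%= $enabled %>

# Define a default mode.
mode = <%= $mode %>

# "filter" defines the filter to use by the jail.
# By default jails have names matching their filter name
#
filter = <%= $filter %>
<% if $prefregex !~ Undef { -%>

# Regular expression to parse common part in every message.
prefregex = <%= $prefregex %>
<% } -%>
<% if $failregex !~ Undef { -%>

# Regular expressions to add to all filters' failregex
failregex = <%= [$failregex].flatten().join("\n ") %>
<% } -%>
<% if $ignoreregex !~ Undef { -%>

# Regular expressions to add to all filters' ignoreregex
ignoreregex = <%= [$ignoreregex].flatten().join("\n ") %>
<% } -%>

# ACTIONS
#
# Some options used for actions
# Destination email address used solely for the interpolations in
# jail.{conf,local,d/*} configuration files.
destemail = <%= $destemail %>

# Sender email address used solely for some actions
sender = <%= $sender %>

# E-mail action. Since 0.8.1 Fail2Ban uses sendmail MTA for the
# mailing. Change mta configuration parameter to mail if you want to
# revert to conventional 'mail'.
mta = <%= $mta %>

# Default protocol
protocol = <%= $protocol %>

# Specify chain where jumps would need to be added in iptables-* actions
chain = <%= $chain %>

# Ports to be banned
# Usually should be overridden in a particular jail
port = <%= $port %>

# Action shortcuts. To be used to define action parameter
# Default banning action (e.g. iptables, iptables-new,
# iptables-multiport, shorewall, etc) It is used to define
# action_* variables. Can be overridden globally or per
# section within jail.local file
banaction = <%= $banaction %>
banaction_allports = <%= $banaction_allports %>

# The simplest action to take: ban only
action_ = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]

# ban & send an e-mail with whois report to the destemail.
action_mw = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
# ban & send an e-mail with whois report and relevant log lines
# to the destemail.
action_mwl = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# See the IMPORTANT note in action.d/xarf-login-attack for when to use this action
#
# ban & send a xarf e-mail to abuse contact of IP address and include relevant log lines
# to the destemail.
action_xarf = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
xarf-login-attack[service=%(__name__)s, sender="%(sender)s", logpath=%(logpath)s, port="%(port)s"]

# ban IP on CloudFlare & send an e-mail with whois report and relevant log lines
# to the destemail.
<%# cfuser/cftoken stay as %(cfemail)s / %(cfapikey)s in the rendered file; the
    real token lives wherever the operator defines those names. -%>
action_cf_mwl = cloudflare[cfuser="%(cfemail)s", cftoken="%(cfapikey)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]

# Report block via blocklist.de fail2ban reporting service API
#
# See the IMPORTANT note in action.d/blocklist_de.conf for when to
# use this action. Create a file jail.d/blocklist_de.local containing
# [Init]
# blocklist_de_apikey = {api key from registration]
#
action_blocklist_de = blocklist_de[email="%(sender)s", service=%(filter)s, apikey="%(blocklist_de_apikey)s"]

# Report ban via badips.com, and use as blacklist
#
# See BadIPsAction docstring in config/action.d/badips.py for
# documentation for this action.
#
# NOTE: This action relies on banaction being present on start and therefore
# should be last action defined for a jail.
#
<%# NOTE(review): this shortcut uses category="%(name)s" while every other
    shortcut in this file uses %(__name__)s; confirm that "name" resolves in
    the target fail2ban release and that action.d/badips.py is still shipped
    before selecting action_badips. -%>
action_badips = badips.py[category="%(name)s", banaction="%(banaction)s"]

# Choose default action. To change, just override value of 'action' with the
# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local
# globally (section [DEFAULT]) or per specific section
action = <%= [$action].flatten().join("\n ") %>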
203 |
--------------------------------------------------------------------------------
/types/autoorflag.pp:
--------------------------------------------------------------------------------
# Either a plain Boolean or the literal string 'auto'.
#
# fail2ban accepts "auto" next to yes/no for some options, and a Puppet Boolean
# renders as true/false, which the allowipv6 comment in
# templates/fail2ban.conf.epp lists as accepted spellings. Presumably this
# alias backs that parameter; confirm in manifests/init.pp.
type Fail2ban::AutoOrFlag = Variant[Enum['auto'], Boolean]
4 |
--------------------------------------------------------------------------------
/types/backend.pp:
--------------------------------------------------------------------------------
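# Backend names that fail2ban understands.
#
# Accepts one of the pre-defined backend names, "systemd" optionally followed
# by a parameter list in square brackets, or a python-style interpolation such
# as %(backend)s so a jail can refer to a value defined elsewhere in the
# fail2ban configuration (that last pattern is deliberately a substring match
# -- presumably so the interpolation may be embedded; confirm).
#
# The systemd pattern is anchored at both ends with \A and \z: previously the
# closing anchor sat inside the optional bracket group, so a value such as
# "systemdfoo" passed the type check, and Ruby's $ only matches end of line,
# so a multi-line value would also have slipped through.
type Fail2ban::Backend = Variant[
  Enum['auto', 'pyinotify', 'gamin', 'polling'],
  Pattern[/\Asystemd(\[.*\])?\z/],
  Pattern[/%\(\w+\)s/],
]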
9 |
--------------------------------------------------------------------------------
/types/bantime_extra.pp:
--------------------------------------------------------------------------------
# Optional additional bantime.* options. See manifests/init.pp for details
# about what each option means.
#
# templates/jail.epp expands a jail option whose name starts with
# 'bantime_extra' into one "bantime.KEY = VALUE" line per hash entry, so the
# keys below must be exactly the names fail2ban expects after "bantime.".
# Booleans render as true/false; the String[1] members are passed through
# verbatim (no numeric or formula validation happens here).
#
type Fail2ban::Bantime_extra = Struct[{
  Optional[increment]    => Boolean,
  Optional[factor]       => String[1],
  Optional[formula]      => String[1],
  Optional[multipliers]  => String[1],
  Optional[maxtime]      => String[1],
  Optional[rndtime]      => String[1],
  Optional[overalljails] => Boolean,
}]
13 |
--------------------------------------------------------------------------------
/types/dbfile.pp:
--------------------------------------------------------------------------------
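# Where fail2ban's persistent data is stored.
#
# * an absolute path: the sqlite database file (fail2ban's own default is
#   /var/lib/fail2ban/fail2ban.sqlite3)
# * 'None':           disables the database entirely
# * ':memory:':       keeps the database in RAM only, so bans are lost when
#                     fail2ban stops
#
# ':memory:' is accepted because templates/fail2ban.conf.epp already documents
# it as a valid dbfile value; the type used to reject it.
type Fail2ban::Dbfile = Variant[
  Stdlib::Absolutepath,
  Enum['None', ':memory:'],
]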
6 |
--------------------------------------------------------------------------------
/types/loglevel.pp:
--------------------------------------------------------------------------------
# How much logging is needed from fail2ban
#
# CRITICAL through DEBUG are the levels listed in the rendered fail2ban.conf
# comment (templates/fail2ban.conf.epp). TRACEDEBUG and HEAVYDEBUG are extra
# verbose levels not mentioned there; confirm the installed fail2ban release
# accepts them before relying on them.
type Fail2ban::Loglevel = Enum['CRITICAL','ERROR','WARNING','NOTICE','INFO','DEBUG', 'TRACEDEBUG', 'HEAVYDEBUG']
3 |
--------------------------------------------------------------------------------
/types/logtarget.pp:
--------------------------------------------------------------------------------
# Where fail2ban writes its log.
#
# One of the fixed targets below, or an absolute path to a log file. The
# rendered fail2ban.conf comment warns that moving away from the default
# target may need a matching logrotate change (see
# templates/fail2ban.conf.epp).
type Fail2ban::Logtarget = Variant[
  Enum['STDOUT', 'STDERR', 'SYSLOG', 'SYSOUT', 'SYSTEMD-JOURNAL'],
  Stdlib::Absolutepath,
]
6 |
--------------------------------------------------------------------------------
/types/port.pp:
--------------------------------------------------------------------------------
# Possible values for the port parameter
# ports can be specified by number, but you can also pass in a comma-separated
# list of values in a string.
# The values in the string can be port numbers (integers), a range of port
# numbers in the format 'number:number', service names (looked up in
# /etc/services) or 'all' which is translated to '0:65535'
#
# NOTE(review): the String form is not validated by this alias at all -- an
# empty string or a malformed list compiles fine and would presumably only
# surface when fail2ban loads the jail, not at catalog compile time.
type Fail2ban::Port = Variant[Integer, String]
8 |
--------------------------------------------------------------------------------
/types/protocol.pp:
--------------------------------------------------------------------------------
# Options for protocol type
# This is used by the default action iptables-multiport to defined what
# protocol to ban for the specified ports.
#
# The value becomes the "protocol =" default in jail.conf and is interpolated
# into the action_* shortcuts as protocol="%(protocol)s" (see
# templates/rhel/jail.conf.epp).
type Fail2ban::Protocol = Enum['tcp','udp','icmp','all']
5 |
--------------------------------------------------------------------------------
/types/syslogsocket.pp:
--------------------------------------------------------------------------------
# Syslog socket used when logtarget is SYSLOG: either 'auto', which lets
# fail2ban pick the platform's predefined path, or an absolute path to the
# socket file.
type Fail2ban::Syslogsocket = Variant[Enum['auto'], Stdlib::Absolutepath]
4 |
--------------------------------------------------------------------------------
/types/time.pp:
--------------------------------------------------------------------------------
# Time in seconds for some configuration options can be specified either in an
# integer number of seconds, or an abbreviation that can help specify some time
# periods more easily
#
# Time abbreviation can be combined to make a more precise amount. For example
# 1d3h20m
#
# @see https://github.com/fail2ban/fail2ban/blob/master/man/jail.conf.5 jail.conf(5)
#
# Integer[1]: a bare number of seconds; 0 and negative values are rejected.
# Pattern:    one or more "digits + unit" groups (year/month/week/day/hour/
#             minute/second, each with its short forms). A numeric string with
#             no unit does not match, so pass plain seconds as an Integer.
#
type Fail2ban::Time = Variant[
  Integer[1],
  Pattern[/^(\d+(ye(a(r(s)?)?)?|yy?|mo(n(th(s)?)?)?|we(e(k(s)?)?)?|ww?|da(y(s)?)?|dd?|ho(u(r(s)?)?)?|hh?|mi(n(ute(s)?)?)?|mm?|se(c(ond(s)?)?)?|ss?))+$/], # lint:ignore:140chars
]
14 |
--------------------------------------------------------------------------------
/types/usedns.pp:
--------------------------------------------------------------------------------
# Possible values for usedns parameter
#
# yes/warn/no are described in the rendered jail.conf comment
# (templates/rhel/jail.conf.epp); 'raw' is accepted here but not documented
# there -- confirm its meaning against the installed fail2ban's jail.conf(5).
type Fail2ban::Usedns = Enum['yes','no','warn','raw']
3 |
--------------------------------------------------------------------------------