Install and manage fail2ban with puppet
To use this module just include the jail2ban class. To change default configurations in /etc/fail2ban/jail.conf, you can pass values to parameters to the fail2ban class. See section below for full list of parameters.
Here's an example that sets default ignored IP address to local host and another non-routed IP:
class { 'fail2ban':
ignoreip => '127.0.0.1 10.0.0.1',
}
You can create a jail with the fail2ban::jail defined type (see section below) or you can use one of the predefined fail2ban::jail::* classes.
You can also create a filter for use with jails with the fail2ban::filter defined type (see section below).
This module depends on the following modules to function:
- puppetlabs' stdlib module (at least version 3.0.0)
- puppetlabs' concat module (at least version 1.0.0)
This module supports
- Debian 7 and 8
- RHEL 6 and 7
- CentOs 6 and 7
Please note that a bug in puppet 3.x with regards to package dependencies will make it print warnings about missing dependencies. This issue was fixed in puppet 4.0.0. Unfortunately, since puppet 3.x is currently getting security patches only, there is no plan to backport the fix.
For more details, see : https://tickets.puppetlabs.com/browse/PUP-3121
-
ensureparameter deprecated in fail2ban::jail since 1.2.0. Will be removed for 2.x. Since the jail define uses puppetlabs-concat to define a fragment for each jail to be concatenated in/etc/fail2ban/jail.local, we're purposefully avoiding to use the ensure parameter. This is because the 2.x branch of puppetlabs-concat has deprecated this parameter and issues warnings to users that are using it. Users of the fail2ban module should instead remove the resources for the jails that must be removed. -
The directory
/etc/fail2ban/jail.dis now getting purged by default. Users who would like to preserve files in this directory that are not managed by puppet should now set thepurge_jail_dot_dparameter to thefail2banclass to false.
All of the values configured through the fail2ban class are used to configure
global default values. These values can be overridden by individual jails.
ignoreipDefault ignored IP(s) when parsing logs. Default value is '127.0.0.1'. Multiple values should be separated by spacesbantimeNumber of seconds during which reaching maxretry gets an IP banned. Default value is '600'findtimeTime interval (in seconds) before the current time where failures will count towards a ban. Default is '600'.maxretryNumber of times an IP address must trigger failgregexes to get banned. Default value is '3'backendHow should fail2ban look for modifications on log files. Default value is 'polling'destemailDefault email address that should get notifications with the actions that send emails. Default value is 'root@localhost'banactionDefault action to use for jails. Default value is 'iptables-multiport'mtaMail Transfer Agent program used for sending out email for actions that send out emails. Default value is 'sendmail'protocolDefault protocol for jails. Default value is 'tcp'actionDefault action for jails. Default value is '%(action_)s', which is defined as '%(banaction)s[name=%(name)s, port="%(port)s", protocol="%(protocol)s]' in jail.conf.purge_jail_dot_dBoolean value that decides whether/etc/fail2ban/jail.d/is purged of files that are not managed by puppet. Default value is true.
To define a jail, you can use one of the predefined jails (see list below). Or you can define your own with the fail2ban::jail defined type:
fail2ban::jail { 'jenkins':
port => 'all',
filter => 'jenkins',
logpath => '/var/log/jenkins.log',
}
Here's the full list of parameters you can use:
portList of port names, separated by commas, that will get blocked for a banned IP. Can be "all" to block all ports. This parameter is mandatory.filterName of the filter to use. This parameter is mandatory.logpathPath of the log to monitor. This parameter is mandatory.enabledShould this jail be enabled or not. The subtility betweenensureand this parameter is that ensure will make the contents of the jail appear or disappear, while this parameter will let the jail contents be present injail.localbut the jail will be marked as disabled. Default value is 'true'protocolOverride default protocol to ban ports for.maxretryOverride default number of trials that bans someone.findtimeOverride default interval during which maxretry failures triggers a ban.actionOverride default action used.banactionOverride defaultbanaction. If you don't also overrideaction, you will use the same default action template but with a different action name.bantimeOverride default duration of a ban for an IP.ignoreipOverride default IP(s) to ignore (e.g. don't ban this IP).orderOptional numerical position. This lets you order jails as you see fit.
To remove a jail, simply remove the resource for it from your manifests: puppetlabs-concat will automatically remove all fragments that are not managed with a concat::fragment resource (which the fail2ban::jail define uses).
- apache_noscript
- apache_overflows
- apache
- asterisk
- courierauth
- couriersmtp
- dovecot
- dropbear
- named_refused_tcp
- pam_generic
- postfix
- proftpd
- pure_ftpd
- sasl
- sendmailauth
- sendmailreject
- ssh_ddos
- ssh
- vsftpd
- wuftpd
- xinetd_fail
You might want to define new filters for your new jails. To do that, you can use the fail2ban::filter defined type:
fail2ban::filter { 'jenkins':
failregexes => [
# Those regexes are really arbitrary examples.
'Invalid login to Jenkins by user mooh by IP \'<HOST>\'',
'Forced entry trial by <HOST>',
],
}
Here's the full list of parameters you can use with the defined type:
failregexesList of regular expressions (strings) that, if matched, will increase IP's maxretry count. This parameter is mandatory.ensureShould this filter be present or not. Default value is presentignoreregexesList of regular expressions (strings) that, if matched, will invalidate failregex matching. Default value is an empty list.additional_defsList of lines that could define more arbitrary values. Lines will be placed in the file as they are in the list. Default value is an empty list.