Rietveld Code Review Tool

Side by Side Diff: modules/fail2ban/manifests/init.pp

Issue 29364214: Issue 2487 - Introduce fail2ban module (Closed)
Patch Set: Created Nov. 28, 2016, 3:59 p.m.
(Empty)
1 # == Class: fail2ban
2 #
3 # Create and maintain fail2ban (http://www.fail2ban.org/) setups.
4 #
5 # == Parameters:
6 #
7 # [*jail_config*]
8 # Adds jail.local to the default configuration of fail2ban.
f.nicolaisen 2016/11/29 00:38:54 "Provisions a jail.local adjacent to the default f
f.lopez 2016/11/29 10:46:58 Acknowledged.
9 # By default it will have the following parameters:
f.nicolaisen 2016/11/29 00:38:54 s/it/entries
f.lopez 2016/11/29 10:46:57 Acknowledged.
10 # 'enabled' => 'true',
11 # 'port' => 'all',
12 # 'maxretry' => 6,
13 # 'banaction' => 'iptables-allports',
14 # 'bantime' => 3600,
15 #
16 # Note that 'port' parameter needs to be an actual port
17 # otherwise it will fail if there is no 'banaction' declared.
f.nicolaisen 2016/11/29 00:38:54 I would formulate it like this: For the default ba
f.lopez 2016/11/29 10:46:57 Like it, gonna use yours instead :)
18 # Some options can be: http, https, ftp, etc.
19 #
20 # [*package*]
21 # Overwrite the default package options, to fine-tune the target version (i.e.
22 # ensure => 'latest') or remove fail2ban (ensure => 'absent' or 'purged')
23 #
24 # [*service*]
25 # Overwrite the default service options.
26 #
27 # [*filters*]
28 # Adds adittional filters to the filters.d folder.
29 # === Examples:
30 #
31 # class {'fail2ban':
32 # package => {ensure => 'present',},
33 # service => {},
34 # jail_config => {
35 # 'CVE-2013-0235' => {
36 # logpath => '/var/log/nginx/access_log_hg',
f.nicolaisen 2016/11/29 00:38:54 Remove trailing WS (white space)
f.nicolaisen 2016/11/29 00:38:55 Maybe we should add banaction multiport: http,http
f.lopez 2016/11/29 10:46:58 Acknowledged.
f.lopez 2016/11/29 10:46:58 Acknowledged.
37 # }
38 # },
39 # filters => {
40 # 'CVE-2013-0235' => {
41 # failregex => [
42 # '^<HOST>.*\"WordPress\/.*',
43 # ],
44 # }
45 # },
46 # }
47 class fail2ban (
48 $package = {},
49 $service = {},
50 $jail_config = {},
f.nicolaisen 2016/11/29 00:38:54 Now that I think about it, maybe we should call th
f.lopez 2016/11/29 10:46:57 I think singular is ok since it is only one jail.l
51 $filters = {},
52 ) {
53
54 include stdlib
55
56 $jail_default = {
57 'enabled' => 'true',
58 'port' => 'all',
59 'maxretry' => 6,
60 'banaction' => 'iptables-allports',
61 'bantime' => 3600,
62 }
63
64 ensure_resource('package', $title, $package)
65
66 # Used as default $ensure parameter for most resources below
67 $ensure = getparam(Package[$title], 'ensure') ? {
68 /^(absent|purged)$/ => 'absent',
f.nicolaisen 2016/11/29 00:38:54 WS
f.lopez 2016/11/29 10:46:58 Acknowledged.
69 default => 'present',
70 }
71
72 # Service resources don't properly support the concept of absence
73 if ($ensure == 'present') {
74
75 ensure_resource('service', $title, $service)
76 # See modules/fail2ban/manifests/filter.pp
77 create_resources('fail2ban::filter', $filters)
78
f.nicolaisen 2016/11/29 00:38:54 WS
f.lopez 2016/11/29 10:46:58 Acknowledged.
79 # According to the docs one can also enable filters that are
80 # already in there, so the config file should be done separately
81 # of the filters, another thing to conside is the possibility of
f.nicolaisen 2016/11/29 00:38:54 Typo: 'conside'.
f.nicolaisen 2016/11/29 00:38:54 Split the sentences: "... filters. Another thing t
f.lopez 2016/11/29 10:46:58 Acknowledged.
82 # having the filters configured but not activated, so no conf is
83 # passed.
f.nicolaisen 2016/11/29 00:38:55 The whole above comment is a bit "loose" and undec
f.lopez 2016/11/29 10:46:58 Well you can have filters for specific situations
84 if jail_config != undef {
85 file {'/etc/fail2ban/jail.local':
86 ensure => present,
87 group => 'root',
88 mode => '0644',
89 owner => 'root',
90 content => template("fail2ban/jail.erb"),
91 notify => Service[$title],
92 }
93 }
94
95 Package[$title] -> File['/etc/fail2ban/jail.local']
96 }
97
98 }
f.nicolaisen 2016/11/29 00:38:54 No empty line at end of file
f.lopez 2016/11/29 10:46:57 Acknowledged.
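Review bot: On line 84, "if jail_config != undef {" is missing the $ sigil, so the test compares a bare word rather than the class parameter, and because $jail_config defaults to {} on line 50, even "$jail_config != undef" would still be true for the default. If the intent of the comment on lines 79-83 is to allow filters without a jail.local, test for an empty hash instead (for example "unless empty($jail_config)", stdlib is already included on line 54) and move the ordering "Package[$title] -> File['/etc/fail2ban/jail.local']" from line 95 inside that block, since a reference to a File resource that was never declared fails catalog compilation. Separately, when the package is set to 'absent' or 'purged' nothing in this class removes an existing /etc/fail2ban/jail.local, because the file is only managed inside the "$ensure == 'present'" branch with a hard-coded "ensure => present"; that behaviour should be either handled or stated in the class documentation.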