Issue 2487 - Introduce fail2ban module

modules/fail2ban/manifests/init.pp

Index: modules/fail2ban/manifests/init.pp
===================================================================
new file mode 100644
--- /dev/null
+++ b/modules/fail2ban/manifests/init.pp
@@ -0,0 +1,98 @@
+# == Class: fail2ban
+#
+# Create and maintain fail2ban (http://www.fail2ban.org/) setups.
+#
+# == Parameters:
+#
+# [*jail_config*]
+#   Adds jail.local to the default configuration of fail2ban.

[f.nicolaisen, 2016/11/29 00:38:54]

"Provisions a jail.local adjacent to the default fail2ban configuration."

[f.lopez, 2016/11/29 10:46:58]

Acknowledged.

+#   By default it will have the following parameters:

[f.nicolaisen, 2016/11/29 00:38:54]

s/it/entries

[f.lopez, 2016/11/29 10:46:57]

Acknowledged.

+#     'enabled' => 'true',
+#     'port' => 'all',
+#     'maxretry' => 6,
+#     'banaction' => 'iptables-allports',
+#     'bantime' => 3600,
+#
+#   Note that 'port' parameter needs to be an actual port
+#   otherwise it will fail if there is no 'banaction' declared.

[f.nicolaisen, 2016/11/29 00:38:54]

I would formulate it like this:
For the default banaction iptables-allports, the port parameter is not used and
only set here for documentation purposes. Note that if 'banaction' is set to
iptables-multiport, it requires that the 'port' parameter contains one or more
comma-separated ports or protocols.

[f.lopez, 2016/11/29 10:46:57]

Like it, gonna use your instead :)

+#   Some options can be: http, https, ftp, etc.
+#
+# [*package*]
+#   Overwrite the default package options, to fine-tune the target version (i.e.
+#   ensure => 'latest') or remove fail2ban (ensure => 'absent' or 'purged')
+#
+# [*service*]
+#   Overwrite the default service options.
+#
+# [*filters*]
+#   Adds adittional filters to the filters.d folder.
+# === Examples:
+#
+#  class {'fail2ban':
+#    package => {ensure => 'present',},
+#    service => {},
+#    jail_config => {
+#      'CVE-2013-0235' => {
+#        logpath => '/var/log/nginx/access_log_hg',        

[f.nicolaisen, 2016/11/29 00:38:54]

Remove trailing WS (white space)

[f.nicolaisen, 2016/11/29 00:38:55]

Maybe we should add banaction multiport: http,https in this example.

[f.lopez, 2016/11/29 10:46:58]

Acknowledged.

[f.lopez, 2016/11/29 10:46:58]

Acknowledged.

+#      }
+#    },
+#    filters => {
+#      'CVE-2013-0235' => {
+#        failregex => [
+# 	   '^<HOST>.*\"WordPress\/.*',
+# 	 ],
+#      }
+#    },
+#  }
+class fail2ban (
+  $package = {},
+  $service = {},
+  $jail_config = {},

[f.nicolaisen, 2016/11/29 00:38:54]

Now that I think about it, maybe we should call this one 'jail_configs'? Not
sure.

[f.lopez, 2016/11/29 10:46:57]

I think singular is ok since it is only one jail.local configuration file we are
going to create, I tried using a jail.d folder in order to have more
configurations but it doesn't work.

+  $filters = {},
+) {
+
+  include stdlib
+
+  $jail_default = {
+    'enabled' => 'true',
+    'port' => 'all',
+    'maxretry' => 6,
+    'banaction' => 'iptables-allports',
+    'bantime' => 3600,
+  }
+
+  ensure_resource('package', $title, $package)
+
+  # Used as default $ensure parameter for most resources below
+  $ensure = getparam(Package[$title], 'ensure') ? {
+    /^(absent|purged)$/ => 'absent',	

[f.nicolaisen, 2016/11/29 00:38:54]

WS

[f.lopez, 2016/11/29 10:46:58]

Acknowledged.

+    default => 'present',
+  }
+
+  # Service resources don't properly support the concept of absence
+  if ($ensure == 'present') {
+
+    ensure_resource('service', $title, $service)
+    # See modules/fail2ban/manifests/filter.pp
+    create_resources('fail2ban::filter', $filters)
+    

[f.nicolaisen, 2016/11/29 00:38:54]

WS

[f.lopez, 2016/11/29 10:46:58]

Acknowledged.

+    # According to the docs one can also enable filters that are
+    # already in there, so the config file should be done separately
+    # of the filters, another thing to conside is the possibility of

[f.nicolaisen, 2016/11/29 00:38:54]

Typo: 'conside'.

[f.nicolaisen, 2016/11/29 00:38:54]

Split the sentences: "... filters. Another thing to..."

[f.lopez, 2016/11/29 10:46:58]

Acknowledged.

+    # having the filters configured but not activated, so no conf is
+    # passed.

[f.nicolaisen, 2016/11/29 00:38:55]

The whole above comment is a bit "loose" and undecided. Try instead to declare
exactly how to do what. "Filters already present in the fail2ban distribution
can also be activated. Configure deactivated filters so that ... (when is that a
good idea?)."

[f.lopez, 2016/11/29 10:46:58]

Well you can have filters for specific situations and then deactivate them.

+    if jail_config != undef {
+      file {'/etc/fail2ban/jail.local':
+        ensure => present,
+        group => 'root',
+        mode => '0644',
+        owner => 'root',
+        content => template("fail2ban/jail.erb"),
+        notify => Service[$title],
+      }
+    }
+
+    Package[$title] -> File['/etc/fail2ban/jail.local']
+  }
+
+}

[f.nicolaisen, 2016/11/29 00:38:54]

No empty line at end of file

[f.lopez, 2016/11/29 10:46:57]

Acknowledged.