Issue 2487 - Introduce fail2ban module

modules/fail2ban/manifests/init.pp

Index: modules/fail2ban/manifests/init.pp
===================================================================
new file mode 100644
--- /dev/null
+++ b/modules/fail2ban/manifests/init.pp
@@ -0,0 +1,101 @@
+# == Class: fail2ban
+#
+# Create and maintain fail2ban (http://www.fail2ban.org/) setups.
+#
+# == Parameters:
+#
+# [*jail_config*]
+#   Provisions a jail.local adjacent to the default configuration.
+#   By default entries will have the following parameters:
+#     'enabled' => 'true',
+#     'port' => 'all',
+#     'maxretry' => 6,
+#     'banaction' => 'iptables-allports',
+#     'bantime' => 3600,
+#
+#   For the default banaction iptables-allports, the port parameter
+#   is not used and only set here for documentation purposes. Note
+#   that if 'banaction' is set to iptables-multiport, it requires that
+#   the 'port' parameter contains one or more comma-separated ports or protocols.
+#
+# [*package*]
+#   Overwrite the default package options, to fine-tune the target version (i.e.
+#   ensure => 'latest') or remove fail2ban (ensure => 'absent' or 'purged')
+#
+# [*service*]
+#   Overwrite the default service options.
+#
+# [*filters*]
+#   Adds adittional filters to the filters.d folder.

[mathias, 2016/11/29 13:21:24]

Another comment-line (hash-tag in the beginning, otherwise empty) should follow
here.

[f.lopez, 2016/12/01 09:13:49]

Acknowledged.

+# === Examples:
+#
+#  class {'fail2ban':
+#    package => {ensure => 'present',},
+#    service => {},
+#    jail_config => {
+#      'CVE-2013-0235' => {
+#        'logpath' => '/var/log/nginx/access_log_hg',
+#        'banaction' => 'iptables-multiport',
+#        'port' => 'https, http',
+#      }
+#    },
+#    filters => {
+#      'CVE-2013-0235' => {
+#        failregex => [
+# 	   '^<HOST>.*\"WordPress\/.*',
+# 	 ],
+#      }
+#    },
+#  }

[mathias, 2016/11/29 13:21:25]

Another comment-line (hash-tag in the beginning, otherwise empty) should follow
here.

[f.lopez, 2016/12/01 09:13:50]

Acknowledged.

+class fail2ban (
+  $package = {},
+  $service = {},
+  $jail_config = {},
+  $filters = {},
+) {
+
+  include stdlib
+
+  $jail_default = {
+    'enabled' => 'true',
+    'port' => 'all',
+    'maxretry' => 6,
+    'banaction' => 'iptables-allports',
+    'bantime' => 3600,
+  }
+
+  ensure_resource('package', $title, $package)
+
+  # Used as default $ensure parameter for most resources below
+  $ensure = getparam(Package[$title], 'ensure') ? {
+    /^(absent|purged)$/ => 'absent',
+    default => 'present',
+  }
+
+  # Service resources don't properly support the concept of absence

[mathias, 2016/11/29 13:21:25]

There is more than just a service resource taken care of below, so this comment
should either be more inclusive or more abstract or absent.

[f.lopez, 2016/12/01 09:13:49]

Acknowledged.

+  if ($ensure == 'present') {
+
+    ensure_resource('service', $title, $service)

[mathias, 2016/11/29 13:21:25]

What about the $hasrestart and $hasstatus parameters? With fail2ban, can't we
set those to true by default?

[f.lopez, 2016/12/01 09:13:49]

We can, indeed, set those params to true

+    # See modules/fail2ban/manifests/filter.pp
+    create_resources('fail2ban::filter', $filters)
+
+    # Filters already present in the fail2ban distribution can
+    # also be activated.
+    # One can aslo decide not to configure any extra filters
+    # so no configuration file would be created then.
+    if jail_config != undef {

[mathias, 2016/11/29 13:21:25]

This condition should check for empty($jail_config) instead; undef even being
recognized/supported is rather hidden magic. And then this conditional is IMHO
not necessary anyway: It should be no problem to have the template iterate
through an empty hash, always creating a jail.local file. That would also
obsolete the second phrase in the commend above, including the "aslo" typo.

[f.lopez, 2016/12/01 09:13:50]

You are right, if we iterate over an empty param it won't matter since it just
won't merge any configurations with the jail.conf file

+      file {'/etc/fail2ban/jail.local':
+        ensure => present,
+        group => 'root',
+        mode => '0644',
+        owner => 'root',
+        content => template("fail2ban/jail.erb"),
+        notify => Service[$title],
+      }
+    }
+
+    Package[$title] -> File['/etc/fail2ban/jail.local']

[mathias, 2016/11/29 13:21:25]

A relationship declaring the Service[$title] being dependent on the
Package[$title] is missing here.

[f.lopez, 2016/12/01 09:13:49]

Acknowledged.

+  }
+
+}
+