| # = Class: fail2ban |
| # |
| # This is the main fail2ban class |
| # |
| # |
| # == Parameters |
| # |
| # Standard class parameters |
| # Define the general class behaviour and customizations |
| # |
| # [*source*] |
| # Sets the content of source parameter for main configuration file |
| # (fail2ban.local) |
| # If defined, fail2ban main config file will have the param: source => $source |
| # Can be defined also by the (top scope) variable $fail2ban_source |
| # |
| # [*source_dir*] |
| # If defined, the whole fail2ban.configuration directory content is retrieved |
| # recursively from the specified source |
| # (source => $source_dir , recurse => true) |
| # Can be defined also by the (top scope) variable $fail2ban_source_dir |
| # |
| # [*source_dir_purge*] |
| # If set to true (default false) the existing configuration directory is |
| # mirrored with the content retrieved from source_dir |
| # (source => $source_dir , recurse => true , purge => true) |
| # Can be defined also by the (top scope) variable $fail2ban_source_dir_purge |
| # |
| # [*source_dir_owner*] |
| # Configuration directory owner |
| # Default: root |
| # |
| # [*source_dir_group*] |
| # Configuration directory group |
| # Default: root |
| # |
| # [*template*] |
| # Sets the path to the template to use as content for main configuration file |
| # If defined, fail2ban main config file has: content => content("$template") |
| # Note source and template parameters are mutually exclusive: don't use both |
| # Can be defined also by the (top scope) variable $fail2ban_template |
| # |
| # [*ignoreip*] |
| # Fail2ban will not ban a host which matches an address in this list. |
| # Can an IP address, a CIDR mask or a DNS host. Several addresses can be |
| # definedin an array. |
| # Default: 127.0.0.1/8 |
| # |
| # [*bantime*] |
| # Value in seconds that a host is banned |
| # Default: 600 |
| # |
| # [*maxretry*] |
| # Is the number of failures before a host get banned. |
| # Default: 5 |
| # |
| # [*findtime*] |
| # A host is banned if it has generated "maxretry" during the last "findtime" |
| # seconds. |
| # Default: 600 |
| # |
| # [*backend*] |
| # Specifies the backend used to get files modification. |
| # Available options are "gamin", "polling" and "auto". |
| # Default: auto |
| # |
| # [*mailto*] |
| # Destination email address used solely for the interpolations in |
| # jail.{conf,local} configuration files. |
| # Default: "hostmaster@${::domain}" |
| # |
| # [*banaction*] |
| # Default banning action (e.g. iptables, iptables-new, iptables-multiport, |
| # shorewall, etc) It is used to define action_* variables. |
| # Can be overridden globally or per section within jail.local file |
| # Default: iptables-multiport |
| # |
| # [*mta*] |
| # Since 0.8.1 upstream fail2ban uses sendmail MTA for the mailing. |
| # Change mta configuration parameter to 'mail' if you want to revert |
| # to conventional 'mail'. |
| # Default: sendmail |
| # |
| # [*jails_file*] |
| # Path to 'jail.local' file |
| # Default: /etc/fail2ban/jail.local |
| # |
| # [*jails_config*] |
| # Define how you want to manage jails configuration: |
| # "file" - To provide jail.local as a normal file. If you choose this |
| # option,set ONE of [*jails_source*] or [*jails_template*] |
| # "concat" - To build it up using different fragments |
| # - This option, (preferred), permits the use of the |
| # fail2ban::jail define |
| # Default: empty. Uses "jail.local" from distribution, if any. |
| # |
| # [*jails_source*] |
| # Sets the content of source parameter for the jail.local configuration file |
| # |
| # [*jails_template*] |
| # Sets the path to the template to use as content for the jail.local |
| # configuration file |
| # If defined, fail2ban jails config file has: |
| # content => content("$jails_template") |
| # Note source and template parameters are mutually exclusive: don't use both |
| # |
| # [*jails*] |
| # When using [*jails_template*] you can have some control on what jail is |
| # enabled or not setting an array named "jails", containing the names of the |
| # jail you want enabled. |
| # |
| # [*jails_template_header*] |
| # Path to the template to use as header with concat |
| # Used by fail2ban::jails |
| # |
| # [*jails_template_footer*] |
| # Path to the template to use as footer with concat |
| # Used by fail2ban::jails |
| # |
| # [*jails_protocol*] |
| # Default: tcp |
| # |
| # [*jails_chain*] |
| # Specify chain where jumps would need to be added in iptables-* actions |
| # Default: INPUT |
| # |
| # [*options*] |
| # A hash of custom options to be used in templates for arbitrary settings. |
| # Can be defined also by the (top scope) variable $fail2ban_options |
| # |
| # [*service_autorestart*] |
| # Automatically restarts the fail2ban service when there is a change in |
| # configuration files. Default: true, Set to false if you don't want to |
| # automatically restart the service. |
| # |
| # [*version*] |
| # The package version, used in the ensure parameter of package type. |
| # Default: present. Can be 'latest' or a specific version number. |
| # Note that if the argument absent (see below) is set to true, the |
| # package is removed, whatever the value of version parameter. |
| # |
| # [*absent*] |
| # Set to 'true' to remove package(s) installed by module |
| # Can be defined also by the (top scope) variable $fail2ban_absent |
| # |
| # [*disable*] |
| # Set to 'true' to disable service(s) managed by module |
| # Can be defined also by the (top scope) variable $fail2ban_disable |
| # |
| # [*disableboot*] |
| # Set to 'true' to disable service(s) at boot, without checks if it's running |
| # Use this when the service is managed by a tool like a cluster software |
| # Can be defined also by the (top scope) variable $fail2ban_disableboot |
| # |
| # [*monitor*] |
| # Set to 'true' to enable monitoring of the services provided by the module |
| # Can be defined also by the (top scope) variables $fail2ban_monitor |
| # and $monitor |
| # |
| # [*monitor_tool*] |
| # Define which monitor tools (ad defined in Example42 monitor module) |
| # you want to use for fail2ban checks |
| # Can be defined also by the (top scope) variables $fail2ban_monitor_tool |
| # and $monitor_tool |
| # |
| # [*monitor_target*] |
| # The Ip address or hostname to use as a target for monitoring tools. |
| # Default is the fact $ipaddress |
| # Can be defined also by the (top scope) variables $fail2ban_monitor_target |
| # and $monitor_target |
| # |
| # [*puppi*] |
| # Set to 'true' to enable creation of module data files that are used by puppi |
| # Can be defined also by the (top scope) variables $fail2ban_puppi and $puppi |
| # |
| # [*puppi_helper*] |
| # Specify the helper to use for puppi commands. The default for this module |
| # is specified in params.pp and is generally a good choice. |
| # You can customize the output of puppi commands for this module using another |
| # puppi helper. Use the define puppi::helper to create a new custom helper |
| # Can be defined also by the (top scope) variables $fail2ban_puppi_helper |
| # and $puppi_helper |
| # |
| # [*debug*] |
| # Set to 'true' to enable modules debugging |
| # Can be defined also by the (top scope) variables $fail2ban_debug and $debug |
| # |
| # [*audit_only*] |
| # Set to 'true' if you don't intend to override existing configuration files |
| # and want to audit the difference between existing files and the ones |
| # managed by Puppet. |
| # Can be defined also by the (top scope) variables $fail2ban_audit_only |
| # and $audit_only |
| # |
| # [*noops*] |
| # Set noop metaparameter to true for all the resources managed by the module. |
| # Basically you can run a dryrun for this specific module if you set |
| # this to true. Default: undef |
| # |
| # Default class params - As defined in fail2ban::params. |
| # Note that these variables are mostly defined and used in the module itself, |
| # overriding the default values might not affected all the involved components. |
| # Set and override them only if you know what you're doing. |
| # Note also that you can't override/set them via top scope variables. |
| # |
| # [*package*] |
| # The name of fail2ban package |
| # |
| # [*service*] |
| # The name of fail2ban service |
| # |
| # [*service_status*] |
| # If the fail2ban service init script supports status argument |
| # |
| # [*process*] |
| # The name of fail2ban process |
| # |
| # [*process_args*] |
| # The name of fail2ban arguments. Used by puppi and monitor. |
| # Used only in case the fail2ban process name is generic (java, ruby...) |
| # |
| # [*process_user*] |
| # The name of the user fail2ban runs with. Used by puppi and monitor. |
| # |
| # [*config_dir*] |
| # Main configuration directory. Used by puppi |
| # |
| # [*config_file*] |
| # Main configuration file path |
| # |
| # [*config_file_mode*] |
| # Main configuration file path mode |
| # |
| # [*config_file_owner*] |
| # Main configuration file path owner |
| # |
| # [*config_file_group*] |
| # Main configuration file path group |
| # |
| # [*config_file_init*] |
| # Path of configuration file sourced by init script |
| # |
| # [*pid_file*] |
| # Path of pid file. Used by monitor |
| # |
| # [*data_dir*] |
| # Path of application data directory. Used by puppi |
| # |
| # [*log_dir*] |
| # Base logs directory. Used by puppi |
| # |
| # [*log_level*] |
| # Set the log level output. |
| # 1 = ERROR |
| # 2 = WARN |
| # 3 = INFO |
| # 4 = DEBUG |
| # Default: 3 |
| # |
| # [*log_file*] |
| # Log file(s). Used by puppi also. |
| # |
| # [*socket*] |
| # Socket file used by fail2ban-client to communicate with fail2ban. |
| # Default: /var/run/fail2ban/fail2ban.sock |
| # |
| # == Examples |
| # |
| # You can use this class in 2 ways: |
| # - Set variables (at top scope level on in a ENC) and "include fail2ban" |
| # - Call fail2ban as a parametrized class |
| # |
| # See README for details. |
| # |
| # == Author |
| # Alessandro Franceschi <al@lab42.it/> |
| # Javier Bertoli <javier@netmanagers.com.ar/> |
| # |
| class fail2ban ( |
| $source = params_lookup( 'source' ), |
| $source_dir = params_lookup( 'source_dir' ), |
| $source_dir_purge = params_lookup( 'source_dir_purge' ), |
| $source_dir_owner = params_lookup( 'source_dir_owner' ), |
| $source_dir_group = params_lookup( 'source_dir_group' ), |
| $template = params_lookup( 'template' ), |
| $service_autorestart = params_lookup( 'service_autorestart' , 'global' ), |
| $options = params_lookup( 'options' ), |
| $version = params_lookup( 'version' ), |
| $absent = params_lookup( 'absent' ), |
| $disable = params_lookup( 'disable' ), |
| $disableboot = params_lookup( 'disableboot' ), |
| $monitor = params_lookup( 'monitor' , 'global' ), |
| $monitor_tool = params_lookup( 'monitor_tool' , 'global' ), |
| $monitor_target = params_lookup( 'monitor_target' , 'global' ), |
| $puppi = params_lookup( 'puppi' , 'global' ), |
| $puppi_helper = params_lookup( 'puppi_helper' , 'global' ), |
| $firewall = params_lookup( 'firewall' , 'global' ), |
| $firewall_tool = params_lookup( 'firewall_tool' , 'global' ), |
| $firewall_src = params_lookup( 'firewall_src' , 'global' ), |
| $firewall_dst = params_lookup( 'firewall_dst' , 'global' ), |
| $debug = params_lookup( 'debug' , 'global' ), |
| $audit_only = params_lookup( 'audit_only' , 'global' ), |
| $noops = params_lookup( 'noops' ), |
| $package = params_lookup( 'package' ), |
| $service = params_lookup( 'service' ), |
| $service_status = params_lookup( 'service_status' ), |
| $process = params_lookup( 'process' ), |
| $process_args = params_lookup( 'process_args' ), |
| $process_user = params_lookup( 'process_user' ), |
| $config_dir = params_lookup( 'config_dir' ), |
| $config_file = params_lookup( 'config_file' ), |
| $config_file_mode = params_lookup( 'config_file_mode' ), |
| $config_file_owner = params_lookup( 'config_file_owner' ), |
| $config_file_group = params_lookup( 'config_file_group' ), |
| $config_file_init = params_lookup( 'config_file_init' ), |
| $pid_file = params_lookup( 'pid_file' ), |
| $data_dir = params_lookup( 'data_dir' ), |
| $log_dir = params_lookup( 'log_dir' ), |
| $log_file = params_lookup( 'log_file' ), |
| $log_level = params_lookup( 'log_level' ), |
| $socket = params_lookup( 'socket' ), |
| $ignoreip = params_lookup( 'ignoreip' ), |
| $bantime = params_lookup( 'bantime' ), |
| $findtime = params_lookup( 'findtime' ), |
| $maxretry = params_lookup( 'maxretry' ), |
| $backend = params_lookup( 'backend' ), |
| $mailto = params_lookup( 'mailto' ), |
| $banaction = params_lookup( 'banaction' ), |
| $mta = params_lookup( 'mta' ), |
| $jails_config = params_lookup( 'jails_config' ), |
| $jails_protocol = params_lookup( 'jails_protocol' ), |
| $jails_chain = params_lookup( 'jails_chain' ), |
| $jails_file = params_lookup( 'jails_file' ), |
| $jails_file_mode = params_lookup( 'jails_file_mode' ), |
| $jails_file_owner = params_lookup( 'jails_file_owner' ), |
| $jails_file_group = params_lookup( 'jails_file_group' ), |
| $jails = params_lookup( 'jails' ), |
| $jails_source = params_lookup( 'jails_source' ), |
| $jails_template = params_lookup( 'jails_template' ), |
| $jails_template_header = params_lookup( 'jails_template_header' ), |
| $jails_template_footer = params_lookup( 'jails_template_footer' ) |
| ) inherits fail2ban::params { |
| |
| $bool_source_dir_purge=any2bool($source_dir_purge) |
| $bool_service_autorestart=any2bool($service_autorestart) |
| $bool_absent=any2bool($absent) |
| $bool_disable=any2bool($disable) |
| $bool_disableboot=any2bool($disableboot) |
| $bool_monitor=any2bool($monitor) |
| $bool_puppi=any2bool($puppi) |
| $bool_debug=any2bool($debug) |
| $bool_audit_only=any2bool($audit_only) |
| |
| ### Definition of some variables used in the module |
| $manage_package = $fail2ban::bool_absent ? { |
| true => 'absent', |
| false => $fail2ban::version, |
| } |
| |
| $manage_service_enable = $fail2ban::bool_disableboot ? { |
| true => false, |
| default => $fail2ban::bool_disable ? { |
| true => false, |
| default => $fail2ban::bool_absent ? { |
| true => false, |
| false => true, |
| }, |
| }, |
| } |
| |
| $manage_service_ensure = $fail2ban::bool_disable ? { |
| true => 'stopped', |
| default => $fail2ban::bool_absent ? { |
| true => 'stopped', |
| default => 'running', |
| }, |
| } |
| |
| $manage_service_autorestart = $fail2ban::bool_service_autorestart ? { |
| true => Service[fail2ban], |
| false => undef, |
| } |
| |
| $manage_file = $fail2ban::bool_absent ? { |
| true => 'absent', |
| default => 'present', |
| } |
| |
| if $fail2ban::bool_absent == true |
| or $fail2ban::bool_disable == true |
| or $fail2ban::bool_disableboot == true { |
| $manage_monitor = false |
| } else { |
| $manage_monitor = true |
| } |
| |
| $manage_audit = $fail2ban::bool_audit_only ? { |
| true => 'all', |
| false => undef, |
| } |
| |
| $manage_file_replace = $fail2ban::bool_audit_only ? { |
| true => false, |
| false => true, |
| } |
| |
| $manage_file_source = $fail2ban::source ? { |
| '' => undef, |
| default => $fail2ban::source, |
| } |
| |
| $manage_file_content = $fail2ban::template ? { |
| '' => undef, |
| default => template($fail2ban::template), |
| } |
| |
| ### Managed resources |
| package { $fail2ban::package: |
| ensure => $fail2ban::manage_package, |
| noop => $fail2ban::noops, |
| } |
| |
| service { 'fail2ban': |
| ensure => $fail2ban::manage_service_ensure, |
| name => $fail2ban::service, |
| enable => $fail2ban::manage_service_enable, |
| hasstatus => $fail2ban::service_status, |
| pattern => $fail2ban::process, |
| require => Package[$fail2ban::package], |
| noop => $fail2ban::noops, |
| } |
| |
| if $fail2ban::manage_file_source |
| or $fail2ban::manage_file_content |
| or $manage_file == 'absent' |
| or $fail2ban::noops { |
| file { 'fail2ban.local': |
| ensure => $fail2ban::manage_file, |
| path => $fail2ban::config_file, |
| mode => $fail2ban::config_file_mode, |
| owner => $fail2ban::config_file_owner, |
| group => $fail2ban::config_file_group, |
| require => Package[$fail2ban::package], |
| notify => $fail2ban::manage_service_autorestart, |
| source => $fail2ban::manage_file_source, |
| content => $fail2ban::manage_file_content, |
| replace => $fail2ban::manage_file_replace, |
| audit => $fail2ban::manage_audit, |
| noop => $fail2ban::noops, |
| } |
| } |
| |
| # How to manage fail2ban jail.local configuration |
| if $fail2ban::jails_config == 'file' { |
| $array_jails = is_array($fail2ban::jails) ? { |
| false => $fail2ban::jails ? { |
| '' => [], |
| default => [$fail2ban::jails], |
| }, |
| default => $fail2ban::jails, |
| } |
| |
| $manage_file_jails_source = $fail2ban::jails_source ? { |
| '' => undef, |
| default => $fail2ban::jails_source, |
| } |
| |
| $manage_file_jails_content = $fail2ban::jails_template ? { |
| '' => undef, |
| default => template($fail2ban::jails_template), |
| } |
| |
| if $fail2ban::manage_file_jails_source |
| or $fail2ban::manage_file_jails_content |
| or $manage_file == 'absent' |
| or $fail2ban::noops { |
| file { 'jail.local': |
| ensure => $fail2ban::manage_file, |
| path => $fail2ban::jails_file, |
| mode => $fail2ban::jails_file_mode, |
| owner => $fail2ban::jails_file_owner, |
| group => $fail2ban::jails_file_group, |
| require => Package[$fail2ban::package], |
| notify => $fail2ban::manage_service_autorestart, |
| source => $fail2ban::manage_file_jails_source, |
| content => $fail2ban::manage_file_jails_content, |
| replace => $fail2ban::manage_file_replace, |
| audit => $fail2ban::manage_audit, |
| noop => $fail2ban::noops, |
| } |
| } |
| } |
| |
| # The whole fail2ban.configuration directory can be recursively overriden |
| if $fail2ban::source_dir { |
| file { 'fail2ban.dir': |
| ensure => directory, |
| path => $fail2ban::config_dir, |
| require => Package[$fail2ban::package], |
| notify => $fail2ban::manage_service_autorestart, |
| source => $fail2ban::source_dir, |
| recurse => true, |
| purge => $fail2ban::bool_source_dir_purge, |
| owner => $fail2ban::source_dir_owner, |
| group => $fail2ban::source_dir_group, |
| force => $fail2ban::bool_source_dir_purge, |
| replace => $fail2ban::manage_file_replace, |
| audit => $fail2ban::manage_audit, |
| noop => $fail2ban::noops, |
| } |
| } |
| |
| |
| ### Provide puppi data, if enabled ( puppi => true ) |
| if $fail2ban::bool_puppi == true { |
| $classvars=get_class_args() |
| puppi::ze { 'fail2ban': |
| ensure => $fail2ban::manage_file, |
| variables => $classvars, |
| helper => $fail2ban::puppi_helper, |
| noop => $fail2ban::noops, |
| } |
| } |
| |
| |
| ### Service monitoring, if enabled ( monitor => true ) |
| if $fail2ban::bool_monitor == true { |
| if $fail2ban::port != '' { |
| monitor::port { "fail2ban_${fail2ban::protocol}_${fail2ban::port}": |
| protocol => $fail2ban::protocol, |
| port => $fail2ban::port, |
| target => $fail2ban::monitor_target, |
| tool => $fail2ban::monitor_tool, |
| enable => $fail2ban::manage_monitor, |
| noop => $fail2ban::noops, |
| } |
| } |
| if $fail2ban::service != '' { |
| monitor::process { 'fail2ban_process': |
| process => $fail2ban::process, |
| service => $fail2ban::service, |
| pidfile => $fail2ban::pid_file, |
| user => $fail2ban::process_user, |
| argument => $fail2ban::process_args, |
| tool => $fail2ban::monitor_tool, |
| enable => $fail2ban::manage_monitor, |
| noop => $fail2ban::noops, |
| } |
| } |
| } |
| |
| |
| ### Debugging, if enabled ( debug => true ) |
| if $fail2ban::bool_debug == true { |
| file { 'debug_fail2ban': |
| ensure => $fail2ban::manage_file, |
| path => "${settings::vardir}/debug-fail2ban", |
| mode => '0640', |
| owner => 'root', |
| group => 'root', |
| content => inline_template('<%= scope.to_hash.reject { |k,v| k.to_s =~ /(uptime.*|path|timestamp|free|.*password.*|.*psk.*|.*key)/ }.to_yaml %>'), |
| noop => $fail2ban::noops, |
| } |
| } |
| |
| } |