Heute moechte ich mein fail2ban Modul vorstellen. Neu dabei ist, dass der Service neu gestartet wird, wenn sich eine Datei aendert. Das ist wichtig, damit die Einstellungen auch uebernommen werden.
Die Verzeichnisstruktur sieht wie folgt aus:
├── files
│ └── etc
│ └── fail2ban
│ └── action.d
│ └── sendmail-whois-lines.conf
├── manifests
│ └── init.pp
└── templates
└── jail.local.erb |
├── files
│ └── etc
│ └── fail2ban
│ └── action.d
│ └── sendmail-whois-lines.conf
├── manifests
│ └── init.pp
└── templates
└── jail.local.erb
In der init.pp ist wird in dem file Abschnitt ein „notify“ in Richtung des Services aufgerufen. Das fuehrt dazu, dass wenn die Datei auf dem Node geaendert wird, auch der Service benachrichtigt wird damit dieser neu startet. Siehe dazu auch „Restart service when file changes“ aus dem Puppet CookBook. Folgendermassen sieht die init.pp aus:
# class to configure fail2ban
class fail2ban (
$jails = [],
$sshport = 'ssh',
$apacheport = 'http,https',
$proftpdport = 'ftp,ftp-data,ftps,ftps-data',
$postfixport = 'smtp,ssmtp',
$dovecotport = 'smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s',
) {
package { 'fail2ban':
ensure => installed
}
service { 'fail2ban':
ensure => running,
enable => true,
}
file { '/etc/fail2ban/jail.local':
ensure => 'present',
content => template('fail2ban/jail.local.erb'),
owner => 'root',
group => 'root',
mode => '0644',
notify => Service['fail2ban'],
}
file { '/etc/fail2ban/action.d/sendmail-whois-lines.conf':
ensure => 'present',
source => 'puppet:///modules/fail2ban/etc/fail2ban/action.d/sendmail-whois-lines.conf',
owner => 'root',
group => 'root',
mode => '0644',
notify => Service['fail2ban'],
}
} |
# class to configure fail2ban
class fail2ban (
$jails = [],
$sshport = 'ssh',
$apacheport = 'http,https',
$proftpdport = 'ftp,ftp-data,ftps,ftps-data',
$postfixport = 'smtp,ssmtp',
$dovecotport = 'smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s',
) {
package { 'fail2ban':
ensure => installed
}
service { 'fail2ban':
ensure => running,
enable => true,
}
file { '/etc/fail2ban/jail.local':
ensure => 'present',
content => template('fail2ban/jail.local.erb'),
owner => 'root',
group => 'root',
mode => '0644',
notify => Service['fail2ban'],
}
file { '/etc/fail2ban/action.d/sendmail-whois-lines.conf':
ensure => 'present',
source => 'puppet:///modules/fail2ban/etc/fail2ban/action.d/sendmail-whois-lines.conf',
owner => 'root',
group => 'root',
mode => '0644',
notify => Service['fail2ban'],
}
}
Mein Template jail.local.erb ist wie folgt:
#############################################################################
# #
# !!! This file is managed by puppet, all manual changes will be lost !!! #
# #
#############################################################################
#
# Local Fail2Ban configuration file.
#
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 600
maxretry = 3
backend = auto
destemail = fail2ban@localhost
#
# ACTIONS
#
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action = %(action_mwl)s
#
# JAILS
#
[ssh]
enabled = <%= scope.lookupvar('fail2ban::jails').include? "ssh" %>
port = <%= sshport %>
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
[ssh-ddos]
enabled = <%= scope.lookupvar('fail2ban::jails').include? "ssh-ddos" %>
port = <%= sshport %>
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6
[apache]
enabled = <%= scope.lookupvar('fail2ban::jails').include? "apache" %>
port = <%= apacheport %>
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[proftpd]
enabled = <%= scope.lookupvar('fail2ban::jails').include? "proftpd" %>
port = <%= proftpdport %>
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
[postfix]
enabled = <%= scope.lookupvar('fail2ban::jails').include? "postfix" %>
port = <%= postfixport %>
filter = postfix
logpath = /var/log/mail.log
[dovecot]
enabled = <%= scope.lookupvar('fail2ban::jails').include? "dovecot" %>
port = <%= dovecotport %>
filter = dovecot
logpath = /var/log/mail.log |
#############################################################################
# #
# !!! This file is managed by puppet, all manual changes will be lost !!! #
# #
#############################################################################
#
# Local Fail2Ban configuration file.
#
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 600
maxretry = 3
backend = auto
destemail = fail2ban@localhost
#
# ACTIONS
#
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
%(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
action = %(action_mwl)s
#
# JAILS
#
[ssh]
enabled = <%= scope.lookupvar('fail2ban::jails').include? "ssh" %>
port = <%= sshport %>
filter = sshd
logpath = /var/log/auth.log
maxretry = 6
[ssh-ddos]
enabled = <%= scope.lookupvar('fail2ban::jails').include? "ssh-ddos" %>
port = <%= sshport %>
filter = sshd-ddos
logpath = /var/log/auth.log
maxretry = 6
[apache]
enabled = <%= scope.lookupvar('fail2ban::jails').include? "apache" %>
port = <%= apacheport %>
filter = apache-auth
logpath = /var/log/apache*/*error.log
maxretry = 6
[proftpd]
enabled = <%= scope.lookupvar('fail2ban::jails').include? "proftpd" %>
port = <%= proftpdport %>
filter = proftpd
logpath = /var/log/proftpd/proftpd.log
maxretry = 6
[postfix]
enabled = <%= scope.lookupvar('fail2ban::jails').include? "postfix" %>
port = <%= postfixport %>
filter = postfix
logpath = /var/log/mail.log
[dovecot]
enabled = <%= scope.lookupvar('fail2ban::jails').include? "dovecot" %>
port = <%= dovecotport %>
filter = dovecot
logpath = /var/log/mail.log
Auch im Template gab es den scope.lookupvar Aufruf bisher nicht. Die Rueckgabe ist true oder false und so kann man nur die Dienste aktivieren, die auch manuell definiert wurden. Weitere Informationen gibt es in der Puppetlabs Doku unter Out-of-Scope Variables.
Definiert wird das ganze dann in der sites.pp wie folgt:
node 'node1.example.org' inherits default {
class { 'fail2ban':
jails => [ 'ssh', 'ssh-ddos', 'apache' ],
sshport => '2222',
}
} |
node 'node1.example.org' inherits default {
class { 'fail2ban':
jails => [ 'ssh', 'ssh-ddos', 'apache' ],
sshport => '2222',
}
}
Zu der sendmail-whois-lines.conf gibts noch nen separaten Blogeintrag