New release

* Default behaviour is now to install the package as the distro configures it. If you want to change the
  configuration, you need to explicitly modify "jails_config" (see README for details)
* Add support to modify fail2ban.conf (issue #1)
* Add specs and tests
* Some cleanup
Javier Bértoli
2013-04-30 06:45:57 -03:00
parent 71e189ec6d
commit 0e96b8fa6f
5 changed files with 87 additions and 91 deletions


@@ -1,5 +1,5 @@
name 'netmanagers-fail2ban'
version '1.0.1'
version '1.0.2'
author 'Javier Bertoli'
license 'Apache2'
project_page 'http://www.netmanagers.com.ar'
@@ -8,5 +8,4 @@ summary 'Puppet module for fail2ban'
description 'This module installs and manages fail2ban. Check README for details.'
dependency 'ripienaar/concat', '>=0.2.0'
dependency 'example42/puppi', '>= 2.0.0'
# dependency 'example42/monitor', '>= 2.0.0'
# dependency 'example42/firewall', '>= 2.0.0'
dependency 'example42/monitor', '>= 2.0.0'


@@ -24,7 +24,28 @@ For detailed info about the logic and usage patterns of Example42 modules check
class { 'fail2ban': }
* You can configure and set a jail using fail2ban::jail
* Configure jails using your own jail.local file
class { 'fail2ban':
jails_config => 'file',
jails_source => 'puppet:///path/to/your/jail.local'.
}
* Configure jails using a template file. An example is provided. In this case, you can enable or
disable jails using an array named "jails"
class { 'fail2ban':
jails_config => 'file',
jails_template => 'fail2ban/jail.local.erb',
jails => ['ssh', 'imap'],
}
* You can configure and set a jail using fail2ban::jail. In this case, stanzas for jail.local are
created using R.I.Pienaar's concat module. This method permits you better handling of your jails.
class { 'fail2ban':
jails_config => 'concat',
}
fail2ban::jail { 'sshd':
port => '22',


@@ -83,7 +83,7 @@
#
# [*jails_config*]
# Define how you want to manage jails configuration:
# "file" - To provide jail.local as a normal file. If you choose this option,
# "file" - To provide jail.local as a normal file. If you choose this option,
# set ONE of [*jails_source*] or [*jails_template*]
# "concat" - To build it up using different fragments
# - This option, (preferred), permits the use of the fail2ban::jail define
@@ -438,43 +438,39 @@ class fail2ban (
}
# How to manage fail2ban jail.local configuration
case $fail2ban::jails_config {
'concat': { include fail2ban::jailsconcat }
'file': {
$array_jails = is_array($fail2ban::jails) ? {
false => $fail2ban::jails ? {
'' => [],
default => [$fail2ban::jails],
},
default => $fail2ban::jails,
}
$manage_file_jails_source = $fail2ban::jails_source ? {
'' => undef,
default => $fail2ban::jails_source,
}
$manage_file_jails_content = $fail2ban::jails_template ? {
'' => undef,
default => template($fail2ban::jails_template),
}
file { 'jail.local':
ensure => $fail2ban::manage_file,
path => $fail2ban::jails_file,
mode => $fail2ban::jails_file_mode,
owner => $fail2ban::jails_file_owner,
group => $fail2ban::jails_file_group,
require => Package[$fail2ban::package],
notify => $fail2ban::manage_service_autorestart,
source => $fail2ban::manage_file_jails_source,
content => $fail2ban::manage_file_jails_content,
replace => $fail2ban::manage_file_replace,
audit => $fail2ban::manage_audit,
noop => $fail2ban::bool_noops,
}
if $fail2ban::jails_config == 'file' {
$array_jails = is_array($fail2ban::jails) ? {
false => $fail2ban::jails ? {
'' => [],
default => [$fail2ban::jails],
},
default => $fail2ban::jails,
}
$manage_file_jails_source = $fail2ban::jails_source ? {
'' => undef,
default => $fail2ban::jails_source,
}
$manage_file_jails_content = $fail2ban::jails_template ? {
'' => undef,
default => template($fail2ban::jails_template),
}
file { 'jail.local':
ensure => $fail2ban::manage_file,
path => $fail2ban::jails_file,
mode => $fail2ban::jails_file_mode,
owner => $fail2ban::jails_file_owner,
group => $fail2ban::jails_file_group,
require => Package[$fail2ban::package],
notify => $fail2ban::manage_service_autorestart,
source => $fail2ban::manage_file_jails_source,
content => $fail2ban::manage_file_jails_content,
replace => $fail2ban::manage_file_replace,
audit => $fail2ban::manage_audit,
noop => $fail2ban::bool_noops,
}
default: { }
}
# The whole fail2ban configuration directory can be recursively overriden
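Review bot: The new `if $fail2ban::jails_config == 'file'` block acts on exactly one value, so a misspelled or unsupported `jails_config` now leaves jail.local unmanaged without any error, and the host silently keeps whatever jails the package shipped. Since this module configures a security control, I would reject unknown values up front, e.g. `if ! ($fail2ban::jails_config in ['', 'file', 'concat']) { fail("fail2ban: unsupported jails_config '${fail2ban::jails_config}'") }`, adjusting the list to the class's real default, which is not visible in this hunk. Inside the 'file' branch, when both `jails_source` and `jails_template` are empty the `file` resource receives neither `source` nor `content`; a `fail()` for that case would enforce the "set ONE of" rule from the parameter docs. The class body starts and ends outside the hunk.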


@@ -2,16 +2,16 @@
#
# Adds a custom fail2ban jail
# Supported arguments:
# $jailname - The name you want to give the jail.
# $jailname - The name you want to give the jail.
# If not set, defaults to == $title
# $order - The order in the jail.local file.
# $order - The order in the jail.local file.
# Default 50. Generally you don't need to change it
# $status - enabled / disabled. If disabled, the rule _IS ADDED_ to the jail.local file
# but it will not be active. Compare with the next one.
# Defaults to enabled
# $enable - true / false. If false, the rule _IS NOT ADDED_ to the jail.local file
# Defaults to true
# $filter - The filter rule to use.
# $filter - The filter rule to use.
# If empty, defaults to == $jailname.
# $port - The port to filter. It can be an array of ports.
# $logpath - The log file to monitor
@@ -32,8 +32,8 @@ define fail2ban::jail (
$bantime = '',
$enable = true ) {
include fail2ban
include concat::setup
include fail2ban
$real_jailname = $jailname ? {
'' => $title,
@@ -90,6 +90,32 @@ define fail2ban::jail (
$ensure = bool2ensure($enable)
if ! defined(Concat[$fail2ban::jails_file]) {
concat { $fail2ban::jails_file:
mode => $fail2ban::jails_file_mode,
warn => true,
owner => $fail2ban::jails_file_owner,
group => $fail2ban::jails_file_group,
notify => Service['fail2ban'],
}
concat::fragment{ 'fail2ban_jails_header':
target => $fail2ban::jails_file,
content => template($fail2ban::jails_template_header),
order => 01,
notify => Service['fail2ban'],
}
# The jail.local footer
concat::fragment{ 'fail2ban_jails_footer':
target => $fail2ban::jails_file,
content => template($fail2ban::jails_template_footer),
order => 99,
notify => Service['fail2ban'],
}
}
concat::fragment{ "fail2ban_jail_$name":
ensure => $ensure,
target => $fail2ban::jails_file,
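Review bot: The added `concat { $fail2ban::jails_file: }` block runs for every `fail2ban::jail` regardless of `$fail2ban::jails_config`, so declaring a jail while the class is in 'file' mode would put `File['jail.local']` and the concat resource on the same path; depending on the concat module this is likely a catalog failure or two resources competing for the file. A guard at the top of the define, such as `if $fail2ban::jails_config != 'concat' { fail("fail2ban::jail requires jails_config => 'concat'") }`, would make the requirement explicit. Note also that `defined(Concat[...])` depends on evaluation order, and that with `jails_config => 'concat'` and no jail declared nothing appears to manage jail.local now that `fail2ban::jailsconcat` is removed; a comment above the `if ! defined(...)` block saying so would help the next maintainer. The define's body and the final `concat::fragment` continue outside the hunk.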


@@ -1,46 +0,0 @@
#
# Class fail2ban::concat
#
# This class builds the fail2ban jails.local file using RIPienaar's concat module
# We build it using several fragments.
# Being the sequence of lines important we define these boundaries:
# 01 - General header
# Note that the fail2ban::jail define
# inserts (by default) its rules with priority 50.
#
class fail2ban::jailsconcat {
include fail2ban
include concat::setup
concat { $fail2ban::jails_file:
mode => $fail2ban::jails_file_mode,
owner => $fail2ban::jails_file_owner,
group => $fail2ban::jails_file_group,
notify => Service['fail2ban'],
}
# The File Header. With Puppet comment
concat::fragment{ 'fail2ban_header':
target => $fail2ban::jails_file,
content => "# File Managed by Puppet\n",
order => 01,
notify => Service['fail2ban'],
}
# The DEFAULT header with the default policies
concat::fragment{ 'fail2ban_jails_header':
target => $fail2ban::jails_file,
content => template($fail2ban::jails_template_header),
order => 05,
notify => Service['fail2ban'],
}
# The jail.local footer
concat::fragment{ 'fail2ban_jails_footer':
target => $fail2ban::jails_file,
content => template($fail2ban::jails_template_footer),
order => 99,
notify => Service['fail2ban'],
}
}