Merge pull request #16 from lazyfrosch/master

Added protocol as parameter to fail2ban jails
Javier Bértoli
2014-09-15 06:36:04 -03:00
6 changed files with 23 additions and 10 deletions


@@ -4,7 +4,7 @@ rvm:
- 1.8.7 - 1.8.7
- 1.9.3 - 1.9.3
- 2.0.0 - 2.0.0
script: "bundle exec rake spec SPEC_OPTS='--format documentation'" script: "bundle exec rake spec SPEC_OPTS='--format documentation' && bundle exec rake test"
branches: branches:
only: only:
master master


@@ -17,6 +17,7 @@ end
PuppetLint.configuration.send("disable_80chars") PuppetLint.configuration.send("disable_80chars")
PuppetLint.configuration.log_format = "%{path}:%{linenumber}:%{check}:%{KIND}:%{message}" PuppetLint.configuration.log_format = "%{path}:%{linenumber}:%{check}:%{KIND}:%{message}"
PuppetLint.configuration.fail_on_warnings = true PuppetLint.configuration.fail_on_warnings = true
PuppetLint.configuration.relative = true
# Forsake support for Puppet 2.6.2 for the benefit of cleaner code. # Forsake support for Puppet 2.6.2 for the benefit of cleaner code.
# http://puppet-lint.com/checks/class_parameter_defaults/ # http://puppet-lint.com/checks/class_parameter_defaults/


@@ -17,6 +17,7 @@
# If empty, defaults to == $jailname. # If empty, defaults to == $jailname.
# $ignoreip - Don't ban a host which matches an address in this list. # $ignoreip - Don't ban a host which matches an address in this list.
# $port - The port to filter. It can be an array of ports. # $port - The port to filter. It can be an array of ports.
# $protocol - The protocol for this jail's action.
# $logpath - The log file to monitor # $logpath - The log file to monitor
# $maxretry - How many fails are acceptable # $maxretry - How many fails are acceptable
# $action - The action to take when fail2ban finds $maxretry $filter-matching # $action - The action to take when fail2ban finds $maxretry $filter-matching
@@ -32,6 +33,7 @@ define fail2ban::jail (
$filter = '', $filter = '',
$ignoreip = '', $ignoreip = '',
$port = '', $port = '',
$protocol = '',
$action = '', $action = '',
$logpath = '', $logpath = '',
$maxretry = '', $maxretry = '',
@@ -80,6 +82,11 @@ define fail2ban::jail (
default => $port, default => $port,
} }
$real_protocol = $protocol ? {
'' => undef,
default => $protocol,
}
$array_action = is_array($action) ? { $array_action = is_array($action) ? {
false => $action ? { false => $action ? {
'' => [], '' => [],
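Review bot: `$protocol` is accepted by `fail2ban::jail` without validation, and the `$real_protocol` selector passes any non-empty string straight to the jail template, which writes it verbatim as `protocol = <%= @real_protocol %>`. Because that line ends up in fail2ban's configuration and drives the firewall action, a typo or a value containing a newline could yield a jail that silently bans nothing or carries unintended extra settings. I would add a check beside the selector, e.g. `validate_re($protocol, '^(tcp|udp|icmp|all)?$')` (stdlib is already in use via `is_array`; adjust the list to what your actions accept). The parameter comment could also say what an empty value means, e.g. `# $protocol - The protocol for this jail's action (e.g. tcp, udp). If empty, no protocol line is written.` The define's body starts and ends outside these hunks.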


@@ -37,6 +37,7 @@ filter = fail2ban::jail
{ {
:name => 'sample1', :name => 'sample1',
:port => ['42', '43'], :port => ['42', '43'],
:protocol => 'udp',
:logpath => '/path/to/somelog', :logpath => '/path/to/somelog',
:enable => true, :enable => true,
:ignoreip => [ '10.3.2.0/24', '192.168.56.0/24' ], :ignoreip => [ '10.3.2.0/24', '192.168.56.0/24' ],
@@ -56,6 +57,7 @@ enabled = true
filter = fail2ban::jail filter = fail2ban::jail
ignoreip = 10.3.2.0/24 192.168.56.0/24 ignoreip = 10.3.2.0/24 192.168.56.0/24
port = 42,43 port = 42,43
protocol = udp
action = iptables[name=SSH, port=ssh, protocol=tcp] action = iptables[name=SSH, port=ssh, protocol=tcp]
mail-whois[name=SSH, dest=yourmail@mail.com] mail-whois[name=SSH, dest=yourmail@mail.com]
logpath = /path/to/somelog logpath = /path/to/somelog
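Review bot: The fixture sets `:protocol => 'udp'`, yet the expected output still carries the action `iptables[name=SSH, port=ssh, protocol=tcp]`, so the sample jail declares udp while its ban action is pinned to tcp. As far as I understand fail2ban, an explicit `protocol=` inside the action takes precedence over the jail-level setting, so this example would likely still block TCP only, which is misleading for anyone copying it as a template. Consider using `iptables[name=SSH, port=ssh, protocol=%(protocol)s]` in both the parameters and the expected content, or dropping the explicit `protocol=` from the action. A second example that omits `:protocol` and asserts that no `protocol =` line is rendered would cover the default path, if the spec does not already have one outside these hunks.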


@@ -10,6 +10,9 @@ ignoreip = <%= @array_ignoreip * ' ' %>
<% if @array_port != [] -%> <% if @array_port != [] -%>
port = <%= @array_port * ',' %> port = <%= @array_port * ',' %>
<% end -%> <% end -%>
<% if @real_protocol -%>
protocol = <%= @real_protocol %>
<% end -%>
<% if @array_action != [] -%> <% if @array_action != [] -%>
action = <%= @array_action.join("\n\t") %> action = <%= @array_action.join("\n\t") %>
<% end -%> <% end -%>