diff modules/fail2ban/manifests/init.pp @ 337:a79ad974a548

Implement fail2ban for Apache as mod_rewrite We can't use pure iptables because IPv4 requests come through our proxy. BUT we're using PROXY, so Apache sees the true IP.
author IBBoard <dev@ibboard.co.uk>
date Sat, 16 May 2020 14:05:09 +0100
parents b0928653dfc2
children 3a1b19f6a054
--- a/modules/fail2ban/manifests/init.pp	Wed Apr 22 22:28:52 2020 +0100
+++ b/modules/fail2ban/manifests/init.pp	Sat May 16 14:05:09 2020 +0100
@@ -28,11 +28,31 @@
 	} else {
 		$firewall_ban_cmd = $firewall_cmd
 	}
-
+	# Create an empty banlist file if it doesn't exist
+	exec { 'httxt2dbm -i /dev/null -o /etc/httpd/conf.custom/apache_banlist.db':
+		path => '/usr/bin',
+		unless => 'test -f /etc/httpd/conf.custom/apache_banlist.db',
+		before => Service['httpd'],
+	}
+	file { '/tmp/apache_banlist.txt':
+		ensure => present,
+		seltype => 'httpd_config_t',
+	}
+	# And let the httxt2dbm process work the rest of the time
+	file { '/etc/selinux/apache-ip-banlist.pp':
+		source => 'puppet:///modules/fail2ban/apache-ip-banlist.pp',
+	} ~>
+	exec { 'semodule -i /etc/selinux/apache-ip-banlist.pp':
+		path => '/usr/sbin',
+		refreshonly => true,
+	}
 	file { '/etc/fail2ban/action.d/firewall-ban.conf':
 		ensure => link,
 		target => "/etc/fail2ban/action.d/${firewall_ban_cmd}.conf",
 	}
+	file { '/etc/fail2ban/action.d/ibb-apache-ip-block.conf':
+		source => 'puppet:///modules/fail2ban/ibb-apache-ip-block.conf',
+	}
 	file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf':
 		source => 'puppet:///modules/fail2ban/ibb-apache-exploits-instaban.conf',
 	}
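Review bot: The banlist source file `/tmp/apache_banlist.txt` (hunk lines 23-26) is declared in a world-writable shared directory with no `owner`, `group` or `mode`, and `ensure => present` accepts whatever already exists at that path, including a symlink or file pre-created by any local user; whoever later appends to the list (presumably the action in ibb-apache-ip-block.conf, not visible here) would then be writing through that. At minimum pin the resource: `ensure => file, owner => 'root', group => 'root', mode => '0644',` so a planted symlink is replaced and the file is not writable by others. Consider also keeping the text list next to the `.db` under `/etc/httpd/conf.custom/` rather than `/tmp`, since `/tmp` is subject to periodic tmpfiles cleanup and, if httpd runs with PrivateTmp, is not the same `/tmp` the service sees; that would need the path in the action config updated to match. The two execs use a single-directory `path`, so `test` in the `unless` command relies on it resolving under `/usr/bin`, which holds on merged-/usr systems but is worth stating in a comment.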