# HG changeset patch
# User IBBoard
# Date 1426363277 0
# Node ID 1bb941522ebf9e72804f712299d33bd1f3c16383
# Parent 5c7fc7b7262cec8f9c741272989ebd79d5e544a0
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
diff -r 5c7fc7b7262c -r 1bb941522ebf common/fail2ban/jail.local
--- a/common/fail2ban/jail.local Sat Mar 14 19:38:50 2015 +0000
+++ b/common/fail2ban/jail.local Sat Mar 14 20:01:17 2015 +0000
@@ -1,10 +1,12 @@
+# Disable ssh-iptables because some versions auto-enable it
+# and we want to use our own version (which may use non-iptables)
 [ssh-iptables]
 enabled = false
 
-[ssh-apf]
+[ssh-firewall-ban]
 enabled = true
 filter = sshd
-action = apf[name=SSH]
+action = firewall-ban[name=SSH]
 logpath = /var/log/secure
 maxretry = 5
 bantime = 604800
@@ -12,7 +14,7 @@
 [apache-badbots]
 enabled = true
 filter = apache-badbots
-action = apf[name=ApacheBadBots]
+action = firewall-ban[name=ApacheBadBots]
 logpath = /var/log/apache/access_*.log
 findtime = 604800
 bantime = 604800
@@ -21,7 +23,7 @@
 enabled = true
 maxretry = 1
 filter = ibb-apache-exploits-instaban
-action = apf[name=ApacheInstaban]
+action = firewall-ban[name=ApacheInstaban]
 logpath = /var/log/apache/access_*.log
 findtime = 604800
 bantime = 604800
@@ -30,7 +32,7 @@
 enabled = true
 maxretry = 5
 filter = apache-auth
-action = apf[name=ApacheAuth]
+action = firewall-ban[name=ApacheAuth]
 logpath = /var/log/apache/error_*.log
 findtime = 86400
 bantime = 604800
@@ -39,7 +41,7 @@
 enabled = true
 maxretry = 2
 filter = ibb-repeat-offender
-action = apf[name=RepeatOffenders]
+action = firewall-ban[name=RepeatOffenders]
 logpath = /var/log/fail2ban.log
 findtime = 2592000
 bantime = 2592000
@@ -48,7 +50,7 @@
 enabled = true
 maxretry = 1
 filter = ibb-postfix-spammers
-action = apf[name=SpamEmail]
+action = firewall-ban[name=SpamEmail]
 logpath = /var/log/maillog
 findtime = 604800
 bantime = 604800
@@ -57,7 +59,7 @@
 enabled = true
 maxretry = 1
 filter = ibb-postfix-malicious
-action = apf[name=MailAbuse]
+action = firewall-ban[name=MailAbuse]
 logpath = /var/log/maillog
 findtime = 604800
 bantime = 604800
@@ -66,7 +68,7 @@
 enabled = true
 maxretry = 10
 filter = ibb-postfix
-action = apf[name=MailRejected]
+action = firewall-ban[name=MailRejected]
 logpath = /var/log/maillog
 findtime = 604800
 bantime = 604800
@@ -75,7 +77,7 @@
 enabled = true
 maxretry = 10
 filter = postfix-sasl
-action = apf[name=SASLFailures]
+action = firewall-ban[name=SASLFailures]
 logpath = /var/log/maillog
 findtime = 604800
 bantime = 604800
@@ -84,7 +86,7 @@
 enabled = true
 maxretry = 1
 filter = ibb-apache-shellshock
-action = apf[name=Shellshock]
+action = firewall-ban[name=Shellshock]
 logpath = /var/log/apache/access_*.log
 findtime = 604800
 bantime = 604800
diff -r 5c7fc7b7262c -r 1bb941522ebf manifests/nodes.pp
--- a/manifests/nodes.pp Sat Mar 14 19:38:50 2015 +0000
+++ b/manifests/nodes.pp Sat Mar 14 20:01:17 2015 +0000
@@ -5,6 +5,7 @@
 secondary_ip => '143.95.92.165',
 mailserver => 'mail.ibboard.co.uk',
 imapserver => 'imap.ibboard.co.uk',
+ firewall_cmd => 'apf',
 }
 }
 
@@ -14,5 +15,6 @@
 secondary_ip => '192.168.56.4',
 mailserver => 'mail.ibboard.co.uk',
 imapserver => 'imap.ibboard.co.uk',
+ firewall_cmd => 'iptables',
 }
 }
diff -r 5c7fc7b7262c -r 1bb941522ebf manifests/templates.pp
--- a/manifests/templates.pp Sat Mar 14 19:38:50 2015 +0000
+++ b/manifests/templates.pp Sat Mar 14 20:01:17 2015 +0000
@@ -29,6 +29,7 @@
 $secondary_ip,
 $mailserver,
 $imapserver,
+ $firewall_cmd = 'iptables',
 ) {
 #VPS is a self-mastered Puppet machine, so bodge a Hosts file
 file { '/etc/hosts':
@@ -48,7 +49,9 @@
 }
 include cronjobs
 include logrotate
- include fail2ban
+ class { 'fail2ban':
+ firewall_cmd => $firewall_cmd,
+ }
 include tools
 class { 'email':
 mailserver => $mailserver,
@@ -179,7 +182,9 @@
 }
 }
 
-class fail2ban {
+class fail2ban (
+ $firewall_cmd,
+ ) {
 package { 'fail2ban':
 ensure => latest,
 }
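Review bot: Replacing `include fail2ban` with a resource-like `class { 'fail2ban': firewall_cmd => $firewall_cmd }` in the `@@ -48` hunk changes the class's declaration rules: an `include fail2ban` evaluated after this line is harmless, but one evaluated before it, or any second resource-like declaration elsewhere in the catalog, makes compilation fail with a duplicate declaration. Whether other manifests still include the class is not visible in this diff. If `basevpsnode` is meant to be the single owner, say so where it is declared: `# fail2ban is parameterised and declared only here; an 'include fail2ban' evaluated before this line will fail the catalog`. The enclosing `basevpsnode` class begins outside the hunk.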
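Review bot: The new `class fail2ban ( $firewall_cmd, )` header neither defaults nor validates `$firewall_cmd`, yet the `@@ -198` hunk interpolates it verbatim into the symlink target `/etc/fail2ban/action.d/${firewall_cmd}.conf`. A typo or unsupported value in `nodes.pp` would leave a dangling `firewall-ban.conf` link, and since every jail in `jail.local` now names the `firewall-ban` action, fail2ban would presumably refuse to start those jails and the host would run with no bans instead of failing at catalog compile time. Constrain the parameter to the two values the repo ships actions for, as the first statement of the class body: `if $firewall_cmd !~ /^(apf|iptables)$/ { fail("fail2ban: unsupported firewall_cmd '${firewall_cmd}'") }`, and document it above the parameter: `# $firewall_cmd: which action.d/*.conf the 'firewall-ban' alias resolves to ('apf' or 'iptables')`. The class body continues beyond the end of the hunk.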
@@ -198,6 +203,10 @@
 file { '/etc/fail2ban/action.d/apf.conf':
 source => 'puppet:///common/fail2ban/apf.conf',
 }
+ file { '/etc/fail2ban/action.d/firewall-ban.conf':
+ ensure => link,
+ target => "/etc/fail2ban/action.d/${firewall_cmd}.conf",
+ }
 file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf':
 source => 'puppet:///common/fail2ban/ibb-apache-exploits-instaban.conf',
 }
@@ -275,12 +284,14 @@
 $secondary_ip,
 $mailserver,
 $imapserver,
+ $firewall_cmd = 'iptables',
 ){
 class { 'basevpsnode':
 primary_ip => $primary_ip,
 secondary_ip => $secondary_ip,
 mailserver => $mailserver,
 imapserver => $imapserver,
+ firewall_cmd => $firewall_cmd,
 }
 # Common modules used by multiple sites (mod_auth_basic is safe because we HTTPS all the things)