# HG changeset patch
# User IBBoard
# Date 1437929192 -3600
# Node ID ce8eaaca6a340b16e89fb96085e856d6673a1968
# Parent 30f56d6f9d33f4920b2c61f62a62facbbdc0098d
Update firewalling so that we block the right ports when using iptables directly

diff -r 30f56d6f9d33 -r ce8eaaca6a34 common/fail2ban/jail.local
--- a/common/fail2ban/jail.local Sun Jul 26 15:21:00 2015 +0100
+++ b/common/fail2ban/jail.local Sun Jul 26 17:46:32 2015 +0100
@@ -6,7 +6,7 @@
 [ssh-firewall-ban]
 enabled = true
 filter = sshd
-action = firewall-ban[name=SSH]
+action = firewall-ban[name=SSH,port=22]
 logpath = /var/log/secure
 maxretry = 5
 bantime = 604800
@@ -14,7 +14,7 @@
 [apache-badbots]
 enabled = true
 filter = apache-badbots
-action = firewall-ban[name=ApacheBadBots]
+action = firewall-ban[name=ApacheBadBots,port="80,443"]
 logpath = /var/log/apache/access_*.log
 findtime = 604800
 bantime = 604800
@@ -23,7 +23,7 @@
 enabled = true
 maxretry = 1
 filter = ibb-apache-exploits-instaban
-action = firewall-ban[name=ApacheInstaban]
+action = firewall-ban[name=ApacheInstaban,port="80,443"]
 logpath = /var/log/apache/access_*.log
 findtime = 604800
 bantime = 604800
@@ -32,7 +32,7 @@
 enabled = true
 maxretry = 5
 filter = apache-auth
-action = firewall-ban[name=ApacheAuth]
+action = firewall-ban[name=ApacheAuth,port="80,443"]
 logpath = /var/log/apache/error_*.log
 findtime = 86400
 bantime = 604800
@@ -41,7 +41,7 @@
 enabled = true
 maxretry = 2
 filter = ibb-repeat-offender
-action = firewall-ban[name=RepeatOffenders]
+action = firewall-ban[name=RepeatOffenders,port="1-65535"]
 logpath = /var/log/fail2ban.log
 findtime = 2592000
 bantime = 2592000
@@ -50,7 +50,7 @@
 enabled = true
 maxretry = 1
 filter = ibb-postfix-spammers
-action = firewall-ban[name=SpamEmail]
+action = firewall-ban[name=SpamEmail,port="465,25"]
 logpath = /var/log/maillog
 findtime = 604800
 bantime = 604800
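Review bot: In the `ibb-repeat-offender` hunk (`@@ -41`), `port="1-65535"` writes the range with a hyphen, but when `firewall-ban` resolves to fail2ban's `iptables-multiport` action the value is substituted into `-m multiport --dports <port>`, where a range is spelled `low:high`; iptables rejects `1-65535`, so the jail's `actionstart` rule fails and the per-IP bans go into a chain that nothing jumps to, with the error visible only in fail2ban's own log. Use `port="1:65535"`, or give this jail fail2ban's `iptables-allports` action, which drops the banned source on every port without a port list. The other hunks in this file (`@@ -6` through `@@ -50`) only add `port=` values and are otherwise sound; the SSH jail's `port=22` is the one value left unquoted while every other jail quotes — quoting is only required when the value contains a comma, but `port="22"` keeps the file uniform. Whether the non-iptables target of the `firewall-ban` link honours a `port` parameter at all cannot be confirmed from this file.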
@@ -59,7 +59,7 @@
 enabled = true
 maxretry = 1
 filter = ibb-postfix-malicious
-action = firewall-ban[name=MailAbuse]
+action = firewall-ban[name=MailAbuse,port="465,25"]
 logpath = /var/log/maillog
 findtime = 604800
 bantime = 604800
@@ -68,7 +68,7 @@
 enabled = true
 maxretry = 10
 filter = ibb-postfix
-action = firewall-ban[name=MailRejected]
+action = firewall-ban[name=MailRejected,port="465,25"]
 logpath = /var/log/maillog
 findtime = 604800
 bantime = 604800
@@ -77,7 +77,7 @@
 enabled = true
 maxretry = 10
 filter = postfix-sasl
-action = firewall-ban[name=SASLFailures]
+action = firewall-ban[name=SASLFailures,port="465,25"]
 logpath = /var/log/maillog
 findtime = 604800
 bantime = 604800
@@ -86,7 +86,7 @@
 enabled = true
 maxretry = 1
 filter = ibb-apache-shellshock
-action = firewall-ban[name=Shellshock]
+action = firewall-ban[name=Shellshock,port="80,443"]
 logpath = /var/log/apache/access_*.log
 findtime = 604800
 bantime = 604800
diff -r 30f56d6f9d33 -r ce8eaaca6a34 manifests/templates.pp
--- a/manifests/templates.pp Sun Jul 26 15:21:00 2015 +0100
+++ b/manifests/templates.pp Sun Jul 26 17:46:32 2015 +0100
@@ -254,9 +254,16 @@
 file { '/etc/fail2ban/action.d/apf.conf':
 source => 'puppet:///common/fail2ban/apf.conf',
 }
+
+ if $firewall_cmd == 'iptables' {
+ $firewall_ban_cmd = 'iptables-multiport'
+ } else {
+ $firewall_ban_cmd = $firewall_cmd
+ }
+
 file { '/etc/fail2ban/action.d/firewall-ban.conf':
 ensure => link,
- target => "/etc/fail2ban/action.d/${firewall_cmd}.conf",
+ target => "/etc/fail2ban/action.d/${firewall_ban_cmd}.conf",
 }
 file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf':
 source => 'puppet:///common/fail2ban/ibb-apache-exploits-instaban.conf',
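Review bot: The three postfix jails here (`@@ -59`, `@@ -68`, `@@ -77`, and `@@ -50` on the previous line) ban only `port="465,25"`; if postfix also accepts mail on the submission port, a source banned by `postfix-sasl` for authentication failures keeps reaching the very listener it was attacking, since SASL authentication is typically offered on submission as well as smtps. Whether submission is enabled on this host is not visible in the patch, so confirm against the postfix `master.cf`; if it is, extend the list to `port="25,465,587"` (or the service-name form `port="smtp,smtps,submission"`, which iptables resolves via `/etc/services`). The `apache-shellshock` hunk (`@@ -86`) matches the other Apache jails and needs no change.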
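Review bot: The new `$firewall_ban_cmd` mapping special-cases only `'iptables'`, so for every other `$firewall_cmd` the `firewall-ban` symlink still targets `${firewall_cmd}.conf`, and the comma-separated `port=` lists this changeset adds to `jail.local` are then handed to whatever that action does with `<port>` — a single-port action would fail to start on `80,443`, and an action with no `<port>` tag silently ignores the list; which case applies for the other supported values (an `apf.conf` is managed just above) cannot be seen from this hunk. A comment above the `if` should state the contract the two files now share, e.g. `# jail.local passes comma-separated port= lists, so the single-port iptables action is swapped for the multiport variant; any other firewall_cmd must name an action that accepts <port> as a list`. As a point of style, the four-line `if`/`else` is a Puppet selector in one assignment, which also gives the comment a single place to sit:
```puppet
  # … unchanged: apf.conf file resource …
  $firewall_ban_cmd = $firewall_cmd ? {
    'iptables' => 'iptables-multiport',
    default    => $firewall_cmd,
  }
  # … unchanged: firewall-ban.conf symlink resource …
```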
@@ -564,9 +571,9 @@
 hour => 3,
 minute => 2
 }
- # Since we're only managing the local server, use "puppet apply" instead of PuppetMaster
+ # Since we're only managing the local server, use our script that wraps "puppet apply" instead of PuppetMaster
 cron { 'puppet':
- command => 'puppet apply /etc/puppet/manifests/site.pp | grep -v "Finished catalog run in"',
+ command => 'puppet-apply | grep -v "Finished catalog run in"',
 hour => '*/6',
 minute => 5
 }
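Review bot: `command => 'puppet-apply | grep -v "Finished catalog run in"'` invokes the new wrapper by bare name, so a root cron job now runs whatever `puppet-apply` cron's `PATH` happens to find every six hours, and the wrapper itself is not part of this changeset, so its location, owner and mode cannot be checked here. Since this manifest already manages the host, declare the wrapper as a `file` resource owned by root with a mode that denies writes to anyone else, and call it by absolute path in the cron command, e.g. `command => '/path/to/puppet-apply | grep -v "Finished catalog run in"'` with the path replaced by wherever the wrapper is installed. The pipe also means the job's exit status is `grep`'s rather than the wrapper's, so a failed run that prints nothing else looks identical to a clean one in cron's mail; that was already true of the old command, so it is only worth addressing if the wrapper is meant to surface failures (for instance by doing the filtering itself and exiting non-zero).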