changeset 35:1bb941522ebf puppet-3.6

Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
author IBBoard <dev@ibboard.co.uk>
date Sat, 14 Mar 2015 20:01:17 +0000
parents 5c7fc7b7262c
children 37675581a273
files common/fail2ban/jail.local manifests/nodes.pp manifests/templates.pp
diffstat 3 files changed, 28 insertions(+), 13 deletions(-) [+]
--- a/common/fail2ban/jail.local	Sat Mar 14 19:38:50 2015 +0000
+++ b/common/fail2ban/jail.local	Sat Mar 14 20:01:17 2015 +0000
@@ -1,10 +1,12 @@
+# Disable ssh-iptables because some versions auto-enable it
+# and we want to use our own version (which may use non-iptables)
 [ssh-iptables]
 enabled = false
 
-[ssh-apf]
+[ssh-firewall-ban]
 enabled  = true
 filter   = sshd
-action   = apf[name=SSH]
+action   = firewall-ban[name=SSH]
 logpath  = /var/log/secure
 maxretry = 5
 bantime  = 604800
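Review bot: Every jail in this file now passes only `name=` to the `firewall-ban` action, so whichever action file the `firewall-ban.conf` link resolves to must be able to ban a host with nothing but that parameter; the same applies to the apache-badbots, ibb-apache-exploits-instaban, apache-auth, ibb-repeat-offender, the four postfix jails and ibb-apache-shellshock hunks below. The iptables action is not visible on this page; if it is the distribution's single-port `iptables.conf`, it filters only its default port unless `port=`/`protocol=` are supplied, so the HTTP and mail jails would ban nothing useful on iptables hosts, whereas the old `apf` action denied the address host-wide. Worth confirming against the action file and either passing `port=`/`protocol=` per jail or pointing the link at an all-ports action. Recording the assumption next to the new comment, e.g. `# firewall-ban is a Puppet-managed symlink to apf.conf or iptables.conf; jails pass only name=, so the target must ban host-wide`, would keep the next editor from adding a jail that silently does nothing.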
@@ -12,7 +14,7 @@
 [apache-badbots]
 enabled  = true
 filter   = apache-badbots
-action   = apf[name=ApacheBadBots]
+action   = firewall-ban[name=ApacheBadBots]
 logpath  = /var/log/apache/access_*.log
 findtime = 604800
 bantime  = 604800
@@ -21,7 +23,7 @@
 enabled  = true
 maxretry = 1
 filter   = ibb-apache-exploits-instaban
-action   = apf[name=ApacheInstaban]
+action   = firewall-ban[name=ApacheInstaban]
 logpath  = /var/log/apache/access_*.log
 findtime = 604800
 bantime  = 604800
@@ -30,7 +32,7 @@
 enabled  = true
 maxretry = 5
 filter   = apache-auth
-action   = apf[name=ApacheAuth]
+action   = firewall-ban[name=ApacheAuth]
 logpath  = /var/log/apache/error_*.log
 findtime = 86400
 bantime  = 604800
@@ -39,7 +41,7 @@
 enabled  = true
 maxretry = 2
 filter   = ibb-repeat-offender
-action   = apf[name=RepeatOffenders]
+action   = firewall-ban[name=RepeatOffenders]
 logpath  = /var/log/fail2ban.log
 findtime = 2592000
 bantime  = 2592000
@@ -48,7 +50,7 @@
 enabled = true
 maxretry = 1
 filter = ibb-postfix-spammers
-action = apf[name=SpamEmail]
+action = firewall-ban[name=SpamEmail]
 logpath = /var/log/maillog
 findtime = 604800
 bantime  = 604800
@@ -57,7 +59,7 @@
 enabled = true
 maxretry = 1
 filter = ibb-postfix-malicious
-action = apf[name=MailAbuse]
+action = firewall-ban[name=MailAbuse]
 logpath = /var/log/maillog
 findtime = 604800
 bantime  = 604800
@@ -66,7 +68,7 @@
 enabled = true
 maxretry = 10
 filter = ibb-postfix
-action = apf[name=MailRejected]
+action = firewall-ban[name=MailRejected]
 logpath = /var/log/maillog
 findtime = 604800
 bantime  = 604800
@@ -75,7 +77,7 @@
 enabled = true
 maxretry = 10
 filter = postfix-sasl
-action = apf[name=SASLFailures]
+action = firewall-ban[name=SASLFailures]
 logpath = /var/log/maillog
 findtime = 604800
 bantime  = 604800
@@ -84,7 +86,7 @@
 enabled = true
 maxretry = 1
 filter = ibb-apache-shellshock
-action = apf[name=Shellshock]
+action = firewall-ban[name=Shellshock]
 logpath = /var/log/apache/access_*.log
 findtime = 604800
 bantime  = 604800
--- a/manifests/nodes.pp	Sat Mar 14 19:38:50 2015 +0000
+++ b/manifests/nodes.pp	Sat Mar 14 20:01:17 2015 +0000
@@ -5,6 +5,7 @@
 		secondary_ip => '143.95.92.165',
 		mailserver => 'mail.ibboard.co.uk',
 		imapserver => 'imap.ibboard.co.uk',
+		firewall_cmd => 'apf',
 	}
 }
 
@@ -14,5 +15,6 @@
 		secondary_ip => '192.168.56.4',
 		mailserver => 'mail.ibboard.co.uk',
 		imapserver => 'imap.ibboard.co.uk',
+		firewall_cmd => 'iptables',
 	}
 }
--- a/manifests/templates.pp	Sat Mar 14 19:38:50 2015 +0000
+++ b/manifests/templates.pp	Sat Mar 14 20:01:17 2015 +0000
@@ -29,6 +29,7 @@
 	$secondary_ip,
 	$mailserver,
 	$imapserver,
+	$firewall_cmd = 'iptables',
 	) {
 	#VPS is a self-mastered Puppet machine, so bodge a Hosts file
 	file { '/etc/hosts':
@@ -48,7 +49,9 @@
 	}
 	include cronjobs
 	include logrotate
-	include fail2ban
+	class { 'fail2ban':
+		firewall_cmd => $firewall_cmd,
+	}
 	include tools
 	class { 'email':
 		mailserver => $mailserver,
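Review bot: Replacing `include fail2ban` with a resource-like `class { 'fail2ban': ... }` declaration means the class may be declared only once per catalog, and the `fail2ban` class gains a parameter with no default in this commit; any remaining `include fail2ban` elsewhere in these manifests (none is visible on this page) will fail with a duplicate-declaration error, or with a missing-parameter error if it is evaluated first, on Puppet 3. If other node types still include the class, they need the same parameterised declaration, or `fail2ban` needs a default for `$firewall_cmd`. The basevpsnode body continues outside the hunk.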
@@ -179,7 +182,9 @@
 	}
 }
 
-class fail2ban {
+class fail2ban (
+	$firewall_cmd,
+	) {
 	package { 'fail2ban':
 		ensure => latest,
 	}
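Review bot: `$firewall_cmd` is interpolated straight into a filesystem path (`/etc/fail2ban/action.d/${firewall_cmd}.conf`, in the next hunk) with no check on its value, so a typo in a node definition yields a dangling symlink and fail2ban failing to load the action rather than a catalog error at compile time. Restricting it at the top of the class body keeps the failure early and explicit: `if $firewall_cmd !~ /^(apf|iptables)$/ { fail("fail2ban: unsupported firewall_cmd '${firewall_cmd}'") }`. A short parameter comment, `# firewall_cmd: 'apf' or 'iptables'; selects which action.d file the firewall-ban action symlinks to`, would document the contract where it is declared. The class body continues outside the hunk.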
@@ -198,6 +203,10 @@
 	file { '/etc/fail2ban/action.d/apf.conf':
 		source => 'puppet:///common/fail2ban/apf.conf',
 	}
+	file { '/etc/fail2ban/action.d/firewall-ban.conf':
+		ensure => link,
+		target => "/etc/fail2ban/action.d/${firewall_cmd}.conf",
+	}
 	file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf':
 		source => 'puppet:///common/fail2ban/ibb-apache-exploits-instaban.conf',
 	}
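Review bot: The new `firewall-ban.conf` link resolves either to `apf.conf`, which this class ships just above, or to `iptables.conf`, which nothing here manages, so on iptables hosts the link is only valid once the package has installed that file; as far as I recall Puppet does not validate a link's target, so the link is created regardless. Adding `require => Package['fail2ban'],` to the link resource (the same arguably applies to the `apf.conf` resource, unless the class orders resources somewhere outside this hunk) and a comment such as `# jail.local refers to the firewall-ban action; it resolves to the apf action shipped above or the distro's iptables action` makes the dependency explicit. The class body continues outside the hunk.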
@@ -275,12 +284,14 @@
 	$secondary_ip,
 	$mailserver,
 	$imapserver,
+	$firewall_cmd = 'iptables',
 	){
 	class { 'basevpsnode':
 		primary_ip => $primary_ip,
 		secondary_ip => $secondary_ip,
 		mailserver => $mailserver,
 		imapserver => $imapserver,
+		firewall_cmd => $firewall_cmd,
 	}
 
 	# Common modules used by multiple sites (mod_auth_basic is safe because we HTTPS all the things)
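Review bot: The `'iptables'` default for `$firewall_cmd` is now duplicated between this class and basevpsnode (the first hunk of this file), while the `fail2ban` class that actually consumes the value has no default; two copies of one default tend to drift. Consider keeping the default in a single place, or documenting on both parameters that the value must be `apf` or `iptables`, e.g. `# firewall_cmd: 'apf' or 'iptables', passed through to fail2ban`. The enclosing class starts and ends outside the hunk.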