Mercurial > repos > other > Puppet

changeset 35:1bb941522ebf puppet-3.6

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Handle differences in firewalling between ASO (using APF) and most other hosts (using iptables)
author IBBoard <dev@ibboard.co.uk>
date Sat, 14 Mar 2015 20:01:17 +0000
parents 5c7fc7b7262c
children 37675581a273
files common/fail2ban/jail.local manifests/nodes.pp manifests/templates.pp
diffstat 3 files changed, 28 insertions(+), 13 deletions(-) [+]
line wrap: on
line diff
--- a/common/fail2ban/jail.local	Sat Mar 14 19:38:50 2015 +0000
+++ b/common/fail2ban/jail.local	Sat Mar 14 20:01:17 2015 +0000
@@ -1,10 +1,12 @@
+# Disable ssh-iptables because some versions auto-enable it
+# and we want to use our own version (which may use non-iptables)
 [ssh-iptables]
 enabled = false
 
-[ssh-apf]
+[ssh-firewall-ban]
 enabled  = true
 filter   = sshd
-action   = apf[name=SSH]
+action   = firewall-ban[name=SSH]
 logpath  = /var/log/secure
 maxretry = 5
 bantime  = 604800
@@ -12,7 +14,7 @@
 [apache-badbots]
 enabled  = true
 filter   = apache-badbots
-action   = apf[name=ApacheBadBots]
+action   = firewall-ban[name=ApacheBadBots]
 logpath  = /var/log/apache/access_*.log
 findtime = 604800
 bantime  = 604800
@@ -21,7 +23,7 @@
 enabled  = true
 maxretry = 1
 filter   = ibb-apache-exploits-instaban
-action   = apf[name=ApacheInstaban]
+action   = firewall-ban[name=ApacheInstaban]
 logpath  = /var/log/apache/access_*.log
 findtime = 604800
 bantime  = 604800
@@ -30,7 +32,7 @@
 enabled  = true
 maxretry = 5
 filter   = apache-auth
-action   = apf[name=ApacheAuth]
+action   = firewall-ban[name=ApacheAuth]
 logpath  = /var/log/apache/error_*.log
 findtime = 86400
 bantime  = 604800
@@ -39,7 +41,7 @@
 enabled  = true
 maxretry = 2
 filter   = ibb-repeat-offender
-action   = apf[name=RepeatOffenders]
+action   = firewall-ban[name=RepeatOffenders]
 logpath  = /var/log/fail2ban.log
 findtime = 2592000
 bantime  = 2592000
@@ -48,7 +50,7 @@
 enabled = true
 maxretry = 1
 filter = ibb-postfix-spammers
-action = apf[name=SpamEmail]
+action = firewall-ban[name=SpamEmail]
 logpath = /var/log/maillog
 findtime = 604800
 bantime  = 604800
@@ -57,7 +59,7 @@
 enabled = true
 maxretry = 1
 filter = ibb-postfix-malicious
-action = apf[name=MailAbuse]
+action = firewall-ban[name=MailAbuse]
 logpath = /var/log/maillog
 findtime = 604800
 bantime  = 604800
@@ -66,7 +68,7 @@
 enabled = true
 maxretry = 10
 filter = ibb-postfix
-action = apf[name=MailRejected]
+action = firewall-ban[name=MailRejected]
 logpath = /var/log/maillog
 findtime = 604800
 bantime  = 604800
@@ -75,7 +77,7 @@
 enabled = true
 maxretry = 10
 filter = postfix-sasl
-action = apf[name=SASLFailures]
+action = firewall-ban[name=SASLFailures]
 logpath = /var/log/maillog
 findtime = 604800
 bantime  = 604800
@@ -84,7 +86,7 @@
 enabled = true
 maxretry = 1
 filter = ibb-apache-shellshock
-action = apf[name=Shellshock]
+action = firewall-ban[name=Shellshock]
 logpath = /var/log/apache/access_*.log
 findtime = 604800
 bantime  = 604800
--- a/manifests/nodes.pp	Sat Mar 14 19:38:50 2015 +0000
+++ b/manifests/nodes.pp	Sat Mar 14 20:01:17 2015 +0000
@@ -5,6 +5,7 @@
 		secondary_ip => '143.95.92.165',
 		mailserver => 'mail.ibboard.co.uk',
 		imapserver => 'imap.ibboard.co.uk',
+		firewall_cmd => 'apf',
 	}
 }
 
@@ -14,5 +15,6 @@
 		secondary_ip => '192.168.56.4',
 		mailserver => 'mail.ibboard.co.uk',
 		imapserver => 'imap.ibboard.co.uk',
+		firewall_cmd => 'iptables',
 	}
 }
--- a/manifests/templates.pp	Sat Mar 14 19:38:50 2015 +0000
+++ b/manifests/templates.pp	Sat Mar 14 20:01:17 2015 +0000
@@ -29,6 +29,7 @@
 	$secondary_ip,
 	$mailserver,
 	$imapserver,
+	$firewall_cmd = 'iptables',
 	) {
 	#VPS is a self-mastered Puppet machine, so bodge a Hosts file
 	file { '/etc/hosts':
@@ -48,7 +49,9 @@
 	}
 	include cronjobs
 	include logrotate
-	include fail2ban
+	class { 'fail2ban':
+		firewall_cmd => $firewall_cmd,
+	}
 	include tools
 	class { 'email':
 		mailserver => $mailserver,
@@ -179,7 +182,9 @@
 	}
 }
 
-class fail2ban {
+class fail2ban (
+	$firewall_cmd,
+	) {
 	package { 'fail2ban':
 		ensure => latest,
 	}
@@ -198,6 +203,10 @@
 	file { '/etc/fail2ban/action.d/apf.conf':
 		source => 'puppet:///common/fail2ban/apf.conf',
 	}
+	file { '/etc/fail2ban/action.d/firewall-ban.conf':
+		ensure => link,
+		target => "/etc/fail2ban/action.d/${firewall_cmd}.conf",
+	}
 	file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf':
 		source => 'puppet:///common/fail2ban/ibb-apache-exploits-instaban.conf',
 	}
@@ -275,12 +284,14 @@
 	$secondary_ip,
 	$mailserver,
 	$imapserver,
+	$firewall_cmd = 'iptables',
 	){
 	class { 'basevpsnode':
 		primary_ip => $primary_ip,
 		secondary_ip => $secondary_ip,
 		mailserver => $mailserver,
 		imapserver => $imapserver,
+		firewall_cmd => $firewall_cmd,
 	}
 
 	# Common modules used by multiple sites (mod_auth_basic is safe because we HTTPS all the things)