Mercurial > repos > other > Puppet

changeset 72:33682e5b34fc puppet-3.6

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Merge latest changes from Default
author IBBoard <dev@ibboard.co.uk>
date Sun, 25 Oct 2015 20:17:52 +0000
parents 1a985a58dea5 (current diff) 565b788f7ac1 (diff)
children f413aba301be
files manifests/templates.pp modules/website/files/zzz-custom.conf modules/website/manifests/php.pp
diffstat 5 files changed, 215 insertions(+), 5 deletions(-) [+]
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/common/fail2ban/fail2ban.local	Sun Oct 25 20:17:52 2015 +0000
@@ -0,0 +1,3 @@
+[Definition]
+loglevel = NOTICE
+logtarget = /var/log/fail2ban.log
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/common/logwatch/services-fail2ban	Sun Oct 25 20:17:52 2015 +0000
@@ -0,0 +1,191 @@
+##########################################################################
+# $Id: fail2ban 226 2014-09-09 11:07:27Z stefjakobs $
+##########################################################################
+# $Log: fail2ban,v $
+# Revision 1.5a - IBBoard
+# Patched up to what we see on CentOS 6 w/fail2ban-0.9.2
+#
+# Revision 1.5  2008/08/18 16:07:46  mike
+# Patches from Paul Gear <paul at libertysys.com> -mgt
+#
+# Revision 1.4  2008/06/30 23:07:51  kirk
+# fixed copyright holders for files where I know who they should be
+#
+# Revision 1.3  2008/03/24 23:31:26  kirk
+# added copyright/license notice to each script
+#
+# Revision 1.2  2006/12/15 04:53:59  bjorn
+# Additional filtering, by Willi Mann.
+#
+# Revision 1.1  2006/05/30 19:04:26  bjorn
+# Added fail2ban service, written by Yaroslav Halchenko.
+#
+# Written by Yaroslav Halchenko <debian@onerussian.com> for fail2ban
+#
+##########################################################################
+
+########################################################
+## Copyright (c) 2008  Yaroslav Halchenko
+## Covered under the included MIT/X-Consortium License:
+##    http://www.opensource.org/licenses/mit-license.php
+## All modifications and contributions by other persons to
+## this script are assumed to have been donated to the
+## Logwatch project and thus assume the above copyright
+## and licensing terms.  If you want to make contributions
+## under your own copyright or a different license this
+## must be explicitly stated in the contribution an the
+## Logwatch project reserves the right to not accept such
+## contributions.  If you have made significant
+## contributions to this script and want to claim
+## copyright please contact logwatch-devel@lists.sourceforge.net.
+#########################################################
+
+use strict;
+use Logwatch ':all';
+
+my $Debug = $ENV{'LOGWATCH_DEBUG'} || 0;
+my $Detail = $ENV{'LOGWATCH_DETAIL_LEVEL'} || 0;
+my $IgnoreHost = $ENV{'sshd_ignore_host'} || "";
+my $DebugCounter = 0;
+my $ReInitializations = 0;
+my @IptablesErrors = ();
+my @ActionErrors = ();
+my $NotValidIP = 0;		# reported invalid IPs number
+my @OtherList = ();
+
+my %ServicesBans = ();
+
+if ( $Debug >= 5 ) {
+	print STDERR "\n\nDEBUG: Inside Fail2Ban Filter \n\n";
+	$DebugCounter = 1;
+}
+
+while (defined(my $ThisLine = <STDIN>)) {
+    if ( $Debug >= 5 ) {
+	print STDERR "DEBUG($DebugCounter): $ThisLine";
+	$DebugCounter++;
+    }
+    chomp($ThisLine);
+    if ( ($ThisLine =~ /..,... DEBUG: /) or
+	 ($ThisLine =~ /..,... \S*\s*: DEBUG /) or # syntax of 0.7.? fail2ban
+	 ($ThisLine =~ /..,... INFO: (Fail2Ban v.* is running|Exiting|Enabled sections:)/) or
+	 ($ThisLine =~ /INFO\s+Log rotation detected for/) or
+	 ($ThisLine =~ /INFO\s+Jail.+(?:stopped|started|uses poller|uses pyinotify)/) or
+	 ($ThisLine =~ /INFO\s+Changed logging target to/) or
+	 ($ThisLine =~ /INFO\s+Creating new jail/) or
+	 ($ThisLine =~ /..,... \S+\s*: INFO\s+(Set |Socket|Exiting|Gamin|Created|Added|Using)/) or # syntax of 0.7.? fail2ban
+	 ($ThisLine =~ /..,... WARNING: Verbose level is /) or
+	 ($ThisLine =~ /..,... WARNING: Restoring firewall rules/) or
+	 ($ThisLine =~ /WARNING Determined IP using DNS Lookup: [^ ]+ = \['[^']+'\]/) or
+	 ($ThisLine =~ /INFO\s+(Stopping all jails|Exiting Fail2ban)/) or
+	 ($ThisLine =~ /INFO\s+Initiated 'pyinotify' backend/) or
+	 ($ThisLine =~ /INFO\s+(Added logfile = .*|Set maxRetry = \d+|Set findtime = \d+|Set banTime = \d+)/)
+       )
+    {
+	if ( $Debug >= 6 ) {
+	    print STDERR "DEBUG($DebugCounter): line ignored\n";
+	}
+    } elsif ( ($ThisLine =~ /INFO\s+\[[^\]]+\] Found [0-9\.]+/) ) {
+	if ( $Debug >= 6 ) {
+	    print STDERR "DEBUG($DebugCounter): line ignored\n";
+	}
+    } elsif ( my ($Service,$Action,$Host) = ($ThisLine =~ m/(?:WARNING|NOTICE):?\s+\[?(.*?)[]:]?\s(Ban|Unban)[^\.]* (\S+)/)) {
+	if ( $Debug >= 6 ) {
+	    print STDERR "DEBUG($DebugCounter): Found $Action for $Service from $Host\n";
+	}
+	$ServicesBans{$Service}{$Host}{$Action}++;
+	$ServicesBans{$Service}{"(all)"}{$Action}++;
+    } elsif ( my ($Service,$Host,$NumFailures) = ($ThisLine =~ m/INFO: (\S+): (.+) has (\d+) login failure\(s\). Banned./)) {
+	if ($Debug >= 4) {
+	    print STDERR "DEBUG: Found host $Host trying to access $Service - failed $NumFailures times\n";
+	}
+	push @{$ServicesBans{$Service}{$Host}{'Failures'}}, $NumFailures;
+    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ ERROR:\s(.*):\s(\S+)\salready in ban list/)) {
+   	 $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
+    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/(?:INFO|WARNING|NOTICE)\s*\[(.*)\]\s*(\S+)\s*already banned/)) {
+       $ServicesBans{$Service}{$Host}{'AlreadyInTheList'}++;
+    } elsif ( my ($Service,$Host) = ($ThisLine =~ m/ WARNING:\s(.*):\sReBan (\S+)/)) {
+	    $ServicesBans{$Service}{$Host}{'ReBan'}++;
+    } elsif ($ThisLine =~ / ERROR:?\s*(Execution of command )?\'?iptables/) {
+	    push @IptablesErrors, "$ThisLine\n";
+    } elsif ($ThisLine =~ /ERROR.*returned \d+$/) {
+       push @ActionErrors, "$ThisLine\n";
+    } elsif (($ThisLine =~ /..,... WARNING: \#\S+ reinitialization of firewalls/) or
+	    ($ThisLine =~ / ERROR\s*Invariant check failed. Trying to restore a sane environment/)) {
+	    $ReInitializations++;
+    } elsif ($ThisLine =~ /..,... WARNING:  is not a valid IP address/) {
+	# just ignore - this will be fixed within fail2ban and is harmless warning
+    }
+    else
+    {
+	# Report any unmatched entries...
+	push @OtherList, "$ThisLine\n";
+    }
+}
+
+###########################################################
+
+
+if (keys %ServicesBans) {
+    printf("\nBanned services with Fail2Ban:				 Bans:Unbans\n");
+    foreach my $service (sort {$a cmp $b} keys %ServicesBans) {
+	printf("   %-55s [%3d:%-3d]\n", "$service:",
+	       $ServicesBans{$service}{'(all)'}{'Ban'},
+	       $ServicesBans{$service}{'(all)'}{'Unban'});
+	delete $ServicesBans{$service}{'(all)'};
+	my $totalSort = TotalCountOrder(%{$ServicesBans{$service}}, \&SortIP);
+	if ($Detail >= 5) {
+	    foreach my $ip (sort $totalSort keys %{$ServicesBans{$service}}) {
+		   my $name = LookupIP($ip);
+		   printf("      %-53s %3d:%-3d\n",
+		       $name,
+		       $ServicesBans{$service}{$ip}{'Ban'},
+		       $ServicesBans{$service}{$ip}{'Unban'});
+		   if (($Detail >= 10) and ($ServicesBans{$service}{$ip}{'Failures'}>0)) {
+		      print "	   Failed ";
+		      foreach my $fails (@{$ServicesBans{$service}{$ip}{'Failures'}}) {
+			      print " $fails";
+		      }
+		    print " times";
+		    printf("\n	   %d Duplicate Ban attempts", $ServicesBans{$service}{$ip}{'AlreadyInTheList'}) ;
+		    printf("\n	   %d ReBans due to rules reinitilizations", $ServicesBans{$service}{$ip}{'ReBan'}) ;
+		    print "\n";
+		   }
+	    }
+	   }
+    }
+}
+
+
+if ($Detail>0) {
+    if ($#IptablesErrors > 0) {
+	   printf("\n%d faulty iptables invocation(s)", $#IptablesErrors);
+	   if ($Detail > 5) {
+	    print ":\n";
+	    print @IptablesErrors ;
+	   }
+    }
+    if ($#ActionErrors > 0) {
+       printf("\n%d error(s) returned from actions", $#ActionErrors);
+       if ($Detail > 5) {
+           print ":\n";
+           print @ActionErrors ;
+       }
+    }
+    if ($ReInitializations > 0) {
+	   printf("\n%d fail2ban rules reinitialization(s)", $ReInitializations);
+    }
+    if ($#OtherList >= 0) {
+	   print "\n**Unmatched Entries**\n";
+	   print @OtherList;
+    }
+}
+
+exit(0);
+
+# vi: shiftwidth=3 tabstop=3 syntax=perl et
+# Local Variables:
+# mode: perl
+# perl-indent-level: 3
+# indent-tabs-mode: nil
+# End:
--- a/manifests/templates.pp	Sun Oct 18 19:39:46 2015 +0100
+++ b/manifests/templates.pp	Sun Oct 25 20:17:52 2015 +0000
@@ -202,6 +202,9 @@
 	file { '/etc/logwatch/scripts/shared/':
 		ensure => directory,
 	}
+	file { '/etc/logwatch/scripts/services/fail2ban':
+		source => 'puppet:///common/logwatch/services-fail2ban',
+	}
 	file { '/etc/logwatch/scripts/services/http-error':
 		source => 'puppet:///common/logwatch/http-error',
 	}
@@ -261,6 +264,9 @@
 		require => Package['fail2ban'],
 		notify => Service['fail2ban'],
 	}
+	file { '/etc/fail2ban/fail2ban.local':
+		source => 'puppet:///common/fail2ban/fail2ban.local',
+	}
 	file { '/etc/fail2ban/jail.local':
 		source => 'puppet:///common/fail2ban/jail.local',
 	}
@@ -296,10 +302,6 @@
 	file { '/etc/fail2ban/filter.d/ibb-postfix.conf':
 		source => 'puppet:///common/fail2ban/ibb-postfix.conf',
 	}
-	file { '/etc/fail2ban/fail2ban.local':
-		content => '[Definition]
-logtarget = /var/log/fail2ban.log'
-	}
 	# Because one of our rules checks fail2ban's log, but the service dies without the file
 	file { '/var/log/fail2ban.log':
 		ensure => present,
@@ -328,6 +330,7 @@
 	class { 'website::php':
 		suffix => '55ibb', #IBBoard's rebuild of Webtatic's PHP 5.5
 		opcache => 'opcache',
+		extras => [ 'process' ],
 	}
 
 	#Setup MySQL, using (private) templates to make sure that we set non-std passwords and a default user
@@ -449,7 +452,7 @@
 		custom_fragment => template("private/apache/hwt.fragment"),
 	}
 	website::https::multitld { 'forums.hiveworldterra': 
-		custom_fragment => 'ErrorDocument 404 /error.php'
+		custom_fragment => template("private/apache/forums.fragment"),
 	}
 	website::https::multitld { 'skins.hiveworldterra':
 		custom_fragment => template("private/apache/skins.fragment"),
--- a/modules/website/files/zzz-custom.conf	Sun Oct 18 19:39:46 2015 +0100
+++ b/modules/website/files/zzz-custom.conf	Sun Oct 25 20:17:52 2015 +0000
@@ -55,6 +55,10 @@
         Require all denied
     </IfVersion>
 </Location>
+<Location /.well-known>
+	Order Deny,Allow
+	Allow from all
+</Location>
 <FilesMatch ^\.>
     <IfVersion < 2.4>
         Order Allow,Deny
--- a/modules/website/manifests/php.pp	Sun Oct 18 19:39:46 2015 +0100
+++ b/modules/website/manifests/php.pp	Sun Oct 25 20:17:52 2015 +0000
@@ -1,6 +1,7 @@
 class website::php(
     $suffix = '',
     $opcache = undef,
+    $extras = [],
     ) {
   File {
       notify => Service['httpd'],
@@ -11,6 +12,14 @@
       tag => 'website',
   }
   Package <| tag == 'website' |> -> File <| tag == 'website' |>
+  define website::php::extra_php ($pkg = $title) {
+    package { "php${website::php::suffix}-${pkg}":
+      ensure => latest,
+    }
+  }
+
+  website::php::extra_php { $extras: }
+
   $packages = [ "php${suffix}", "php${suffix}-mcrypt", "php${suffix}-mbstring", "php${suffix}-xml", "php${suffix}-gd" ]
   package { $packages:
     ensure => latest,