changeset 341:3a1b19f6a054
Add a "repeat offender" ban to Apache IP block
We can now have multiple lists (currently hardcoded at two)
so that expiring the instaban doesn't remove the longer
repeat offence ban
author | IBBoard <dev@ibboard.co.uk> |
date | Wed, 27 May 2020 19:00:28 +0100 |
parents | b2acbea872e7 |
children | 445aaaf228cc |
files | modules/fail2ban/files/ibb-apache-ip-block.conf modules/fail2ban/files/jail.local modules/fail2ban/manifests/init.pp |
diffstat | 3 files changed, 20 insertions(+), 3 deletions(-) [+] |
--- a/modules/fail2ban/files/ibb-apache-ip-block.conf Sat May 16 19:41:37 2020 +0100
+++ b/modules/fail2ban/files/ibb-apache-ip-block.conf Wed May 27 19:00:28 2020 +0100
@@ -3,6 +3,10 @@
 # with PROXY protocol support so we can see the originating
 # IPv4 address
+[Init]
+# Blank chain by default
+chain =
+
 [Definition]
 actionstart =
@@ -11,6 +15,6 @@
 actioncheck =
-actionban = /usr/local/bin/apache-ip-ban ban <ip>
+actionban = /usr/local/bin/apache-ip-ban ban <ip> <chain>
-actionunban = /usr/local/bin/apache-ip-ban unban <ip>
+actionunban = /usr/local/bin/apache-ip-ban unban <ip> <chain>
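Review bot: With `chain` defaulting to empty in `[Init]`, the unquoted `<chain>` in the second hunk's `actionban`/`actionunban` lines expands to nothing, so `/usr/local/bin/apache-ip-ban` is called with two arguments for the default jail and three for `[chain=repeat]`; the script (not visible here) has to treat a missing third argument as the default list rather than failing or selecting the wrong list. Quoting the tags, `actionban = /usr/local/bin/apache-ip-ban ban "<ip>" "<chain>"` and likewise for `actionunban`, fixes the argument count and prevents a chain value containing whitespace or shell metacharacters from being re-split by the shell fail2ban runs the action through; `chain` is trusted jail.local config, but `<ip>` still originates from a log match, so the script should validate its arguments rather than rely on this. The `[Init]` comment should also say which values the script accepts, e.g. `# chain: empty = default (instaban) list, "repeat" = long-term repeat-offender list`, so the coupling to the script's hardcoded two lists is visible from the action file. `actioncheck` remains empty, so fail2ban cannot notice when the ban map is lost or rebuilt — pre-existing, but worth a note now that two maps exist.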
--- a/modules/fail2ban/files/jail.local Sat May 16 19:41:37 2020 +0100
+++ b/modules/fail2ban/files/jail.local Wed May 27 19:00:28 2020 +0100
@@ -56,11 +56,14 @@
 findtime = 86400
 bantime = 604800
+# Repeat offenders only operates on Apache because we're not
+# seeing much on anything else anymore (or we can't filter
+# because of IPv6-to-v4 proxying)
 [repeat-offenders]
 enabled = true
 maxretry = 2
 filter = ibb-repeat-offender
-action = firewall-ban[name=RepeatOffenders,chain=Fail2Ban,port="80,443,25,465"]
+action = ibb-apache-ip-block[chain=repeat]
 logpath = /var/log/fail2ban.log
 findtime = 2592000
 bantime = 2592000
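Review bot: Replacing `firewall-ban[...port="80,443,25,465"]` with `ibb-apache-ip-block[chain=repeat]` removes the firewall-level block on 25/465, so a repeat offender is now only refused by Apache while SMTP stays reachable from that address; the new comment gives the reason but not the consequence, and the trade-off should be stated where the next reader will look, e.g. `# NOTE: no longer blocks SMTP (25/465) for repeat offenders - Apache-only by design`. Because this jail reads `/var/log/fail2ban.log`, where its own bans are logged too, the `ibb-repeat-offender` filter (not visible here) needs to exclude `[repeat-offenders]` Ban lines the way the stock recidive filter does, otherwise the jail's own 30-day ban can count toward `maxretry = 2` and re-ban the address indefinitely; I cannot confirm from this hunk whether it already does, so a one-line comment on `filter =` saying so would help. Note also that `bantime` equals `findtime` (2592000), so the bans that triggered the repeat ban have aged out of the window by the time it expires and a returning offender starts from zero again — presumably intended, but worth a comment alongside the new one.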
--- a/modules/fail2ban/manifests/init.pp Sat May 16 19:41:37 2020 +0100
+++ b/modules/fail2ban/manifests/init.pp Wed May 27 19:00:28 2020 +0100
@@ -38,6 +38,16 @@
 ensure => present,
 seltype => 'httpd_config_t',
 }
+ # Create an empty repeat banlist file if it doesn't exist
+ exec { 'httxt2dbm -i /dev/null -o /etc/httpd/conf.custom/apache_repeat_banlist.db':
+ path => '/usr/bin',
+ unless => 'test -f /etc/httpd/conf.custom/apache_repeat_banlist.db',
+ before => Service['httpd'],
+ }
+ file { '/tmp/apache_repeat_banlist.txt':
+ ensure => present,
+ seltype => 'httpd_config_t',
+ }
 # And let the httxt2dbm process work the rest of the time
 file { '/etc/selinux/apache-ip-banlist.pp':
 source => 'puppet:///modules/fail2ban/apache-ip-banlist.pp',
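Review bot: `file { '/tmp/apache_repeat_banlist.txt': ensure => present }` sets no `owner`, `group` or `mode`, and in world-writable /tmp an `ensure => present` resource is satisfied by whatever file or symlink a local user created there first, so that user would then control the text that `httxt2dbm` compiles into the Apache ban map — adding arbitrary addresses (a denial of service against legitimate clients) or dropping bans; the sibling resource just above the hunk appears to follow the same pattern. At minimum pin it with `owner => 'root', group => 'root', mode => '0644',` (or `'0600'` if only root reads it), and consider keeping the working file outside /tmp, for instance beside the .db under /etc/httpd/conf.custom, since /tmp is also subject to tmp cleaners and to per-service PrivateTmp namespaces that would leave fail2ban's action script and Puppet looking at different files. The `exec` can use Puppet's built-in `creates => '/etc/httpd/conf.custom/apache_repeat_banlist.db'` in place of `unless => 'test -f ...'`, which is the idiomatic form and spawns no extra process; if the dbm format produces suffixed files rather than the bare `.db` name, both variants would re-run every run, so that is worth checking once on the target host. The enclosing class begins before this hunk.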