changeset 341:3a1b19f6a054

Add a "repeat offender" ban to Apache IP block. We can now have multiple lists (currently hardcoded at two) so that expiring the instaban doesn't remove the longer repeat-offence ban.
author IBBoard <dev@ibboard.co.uk>
date Wed, 27 May 2020 19:00:28 +0100
parents b2acbea872e7
children 445aaaf228cc
files modules/fail2ban/files/ibb-apache-ip-block.conf modules/fail2ban/files/jail.local modules/fail2ban/manifests/init.pp
diffstat 3 files changed, 20 insertions(+), 3 deletions(-) [+]
--- a/modules/fail2ban/files/ibb-apache-ip-block.conf	Sat May 16 19:41:37 2020 +0100
+++ b/modules/fail2ban/files/ibb-apache-ip-block.conf	Wed May 27 19:00:28 2020 +0100
@@ -3,6 +3,10 @@
 # with PROXY protocol support so we can see the originating
 # IPv4 address
 
+[Init]
+# Blank chain by default
+chain =
+
 [Definition]
 
 actionstart =
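Review bot: The new `[Init]` section on L18-L20 introduces `chain` with a blank default but does not say what the value selects or which values `apache-ip-ban` accepts; the only non-blank value in this changeset is `repeat` (set from jail.local), and the commit message says the lists are currently hard-coded at two. Replace the `# Blank chain by default` comment with one that states the contract, e.g. `# chain: which banlist apache-ip-ban updates - blank = the default (instaban) list, repeat = the long-lived repeat-offender list; override per jail with ibb-apache-ip-block[chain=...]`. Whether the script rejects unknown values is outside this diff, so if it does not, say so here or add that check to the script.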
@@ -11,6 +15,6 @@
 
 actioncheck =
 
-actionban = /usr/local/bin/apache-ip-ban ban <ip>
+actionban = /usr/local/bin/apache-ip-ban ban <ip> <chain>
 
-actionunban = /usr/local/bin/apache-ip-ban unban <ip>
+actionunban = /usr/local/bin/apache-ip-ban unban <ip> <chain>
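Review bot: With the blank `[Init]` default, `actionban`/`actionunban` on L30/L33 expand to `apache-ip-ban ban <ip>` with no third word for the existing jails and to `apache-ip-ban ban <ip> repeat` for repeat-offenders, so the script has to treat a missing third argument as the default list; that handling lives in `/usr/local/bin/apache-ip-ban`, which is not in this changeset, and cannot be confirmed here. Either give the parameter a non-empty default (`chain = default` in `[Init]`, if the script accepts it) or quote the substitution as `"<chain>"` so an empty value still occupies the argument position and the script's third parameter is reliably present. A one-line comment above `actionban` stating that contract would also help the next reader.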
--- a/modules/fail2ban/files/jail.local	Sat May 16 19:41:37 2020 +0100
+++ b/modules/fail2ban/files/jail.local	Wed May 27 19:00:28 2020 +0100
@@ -56,11 +56,14 @@
 findtime = 86400
 bantime  = 604800
 
+# Repeat offenders only operates on Apache because we're not
+# seeing much on anything else anymore (or we can't filter
+# because of IPv6-to-v4 proxying)
 [repeat-offenders]
 enabled  = true
 maxretry = 2
 filter   = ibb-repeat-offender
-action   = firewall-ban[name=RepeatOffenders,chain=Fail2Ban,port="80,443,25,465"]
+action   = ibb-apache-ip-block[chain=repeat]
 logpath  = /var/log/fail2ban.log
 findtime = 2592000
 bantime  = 2592000
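Review bot: Switching the action on L48 from `firewall-ban[...port="80,443,25,465"]` to `ibb-apache-ip-block[chain=repeat]` narrows the repeat-offender ban from a network-level block on four ports to an Apache-layer block, so ports 25/465 are no longer covered and a banned address still reaches httpd before it is refused. The new comment on L40-L42 gives the rationale but not this consequence; spell it out, e.g. `# NOTE: application-layer ban only - SMTP (25/465) is no longer blocked for repeat offenders`. If mail should stay covered, fail2ban accepts several actions, one per line, under the same `action =`. Since the jail still reads `/var/log/fail2ban.log`, also confirm (not visible here) that the `ibb-repeat-offender` filter excludes this jail's own ban lines, as the stock recidive filter does, so a repeat ban does not feed back into itself.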
--- a/modules/fail2ban/manifests/init.pp	Sat May 16 19:41:37 2020 +0100
+++ b/modules/fail2ban/manifests/init.pp	Wed May 27 19:00:28 2020 +0100
@@ -38,6 +38,16 @@
 		ensure => present,
 		seltype => 'httpd_config_t',
 	}
+	# Create an empty repeat banlist file if it doesn't exist
+	exec { 'httxt2dbm -i /dev/null -o /etc/httpd/conf.custom/apache_repeat_banlist.db':
+		path => '/usr/bin',
+		unless => 'test -f /etc/httpd/conf.custom/apache_repeat_banlist.db',
+		before => Service['httpd'],
+	}
+	file { '/tmp/apache_repeat_banlist.txt':
+		ensure => present,
+		seltype => 'httpd_config_t',
+	}
 	# And let the httxt2dbm process work the rest of the time
 	file { '/etc/selinux/apache-ip-banlist.pp':
 		source => 'puppet:///modules/fail2ban/apache-ip-banlist.pp',
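Review bot: `/tmp/apache_repeat_banlist.txt` on L64 is a fixed, predictable path in a world-writable directory, and the resource sets no `owner`/`mode`, so `ensure => present` leaves in place whatever a local user created there first (a regular file or a symlink) before root starts maintaining the list; if this is the text source that `apache-ip-ban`/`httxt2dbm` consumes (the script is not in this diff), an unprivileged local user could inject or drop bans, or redirect root's write through a symlink. Prefer a root-owned location such as `/var/lib/fail2ban/apache_repeat_banlist.txt` (the script would have to agree on the path) with `owner => 'root', group => 'root', mode => '0600'`, or at minimum add those three attributes here; on distributions where `/tmp` is tmpfs or cleaned by systemd-tmpfiles the text copy would also silently diverge from the `.db`. The `.db` created by the `exec` on L59 likewise has no managed owner, mode or SELinux type; a `file` resource for it with `seltype => 'httpd_config_t'`, mirroring the resource that ends at L57, would close that gap.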