changeset 64:3bb824dabaae puppet-3.6
Make sure Fail2Ban rules are in the right order (using a separate chain) and whitelist Googlebot (which keeps hitting Script Kiddy targets for unknown reasons)
Less painful than I expected :)
author | IBBoard <dev@ibboard.co.uk> |
date | Sun, 13 Sep 2015 20:48:18 +0100 |
parents | e5c999fa15e2 |
children | 9ebb9e8203a0 |
files | common/fail2ban/jail.local manifests/templates.pp |
diffstat | 2 files changed, 23 insertions(+), 10 deletions(-) [+] |
--- a/common/fail2ban/jail.local Sun Sep 13 19:48:35 2015 +0100
+++ b/common/fail2ban/jail.local Sun Sep 13 20:48:18 2015 +0100
@@ -6,7 +6,7 @@
 [ssh-firewall-ban]
 enabled = true
 filter = sshd
-action = firewall-ban[name=SSH,port=22]
+action = firewall-ban[name=SSH,chain=Fail2Ban,port=22]
 logpath = /var/log/secure
 maxretry = 5
 bantime = 604800
@@ -14,7 +14,7 @@
 [apache-badbots]
 enabled = true
 filter = apache-badbots
-action = firewall-ban[name=ApacheBadBots,port="80,443"]
+action = firewall-ban[name=ApacheBadBots,chain=Fail2Ban,port="80,443"]
 logpath = /var/log/apache/access_*.log
 findtime = 604800
 bantime = 604800
@@ -23,7 +23,7 @@
 enabled = true
 maxretry = 1
 filter = ibb-apache-exploits-instaban
-action = firewall-ban[name=ApacheInstaban,port="80,443"]
+action = firewall-ban[name=ApacheInstaban,chain=Fail2Ban,port="80,443"]
 logpath = /var/log/apache/access_*.log
 findtime = 604800
 bantime = 604800
@@ -32,7 +32,7 @@
 enabled = true
 maxretry = 5
 filter = apache-auth
-action = firewall-ban[name=ApacheAuth,port="80,443"]
+action = firewall-ban[name=ApacheAuth,chain=Fail2Ban,port="80,443"]
 logpath = /var/log/apache/error_*.log
 findtime = 86400
 bantime = 604800
@@ -41,7 +41,7 @@
 enabled = true
 maxretry = 2
 filter = ibb-repeat-offender
-action = firewall-ban[name=RepeatOffenders,port="1:65535"]
+action = firewall-ban[name=RepeatOffenders,chain=Fail2Ban,port="1:65535"]
 logpath = /var/log/fail2ban.log
 findtime = 2592000
 bantime = 2592000
@@ -50,7 +50,7 @@
 enabled = true
 maxretry = 1
 filter = ibb-postfix-spammers
-action = firewall-ban[name=SpamEmail,port="465,25"]
+action = firewall-ban[name=SpamEmail,chain=Fail2Ban,port="465,25"]
 logpath = /var/log/maillog
 findtime = 604800
 bantime = 604800
@@ -59,7 +59,7 @@
 enabled = true
 maxretry = 1
 filter = ibb-postfix-malicious
-action = firewall-ban[name=MailAbuse,port="465,25"]
+action = firewall-ban[name=MailAbuse,chain=Fail2Ban,port="465,25"]
 logpath = /var/log/maillog
 findtime = 604800
 bantime = 604800
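Review bot: The literal `chain=Fail2Ban` is now repeated in the action line of every jail, starting with `[ssh-firewall-ban]` here and continuing through the nine following hunks up to `@@ -86,7 +86,7 @@` (Shellshock), so renaming the chain later means ten coordinated edits. fail2ban reads jail.local through a configparser-style parser with `[DEFAULT]` interpolation, so if the installed version's action strings accept it, `chain = Fail2Ban` once in `[DEFAULT]` and `chain=%(chain)s` in each action would keep the name in one place; confirm against the `firewall-ban` action definition, which is not part of this commit and is what actually consumes the new parameter. That action presumably inserts rules into the named chain at start-up, so the `Fail2Ban` chain created in templates.pp must exist before the fail2ban service starts (a `before`/`require` relationship, if not already ordered elsewhere), otherwise the first actionstart fails and no bans take effect until the service is restarted.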
@@ -68,7 +68,7 @@
 enabled = true
 maxretry = 10
 filter = ibb-postfix
-action = firewall-ban[name=MailRejected,port="465,25"]
+action = firewall-ban[name=MailRejected,chain=Fail2Ban,port="465,25"]
 logpath = /var/log/maillog
 findtime = 604800
 bantime = 604800
@@ -77,7 +77,7 @@
 enabled = true
 maxretry = 10
 filter = postfix-sasl
-action = firewall-ban[name=SASLFailures,port="465,25"]
+action = firewall-ban[name=SASLFailures,chain=Fail2Ban,port="465,25"]
 logpath = /var/log/maillog
 findtime = 604800
 bantime = 604800
@@ -86,7 +86,7 @@
 enabled = true
 maxretry = 1
 filter = ibb-apache-shellshock
-action = firewall-ban[name=Shellshock,port="80,443"]
+action = firewall-ban[name=Shellshock,chain=Fail2Ban,port="80,443"]
 logpath = /var/log/apache/access_*.log
 findtime = 604800
 bantime = 604800
--- a/manifests/templates.pp Sun Sep 13 19:48:35 2015 +0100
+++ b/manifests/templates.pp Sun Sep 13 20:48:18 2015 +0100
@@ -84,6 +84,12 @@
 }
 class { ['my_fw::pre', 'my_fw::post']: }
 class { 'firewall': }
+ firewall { '010 Whitelist Googlebot':
+ source => '66.249.64.0/19',
+ port => [80,443],
+ proto => tcp,
+ action => accept,
+ }
 firewallchain { 'GREATFIREWALLOFCHINA:filter:IPv4':
 ensure => present,
 }
@@ -91,6 +97,13 @@
 chain => 'INPUT',
 jump => 'GREATFIREWALLOFCHINA',
 }
+ firewallchain { 'Fail2Ban:filter:IPv4':
+ ensure => present,
+ }
+ firewall { '060 Check Fail2Ban':
+ chain => 'INPUT',
+ jump => 'Fail2Ban',
+ }
 firewall { '100 allow https and http':
 port => [80, 443],
 proto => tcp,
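Review bot: The `010 Whitelist Googlebot` accept is ordered before the `060 Check Fail2Ban` jump (and, by its ordinal, presumably before the GREATFIREWALLOFCHINA jump whose title line is outside this hunk), so every host in 66.249.64.0/19 is exempt from all bans on 80/443, not just the fail2ban ones; if the goal is only "don't ban Googlebot", fail2ban's own `ignoreip` in the `[DEFAULT]` section of jail.local achieves that without an unconditional accept at the top of INPUT and keeps the decision next to the jails. The range is hard-coded with no note of where it came from or when it was checked, so a comment such as `# Googlebot crawler range; source and date checked: <fill in>` would help whoever next has to update it. Minor style: `port => [80,443]` drops the space that `[80, 443]` uses in the existing `100 allow https and http` rule a few lines below.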
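Review bot: The `Fail2Ban:filter:IPv4` chain is declared here but its rules are inserted at runtime by fail2ban, not by Puppet, so if unmanaged-rule purging is enabled anywhere in this manifest (for example in `my_fw::pre`/`my_fw::post`, outside this hunk) each Puppet run would silently flush the live bans. If purging is done globally with `resources { 'firewall': purge => true }`, consider moving it to per-chain `purge => true` on the Puppet-managed chains, or use the `ignore` parameter on `firewallchain`, so the fail2ban-populated chain is left alone; please confirm which applies, as the purge setting is not visible in this diff. The `060 Check Fail2Ban` jump correctly lands after the GREATFIREWALLOFCHINA jump and before `100 allow https and http`, which is what the commit message sets out to fix.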