changeset 55:ce8eaaca6a34 puppet-3.6
Update firewalling so that we block the right ports when using iptables directly
author | IBBoard <dev@ibboard.co.uk> |
date | Sun, 26 Jul 2015 17:46:32 +0100 |
parents | 30f56d6f9d33 |
children | 2c1e222300f6 |
files | common/fail2ban/jail.local manifests/templates.pp |
diffstat | 2 files changed, 20 insertions(+), 13 deletions(-) [+] |
--- a/common/fail2ban/jail.local	Sun Jul 26 15:21:00 2015 +0100
+++ b/common/fail2ban/jail.local	Sun Jul 26 17:46:32 2015 +0100
@@ -6,7 +6,7 @@
 [ssh-firewall-ban]
 enabled = true
 filter = sshd
-action = firewall-ban[name=SSH]
+action = firewall-ban[name=SSH,port=22]
 logpath = /var/log/secure
 maxretry = 5
 bantime = 604800
@@ -14,7 +14,7 @@
 [apache-badbots]
 enabled = true
 filter = apache-badbots
-action = firewall-ban[name=ApacheBadBots]
+action = firewall-ban[name=ApacheBadBots,port="80,443"]
 logpath = /var/log/apache/access_*.log
 findtime = 604800
 bantime = 604800
@@ -23,7 +23,7 @@
 enabled = true
 maxretry = 1
 filter = ibb-apache-exploits-instaban
-action = firewall-ban[name=ApacheInstaban]
+action = firewall-ban[name=ApacheInstaban,port="80,443"]
 logpath = /var/log/apache/access_*.log
 findtime = 604800
 bantime = 604800
@@ -32,7 +32,7 @@
 enabled = true
 maxretry = 5
 filter = apache-auth
-action = firewall-ban[name=ApacheAuth]
+action = firewall-ban[name=ApacheAuth,port="80,443"]
 logpath = /var/log/apache/error_*.log
 findtime = 86400
 bantime = 604800
@@ -41,7 +41,7 @@
 enabled = true
 maxretry = 2
 filter = ibb-repeat-offender
-action = firewall-ban[name=RepeatOffenders]
+action = firewall-ban[name=RepeatOffenders,port="1-65535"]
 logpath = /var/log/fail2ban.log
 findtime = 2592000
 bantime = 2592000
@@ -50,7 +50,7 @@
 enabled = true
 maxretry = 1
 filter = ibb-postfix-spammers
-action = firewall-ban[name=SpamEmail]
+action = firewall-ban[name=SpamEmail,port="465,25"]
 logpath = /var/log/maillog
 findtime = 604800
 bantime = 604800
@@ -59,7 +59,7 @@
 enabled = true
 maxretry = 1
 filter = ibb-postfix-malicious
-action = firewall-ban[name=MailAbuse]
+action = firewall-ban[name=MailAbuse,port="465,25"]
 logpath = /var/log/maillog
 findtime = 604800
 bantime = 604800
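Review bot: `port=22` in the ssh-firewall-ban hunk hardcodes the default SSH port, so if sshd on this host listens on a different port (or on more than one) the ban closes a port the attacker never used while the real service stays reachable. fail2ban's stock jail.conf writes `port = ssh` for this jail because iptables resolves service names through /etc/services, and that keeps the ban tied to the service rather than to a number that may drift from sshd_config. This is also the only jail in the file whose port value is unquoted; `port="22"` would match the other nine entries.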
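Review bot: `port="1-65535"` in the ibb-repeat-offender hunk blocks only TCP once firewall-ban resolves to iptables-multiport, which the templates.pp change in this changeset does for the iptables backend: that action's protocol parameter defaults to tcp in stock fail2ban, and the multiport match cannot express `-p all`. A repeat offender therefore keeps reaching UDP services and can still send ICMP from the banned address, which is probably not what a "ban everything" jail intends. If a full block is the goal this jail should use fail2ban's `iptables-allports` action instead of the shared link, e.g. `action = iptables-allports[name=RepeatOffenders]`, or the manifest should provide a second link that maps to the all-ports variant for each backend it supports.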
@@ -68,7 +68,7 @@
 enabled = true
 maxretry = 10
 filter = ibb-postfix
-action = firewall-ban[name=MailRejected]
+action = firewall-ban[name=MailRejected,port="465,25"]
 logpath = /var/log/maillog
 findtime = 604800
 bantime = 604800
@@ -77,7 +77,7 @@
 enabled = true
 maxretry = 10
 filter = postfix-sasl
-action = firewall-ban[name=SASLFailures]
+action = firewall-ban[name=SASLFailures,port="465,25"]
 logpath = /var/log/maillog
 findtime = 604800
 bantime = 604800
@@ -86,7 +86,7 @@
 enabled = true
 maxretry = 1
 filter = ibb-apache-shellshock
-action = firewall-ban[name=Shellshock]
+action = firewall-ban[name=Shellshock,port="80,443"]
 logpath = /var/log/apache/access_*.log
 findtime = 604800
 bantime = 604800
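Review bot: `port="465,25"` in the postfix-sasl hunk omits 587, the submission port where SASL authentication is normally offered, so a banned address can carry on brute-forcing logins against the submission service if this Postfix enables it in master.cf. The same two-port list is used by the other three mail jails in this file, so whatever set of ports Postfix actually listens on should be reflected in all of them, e.g. `port="25,465,587"`. Whether 587 is open on this host is not visible from the diff, so confirm against master.cf before widening the ban.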
--- a/manifests/templates.pp	Sun Jul 26 15:21:00 2015 +0100
+++ b/manifests/templates.pp	Sun Jul 26 17:46:32 2015 +0100
@@ -254,9 +254,16 @@
   file { '/etc/fail2ban/action.d/apf.conf':
     source => 'puppet:///common/fail2ban/apf.conf',
   }
+
+  if $firewall_cmd == 'iptables' {
+    $firewall_ban_cmd = 'iptables-multiport'
+  } else {
+    $firewall_ban_cmd = $firewall_cmd
+  }
+
   file { '/etc/fail2ban/action.d/firewall-ban.conf':
     ensure => link,
-    target => "/etc/fail2ban/action.d/${firewall_cmd}.conf",
+    target => "/etc/fail2ban/action.d/${firewall_ban_cmd}.conf",
   }
   file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf':
     source => 'puppet:///common/fail2ban/ibb-apache-exploits-instaban.conf',
@@ -564,9 +571,9 @@
     hour => 3,
     minute => 2
   }
-  # Since we're only managing the local server, use "puppet apply" instead of PuppetMaster
+  # Since we're only managing the local server, use our script that wraps "puppet apply" instead of PuppetMaster
   cron { 'puppet':
-    command => 'puppet apply /etc/puppet/manifests/site.pp | grep -v "Finished catalog run in"',
+    command => 'puppet-apply | grep -v "Finished catalog run in"',
     hour => '*/6',
     minute => 5
   }
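Review bot: The new `if $firewall_cmd == 'iptables'` branch that picks the firewall-ban link target carries no comment, and the reason for the substitution is subtle enough to be reverted by the next reader: fail2ban's plain iptables action hands its port to `--dport`, which takes a single port, while the jail.local entries in this same changeset now pass lists such as `"80,443"` and a range, which only work with `-m multiport --dports`. A comment above the if along the lines of `# The plain 'iptables' action only accepts one --dport; our jails pass port lists, so use the multiport variant` would record that. The else branch also forwards any other value unchecked, so a typo or an unset $firewall_cmd most likely yields a dangling `/etc/fail2ban/action.d/.conf` link and the jails referencing firewall-ban will not start; a `case` over the backends this manifest knows about with `default: { fail("unsupported firewall_cmd '${firewall_cmd}'") }` would surface that at apply time instead of at the next attack. The enclosing class or node body starts and ends outside the hunk.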
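Review bot: `command => 'puppet-apply | grep -v "Finished catalog run in"'` in the cron hunk relies on a PATH lookup to find the wrapper, and cron runs jobs with a minimal PATH (typically /usr/bin:/bin), so unless the script lives there the root job fails with "command not found" every six hours; an absolute path such as `/usr/local/sbin/puppet-apply` (or wherever the wrapper is installed) also avoids resolving a root-executed command through a search path. The wrapper itself is not added or managed anywhere in this changeset, so a freshly built host gets the cron entry but no script; a `file` resource for it in this manifest (or the package that ships it) would close that gap. Piping through grep also discards puppet's exit status, though that predates this change. The enclosing class or node body starts and ends outside the hunk.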