changeset 195:f70831cc2864 puppet-3.6

Separate out SSH repeats from web/email repeats Hopefully this should prevent accidental lock-outs! Worst case, I trigger a web lock-out and get back in on SSH.
author IBBoard <dev@ibboard.co.uk>
date Wed, 17 Apr 2019 12:00:31 +0100
parents a08de3153548
children d3ef339b53a6
files common/fail2ban/ibb-repeat-offender-ssh.conf common/fail2ban/ibb-repeat-offender.conf common/fail2ban/jail.local manifests/templates.pp
diffstat 4 files changed, 38 insertions(+), 5 deletions(-) [+]
line wrap: on
line diff
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/common/fail2ban/ibb-repeat-offender-ssh.conf	Wed Apr 17 12:00:31 2019 +0100
@@ -0,0 +1,23 @@
+# IBB-Repeat-Offender-SSH configuration file
+#
+# Author: Tom Hendrikx, minor modifications by Amir Caspi
+# See http://whyscream.net/wiki/index.php/Fail2ban_monitoring_Fail2ban
+# Renamed and adjusted by IBBoard for consistency
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = NOTICE\s+\[ssh-[^\]]+\]\s+Ban\s+<HOST>
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+#ignoreregex =
--- a/common/fail2ban/ibb-repeat-offender.conf	Wed Apr 10 20:11:55 2019 +0100
+++ b/common/fail2ban/ibb-repeat-offender.conf	Wed Apr 17 12:00:31 2019 +0100
@@ -2,9 +2,7 @@
 #
 # Author: Tom Hendrikx, minor modifications by Amir Caspi
 # See http://whyscream.net/wiki/index.php/Fail2ban_monitoring_Fail2ban
-# Renamed by IBBoard for consistency
-#
-# $Revision: 1 $
+# Renamed and adjusted by IBBoard for consistency
 #
 
 [Definition]
@@ -22,4 +20,4 @@
 # Notes.:  regex to ignore. If this regex matches, the line is ignored.
 # Values:  TEXT
 #
-ignoreregex = fail2ban.actions:\s+NOTICE\s+\[(ibb-repeat-offender|[^\]]+warning)\]\s+Ban\s+<HOST>
+ignoreregex = fail2ban.actions:\s+NOTICE\s+\[(ibb-repeat-offender|ssh-)[^\]]+\]\s+Ban\s+<HOST>
--- a/common/fail2ban/jail.local	Wed Apr 10 20:11:55 2019 +0100
+++ b/common/fail2ban/jail.local	Wed Apr 17 12:00:31 2019 +0100
@@ -51,7 +51,16 @@
 enabled  = true
 maxretry = 2
 filter   = ibb-repeat-offender
-action   = firewall-ban[name=RepeatOffenders,chain=Fail2Ban,port="80,443,25,465,222"]
+action   = firewall-ban[name=RepeatOffenders,chain=Fail2Ban,port="80,443,25,465"]
+logpath  = /var/log/fail2ban.log
+findtime = 2592000
+bantime  = 2592000
+
+[repeat-offenders-ssh]
+enabled  = true
+maxretry = 2
+filter   = ibb-repeat-offender-ssh
+action   = firewall-ban[name=RepeatOffendersSSH,chain=Fail2Ban,port="222"]
 logpath  = /var/log/fail2ban.log
 findtime = 2592000
 bantime  = 2592000
--- a/manifests/templates.pp	Wed Apr 10 20:11:55 2019 +0100
+++ b/manifests/templates.pp	Wed Apr 17 12:00:31 2019 +0100
@@ -373,6 +373,9 @@
 	file { '/etc/fail2ban/filter.d/ibb-repeat-offender.conf':
 		source => 'puppet:///common/fail2ban/ibb-repeat-offender.conf',
 	}
+	file { '/etc/fail2ban/filter.d/ibb-repeat-offender-ssh.conf':
+		source => 'puppet:///common/fail2ban/ibb-repeat-offender-ssh.conf',
+	}
 	file { '/etc/fail2ban/filter.d/ibb-postfix-spammers.conf':
 		source => 'puppet:///common/fail2ban/ibb-postfix-spammers.conf',
 	}