authorJulien Dessaux2018-05-02 13:41:00 +0200
committerJulien Dessaux2018-05-02 14:23:30 +0200
commitb5de62baf8703d3597edd5e2bf7a7212c7d41a05 (patch)
tree995a6ddd04b1dc40839caa19f7f1923cbae7a295
parentFinished adding ipv6 addresses on all openvpn intercos (diff)
Added fail2ban support for sshd on linux
-rw-r--r--services/applications.cf1
-rw-r--r--services/applications/fail2ban.cf31
-rw-r--r--services/main.cf3
-rw-r--r--templates/fail2ban/jail.local11
-rw-r--r--update.cf3
5 files changed, 47 insertions, 2 deletions
diff --git a/services/applications.cf b/services/applications.cf
index 84b1938..944b990 100644
--- a/services/applications.cf
+++ b/services/applications.cf
@@ -3,6 +3,7 @@ body file control
inputs => {
"services/applications/bareos_fd.cf",
"services/applications/check_mk.cf",
+ "services/applications/fail2ban.cf",
"services/applications/fcgiwrap.cf",
"services/applications/nagios.cf",
"services/applications/nginx.cf",
diff --git a/services/applications/fail2ban.cf b/services/applications/fail2ban.cf
new file mode 100644
index 0000000..f2a5ff7
--- /dev/null
+++ b/services/applications/fail2ban.cf
@@ -0,0 +1,31 @@
+bundle agent fail2ban
+{
+ files:
+ linux::
+ "/etc/fail2ban/."
+ create => "true",
+ perms => system_owned("755"),
+ classes => if_repaired("fail2ban_folder_repaired");
+ "/etc/fail2ban/jail.local"
+ perms => system_owned("444"),
+ copy_from => local_cp("$(sys.inputdir)/templates/fail2ban/jail.local"),
+ classes => if_repaired("fail2ban_jail_local_repaired");
+ methods:
+ centos::
+ "any" usebundle => install_package("$(this.bundle)", "fail2ban-shorewall");
+ debian|ubuntu::
+ "any" usebundle => install_package("$(this.bundle)", "fail2ban");
+ services:
+ linux::
+ "fail2ban"
+ service_policy => "start",
+ classes => if_repaired("fail2ban_service_repaired");
+ commands:
+ any::
+ "/usr/sbin/service fail2ban restart" classes => if_repaired("fail2ban_service_repaired"), ifvarclass => "fail2ban_jail_local_repaired";
+ reports:
+ any::
+ "$(this.bundle): /etc/fail2ban folder repaired" ifvarclass => "fail2ban_folder_repaired";
+ "$(this.bundle): jail.local repaired" ifvarclass => "fail2ban_jail_local_repaired";
+ "$(this.bundle): fail2ban service repaired" ifvarclass => "fail2ban_service_repaired";
+}
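Review bot: On debian|ubuntu the methods promise `"any" usebundle => install_package("$(this.bundle)", "fail2ban");` installs only fail2ban, while the template this bundle copies in (templates/fail2ban/jail.local, later in this commit) sets `banaction = shorewall` under `[DEFAULT]` for every jail; on CentOS the shorewall glue comes with `fail2ban-shorewall`, but nothing in this bundle ensures shorewall is present on Debian/Ubuntu, so I would expect bans there to fail at action time rather than at policy time unless another bundle installs it. Either add a second promise under `debian|ubuntu::`, `"any" usebundle => install_package("$(this.bundle)", "shorewall");`, or keep `banaction` out of `[DEFAULT]` so hosts without shorewall fall back to the packaged default action. A smaller point: the restart command under `commands:` is promised under `any::` although the file promise that raises `fail2ban_jail_local_repaired` is `linux::` only; promising the command under `linux::` makes the intended scope explicit rather than implied by the ifvarclass.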
diff --git a/services/main.cf b/services/main.cf
index 31e20d5..6a688d4 100644
--- a/services/main.cf
+++ b/services/main.cf
@@ -58,7 +58,8 @@ bundle agent main
{
methods:
linux.!containers::
- "andromeda" usebundle => openvpn;
+ "any" usebundle => fail2ban;
+ "any" usebundle => openvpn;
nagios::
"nagios" usebundle => nagios;
}
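Review bot: The change from `"andromeda" usebundle => openvpn;` to `"any" usebundle => openvpn;` relabels the openvpn promiser, which is unrelated to the fail2ban addition the commit message describes; it would be clearer in its own commit or at least mentioned in the message. The promiser of a methods promise is only a handle, so the openvpn call itself appears unchanged, but a reader of the history will not find this rename under the fail2ban subject. The `bundle agent main` header is outside the hunk.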
diff --git a/templates/fail2ban/jail.local b/templates/fail2ban/jail.local
new file mode 100644
index 0000000..c43a87b
--- /dev/null
+++ b/templates/fail2ban/jail.local
@@ -0,0 +1,11 @@
+###############################################################################
+# \_o< WARNING : This file is being managed by cfengine! >o_/ #
+# ~~~~ ~~~~ #
+###############################################################################
+[DEFAULT]
+ignoreip = 127.0.0.1/8 10.1.0.0/24 37.187.103.36 137.74.173.247 90.85.207.113
+bantime = 3600
+banaction = shorewall
+
+[sshd]
+enabled = true
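Review bot: The `ignoreip` line whitelists a /24 and three public addresses with no indication of what they are, and because it sits under `[DEFAULT]` every one of those sources is exempt from every jail, not just sshd; that scope deserves a comment so a later edit does not drop or widen the list blindly. Suggest a comment above the line along the lines of `# ignoreip: loopback, the <MANAGEMENT-RANGE> LAN and the <ROLE> admin hosts; exempt from all jails` with the real roles filled in (they look like admin or VPN endpoints, but that is a guess from the addresses alone). The `[sshd]` section relies on the packaged jail.conf defaults for port, logpath and maxretry, which is fine but worth a one-line comment since the file says nothing about it.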
diff --git a/update.cf b/update.cf
index 537f145..127e625 100644
--- a/update.cf
+++ b/update.cf
@@ -19,6 +19,7 @@ bundle agent main
".*\.cfg",
".*\.conf",
".*\.json",
+ ".*\.local",
".*\.mustache",
".*\.pl",
".*\.py",
@@ -135,4 +136,4 @@ body classes results(scope, class_prefix)
"$(class_prefix)_error",
"$(class_prefix)_not_kept",
"$(class_prefix)_timeout" };
-} \ No newline at end of file
+}