From b5de62baf8703d3597edd5e2bf7a7212c7d41a05 Mon Sep 17 00:00:00 2001
From: Julien Dessaux
Date: Wed, 2 May 2018 13:41:00 +0200
Subject: Added fail2ban support for sshd on linux

---
 services/applications.cf | 1 +
 services/applications/fail2ban.cf | 31 +++++++++++++++++++++++++++++++
 services/main.cf | 3 ++-
 templates/fail2ban/jail.local | 11 +++++++++++
 update.cf | 3 ++-
 5 files changed, 47 insertions(+), 2 deletions(-)
 create mode 100644 services/applications/fail2ban.cf
 create mode 100644 templates/fail2ban/jail.local

diff --git a/services/applications.cf b/services/applications.cf
index 84b1938..944b990 100644
--- a/services/applications.cf
+++ b/services/applications.cf
@@ -3,6 +3,7 @@ body file control
 inputs => {
 "services/applications/bareos_fd.cf",
 "services/applications/check_mk.cf",
+ "services/applications/fail2ban.cf",
 "services/applications/fcgiwrap.cf",
 "services/applications/nagios.cf",
 "services/applications/nginx.cf",
diff --git a/services/applications/fail2ban.cf b/services/applications/fail2ban.cf
new file mode 100644
index 0000000..f2a5ff7
--- /dev/null
+++ b/services/applications/fail2ban.cf
@@ -0,0 +1,31 @@
+bundle agent fail2ban
+{
+ files:
+ linux::
+ "/etc/fail2ban/."
+ create => "true",
+ perms => system_owned("755"),
+ classes => if_repaired("fail2ban_folder_repaired");
+ "/etc/fail2ban/jail.local"
+ perms => system_owned("444"),
+ copy_from => local_cp("$(sys.inputdir)/templates/fail2ban/jail.local"),
+ classes => if_repaired("fail2ban_jail_local_repaired");
+ methods:
+ centos::
+ "any" usebundle => install_package("$(this.bundle)", "fail2ban-shorewall");
+ debian|ubuntu::
+ "any" usebundle => install_package("$(this.bundle)", "fail2ban");
+ services:
+ linux::
+ "fail2ban"
+ service_policy => "start",
+ classes => if_repaired("fail2ban_service_repaired");
+ commands:
+ any::
+ "/usr/sbin/service fail2ban restart" classes => if_repaired("fail2ban_service_repaired"), ifvarclass => "fail2ban_jail_local_repaired";
+ reports:
+ any::
+ "$(this.bundle): /etc/fail2ban folder repaired" ifvarclass => "fail2ban_folder_repaired";
+ "$(this.bundle): jail.local repaired" ifvarclass => "fail2ban_jail_local_repaired";
+ "$(this.bundle): fail2ban service repaired" ifvarclass => "fail2ban_service_repaired";
+}
diff --git a/services/main.cf b/services/main.cf
index 31e20d5..6a688d4 100644
--- a/services/main.cf
+++ b/services/main.cf
@@ -58,7 +58,8 @@ bundle agent main
 {
 methods:
 linux.!containers::
- "andromeda" usebundle => openvpn;
+ "any" usebundle => fail2ban;
+ "any" usebundle => openvpn;
 nagios::
 "nagios" usebundle => nagios;
 }
diff --git a/templates/fail2ban/jail.local b/templates/fail2ban/jail.local
new file mode 100644
index 0000000..c43a87b
--- /dev/null
+++ b/templates/fail2ban/jail.local
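Review bot: The `services:` promise only asks for `service_policy => "start"`, so nothing in this bundle says whether fail2ban is enabled at boot; Debian's package normally enables it on install, but I would not assume that for the CentOS `fail2ban-shorewall` path, so either confirm the package does it or add an explicit enable (`service_policy => "enable"` if this masterfiles version's standard library supports it). The restart in `commands:` is correctly gated on `fail2ban_jail_local_repaired`, but it sits under `any::` with a hard-coded `/usr/sbin/service` while the rest of the bundle is `linux::`; on a distro where `service` lives only in `/sbin` that promise would fail on every jail.local change, so guard it with `linux::` and resolve the path per platform (or use `fail2ban-client reload`, which also avoids a full restart). A short comment above the `"/etc/fail2ban/."` promise, e.g. `# files: run before methods: in normal ordering, so the directory and jail.local are laid down before the package is installed on the first run - intended`, would save the next reader from treating that as a bug.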
@@ -0,0 +1,11 @@
+###############################################################################
+# \_o< WARNING : This file is being managed by cfengine! >o_/ #
+# ~~~~ ~~~~ #
+###############################################################################
+[DEFAULT]
+ignoreip = 127.0.0.1/8 10.1.0.0/24 37.187.103.36 137.74.173.247 90.85.207.113
+bantime = 3600
+banaction = shorewall
+
+[sshd]
+enabled = true
diff --git a/update.cf b/update.cf
index 537f145..127e625 100644
--- a/update.cf
+++ b/update.cf
@@ -19,6 +19,7 @@ bundle agent main
 ".*\.cfg",
 ".*\.conf",
 ".*\.json",
+ ".*\.local",
 ".*\.mustache",
 ".*\.pl",
 ".*\.py",
@@ -135,4 +136,4 @@ body classes results(scope, class_prefix)
 "$(class_prefix)_error",
 "$(class_prefix)_not_kept",
 "$(class_prefix)_timeout" };
-}
\ No newline at end of file
+}
--
cgit v1.2.3
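Review bot: `banaction = shorewall` under `[DEFAULT]` applies to every linux host that receives this template, but only the CentOS branch of the bundle installs `fail2ban-shorewall`; the Debian/Ubuntu branch installs plain `fail2ban`, which as far as I recall ships the shorewall action definition but needs a working shorewall install to actually drop packets, so unless another bundle guarantees shorewall on all of those hosts the ban fails in the action step and sshd stays unprotected while the service reports as running. Either make the action per-distro (a second template, or `banaction = iptables-multiport` where shorewall is absent) or have the bundle install and manage shorewall next to fail2ban. The `ignoreip` line hard-codes three public addresses beside the local ranges with no hint of what they are; a comment such as `# admin/monitoring egress addresses - never ban these; keep in sync with the firewall allow-list` would stop someone trimming it. The jail also relies on the upstream `maxretry`/`findtime` defaults, so a one-line comment stating the intended policy (e.g. `# 5 failures in 10 min -> 1h ban`, checked against the installed version's jail.conf) would make the ban policy reviewable from this file alone.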