Puppet Class: fail2ban

Defined in:
manifests/init.pp

Summary

Manage fail2ban and its configuration to block brute-force attempts against services running on a host.

Overview

fail2ban/manifests/init.pp

  • Copyright (C) 2007 admin@immerda.ch

  • Copyright (C) 2014-2018 gabster@lelutin.ca

Parameters:

  • rm_jail_local (Boolean) (defaults to: true)

    Force removal of file /etc/fail2ban/jail.local if present.

  • purge_jail_dot_d (Boolean) (defaults to: true)

    Remove all unmanaged files in /etc/fail2ban/jail.d/

  • persistent_bans (Boolean) (defaults to: false)

    Write out banned IPs to a file on teardown and restore the bans when fail2ban starts back up. This option is deprecated and will be removed in puppet-fail2ban 4.0.

  • ignoreip (Array[String, 0]) (defaults to: ['127.0.0.1'])

    Default list of IPs or CIDR prefixes that should not get banned.

  • bantime (Integer) (defaults to: 600)

    Default duration, in seconds, for which an IP address is banned.

  • findtime (Integer) (defaults to: 600)

    Default interval during which occurrences of an IP are counted.

  • maxretry (Integer) (defaults to: 3)

    Default number of times an IP must be detected by a filter within findtime for it to get banned.

  • ignorecommand (String) (defaults to: '')

    Default command used to determine if an IP should be exempted from being banned.

  • backend (Fail2ban::Backend) (defaults to: 'auto')

    Default method used to get information from logs.

  • destemail (String) (defaults to: 'root@localhost')

    Default email address used by actions that send out emails.

  • banaction (String) (defaults to: 'iptables-multiport')

    Default action name interpolated into the definitions of some of the default actions.

  • chain (String) (defaults to: 'INPUT')

    Default name of the iptables chain used by iptables-based actions.

  • port (Fail2ban::Port) (defaults to: '0:65535')

    Default comma-separated list of ports, port names or port ranges used by actions when banning an IP.

  • mta (String) (defaults to: 'sendmail')

    Default program name used for sending out email by actions that do so.

  • protocol (Fail2ban::Protocol) (defaults to: 'tcp')

    Default protocol name used by actions.

  • action (String) (defaults to: '%(action_)s')

    Default action called when an IP triggers a filter maxretry times within findtime.

  • usedns (Fail2ban::Usedns) (defaults to: 'warn')

    Default behaviour for whether IPs found in a log by a filter are resolved via DNS.

# File 'manifests/init.pp', line 55

class fail2ban (
  # Options that change how the module behaves
  Boolean            $rm_jail_local    = true,
  Boolean            $purge_jail_dot_d = true,
  Boolean            $persistent_bans  = false,
  # Options for jail.conf
  Array[String, 0]   $ignoreip         = ['127.0.0.1'],
  Integer            $bantime          = 600,
  Integer            $findtime         = 600,
  Integer            $maxretry         = 3,
  String             $ignorecommand    = '',
  Fail2ban::Backend  $backend          = 'auto',
  String             $destemail        = 'root@localhost',
  String             $banaction        = 'iptables-multiport',
  String             $chain            = 'INPUT',
  Fail2ban::Port     $port             = '0:65535',
  String             $mta              = 'sendmail',
  Fail2ban::Protocol $protocol         = 'tcp',
  String             $action           = '%(action_)s',
  Fail2ban::Usedns   $usedns           = 'warn',
) {

  contain fail2ban::install
  contain fail2ban::config
  contain fail2ban::service

  Class['fail2ban::install']
  -> Class['fail2ban::config']
  ~> Class['fail2ban::service']

}
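Example declaration of the class with the defaults tightened for a production host (added here; not part of the module's own documentation). The management prefix 10.0.0.0/8, the notification address and the chosen values are assumptions; 'no' is assumed to be accepted by the module's Fail2ban::Usedns type, as it is by fail2ban itself.

```puppet
# Added example: declare the fail2ban class with hardened defaults.
# Every parameter below is one documented in the class reference above;
# the concrete values are assumptions for illustration.
class { 'fail2ban':
  # Keep jail.local out of the way and purge unmanaged drop-ins so that
  # Puppet is the single source of truth for jail definitions.
  rm_jail_local    => true,
  purge_jail_dot_d => true,
  # Deprecated; leave it off so the upgrade to 4.0 needs no change.
  persistent_bans  => false,

  # Never ban loopback or the (assumed) management network: a lockout of
  # administrators is the most common self-inflicted fail2ban outage.
  ignoreip         => ['127.0.0.1', '10.0.0.0/8'],

  # Ban for an hour instead of the default 10 minutes, but require 5 hits
  # within 10 minutes so a single mistyped password does not trigger a ban.
  bantime          => 3600,
  findtime         => 600,
  maxretry         => 5,

  # Do not resolve attacker IPs: reverse lookups slow banning down and
  # leak scanning activity to DNS the attacker may control.
  usedns           => 'no',

  # Where actions that send mail deliver their reports (assumed address).
  destemail        => 'security@example.com',
  mta              => 'sendmail',

  # Keep the iptables-based defaults; ban on all ports so a host that is
  # brute-forced on SSH is also cut off from every other exposed service.
  banaction        => 'iptables-multiport',
  chain            => 'INPUT',
  port             => '0:65535',
  protocol         => 'tcp',
  action           => '%(action_)s',
}
```

Because the class orders install -> config ~> service, a change to any of these values is written to the configuration and then restarts fail2ban on the next agent run.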