fail2ban: lint fixes
[mirror/dsa-puppet.git] / modules / fail2ban / manifests / init.pp
index f97bc48..b85b009 100644 (file)
@@ -1,3 +1,7 @@
+# fail2ban setup
+#
+# Checks that are only used on particular systems are defined elsewhere,
+# generally in subclasses.
 class fail2ban {
        package { 'fail2ban':
                ensure => installed,
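Review bot: The new header comment says where system-specific checks live but not what this class itself manages, so a reader still has to scan the whole body to learn its scope. Since the same commit adds the default jail drop-in, the ferm chain and the cron purge, a second paragraph such as `# Installs the package, ships jail.d/dsa-00-default.conf, creates the dsa-f2b ferm chain (jumped to from INPUT) and adds a cron job that purges and vacuums the fail2ban sqlite database.` would document the class from the header alone. The word "subclasses" is also slightly loose for Puppet; "classes that include fail2ban" is presumably what is meant, though that depends on how the other manifests are organised. The class body continues in the next hunk and past the end of the visible diff.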
@@ -7,18 +11,39 @@ class fail2ban {
                ensure  => running,
        }
 
-       @ferm::conf { 'f2b':
+       file { '/etc/fail2ban/jail.d/dsa-00-default.conf':
+               source => 'puppet:///modules/fail2ban/jail/dsa-00-default.conf',
+               notify => Service['fail2ban'],
+       }
+
+       ferm::conf { 'f2b':
                content  => @(EOF),
                                @hook post  "type fail2ban-client > /dev/null && (fail2ban-client ping > /dev/null && fail2ban-client reload > /dev/null ) || true";
                                @hook flush "type fail2ban-client > /dev/null && (fail2ban-client ping > /dev/null && fail2ban-client reload > /dev/null ) || true";
                                | EOF
        }
 
+       ferm::rule { 'dsa-f2b-setup1':
+               prio        => '005',
+               description => 'f2b master rule',
+               chain       => 'dsa-f2b',
+               domain      => '(ip ip6)',
+               rule        => '',
+               notarule    => true,
+       }
+       ferm::rule { 'dsa-f2b-setup2':
+               prio        => '005',
+               description => 'f2b master rule',
+               chain       => 'INPUT',
+               domain      => '(ip ip6)',
+               rule        => 'jump dsa-f2b',
+       }
+
        # XXX Maybe this will be automatically done in buster, it is certainly needed in stretch. So maybe:  versioncmp($::lsbmajdistrelease, '9') <= 0
-       concat::fragment { 'dsa-puppet-stuff--fail2ban-cleanup':
-               target => '/etc/cron.d/dsa-puppet-stuff',
-               content  => @(EOF)
-                       17 * * * * root python3 -c "import sys, logging; logging.basicConfig(stream=sys.stdout, level=logging.INFO); from fail2ban.server.database import Fail2BanDb; db = Fail2BanDb('/var/lib/fail2ban/fail2ban.sqlite3'); db.purge(); db._db.cursor().execute('VACUUM')"
+       concat::fragment { 'puppet-crontab--fail2ban-cleanup':
+               target  => '/etc/cron.d/puppet-crontab',
+               content => @(EOF)
+                       17 * * * * root chronic python3 -c "import sys, logging; logging.basicConfig(stream=sys.stdout, level=logging.INFO); from fail2ban.server.database import Fail2BanDb; db = Fail2BanDb('/var/lib/fail2ban/fail2ban.sqlite3'); db.purge(); db._db.cursor().execute('VACUUM')"
                        | EOF
        }