class exim::mx inherits exim {
include clamav
include postgrey
+ include fail2ban::exim
file { '/etc/exim4/ccTLD.txt':
source => 'puppet:///modules/exim/common/ccTLD.txt',
--- /dev/null
+#
+
+[INCLUDES]
+before = exim-common.conf
+
+[Definition]
+failregex = ^%(pid)s SMTP protocol error in "AUTH LOGIN" .* \[<HOST>\] AUTH command used when not advertised$
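Review bot: The failregex matches only the literal `"AUTH LOGIN"`, so the same exim "AUTH command used when not advertised" message for any other mechanism (AUTH PLAIN being the obvious one) is never counted toward a ban; if that is deliberate, say so in the empty `#` header line, otherwise `failregex = ^%(pid)s SMTP protocol error in "AUTH (?:LOGIN|PLAIN)" .* \[<HOST>\] AUTH command used when not advertised$` would cover both. The `%(pid)s` reference is only resolved because `before = exim-common.conf` pulls in the upstream definitions, which is worth a comment: `# %(pid)s comes from exim-common.conf, included via [INCLUDES] before`. Filters usually also carry an explicit `ignoreregex =` so a reader knows nothing is being whitelisted.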
--- /dev/null
+[dsa-exim]
+enabled = true
+filter = dsa-exim
+port = smtp,ssmtp
+logpath = /var/log/exim4/mainlog
+maxretry = 4
+# action = %(action_mwl)s
+# destemail = root-fail2ban@$DOMAIN
+bantime = 3600
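Review bot: The commented-out `destemail = root-fail2ban@$DOMAIN` uses a shell-style `$DOMAIN`, which fail2ban's INI interpolation (`%(name)s`) does not expand, so uncommenting it as-is would send notifications to a literal address; rewrite it as an obvious placeholder, e.g. `# destemail = root-fail2ban@<mail-domain>  (fill in before enabling action_mwl)`. No `findtime` is set, so the fail2ban default window applies to `maxretry = 4` — presumably intended, but stating it explicitly (`findtime = 600`) keeps the jail self-describing. A one-line header such as `# Puppet-managed (fail2ban/jail/dsa-exim.conf): bans hosts sending AUTH when it was not advertised` would tell an operator where the file comes from and what it reacts to.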
--- /dev/null
+class fail2ban::exim inherits fail2ban {
+ file { '/etc/fail2ban/filter.d/dsa-exim.conf':
+ source => 'puppet:///modules/fail2ban/filter/dsa-exim.conf',
+ notify => Service['fail2ban'],
+ }
+ file { '/etc/fail2ban/jail.d/dsa-exim.conf':
+ source => 'puppet:///modules/fail2ban/jail/dsa-exim.conf',
+ notify => Service['fail2ban'],
+ }
+}
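Review bot: Both `file` resources notify `Service['fail2ban']` but nothing orders them after `Package['fail2ban']`, and `inherits fail2ban` does not create resource ordering, so on a fresh host Puppet may try to write into `/etc/fail2ban/filter.d` and `/etc/fail2ban/jail.d` before the package has created them; add `require => Package['fail2ban'],` to each of the two resources. Using `inherits fail2ban` solely to pull in the base class is the pattern the `exim::mx` class in this change also uses, but `include fail2ban` would express the intent without granting override permission on the parent's resources. A short class comment, e.g. `# Exim-specific fail2ban filter and jail; the base fail2ban class installs and runs the service`, would make the relationship explicit.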
--- /dev/null
+class fail2ban {
+ package { 'fail2ban':
+ ensure => installed,
+ }
+
+ service { 'fail2ban':
+ ensure => running,
+ }
+
+ @ferm::conf { 'f2b':
+ content => @(EOF),
+ @hook post "type fail2ban-client > /dev/null && (fail2ban-client ping > /dev/null && fail2ban-client reload > /dev/null ) || true";
+ @hook flush "type fail2ban-client > /dev/null && (fail2ban-client ping > /dev/null && fail2ban-client reload > /dev/null ) || true";
+ | EOF
+ }
+
+}
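Review bot: The `service { 'fail2ban': }` resource does not depend on the package and does not set `enable`, so the first run can try to start a service that is not installed yet and nothing guarantees it comes back after a reboot; change it to `ensure => running,` `enable => true,` `require => Package['fail2ban'],`. The two `@hook` lines reload fail2ban whenever ferm rewrites the ruleset, which I read as re-applying fail2ban's chains after a flush — that reasoning belongs in the heredoc as a ferm comment, e.g. `# reload fail2ban after ferm (re)writes the ruleset so its chains are re-created`, since a future maintainer may otherwise drop the hooks as redundant. `@ferm::conf { 'f2b': }` is a virtual resource and will have no effect unless it is realized elsewhere, which this change does not show; a comment naming where that happens (or switching to a concrete resource) would avoid the silent no-op.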