Puppet Class: fail2ban

Defined in:
manifests/init.pp

Overview

Class fail2ban. Install and configure the fail2ban service. The parameters to this class provide defaults for the entire system (via /etc/fail2ban/fail2ban.local) or defaults for all jails (via /etc/fail2ban/jail.local).

Examples:

Declaring the class

include fail2ban

Parameters:

  • package_name (String) (defaults to: 'fail2ban')

    The package name to install.

  • package_ensure (String) (defaults to: 'latest')

    The version number, 'present', 'installed', 'absent', or 'latest'.

  • log_level (Optional[Enum['CRITICAL', 'ERROR', 'WARNING', 'NOTICE', 'INFO', 'DEBUG']]) (defaults to: undef)

    The log level for fail2ban's own logging.

  • logtarget (Optional[Variant[Stdlib::Absolutepath, Enum['STDOUT', 'STDERR', 'SYSLOG']]]) (defaults to: undef)

    The target to which fail2ban's own logging is sent.

  • syslogsocket (Optional[String]) (defaults to: undef)

    The socket belonging to syslogd.

  • socket (Optional[String]) (defaults to: undef)

    Fail2ban's own socket.

  • pidfile (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    Fail2ban's pidfile.

  • dbfile (Optional[Variant[Enum[':memory:', 'None'],Stdlib::Absolutepath]]) (defaults to: undef)

    The file in which fail2ban stores its persistent database.

  • dbpurgeage (Optional[Integer]) (defaults to: undef)

    The time, in seconds, after which db entries will be purged.

  • bantime (Optional[Integer]) (defaults to: undef)

    The time, in seconds, for which offending hosts will be banned.

  • findtime (Optional[Integer]) (defaults to: undef)

    The time, in seconds, to look back in the logfile to catch repeated attempts.

  • maxretry (Optional[Integer]) (defaults to: undef)

    The maximum number of retries permitted from the same host before triggering an action.

  • backend (Optional[Enum['pyinotify', 'gamin', 'polling', 'systemd', 'auto']]) (defaults to: undef)

    The backend to use.

  • destemail (Optional[String]) (defaults to: undef)

    The email address to which to send reports.

  • email_sender (Optional[String]) (defaults to: undef)

    The sender to use as the return address of sent e-mail.

  • mta (Optional[String]) (defaults to: undef)

    The mail transport agent to use.

  • chain (String) (defaults to: 'FAIL2BAN')

    The chain into which fail2ban places the jumps to the individual chains belonging to each fail2ban jail.

  • protocol (Optional[Enum['udp', 'tcp', 'icmp', 'all']]) (defaults to: undef)

    The protocol to monitor.

  • banaction (Optional[String]) (defaults to: undef)

    The specific ban action to take.

  • ignoreip (Optional[Array[Variant[IP::Address::NoSubnet, IP::Address::V4::CIDR, String]]]) (defaults to: undef)

    Hosts to ignore when applying a jail.

  • action (Optional[String]) (defaults to: undef)

    A reference to one of the action templates defined in jail.conf or jail.local.

  • usedns (Optional[Enum['yes', 'no', 'warn']]) (defaults to: undef)

    Whether to use reverse DNS in checking and reporting break-in attempts.

  • purge_jail_directory (Boolean) (defaults to: true)

    Whether to remove unmanaged entries from Fail2ban's jail directory.

  • root_group (String) (defaults to: $::operatingsystem)

    The group owner of system files. The default is selected from $::operatingsystem: 'wheel' on FreeBSD and OpenBSD, 'root' elsewhere.
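
A resource-like declaration that sets the jail-wide defaults explicitly, shown as an added example (not part of the module's own documentation). It uses only the parameters listed above; every value, including the addresses (taken from the documentation ranges), is constructed for illustration, and the comment on package_ensure assumes the value is passed to the package resource's ensure attribute.

```puppet
# Added example: all values below are constructed, not module defaults.
class { 'fail2ban':
  # Assumption: passed through to the package resource. 'present' keeps
  # agent runs from upgrading the package unreviewed, which the default
  # 'latest' would do.
  package_ensure       => 'present',

  # fail2ban's own logging: keep ban/unban events in a file that can be
  # shipped to central logging.
  log_level            => 'INFO',
  logtarget            => '/var/log/fail2ban.log',

  # Ban a host for one hour after 5 failures seen within 10 minutes.
  # All three parameters are Integers; the times are in seconds.
  bantime              => 3600,
  findtime             => 600,
  maxretry             => 5,

  # Keep database entries at least as long as bantime so that active
  # bans are not purged early.
  dbpurgeage           => 86400,

  # Do not depend on reverse DNS when checking and reporting hosts.
  usedns               => 'no',

  # Hosts that are never banned. Keep this list as narrow as possible:
  # every entry is a source that the jails will not act on.
  ignoreip             => ['127.0.0.1', '192.0.2.10', '198.51.100.0/24'],

  # Remove jail files that Puppet does not manage, so a jail dropped in
  # by hand cannot silently change behaviour (this is the default).
  purge_jail_directory => true,
}
```

A class can be declared resource-like only once per catalog; the same values can instead be supplied through Hiera keys such as fail2ban::bantime and the class loaded with include fail2ban.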



# File 'manifests/init.pp', line 34

class fail2ban (
  String $package_name                   = 'fail2ban',
  String $package_ensure                 = 'latest',
  Optional[Array[Variant[IP::Address::NoSubnet, IP::Address::V4::CIDR, String]]] $ignoreip = undef,

  Optional[Enum['CRITICAL', 'ERROR',
                'WARNING', 'NOTICE',
                'INFO', 'DEBUG']] $log_level = undef,
  Optional[Variant[Stdlib::Absolutepath, Enum['STDOUT', 'STDERR',
                'SYSLOG']]] $logtarget = undef,
  Optional[String] $syslogsocket = undef,
  Optional[String] $socket = undef,
  Optional[Stdlib::Absolutepath] $pidfile = undef,
  Optional[Variant[Enum[':memory:', 'None'],Stdlib::Absolutepath]] $dbfile = undef,
  Optional[Integer] $dbpurgeage = undef,
  Optional[Integer] $bantime    = undef,
  Optional[Integer] $findtime   = undef,
  Optional[Integer] $maxretry   = undef,
  Optional[Enum['pyinotify', 'gamin', 'polling', 'systemd', 'auto']] $backend      = undef,
  Optional[String] $destemail            = undef,
  Optional[String] $email_sender         = undef,
  Optional[String] $mta                  = undef,
  String           $chain                = 'FAIL2BAN',
  Optional[Enum['udp', 'tcp', 'icmp', 'all']] $protocol          = undef,
  Optional[String] $banaction             = undef,
  Optional[String] $action                = undef,
  Optional[Enum['yes', 'no', 'warn']] $usedns = undef,
  Boolean $purge_jail_directory          = true,
  String $root_group                     =  $::operatingsystem ? {
    /(?i:FreeBSD|OpenBSD)/ => 'wheel',
    default                => 'root',
  }
  ) {

  contain ::fail2ban::install
  contain ::fail2ban::config
  contain ::fail2ban::service

  Class['::fail2ban::install'] ->
  Class['::fail2ban::config'] ~>
  Class['::fail2ban::service']

}