Defined Type: fail2ban::jail

Defined in:
manifests/jail.pp

Overview

Activate or define a fail2ban jail.

All parameters are optional; providing any of them overrides the system-provided defaults in /etc/fail2ban/jail.conf, /etc/fail2ban/jail.local, /etc/fail2ban/fail2ban.conf and /etc/fail2ban/fail2ban.local.

Examples:

To activate a jail that is pre-configured in Fail2ban's jail.conf or jail.local:

::fail2ban::jail {'sshd':}

To activate a pre-configured jail, altering one or more parameters:

::fail2ban::jail {'sshd':
  bantime => 3600,
}

To define a custom jail:

::fail2ban::jail {'myjail':
  port      => 2718,
  filter    => 'myfilter',
  log_path  => '/var/log/myapp/log',
  protocol  => 'tcp',
  maxretry  => 4,
  findtime  => 300,
  action    => '%(action_mw)s',
  banaction => 'iptables-multiport',
  bantime   => 360,
  ignoreip  => ['172.24.8.0/24', 'localhost', 'myserver.com'],
  backend   => 'auto',
}

Parameters:

  • port (Optional[Variant[String, Integer[1,65535]]]) (defaults to: undef)

    The port this jail should manage.

  • filter (Optional[String]) (defaults to: undef)

    The filter to use. Corresponds to a file in /etc/fail2ban/filter.d/*.conf.

  • log_path (Optional[Stdlib::Absolutepath]) (defaults to: undef)

    The log file to examine for this jail, to detect break-in attempts. (Note that the underlying Fail2ban option is 'logpath', but that is a reserved metaparameter name in Puppet.)

  • ensure (Enum['present', 'absent']) (defaults to: present)

    Install or remove the jail.

  • enabled (Boolean) (defaults to: true)

    Enable or disable the jail.

  • protocol (Optional[Enum['udp', 'tcp', 'icmp', 'all']]) (defaults to: undef)

    The protocol to manage for this jail.

  • maxretry (Optional[Integer]) (defaults to: undef)

    The number of tries, within findtime, beyond which the host is considered to be attempting a break-in and is banned.

  • findtime (Optional[Integer]) (defaults to: undef)

    The number of seconds to look back when counting repeat tries.

  • action (Optional[String]) (defaults to: undef)

    A reference to one of the action templates defined in jail.conf or jail.local.

  • banaction (Optional[String]) (defaults to: undef)

    The ban action; a reference to a file in /etc/fail2ban/action.d/*.conf.

  • bantime (Optional[Integer]) (defaults to: undef)

    The number of seconds to ban a host.

  • ignoreip (Array[Variant[IP::Address::NoSubnet, IP::Address::V4::CIDR, String]]) (defaults to: [])

    Hosts to ignore when applying this jail (addresses, CIDR ranges or hostnames).

  • order (Optional[Integer]) (defaults to: undef)

    Jails are applied in ascending order according to this parameter. Only used on Debian 7 (wheezy) and older, where jails are written as fragments of jail.local.

  • backend (Optional[Enum['pyinotify', 'gamin', 'polling', 'systemd', 'auto']]) (defaults to: undef)

    The backend to use for this jail.
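The parameter list above describes the constraints the define enforces and the options that end up in the jail file, but not what the written fragment looks like or how to check a definition before it reaches a host. The following Python script is an added example, not code from the fail2ban module: it models the parameters of fail2ban::jail, validates them the way the type signature does (port range 1-65535, absolute log_path, the protocol and backend enums, ignoreip entries), renders the [name] section using Fail2ban's own option names (log_path becomes logpath, ignoreip becomes a space-separated list), and offers an offline check that an address you administer from is covered by ignoreip. The rendered fragment is an assumed approximation of what the module's jail.erb template writes (the template is not shown on this page), and the Jail class, validate, render and is_ignored helpers are names chosen here.

```python
"""Model, validate and render a fail2ban::jail definition.

Added example, not part of the fail2ban Puppet module. The rendered
fragment approximates what the module's jail.erb template is assumed to
emit for /etc/fail2ban/jail.d/<name>.conf, using Fail2ban's own option
names (the define's log_path maps to Fail2ban's logpath).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Union

PROTOCOLS = {"udp", "tcp", "icmp", "all"}
BACKENDS = {"pyinotify", "gamin", "polling", "systemd", "auto"}


@dataclass
class Jail:
    """One jail, with the same optional parameters as fail2ban::jail."""
    name: str
    port: Optional[Union[str, int]] = None
    filter: Optional[str] = None
    log_path: Optional[str] = None
    enabled: bool = True
    protocol: Optional[str] = None
    maxretry: Optional[int] = None
    findtime: Optional[int] = None
    action: Optional[str] = None
    banaction: Optional[str] = None
    bantime: Optional[int] = None
    ignoreip: List[str] = field(default_factory=list)
    backend: Optional[str] = None


def validate(jail: Jail) -> List[str]:
    """Return the constraint violations the Puppet types would reject."""
    problems = []
    if isinstance(jail.port, int) and not 1 <= jail.port <= 65535:
        problems.append(f"port {jail.port} outside 1-65535")
    if jail.log_path is not None and not jail.log_path.startswith("/"):
        problems.append(f"log_path {jail.log_path!r} is not absolute")
    if jail.protocol is not None and jail.protocol not in PROTOCOLS:
        problems.append(f"protocol {jail.protocol!r} not in {sorted(PROTOCOLS)}")
    if jail.backend is not None and jail.backend not in BACKENDS:
        problems.append(f"backend {jail.backend!r} not in {sorted(BACKENDS)}")
    for key in ("maxretry", "findtime", "bantime"):
        value = getattr(jail, key)
        if value is not None and value < 0:
            problems.append(f"{key} must not be negative")
    for entry in jail.ignoreip:
        # The type accepts a bare address, a CIDR or a hostname string;
        # whitespace would split the space-separated list Fail2ban reads.
        if not entry or any(c.isspace() for c in entry):
            problems.append(f"ignoreip entry {entry!r} is empty or contains whitespace")
    return problems


def render(jail: Jail) -> str:
    """Render the [name] section as Fail2ban reads it from jail.d/<name>.conf."""
    lines = [f"[{jail.name}]", f"enabled = {'true' if jail.enabled else 'false'}"]
    options = [
        ("port", jail.port), ("filter", jail.filter), ("logpath", jail.log_path),
        ("protocol", jail.protocol), ("maxretry", jail.maxretry),
        ("findtime", jail.findtime), ("action", jail.action),
        ("banaction", jail.banaction), ("bantime", jail.bantime),
        ("ignoreip", " ".join(jail.ignoreip) or None), ("backend", jail.backend),
    ]
    for key, value in options:
        if value is not None:  # unset options fall back to jail.conf defaults
            lines.append(f"{key} = {value}")
    return "\n".join(lines) + "\n"


def is_ignored(jail: Jail, address: str) -> bool:
    """True when address falls inside an IP or CIDR ignoreip entry.

    Hostname entries are skipped: resolving them is Fail2ban's job at
    runtime, and this check is meant to run offline before a deploy.
    """
    addr = ipaddress.ip_address(address)
    for entry in jail.ignoreip:
        try:
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # a hostname such as 'localhost' or 'myserver.com'
        if addr in network:
            return True
    return False


# The custom jail from the page's third example (constructed input).
MYJAIL = Jail(
    name="myjail", port=2718, filter="myfilter", log_path="/var/log/myapp/log",
    protocol="tcp", maxretry=4, findtime=300, action="%(action_mw)s",
    banaction="iptables-multiport", bantime=360,
    ignoreip=["172.24.8.0/24", "localhost", "myserver.com"], backend="auto",
)

if __name__ == "__main__":
    print(render(MYJAIL))
```

Running the script prints the fragment for the page's myjail example; calling validate() on a definition before applying the Puppet catalog catches the same mistakes the type signature would reject, and is_ignored() answers the question every operator should ask before enabling a jail on a remote host: is the network I log in from covered by ignoreip, or will a mistyped password lock me out for bantime seconds?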

# File 'manifests/jail.pp', line 46

define fail2ban::jail (
  Optional[Variant[String, Integer[1,65535]]] $port = undef,
  Optional[String]  $filter = undef,
  Optional[Stdlib::Absolutepath] $log_path = undef,
  Enum['present', 'absent'] $ensure    = present,
  Boolean $enabled   = true,
  Optional[Enum['udp', 'tcp', 'icmp', 'all']] $protocol = undef,
  Optional[Integer] $maxretry  = undef,
  Optional[Integer] $findtime  = undef,
  Optional[String]  $action    = undef,
  Optional[String]  $banaction = undef,
  Optional[Integer] $bantime   = undef,
  Array[Variant[IP::Address::NoSubnet, IP::Address::V4::CIDR, String]] $ignoreip = [],
  Optional[Integer] $order     = undef,
  Optional[Enum['pyinotify', 'gamin', 'polling', 'systemd', 'auto']] $backend  = undef,
) {

  include ::fail2ban::config

  # Debian wheezy (7) and older do not use jail.d; jails are appended to
  # jail.local instead. versioncmp() is negative only for releases below 8
  # (a `< 1` comparison would also match a release reported as exactly '8').
  if $::operatingsystem == 'Debian' and versioncmp($::operatingsystemrelease, '8') < 0 {
    if $ensure != present {
      notify {'no_ensure_wheezy':
        message => 'The $ensure parameter cannot be used on Debian 7 or older.',
      }
    }
    concat::fragment { "jail_${name}":
      target  => '/etc/fail2ban/jail.local',
      content => template("${module_name}/jail.erb"),
      order   => $order,
    }
  }
  else {
    if $order {
      notify {'order_only_with_wheezy':
        message => 'The parameter $order makes sense only with Debian 7 or older.',
      }
    }
    # One file per jail; $ensure => absent removes the jail again.
    file { "/etc/fail2ban/jail.d/${name}.conf":
      ensure  => $ensure,
      content => template("${module_name}/jail.erb"),
      owner   => 'root',
      group   => $::fail2ban::config::root_group,
      mode    => '0644',
    }
  }
}