Version information
This version is compatible with:
- Puppet Enterprise 2023.8.x, 2023.7.x, 2023.6.x, 2023.5.x, 2023.4.x, 2023.3.x, 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x
- Puppet >= 7.0.0 < 9.0.0
Start using this module
Add this module to your Puppetfile:
mod 'markt-wforce', '0.4.0'
puppet-wforce
Overview
This module will set up the weakforced Anti-Abuse server, also known as "wforce".
Requirements
- Puppet 7 or higher
- Access to wforce binary packages (either through a subscription or custom builds)
Usage
Beginning with wforce
Basic usage requires only a password for the wforce HTTP server:
class { 'wforce':
  password => 'secretpassword'
}
Furthermore, a number of simple options are available:
class { 'wforce':
  # Add networks to the access control list for the HTTP server.
  acls => [ '172.16.99.0/24', '10.100.200.0/24' ],
  # Change settings of the default databases (or add new databases).
  databases => {
    '24HourDB' => {
      max_size => 750000,
      v4prefix => 24,
    },
    'MyDB' => {
      window_size => 900,
      num_windows => 32,
      max_size    => 500000,
      field_map   => 'default_field_map',
      replication => false,
    },
  },
  # Replicate changes to db and blacklist to these hosts.
  siblings     => [ '10.99.0.1:4001:udp', '10.99.0.2:4001:udp', '10.99.0.3:4001:udp' ],
  siblings_key => 'anothersecretpassword',
  # On startup, try to replicate databases from the following host.
  sync_enable   => true,
  sync_host     => '10.99.0.1',
  sync_password => 'secretpassword',
  sync_uptime   => 3600,
  # Whitelist certain IP networks and hosts to avoid accidental blacklisting.
  whitelist => [ '10.199.0.0/24', '10.222.0.123/32' ],
}
Test wforce
Use cURL to test if wforce is running and accepting authentication requests:
curl -X POST -H "Content-Type: application/json" --data '{"login":"user@example.com", "remote": "10.12.34.56", "pwhash":"1234"}' http://127.0.0.1:8084/?command=allow -u wforce:SECRETPASSWORD
Dovecot integration
Dovecot will use Basic Authentication when communicating with wforce, so we need to generate a base64 encoded authentication string:
echo -n 'wforce:secretpassword' | base64
Next, add the following lines to dovecot.conf and restart dovecot afterwards:
auth_policy_server_url = http://localhost:8084/
auth_policy_hash_nonce = <insert_a_long_random_string_here>
auth_policy_server_api_header = Authorization: Basic <insert_base64_string_here>
auth_policy_server_timeout_msecs = 2000
auth_policy_hash_mech = sha256
auth_policy_request_attributes = login=%{requested_username} pwhash=%{hashed_password} remote=%{rip} device_id=%{client_id} protocol=%s
auth_policy_reject_on_fail = no
auth_policy_hash_truncate = 8
auth_policy_check_before_auth = yes
auth_policy_check_after_auth = yes
auth_policy_report_after_auth = yes
Be sure to check the dovecot log to ensure that dovecot is able to communicate with wforce.
I recommend oxc/puppet-dovecot to manage dovecot.
Custom rules
This module contains the example rules from wforce's source distribution. They are not particularly useful for blocking serious attacks, but they should give you an idea of how wforce works.
Once you want to deploy your own rules, simply override the default ones:
wforce::functions:
  report: |+
    if (lt.success)
    then
      sdb:twAdd(lt.login, "countLogins", 1)
      sdb:twAdd(lt.remote, "countLogins", 1)
    end
...
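To make the time-window semantics behind sdb:twAdd concrete, here is an added Python model (not code from wforce or this module) of a stats DB using the window_size, num_windows and max_size options from MyDB and the v4prefix option from 24HourDB above, paired with a failure-counting report rule and a threshold-based allow rule. The StatsDB class, the MAX_FAILURES threshold and the fake clock are constructed for illustration; the 0/-1 status values follow the convention of wforce's allow command.

```python
from collections import OrderedDict
from ipaddress import ip_address, ip_network

class StatsDB:
    # Toy model of a wforce time-windowed stats DB (constructed for illustration)
    def __init__(self, window_size, num_windows, max_size, v4prefix=32, clock=None):
        self.window_size, self.num_windows, self.max_size = window_size, num_windows, max_size
        self.v4prefix, self.clock = v4prefix, clock
        self.keys = OrderedDict()  # key -> {field: {window_index: count}}

    def _key(self, key):  # IPv4 keys are aggregated to v4prefix, like the 24HourDB option above
        try:
            addr = ip_address(key)
        except ValueError:
            return key  # logins and other strings are used verbatim
        return str(ip_network(f"{addr}/{self.v4prefix}", strict=False).network_address) if addr.version == 4 else key

    def _window(self):
        return int(self.clock()) // self.window_size

    def twAdd(self, key, field, n):
        k = self._key(key)
        if k not in self.keys and len(self.keys) >= self.max_size:
            self.keys.popitem(last=False)  # max_size reached: evict the least recently used key
        self.keys.setdefault(k, {})
        self.keys.move_to_end(k)
        buckets, w = self.keys[k].setdefault(field, {}), self._window()
        buckets[w] = buckets.get(w, 0) + n

    def twGet(self, key, field):
        now = self._window()
        buckets = self.keys.get(self._key(key), {}).get(field, {})
        # only the last num_windows windows count, so old failures expire automatically
        return sum(c for w, c in buckets.items() if now - w < self.num_windows)

CLOCK = {"now": 1_700_000_000}  # fake clock so the example is deterministic
sdb = StatsDB(window_size=900, num_windows=32, max_size=500000, v4prefix=24, clock=lambda: CLOCK["now"])
MAX_FAILURES = 5  # hypothetical threshold, not a wforce default

def report(lt):
    # counts failures (the page's example rule counts successes); lt mirrors the login tuple fields
    if not lt["success"]:
        sdb.twAdd(lt["login"], "failedLogins", 1)
        sdb.twAdd(lt["remote"], "failedLogins", 1)

def allow(lt):
    # 0 = allow, -1 = reject, following the status convention of wforce's allow command
    for key, what in ((lt["remote"], "network"), (lt["login"], "account")):
        if sdb.twGet(key, "failedLogins") >= MAX_FAILURES:
            return -1, f"too many failed logins for this {what}"
    return 0, ""
```

Because of v4prefix 24, failures from 10.12.34.56 also count against 10.12.34.99, and once 32 windows of 900 seconds have passed the counters expire without any cleanup rule.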
Reference
Classes and parameters are documented in REFERENCE.md.
Development
Contributing
Please use the GitHub issues functionality to report any bugs or requests for new features. Feel free to fork and submit pull requests for potential contributions.
Reference
Table of Contents
Classes
Public Classes
wforce
: Install and configure weakforced
Private Classes
wforce::config
: Set up configuration files
wforce::package
: Install packages
wforce::repo
: Set up software repositories
wforce::service
: Manage the system service
Classes
wforce
Install and configure weakforced
Parameters
The following parameters are available in the wforce class:
acls
address
config_file
config_manage
config_mode
config_template
database_defaults
databases
fieldmaps
functions
function_args
group
package_ensure
package_manage
package_name
password
port
repo_manage
service_ensure
service_name
service_manage
siblings
siblings_address
siblings_key
siblings_port
socket_address
socket_port
sync_enable
sync_host
sync_myip
sync_password
sync_port
sync_uptime
use_functions
user
whitelist
acls
Data type: Array
A list of ACLs for the weakforced service.
address
Data type: String
The listen address for the weakforced webserver.
config_file
Data type: String
Path to the configuration file.
config_manage
Data type: Boolean
Whether configuration files should be managed.
config_mode
Data type: String
File mode to be used for config files.
config_template
Data type: String
Specifies the EPP template to use.
database_defaults
Data type: Hash
Default values for database configuration.
databases
Data type: Hash
A list of databases.
fieldmaps
Data type: Hash
A list of fieldmaps.
functions
Data type: Hash
A list of Lua functions (Lua source code).
function_args
Data type: Hash
A list of arguments that are passed to functions.
group
Data type: String
The group under which the service will run.
package_ensure
Data type: String
The desired state of the package resource.
package_manage
Data type: Boolean
Whether package installation/removal should be managed.
package_name
Data type: String
The name of the package.
password
Data type: String
The weakforced API password.
port
Data type: Integer
The weakforced port number.
repo_manage
Data type: Boolean
Whether package repositories should be managed.
service_ensure
Data type: Enum['absent', 'running', 'stopped']
The desired state of the service resource.
service_name
Data type: String
The name of the service.
service_manage
Data type: Boolean
Whether the service should be managed.
siblings
Data type: Array
A list of replication targets.
siblings_address
Data type: String
The replication address of the local service.
siblings_key
Data type: Optional[String]
The credential key used for replication.
Default value: undef
siblings_port
Data type: Integer
The replication port of the local service.
socket_address
Data type: String
The listen address of the control socket.
socket_port
Data type: Integer
The port number of the control socket.
sync_enable
Data type: Boolean
Whether to enable replication of databases from remote servers.
sync_host
Data type: Optional[String]
The source host for database replication.
Default value: undef
sync_myip
Data type: Optional[String]
The IP address of the local instance.
Default value: undef
sync_password
Data type: Optional[String]
The password used for replication.
Default value: undef
sync_port
Data type: Optional[Integer]
The port used for database replication.
Default value: undef
sync_uptime
Data type: Integer
The minimum uptime (in seconds) of a host before replication is considered.
use_functions
Data type: Hash
A list of Lua functions that will be used to handle weakforced commands.
user
Data type: String
The user under which the service will run.
whitelist
Data type: Array
A list of subnets that are allowed to communicate with the weakforced service.
Changelog
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
0.4.0 - 2023-06-28
Added
- Add documentation for all parameters
- Add new dependency: puppetlabs/stdlib
- Add Github Actions
Changed
- Update OS versions and Puppet version
- Convert documentation to Puppet Strings
- Update PDK
0.3.0 - 2022-07-26
Changed
- Update OS versions and Puppet version
- Update PDK from 1.8.0 to 2.5.0
- Fix puppet-lint offenses
Fixed
- Unit test fix
0.2.0 - 2018-12-14
Added
- Support alternative args in Lua functions
Fixed
- Add missing default values
- Fixes and improvements for default Lua functions
0.1.0 - 2018-12-14
Summary
Initial release
Dependencies
- puppetlabs/stdlib (>=6.6.0 <10.0.0)
Copyright (C) 2018 Frank Wall
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.