/puppet-fail2ban

Puppet module to manage fail2ban

Puppet module: fail2ban

WARNING WARNING WARNING

This is a fork of the original puppet-fail2ban module, which is no longer maintained.

Some features, especially the integration with modules from the "example42" organization, have been removed to make it easier to see what is relevant.

Getting started

Released under the terms of the Apache 2 License.

USAGE - Basic management

  • All parameters can be set using Hiera. See the manifests to see what can be set.

  • Install fail2ban with default settings. No configuration changes are made, and distro defaults are respected.

      class { 'fail2ban': }
    
  • Configure jails using your own jail.local file

      class { 'fail2ban':
        jails_config => 'file',
        jails_source => 'puppet:///path/to/your/jail.local',
      }
    
  • Configure jails using a template file. An example is provided. In this case, you can enable or disable jails using an array named "jails". See the template "jail.local.erb".

      class { 'fail2ban':
        jails_config   => 'file',
        jails_template => 'fail2ban/jail.local.erb',
        jails          => ['ssh', 'imap'],
      }
    
  • You can configure and set a jail using fail2ban::jail. In this case, stanzas for jail.local are created using R.I.Pienaar's concat module. This method gives you finer control over your jails.

      class { 'fail2ban':
        jails_config   => 'concat',
      }
    
      fail2ban::jail { 'sshd':
        port     => '22',
        logpath  => '/var/log/secure',
        maxretry => '2',
      }
    
  • Install a specific version of fail2ban package

      class { 'fail2ban':
        version => '1.0.1',
      }
    
  • Disable fail2ban service.

      class { 'fail2ban':
        disable => true
      }
    
  • Remove fail2ban package

      class { 'fail2ban':
        absent => true
      }
    
  • Enable auditing without making changes to existing fail2ban configuration files

      class { 'fail2ban':
        audit_only => true
      }
    
  • Module dry-run: Do not make any changes to any of the resources provided by the module

      class { 'fail2ban':
        noops => true
      }
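
The Hiera item and the fail2ban::jail item above can be combined in a wrapper class that declares every jail from one hash. This is an added example, not code from this module: the class name profile::fail2ban and the dovecot jail with its values are assumptions, and it requires Puppet 4 or later for `each` and the `*` splat.

```puppet
# Hypothetical wrapper class; the name is an assumption, not part of the module.
class profile::fail2ban (
  # Jail name => attributes passed to fail2ban::jail. Only port, logpath and
  # maxretry are used, because those are the attributes this README shows.
  Hash[String, Hash] $jails = {
    'sshd'    => {
      'port'     => '22',
      'logpath'  => '/var/log/secure',
      'maxretry' => '2',
    },
    # Constructed sample values for a second jail.
    'dovecot' => {
      'port'     => '143,993',
      'logpath'  => '/var/log/maillog',
      'maxretry' => '5',
    },
  },
) {
  # Build jail.local from fragments, one per fail2ban::jail resource.
  class { 'fail2ban':
    jails_config => 'concat',
  }

  # Declare one jail per hash entry; the splat expands the inner hash
  # into resource attributes.
  $jails.each |String $jail_name, Hash $params| {
    fail2ban::jail { $jail_name:
      * => $params,
    }
  }
}
```

Setting the key `profile::fail2ban::jails` in Hiera replaces the default hash, so the jail list can differ per node without editing the manifest.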
    

USAGE - Overrides and Customizations

  • Use custom sources for main config file

      class { 'fail2ban':
        source => [
          "puppet:///modules/example42/fail2ban/fail2ban.local-${hostname}",
          "puppet:///modules/example42/fail2ban/fail2ban.local",
        ],
      }
    
  • Use custom source directory for the whole configuration dir

      class { 'fail2ban':
        source_dir       => 'puppet:///modules/example42/fail2ban/conf/',
        source_dir_purge => false, # Set to true to purge any existing file not present in $source_dir
      }
    
  • Use custom template for main config file. Note that the template and source arguments are alternatives: use one or the other. In this new version, and following fail2ban recommendations, fail2ban.conf is left untouched and fail2ban.local is created instead, overriding parameters.

      class { 'fail2ban':
        template => 'example42/fail2ban/fail2ban.local.erb',
      }