puppet-fail2ban
Support overriding configuration for default jails
The PR addresses the same issue as #48 but with a slightly more generic approach.
Using a 2-level Hash, it might be possible to override basically any attribute in the template:

```yaml
fail2ban::jails:
  - ssh
  - ssh-ddos
fail2ban::jails_config:
  ssh:
    port: 'ssh,2200'
  ssh-ddos:
    port: 'ssh,2200'
```
Using `lookup()` in templates might not be the best approach, but I can't think of a better alternative. Passing each variable explicitly to the template would generate loads of code. Another option is to write a custom function for checking key existence in the configuration hash (but it doesn't add much to code readability).
Let me know if you're ok with this, so that I'm able to proceed with modifying the rest of the jails.
Dear @deric, thanks for the PR!
This is pccibot, your friendly Vox Pupuli GitHub Bot. I noticed that your pull request contains a merge conflict. Can you please rebase?
You can find my source code at voxpupuli/vox-pupuli-tasks
This.... I was just looking for a way to do this :) Hope it gets merged.
@bastelfreak There's a slight inconsistency in naming. The `sshd` jail is enabled using `ssh`:

```yaml
fail2ban::jails:
  - ssh
```

while for all other jails it seems to match the jail name. I guess this should be kept for backward compatibility?
mmh good question. I guess we should stay backwards compatible. There are no other breaking changes at the moment (sometimes they are needed, but we try to always release a bunch of them).
@deric since you're at it, there's no ssh-ddos on centos 7 either.... (at least none of my installs has it)
@r3pek Yeah, I've noticed. It looks like Debian 8 is the only anomaly with `ssh` and `ssh-ddos` jails (probably with a much older fail2ban version than in other distributions).
It will avoid confusion in the future if we support both names, and the documentation should probably mention just `sshd` and `sshd-ddos`.
any status update on this?
hello? sorry the ping ;)
@deric is this still WIP?
Yes, sorry. I'll try to finish this soon.
sorry the ping guys, any news about this?
Debian 8
- is running on a very old version, 0.8.13; the config file is very different from other distributions
- many jails might be supported, just missing the config section (vsftpd, squid, ...). But it probably doesn't matter since Debian 8 is long past EOL.

Ubuntu 18.04 and 20.04
- `exim` was missing the `enabled` line:

```
enabled = <%= 'exim' in $fail2ban::jails %>
```

Ubuntu 16.04
- `courier-auth` was searching for the `courierauth` key (missing dash) in `$fail2ban::jails` (Debian 8 uses the same, but there the name of the jail is consistent).
- In `postfix-sasl` the jail config key is called `sasl`

CentOS 6, 7, RedHat 8, 8, OpenSuse 15
- `enabled` looked for the `squierrelmail` (typo) config key instead of `squirrelmail`

CentOS 6, 7
- is missing the `mongodb-auth` jail config (should be supported, haven't tested yet)
The config hash `jails_config` currently supports a mixture of Strings and Integers:

```yaml
fail2ban::jails_config:
  ssh:
    port: ssh,2200
  dropbear:
    port:
      - ssh
      - 2201
  selinux-ssh:
    port:
      - 'ssh'
      - '2202'
```

With little extra effort it might be possible to convert the current Array config:

```yaml
fail2ban::jails:
  - ssh
  - ssh-ddos
```

to a Hash:

```yaml
fail2ban::jails:
  ssh:
    port: 22
  nginx-botsearch:
```

while still supporting the old syntax (in order to change ports, converting to a Hash would be necessary).
@bastelfreak, @igalic let me know what you think. Making this change later might be complicated.
For most jails it should be possible to change the port; the remaining ones might be modified in separate PRs. Please squash the commits before merging.
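An added example, written for this page and not taken from the module or this PR, of a per-jail EPP template that reads the two-level `fail2ban::jails_config` hash from the first comment with `dig()` rather than `lookup()`, and normalises the mixed String/Integer/Array `port` values shown in the later comment into the comma-separated form fail2ban expects. The `$default_port` parameter and the template file name are assumptions.

```puppet
<%- | String                                  $jail,
      Array[String]                           $jails        = $fail2ban::jails,
      Hash[String, Hash]                      $jails_config = $fail2ban::jails_config,
      Variant[String, Integer, Array[Variant[String, Integer]]] $default_port = 'ssh',
| -%>
<%-
  # Added example, not the module's own template.
  # dig() returns undef when the jail or the 'port' key is absent from the
  # two-level hash, so the assumed $default_port is used in that case.
  $configured = $jails_config.dig($jail, 'port')
  $port_value = $configured ? {
    undef   => $default_port,
    default => $configured,
  }
  # Accept a String ('ssh,2200'), an Integer (2200) or an Array of either and
  # render one comma-separated list for jail.local.
  $port = $port_value ? {
    Array   => $port_value.map |$p| { String($p) }.join(','),
    default => String($port_value),
  }
-%>
[<%= $jail %>]
enabled = <%= $jail in $jails %>
port    = <%= $port %>
```

Rendered per jail with something like `epp('fail2ban/jail.epp', { 'jail' => 'ssh' })` (assumed path), a jail listed in `fail2ban::jails` but absent from `fail2ban::jails_config` keeps the default port, while `dropbear` above renders `port = ssh,2201`.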
@Dan33l All conflicts have been resolved, could you have a look at it?