Puppet Class: fail2ban

Defined in:

manifests/init.pp

Summary

Manage fail2ban

Overview

Examples:

Manage fail2ban and add sshd jail

class { 'fail2ban':
  jails => ['sshd'],
}

Parameters:

• ensure (Enum['present', 'absent']) (defaults to: 'present') —

  Determines presence of fail2ban.

• package_ensure (String) (defaults to: 'present') —

  The ensure property of fail2ban package.

• package_name (String) (defaults to: 'fail2ban-server') —

  The fail2ban package name.

• manage_repo (Boolean) (defaults to: true) —

  Boolean that sets if fail2ban repo is managed. For EL systems this enables management of EPEL repo.

• service_name (String) (defaults to: 'fail2ban') —

  fail2ban service name.

• service_ensure (String) (defaults to: 'running') —

  fail2ban service ensure property.

• service_enable (Boolean) (defaults to: true) —

  fail2ban service enable property.

• service_hasstatus (Boolean) (defaults to: true) —

  fail2ban service hasstatus property.

• service_hasrestart (Boolean) (defaults to: true) —

  fail2ban service hasrestart property.

• config_path (Stdlib::Absolutepath) (defaults to: '/etc/fail2ban/fail2ban.local') —

  Path to fail2ban.local.

• jail_config_path (Stdlib::Absolutepath) (defaults to: '/etc/fail2ban/jail.local') —

  Path to jail.local.

• default_ignoreip (Array[String]) (defaults to: ['127.0.0.1/8']) —

  Global ignoreip value.

• default_bantime (Integer) (defaults to: 600) —

  Global bantime value.

• default_findtime (Integer) (defaults to: 600) —

  Global findtime value.

• default_maxretry (Integer) (defaults to: 5) —

  Global maxretry value.

• logtarget (Variant[Enum['SYSLOG','STDOUT','STDERR'],Stdlib::Absolutepath]) (defaults to: '/var/log/fail2ban.log') —

  Location of logtarget.

• jails (Optional[Variant[Array, Hash]]) (defaults to: undef) —

  Array or Hash of jails. Value is passed to fail2ban::jail defined type.

# File 'manifests/init.pp', line 44

class fail2ban (
  Enum['present', 'absent'] $ensure       = 'present',
  String $package_ensure                  = 'present',
  String $package_name                    = 'fail2ban-server',
  Boolean $manage_repo                    = true,
  String $service_name                    = 'fail2ban',
  String $service_ensure                  = 'running',
  Boolean $service_enable                 = true,
  Boolean $service_hasstatus              = true,
  Boolean $service_hasrestart             = true,
  Stdlib::Absolutepath $config_path       = '/etc/fail2ban/fail2ban.local',
  Stdlib::Absolutepath $jail_config_path  = '/etc/fail2ban/jail.local',
  Array[String] $default_ignoreip         = ['127.0.0.1/8'],
  Integer $default_bantime                = 600,
  Integer $default_findtime               = 600,
  Integer $default_maxretry               = 5,
  Variant[Enum['SYSLOG','STDOUT','STDERR'],Stdlib::Absolutepath]
    $logtarget                            = '/var/log/fail2ban.log',
  Optional[Variant[Array, Hash]] $jails   = undef,
) {

  case $ensure {
    'present': {
      $_package_ensure = $package_ensure
      $_service_ensure = $service_ensure
      $_config_ensure  = 'file'
      $_service_enable = $service_enable
    }
    'absent': {
      $_package_ensure = 'absent'
      $_service_ensure = 'stopped'
      $_config_ensure  = 'absent'
      $_service_enable = false
    }
    default: {}
  }

  contain fail2ban::install
  contain fail2ban::config
  contain fail2ban::service

  if $ensure == 'present' {
    Class['fail2ban::install']
    -> Class['fail2ban::config']
    ~> Class['fail2ban::service']
  } else {
    Class['fail2ban::service']
    -> Class['fail2ban::config']
    -> Class['fail2ban::install']
  }


  if $jails and $ensure == 'present' {
    if $jails =~ Array {
      fail2ban::jail { $jails: }
    } elsif $jails =~ Hash {
      create_resources('fail2ban::jail', $jails)
    }
  }

}