Set up fail2ban for nginx, move IPFS gateway to proxy role

cookbooks/fail2ban/templates/fail2ban.conf.erb

@@ -0,0 +1,60 @@
+# DO NOT EDIT - This file is being maintained by Chef Infra
+
+# Fail2Ban main configuration file
+#
+# Comments: use '#' for comment lines and ';' (following a space) for inline comments
+
+[Definition]
+
+# Option: loglevel
+# Notes.: Set the log level output.
+#         CRITICAL
+#         ERROR
+#         WARNING
+#         NOTICE
+#         INFO
+#         DEBUG
+# Values: [ LEVEL ]  Default: ERROR
+loglevel = <%= node['fail2ban']['loglevel'] %>
+
+# Option: logtarget
+# Notes.: Set the log target. This could be a file, SYSLOG, STDERR or STDOUT.
+#         Only one log target can be specified.
+#         If you change logtarget from the default value and you are
+#         using logrotate -- also adjust or disable rotation in the
+#         corresponding configuration file
+#         (e.g. /etc/logrotate.d/fail2ban on Debian systems)
+# Values: [ STDOUT | STDERR | SYSLOG | FILE ]  Default: STDERR
+logtarget = <%= node['fail2ban']['logtarget'] %>
+
+# Option: syslogsocket
+# Notes: Set the syslog socket file. Only used when logtarget is SYSLOG
+#        auto uses platform.system() to determine predefined paths
+# Values: [ auto | FILE ]  Default: auto
+syslogsocket = <%= node['fail2ban']['syslogsocket'] %>
+
+# Option: socket
+# Notes.: Set the socket file. This is used to communicate with the daemon. Do
+#         not remove this file when Fail2ban runs. It will not be possible to
+#         communicate with the server afterwards.
+# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.sock
+socket = <%= node['fail2ban']['socket'] %>
+
+# Option: pidfile
+# Notes.: Set the PID file. This is used to store the process ID of the
+#         fail2ban server.
+# Values: [ FILE ]  Default: /var/run/fail2ban/fail2ban.pid
+pidfile = <%= node['fail2ban']['pidfile'] %>
+
+# Options: dbfile
+# Notes.: Set the file for the fail2ban persistent data to be stored.
+#         A value of ":memory:" means database is only stored in memory
+#         and data is lost when fail2ban is stopped.
+#         A value of "None" disables the database.
+# Values: [ None :memory: FILE ] Default: /var/lib/fail2ban/fail2ban.sqlite3
+dbfile = <%= node['fail2ban']['dbfile'] %>
+
+# Options: dbpurgeage
+# Notes.: Sets age at which bans should be purged from the database
+# Values: [ SECONDS ] Default: 86400 (24hours)
+dbpurgeage = <%= node['fail2ban']['dbpurgeage'] %>

cookbooks/fail2ban/templates/filter.conf.erb

@@ -0,0 +1,7 @@
+# DO NOT EDIT - This file is being maintained by Chef Infra
+[Definition]
+
+failregex = <%= @failregex.join("\n            ") %>
+
+ignoreregex = <%= @ignoreregex.join("\n              ") %>
+

cookbooks/fail2ban/templates/filter.erb

@@ -0,0 +1,5 @@
+# DO NOT EDIT - This file is being maintained by Chef Infra
+
+[Definition]
+failregex = <%= Array(@failregex).join("\n            ") %>
+ignoreregex = <%= Array(@ignoreregex).join("\n              ") %>

cookbooks/fail2ban/templates/jail.conf.erb

@@ -0,0 +1,116 @@
+# DO NOT EDIT - This file is being maintained by Chef Infra
+
+# Fail2Ban configuration file.
+#
+# The configuration here inherits from /etc/fail2ban/jail.conf. Any setting
+# omitted here will take it's value from that file
+#
+# Author: Yaroslav O. Halchenko <debian@onerussian.com>
+#
+#
+
+# The DEFAULT allows a global definition of the options. They can be overridden
+# in each jail afterwards.
+
+[DEFAULT]
+
+# "ignoreip" can be an IP address, a CIDR mask or a DNS host
+ignoreip = <%= node['fail2ban']['ignoreip']  %>
+findtime = <%= node['fail2ban']['findtime'] %>
+bantime  = <%= node['fail2ban']['bantime'] %>
+maxretry = <%= node['fail2ban']['maxretry'] %>
+
+# "backend" specifies the backend used to get files modification. Available
+# options are "gamin", "polling" and "auto".
+# yoh: For some reason Debian shipped python-gamin didn't work as expected
+#      This issue left ToDo, so polling is default backend for now
+backend = <%= node['fail2ban']['backend'] %>
+
+#
+# Destination email address used solely for the interpolations in
+# jail.{conf,local} configuration files.
+destemail = <%= node['fail2ban']['email'] %>
+
+#
+# Name of the sender for mta actions
+sendername = <%= node['fail2ban']['sendername'] %>
+
+#
+# ACTIONS
+#
+
+# Default banning action (e.g. iptables, iptables-new,
+# iptables-multiport, shorewall, etc) It is used to define
+# action_* variables. Can be overridden globally or per
+# section within jail.local file
+banaction = <%= node['fail2ban']['banaction'] %>
+
+# email action. Since 0.8.1 upstream fail2ban uses sendmail
+# MTA for the mailing. Change mta configuration parameter to mail
+# if you want to revert to conventional 'mail'.
+mta = <%= node['fail2ban']['mta'] %>
+
+# Default protocol
+protocol = <%= node['fail2ban']['protocol'] %>
+
+# Specify chain where jumps would need to be added in iptables-* actions
+chain = <%= node['fail2ban']['chain'] %>
+
+#
+# Action shortcuts. To be used to define action parameter
+
+# The simplest action to take: ban only
+action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+
+# ban & send an e-mail with whois report to the destemail.
+action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
+
+# ban & send an e-mail with whois report and relevant log lines
+# to the destemail.
+action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
+
+<% if @slack_webhook %>
+action_with_slack_notification = %(banaction)s[name=%(__name__)s, bantime="%(bantime)s", port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+                                 slack[name=%(__name__)s]
+<% end %>
+
+# Choose default action.  To change, just override value of 'action' with the
+# interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
+# globally (section [DEFAULT]) or per specific section
+action = %(<%= @slack_webhook ? 'action_with_slack_notification' : node['fail2ban']['action'] %>)s
+
+#
+# JAILS
+#
+
+# Next jails can inherit from the configuration in /etc/fail2ban/jail.conf.
+# Enable any defined in that file jail by including
+#
+# [SECTION_NAME]
+# enabled = true
+#
+# Optionally you may override any other parameter (e.g. banaction,
+# action, port, logpath, etc) in that section within jail.local
+
+
+<% @node['fail2ban']['services'].each do |service, param| %>
+[<%= service %>]
+
+enabled = <%= param['enabled'] %>
+<% %w{ port filter logpath findtime bantime maxretry protocol banaction backend ignorecommand }.each do |key| %>
+<% if param[key] %>
+<%=key%> = <%= param[key] %>
+<% end %>
+<% end %>
+<% if param['action'] %>
+<% if param['action'] =~ /action_/ %>
+action = %(<%= param['action'] %>)s
+<% else %>
+action = <%= param['action'] %>
+<% end %>
+<% end %>
+
+<% end %>
+

cookbooks/fail2ban/templates/jail.erb

@@ -0,0 +1,23 @@
+# DO NOT EDIT - This file is being maintained by Chef Infra
+
+[<%= @name %>]
+enabled = true
+<% if @protocol -%>
+protocol = <%= @protocol %>
+<% end -%>
+<% unless @ports.empty? -%>
+port = <%= @ports.join(",") %>
+<% end -%>
+filter = <%= @filter %>
+<% if @logpath -%>
+logpath = <%= @logpath %>
+<% end -%>
+<% if @maxretry -%>
+maxretry = <%= @maxretry %>
+<% end -%>
+<% if @ignoreips -%>
+ignoreip = <%= @ignoreips.sort.join(" ") %>
+<% end -%>
+<% if @bantime -%>
+bantime = <%= @bantime %>
+<% end -%>

cookbooks/fail2ban/templates/slack.conf.erb

@@ -0,0 +1,4 @@
+[Definition]
+
+actionban = /bin/bash /etc/fail2ban/slack_notify.sh "Banned _country_ <ip> in the jail <name> after <failures> attempts" "<ip>" > /dev/null 2>&1
+actionunban = /bin/bash /etc/fail2ban/slack_notify.sh "Unbanned _country_ <ip> in the jail <name>" "<ip>" > /dev/null 2>&1

cookbooks/fail2ban/templates/slack_notify.sh.erb

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# message first command argument
+MESSAGE=$1
+HOOK_URL=<%= @slack_webhook %>
+HOST=$(hostname)
+
+CHANNEL="#<%= @slack_channel %>"
+USERNAME="fail2ban"
+ICON=":cop:"
+
+# ip second command argument
+IP=$2
+# lets find out from what country we have our hacker
+COUNTRY=$(curl ipinfo.io/${IP}/country)
+# converting country to lover case. I love you bash script =\
+COUNTRY=$(echo "$COUNTRY" | tr -s  '[:upper:]'  '[:lower:]')
+# slack emoji
+COUNTRY=":flag-$COUNTRY:"
+
+# replace _country_ template to the country emoji
+MESSAGE="${MESSAGE/_country_/$COUNTRY}"
+
+curl -X POST --data-urlencode "payload={\"channel\": \"${CHANNEL}\", \"username\": \"${USERNAME}\", \"text\": \"[${HOST}] ${MESSAGE}\", \"icon_emoji\": \"${ICON}\"}" ${HOOK_URL}
+
+exit 0