#
# Cookbook:: fail2ban
# Attributes:: default
#
# Copyright:: 2013-2018, Chef Software, Inc.
#
# Licensed under the Apache License, Version 2.0 (the 'License');
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an 'AS IS' BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# fail2ban.conf configuration options
#
# Daemon-level settings rendered into fail2ban.conf. They are assigned through
# one hash so the complete set of daemon options is visible at a glance; each
# entry still ends up as an ordinary default['fail2ban'][key] attribute, so
# role/environment/wrapper overrides behave exactly as before.
#
# Notes for operators:
#   * logtarget is a plain file that records which addresses were probing the
#     host; make sure it is rotated and not world-readable.
#   * dbpurgeage is the age (seconds; 86_400 is one day) after which entries are
#     purged from dbfile. One day is fine for day-to-day operation but short if
#     you want ban history available for post-incident review.
{
  'loglevel'     => 'INFO',
  'logtarget'    => '/var/log/fail2ban.log',
  'syslogsocket' => 'auto',
  'socket'       => '/var/run/fail2ban/fail2ban.sock',
  'pidfile'      => '/var/run/fail2ban/fail2ban.pid',
  'dbfile'       => '/var/lib/fail2ban/fail2ban.sqlite3',
  'dbpurgeage'   => 86_400,
}.each { |option, value| default['fail2ban'][option] = value }

# jail.conf configuration options
#
# [DEFAULT] section values rendered into the jail configuration. `jail` is just
# a handle on default['fail2ban'], so every assignment below is the usual
# default['fail2ban'][...] attribute and can be overridden as before.
jail = default['fail2ban']

# Addresses that are never banned. Keep this list tight: anything here is
# exempt from every jail, so a broad range silently removes protection.
jail['ignoreip'] = '127.0.0.1/8'

# findtime/bantime are in seconds: maxretry failures within findtime earn a
# bantime ban, i.e. 5 failures in 10 minutes -> 5 minute ban. That is
# deliberately mild; wrappers for exposed hosts usually raise bantime.
jail['findtime'] = 600
jail['bantime'] = 300
jail['maxretry'] = 5

# 'polling' works everywhere but notices new log lines late; 'auto' picks an
# event-driven backend where available and shortens the window between the
# last failed attempt and the ban.
jail['backend'] = 'polling'

# Notification settings and the action shortcut used by the jails.
jail['email'] = 'root@localhost'
jail['sendername'] = 'Fail2Ban'
jail['action'] = 'action_'
# iptables-multiport assumes an iptables front end on the host; on an
# nftables-only system pick an nftables banaction or bans may silently fail.
jail['banaction'] = 'iptables-multiport'
jail['mta'] = 'sendmail'
jail['protocol'] = 'tcp'
jail['chain'] = 'INPUT'

# Set this to a Slack incoming-webhook URL and you'll get a Slack message
# whenever an IP is banned or unbanned, like this:
# [hostname] Banned 🇳🇬 217.117.13.12 in the jail sshd after 5 attempts
#
# A Slack webhook looks like this:
# https://hooks.slack.com/services/A123BCD4E/FG5HI6KLM/7n8opqrsT9UVWxyZ0AbCdefG
#
# Treat the webhook URL as a credential: anyone holding it can post to the
# channel. Node attributes are saved to the Chef server unencrypted, so supply
# it from an encrypted data bag / vault in a wrapper rather than hard-coding it
# in a role or environment file.
jail['slack_webhook'] = nil
# Slack channel name, without the leading hashtag (#).
jail['slack_channel'] = 'general'

# Filters used to be declared here as attributes. That path is deprecated in
# favour of the fail2ban_filter resource, which lets each filter be defined in a
# recipe the Chef-native way; the attribute stays (empty) so existing wrappers
# keep working.
# Expected shape when used: { name: { failregex: '', ignoreregex: '' } }
# failregex is matched against attacker-controlled log lines, so keep patterns
# anchored and avoid nested quantifiers that can backtrack catastrophically.
default['fail2ban']['filters'] = {}

# Path of the authentication log the default ssh jail watches. Only the
# families below are mapped; on any other platform family auth_log stays unset
# and a wrapper must provide it, otherwise the ssh jail is rendered with a nil
# logpath.
if platform_family?('rhel', 'fedora', 'amazon')
  default['fail2ban']['auth_log'] = '/var/log/secure'
elsif platform_family?('debian')
  default['fail2ban']['auth_log'] = '/var/log/auth.log'
end

# Jails used to be declared here as attributes; that path is deprecated in
# favour of the fail2ban_filter resource and recipe-level definitions. The
# default ssh jail is still shipped so sshd is covered out of the box.
ssh_jail = {
  'enabled' => 'true',
  # A service name is resolved through /etc/services, so an sshd listening on a
  # non-standard port is NOT covered by this jail; override 'port' in that case.
  'port' => 'ssh',
  'filter' => 'sshd',
  # nil when node['fail2ban']['auth_log'] was not set for this platform family.
  'logpath' => node['fail2ban']['auth_log'],
  # Overrides the global maxretry (5) for this jail only.
  'maxretry' => '6',
}
default['fail2ban']['services'] = { 'ssh' => ssh_jail }

# On RHEL-family platforms a jail named 'ssh-iptables' is explicitly disabled
# (presumably one shipped by the distribution's packaged jail.conf) so it does
# not run alongside the 'ssh' jail above.
# NOTE(review): 'enabled' is a bare false here but the string 'true' in the ssh
# jail — the template presumably renders both via to_s; confirm before relying
# on a boolean comparison anywhere.
default['fail2ban']['services']['ssh-iptables'] = { 'enabled' => false } if platform_family?('rhel', 'fedora', 'amazon')