82 lines
3.1 KiB
Ruby
82 lines
3.1 KiB
Ruby
#
|
|
# Cookbook:: fail2ban
|
|
# Attributes:: default
|
|
#
|
|
# Copyright:: 2013-2018, Chef Software, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the 'License');
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an 'AS IS' BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
# fail2ban.conf configuration options
|
|
default['fail2ban']['loglevel'] = 'INFO'
|
|
default['fail2ban']['logtarget'] = '/var/log/fail2ban.log'
|
|
default['fail2ban']['syslogsocket'] = 'auto'
|
|
default['fail2ban']['socket'] = '/var/run/fail2ban/fail2ban.sock'
|
|
default['fail2ban']['pidfile'] = '/var/run/fail2ban/fail2ban.pid'
|
|
default['fail2ban']['dbfile'] = '/var/lib/fail2ban/fail2ban.sqlite3'
|
|
default['fail2ban']['dbpurgeage'] = 86_400
|
|
|
|
# jail.conf configuration options
|
|
default['fail2ban']['ignoreip'] = '127.0.0.1/8'
|
|
default['fail2ban']['findtime'] = 600
|
|
default['fail2ban']['bantime'] = 300
|
|
default['fail2ban']['maxretry'] = 5
|
|
default['fail2ban']['backend'] = 'polling'
|
|
default['fail2ban']['email'] = 'root@localhost'
|
|
default['fail2ban']['sendername'] = 'Fail2Ban'
|
|
default['fail2ban']['action'] = 'action_'
|
|
default['fail2ban']['banaction'] = 'iptables-multiport'
|
|
default['fail2ban']['mta'] = 'sendmail'
|
|
default['fail2ban']['protocol'] = 'tcp'
|
|
default['fail2ban']['chain'] = 'INPUT'
|
|
# Create and copy/past your Slack webhook in the following attribute and you'll
|
|
# get Slack message on banning/unbanning IP like this:
|
|
# [hostname] Banned 🇳🇬 217.117.13.12 in the jail sshd after 5 attempts
|
|
#
|
|
# A Slack webhook looks like this:
|
|
# https://hooks.slack.com/services/A123BCD4E/FG5HI6KLM/7n8opqrsT9UVWxyZ0AbCdefG
|
|
default['fail2ban']['slack_webhook'] = nil
|
|
# Then setting the Slack channel name without the hashtag (#)
|
|
default['fail2ban']['slack_channel'] = 'general'
|
|
|
|
# Using attributes to specify the fail2ban filters is now deprecated in favor
|
|
# of the fail2ban_filter resource which provides a more Chef native way of defining
|
|
# individual filters in recipes using resources
|
|
# format: { name: { failregex: '', ignoreregex: ''} }
|
|
default['fail2ban']['filters'] = {}
|
|
|
|
case node['platform_family']
|
|
when 'rhel', 'fedora', 'amazon'
|
|
default['fail2ban']['auth_log'] = '/var/log/secure'
|
|
when 'debian'
|
|
default['fail2ban']['auth_log'] = '/var/log/auth.log'
|
|
end
|
|
|
|
# Using attributes to specify the fail2ban jails is now deprecated in favor
|
|
# of the fail2ban_filter resource which provides a more Chef native way of defining
|
|
# individual filters in recipes using resources
|
|
default['fail2ban']['services'] = {
|
|
'ssh' => {
|
|
'enabled' => 'true',
|
|
'port' => 'ssh',
|
|
'filter' => 'sshd',
|
|
'logpath' => node['fail2ban']['auth_log'],
|
|
'maxretry' => '6',
|
|
},
|
|
}
|
|
|
|
if platform_family?('rhel', 'fedora', 'amazon')
|
|
default['fail2ban']['services']['ssh-iptables'] = {
|
|
'enabled' => false,
|
|
}
|
|
end
|