cookbook 'fail2ban', '= 3.1.0'
fail2ban
(54) Versions
- 7.0.23
- 7.0.22
- 7.0.21
- 7.0.20
- 7.0.19
- 7.0.18
- 7.0.17
- 7.0.16
- 7.0.15
- 7.0.14
- 7.0.13
- 7.0.12
- 7.0.11
- 7.0.10
- 7.0.9
- 7.0.8
- 7.0.7
- 7.0.6
- 7.0.5
- 7.0.4
- 7.0.3
- 7.0.2
- 7.0.1
- 7.0.0
- 6.3.3
- 6.3.2
- 6.3.1
- 6.3.0
- 6.2.1
- 6.2.0
- 6.1.0
- 6.0.0
- 5.0.2
- 5.0.1
- 5.0.0
- 4.0.1
- 4.0.0
- 3.1.0
- 2.3.1
- 2.3.0
- 2.2.1
- 2.2.0
- 2.1.2
- 2.1.0
- 2.0.4
- 2.0.2
- 2.0.0
- 1.2.4
- 1.2.2
- 1.2.0
- 1.1.0
- 1.0.2
- 1.0.0
- 0.7.0
Installs and configures fail2ban
cookbook 'fail2ban', '= 3.1.0', :supermarket
knife supermarket install fail2ban
knife supermarket download fail2ban
fail2ban Cookbook
Installs and configures fail2ban, a utility that watches logs for failed login attempts and blocks repeat offenders with firewall rules. On Red Hat systems this cookbook will enable the EPEL repository in order to retrieve the fail2ban package.
Requirements
Platforms
- Debian/Ubuntu
- RHEL/CentOS/Scientific/Amazon/Oracle
- Fedora
- OpenSUSE
Chef
- Chef 12.1+
Cookbooks
- yum-epel
Recipes
default
Installs the fail2ban package, manages 2 templates: /etc/fail2ban/fail2ban.conf and /etc/fail2ban/jail.conf, and manages the fail2ban service.
Usage
Typically, include recipe[fail2ban] in a base role applied to all nodes.
Attributes
This cookbook has a set of configuration options for fail2ban
- default['fail2ban']['loglevel'] = 3
- default['fail2ban']['socket'] = '/var/run/fail2ban/fail2ban.sock'
- default['fail2ban']['logtarget'] = '/var/log/fail2ban.log'
- default['fail2ban']['pidfile'] = '/var/run/fail2ban/fail2ban.pid'
- default['fail2ban']['dbfile'] = '/var/lib/fail2ban/fail2ban.sqlite3'
- default['fail2ban']['dbpurgeage'] = 86_400
This cookbook has a set of configuration options for jail.conf
- default['fail2ban']['ignoreip'] = '127.0.0.1/8'
- default['fail2ban']['findtime'] = 600
- default['fail2ban']['bantime'] = 300
- default['fail2ban']['maxretry'] = 5
- default['fail2ban']['backend'] = 'polling'
- default['fail2ban']['email'] = 'root@localhost'
- default['fail2ban']['sendername'] = 'Fail2Ban'
- default['fail2ban']['action'] = 'action_'
- default['fail2ban']['banaction'] = 'iptables-multiport'
- default['fail2ban']['mta'] = 'sendmail'
- default['fail2ban']['protocol'] = 'tcp'
- default['fail2ban']['chain'] = 'INPUT'
This cookbook makes use of a hash to compile the jail.local file and filter config files:
default['fail2ban']['services'] = {
  'ssh' => {
    "enabled" => "true",
    "port" => "ssh",
    "filter" => "sshd",
    "logpath" => node['fail2ban']['auth_log'],
    "maxretry" => "6"
  },
  'smtp' => {
    "enabled" => "true",
    "port" => "smtp",
    "filter" => "smtp",
    "logpath" => node['fail2ban']['auth_log'],
    "maxretry" => "6"
  }
}
The following attributes can be used per service:
- enabled
- port
- filter
- logpath
- maxretry
- protocol
- banaction
- bantime
Creating custom fail2ban filters:
default['fail2ban']['filters'] = {
  'nginx-proxy' => {
    # <HOST> is fail2ban's placeholder for the offending address
    "failregex" => ["^<HOST> -.*GET http.*"],
    "ignoreregex" => []
  },
}
Issues related to rsyslog
If you use the rsyslog parameter "$RepeatedMsgReduction on" in rsyslog.conf, the system log file (for example auth.log) can contain "Last message repeated N times" lines in place of the repeated entries. This affects fail2ban: the collapsed attempts are not matched, so the internal maxretry counter does not increase and the ban may never trigger. Set "$RepeatedMsgReduction off" in rsyslog.conf so that every failed login attempt is logged and counted accurately.
This rsyslog parameter is on by default in Ubuntu 12.04 LTS, for example.
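The undercount described above, as an added Ruby illustration (not code from the cookbook or from fail2ban). It assumes a simplified model in which each matching log line counts as one failure; the log lines, the address 203.0.113.7 and the function names are constructed for the example, and maxretry 6 is taken from the ssh service hash shown earlier.

```ruby
# Added illustration: simplified one-match-per-line model of maxretry counting.
FAILED = /Failed password for .* from (?<ip>\d{1,3}(?:\.\d{1,3}){3})/
REPEAT = /last message repeated (?<n>\d+) times?/i

# Constructed sample: six identical failures as logged with reduction off...
FULL_LOG = (1..6).map { |s|
  format('Nov 14 10:00:%02d web1 sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2', s)
}.join("\n")

# ...and the same events as written with "$RepeatedMsgReduction on".
REDUCED_LOG = <<~LOG
  Nov 14 10:00:01 web1 sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2
  Nov 14 10:00:06 web1 last message repeated 5 times
LOG

# Failures visible to a filter that matches one log line per attempt.
def visible_failures(log)
  counts = Hash.new(0)
  log.each_line do |line|
    m = FAILED.match(line)
    counts[m[:ip]] += 1 if m
  end
  counts
end

# Failures hidden behind "last message repeated N times" lines, attributed
# to the address of the immediately preceding failure line.
def hidden_failures(log)
  counts = Hash.new(0)
  last_ip = nil
  log.each_line do |line|
    if (m = FAILED.match(line))
      last_ip = m[:ip]
    elsif (r = REPEAT.match(line))
      counts[last_ip] += r[:n].to_i if last_ip
    else
      last_ip = nil # an unrelated line ends the run of repeats
    end
  end
  counts
end

# Addresses whose visible failure count reaches maxretry.
def banned(log, maxretry)
  visible_failures(log).select { |_ip, n| n >= maxretry }.keys
end

puts "reduction off: banned=#{banned(FULL_LOG, 6).inspect}"
puts "reduction on:  banned=#{banned(REDUCED_LOG, 6).inspect} hidden=#{hidden_failures(REDUCED_LOG)}"
```

Running hidden_failures over an existing auth.log is a quick way to check whether message reduction has been masking attempts on a node.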
License and Author
Author:: Joshua Timberman
Copyright:: 2009-2016, Chef Software, Inc
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
fail2ban Cookbook CHANGELOG
This file is used to list changes made in each version of the fail2ban cookbook.
3.1.0 (2016-11-14)
- Add support for jail ignorecommand
3.0.0 (2016-09-16)
- Testing updates
- Require Chef 12.1+
- Add opensuse and opensuseleap to the metadata
v2.3.1 (2016-07-20)
- Added fixture cookbook
- Cleanup of kitchen configurations
- [#38] Default config values to avoid warning from pbanderas
- [#37] Add support for 'sendername' setting on config from Restless-ET
- [#35] Add support for configuring service backend from ares
- many updates to testing
- [#25] Allow jail actions of either format from rchekaluk
- Add OpenSUSE platform
v2.3.0 (2015-08-22)
- Updated Berksfile to 3.0 format
- Added "generated by chef" comment headers to all templates
- Added missing bantime service attribute to the readme
- Resolved all rubocop warnings
- Added yum-epel to the readme as a dependency
- Removed the dependency on the yum cookbook. This cookbook only requires yum-epel, which handles the yum dependency
- Added a chefignore file to prevent unnecessary files from being uploaded to the chef-server
- Changed fail2ban package to install only vs. upgrading. Administrators should be able to choose when packages are upgraded
- Change file mode definitions to be strings to preserve the leading zeros
- Added testing / cookbook version badges to the readme
- Added source_url and issues_url metadata for Chef 12
- Add basic cookbook convergence chefspec tests
- Updated the testing and contributing docs to more recent versions
- Bumped all development and testing gems to the latest versions
- Expanded Travis testing to ruby 2/2.1/2.2
- Changed Opscode to Chef Software in all locations
v2.2.1 (2014-10-15)
- [#24] Add default value for pidfile
v2.2.0
- #15 - Fix small typo in README.md for smtp
- #16 - Support custom fail2ban filters
- #21 - Service and defaults improvements, Fedora support
v2.1.2
Improvement
- COOK-3899 - Allow action override in service block
v2.1.0
Updating for cookbook yum ~> 3.0
Fixing style or rubocop
Updating test bits
v2.0.4
fixing metadata version error. locking to 3.0
v2.0.2
Locking yum dependency to '< 3'
v2.0.0
[COOK-2530] Allow customisation of jail.local
v1.2.4
New Feature
- COOK-3383 - Add clarifying caveat about rsyslog in README
Bug
- COOK-3249 - Fix default jail.conf on CentOS
Improvement
- COOK-2748 - Handle /etc/init.d/fail2ban status for older versions
v1.2.2
Bug
- [COOK-2588]: Fail2ban needs to store the socket in the correct location
- [COOK-2592]: fail2ban: Update jail file template to match current config file
v1.2.0
- [COOK-2292] - Add fail2ban support for RHEL using EPEL
- [COOK-2426] - Fail2ban cookbook needs syslog tunables in config file
- Development repository only: test kitchen 1.0.alpha support
v1.1.0
- [COOK-2291] - Add additional tunables to the fail2ban cookbook
v1.0.2
- [COOK-2217] - Users should be able to configure the email address fail2ban uses to send messages
v1.0.0
- Current public release.
Collaborator Number Metric
3.1.0 passed this metric
Foodcritic Metric
3.1.0 passed this metric