cookbook 'fail2ban', '= 7.0.5'
fail2ban
(54) Versions
7.0.5
-
-
7.0.23
-
7.0.22
-
7.0.21
-
7.0.20
-
7.0.19
-
7.0.18
-
7.0.17
-
7.0.16
-
7.0.15
-
7.0.14
-
7.0.13
-
7.0.12
-
7.0.11
-
7.0.10
-
7.0.9
-
7.0.8
-
7.0.7
-
7.0.6
-
7.0.5
-
7.0.4
-
7.0.3
-
7.0.2
-
7.0.1
-
7.0.0
-
6.3.3
-
6.3.2
-
6.3.1
-
6.3.0
-
6.2.1
-
6.2.0
-
6.1.0
-
6.0.0
-
5.0.2
-
5.0.1
-
5.0.0
-
4.0.1
-
4.0.0
-
3.1.0
-
2.3.1
-
2.3.0
-
2.2.1
-
2.2.0
-
2.1.2
-
2.1.0
-
2.0.4
-
2.0.2
-
2.0.0
-
1.2.4
-
1.2.2
-
1.2.0
-
1.1.0
-
1.0.2
-
1.0.0
-
0.7.0
Follow85
- 7.0.23
- 7.0.22
- 7.0.21
- 7.0.20
- 7.0.19
- 7.0.18
- 7.0.17
- 7.0.16
- 7.0.15
- 7.0.14
- 7.0.13
- 7.0.12
- 7.0.11
- 7.0.10
- 7.0.9
- 7.0.8
- 7.0.7
- 7.0.6
- 7.0.5
- 7.0.4
- 7.0.3
- 7.0.2
- 7.0.1
- 7.0.0
- 6.3.3
- 6.3.2
- 6.3.1
- 6.3.0
- 6.2.1
- 6.2.0
- 6.1.0
- 6.0.0
- 5.0.2
- 5.0.1
- 5.0.0
- 4.0.1
- 4.0.0
- 3.1.0
- 2.3.1
- 2.3.0
- 2.2.1
- 2.2.0
- 2.1.2
- 2.1.0
- 2.0.4
- 2.0.2
- 2.0.0
- 1.2.4
- 1.2.2
- 1.2.0
- 1.1.0
- 1.0.2
- 1.0.0
- 0.7.0
Installs and configures fail2ban
cookbook 'fail2ban', '= 7.0.5', :supermarket
knife supermarket install fail2ban
knife supermarket download fail2ban
fail2ban Cookbook
Installs and configures fail2ban
, a utility that watches logs for failed login attempts and blocks repeat offenders with firewall rules. On Redhat systems this cookbook will enable the EPEL repository in order to retrieve the fail2ban package.
Maintainers
This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit sous-chefs.org or come chat with us on the Chef Community Slack in #sous-chefs.
Requirements
Platforms
- Debian/Ubuntu
- RHEL/CentOS/Scientific/Amazon/Oracle
- Fedora
- OpenSUSE
Chef
- Chef 15.3+
Cookbooks
- yum-epel
Recipes
default
Installs the fail2ban package, manages 2 templates: /etc/fail2ban/fail2ban.conf
and /etc/fail2ban/jail.conf
, and manages the fail2ban service.
Attributes
This cookbook has a set of configuration options for fail2ban
default['fail2ban']['loglevel'] = 'INFO'
default['fail2ban']['logtarget'] = '/var/log/fail2ban.log'
default['fail2ban']['syslogsocket'] = 'auto'
default['fail2ban']['socket'] = '/var/run/fail2ban/fail2ban.sock'
default['fail2ban']['pidfile'] = '/var/run/fail2ban/fail2ban.pid'
default['fail2ban']['dbfile'] = '/var/lib/fail2ban/fail2ban.sqlite3'
default['fail2ban']['dbpurgeage'] = 86_400
This cookbook has a set of configuration options for jail.conf
default['fail2ban']['ignoreip'] = '127.0.0.1/8'
default['fail2ban']['findtime'] = 600
default['fail2ban']['bantime'] = 300
default['fail2ban']['maxretry'] = 5
default['fail2ban']['backend'] = 'polling'
default['fail2ban']['email'] = 'root@localhost'
default['fail2ban']['sendername'] = 'Fail2Ban'
default['fail2ban']['action'] = 'action_'
default['fail2ban']['banaction'] = 'iptables-multiport'
default['fail2ban']['mta'] = 'sendmail'
default['fail2ban']['protocol'] = 'tcp'
default['fail2ban']['chain'] = 'INPUT'
This cookbook makes use of a hash to compile the jail.local-file and filter config files:
default['fail2ban']['services'] = {
'ssh' => {
"enabled" => "true",
"port" => "ssh",
"filter" => "sshd",
"logpath" => node['fail2ban']['auth_log'],
"maxretry" => "6"
},
'smtp' => {
"enabled" => "true",
"port" => "smtp",
"filter" => "smtp",
"logpath" => node['fail2ban']['auth_log'],
"maxretry" => "6"
}
}
The following attributes can be used per service:
- backend
- banaction
- bantime
- enabled
- filter
- findtime
- ignorecommand
- logpath
- maxretry
- port
- protocol
Creating custom fail2ban filters:
default['fail2ban']['filters'] = {
'nginx-proxy' => {
"failregex" => ["^ -.*GET http.*"],
"ignoreregex" => []
},
}
In the case you would like to get Slack notifications on IP addresses banned/unbanned, this cookbook supports it by setting the following attributes:
# A Slack webhook looks like this: # https://hooks.slack.com/services/A123BCD4E/FG5HI6KLM/7n8opqrsT9UVWxyZ0AbCdefG default['fail2ban']['slack_webhook'] = nil # Then setting the Slack channel name without the hashtag (#) default['fail2ban']['slack_channel'] = 'general'
Then you will get notifications like this:
[hostname] Banned 🇳🇬 217.117.13.12 in the jail sshd after 5 attempts
Resources
fail2ban_filter
Manages fail2ban filters in /etc/fail2ban/filters.d/
.
Actions
-
create
- Default. Creates a fail2ban filter. -
delete
- Deletes a fail2ban filter.
Properties
-
filter
- Specifies the name of the filter. This is the name property. -
source
- Specifies the template source. By default, this is set tofilter.erb
. -
cookbook
- Specifies the template cookbook. By default, this is set tofail2ban
. -
failregex
- Specifies one or multiple regular expressions matching the failure. -
ignoreregex
- Specifies one or multiple regular expressions to ignore.
Examples
Configure a file for webmin authentication with multiple regular expressions matching the failure.
fail2ban_filter 'webmin-auth' do failregex ["^%(__prefix_line)sNon-existent login as .+ from <HOST>\s*$", "^%(__prefix_line)sInvalid login as .+ from <HOST>\s*$"] end
fail2ban_jail
Manages fail2ban jails in /etc/fail2ban/jail.d/
.
Actions
-
create
- Default. Creates a fail2ban jail. -
delete
- Deletes a fail2ban jail.
Properties
-
jail
- Specifies the jail name. This is the name property. -
source
- Specifies the template source. By default, this is set tojail.erb
. -
cookbook
- Specifies the template cookbook. By default, this is set tofail2ban
. -
filter
- Specifies the name of the filter to be used by the jail to detect matches. -
logpath
- Specifies the path to the log file which is provided to the filter. -
protocol
- Specifies the protocol type, e.g. tcp, udp or all. -
ports
- Specifies an array of port(s) to watch. -
maxretry
- Specifies the number of matches which triggers ban action. -
ignoreips
- Specifies an array of IP addresses to ignore.
Examples
Create a new fail2ban jail for SSH that uses existing filter sshd
and which bans client after 3 tries.
fail2ban_jail 'ssh' do ports %w(ssh) filter 'sshd' logpath node['fail2ban']['auth_log'] maxretry 3 end
Issues related to rsyslog
If you are using rsyslog parameter "$RepeatedMsgReduction on" in rsyslog.conf file
then you can get "Last message repeated N times" in system log file (for example auth.log).
Fail2ban will not work because the internal counter maxretry will not expand the repeated messages.
Change parameter "$RepeatedMsgReduction off" in rsyslog.conf file for maximum accuracy of failed login attempts.
This rsyslog parameter is default ON for ubuntu 12.04 LTS for example.
Contributors
This project exists thanks to all the people who contribute.
Backers
Thank you to all our backers!
Sponsors
Support this project by becoming a sponsor. Your logo will show up here with a link to your website.
Changelog
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog,
and this project adheres to Semantic Versioning.
7.0.5 - 2022-12-12
Standardise files with files in sous-chefs/repo-management
7.0.4 - 2022-08-07
- Document missing service attributes
7.0.3 - 2022-08-07
- CI: Switch to shared lint-unit workflow
7.0.2 - 2022-02-17
- Standardise files with files in sous-chefs/repo-management
- Remove delivery folder
7.0.1 - 2021-08-30
- Standardise files with files in sous-chefs/repo-management
7.0.0 - 2021-06-19
- Chef 17 updates: enable
unified_mode
on all resources - Bump required Chef Infra Client to >= 15.3
- Add
bantime
property tofail2ban_jail
resource - Remove unsupported platforms
- Remove logic for fail2ban < 0.9
6.3.3 - 2021-06-01
- Standardise files with files in sous-chefs/repo-management
6.3.2 - 2021-02-26
- Fix jail template to not set
port
orlogpath
if not defined in the resource
6.3.1 - 2020-12-09
- improves resource documentation in README
- fixes jail resource to support priority property in delete action
6.3.0 - 2020-12-01
- Remove deprecated platform in spec tests
- fixed wrong property in
fail2ban_jail
andfail2ban_filter
resources - added documentation for above changes
6.2.1 (2020-05-05)
- Migrated build system to github actions for testing
6.2.0 (2020-01-26)
- Simplify platform check logic
- Fix several parts of the recipe that were not compatible with Amazon Linux
- Update all templates to use the same managed by chef warning
6.1.0 (2019-10-16)
- Adds Slack notifications as a notifier
- Fixup testing
6.0.0 (2019-05-08)
- Require Chef 13 or later
- Add support for Amazon Linux on Chef 13+
- Add support for Ubuntu 18.04
- Add new fail2ban_jail and fain2ban_filter resources that allow you to define individual filters and jails within your own recipes instead of using the monolithic attribute config. With the introduction of these resources the existing attribute driven workflow has been deprecated and will eventually be removed. Thank you OpenStreetMap for these great new resources.
5.0.2 (2018-07-18)
- Update specs to the latest platform versions
- Testing updates
- Delete jail.d/00-firewalld.conf on CentOS like we delete jail.d/defaults-debian.conf on Ubuntu)
- Move templates out of the default directory
5.0.1 (2018-02-15)
- Update the minimum supported Chef release to 12.9 since we're using the Ohai package plugin now. We highly recommend you run at least the very latest Chef 12 reelase which includes additional packabe plugin fixes.
5.0.0 (2018-02-14)
- Add new logic to detect the fail2ban version and apply appropriate config for 0.8 vs > 0.8. This makes sure we're using the current on newer systems while still supporting Ubuntu 14.04
- Remove defunct syslog config statements from very old fail2ban releases
4.0.1 (2017-04-26)
- Update apache2 license string
4.0.0 (2017-03-14)
NOTE The next version of this cookbook will be a rewrite to use custom resources and eliminate attributes. This should be backwards compatible to previous versions of the cookbook, but there are some changes that might break current assumptions so doing a major bump.
- [#33] Fix ubuntu platforms
- Add ubuntu platform guards to default recipe
- Update README to be more clear with regards to rsyslog
- Remove defaults-debian.conf on ubuntu platforms, that assumes ssh enabled on nodes.
- Modify metadata dependency to Chef 12.5+
- Modify chef spec to remove service start, enable on resources as on debian platforms the service is started by install of package
- Make test kitchen show deprecation errors
- Remove EOL debian and ubuntu logic from default recipe
3.1.0 (2016-11-14)
- Add support for jail ignorecommand
3.0.0 (2016-09-16)
- Testing updates
- Require Chef 12.1+
- Add opensuse and opensuseleap to the metadata
v2.3.1 (2016-07-20)
- Added fixture cookbook
- Cleanup of kitchen configurations
- [#38] Default config values to avoid warning from pbanderas
- [#37] Add support for 'sendername' setting on config from Restless-ET
- [#35] Add support for configuring service backend from ares
- many updates to testing
- [#25] Allow jail actions of either format from rchekaluk
- Add OpenSUSE platform
v2.3.0 (2015-08-22)
- Updated Berksfile to 3.0 format
- Added "generated by chef" comment headers to all templates
- Added missing bantime service attribute to the readme
- Resolved all rubocop warnings
- Added yum-epel to the readme as a dependency
- Removed the dependency on the yum cookbook. This cookbook only requires yum-epel, which handles the yum dependency
- Added a chefignore file to prevent unnecessary files from being uploaded to the chef-server
- Changed fail2ban package to install only vs. upgrading. Administrators should be able to choose when packages are upgraded
- Change file mode definitions to be strings to preserve the leading zeros
- Added testing / cookbook version badges to the readme
- Added source_url and issues_url metadata for Chef 12
- Add basic cookbook convergence chefspec tests
- Updated the testing and contributing docs to more recent versions
- Bumped all development and testing gems to the latest versions
- Expanded Travis testing to ruby 2/2.1/2.2
- Changed Opscode to Chef Software in all locations
v2.2.1 (2014-10-15)
- [#24] Add default value for pidfile
v2.2.0
15 - Fix small typo in README.md for smtp
16 - Support custom fail2ban filters
21 - Service and defaults improvements, Fedora support
v2.1.2
Improvement
- COOK-3899 - Allow action override in service block
v2.1.0
Updating for cookbook yum ~> 3.0 Fixing style or rubocop Updating test bits
v2.0.4
fixing metadata version error. locking to 3.0
v2.0.2
Locking yum dependency to '< 3'
v2.0.0
[COOK-2530] Allow customisation of jail.local
v1.2.4
New Feature
- COOK-3383 - Add clarifying caveat about rsyslog in README
Bug
-
COOK-3249 - Fix default
jail.conf
on CentOS
Improvement
-
COOK-2748 - Handle
/etc.init.d/fail2ban status
for older versions
v1.2.2
Bug
- [COOK-2588]: Fail2ban needs to store the socket in the correct location
- [COOK-2592]: fail2ban: Update jail file template to match current config file
v1.2.0
- [COOK-2292] - Add fail2ban support for RHEL using EPEL
- [COOK-2426] - Fail2ban cookbook needs syslog tunables in config file
- Development repository only: test kitchen 1.0.alpha support
v1.1.0
- [COOK-2291] - Add additional tunables to the fail2ban cookbook
v1.0.2
- [COOK-2217] - Users should be able to configure the email address fail2ban uses to send messages
v1.0.0
- Current public release.
Collaborator Number Metric
7.0.5 passed this metric
Contributing File Metric
7.0.5 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Cookstyle Metric
7.0.5 passed this metric
No Binaries Metric
7.0.5 passed this metric
Testing File Metric
7.0.5 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
7.0.5 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
7.0.5 passed this metric
7.0.5 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Cookstyle Metric
7.0.5 passed this metric
No Binaries Metric
7.0.5 passed this metric
Testing File Metric
7.0.5 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
7.0.5 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
7.0.5 passed this metric
7.0.5 passed this metric
Testing File Metric
7.0.5 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
7.0.5 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number
7.0.5 failed this metric
7.0.5 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number