
# Define: fail2ban::jail
#
# Adds one jail stanza to the jail.local file managed by this module.
# The stanza is a concat fragment; the concat resource itself plus the
# header and footer fragments are declared by whichever jail instance is
# evaluated first (see the defined() guard below).
#
# Parameters (all optional):
#   $jailname - Name of the jail. Defaults to the resource title when ''.
#   $order    - concat order of the stanza in jail.local. Defaults to '50';
#               the header uses 01 and the footer 99, so stay in between.
#   $status   - 'enabled' / 'disabled' (case-insensitive). A disabled jail
#               is still written to jail.local but is not active.
#               Defaults to enabled.
#   $enable   - true / false. When false the stanza is not present in
#               jail.local at all (ensure is derived via bool2ensure()).
#               Defaults to true.
#   $filter   - Filter rule to use. Defaults to the (real) jail name when ''.
#   $ignoreip - Address or list of addresses that must never be banned.
#   $port     - Port, or array of ports, the jail applies to.
#   $protocol - Protocol for the jail's action; undef when ''.
#   $logpath  - Log file, or array of log files, to monitor.
#   $maxretry - Number of failures tolerated before the action fires.
#   $action   - Action, or array of actions, to run on $maxretry matches.
#   $bantime  - Ban duration in seconds.
#   $findtime - Window in seconds after which the failure counter resets.
#
# Notes:
#   * The $real_* / $array_* variables below are rendered by the stanza
#     template ('fail2ban/concat/jail.local-stanza.erb'); their names are
#     part of the contract with that template and must not be renamed.
#   * No validation is performed here: values reach the template as given.
#   * $findtime is not normalised; the template presumably reads it
#     directly — confirm against the ERB if that matters.
define fail2ban::jail (
  $jailname = '',
  $order    = '',
  $status   = '',
  $filter   = '',
  $ignoreip = '',
  $port     = '',
  $protocol = '',
  $action   = '',
  $logpath  = '',
  $maxretry = '',
  $bantime  = '',
  $findtime = '',
  $enable   = true
) {

  include fail2ban

  # --- scalar defaults -----------------------------------------------------

  # The jail is named after the resource unless told otherwise.
  if $jailname == '' {
    $real_jailname = $title
  } else {
    $real_jailname = $jailname
  }

  # Stanzas sort between the header (01) and the footer (99).
  if $order == '' {
    $real_order = '50'
  } else {
    $real_order = $order
  }

  # Only an explicit (case-insensitive) 'disabled' switches the jail off;
  # '' and anything else leave it active.
  if $status =~ /(?i:disabled)/ {
    $real_status = false
  } else {
    $real_status = true
  }

  # fail2ban convention: the filter is named like the jail.
  if $filter == '' {
    $real_filter = $real_jailname
  } else {
    $real_filter = $filter
  }

  # '' becomes undef so the template can tell "not given" from a value.
  if $protocol == '' {
    $real_protocol = undef
  } else {
    $real_protocol = $protocol
  }

  # These two are effectively pass-through; kept as named variables so the
  # template's variable set stays stable.
  if $maxretry == '' {
    $real_maxretry = ''
  } else {
    $real_maxretry = $maxretry
  }

  if $bantime == '' {
    $real_bantime = ''
  } else {
    $real_bantime = $bantime
  }

  # --- list-valued parameters ----------------------------------------------
  # Each may be given as a single scalar or as an array; normalise to an
  # array: array -> as-is, '' -> [], any other scalar -> [scalar].

  if is_array($ignoreip) {
    $array_ignoreip = $ignoreip
  } elsif $ignoreip == '' {
    $array_ignoreip = []
  } else {
    $array_ignoreip = [$ignoreip]
  }

  if is_array($port) {
    $array_port = $port
  } elsif $port == '' {
    $array_port = []
  } else {
    $array_port = [$port]
  }

  if is_array($action) {
    $array_action = $action
  } elsif $action == '' {
    $array_action = []
  } else {
    $array_action = [$action]
  }

  if is_array($logpath) {
    $array_logpath = $logpath
  } elsif $logpath == '' {
    $array_logpath = []
  } else {
    $array_logpath = [$logpath]
  }

  # present/absent for the fragment, derived from the boolean-ish $enable.
  $ensure = bool2ensure($enable)

  # --- jail.local container --------------------------------------------------
  # The first jail instance to be evaluated declares the concat file and its
  # header/footer fragments. NOTE(review): defined() is parse-order
  # dependent, so this relies on all fail2ban::jail instances being
  # evaluated after each other rather than on any explicit ordering.
  unless defined(Concat[$fail2ban::jails_file]) {

    concat { $fail2ban::jails_file:
      mode    => $fail2ban::jails_file_mode,
      warn    => true,
      owner   => $fail2ban::jails_file_owner,
      group   => $fail2ban::jails_file_group,
      notify  => Service['fail2ban'],
      require => Package[$fail2ban::package],
    }

    # The jail.local header
    concat::fragment { 'fail2ban_jails_header':
      target  => $fail2ban::jails_file,
      content => template($fail2ban::jails_template_header),
      order   => 01,
      notify  => Service['fail2ban'],
    }

    # The jail.local footer
    concat::fragment { 'fail2ban_jails_footer':
      target  => $fail2ban::jails_file,
      content => template($fail2ban::jails_template_footer),
      order   => 99,
      notify  => Service['fail2ban'],
    }
  }

  # --- the stanza itself -----------------------------------------------------
  # The template is rendered in this scope and picks up the variables above.
  concat::fragment { "fail2ban_jail_${name}":
    ensure  => $ensure,
    target  => $fail2ban::jails_file,
    content => template('fail2ban/concat/jail.local-stanza.erb'),
    order   => $real_order,
    notify  => Service['fail2ban'],
  }

}