From b0c5fd60d4c7d808438547bb80bf183f5e5b26e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?=
Date: Thu, 11 Jun 2026 09:22:10 -0400
Subject: [PATCH 1/4] Bump puppet-fail2ban to v7.0.0

---
 Puppetfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Puppetfile b/Puppetfile
index d59cb0bdd..5efa88c4c 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -15,7 +15,7 @@ mod 'puppet-consul', '10.0.0'
 mod 'puppet-cron', '5.0.0'
 mod 'puppet-epel', '5.0.0'
 mod 'puppet-extlib', '7.0.0'
-mod 'puppet-fail2ban', '4.2.0'
+mod 'puppet-fail2ban', '7.0.0'
 mod 'puppet-healthcheck', '2.1.0'
 mod 'puppet-kmod', '4.0.0'
 mod 'puppet-logrotate', '7.0.0'

From ede47c8b3c3d31f0c9336732f8b507f66d24b4a3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?=
Date: Thu, 11 Jun 2026 09:50:14 -0400
Subject: [PATCH 2/4] Replace custom_jails by our own jail creation

Also add action and filter creation
---
 data/common.yaml | 18 ++++++++++++------
 site/profile/manifests/fail2ban.pp | 9 ++++++++-
 2 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/data/common.yaml b/data/common.yaml
index 7fefe1fe9..b360dc600 100644
--- a/data/common.yaml
+++ b/data/common.yaml
@@ -34,8 +34,7 @@ epel::epel_testing_source_managed: false
 epel::epel_testing_debuginfo_managed: false fail2ban::package_name: fail2ban-server -fail2ban::jails: ['ssh-route', 'ssh-ban-root'] -fail2ban::custom_jails: +profile::fail2ban::jails: 'ssh-route': enabled: true filter: 'sshd' 
@@ -50,11 +49,18 @@ fail2ban::custom_jails: bantime: 86400 maxretry: 0 action: 'route' + filter: 'filter-ssh-root' logpath: '%(sshd_log)s' - journalmatch: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd' - filter_maxlines: 10 - filter_includes: 'before = common.conf' - filter_failregex: '^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=\S*\s*user=(root|admin)\s.*$' + +profile::fail2ban::filters: + filter-ssh-root: + Init: + journalmatch: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd' + maxlines: 10 + INCLUDES: + before: 'common.conf' + Definition: + failregex: '^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=\S*\s*user=(root|admin)\s.*$' jupyterhub::kernel::install_method: venv jupyterhub::jupyterhub_config_hash: diff --git a/site/profile/manifests/fail2ban.pp b/site/profile/manifests/fail2ban.pp index 29a64d61c..53da426c5 100644 --- a/site/profile/manifests/fail2ban.pp +++ b/site/profile/manifests/fail2ban.pp 
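Review bot: The `ssh-ban-root` jail now references `filter: 'filter-ssh-root'` and the filter is defined under `profile::fail2ban::filters` as `filter-ssh-root`, but the README default values added in patch 4 show both the jail's `filter` and the filter key as `ssh-ban-root`, so the documented defaults do not match the data shipped in `data/common.yaml` and someone copying the README example would create a filter the jail never references. Either rename the filter here to `ssh-ban-root` (which also matches the jail name) or correct the README. The `failregex` is now duplicated verbatim in the README as well; documenting only the section structure there and pointing readers at `data/common.yaml` would avoid the two copies drifting apart.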
@@ -1,12 +1,19 @@ class profile::fail2ban ( Array[String] $ignoreip = [], + Hash $actions = {}, + Hash $filters = {}, + Hash $jails = {}, ) { include epel class { 'fail2ban' : - whitelist => ['127.0.0.1/8', profile::getcidr()] + $ignoreip, + ignoreip => ['127.0.0.1/8', profile::getcidr()] + $ignoreip, } + create_resources('fail2ban::filter', $filters.reduce({})|$memo, $filter| { $memo + { $filter[0] => { 'filter_name' => $filter[0], 'filter_content' => $filter[1] } } }) + create_resources('fail2ban::jail', $jails.reduce({})|$memo, $jail| { $memo + { $jail[0] => { 'jail_name' => $jail[0], 'jail_content' => { $jail[0] => $jail[1] } } } }) + create_resources('fail2ban::action', $actions.reduce({})|$memo, $action| { $memo + { $action[0] => { 'action_name' => $action[0], 'action_content' => $action[1] } } }) + file_line { 'fail2ban_sshd_recv_disconnect': ensure => present, path => '/etc/fail2ban/filter.d/sshd.conf', From ffad405c7197277ed66bfc93b0a0c9c51863a089 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Thu, 11 Jun 2026 10:16:19 -0400 Subject: [PATCH 3/4] Disable fail2ban firewalld --- data/common.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/data/common.yaml b/data/common.yaml index b360dc600..3f86511e3 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -34,6 +34,7 @@ epel::epel_testing_source_managed: false epel::epel_testing_debuginfo_managed: false fail2ban::package_name: fail2ban-server +fail2ban::el_firewalld_conf_ensure: absent profile::fail2ban::jails: 'ssh-route': enabled: true From 5bf853c29d7e65550d18949ef63640009a8c0cdb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?= Date: Thu, 11 Jun 2026 10:22:22 -0400 Subject: [PATCH 4/4] Update README.md --- README.md | 34 ++++++++++++++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1327edb0d..a77b6eabd 100644 --- a/README.md +++ b/README.md 
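Review bot: The three new parameters are declared as bare `Hash`, so a hiera value that is not itself a hash (a string or list under `profile::fail2ban::jails`, for example) passes the class signature and only fails inside the `fail2ban::*` resource or when fail2ban parses the rendered file; `Hash[String, Hash] $jails = {}` (and likewise for `$filters` and `$actions`) rejects it at catalog compilation. The `reduce` + `create_resources` one-liners are also hard to read and review; iterating with `each` and declaring the resource directly, as below, should produce the same catalog using the parameter names already visible in the hunk. Note too that `$ignoreip` keeps `Array[String]` while the README hunk in patch 4 documents it as `Array[Fail2ban::IP]` and mentions hostnames, so one of the two needs aligning. The class body continues past the end of the hunk (the `file_line` resources).

```puppet
class profile::fail2ban (
  Array[String] $ignoreip = [],
  Hash[String, Hash] $actions = {},
  Hash[String, Hash] $filters = {},
  Hash[String, Hash] $jails = {},
) {
  # … unchanged: include epel, class { 'fail2ban': ignoreip => … } …

  $filters.each |String $name, Hash $content| {
    fail2ban::filter { $name:
      filter_name    => $name,
      filter_content => $content,
    }
  }

  $jails.each |String $name, Hash $content| {
    fail2ban::jail { $name:
      jail_name    => $name,
      jail_content => { $name => $content },
    }
  }

  $actions.each |String $name, Hash $content| {
    fail2ban::action { $name:
      action_name    => $name,
      action_content => $content,
    }
  }

  # … unchanged: file_line 'fail2ban_sshd_recv_disconnect' …
```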
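Review bot: `fail2ban::el_firewalld_conf_ensure: absent` is added without a comment recording why the firewalld integration is dropped, and the README change in this series does not mention it either. The `ssh-ban-root` jail shown in patch 2 sets `action: 'route'` (the `ssh-route` jail's `action` key is outside the visible hunks), so the firewalld `banaction` override is presumably unused here, but any jail added later without an explicit `action` will fall back to whatever `jail.conf` defines as the default banaction. A short comment such as `# jails ban via the 'route' action; drop the EL firewalld banaction override so it is not applied` above the line would make the intent reviewable.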
@@ -596,15 +596,45 @@ This class installs and configures fail2ban. | Variable | Description | Type | | :---------------- | :--------------- | :------ | -| `ignoreip` | List of IP addresses that can never be banned (compatible with CIDR notation) | Array[String] | +| `ignoreip` | List of IP addresses, CIDR ranges, or hostnames that can never be banned | Array[Fail2ban::IP] | +| `jails` | Custom jail definitions rendered as `/etc/fail2ban/jail.d/.local` | Hash | +| `filters` | Custom filter definitions rendered as `/etc/fail2ban/filter.d/.local` | Hash | +| `actions` | Custom action definitions rendered as `/etc/fail2ban/action.d/.local` | Hash | -Refer to [puppet-fail2ban](https://github.com/voxpupuli/puppet-fail2ban) for more parameters to configure. +Each `jails`, `filters`, and `actions` entry is passed to the matching +`fail2ban::jail`, `fail2ban::filter`, or `fail2ban::action` resource. The value is the content hash +used by puppet-fail2ban v7, where the first level is the section name and the second level contains +the options written in that section. + +Refer to [puppet-fail2ban](https://github.com/voxpupuli/puppet-fail2ban) for more fail2ban +parameters to configure.
default values ```yaml profile::fail2ban::ignoreip: [] +profile::fail2ban::jails: + ssh-ban-root: + enabled: true + findtime: 3600 + bantime: 86400 + maxretry: 0 + action: route + filter: ssh-ban-root + logpath: '%(sshd_log)s' + +profile::fail2ban::filters: + ssh-ban-root: + Init: + journalmatch: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd' + maxlines: 10 + INCLUDES: + before: common.conf + Definition: + failregex: '^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=\S*\s*user=(root|admin)\s.*$' + +profile::fail2ban::actions: {} ```