2 changes: 1 addition & 1 deletion Puppetfile
Expand Up @@ -15,7 +15,7 @@ mod 'puppet-consul', '10.0.0'
mod 'puppet-cron', '5.0.0'
mod 'puppet-epel', '5.0.0'
mod 'puppet-extlib', '7.0.0'
mod 'puppet-fail2ban', '4.2.0'
mod 'puppet-fail2ban', '7.0.0'
mod 'puppet-healthcheck', '2.1.0'
mod 'puppet-kmod', '4.0.0'
mod 'puppet-logrotate', '7.0.0'
34 changes: 32 additions & 2 deletions README.md
Expand Up @@ -596,15 +596,45 @@ This class installs and configures fail2ban.

| Variable | Description | Type |
| :---------------- | :--------------- | :------ |
| `ignoreip` | List of IP addresses that can never be banned (compatible with CIDR notation) | Array[String] |
| `ignoreip` | List of IP addresses, CIDR ranges, or hostnames that can never be banned | Array[Fail2ban::IP] |
| `jails` | Custom jail definitions rendered as `/etc/fail2ban/jail.d/<name>.local` | Hash |
| `filters` | Custom filter definitions rendered as `/etc/fail2ban/filter.d/<name>.local` | Hash |
| `actions` | Custom action definitions rendered as `/etc/fail2ban/action.d/<name>.local` | Hash |

Refer to [puppet-fail2ban](https://github.com/voxpupuli/puppet-fail2ban) for more parameters to configure.
Each `jails`, `filters`, and `actions` entry is passed to the matching
`fail2ban::jail`, `fail2ban::filter`, or `fail2ban::action` resource. The value is the content hash
used by puppet-fail2ban v7, where the first level is the section name and the second level contains
the options written in that section.

Refer to [puppet-fail2ban](https://github.com/voxpupuli/puppet-fail2ban) for more fail2ban
parameters to configure.

<details>
<summary>default values</summary>

```yaml
profile::fail2ban::ignoreip: []
profile::fail2ban::jails:
ssh-ban-root:
enabled: true
findtime: 3600
bantime: 86400
maxretry: 0
action: route
filter: ssh-ban-root
logpath: '%(sshd_log)s'

profile::fail2ban::filters:
ssh-ban-root:
Init:
journalmatch: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
maxlines: 10
INCLUDES:
before: common.conf
Definition:
failregex: '^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\S*\s*user=(root|admin)\s.*$'

profile::fail2ban::actions: {}
```
</details>

19 changes: 13 additions & 6 deletions data/common.yaml
Expand Up @@ -34,8 +34,8 @@ epel::epel_testing_source_managed: false
epel::epel_testing_debuginfo_managed: false

fail2ban::package_name: fail2ban-server
fail2ban::jails: ['ssh-route', 'ssh-ban-root']
fail2ban::custom_jails:
fail2ban::el_firewalld_conf_ensure: absent
profile::fail2ban::jails:
'ssh-route':
enabled: true
filter: 'sshd'
Expand All @@ -50,11 +50,18 @@ fail2ban::custom_jails:
bantime: 86400
maxretry: 0
action: 'route'
filter: 'filter-ssh-root'
logpath: '%(sshd_log)s'
journalmatch: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
filter_maxlines: 10
filter_includes: 'before = common.conf'
filter_failregex: '^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\S*\s*user=(root|admin)\s.*$'

profile::fail2ban::filters:
filter-ssh-root:
Init:
journalmatch: '_SYSTEMD_UNIT=sshd.service + _COMM=sshd'
maxlines: 10
INCLUDES:
before: 'common.conf'
Definition:
failregex: '^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\S*\s*user=(root|admin)\s.*$'

jupyterhub::kernel::install_method: venv
jupyterhub::jupyterhub_config_hash:
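Review bot: The jail's `filter: 'filter-ssh-root'` and the new `profile::fail2ban::filters` key `filter-ssh-root` agree with each other, but the README default-values block added in the same change documents this jail as `ssh-ban-root` with `filter: ssh-ban-root` and a filter of that same name, and does not list the `ssh-route` jail at all; the two files should use one naming so the documented example matches what the profile actually ships. A comment above `profile::fail2ban::filters:` such as `# referenced by the ssh jail's 'filter' key above; rendered as filter.d/filter-ssh-root.local` would tie the two hashes together (the `.local` path is the one the README states for `filters`). The jail entry whose options end at `logpath` starts above this hunk, so its key is not visible here.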
9 changes: 8 additions & 1 deletion site/profile/manifests/fail2ban.pp
@@ -1,12 +1,19 @@
class profile::fail2ban (
Array[String] $ignoreip = [],
Hash $actions = {},
Hash $filters = {},
Hash $jails = {},
) {
include epel

class { 'fail2ban' :
whitelist => ['127.0.0.1/8', profile::getcidr()] + $ignoreip,
ignoreip => ['127.0.0.1/8', profile::getcidr()] + $ignoreip,
}

create_resources('fail2ban::filter', $filters.reduce({})|$memo, $filter| { $memo + { $filter[0] => { 'filter_name' => $filter[0], 'filter_content' => $filter[1] } } })
create_resources('fail2ban::jail', $jails.reduce({})|$memo, $jail| { $memo + { $jail[0] => { 'jail_name' => $jail[0], 'jail_content' => { $jail[0] => $jail[1] } } } })
create_resources('fail2ban::action', $actions.reduce({})|$memo, $action| { $memo + { $action[0] => { 'action_name' => $action[0], 'action_content' => $action[1] } } })

file_line { 'fail2ban_sshd_recv_disconnect':
ensure => present,
path => '/etc/fail2ban/filter.d/sshd.conf',
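Review bot: The new `$actions`, `$filters` and `$jails` parameters are typed as bare `Hash`, yet the `create_resources` calls below pass `$filter[1]`, `$action[1]` and `$jail[1]` straight into `*_content`, which the README in this change describes as a section-name → options hash; declaring them as `Hash[String, Hash[String, Hash]] $actions = {}`, `Hash[String, Hash[String, Hash]] $filters = {}` and `Hash[String, Hash] $jails = {}` would reject malformed Hiera data at catalog compilation rather than when fail2ban reads the rendered files. `$ignoreip` is still `Array[String]` while the README row now documents it as `Array[Fail2ban::IP]`; one of the two should be aligned (if that type exists in puppet-fail2ban v7 it would also validate the CIDR and hostname entries the README promises). The three single-line `reduce` expressions are hard to read; `$filters.each |$name, $content| { fail2ban::filter { $name: filter_name => $name, filter_content => $content } }` expresses the same resources without `create_resources`. Because `jail_content` wraps the caller's hash under the jail name while filters and actions are passed through as-is, a comment on the jails line such as `# jails take options directly; the jail name becomes the single section` would spare readers of the data file a surprise. The class body continues past the end of the hunk.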