This project aims to install the Shared Fail2Ban Client (host) and API Server with an easy-to-implement and readable Puppet module.
Hopefully this won't significantly clash with other modules from PuppetForge, but we cannot guarantee it.
This is a sanitised version of an internal module, but we do welcome any issues or PRs that may fix any significant issues or add simple features.
This module contains a static version of the Shared Fail2Ban Project. As such, there may be bugs that have since been fixed; we suggest updating the files in the files/shared directory with the latest version.
The authors of this project are currently Adam Boutcher and Paul Clark.
This has been developed at the Durham GridPP Site (UKI-SCOTGRID-DURHAM) and the Institute for Particle Physics Phenomenology, Durham University.
Related works and partial works have been presented to the WLCG Security Operations Centre at CERN.
- Create a new directory in your module directory named "fail2ban".
- Copy this repo (or git clone) into the fail2ban directory.
- Update your environment (if using Foreman).
- Ensure you have the mysql module from PuppetForge and SELinux module from PuppetForge installed as the server depends on them.
- Update your database details under fail2ban::server
- Add a user for each client intending to connect
- Only apply the class fail2ban::server to your server
- Update your database details under fail2ban::server and files/shared_server/api_cfg.py
- Ensure the api.wsgi file is correct for your distro (e.g. Python 3.6 or 3.9 etc.)
- Only apply the class fail2ban::server::api to your API server
- We highly recommend enabling SSL; LetsEncrypt/Certbot is simple and easy
  - You will need to uncomment the last few lines in files/shared_server/http_api.conf to force redirects to SSL
- Update your database details if using SQL, or your API token if using the API, on the server
- Update your database details if using SQL, or your API token if using the API, in the client (manifests/params.pp)
- Only apply the class fail2ban::shared to your clients
All warnings and notices mentioned in the parent project apply to this.
In no way do we endorse the current scripts as production ready (although they are currently deployed in some production environments). We cannot guarantee their safety, especially as these are aimed at Cyber Security deployments.
Please read and understand before you deploy into your environments.
This module is aimed at deploying onto CentOS 7, EL8 and EL9. Other distros probably won't work.
Released under the GPLv3; related works may be different.