sous-chefs / fail2ban
Development repository for the fail2ban cookbook
Home Page: https://supermarket.chef.io/cookbooks/fail2ban
License: Apache License 2.0
The current base images for CentOS and RHEL on Softlayer are logging ssh errors to /var/log/messages rather than /var/log/secure. Because fail2ban is monitoring the other one, the cookbook configuration doesn't work by default:
http://serverfault.com/questions/646167/why-is-fail2ban-not-banning-this-attack/673112
I would suggest modifying the default for the cookbook to monitor both log files for CentOS and RHEL, either by having two paths in the logpath directive or by defining two separate jails, one for /var/log/secure and one for /var/log/messages.
Cookbook version: 5.0.0
Chef-client version: 12.7.2
Platform: CentOS 7.2 via Kitchen

$ ohai --version
Ohai: 8.10.0

Scenario: Installing fail2ban via the default recipe.
I'm using the following .kitchen.yml file:

```yaml
---
driver:
  name: vagrant
provisioner:
  name: chef_solo
  require_chef_omnibus: 12.7.2
platforms:
  - name: centos-7.2
suites:
  - name: default
    run_list:
      - recipe[fail2ban::default]
    attributes:
```

and execute `kitchen converge`.
fail2ban is installed.
chef-client throws an error:
```text
Recipe: fail2ban::default
* yum_package[fail2ban] action install
- install version 0.9.7-1.el7 of package fail2ban
* ohai[reload package list] action reload
- re-run ohai and merge results into node attributes
* ohai[reload package list] action nothing (skipped due to action :nothing)
* template[/etc/fail2ban/fail2ban.conf] action create
================================================================================
Error executing action `create` on resource 'template[/etc/fail2ban/fail2ban.conf]'
================================================================================
NoMethodError
-------------
undefined method `[]' for nil:NilClass
Cookbook Trace:
---------------
/tmp/kitchen/cookbooks/fail2ban/recipes/default.rb:46:in `block (2 levels) in from_file'
/tmp/kitchen/cookbooks/compat_resource/files/lib/chef_compat/monkeypatches/chef/property.rb:11:in `get'
/tmp/kitchen/cookbooks/compat_resource/files/lib/chef_compat/monkeypatches/chef/mixin/params_validate.rb:11:in `get'
/tmp/kitchen/cookbooks/compat_resource/files/lib/chef_compat/monkeypatches/chef/runner.rb:78:in `run_action'
/tmp/kitchen/cookbooks/compat_resource/files/lib/chef_compat/monkeypatches/chef/runner.rb:106:in `block (2 levels) in converge'
/tmp/kitchen/cookbooks/compat_resource/files/lib/chef_compat/monkeypatches/chef/runner.rb:106:in `each'
/tmp/kitchen/cookbooks/compat_resource/files/lib/chef_compat/monkeypatches/chef/runner.rb:106:in `block in converge'
/tmp/kitchen/cookbooks/compat_resource/files/lib/chef_compat/monkeypatches/chef/runner.rb:105:in `converge'
Resource Declaration:
---------------------
# In /tmp/kitchen/cookbooks/fail2ban/recipes/default.rb
41: template '/etc/fail2ban/fail2ban.conf' do
42: source 'fail2ban.conf.erb'
43: owner 'root'
44: group 'root'
45: mode '0644'
46: variables(lazy { { f2b_version: node['packages']['fail2ban']['version'].match(/^[0-9]+\.[0-9]+/)[0].to_f } })
47: notifies :restart, 'service[fail2ban]'
48: end
49:
Compiled Resource:
------------------
# Declared in /tmp/kitchen/cookbooks/fail2ban/recipes/default.rb:41:in `from_file'
template("/etc/fail2ban/fail2ban.conf") do
action [:create]
retries 0
retry_delay 2
default_guard_interpreter :default
source "fail2ban.conf.erb"
variables #<Chef::DelayedEvaluator:0x00000003d85e98@/tmp/kitchen/cookbooks/fail2ban/recipes/default.rb:46>
declared_type :template
cookbook_name :fail2ban
recipe_name "default"
owner "root"
group "root"
mode "0644"
atomic_update true
path "/etc/fail2ban/fail2ban.conf"
end
Running handlers:
[2018-02-15T08:52:36+00:00] ERROR: Running exception handlers
Running handlers complete
[2018-02-15T08:52:36+00:00] ERROR: Exception handlers complete
Chef Client failed. 7 resources updated in 21 seconds
[2018-02-15T08:52:36+00:00] FATAL: Stacktrace dumped to /tmp/kitchen/cache/chef-stacktrace.out
[2018-02-15T08:52:36+00:00] FATAL: Please provide the contents of the stacktrace.out file if you file a bug report
[2018-02-15T08:52:36+00:00] ERROR: template[/etc/fail2ban/fail2ban.conf] (fail2ban::default line 41) had an error: NoMethodError: undefined method `[]' for nil:NilClass
[2018-02-15T08:52:37+00:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)
```
I've added the kitchen config file to make it easier for you to reproduce the issue. We are also seeing the same error on our servers.
Cookbook version: 4.0.1
Chef-client version: 13.6.4
Platform: Fedora 27
Scenario: Start and enable fail2ban
Steps to reproduce: Run on Fedora 27
Expected result: Run should enable and start fail2ban
Actual result: Doesn't start or enable due to platform_family not matching in recipes/default.rb:

```ruby
service 'fail2ban' do
  supports [status: true, restart: true]
  action [:enable, :start] if platform_family?('rhel')
  action [:enable] if platform_family?('debian')
end
```
Adding fedora as a platform_family in my wrapper cookbook fixed it.

```text
ohai | grep platform_family
[2018-01-07T21:31:23+00:00] INFO: The plugin path /etc/chef/ohai/plugins does not exist. Skipping...
"platform_family": "fedora",
```
Cookbook version: 6.0.0
Chef-client version: 14.12.9
Platform: CentOS 7
Create Fail2Ban Jail Configuration using fail2ban_jail resource (here for SSH service).
```ruby
fail2ban_jail 'ssh' do
  ports %w(ssh)
  filter 'sshd'
  logpath node['fail2ban']['auth_log']
  maxretry 6
end
```
Created Fail2Ban Jail Configuration (here for SSH service).
The fail2ban_jail resource does not provide a filter property. The following may work:

```ruby
property :filter, String, required: true
```
Results in the following error:

```text
NoMethodError
-------------
undefined method `filter' for Custom resource fail2ban_jail from cookbook fail2ban
Cookbook Trace:
---------------
/tmp/kitchen/cache/cookbooks/fail2ban-wrapper/recipes/default.rb:11:in `block in from_file'
/tmp/kitchen/cache/cookbooks/fail2ban-wrapper/recipes/default.rb:9:in `from_file'
Relevant File Content:
----------------------
/tmp/kitchen/cache/cookbooks/fail2ban-wrapper/recipes/default.rb:
6:
7: include_recipe 'fail2ban'
8:
9: fail2ban_jail 'ssh' do
10: ports %w(ssh)
11>> filter 'sshd'
12: logpath node['fail2ban']['auth_log']
13: end
14:
System Info:
------------
chef_version=14.12.9
platform=centos
platform_version=7.6.1810
ruby=ruby 2.5.5p157 (2019-03-15 revision 67260) [x86_64-linux]
program_name=/opt/chef/bin/chef-client
executable=/opt/chef/bin/chef-client
```
Additionally, the wrong attribute is given to the internal template resource of the fail2ban_jail resource. The problematic code is the following line:

```ruby
# ...
property :source, String, default: 'jail.erb'
# ...
template "/etc/fail2ban/jail.d/50-#{new_resource.jail}.conf" do
  # ...
  source new_resource.filter # Problematic code
  # ...
end
# ...
```
Should be:

```ruby
# ...
property :source, String, default: 'jail.erb'
# ...
template "/etc/fail2ban/jail.d/50-#{new_resource.jail}.conf" do
  # ...
  source new_resource.source # Fix
  # ...
end
# ...
```
Without this fix the fail2ban_jail resource will not work properly. See: https://github.com/chef-cookbooks/fail2ban/blob/v6.0.0/resources/jail.rb#L33
Cookbook version: 6.0.0
Chef-client version: 14.12.9
Platform: CentOS 7
I want to set the priority of the Fail2Ban Jail in conf.d directory.
Call fail2ban_jail resource. This should be an improvement.
Expect to create Fail2Ban Jail with priority in conf.d directory for Jail.
Priority is hardcoded to 50.
```ruby
# ...
action :create do
  template "/etc/fail2ban/jail.d/50-#{new_resource.jail}.conf" do # priority hardcoded to 50
    # ...
  end
end
# ...
```
Should be something like:

```ruby
# ...
property :priority, [String, Integer], default: '50'
# ...
action :create do
  template "/etc/fail2ban/jail.d/#{new_resource.priority}-#{new_resource.jail}.conf" do # priority taken from the property
    # ...
  end
end
# ...
```
See https://github.com/chef-cookbooks/fail2ban/blob/v6.0.0/resources/jail.rb#L31.
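A plain-Ruby model of what a corrected `fail2ban_jail` resource would render, added here as an example (it is not the cookbook's own resource code) so the three points raised in the two reports above can be checked without a Chef run: `filter` is a property of its own and optional, `source` selects the template, and the jail.d priority is a property rather than a literal "50-". The `Jail` class, the ERB text, the `TEMPLATES` table and the default values are assumptions of this example.

```ruby
require 'erb'

# Stand-in for the cookbook's jail.erb (assumed text): only settings that
# were explicitly given are written, so anything left nil falls back to
# fail2ban's own defaults for that jail.
JAIL_ERB = <<~ERB
  [<%= jail %>]
  enabled = true
  <%- settings.each do |key, value| -%>
  <%= key %> = <%= value %>
  <%- end -%>
ERB

# Templates a `source` property may name; only the default exists here.
TEMPLATES = { 'jail.erb' => JAIL_ERB }.freeze

class Jail
  attr_reader :jail, :filter, :ports, :logpath, :maxretry, :priority, :source

  # `source` names the ERB template (resource default 'jail.erb'); `filter`
  # names the fail2ban failregex filter. They are distinct properties, which
  # is why `source new_resource.filter` in the resource is a bug.
  def initialize(jail, filter: nil, ports: nil, logpath: nil, maxretry: nil,
                 priority: 50, source: 'jail.erb')
    @jail, @filter, @ports, @logpath = jail, filter, ports, logpath
    @maxretry, @priority, @source = maxretry, priority, source
  end

  # Drop-in path: the numeric prefix decides load order in jail.d, so it
  # belongs in a property instead of the hardcoded "50-".
  def path
    "/etc/fail2ban/jail.d/#{priority}-#{jail}.conf"
  end

  # Non-nil properties only; `filter` is optional because fail2ban defaults
  # it to the jail name, so a bare Jail.new('dovecot') must still render.
  def settings
    { 'filter' => filter, 'port' => ports && ports.join(','),
      'logpath' => logpath, 'maxretry' => maxretry }.compact
  end

  # Raises KeyError when `source` names an unknown template, which is what
  # happens once a filter name such as 'sshd' is passed where a template
  # name belongs.
  def render
    ERB.new(TEMPLATES.fetch(source), trim_mode: '-').result(binding)
  end

  # Order in which fail2ban reads the drop-ins (lexical by file name).
  def self.load_order(jails)
    jails.map(&:path).sort
  end
end
```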
Thanks for taking the time to fill in this bug report fully. Without it we may not be able to fix the bug, and the issue may be closed without resolution.
The delivery check is failing.
Version of the cookbook where you are encountering the issue.
Version of chef-client in your environment.
Operating system distribution and release version. Cloud provider if running in the cloud.
Steps to reproduce the behavior:
All checks including integration tests should pass.
Add any other context about the problem here. e.g. related issues or existing pull requests.
Chef has released updated cookstyle rules, so we should run the auto-fix against the cookbook. With chef-workstation installed, run:

```shell
cookstyle -a
```
Issue sprouted from sous-chefs/meta/issues/111. If not applicable then issue should be closed.
Modern versions of fail2ban support .d folders, which should allow for fail2ban LWRPs and the removal of the monolithic config. Let's see what OS releases include the versions supporting this and get a LWRP going.
A meta-issue. If I open a ticket here, it asks me to see the guidelines for contributing. They say to open a ticket in Jira, but Jira tells me to open a ticket here.
I'm pretty sure here is the right location?
In version 4.0 of this cookbook it's impossible to change the log level of fail2ban. In version 3.1.0 of this cookbook it was possible to change it but it was removed.
Is there a reason why?
At least for Ubuntu 16.04 LTS which has version 0.9.3 of fail2ban you can set the log level using one of these values.
Ubuntu 14.04 LTS seems to use 0.8.x where the values are different.
Does that mean that Ubuntu 14.04 is not supported anymore after version 4.0 of this cookbook?
Cookbook version: 3.1.0
Chef-client version: [Version of chef-client in your environment]
Platform: Ubuntu 16.04
fail2ban version: 0.9.3-1

Steps to reproduce: Install cookbook as is - fails to start fail2ban
Expected result: cookbook works on current version of ubuntu
Actual result: cookbook doesn't work
Including this recipe and the community/chef iptables recipe doesn't always end up putting fail2ban rules in the current iptables chains.
"fail2ban","version":"5.0.1"
chef-12.20.3-1.el7.x86_64
chef-server-core-12.15.8-1.el7.x86_64
Red Hat Enterprise Linux Server release 7.4 (Maipo)
Linux 3.10.0-693.17.1.el7.x86_64 x86_64 GNU/Linux
Fail2ban cannot start with the command: systemctl start fail2ban.service
Error captured in /var/log/messages:

```text
chef fail2ban-client: ERROR There is no directory /var/run/fail2ban to contain the socket file /var/run/fail2ban/fail2ban.sock.
chef systemd: fail2ban.service: control process exited, code=exited status=255
chef systemd: Failed to start Fail2Ban Service.
chef systemd: Unit fail2ban.service entered failed state.
```

3. Manually create the missing dir (mkdir -p /var/run/fail2ban)
4. Fail2ban was properly started with the command: systemctl start fail2ban.service

It should be possible to start Fail2ban without changing the paths (when the Fail2ban cookbook is included via Berksfile).
Actually, Fail2ban was included via Berksfile; variables are overwritten with environment variables.
If we change the path of the fail2ban.sock file from /var/run/fail2ban/fail2ban.sock to /var/run/fail2ban.sock, other installation parts will still use the old path. A temporary fix would be to manually create the missing /var/run/fail2ban dir.
Hello
Using fail2ban on CentOS 7, SMTP relay attempts are not blocked.
Adding this regex to postfix.conf solves the problem. Can you add it by default?

```text
^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+[]: 454 4.7.1 .*$
```

For info, the log lines for these attempts are:

```text
Mar 1 18:26:24 server postfix/smtpd[14970]: NOQUEUE: reject: RCPT from unknown[50.60.146.24]: 454 4.7.1 [email protected]: Relay access denied; from=[email protected] to=[email protected] proto=SMTP helo=<relaytest.mydnstools.info>
Mar 1 18:26:25 server postfix/smtpd[14970]: NOQUEUE: reject: RCPT from unknown[50.60.146.24]: 454 4.7.1 returntest%[email protected]: Relay access denied; from=[email protected] to=returntest%[email protected] proto=SMTP helo=<relaytest.mydnstools.info>
Mar 1 18:26:25 server postfix/smtpd[14970]: NOQUEUE: reject: RCPT from unknown[50.60.146.24]: 454 4.7.1 [email protected]: Relay access denied; from=[email protected] to=[email protected] proto=SMTP helo=<relaytest.mydnstools.info>
```
Thanks
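A small re-implementation of how fail2ban applies a filter's failregex, added here as an example (not code from the issue or the cookbook) to check that a relay-denial pattern of the shape proposed above, with fail2ban's `<HOST>` tag marking the client address, matches postfix lines like the ones quoted and ignores unrelated smtpd lines. The sample log, the addresses 192.0.2.10 / 198.51.100.7 and the `PREFIX_LINE` / `HOST` stand-ins for fail2ban's `%(__prefix_line)s` and `<HOST>` substitutions (IPv4 only here) are constructed for this example.

```ruby
# Simplified stand-ins for fail2ban's substitutions (assumed, IPv4 only):
# %(__prefix_line)s covers the syslog timestamp, host and "postfix/smtpd[pid]: ".
PREFIX_LINE = '\A\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \S+ postfix/smtpd\[\d+\]: '
HOST = '(?<host>\d{1,3}(?:\.\d{1,3}){3})'

# The failregex as it would be written in a fail2ban filter file: <HOST>
# marks the client address the jail acts on.
RELAY_DENIED = '^%(__prefix_line)sNOQUEUE: reject: RCPT from \S+\[<HOST>\]: 454 4\.7\.1 .*$'

# Expand both substitutions into a plain Ruby Regexp. The block form of sub
# is used so backslashes in the replacement text are not reinterpreted.
def compile_failregex(failregex)
  Regexp.new(failregex.sub('^%(__prefix_line)s') { PREFIX_LINE }.sub('<HOST>') { HOST })
end

# Tally matching lines per host, as fail2ban does before comparing the count
# with a jail's maxretry (the findtime window is not modelled here).
def count_failures(lines, regex)
  lines.each_with_object(Hash.new(0)) do |line, tally|
    m = regex.match(line)
    tally[m[:host]] += 1 if m
  end
end

# Hosts whose failure count reached maxretry within the sample.
def hosts_to_ban(lines, regex, maxretry)
  count_failures(lines, regex).select { |_, n| n >= maxretry }.keys
end

# Constructed sample: three relay probes from one client, plus two unrelated
# smtpd lines that must not count (a connect and a 450 sender rejection).
SAMPLE_LOG = <<~LOG.lines(chomp: true)
  Mar  1 18:26:24 server postfix/smtpd[14970]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 454 4.7.1 <test@example.org>: Relay access denied; from=<probe@example.net> to=<test@example.org> proto=SMTP helo=<relaytest.example.net>
  Mar  1 18:26:25 server postfix/smtpd[14970]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 454 4.7.1 <test%example.org@example.com>: Relay access denied; from=<probe@example.net> to=<test%example.org@example.com> proto=SMTP helo=<relaytest.example.net>
  Mar  1 18:26:25 server postfix/smtpd[14970]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 454 4.7.1 <test@example.org>: Relay access denied; from=<probe@example.net> to=<test@example.org> proto=SMTP helo=<relaytest.example.net>
  Mar  1 18:27:02 server postfix/smtpd[14971]: connect from mail.example.com[198.51.100.7]
  Mar  1 18:27:03 server postfix/smtpd[14971]: NOQUEUE: reject: RCPT from mail.example.com[198.51.100.7]: 450 4.1.8 <x@example.invalid>: Sender address rejected: Domain not found; from=<x@example.invalid> to=<me@example.org> proto=ESMTP helo=<mail.example.com>
LOG

if __FILE__ == $PROGRAM_NAME
  regex = compile_failregex(RELAY_DENIED)
  puts count_failures(SAMPLE_LOG, regex).inspect  # {"192.0.2.10"=>3}
  puts hosts_to_ban(SAMPLE_LOG, regex, 3).inspect # ["192.0.2.10"]
end
```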
Update all CHANGELOGs to follow standard defined at https://keepachangelog.com/
Issue sprouted from sous-chefs/meta/issues/101. If not applicable then issue should be closed.
As part of our build process we should build each possible operating system separately
Run `dokken list`; you should see a list of builds with dokken as the provider.

```shell
dokken list -j | ./circleci_maker.rb > .circleci/config.yml
```
Issue sprouted from sous-chefs/meta/issues/112. If not applicable then issue should be closed.
If the only thing in the .rubocop.yml is Dangerfile:
Run the latest cookstyle
Remove .rubocop.yml
Issue sprouted from sous-chefs/meta/issues/108. If not applicable then issue should be closed.
Hi ,
I'm able to receive fail2ban start and stop notifications, but I'm not able to get an email notification when it is banning the IP address.
Please can you help me out on this?
Thanks,
Naveen
Expand the specs to cover each OS we support
The fail2ban.conf created by this cookbook doesn't have a pidfile entry. On Ubuntu 14.04 this generates warnings on restart/reload/etc:

```text
 * Reloading authentication failure monitor fail2ban
WARNING 'pidfile' not defined in 'Definition'. Using default one: '/var/run/fail2ban/fail2ban.pid'
   [ OK ]
```

Warning emails are also generated by the weekly logrotate, so it's pretty annoying.
For Ubuntu 10.04~14.04 (the versions I have handy..), it should have:

```text
pidfile = /var/run/fail2ban/fail2ban.pid
```

in fail2ban.conf, but this path may be different on Redhat? I'd make a pull request but I don't have any non-ubuntu boxes to test it on, sorry.
The attributes fail2ban.syslog_target & fail2ban.syslog_facility respectively set syslog-target & syslog-facility in the fail2ban.conf template.
I'm skeptical they do anything. fail2ban/server/server.py:378 indicates this is hardcoded to the daemon facility. I also have no idea what the syslog-target line could be about.
Unless there is an actual use for them, they should be removed.
A patch has already been submitted to correct the cookbook on Ubuntu 18.04, but a new release has not been submitted to the Supermarket. Would it be possible to tag and submit a new release so this cookbook will correctly work with Ubuntu 18.04+?
On the repo, ensure that Dangerfile matches https://github.com/sous-chefs/repo-management/blob/master/Dangerfile
Issue sprouted from sous-chefs/meta/issues/110. If not applicable then issue should be closed.
The Fail2ban cookbook (and Chef::Provider::Service) assumes Upstart for Ubuntu, but from 15.10 fail2ban uses systemd now. The cookbook adds the wrong entries and seems to break the fail2ban installation.
Fix: remove and purge fail2ban.
I then added the following to the cookbook (end of default.rb):

```ruby
service 'fail2ban' do
  supports [:status => true, :restart => true]
  action [:enable, :start]
  if platform?('ubuntu') && node['platform_version'].to_f >= 15.10
    provider Chef::Provider::Service::Systemd
  end
  if (platform?('ubuntu') && node['platform_version'].to_f < 12.04) ||
     (platform?('debian') && node['platform_version'].to_f < 7)
    # status command returns non-0 value only since fail2ban 0.8.6-3 (Debian)
    status_command "/etc/init.d/fail2ban status | grep -q 'is running'"
  end
end
```
Happy to propose a change, if someone can give a newbie a pointer or two
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
This repository currently has no open or pending branches.
.github/workflows/ci.yml
sous-chefs/.github 3.1.1
actions/checkout v4
actionshub/chef-install 3.0.0
actionshub/test-kitchen 3.0.0
.github/workflows/stale.yml
actions/stale v9
Cookbook version: 6.0.0
Chef-client version: 15.0.300

```text
System Info:
------------
chef_version=15.0.300
platform=centos
platform_version=6.10
ruby=ruby 2.6.3p62 (2019-04-16 revision 67580) [x86_64-linux]
program_name=chef-client worker: ppid=28983;start=20:27:22;
executable=/opt/chef/bin/chef-client
```
Used to do:
```ruby
default_attributes fail2ban: {
  services: {
    'dovecot' => { enabled: 'true' },
    'postfix-sasl' => { enabled: 'true' }
  }
}
```

which worked fine, since it produced

```ini
[dovecot]
enabled = true
```
which works perfectly, as other fields end up using defaults.
Trying to update to the new resource-based approach, but this doesn't work.
```ruby
fail2ban_jail 'dovecot'
fail2ban_jail 'postfix-sasl'
```
Same result as before.
undefined method `filter' for Custom resource fail2ban_jail from cookbook fail2ban
because of unconditional use of new_resource.filter in fail2ban::default.