Home

Awesome

fail2ban Cookbook

Cookbook Version CI State OpenCollective OpenCollective License

Installs and configures fail2ban, a utility that watches logs for failed login attempts and blocks repeat offenders with firewall rules. On Redhat systems this cookbook will enable the EPEL repository in order to retrieve the fail2ban package.

Maintainers

This cookbook is maintained by the Sous Chefs. The Sous Chefs are a community of Chef cookbook maintainers working together to maintain important cookbooks. If you’d like to know more please visit sous-chefs.org or come chat with us on the Chef Community Slack in #sous-chefs.

Requirements

Platforms

Chef

Cookbooks

Recipes

default

Installs the fail2ban package, manages 2 templates: /etc/fail2ban/fail2ban.conf and /etc/fail2ban/jail.conf, and manages the fail2ban service.

Attributes

This cookbook has a set of configuration options for fail2ban

This cookbook has a set of configuration options for jail.conf

This cookbook makes use of a hash to compile the jail.local-file and filter config files:

default['fail2ban']['services'] = {
  'ssh' => {
        "enabled" => "true",
        "port" => "ssh",
        "filter" => "sshd",
        "logpath" => node['fail2ban']['auth_log'],
        "maxretry" => "6"
     },
  'smtp' => {
        "enabled" => "true",
        "port" => "smtp",
        "filter" => "smtp",
        "logpath" => node['fail2ban']['auth_log'],
        "maxretry" => "6"
     }
}

The following attributes can be used per service:

Creating custom fail2ban filters:

default['fail2ban']['filters'] = {
  'nginx-proxy' => {
        "failregex" => ["^<HOST> -.*GET http.*"],
        "ignoreregex" => []
     },
}

In the case you would like to get Slack notifications on IP addresses banned/unbanned, this cookbook supports it by setting the following attributes:

# A Slack webhook looks like this:
# https://hooks.slack.com/services/A123BCD4E/FG5HI6KLM/7n8opqrsT9UVWxyZ0AbCdefG
default['fail2ban']['slack_webhook'] = nil
# Then setting the Slack channel name without the hashtag (#)
default['fail2ban']['slack_channel'] = 'general'

Then you will get notifications like this:

[hostname] Banned 🇳🇬 217.117.13.12 in the jail sshd after 5 attempts

Resources

fail2ban_filter

Manages fail2ban filters in /etc/fail2ban/filters.d/.

Actions

Properties

Examples

Configure a file for webmin authentication with multiple regular expressions matching the failure.

fail2ban_filter 'webmin-auth' do
  failregex ["^%(__prefix_line)sNon-existent login as .+ from <HOST>\s*$",
             "^%(__prefix_line)sInvalid login as .+ from <HOST>\s*$"]
end

fail2ban_jail

Manages fail2ban jails in /etc/fail2ban/jail.d/.

Actions

Properties

Examples

Create a new fail2ban jail for SSH that uses existing filter sshd and which bans client after 3 tries.

fail2ban_jail 'ssh' do
  ports %w(ssh)
  filter 'sshd'
  logpath node['fail2ban']['auth_log']
  maxretry 3
end

Issues related to rsyslog

If you are using rsyslog parameter "$RepeatedMsgReduction on" in rsyslog.conf file then you can get "Last message repeated N times" in system log file (for example auth.log). Fail2ban will not work because the internal counter maxretry will not expand the repeated messages. Change parameter "$RepeatedMsgReduction off" in rsyslog.conf file for maximum accuracy of failed login attempts.

This rsyslog parameter is default ON for ubuntu 12.04 LTS for example.

Contributors

This project exists thanks to all the people who contribute.

Backers

Thank you to all our backers!

https://opencollective.com/sous-chefs#backers

Sponsors

Support this project by becoming a sponsor. Your logo will show up here with a link to your website.

https://opencollective.com/sous-chefs/sponsor/0/website https://opencollective.com/sous-chefs/sponsor/1/website https://opencollective.com/sous-chefs/sponsor/2/website https://opencollective.com/sous-chefs/sponsor/3/website https://opencollective.com/sous-chefs/sponsor/4/website https://opencollective.com/sous-chefs/sponsor/5/website https://opencollective.com/sous-chefs/sponsor/6/website https://opencollective.com/sous-chefs/sponsor/7/website https://opencollective.com/sous-chefs/sponsor/8/website https://opencollective.com/sous-chefs/sponsor/9/website