From c278e5cab5759b45c1cbbdbf8a690c95d6276228 Mon Sep 17 00:00:00 2001 From: Gabriel Filion Date: Fri, 23 Aug 2024 18:30:04 -0400 Subject: [PATCH] Add missing options on main class and jail (Close: #47) This time the list is exhaustive since I've gone and read the python code for fail2ban. The most interesting options that were missing were bantime.* that lets one tune up exponential banning for repeat offenders. --- REFERENCE.md | 104 +++++++++++++++++++++++++++++++++ manifests/config.pp | 3 + manifests/init.pp | 36 ++++++++++++ manifests/jail.pp | 14 +++++ templates/debian/jail.conf.epp | 38 ++++++++++-- templates/jail.epp | 9 ++- types/bantime_extra.pp | 12 ++++ 7 files changed, 209 insertions(+), 7 deletions(-) create mode 100644 types/bantime_extra.pp diff --git a/REFERENCE.md b/REFERENCE.md index 7db4e35..e5436d2 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -27,6 +27,7 @@ services running on a computer. * [`Fail2ban::AutoOrFlag`](#Fail2ban--AutoOrFlag): A boolean flag that can also be set to the string 'auto'. * [`Fail2ban::Backend`](#Fail2ban--Backend): Backend names that fail2ban understands Can be one of the pre-defined backend names, "systemd" with optionally a list of parameters between s +* [`Fail2ban::Bantime_extra`](#Fail2ban--Bantime_extra): Optional additional bantime.* options. See manifests/init.pp for details about what each option means. * [`Fail2ban::Dbfile`](#Fail2ban--Dbfile): Where fail2ban's database gets stored. None disables storage * [`Fail2ban::Loglevel`](#Fail2ban--Loglevel): How much logging is needed from fail2ban * [`Fail2ban::Logtarget`](#Fail2ban--Logtarget): Where logs are sent @@ -101,6 +102,7 @@ The following parameters are available in the `fail2ban` class: * [`logpath`](#-fail2ban--logpath) * [`logencoding`](#-fail2ban--logencoding) * [`logtimezone`](#-fail2ban--logtimezone) +* [`datepattern`](#-fail2ban--datepattern) * [`prefregex`](#-fail2ban--prefregex) * [`failregex`](#-fail2ban--failregex) * [`ignoreregex`](#-fail2ban--ignoreregex) @@ -109,10 +111,12 @@ The following parameters are available in the `fail2ban` class: * [`ignorecommand`](#-fail2ban--ignorecommand) * [`ignorecache`](#-fail2ban--ignorecache) * [`maxretry`](#-fail2ban--maxretry) +* [`maxlines`](#-fail2ban--maxlines) * [`maxmatches`](#-fail2ban--maxmatches) * [`findtime`](#-fail2ban--findtime) * [`action`](#-fail2ban--action) * [`bantime`](#-fail2ban--bantime) +* [`bantime_extra`](#-fail2ban--bantime_extra) * [`banaction`](#-fail2ban--banaction) * [`banaction_allports`](#-fail2ban--banaction_allports) * [`chain`](#-fail2ban--chain) @@ -352,6 +356,17 @@ Force a timezone by default for logs that don't specify them on timestamps. Default value: `undef` +##### `datepattern` + +Data type: `Optional[String]` + +Change the default format of recognized dates. Warning: it is generally +not recommended to change the global value, if at all. If you need to +change the datepattern for some reason, it is usually recommended to set +this paramter at filter level. + +Default value: `undef` + ##### `prefregex` Data type: `Optional[String]` @@ -424,6 +439,16 @@ for it to get banned. Default value: `3` +##### `maxlines` + +Data type: `Optional[Integer[1]]` + +Default number of lines to buffer for regex search. Used for multi-line +regexes. Note that it is rather unsual to set a default global value for +this, and it is usually rather set on a filter itself. + +Default value: `undef` + ##### `maxmatches` Data type: `Variant[Integer[1], String]` @@ -457,6 +482,36 @@ Default duration in number of seconds to ban an IP address for. Default value: `'10m'` +##### `bantime_extra` + +Data type: `Optional[Fail2ban::Bantime_extra]` + +Set of additional optional settings relating to bantime. The keys in this +structure are set in the configuration file as `bantime.$key`. The +different possible keys are: + * increment: boolean. set to true to make IP search happen across all + jails instead of only the one being processed. + * maxtime: string. maximum number of seconds that the formula (see below) + can reach. + * rndtime: string. upper bounds in seconds for ban time randomization (to + prevent bots from guessing the exact ban time) + * formula: string. python mathematical expression used for calculating + next value of ban time. The values provided by the formula are + multiplied by `bantime` and by the factor exponent coefficient to give + the actual amount of time that an IP gets banned. + * factor: sting. coefficient to calculate exponent growing of the + ban times. The default value is 1, thus the bantime grows by 1, 2, 4, + 8, 16... + * multipliers: string. if set, used to calculate the next ban times + instead of the formula. numbers are used sequentially until the last + one is reached, at which point the same value will be used for all + subsequent bantimes. + * overalljails: boolean. if set to true, search for IP in the database + will be done across all jails instead of only the currently processed + jail. + +Default value: `undef` + ##### `banaction` Data type: `String` @@ -925,6 +980,7 @@ The following parameters are available in the `fail2ban::jail` defined type: * [`logpath`](#-fail2ban--jail--logpath) * [`logencoding`](#-fail2ban--jail--logencoding) * [`logtimezone`](#-fail2ban--jail--logtimezone) +* [`datepattern`](#-fail2ban--jail--datepattern) * [`prefregex`](#-fail2ban--jail--prefregex) * [`failregex`](#-fail2ban--jail--failregex) * [`ignoreregex`](#-fail2ban--jail--ignoreregex) @@ -933,10 +989,12 @@ The following parameters are available in the `fail2ban::jail` defined type: * [`ignorecommand`](#-fail2ban--jail--ignorecommand) * [`ignorecache`](#-fail2ban--jail--ignorecache) * [`maxretry`](#-fail2ban--jail--maxretry) +* [`maxlines`](#-fail2ban--jail--maxlines) * [`maxmatches`](#-fail2ban--jail--maxmatches) * [`findtime`](#-fail2ban--jail--findtime) * [`action`](#-fail2ban--jail--action) * [`bantime`](#-fail2ban--jail--bantime) +* [`bantime_extra`](#-fail2ban--jail--bantime_extra) * [`banaction`](#-fail2ban--jail--banaction) * [`banaction_allports`](#-fail2ban--jail--banaction_allports) * [`chain`](#-fail2ban--jail--chain) @@ -1041,6 +1099,14 @@ Force a timezone if the logs don't specify them on timestamps. Default value: `undef` +##### `datepattern` + +Data type: `Optional[String]` + +Change the format of dates recognized by the filter this jail uses. + +Default value: `undef` + ##### `prefregex` Data type: `Optional[String[1]]` @@ -1115,6 +1181,15 @@ Number of failregex matches during findtime after which an IP gets banned. Default value: `undef` +##### `maxlines` + +Data type: `Optional[Integer[1]]` + +Number of lines to buffer for filter's regex search when looking for +multi-line regex matches. + +Default value: `undef` + ##### `maxmatches` Data type: `Optional[Variant[Integer[1], String]]` @@ -1150,6 +1225,16 @@ failregex happen for the same IP during findtime. Default value: `undef` +##### `bantime_extra` + +Data type: `Optional[Fail2ban::Bantime_extra]` + +Set of additional optional settings relating to bantime. The keys in this +structure are set in the configuration file as `bantime.$key`. See the +same parameter in class fail2ban for more details on the possible values. + +Default value: `undef` + ##### `banaction` Data type: `Optional[String]` @@ -1262,6 +1347,25 @@ of parameters between square brackets or a python-style variable Alias of `Variant[Enum['auto','pyinotify','gamin','polling'], Pattern[/^systemd(\[.*\]$)?/], Pattern[/%\(\w+\)s/]]` +### `Fail2ban::Bantime_extra` + +Optional additional bantime.* options. See manifests/init.pp for details +about what each option means. + +Alias of + +```puppet +Struct[{ + Optional[increment] => Boolean, + Optional[factor] => String[1], + Optional[formula] => String[1], + Optional[multipliers] => String[1], + Optional[maxtime] => String[1], + Optional[rndtime] => String[1], + Optional[overalljails] => Boolean, +}] +``` + ### `Fail2ban::Dbfile` Where fail2ban's database gets stored. None disables storage diff --git a/manifests/config.pp b/manifests/config.pp index 3bdb731..6cdc24a 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -58,13 +58,16 @@ ignorecommand => $fail2ban::ignorecommand, ignorecache => $fail2ban::ignorecache, bantime => $fail2ban::bantime, + bantime_extra => $fail2ban::bantime_extra, findtime => $fail2ban::findtime, maxretry => $fail2ban::maxretry, + maxlines => $fail2ban::maxlines, maxmatches => $fail2ban::maxmatches, backend => $fail2ban::backend, usedns => $fail2ban::usedns, logencoding => $fail2ban::logencoding, logtimezone => $fail2ban::logtimezone, + datepattern => $fail2ban::datepattern, logpath => $fail2ban::logpath, enabled => $fail2ban::enabled, mode => $fail2ban::mode, diff --git a/manifests/init.pp b/manifests/init.pp index c5b3e98..363202d 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -103,6 +103,11 @@ # is set in the system's locale setting. # @param logtimezone # Force a timezone by default for logs that don't specify them on timestamps. +# @param datepattern +# Change the default format of recognized dates. Warning: it is generally +# not recommended to change the global value, if at all. If you need to +# change the datepattern for some reason, it is usually recommended to set +# this paramter at filter level. # @param prefregex # Regular expression to parse common part in every message. # @param failregex @@ -127,6 +132,10 @@ # @param maxretry # Default number of times an IP should be detectd by a filter during findtime # for it to get banned. +# @param maxlines +# Default number of lines to buffer for regex search. Used for multi-line +# regexes. Note that it is rather unsual to set a default global value for +# this, and it is usually rather set on a filter itself. # @param maxmatches # Number of matches stored in ticket. # @param findtime @@ -136,6 +145,30 @@ # of times a filter within findtime. # @param bantime # Default duration in number of seconds to ban an IP address for. +# @param bantime_extra +# Set of additional optional settings relating to bantime. The keys in this +# structure are set in the configuration file as `bantime.$key`. The +# different possible keys are: +# * increment: boolean. set to true to make IP search happen across all +# jails instead of only the one being processed. +# * maxtime: string. maximum number of seconds that the formula (see below) +# can reach. +# * rndtime: string. upper bounds in seconds for ban time randomization (to +# prevent bots from guessing the exact ban time) +# * formula: string. python mathematical expression used for calculating +# next value of ban time. The values provided by the formula are +# multiplied by `bantime` and by the factor exponent coefficient to give +# the actual amount of time that an IP gets banned. +# * factor: sting. coefficient to calculate exponent growing of the +# ban times. The default value is 1, thus the bantime grows by 1, 2, 4, +# 8, 16... +# * multipliers: string. if set, used to calculate the next ban times +# instead of the formula. numbers are used sequentially until the last +# one is reached, at which point the same value will be used for all +# subsequent bantimes. +# * overalljails: boolean. if set to true, search for IP in the database +# will be done across all jails instead of only the currently processed +# jail. # @param banaction # Default action name extrapolated when defining some of the default actions. # @param banaction_allports @@ -188,6 +221,7 @@ Array[String] $logpath = [], String $logencoding = 'auto', Optional[String] $logtimezone = undef, + Optional[String] $datepattern = undef, Optional[String] $prefregex = undef, Optional[Variant[String, Array[String[1]]]] $failregex = undef, Optional[Variant[String, Array[String[1]]]] $ignoreregex = undef, @@ -196,10 +230,12 @@ Optional[String] $ignorecommand = undef, Optional[String] $ignorecache = undef, Integer[1] $maxretry = 3, + Optional[Integer[1]] $maxlines = undef, Variant[Integer[1], String] $maxmatches = '%(maxretry)s', Fail2ban::Time $findtime = '10m', Variant[String, Array[String, 1]] $action = ['%(action_)s'], Fail2ban::Time $bantime = '10m', + Optional[Fail2ban::Bantime_extra] $bantime_extra = undef, String $banaction = 'iptables-multiport', String $banaction_allports = 'iptables-allports', String $chain = 'INPUT', diff --git a/manifests/jail.pp b/manifests/jail.pp index 87c3658..abf36c3 100644 --- a/manifests/jail.pp +++ b/manifests/jail.pp @@ -78,6 +78,8 @@ # is set in the system's locale setting. # @param logtimezone # Force a timezone if the logs don't specify them on timestamps. +# @param datepattern +# Change the format of dates recognized by the filter this jail uses. # @param prefregex # Regular expression to parse common part in every message for this jail. # @param failregex @@ -104,6 +106,9 @@ # repeatedly. # @param maxretry # Number of failregex matches during findtime after which an IP gets banned. +# @param maxlines +# Number of lines to buffer for filter's regex search when looking for +# multi-line regex matches. # @param maxmatches # Number of matches stored in ticket. # @param findtime @@ -115,6 +120,10 @@ # @param bantime # Time period in seconds for which an IP is banned if maxretry matches of # failregex happen for the same IP during findtime. +# @param bantime_extra +# Set of additional optional settings relating to bantime. The keys in this +# structure are set in the configuration file as `bantime.$key`. See the +# same parameter in class fail2ban for more details on the possible values. # @param banaction # Name of the action that is extrapolated in default action definitions, or # in the action param. This can let you override the action name but keep the @@ -164,6 +173,7 @@ Array[String] $logpath = [], Optional[String] $logencoding = undef, Optional[String] $logtimezone = undef, + Optional[String] $datepattern = undef, Optional[String[1]] $prefregex = undef, Optional[Array[String[1]]] $failregex = undef, Optional[Array[String[1]]] $ignoreregex = undef, @@ -172,10 +182,12 @@ Optional[String] $ignorecommand = undef, Optional[String] $ignorecache = undef, Optional[Integer[1]] $maxretry = undef, + Optional[Integer[1]] $maxlines = undef, Optional[Variant[Integer[1], String]] $maxmatches = undef, Optional[Fail2ban::Time] $findtime = undef, Optional[Variant[String, Array[String, 1]]] $action = undef, Optional[Fail2ban::Time] $bantime = undef, + Optional[Fail2ban::Bantime_extra] $bantime_extra = undef, Optional[String] $banaction = undef, Optional[String] $banaction_allports = undef, Optional[String] $chain = undef, @@ -233,10 +245,12 @@ ignorecommand => $ignorecommand, ignorecache => $ignorecache, maxretry => $maxretry, + maxlines => $maxlines, maxmatches => $maxmatches, findtime => $findtime, action => $real_action, bantime => $bantime, + bantime_extra => $bantime_extra, banaction => $banaction, banaction_allports => $banaction_allports, chain => $chain, diff --git a/templates/debian/jail.conf.epp b/templates/debian/jail.conf.epp index aafee1f..e000090 100644 --- a/templates/debian/jail.conf.epp +++ b/templates/debian/jail.conf.epp @@ -44,29 +44,42 @@ before = paths-debian.conf # MISCELLANEOUS OPTIONS # +<% if $bantime_extra !~ Undef { -%> +<% if $bantime_extra['increment'] !~ Undef { -%> # "bantime.increment" allows to use database for searching of previously banned ip's to increase a # default ban time using special formula, default it is banTime * 1, 2, 4, 8, 16, 32... -#bantime.increment = true +bantime.increment = <%= $bantime_extra['increment'] %> +<% } -%> +<% if $bantime_extra['rndtime'] !~ Undef { -%> # "bantime.rndtime" is the max number of seconds using for mixing with random time # to prevent "clever" botnets calculate exact time IP can be unbanned again: -#bantime.rndtime = +bantime.rndtime = <%= $bantime_extra['rndtime'] %> +<% } -%> +<% if $bantime_extra['maxtime'] !~ Undef { -%> # "bantime.maxtime" is the max number of seconds using the ban time can reach (doesn't grow further) -#bantime.maxtime = +bantime.maxtime = <%= $bantime_extra['maxtime'] %> +<% } -%> +<% if $bantime_extra['factor'] !~ Undef { -%> # "bantime.factor" is a coefficient to calculate exponent growing of the formula or common multiplier, # default value of factor is 1 and with default value of formula, the ban time # grows by 1, 2, 4, 8, 16 ... -#bantime.factor = 1 +bantime.factor = <%= $bantime_extra['factor'] %> +<% } -%> +<% if $bantime_extra['formula'] !~ Undef { -%> # "bantime.formula" used by default to calculate next value of ban time, default value below, # the same ban time growing will be reached by multipliers 1, 2, 4, 8, 16, 32... #bantime.formula = ban.Time * (1<<(ban.Count if ban.Count<20 else 20)) * banFactor # # more aggressive example of formula has the same values only for factor "2.0 / 2.885385" : #bantime.formula = ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor) +bantime.formula = <%= $bantime_extra['formula'] %> +<% } -%> +<% if $bantime_extra['multipliers'] !~ Undef { -%> # "bantime.multipliers" used to calculate next value of ban time instead of formula, coresponding # previously ban count and given "bantime.factor" (for multipliers default is 1); # following example grows ban time by 1, 2, 4, 8, 16 ... and if last ban count greater as multipliers count, @@ -74,12 +87,16 @@ before = paths-debian.conf #bantime.multipliers = 1 2 4 8 16 32 64 # following example can be used for small initial ban time (bantime=60) - it grows more aggressive at begin, # for bantime=60 the multipliers are minutes and equal: 1 min, 5 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day -#bantime.multipliers = 1 5 30 60 300 720 1440 2880 +bantime.multipliers = <%= $bantime_extra['multipliers'] %> +<% } -%> +<% if $bantime_extra['multipliers'] !~ Undef { -%> # "bantime.overalljails" (if true) specifies the search of IP in the database will be executed # cross over all jails, if false (dafault), only current jail of the ban IP will be searched -#bantime.overalljails = false +bantime.overalljails = <%= $bantime_extra['multipliers'] %> +<% } -%> +<% } -%> # -------------------- # "ignoreself" specifies whether the local resp. own IP addresses should be ignored @@ -110,6 +127,11 @@ findtime = <%= $findtime %> # "maxretry" is the number of failures before a host get banned. maxretry = <%= $maxretry %> +<% if $maxlines !~ Undef { -%> + +# "maxlines" sets the number of lines to buffer for regex search +maxlines = <%= $maxlines %> +<% } -%> # "maxmatches" is the number of matches stored in ticket (resolvable via tag in actions). maxmatches = <%= $maxmatches %> @@ -160,6 +182,10 @@ logpath = <%= $logpath.join("\n ") %> # Force timezone for all log files by default logtimezone = <%= $logtimezone %> <% } -%> +<% if $datepattern !~ Undef { -%> +# Global date pattern +datepattern = <%= $datepattern %> +<% } -%> # "enabled" enables the jails. # By default all jails are disabled, and it should stay this way. diff --git a/templates/jail.epp b/templates/jail.epp index 4d70e4e..2542534 100644 --- a/templates/jail.epp +++ b/templates/jail.epp @@ -1,7 +1,14 @@ [<%= $jail_name %>] <% $options.each |String $opt, Any $value| { - if $value !~ Undef { + if $opt.stdlib::start_with('bantime_extra') { + $value.each |String $bt_opt, Any $bt_value| { +-%> +bantime.<%= $bt_opt %> = <%= $bt_value %> +<% + } + } + elsif $value !~ Undef { if $value =~ Array { # This looks horrible but the Puppet DSL doesn't seem to offer a better # way to generate a string of x repetitions of a substring more easily diff --git a/types/bantime_extra.pp b/types/bantime_extra.pp new file mode 100644 index 0000000..b9c7e66 --- /dev/null +++ b/types/bantime_extra.pp @@ -0,0 +1,12 @@ +# Optional additional bantime.* options. See manifests/init.pp for details +# about what each option means. +# +type Fail2ban::Bantime_extra = Struct[{ + Optional[increment] => Boolean, + Optional[factor] => String[1], + Optional[formula] => String[1], + Optional[multipliers] => String[1], + Optional[maxtime] => String[1], + Optional[rndtime] => String[1], + Optional[overalljails] => Boolean, +}]