[Lsb-messages] /var/www/bzr/lsb/devel/puppet-lsb r706: Add fail2ban to buildslaves.

Jeff Licquia licquia at linuxfoundation.org
Fri May 19 14:36:12 UTC 2017


------------------------------------------------------------
revno: 706
committer: Jeff Licquia <licquia at linuxfoundation.org
branch nick: puppet-lsb
timestamp: Fri 2017-05-19 10:36:12 -0400
message:
  Add fail2ban to buildslaves.
added:
  modules/fail2ban/
  modules/fail2ban/files/
  modules/fail2ban/files/buildslave
  modules/fail2ban/manifests/
  modules/fail2ban/manifests/init.pp
modified:
  modules/buildbot/manifests/slave.pp
-------------- next part --------------
=== modified file 'modules/buildbot/manifests/slave.pp'
--- a/modules/buildbot/manifests/slave.pp	2016-09-21 15:35:12 +0000
+++ b/modules/buildbot/manifests/slave.pp	2017-05-19 14:36:12 +0000
@@ -2,6 +2,9 @@
 
     include buildbot::virtualenv
 
+    # Security precaution; we should protect all slaves this way.
+    include fail2ban
+
     # Slave package info has its own module.
     include buildbot::slavepkgs
 

=== added directory 'modules/fail2ban'
=== added directory 'modules/fail2ban/files'
=== added file 'modules/fail2ban/files/buildslave'
--- a/modules/fail2ban/files/buildslave	1970-01-01 00:00:00 +0000
+++ b/modules/fail2ban/files/buildslave	2017-05-19 14:36:12 +0000
@@ -0,0 +1,264 @@
+#       RPH
+
+[DEFAULT]
+findtime  = 3600
+
+bantime = 3600
+
+enabled = true
+
+ignoreip = 127.0.0.1/8 10.0.0.0/8 198.178.231.0/24 198.49.244.0/24
+
+usedns = no
+
+# destemail = fail2ban at owlriver.com
+
+# sender = blocklist at owlriver.com
+
+### reporting
+
+# Report block via blocklist.de fail2ban reporting service API
+# 
+# See the IMPORTANT note in action.d/blocklist_de.conf for when to
+# use this action. Create a file jail.d/blocklist_de.local containing
+### RPH -- this needs to be keyed by each differing server
+# [Init]
+# blocklist_de_apikey = xxx 
+#
+
+
+############# this is the entire tamale
+# [sshd]
+enabled = true
+
+[sshd-ddos]
+enabled = true
+
+[dropbear]
+enabled = true
+
+[selinux-ssh]
+enabled = true
+
+[apache-auth]
+enabled = false
+
+[apache-badbots]
+enabled = false
+
+[apache-noscript]
+enabled = false
+
+[apache-overflows]
+enabled = false
+
+[apache-nohome]
+enabled = false
+
+[apache-botsearch]
+enabled = false
+
+[apache-fakegooglebot]
+enabled = false
+
+[apache-modsecurity]
+enabled = false
+
+[apache-shellshock]
+enabled = false
+
+[openhab-auth]
+enabled = false
+
+[nginx-http-auth]
+enabled = false
+
+[nginx-limit-req]
+enabled = false
+
+[nginx-botsearch]
+enabled = false
+
+[php-url-fopen]
+enabled = false
+
+[suhosin]
+enabled = false
+
+[lighttpd-auth]
+enabled = false
+
+[roundcube-auth]
+enabled = false
+
+[openwebmail]
+enabled = false
+
+[horde]
+enabled = false
+
+[groupoffice]
+enabled = false
+
+[sogo-auth]
+enabled = false
+
+[tine20]
+enabled = false
+
+[drupal-auth]
+enabled = false
+
+[guacamole]
+enabled = false
+
+[monit]
+enabled = false
+
+[webmin-auth]
+enabled = false
+
+[froxlor-auth]
+enabled = false
+
+[squid]
+enabled = false
+
+[3proxy]
+enabled = false
+
+[proftpd]
+enabled = false
+
+[pure-ftpd]
+enabled = false
+
+[gssftpd]
+enabled = false
+
+[wuftpd]
+enabled = false
+
+[vsftpd]
+enabled = false
+
+[assp]
+enabled = false
+
+[courier-smtp]
+enabled = false
+
+[postfix]
+enabled = false
+
+[postfix-rbl]
+enabled = false
+
+[sendmail-auth]
+enabled = true
+
+[sendmail-reject]
+enabled = true
+
+[qmail-rbl]
+enabled = false
+
+[dovecot]
+enabled = false
+
+[sieve]
+enabled = false
+
+[solid-pop3d]
+enabled = false
+
+[exim]
+enabled = false
+
+[exim-spam]
+enabled = false
+
+[kerio]
+enabled = false
+
+[courier-auth]
+enabled = false
+
+[postfix-sasl]
+enabled = false
+
+[perdition]
+enabled = false
+
+[squirrelmail]
+enabled = false
+
+[cyrus-imap]
+enabled = true
+
+[uwimap-auth]
+enabled = false
+
+[named-refused]
+enabled = false
+
+[nsd]
+enabled = false
+
+[asterisk]
+enabled = false
+
+[freeswitch]
+enabled = false
+
+[mysqld-auth]
+enabled = false
+
+[mongodb-auth]
+enabled = false
+
+[recidive]
+enabled = false
+
+[pam-generic]
+enabled = true
+
+[xinetd-fail]
+enabled = false
+
+[stunnel]
+enabled = false
+
+[ejabberd-auth]
+enabled = false
+
+[counter-strike]
+enabled = false
+
+[nagios]
+enabled = true
+
+[oracleims]
+enabled = false
+
+[directadmin]
+enabled = false
+
+[portsentry]
+enabled = false
+
+[pass2allow-ftp]
+enabled = false
+
+[murmur]
+enabled = false
+
+[screensharingd]
+enabled = false
+
+[haproxy-http-auth]
+enabled = false
+
+[slapd]
+enabled = false
+
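Review bot: The `# [sshd]` header near the top of this file is commented out, so the `enabled = true` beneath it falls into `[DEFAULT]` and repeats the key already set there; sshd never gets a section of its own. With `enabled = true` in `[DEFAULT]`, every jail the package defines is on unless this file lists it as `false`, so a jail added by a later fail2ban release would start without review. A strict configparser (Python 3) may also reject the duplicate key outright, which is worth checking against the deployed version. I would drop `enabled = true` from `[DEFAULT]` and restore the header as `[sshd]`, so that, assuming the packaged jail.conf keeps its default of disabled, only the jails marked `true` here are active. The `ignoreip` entry `10.0.0.0/8` exempts the whole private range from bans; confirm that is intended rather than just the build network.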

=== added directory 'modules/fail2ban/manifests'
=== added file 'modules/fail2ban/manifests/init.pp'
--- a/modules/fail2ban/manifests/init.pp	1970-01-01 00:00:00 +0000
+++ b/modules/fail2ban/manifests/init.pp	2017-05-19 14:36:12 +0000
@@ -0,0 +1,22 @@
+class fail2ban {
+
+    package { 'fail2ban':
+        ensure => present
+    }
+
+    package { 'jwhois':
+        ensure => present
+    }
+
+    file { '/etc/fail2ban/jail.d/buildslave':
+        source  => 'puppet:///modules/fail2ban/buildslave',
+        require => Package['fail2ban'],
+        notify  => Service['fail2ban'],
+    }
+
+    service { "fail2ban":
+        ensure => running,
+        require => [ Package['fail2ban'], File['/etc/fail2ban/jail.d/buildslave'] ].
+    }
+
+}
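Review bot: The `require` line of the `service` resource ends in `.` instead of `,`, which should fail to parse and keep the class from compiling. The target `/etc/fail2ban/jail.d/buildslave` also has no suffix, and fail2ban loads only `*.conf` and `*.local` files from `jail.d`, so the jail settings would be ignored without any error; naming it `buildslave.local` fixes that. The file resource sets no owner or mode and the service has no `enable => true`, so the file's permissions depend on agent defaults and the service may not come back after a reboot. The changed lines are sketched below.

```puppet
    file { '/etc/fail2ban/jail.d/buildslave.local':
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        # … unchanged: source, require, notify …
    }

    service { 'fail2ban':
        ensure  => running,
        enable  => true,
        require => [ Package['fail2ban'], File['/etc/fail2ban/jail.d/buildslave.local'] ],
    }
```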


