Theodore Baschak

BOFH. Open Source Guru. Founder/Operator of Hextet Systems, AS395089 and Network Architect for Daemon Defense Systems, AS55101.

Deploying a Host-Specific Fail2Ban Config with SaltStack

Sat, 16 Aug 2014 12:54:56 -0500 » Nerd Projects, Network Monitoring, CLI, Programming, Virtualization, SaltStack, System Administration

Let me start this off by saying that, in this particular example, this is the wrong way to solve the problem. I should be learning more about fail2ban and deploying files in the action.d and filter.d directories; however, this is a really quick and dirty solution to the problem, and it shows off Jinja templating in SaltStack.

This solution builds on my previous post, Deploying Fail2ban Using SaltStack. You may wish to familiarize yourself with this post first.

In this particular case I wanted to deploy a different jail.local to my mail server, which would watch my dovecot and postfix files for auth failures as well as SSH.

fail2ban.sls

# Install fail2ban and keep it running; restart when jail.local changes.
fail2ban:
  pkg:
    - installed
  service:
    - running
    - require:
      - pkg: fail2ban
    - watch:
      - file: /etc/fail2ban/jail.local

# Mail servers (role 'iredmail') get mail-jail.local, everything else the default.
/etc/fail2ban/jail.local:
  file:
    - managed
{% if 'iredmail' in grains['roles'] %}
    - source: salt://settings/fail2ban/mail-jail.local
{% else %}
    - source: salt://settings/fail2ban/jail.local
{% endif %}
    - require:
      - pkg: fail2ban

# Extra filter definitions, deployed to mail servers only.
{% if 'iredmail' in grains['roles'] %}
/etc/fail2ban/filter.d/postfix-sasl.conf:
  file:
    - managed
    - source: salt://settings/fail2ban/mail/filter.d/postfix-sasl.conf
    - require:
      - pkg: fail2ban

/etc/fail2ban/filter.d/dovecot.conf:
  file:
    - managed
    - source: salt://settings/fail2ban/mail/filter.d/dovecot.conf
    - require:
      - pkg: fail2ban

/etc/fail2ban/filter.d/roundcube-auth.conf:
  file:
    - managed
    - source: salt://settings/fail2ban/mail/filter.d/roundcube-auth.conf
    - require:
      - pkg: fail2ban
{% endif %}

This enforces the fail2ban policy suggested on the iRedMail wiki, Addition/Harden.iRedMail.with.Fail2ban. I have also downloaded the latest master filter.d files as suggested, and put them into /srv/salt/settings/fail2ban/mail/filter.d, and required them as well.

I will be converting this from requiring ID, to being based on a role: grain in the near future. This will allow me to roll out mail server protection to new mail servers.
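
A more compact variant of the state above, added here as an example and not taken from the author's repository: it loops over the three filter names instead of repeating the stanza, and has each filter file trigger a fail2ban restart, which the original only does for jail.local. The `enable`, `user`, `group` and `mode` settings and the `is_mail` / `mail_filters` variable names are assumptions; paths and the `iredmail` role are the ones used above.

```yaml
{# Added example, not the original fail2ban.sls. #}
{# grains.get() falls back to an empty list on minions with no 'roles' grain. #}
{% set is_mail = 'iredmail' in grains.get('roles', []) %}
{% set mail_filters = ['postfix-sasl', 'dovecot', 'roundcube-auth'] %}

fail2ban:
  pkg.installed: []
  service.running:
    - enable: True            # assumption: start the service at boot
    - require:
      - pkg: fail2ban
    - watch:
      - file: /etc/fail2ban/jail.local

/etc/fail2ban/jail.local:
  file.managed:
    - source: salt://settings/fail2ban/{{ 'mail-jail.local' if is_mail else 'jail.local' }}
    - user: root              # assumption: root-owned, not group/world writable
    - group: root
    - mode: '0644'
    - require:
      - pkg: fail2ban

{% if is_mail %}
{% for name in mail_filters %}
/etc/fail2ban/filter.d/{{ name }}.conf:
  file.managed:
    - source: salt://settings/fail2ban/mail/filter.d/{{ name }}.conf
    - user: root
    - group: root
    - mode: '0644'
    - require:
      - pkg: fail2ban
    # Restart fail2ban when a filter changes, not only when jail.local does.
    - watch_in:
      - service: fail2ban
{% endfor %}
{% endif %}
```

Grains are set on the minion itself, so a role grain is fine for choosing which fail2ban config a host receives but should not be the only gate for anything sensitive.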

© Theodore Baschak - https://github.com/tbaschak - Powered by Jekyll.