Apply fail2ban to wordpress

diff --git a/cookbooks/fail2ban/definitions/fail2ban_jail.rb b/cookbooks/fail2ban/definitions/fail2ban_jail.rb
new file mode 100644 (file)
index 0000000..b738896
--- /dev/null
+++ b/cookbooks/fail2ban/definitions/fail2ban_jail.rb
@@ -0,0 +1,31 @@
+#
+# Cookbook Name:: networking
+# Definition:: fail2ban_jail
+#
+# Copyright 2013, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+define :fail2ban_jail, :action => :create do
+  config = resources(:template => "/etc/fail2ban/jail.local")
+
+  config.variables[:jails] << Hash[
+    :name => params[:name],
+    :filter => params[:filter],
+    :logpath => params[:logpath],
+    :protocol => params[:protocol],
+    :port => Array(params[:ports]).join(","),
+    :maxretry => params[:maxretry]
+  ]
+end

diff --git a/cookbooks/fail2ban/recipes/default.rb b/cookbooks/fail2ban/recipes/default.rb
index 3b1752a988c3b61566fed4a46a3e7423a9b10cbc..1fe3840cce1e58e3c2c82d39c6352f396013f06a 100644 (file)
--- a/cookbooks/fail2ban/recipes/default.rb
+++ b/cookbooks/fail2ban/recipes/default.rb
@@ -24,6 +24,7 @@ template "/etc/fail2ban/jail.local" do
   owner "root"
   group "root"
   mode 0644
+  variables :jails => []
 end
 
 service "fail2ban" do

diff --git a/cookbooks/fail2ban/templates/default/jail.erb b/cookbooks/fail2ban/templates/default/jail.erb
index fc0f8bdc8befe9ab92434d1d131adb2d3e48ae10..20010d1b217854e12304a2983fa729811f45edb1 100644 (file)
--- a/cookbooks/fail2ban/templates/default/jail.erb
+++ b/cookbooks/fail2ban/templates/default/jail.erb
@@ -4,3 +4,17 @@
 destemail = admins@openstreetmap.org
 banaction = shorewall
 bantime = 14400
+<% @jails.each do |jail| -%>
+
+[<%= jail[:name] %>]
+enabled = true
+<% if jail[:protocol] -%>
+protocol = <%= jail[:protocol] %>
+<% end -%>
+port = <%= jail[:port] %>
+filter = <%= jail[:filter] %>
+logpath = <%= jail[:logpath] %>
+<% if jail[:maxretry] -%>
+maxretry = <%= jail[:maxretry] %>
+<% end -%>
+<% end -%>

diff --git a/cookbooks/wordpress/definitions/wordpress_site.rb b/cookbooks/wordpress/definitions/wordpress_site.rb
index b418f96150f47e495164b64ea05fd8c8bf0c4acc..d2aea619d06524e1d244e95498e517296165f0c8 100644 (file)
--- a/cookbooks/wordpress/definitions/wordpress_site.rb
+++ b/cookbooks/wordpress/definitions/wordpress_site.rb
@@ -135,4 +135,8 @@ define :wordpress_site, :action => [ :create, :enable ] do
     url "http://#{name}/wp-admin/upgrade.php?step=1"
     subscribes :get, "subversion[#{directory}]"
   end
+
+  wordpress_plugin "wp-fail2ban" do
+    site name
+  end
 end

diff --git a/cookbooks/wordpress/recipes/default.rb b/cookbooks/wordpress/recipes/default.rb
index 36485d244b7cb9fa621cdf9f1e1673d5cfd49cfe..bb004f6063de45748a66f47628e7fba4e0fb061a 100644 (file)
--- a/cookbooks/wordpress/recipes/default.rb
+++ b/cookbooks/wordpress/recipes/default.rb
@@ -30,3 +30,17 @@ package "php-apc"
 
 apache_module "php5"
 apache_module "rewrite"
+
+remote_file "/etc/fail2ban/filter.d/wordpress.conf" do
+  action :create_if_missing
+  source "http://plugins.svn.wordpress.org/wp-fail2ban/trunk/wordpress.conf"
+  owner "root"
+  group "root"
+  mode 0644
+end
+
+fail2ban_jail "wordpress" do
+  filter "wordpress"
+  logpath "/var/log/auth.log"
+  ports 80, 443
+end