Use fail2ban to block nominatim abusers
authorTom Hughes <tom@compton.nu>
Mon, 15 Jun 2015 20:11:34 +0000 (21:11 +0100)
committerTom Hughes <tom@compton.nu>
Mon, 15 Jun 2015 20:11:34 +0000 (21:11 +0100)
cookbooks/fail2ban/providers/filter.rb
cookbooks/fail2ban/resources/filter.rb
cookbooks/fail2ban/templates/default/filter.erb [new file with mode: 0644]
cookbooks/nominatim/metadata.rb
cookbooks/nominatim/recipes/default.rb

index 840dc48251596d029987b5ebdb05848e841b00df..4e786770eef16e988f4b485b1638cb572e4c412c 100644 (file)
@@ -24,11 +24,23 @@ end
 use_inline_resources
 
 action :create do
-  remote_file "/etc/fail2ban/filter.d/#{new_resource.name}.conf" do
-    source new_resource.source
-    owner "root"
-    group "root"
-    mode 0644
+  if new_resource.source
+    remote_file "/etc/fail2ban/filter.d/#{new_resource.name}.conf" do
+      source new_resource.source
+      owner "root"
+      group "root"
+      mode 0644
+    end
+  else
+    template "/etc/fail2ban/filter.d/#{new_resource.name}.conf" do
+      cookbook "fail2ban"
+      source "filter.erb"
+      owner "root"
+      group "root"
+      mode 0644
+      variables :failregex => new_resource.failregex,
+                :ignoreregex => new_resource.ignoreregex
+    end
   end
 end
 
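Review bot: Nothing in the new `action :create` requires a filter to have either `source` or `failregex`; when both are unset the `else` branch reaches the `template` call and filter.erb (the new-file hunk below) renders `failregex = ` empty, since `Array(nil).join` yields `""`, leaving fail2ban with a filter that matches nothing while the jail that references it looks configured. A guard before the branch turns that into a converge-time error instead: `raise ArgumentError, "fail2ban_filter #{new_resource.name} needs :source or :failregex" unless new_resource.source || new_resource.failregex`. The regex values are also written into the config verbatim, so a string containing a newline would become further directives; as the values come from recipes this is a caveat worth a comment rather than a defect. A one-line comment above the `if` stating that `source` takes precedence over `failregex`/`ignoreregex` would make the branch self-explanatory.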
index 0a13c836a46c0d726a6e2b083366036a2109e681..b28e8f6c7aa673ddea0700bda3429f55c4f79851 100644 (file)
@@ -22,6 +22,8 @@ default_action :create
 
 attribute :name, :kind_of => String, :name_attribute => true
 attribute :source, :kind_of => String
+attribute :failregex, :kind_of => [String, Array]
+attribute :ignoreregex, :kind_of => [String, Array]
 
 def after_created
   notifies :reload, "service[fail2ban]"
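Review bot: The new `failregex`/`ignoreregex` attributes carry no indication of how they relate to `source`; from the provider change in this commit, `source` takes precedence and the regexes are only rendered (through filter.erb) when `source` is nil, with an Array value becoming one pattern per continuation line. A reader of the resource file alone cannot see that, so add above the two attributes: `# Used only when :source is unset: rendered into filter.erb; an Array gives one pattern per line.` The `after_created` body continues outside the hunk.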
diff --git a/cookbooks/fail2ban/templates/default/filter.erb b/cookbooks/fail2ban/templates/default/filter.erb
new file mode 100644 (file)
index 0000000..cb46b08
--- /dev/null
@@ -0,0 +1,5 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
+[Definition]
+failregex = <%= Array(@failregex).join("\n            ") %>
+ignoreregex = <%= Array(@ignoreregex).join("\n              ") %>
index c587054c079e6c1cc8afce74172a4bae32a9d848..189873e911b2da611df94d7f4cd8fad361107bc1 100644 (file)
@@ -8,3 +8,4 @@ version           "1.0.0"
 depends           "apache"
 depends           "postgresql"
 depends           "git"
+depends           "fail2ban"
index 14b1852b5ff2535b3d6c859228e3546287049dd2..df5f6618f89dcb38d35387f70998a74f4f0f7ed2 100644 (file)
@@ -284,3 +284,14 @@ directory "/data/postgresql-archive" do
   mode 0700
   only_if { node[:postgresql][:settings][:defaults][:archive_mode] == "on" }
 end
+
+fail2ban_filter "nominatim" do
+  failregex '^<HOST> - - \[[^]]+\] "[^"]+" (403|429) '
+end
+
+fail2ban_jail "nominatim" do
+  filter "nominatim"
+  logpath "/var/log/apache2/nominatim.openstreetmap.org-access.log"
+  ports [80, 443]
+  maxretry 100
+end
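Review bot: The `fail2ban_jail "nominatim"` block sets `maxretry 100` but neither the observation window nor the ban length, so the effective policy depends on fail2ban's `findtime` and `bantime` defaults from jail.conf, which cannot be read off the recipe and shifts if the packaged defaults change; if the jail resource exposes those settings (not visible here) set them explicitly, otherwise record the assumed values in a comment next to `maxretry`. The `failregex` also needs a why-comment, since it counts every 403 and 429 response as a failure and silently assumes the Apache combined log layout (`- -` for ident and user): `# Ban clients that keep receiving 403/429 (blocked or rate-limited by the API); matches combined-format access log lines`. Because 403 covers any forbidden URL, a client that merely keeps hitting restricted paths could accumulate 100 hits within the window, so either document why 403 is included alongside 429 or narrow the pattern to the rate-limit status.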