From: Tom Hughes
Date: Mon, 15 Jun 2015 20:11:34 +0000 (+0100)
Subject: Use fail2ban to block nominatim abusers
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/9391df3f714e695bd47ed4122065617e8d3461d9?hp=6d1e54ea9e1a63b69b52eff117b0c54be427d6fd
Use fail2ban to block nominatim abusers
---
diff --git a/cookbooks/fail2ban/providers/filter.rb b/cookbooks/fail2ban/providers/filter.rb
index 840dc4825..4e786770e 100644
--- a/cookbooks/fail2ban/providers/filter.rb
+++ b/cookbooks/fail2ban/providers/filter.rb
@@ -24,11 +24,23 @@ end
 use_inline_resources
 action :create do
- remote_file "/etc/fail2ban/filter.d/#{new_resource.name}.conf" do
- source new_resource.source
- owner "root"
- group "root"
- mode 0644
+ if new_resource.source
+ remote_file "/etc/fail2ban/filter.d/#{new_resource.name}.conf" do
+ source new_resource.source
+ owner "root"
+ group "root"
+ mode 0644
+ end
+ else
+ template "/etc/fail2ban/filter.d/#{new_resource.name}.conf" do
+ cookbook "fail2ban"
+ source "filter.erb"
+ owner "root"
+ group "root"
+ mode 0644
+ variables :failregex => new_resource.failregex,
+ :ignoreregex => new_resource.ignoreregex
+ end
 end
 end
diff --git a/cookbooks/fail2ban/resources/filter.rb b/cookbooks/fail2ban/resources/filter.rb
index 0a13c836a..b28e8f6c7 100644
--- a/cookbooks/fail2ban/resources/filter.rb
+++ b/cookbooks/fail2ban/resources/filter.rb
@@ -22,6 +22,8 @@ default_action :create
 attribute :name, :kind_of => String, :name_attribute => true
 attribute :source, :kind_of => String
+attribute :failregex, :kind_of => [String, Array]
+attribute :ignoreregex, :kind_of => [String, Array]
 def after_created
 notifies :reload, "service[fail2ban]"
diff --git a/cookbooks/fail2ban/templates/default/filter.erb b/cookbooks/fail2ban/templates/default/filter.erb
new file mode 100644
index 000000000..cb46b08af
--- /dev/null
+++ b/cookbooks/fail2ban/templates/default/filter.erb
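Review bot: Nothing in the new `action :create` guards the template branch against a resource that sets neither `source` nor `failregex`: the `else` branch then renders `failregex =` with an empty value, which leaves the filter matching nothing and, as far as I recall, makes fail2ban refuse to start any jail that references it — and the attribute declarations added in the resources/filter.rb hunk (`:kind_of => [String, Array]`, no required flag) do not catch that case either. A guard at the top of the action such as `raise ArgumentError, "fail2ban_filter #{new_resource.name}: set either source or failregex" unless new_resource.source || new_resource.failregex` would turn the silent misconfiguration into a converge-time failure. Since the `remote_file` branch wins whenever both attributes are set, a one-line comment above the `if` would make that precedence explicit: `# An explicit source file takes precedence over an inline failregex.`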
@@ -0,0 +1,5 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
+[Definition]
+failregex = <%= Array(@failregex).join("\n ") %>
+ignoreregex = <%= Array(@ignoreregex).join("\n ") %>
diff --git a/cookbooks/nominatim/metadata.rb b/cookbooks/nominatim/metadata.rb
index c587054c0..189873e91 100644
--- a/cookbooks/nominatim/metadata.rb
+++ b/cookbooks/nominatim/metadata.rb
@@ -8,3 +8,4 @@ version "1.0.0"
 depends "apache"
 depends "postgresql"
 depends "git"
+depends "fail2ban"
diff --git a/cookbooks/nominatim/recipes/default.rb b/cookbooks/nominatim/recipes/default.rb
index 14b1852b5..df5f6618f 100644
--- a/cookbooks/nominatim/recipes/default.rb
+++ b/cookbooks/nominatim/recipes/default.rb
@@ -284,3 +284,14 @@ directory "/data/postgresql-archive" do
 mode 0700
 only_if { node[:postgresql][:settings][:defaults][:archive_mode] == "on" }
 end
+
+fail2ban_filter "nominatim" do
+ failregex '^ - - \[[^]]+\] "[^"]+" (403|429) '
+end
+
+fail2ban_jail "nominatim" do
+ filter "nominatim"
+ logpath "/var/log/apache2/nominatim.openstreetmap.org-access.log"
+ ports [80, 443]
+ maxretry 100
+end
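Review bot: The new template carries no note on the contract it implements, and a reader has to know fail2ban's INI conventions to see why `join("\n ")` is written with a leading space: each element of `Array(@failregex)` lands on its own line, and the space is what makes the parser treat the following lines as a continuation of the same `failregex` value, while a nil `@ignoreregex` renders as an empty `ignoreregex =`. A comment under the DO NOT EDIT line along the lines of `# Each array element becomes one continuation line of the value; every failregex must contain <HOST> so fail2ban knows which address to ban` would spare the next author a trip to the fail2ban docs. As I recall fail2ban reads these files through a ConfigParser that performs `%`-interpolation, so it is also worth recording that a literal `%` in a regex has to be written `%%`; please confirm against the fail2ban version deployed before adding that sentence.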
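Review bot: The `failregex` as it reads in this hunk, `'^ - - \[[^]]+\] "[^"]+" (403|429) '`, contains no `<HOST>` tag, and fail2ban requires that tag (the address to ban) in every failregex and rejects a filter without it. If the tag was lost in rendering (the pattern does begin with what follows the client address in an Apache access-log line), ignore this; otherwise the line should read `failregex '^<HOST> - - \[[^]]+\] "[^"]+" (403|429) '`. The jail sets `maxretry 100` but neither `findtime` nor `bantime`, so fail2ban's defaults decide both the counting window and the ban length, and the ban is driven entirely by the server's own 403/429 responses; a short comment above `fail2ban_jail "nominatim"` recording that intent, e.g. `# Ban clients that keep hitting the rate limit: 100 403/429 responses within fail2ban's default findtime, on 80/443`, would keep the threshold from looking arbitrary. I cannot see the `fail2ban_jail` resource's attribute list on this page, so whether `findtime`/`bantime` can be set from the recipe is an inference to check.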