From 722833be07c07adb4b487e1c57fb98b31c4c30f3 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Wed, 20 Nov 2013 21:08:15 +0000
Subject: [PATCH] Apply fail2ban to wordpress
---
 .../fail2ban/definitions/fail2ban_jail.rb | 31 +++++++++++++++++++
 cookbooks/fail2ban/recipes/default.rb | 1 +
 cookbooks/fail2ban/templates/default/jail.erb | 14 +++++++++
 .../wordpress/definitions/wordpress_site.rb | 4 +++
 cookbooks/wordpress/recipes/default.rb | 14 +++++++++
 5 files changed, 64 insertions(+)
 create mode 100644 cookbooks/fail2ban/definitions/fail2ban_jail.rb
diff --git a/cookbooks/fail2ban/definitions/fail2ban_jail.rb b/cookbooks/fail2ban/definitions/fail2ban_jail.rb
new file mode 100644
index 000000000..b73889638
--- /dev/null
+++ b/cookbooks/fail2ban/definitions/fail2ban_jail.rb
@@ -0,0 +1,31 @@
+#
+# Cookbook Name:: networking
+# Definition:: fail2ban_jail
+#
+# Copyright 2013, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+define :fail2ban_jail, :action => :create do
+ config = resources(:template => "/etc/fail2ban/jail.local")
+ config.variables[:jails] << Hash[
+ :name => params[:name],
+ :filter => params[:filter],
+ :logpath => params[:logpath],
+ :protocol => params[:protocol],
+ :port => Array(params[:ports]).join(","),
+ :maxretry => params[:maxretry]
+ ]
+end
diff --git a/cookbooks/fail2ban/recipes/default.rb b/cookbooks/fail2ban/recipes/default.rb
index 3b1752a98..1fe3840cc 100644
--- a/cookbooks/fail2ban/recipes/default.rb
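Review bot: The header comment of the new definition says `# Cookbook Name:: networking`, but the file is created under cookbooks/fail2ban, so the line should read `# Cookbook Name:: fail2ban`. Separately, `:port => Array(params[:ports]).join(",")` turns a missing `ports` parameter into an empty string, and the jail.erb hunk then renders `port = ` with no value (a missing `filter` or `logpath` likewise renders as an empty assignment); a guard in the definition such as `raise ArgumentError, "fail2ban_jail #{params[:name]} needs filter, logpath and ports" unless params[:filter] && params[:logpath] && params[:ports]` would surface a misconfigured jail at converge time instead of emitting a stanza with empty keys. The `resources(:template => "/etc/fail2ban/jail.local")` lookup also presumes the fail2ban default recipe has already been evaluated in the same run; a caller that uses `fail2ban_jail` without including that recipe gets Chef's resource-not-found error rather than a hint about the missing `include_recipe`, which is worth a comment above the lookup.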
+++ b/cookbooks/fail2ban/recipes/default.rb
@@ -24,6 +24,7 @@ template "/etc/fail2ban/jail.local" do
 owner "root"
 group "root"
 mode 0644
+ variables :jails => []
 end
 service "fail2ban" do
diff --git a/cookbooks/fail2ban/templates/default/jail.erb b/cookbooks/fail2ban/templates/default/jail.erb
index fc0f8bdc8..20010d1b2 100644
--- a/cookbooks/fail2ban/templates/default/jail.erb
+++ b/cookbooks/fail2ban/templates/default/jail.erb
@@ -4,3 +4,17 @@ destemail = admins@openstreetmap.org
 banaction = shorewall
 bantime = 14400
+<% @jails.each do |jail| -%>
+
+[<%= jail[:name] %>]
+enabled = true
+<% if jail[:protocol] -%>
+protocol = <%= jail[:protocol] %>
+<% end -%>
+port = <%= jail[:port] %>
+filter = <%= jail[:filter] %>
+logpath = <%= jail[:logpath] %>
+<% if jail[:maxretry] -%>
+maxretry = <%= jail[:maxretry] %>
+<% end -%>
+<% end -%>
diff --git a/cookbooks/wordpress/definitions/wordpress_site.rb b/cookbooks/wordpress/definitions/wordpress_site.rb
index b418f9615..d2aea619d 100644
--- a/cookbooks/wordpress/definitions/wordpress_site.rb
+++ b/cookbooks/wordpress/definitions/wordpress_site.rb
@@ -135,4 +135,8 @@ define :wordpress_site, :action => [ :create, :enable ] do
 url "http://#{name}/wp-admin/upgrade.php?step=1"
 subscribes :get, "subversion[#{directory}]"
 end
+
+ wordpress_plugin "wp-fail2ban" do
+ site name
+ end
 end
diff --git a/cookbooks/wordpress/recipes/default.rb b/cookbooks/wordpress/recipes/default.rb
index 36485d244..bb004f606 100644
--- a/cookbooks/wordpress/recipes/default.rb
+++ b/cookbooks/wordpress/recipes/default.rb
@@ -30,3 +30,17 @@ package "php-apc"
 apache_module "php5"
 apache_module "rewrite"
+
+remote_file "/etc/fail2ban/filter.d/wordpress.conf" do
+ action :create_if_missing
+ source "http://plugins.svn.wordpress.org/wp-fail2ban/trunk/wordpress.conf"
+ owner "root"
+ group "root"
+ mode 0644
+end
+
+fail2ban_jail "wordpress" do
+ filter "wordpress"
+ logpath "/var/log/auth.log"
+ ports 80, 443
+end
--
2.43.2
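Review bot: The `remote_file` for `/etc/fail2ban/filter.d/wordpress.conf` in the wordpress recipe hunk fetches the filter over plain HTTP with no `checksum`, so the regexes that decide which clients fail2ban bans are whatever answers that URL at first converge, with no integrity check; a substituted file could just as easily match nothing (the jail protects nothing) as match routine log lines (legitimate visitors banned), and neither would be noticed by Chef. Vendor the known-good filter into the cookbook as a `cookbook_file`, or at least use an `https://` source together with `remote_file`'s `checksum` attribute so an altered download fails the run instead of being installed. `action :create_if_missing` also means the filter is never refreshed after the first run, so later changes to the plugin's log lines will not reach the node; a comment such as `# fetched once only; replace the file by hand when wp-fail2ban changes its log format` would keep that from surprising the next maintainer. The recipe continues outside the hunk, so I cannot see whether `include_recipe "fail2ban"` precedes `fail2ban_jail "wordpress"`; without it the definition's `resources(:template => ...)` lookup fails at compile time.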