From ad8f13659e6b61eda0d81106368777ec999d3641 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Mon, 18 Nov 2013 21:12:48 +0000
Subject: [PATCH] Setup fail2ban everywhere
---
 cookbooks/fail2ban/README.md | 57 +++++++++++++++++++
 cookbooks/fail2ban/metadata.rb | 6 ++
 cookbooks/fail2ban/recipes/default.rb | 33 +++++++++++
 cookbooks/fail2ban/templates/default/jail.erb | 6 ++
 roles/base.rb | 3 +-
 5 files changed, 104 insertions(+), 1 deletion(-)
 create mode 100644 cookbooks/fail2ban/README.md
 create mode 100644 cookbooks/fail2ban/metadata.rb
 create mode 100644 cookbooks/fail2ban/recipes/default.rb
 create mode 100644 cookbooks/fail2ban/templates/default/jail.erb
diff --git a/cookbooks/fail2ban/README.md b/cookbooks/fail2ban/README.md
new file mode 100644
index 000000000..6b087690a
--- /dev/null
+++ b/cookbooks/fail2ban/README.md
@@ -0,0 +1,57 @@
+DESCRIPTION
+===========
+
+Configures networking.
+
+USAGE
+=====
+
+Set the networking attributes in a role, for example from my base.rb:
+
+ :networking => {
+ :nameservers => [ "10.13.37.120", "10.13.37.40" ],
+ :search => [ "int.example.org". "example.org" ]
+ }
+
+The resulting /etc/resolv.conf will look like:
+
+ search int.example.org example.org
+ nameserver 10.13.37.120
+ nameserver 10.13.37.40
+
+LICENSE AND AUTHOR
+==================
+
+Author:: OpenStreetMap Administrators ()
+
+Copyright 2010, OpenStreetMap Foundation.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Based on resolver cookbook:
+
+Author:: Joshua Timberman ()
+
+Copyright 2009, Opscode, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/cookbooks/fail2ban/metadata.rb b/cookbooks/fail2ban/metadata.rb
new file mode 100644
index 000000000..e29f3cd55
--- /dev/null
+++ b/cookbooks/fail2ban/metadata.rb
@@ -0,0 +1,6 @@
+maintainer "OpenStreetMap Administrators"
+maintainer_email "admins@openstreetmap.org"
+license "Apache 2.0"
+description "Configures fail2ban"
+long_description IO.read(File.join(File.dirname(__FILE__), 'README.md'))
+version "1.0.0"
diff --git a/cookbooks/fail2ban/recipes/default.rb b/cookbooks/fail2ban/recipes/default.rb
new file mode 100644
index 000000000..3b1752a98
--- /dev/null
+++ b/cookbooks/fail2ban/recipes/default.rb
@@ -0,0 +1,33 @@
+#
+# Cookbook Name:: fail2ban
+# Recipe:: default
+#
+# Copyright 2013, OpenStreetMap Foundation
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package "fail2ban"
+
+template "/etc/fail2ban/jail.local" do
+ source "jail.erb"
+ owner "root"
+ group "root"
+ mode 0644
+end
+
+service "fail2ban" do
+ action [ :enable, :start ]
+ supports :status => true, :reload => true, :restart => true
+ subscribes :reload, "template[/etc/fail2ban/jail.local]"
+end
diff --git a/cookbooks/fail2ban/templates/default/jail.erb b/cookbooks/fail2ban/templates/default/jail.erb
new file mode 100644
index 000000000..fc0f8bdc8
--- /dev/null
+++ b/cookbooks/fail2ban/templates/default/jail.erb
@@ -0,0 +1,6 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
+[DEFAULT]
+destemail = admins@openstreetmap.org
+banaction = shorewall
+bantime = 14400
diff --git a/roles/base.rb b/roles/base.rb
index 2e2805142..06bcaf9a2 100644
--- a/roles/base.rb
+++ b/roles/base.rb
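Review bot: `long_description` reads README.md, but the README added in this same patch still opens with "Configures networking." and documents `:networking` attributes and /etc/resolv.conf, so the cookbook's long description will describe a different cookbook. The README should be rewritten for fail2ban before it is used here, opening with `Configures fail2ban.` and stating that the recipe writes /etc/fail2ban/jail.local with `banaction = shorewall`. The metadata also declares no `depends`; if the shorewall ban action is expected to come from another cookbook (not visible in this patch), a comment or dependency line saying so would help.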
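Review bot: Nothing in recipes/default.rb ensures the ban backend exists before the service is enabled: the recipe installs only the `fail2ban` package, while the template it renders hard-codes `banaction = shorewall` and roles/base.rb applies the recipe to every node. If any base-role node runs without shorewall (not determinable from this patch), fail2ban would still detect failures, but its ban command would fail, so the host would look protected without blocking anything. Consider making the ban action a node attribute rendered by the template, for example `banaction = <%= node[:fail2ban][:banaction] %>` (attribute name is a suggestion), with shorewall as the default only where it is installed. A short comment above the `template` resource such as `# jail.local assumes shorewall is installed and running on this node` would at least record the assumption.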
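Review bot: The `[DEFAULT]` section in jail.erb sets `bantime = 14400` (four hours) but no `ignoreip`, so repeated failed logins from an administrator or monitoring address would lock that address out of every base-role host for the full ban period. An allowlist line such as `ignoreip = 127.0.0.1/8 <ADMIN_NETWORKS_PLACEHOLDER>` would bound that risk. `destemail` is only used by mail-sending actions (`action_mw` / `action_mwl`), so unless the packaged default `action` is one of those, no notification will be sent; either set `action` explicitly or note in a template comment that mail is not expected. No jail is enabled in this file, so which services are actually protected depends on what the distribution's jail.conf enables by default, which is worth stating in a comment next to `[DEFAULT]`.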
@@ -79,5 +79,6 @@ run_list(
 "recipe[openssh]",
 "recipe[sysctl]",
 "recipe[sysfs]",
- "recipe[tools]"
+ "recipe[tools]",
+ "recipe[fail2ban]"
 )
-- 2.43.2