lelutin / puppet-fail2ban

Manage fail2ban and its jails with puppet
GNU General Public License v3.0
8 stars 31 forks

fail2ban::jail is missing many parameters #47

Open lelutin opened 2 years ago

lelutin commented 2 years ago

According to the documentation, there are many parameters to a jail definition that this module is not exposing.

https://manpages.debian.org/testing/fail2ban/jail.conf.5.en.html#JAIL_CONFIGURATION_FILE(S)_(jail.conf)

The missing parameters should be added as params to fail2ban::jail

hubide commented 1 month ago

There's a nice feature for bantime increment that's been available for a while in the debian version. https://visei.com/2020/05/incremental-banning-with-fail2ban/

I might add this feature if I find the time

lelutin commented 1 month ago

huh wait... that's a thing? why did I miss those previously :( ...sometimes finding fail2ban's documentation is actually pretty hard. those values are still not documented in the manpage in debian sid.

good find though! from what I can see Vox Pupuli has not implemented this yet in their similar module https://github.com/voxpupuli/puppet-fail2ban

I'm interested in reviewing and merging your changes if you happen to implement this :)

I guess now the big question is "what name should we give those new parameters?" $bantime is already taken and AFAIR puppet doesn't permit dots in variable names. so.... maybe we permit $bantime to be either a string of the current format, or a hash with certain expected keys (e.g. with a type alias we can restrict which keys should be found)?

I wonder where the current value for $bantime would live in the hash-form of the variable. a key that's an empty string? (i.e. bantime => { "" => "1d" } -- meh) a repeat of bantime for the key name? (i.e. bantime => { "bantime" => "1d" } -- slightly more meh)

lelutin commented 1 month ago

also fyi, on the main branch I've "recently" implemented more parameters for a couple of the different resources -- although none of the bantime.* ones. I haven't released this new work yet on forge since I hit a snag when enabling puppet-lint in CI. but that won't be a blocker to your addition if you send something this way

hubide commented 1 month ago

well, until we can use v.4+ in our aging puppet setup, I don't think I'll be able to jump in here :/ In the meantime, I've used this on each jail I want to implement the increment feature: `'additional_options' => { 'bantime.increment' => 'true', },`

This option can also be specified in local.conf/fail.conf

As for the name, maybe split existing bantime var and new features. New parameters could be a hash named 'bantime-extra' or something.
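The workaround described in the comment above, written out as a complete jail declaration. This is an added example, not code from the issue or from the puppet-fail2ban module itself. It assumes the module's `fail2ban::jail` defined type accepts `port`, `filter`, `logpath`, `bantime`, `findtime` and `maxretry` parameters alongside the `additional_options` hash mentioned in the thread; the `bantime.*` keys are the incremental-banning options documented in fail2ban 0.11's stock jail.conf. Because the module has no dedicated parameters for them yet, they are passed through `additional_options`, which writes them verbatim into the jail's section, so the values must already be in fail2ban's own syntax (`true`, not a Puppet boolean):

```puppet
# Added example: an sshd jail with incremental banning enabled via the
# additional_options passthrough, since fail2ban::jail has no bantime.* params yet.
# Parameter names other than additional_options and bantime are assumed.
fail2ban::jail { 'sshd':
  port     => 'ssh',
  filter   => 'sshd',
  logpath  => '/var/log/auth.log',
  maxretry => 5,
  findtime => '10m',
  bantime  => '1h',          # initial ban; rendered as "bantime = 1h"
  additional_options => {
    # keys are emitted as-is, so they carry the dotted fail2ban option names
    'bantime.increment'   => 'true',   # escalate the ban on each repeat offence
    'bantime.factor'      => '1',      # multiplier applied to the formula
    'bantime.maxtime'     => '5w',     # cap so a repeat offender is never banned forever
    'bantime.rndtime'     => '30m',    # add jitter so bans cannot be timed precisely
    'bantime.overalljails' => 'true',  # count prior bans from every jail, not just this one
  },
}
```

Two checks are worth running after applying it: `fail2ban-client -d` prints the parsed configuration and will show the `bantime.*` keys under the `sshd` section only if the passthrough landed in the right place, and `fail2ban-client get sshd bantime` followed by repeated failed logins from a test host should show the ban length growing on the second and third ban rather than staying at the initial value. Note that `bantime.increment` only has an effect on fail2ban 0.11 or newer; on 0.10 the option is accepted but ignored.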