lelutin / puppet-fail2ban

Manage fail2ban and its jails with puppet
GNU General Public License v3.0

Add predefined Samba Ransomware Filter #49

Closed peterbeck closed 1 year ago

peterbeck commented 2 years ago

Hi @lelutin,

Could we add a predefined ransomware filter to this module? There are scripts to generate such filters (like this one).

As far as I can see, there is no way to provide a predefined file as filter with this module, am I correct? Currently I am using

  fail2ban::jail { 'samba':
    port     => '135,139,445,137,138',
    filter   => 'samba',
    logpath  => '/var/log/syslog',
    maxretry => 1,
    bantime  => 86400, # 1 day ban
  }

  file { '/etc/fail2ban/filter.d/samba.conf':
    ensure => 'present',
    source => 'puppet:///modules/foo/filter_samba.conf',
  }

or is there another option?

Thanks Peter

lelutin commented 2 years ago

Hi @peterbeck,

this module has a fail2ban::filter resource type, but currently it doesn't have a method of specifying the contents of the filter file with an external file: you'd need to extract the filter lines, ignore regexes and other relevant details to pass them on to the defined type's parameters.

I'd be hesitant to add a new default filter that needs to dynamically download some file from the internet, and if we include a snapshot of that file in the module we'll probably quickly have an outdated list of regexes.

You can either have something that digests the downloaded file into a list of regexes or, maybe easier for you, we can add a source parameter to the filter defined type that can let you just update the one file in your control repository.

If the latter is more desirable for you, I'm open to the idea of adding the parameter: do you mind sending a pull request for implementing this? otherwise I can help when I can find some free time and energy (which might take a little while).

cheers!
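The "digest the downloaded file into a list of regexes" option from the comment above, as an added example that is not part of the thread or of the module's code. It reads a fail2ban filter file, splits the multi-line `failregex` and `ignoreregex` options into lists, and sets aside entries that should not reach production unreviewed; the sample file, the function names and the rule that every failregex must carry a `<HOST>` tag are assumptions of this example.

```python
import configparser
import re

# Constructed sample of a downloaded filter file (patterns are illustrative only,
# not taken from any real ransomware list).
SAMPLE_FILTER = r"""
[Definition]
# constructed example patterns
failregex = smbd.*IP=<HOST> .*\.locked$
            smbd.*IP=<HOST> .*\.encrypted$
            smbd.*IP=<HOST> .*\.encrypted$
            smbd.*IP=<HOST> .*\.(bad$
            smbd.* .*README_DECRYPT\.txt$
ignoreregex = smbd.*IP=<HOST> .*/backups/.*
"""


def _split_regexes(value):
    """Split a multi-line option into one regex per line, dropping duplicates."""
    seen, out = set(), []
    for line in value.splitlines():
        line = line.strip()
        if line and line not in seen:
            seen.add(line)
            out.append(line)
    return out


def digest_filter(text):
    """Return accepted failregex/ignoreregex lists plus rejected entries."""
    # Raw parser: fail2ban's %(...)s references are kept verbatim, not expanded.
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    if not parser.has_section("Definition"):
        raise ValueError("no [Definition] section in filter file")
    result = {"failregex": [], "ignoreregex": [], "rejected": []}
    for option in ("failregex", "ignoreregex"):
        for rx in _split_regexes(parser.get("Definition", option, fallback="")):
            try:
                re.compile(rx)  # a broken pattern would break the whole filter
            except re.error as exc:
                result["rejected"].append((rx, str(exc)))
                continue
            # Assumption of this example: a failregex without <HOST> cannot ban anyone.
            if option == "failregex" and "<HOST>" not in rx:
                result["rejected"].append((rx, "no <HOST> tag"))
                continue
            result[option].append(rx)
    return result
```

The two accepted lists are what would be handed to the `fail2ban::filter` defined type's parameters; the `rejected` list is worth reviewing by hand, since the input comes from outside your control repository.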