Restrict fail2ban to evasive blocks instead of all 403 errors

[chef.git] / cookbooks / apache / recipes / default.rb

diff --git a/cookbooks/apache/recipes/default.rb b/cookbooks/apache/recipes/default.rb
index f47d500b5163c60bd240491334ceafaa89f42866..80e9e473f1aa004c302e1f0dceab577fa5634d1a 100644 (file)
--- a/cookbooks/apache/recipes/default.rb
+++ b/cookbooks/apache/recipes/default.rb
@@ -17,6 +17,7 @@
 # limitations under the License.
 #
 
+include_recipe "fail2ban"
 include_recipe "munin"
 include_recipe "prometheus"
 include_recipe "ssl"
@@ -78,6 +79,16 @@ apache_module "status" do
   variables :hosts => admins["hosts"]
 end
 
+if node[:apache][:evasive]
+  apache_module "evasive" do
+    conf "evasive.conf.erb"
+  end
+else
+  apache_module "evasive" do
+    action :disable
+  end
+end
+
 apache_module "brotli" do
   conf "brotli.conf.erb"
 end
@@ -93,10 +104,38 @@ apache_conf "ssl" do
   template "ssl.erb"
 end
 
+fail2ban_filter "apache-forbidden" do
+  action :delete
+end
+
+fail2ban_jail "apache-forbidden" do
+  action :delete
+end
+
+fail2ban_filter "apache-evasive" do
+  failregex "^Blacklisting address <ADDR>: possible DoS attack\.$"
+end
+
+fail2ban_jail "apache-evasive" do
+  filter "apache-evasive"
+  backend "systemd"
+  journalmatch "SYSLOG_IDENTIFIER=mod_evasive"
+  ports [80, 443]
+  findtime "1m"
+  maxretry 50
+end
+
 munin_plugin "apache_accesses"
 munin_plugin "apache_processes"
 munin_plugin "apache_volume"
 
+template "/var/lib/prometheus/node-exporter/apache.prom" do
+  source "apache.prom.erb"
+  owner "root"
+  group "root"
+  mode "644"
+end
+
 prometheus_exporter "apache" do
   port 9117
   options "--scrape_uri=http://localhost/server-status?auto"