Extend search period and ban time for trackpoint jail

[chef.git] / cookbooks / web / recipes / frontend.rb

diff --git a/cookbooks/web/recipes/frontend.rb b/cookbooks/web/recipes/frontend.rb
index 63dabd9c0fbe34bd7c2cac3c857d9fcdb8e569cb..ec7ce92f533ea7426483151b3a9ac3fa310b6006 100644 (file)
--- a/cookbooks/web/recipes/frontend.rb
+++ b/cookbooks/web/recipes/frontend.rb
@@ -21,6 +21,7 @@ node.default[:memcached][:ip_address] = node.internal_ipaddress || "127.0.0.1"
 
 include_recipe "memcached"
 include_recipe "apache"
+include_recipe "fail2ban"
 include_recipe "web::rails"
 include_recipe "web::cgimap"
 
@@ -64,6 +65,38 @@ template "/etc/logrotate.d/apache2" do
   mode "644"
 end
 
+fail2ban_filter "apache-request-timeout" do
+  failregex '^<ADDR> .* "-" 408 .*$'
+end
+
+fail2ban_jail "apache-request-timeout" do
+  filter "apache-request-timeout"
+  logpath "/var/log/apache2/access.log"
+  ports [80, 443]
+end
+
+fail2ban_filter "apache-trackpoints-timeout" do
+  failregex '^<ADDR> .* "GET /api/0\.6/trackpoints\?.*" 408 .*$'
+end
+
+fail2ban_jail "apache-trackpoints-timeout" do
+  filter "apache-trackpoints-timeout"
+  logpath "/var/log/apache2/access.log"
+  ports [80, 443]
+  bantime "12h"
+  findtime "30m"
+end
+
+fail2ban_filter "apache-notes-search" do
+  failregex '^<ADDR> .* "GET /api/0\.6/notes/search\?q=abcde&.*$'
+end
+
+fail2ban_jail "apache-notes-search" do
+  filter "apache-notes-search"
+  logpath "/var/log/apache2/access.log"
+  ports [80, 443]
+end
+
 if %w[database_offline database_readonly].include?(node[:web][:status])
   service "rails-jobs@mailers" do
     action :stop
@@ -98,3 +131,11 @@ else
     subscribes :restart, "systemd_service[rails-jobs@]"
   end
 end
+
+template "/usr/local/bin/deliver-message" do
+  source "deliver-message.erb"
+  owner "rails"
+  group "rails"
+  mode "0700"
+  variables :secret_key_base => web_passwords["secret_key_base"]
+end