Exempt out web server from nominatim fail2ban jail

author Tom Hughes <tom@compton.nu>

Fri, 24 Mar 2017 18:44:23 +0000 (18:44 +0000)

committer Tom Hughes <tom@compton.nu>

Fri, 24 Mar 2017 18:57:23 +0000 (18:57 +0000)
author Tom Hughes <tom@compton.nu>
Fri, 24 Mar 2017 18:44:23 +0000 (18:44 +0000)
committer Tom Hughes <tom@compton.nu>
Fri, 24 Mar 2017 18:57:23 +0000 (18:57 +0000)
diff --git a/cookbooks/fail2ban/providers/jail.rb b/cookbooks/fail2ban/providers/jail.rb

index 8adcea11c612b90de2e2cba46df85e40c9696ac5..e12ad22efcb86924a8c76bb1771f550ddb69fbb0 100644 (file)
--- a/cookbooks/fail2ban/providers/jail.rb
+++ b/cookbooks/fail2ban/providers/jail.rb
@@ -35,7 +35,8 @@ action :create do
                :logpath => new_resource.logpath,
                :protocol => new_resource.protocol,
                :ports => new_resource.ports,
-              :maxretry => new_resource.maxretry
+              :maxretry => new_resource.maxretry,
+              :ignoreips => new_resource.ignoreips
    end
  end
  
diff --git a/cookbooks/fail2ban/resources/jail.rb b/cookbooks/fail2ban/resources/jail.rb

index f51e06188b00caf5f6664e5f4dc40cadb7c0a27e..65d1d3b514617c50d98c39f22db93b2546acd4c3 100644 (file)
--- a/cookbooks/fail2ban/resources/jail.rb
+++ b/cookbooks/fail2ban/resources/jail.rb
@@ -26,6 +26,7 @@ attribute :logpath, :kind_of => String
  attribute :protocol, :kind_of => String
  attribute :ports, :kind_of => Array, :default => []
  attribute :maxretry, :kind_of => Integer
+attribute :ignoreips, :kind_of => Array
  
  def after_created
    notifies :reload, "service[fail2ban]"
diff --git a/cookbooks/fail2ban/templates/default/jail.erb b/cookbooks/fail2ban/templates/default/jail.erb

index 08fb7ed16d618d7aae3e9139ce8664d61a0844eb..c155e0f6c484ad1d531655be39f98568bb633deb 100644 (file)
--- a/cookbooks/fail2ban/templates/default/jail.erb
+++ b/cookbooks/fail2ban/templates/default/jail.erb
@@ -11,3 +11,6 @@ logpath = <%= @logpath %>
  <% if @maxretry -%>
  maxretry = <%= @maxretry %>
  <% end -%>
+<% if @ignoreips -%>
+ignoreip = <%= @ignoreips.join(",") %>
+<% end -%>
diff --git a/cookbooks/nominatim/recipes/default.rb b/cookbooks/nominatim/recipes/default.rb

index 22947a06d94514e3ad2d7745e9b19abffc1799a5..19e48909f9f0bfb4c8f19f537222ac8a0ccbac60 100644 (file)
--- a/cookbooks/nominatim/recipes/default.rb
+++ b/cookbooks/nominatim/recipes/default.rb
@@ -352,6 +352,10 @@ end
  
  include_recipe "fail2ban"
  
+web_servers = search(:node, "recipes:web\\:\\:frontend").collect do |n| # ~FC010
+  n.ipaddresses(:role => :external)
+end.flatten
+
  fail2ban_filter "nominatim" do
    failregex '^<HOST> - - \[\] "[^"]+" (400|429) '
  end
@@ -361,6 +365,7 @@ fail2ban_jail "nominatim" do
    logpath "/var/log/apache2/nominatim.openstreetmap.org-access.log"
    ports [80, 443]
    maxretry 100
+  ignoreips web_servers
  end
  
  munin_plugin_conf "nominatim" do
author	Tom Hughes <tom@compton.nu>
	Fri, 24 Mar 2017 18:44:23 +0000 (18:44 +0000)
committer	Tom Hughes <tom@compton.nu>
	Fri, 24 Mar 2017 18:57:23 +0000 (18:57 +0000)
cookbooks/fail2ban/providers/jail.rb		patch \| blob \| history
cookbooks/fail2ban/resources/jail.rb		patch \| blob \| history
cookbooks/fail2ban/templates/default/jail.erb		patch \| blob \| history
cookbooks/nominatim/recipes/default.rb		patch \| blob \| history