From: Tom Hughes
Date: Tue, 12 Mar 2024 08:52:58 +0000 (+0000)
Subject: Restrict fail2ban to evasive blocks instead of all 403 errors
X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/9528de07d836fa814fd5b66dbe55aea20c9cff6c?ds=sidebyside
Restrict fail2ban to evasive blocks instead of all 403 errors
---
diff --git a/cookbooks/apache/recipes/default.rb b/cookbooks/apache/recipes/default.rb
index f3a62fe43..80e9e473f 100644
--- a/cookbooks/apache/recipes/default.rb
+++ b/cookbooks/apache/recipes/default.rb
@@ -105,12 +105,21 @@ apache_conf "ssl" do
 end
 
 fail2ban_filter "apache-forbidden" do
-  failregex '^ .* "[^"]*" 403 .*$'
+  action :delete
 end
 
 fail2ban_jail "apache-forbidden" do
-  filter "apache-forbidden"
-  logpath "/var/log/apache2/access.log"
+  action :delete
+end
+
+fail2ban_filter "apache-evasive" do
+  failregex "^Blacklisting address : possible DoS attack\.$"
+end
+
+fail2ban_jail "apache-evasive" do
+  filter "apache-evasive"
+  backend "systemd"
+  journalmatch "SYSLOG_IDENTIFIER=mod_evasive"
   ports [80, 443]
   findtime "1m"
   maxretry 50
diff --git a/cookbooks/fail2ban/resources/jail.rb b/cookbooks/fail2ban/resources/jail.rb
index f68645054..e5801c065 100644
--- a/cookbooks/fail2ban/resources/jail.rb
+++ b/cookbooks/fail2ban/resources/jail.rb
@@ -23,6 +23,8 @@ default_action :create
 
 property :jail, :kind_of => String, :name_property => true
 property :filter, :kind_of => String
+property :backend, :kind_of => String
+property :journalmatch, :kind_of => String
 property :logpath, :kind_of => String
 property :protocol, :kind_of => String
 property :ports, :kind_of => Array, :default => []
@@ -40,6 +42,8 @@ action :create do
     mode "644"
     variables :name => new_resource.jail,
               :filter => new_resource.filter,
+              :backend => new_resource.backend,
+              :journalmatch => new_resource.journalmatch,
               :logpath => new_resource.logpath,
               :protocol => new_resource.protocol,
               :ports => new_resource.ports,
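Review bot: The new `apache-evasive` failregex is a double-quoted Ruby string, so `\.` is an unrecognised escape and Ruby drops the backslash, writing `attack.$` with an unescaped dot into the filter; the removed `apache-forbidden` line used single quotes for exactly this reason, so it should read `failregex '^Blacklisting address : possible DoS attack\.$'`. More importantly, fail2ban can only ban what it can extract an address from, and the visible pattern has no `<HOST>`/`<ADDR>` group and no gap where the address would sit (my recollection is that mod_evasive logs `Blacklisting address <ip>: possible DoS attack.`); unless the filter template outside this diff injects the host group, the filter will either fail to load or never match. Checking the generated filter with `fail2ban-regex` against a real journal line before relying on the jail would settle both points.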
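Review bot: `property :backend` accepts any String, but fail2ban recognises only a fixed set of backend names and a typo here yields a jail that fails at start-up rather than a Chef-time error; `property :backend, :kind_of => String, :equal_to => %w[auto polling pyinotify gamin systemd]` would catch that at converge. `journalmatch` is only honoured by the systemd backend, while `logpath` is what the file-based backends use, so a short comment above the two new properties saying that `backend "systemd"` plus `journalmatch` replaces `logpath` would help the next caller; the same applies to the matching `:backend`/`:journalmatch` additions in the `variables` hash of the following hunk, whose enclosing `action :create` block continues past the end of the hunk.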
diff --git a/cookbooks/fail2ban/templates/default/jail.erb b/cookbooks/fail2ban/templates/default/jail.erb
index 6a7e377d8..357e09ea5 100644
--- a/cookbooks/fail2ban/templates/default/jail.erb
+++ b/cookbooks/fail2ban/templates/default/jail.erb
@@ -11,6 +11,12 @@ port = <%= @ports.join(",") %>
 <% if @filter -%>
 filter = <%= @filter %>
 <% end -%>
+<% if @backend -%>
+backend = <%= @backend %>
+<% end -%>
+<% if @journalmatch -%>
+journalmatch = <%= @journalmatch %>
+<% end -%>
 <% if @logpath -%>
 logpath = <%= @logpath %>
 <% end -%>
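Review bot: The template writes `journalmatch` whenever `@journalmatch` is set, independent of `@backend`, yet fail2ban only consults `journalmatch` under the systemd backend, so a jail that sets it while leaving `backend` at its default silently gets no journal filtering and, if `logpath` is also unset, nothing to watch. An ERB comment above the new block, `<%# journalmatch is honoured only when backend = systemd -%>`, records that coupling where the next editor of this template will see it; enforcing it belongs in the resource rather than here.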