Support for RHEL/CentOS 8 #126

Closed
cf-sewe opened this issue Dec 18, 2019 · 1 comment

cf-sewe commented Dec 18, 2019

On RHEL/CentOS 8 with fail2ban version 0.10.4, the fail2ban Puppet module does not work anymore. It seems the whole /etc/fail2ban/jail.conf is not touched by Puppet fail2ban.

The most basic configuration, where I simply would like to enable the ssh jail, does not work anymore.
Also, fail2ban now recommends changing a jail.local instead of the system-provided jail.conf file.
A custom jail (nginx-cplace) is successfully added and initialized.

```
Debug: /Package[fail2ban]: Provider dnf does not support features targetable; not managing attribute command
Debug: /Service[fail2ban]: Provider systemd does not support features configurable_timeout; not managing attribute timeout
Info: Applying configuration version '[Fix fail2ban](http://collaborationFactory/ops-puppet-internal/tree/f79264b30752c4143736a1fc58de71b6c3bf270e)'
Debug: /Stage[main]/Fail2ban/Anchor[fail2ban::begin]/before: before to Class[Fail2ban::Install]
Debug: /Stage[main]/Fail2ban::Install/before: before to Class[Fail2ban::Config]
Debug: /Stage[main]/Fail2ban::Config/notify: notify to Class[Fail2ban::Service]
Debug: /Stage[main]/Fail2ban::Config/File[fail2ban.dir]/require: require to Package[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/File[fail2ban.dir]/notify: notify to Service[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/File[fail2ban.conf]/require: require to Package[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/File[fail2ban.conf]/notify: notify to Service[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]/require: require to Package[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]/notify: notify to Service[fail2ban]
Debug: /Stage[main]/Fail2ban::Service/before: before to Anchor[fail2ban::end]
Debug: /Stage[main]/Profile::Fw/Firewall[010 accept SSH]/notify: notify to Service[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_filter_nginx-cplace]/require: require to Package[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_filter_nginx-cplace]/notify: notify to Service[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_jail_nginx-cplace]/require: require to Package[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_jail_nginx-cplace]/notify: notify to Service[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/File[fail2ban.conf]: Adding autorequire relationship with File[fail2ban.dir]
Debug: /Stage[main]/Fail2ban::Config/File[fail2ban.conf]: Adding autorequire relationship with User[root]
Debug: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]: Adding autorequire relationship with File[fail2ban.dir]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_filter_nginx-cplace]: Adding autorequire relationship with File[fail2ban.dir]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_filter_nginx-cplace]: Adding autorequire relationship with User[root]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_jail_nginx-cplace]: Adding autorequire relationship with File[fail2ban.dir]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_jail_nginx-cplace]: Adding autorequire relationship with User[root]
Debug: Executing: '/usr/bin/rpm -q fail2ban --nosignature --nodigest --qf %{NAME} %|EPOCH?{%{EPOCH}}:{0}| %{VERSION} %{RELEASE} %{ARCH}\n'
Debug: Executing: '/usr/bin/rpm -q fail2ban --nosignature --nodigest --qf %{NAME} %|EPOCH?{%{EPOCH}}:{0}| %{VERSION} %{RELEASE} %{ARCH}\n --whatprovides'
Debug: Package[fail2ban](provider=dnf): Ensuring => present
Debug: Executing: '/usr/bin/dnf -d 0 -e 1 -y install fail2ban'
Notice: /Stage[main]/Fail2ban::Install/Package[fail2ban]/ensure: created (corrective)
Debug: /Package[fail2ban]: The container Class[Fail2ban::Install] will propagate my refresh event
Debug: Class[Fail2ban::Install]: The container Stage[main] will propagate my refresh event
Info: Computing checksum on file /etc/fail2ban/jail.d/00-firewalld.conf
Info: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]: Filebucketed /etc/fail2ban/jail.d/00-firewalld.conf to puppet with sum ea523e49f854737b3f3c8dbf612ae764
Debug: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]: Removing existing file for replacement with absent
Notice: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]/ensure: removed (corrective)
Info: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]: Scheduling refresh of Service[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]: The container Class[Fail2ban::Config] will propagate my refresh event
Debug: Class[Fail2ban::Config]: The container Stage[main] will propagate my refresh event
Info: Class[Fail2ban::Config]: Scheduling refresh of Class[Fail2ban::Service]
Info: Class[Fail2ban::Service]: Scheduling refresh of Service[fail2ban]
Debug: Executing: '/usr/bin/systemctl is-active -- fail2ban'
Debug: Executing: '/usr/bin/systemctl is-enabled -- fail2ban'
Debug: Executing: '/usr/bin/systemctl show --property=NeedDaemonReload -- fail2ban'
Debug: Executing: '/usr/bin/systemctl unmask -- fail2ban'
Debug: Executing: '/usr/bin/systemctl start -- fail2ban'
Debug: Executing: '/usr/bin/systemctl is-enabled -- fail2ban'
Debug: Executing: '/usr/bin/systemctl unmask -- fail2ban'
Debug: Executing: '/usr/bin/systemctl enable -- fail2ban'
Notice: /Stage[main]/Fail2ban::Service/Service[fail2ban]/ensure: ensure changed 'stopped' to 'running' (corrective)
Debug: /Service[fail2ban]: The container Class[Fail2ban::Service] will propagate my refresh event
Info: /Service[fail2ban]: Unscheduling refresh on Service[fail2ban]
Debug: Class[Fail2ban::Service]: The container Stage[main] will propagate my refresh event
```

LSB System Info:

| Fact | Value |
|---|---|
| lsbdistrelease | 8.0.1905 |
| lsbdistid | CentOS |
| lsbdistdescription | CentOS Linux release 8.0.1905 (Core) |
| lsbdistcodename | Core |

cf-sewe commented Dec 18, 2019

OK, I added this part (which is of course documented already) and now it works.
But maybe the module can still adjust to the recommendation from fail2ban, to perform changes only in the jail.local file :)

```yaml
fail2ban::config_file_template: "fail2ban/%{::lsbdistcodename}/etc/fail2ban/jail.conf.epp"
```

(On CentOS 7 I didn't add that because the LSB tools were not available on my system, and it still worked.)

cf-sewe closed this as completed Dec 18, 2019
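Added example, not part of the original issue or the module's code: the failure reported here is silent (the Puppet run succeeds and the service starts, yet the ssh jail is never enabled), so a post-deploy check on the merged jail configuration is useful. The sketch below merges files in the order documented in jail.conf(5) (`jail.conf`, `jail.d/*.conf`, `jail.local`, `jail.d/*.local`) and reports which jails end up enabled. The file contents and the `jail.d/nginx-cplace.conf` filename are constructed for the demonstration, and `[INCLUDES]` directives are not followed.

```python
import configparser
import glob
import os
import tempfile


def load_order(confdir):
    """Config files in the order jail.conf(5) documents; later files win."""
    return (
        [os.path.join(confdir, "jail.conf")]
        + sorted(glob.glob(os.path.join(confdir, "jail.d", "*.conf")))
        + [os.path.join(confdir, "jail.local")]
        + sorted(glob.glob(os.path.join(confdir, "jail.d", "*.local")))
    )


def effective_jails(confdir):
    """Return {jail_name: enabled} after merging every file in load order."""
    # interpolation=None: fail2ban's %(name)s values are left as raw strings.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(load_order(confdir))  # files that do not exist are skipped
    return {
        name: cp.getboolean(name, "enabled", fallback=False)
        for name in cp.sections()  # [DEFAULT] is inherited, not listed
        if name != "INCLUDES"
    }


def write(confdir, relpath, text):
    path = os.path.join(confdir, relpath)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed config tree mirroring the issue: custom jail on, sshd off."""
    with tempfile.TemporaryDirectory() as d:
        write(d, "jail.conf", "[DEFAULT]\nenabled = false\n\n[sshd]\nport = ssh\n")
        write(d, "jail.d/nginx-cplace.conf", "[nginx-cplace]\nenabled = true\n")
        before = effective_jails(d)
        # Local override, as fail2ban recommends, instead of editing jail.conf.
        write(d, "jail.local", "[sshd]\nenabled = true\n")
        after = effective_jails(d)
    return before, after


if __name__ == "__main__":
    print(demo())
```

On a real host, call `effective_jails("/etc/fail2ban")` after the Puppet run and compare the result with the jails `fail2ban-client status` reports.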