Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make 'ssh' and 'ssh-ddos' jail names be consistent across operating systems #50

Merged
merged 8 commits into from
May 4, 2018
Merged

Make 'ssh' and 'ssh-ddos' jail names be consistent across operating systems #50

merged 8 commits into from
May 4, 2018

Conversation

saibot94
Copy link
Contributor

Pull Request (PR) description

Adding the following code in the manifest:

    class { 'fail2ban': }

and deploying it on a CentOS machine will result in no jails being configured, even though the documentation mentions that '['ssh', 'ssh-ddos']' are configured to run by default.

The problem is that the parameters the config is looking for on the CentOS templates are sshd and sshd-ddos.

This Pull Request (PR) fixes the following issues

Fixes #34

traylenator
traylenator reviewed Apr 30, 2018
View reviewed changes
Copy link
Contributor

@traylenator traylenator left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are quite a few other references to sshd-ddos in
templates/Tikanga/etc/fail2ban/jail.conf.erb

@saibot94
Copy link
Contributor Author

The other names are either the name of the jail or the name of the filters.

The filters seem to be "sshd-ddos" and "sshd" for all of them, which I guess is correct. The jail names seem to be [ssh*] for the Debian templates and [sshd*] for the RedHat / CentOS ones. I don't think the naming of the jails has any impact, though.

@traylenator traylenator merged commit 0a8f8be into voxpupuli:master May 4, 2018
@traylenator
Copy link
Contributor

@saibot94 nice to get the acceptance tests running as well.

traylenator
traylenator reviewed May 4, 2018
View reviewed changes
Copy link
Contributor

@traylenator traylenator left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs to be done a different way

spec/acceptance/class_spec.rb
ssh_log_file = '/var/log/secure'
ssh_jail = 'ssh'
# EPEL needs to be installed, otherwise it won't work
shell('wget http://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missed this, should not have been merged.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

By default ensuring the package epel-release is installed works on CentOS since it's carried in the extras repo.

@saibot94 saibot94 deleted the bugfix/ssh-jail-names branch May 4, 2018 12:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@traylenator traylenator traylenator left review comments

@ekohl ekohl ekohl left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CentOS ssh jail template actually needs "sshd"
3 participants
@saibot94 @traylenator @ekohl