
puppet-fail2ban's Introduction

fail2ban


Table of Contents

  1. Overview
  2. Module Description - What the module does and why it is useful
  3. Setup - The basics of getting started with fail2ban
  4. Usage - Configuration options and additional functionality
  5. Reference - An under-the-hood peek at what the module is doing and how
  6. Limitations - OS compatibility, etc.
  7. Jails available
  8. Development - Guide for contributing to the module

Overview

This module installs, configures and manages the Fail2ban service.

Module Description

This module handles installing, configuring and running Fail2ban across a range of operating systems and distributions.

Setup

What fail2ban affects

  • fail2ban package.
  • fail2ban configuration file.
  • fail2ban service.

Setup Requirements

Beginning with fail2ban

Install and configure fail2ban:

    class { 'fail2ban': }

Config file template

You can also specify a different configuration template. To do so, point config_file_template at the template you want to use (for example, one shipped in your local profile module):

    class { 'fail2ban':
      config_file_template => "profile/fail2ban/etc/fail2ban/jail.conf.epp",
    }

Or using Hiera:

fail2ban::config_file_template: "profile/fail2ban/etc/fail2ban/jail.conf.epp"

Usage

Update the fail2ban package.

    class { 'fail2ban':
      package_ensure => 'latest',
    }

Remove the fail2ban package.

    class { 'fail2ban':
      package_ensure => 'absent',
    }

Purge the fail2ban package (all configuration files will be removed).

    class { 'fail2ban':
      package_ensure => 'purged',
    }

Deploy the configuration files from source directory.

    class { 'fail2ban':
      config_dir_source => "puppet:///modules/profile/fail2ban/etc/fail2ban",
    }

Deploy the configuration files from a source directory (unmanaged configuration files will be removed).

    class { 'fail2ban':
      config_dir_purge  => true,
      config_dir_source => "puppet:///modules/profile/fail2ban/etc/fail2ban",
    }

Deploy the configuration file from source.

    class { 'fail2ban':
      config_file_source => "puppet:///modules/profile/fail2ban/etc/fail2ban/jail.conf",
    }

Deploy the configuration file from string.

    class { 'fail2ban':
      config_file_string => '# THIS FILE IS MANAGED BY PUPPET',
    }

Deploy the configuration file from template.

    class { 'fail2ban':
      config_file_template => "profile/fail2ban/etc/fail2ban/jail.conf.epp",
    }

Deploy the configuration file from a custom template (additional parameters can be passed to the template).

    class { 'fail2ban':
      config_file_template     => "profile/fail2ban/etc/fail2ban/jail.conf.epp",
      config_file_options_hash => {
        'key' => 'value',
      },
    }

Deploy additional configuration files from source, string or template.

    class { 'fail2ban':
      config_file_hash => {
        'jail.2nd.conf' => {
          config_file_path   => '/etc/fail2ban/jail.2nd.conf',
          config_file_source => "puppet:///modules/profile/fail2ban/etc/fail2ban/jail.2nd.conf",
        },
        'jail.3rd.conf' => {
          config_file_path   => '/etc/fail2ban/jail.3rd.conf',
          config_file_string => '# THIS FILE IS MANAGED BY PUPPET',
        },
        'jail.4th.conf' => {
          config_file_path     => '/etc/fail2ban/jail.4th.conf',
          config_file_template => "profile/fail2ban/etc/fail2ban/jail.4th.conf.epp",
        },
      },
    }

Disable the fail2ban service.

    class { 'fail2ban':
      service_ensure => 'stopped',
    }

Reference

Classes

Public Classes

  • fail2ban: Main class, includes all other classes.

Private Classes

  • fail2ban::install: Handles the packages.
  • fail2ban::config: Handles the configuration file.
  • fail2ban::service: Handles the service.

Parameters

package_ensure

Determines if the package should be installed. Valid values are 'present', 'latest', 'absent' and 'purged'. Defaults to 'present'.

package_name

Determines the name of package to manage. Defaults to 'fail2ban'.

package_list

Determines if additional packages should be managed. Defaults to 'undef'.

config_dir_ensure

Determines if the configuration directory should be present. Valid values are 'absent' and 'directory'. Defaults to 'directory'.

config_dir_path

Determines the path of the configuration directory to manage. Defaults to '/etc/fail2ban'.

config_dir_purge

Determines if unmanaged configuration files should be removed. Valid values are 'true' and 'false'. Defaults to 'false'.

config_dir_recurse

Determines if the configuration directory should be recursively managed. Valid values are 'true' and 'false'. Defaults to 'true'.

config_dir_source

Determines the source of a configuration directory. Defaults to 'undef'.

config_file_path

Determines the path of the configuration file to manage. Defaults to '/etc/fail2ban/jail.conf'.

config_file_owner

Determines which user should own the configuration file. Defaults to 'root'.

config_file_group

Determines which group should own the configuration file. Defaults to 'root'.

config_file_mode

Determines the desired permissions mode of the configuration file. Defaults to '0644'.

config_file_source

Determines the source of a configuration file. Defaults to 'undef'.

config_file_string

Determines the content of a configuration file. Defaults to 'undef'.

config_file_template

Determines the template used to generate the content of a configuration file. Defaults to 'undef'.

config_file_notify

Determines if the service should be restarted after configuration changes. Defaults to 'Service[fail2ban]'.

config_file_require

Determines which package a configuration file depends on. Defaults to 'Package[fail2ban]'.

config_file_hash

Determines which configuration files should be managed via fail2ban::define. Defaults to '{}'.

config_file_options_hash

Determines which parameters should be passed to an ERB template. Defaults to '{}'.

manage_defaults

Determines whether the file /etc/fail2ban/jail.d/defaults-debian.conf should be deleted or not. Defaults to 'absent'.

manage_firewalld

Determines whether the file /etc/fail2ban/jail.d/00-firewalld.conf should be deleted or not. Defaults to 'absent'.

service_ensure

Determines if the service should be running or not. Valid values are 'running' and 'stopped'. Defaults to 'running'.

service_name

Determines the name of service to manage. Defaults to 'fail2ban'.

service_enable

Determines if the service should be enabled at boot. Valid values are 'true' and 'false'. Defaults to 'true'.

action

Determines how banned IP addresses should be reported. Defaults to 'action_mb'.

bantime

Determines for how many seconds IP addresses will be banned. Defaults to '432000'.

email

Determines which email address should be notified about restricted hosts and suspicious logins. Defaults to "fail2ban@${::domain}".

sender

Determines which email address should notify about restricted hosts and suspicious logins. Defaults to 'fail2ban@${::fqdn}'.

iptables_chain

Determines the chain to which jumps will be added in iptables-* actions. Defaults to 'INPUT'.

jails

Determines which services should be protected by Fail2ban. Defaults to ['ssh', 'ssh-ddos'].

maxretry

Determines the number of failed login attempts needed to block a host. Defaults to '3'.

whitelist

Determines which IP addresses will never be banned or reported. Defaults to ['127.0.0.1/8', '192.168.56.0/24'].

custom_jails

Determines which custom jails should be included (see Custom jails).

banaction

Determines which action to perform when performing a global ban (not overridden in a specific jail).

Jails available

Pre-defined jails

RedHat

  • 3proxy
  • apache-auth
  • apache-badbots
  • apache-botsearch
  • apache-fakegooglebot
  • apache-modsecurity
  • apache-nohome
  • apache-noscript
  • apache-overflows
  • apache-shellshock
  • assp
  • asterisk
  • counter-strike
  • courier-auth
  • courier-smtp
  • cyrus-imap
  • directadmin
  • dovecot
  • dropbear
  • drupal-auth
  • ejabberd-auth
  • exim
  • exim-spam
  • freeswitch
  • froxlor-auth
  • groupoffice
  • gssftpd
  • guacamole
  • horde
  • kerio
  • lighttpd-auth
  • monit
  • mysqld-auth
  • nagios
  • named-refused
  • nginx-botsearch
  • nginx-http-auth
  • nsd
  • openwebmail
  • oracleims
  • pam-generic
  • pass2allow-ftp
  • perdition
  • php-url-fopen
  • portsentry
  • postfix
  • postfix-rbl
  • postfix-sasl
  • proftpd
  • pure-ftpd
  • qmail-rbl
  • recidive
  • roundcube-auth
  • selinux-ssh
  • sendmail-auth
  • sendmail-reject
  • sieve
  • sogo-auth
  • solid-pop3d
  • squid
  • squirrelmail
  • sshd
  • sshd-ddos
  • stunnel
  • suhosin
  • tine20
  • uwimap-auth
  • vsftpd
  • webmin-auth
  • wuftpd
  • xinetd-fail

Debian

  • 3proxy
  • apache-auth
  • apache-badbots
  • apache-botsearch
  • apache-fakegooglebot
  • apache-modsecurity
  • apache-multiport
  • apache-nohome
  • apache-noscript
  • apache-overflows
  • apache-shellshock
  • assp
  • asterisk
  • bitwarden
  • centreon
  • counter-strike
  • courierauth
  • courier-smtp
  • cyrus-imap
  • directadmin
  • domino-smtp
  • dovecot
  • dropbear
  • drupal-auth
  • ejabberd-auth
  • exim
  • exim-spam
  • freeswitch
  • froxlor-auth
  • groupoffice
  • gssftpd
  • guacamole
  • haproxy-http-auth
  • horde
  • kerio
  • lighttpd-auth
  • lighttpd-fastcgi
  • mongodb-auth
  • monit
  • murmur
  • mysqld-auth
  • nagios
  • named-refused
  • nginx-botsearch
  • nginx-http-auth
  • nginx-limit-req
  • nsd
  • openhab-auth
  • openwebmail
  • oracleims
  • pam-generic
  • pass2allow-ftp
  • perdition
  • php-url-fopen
  • phpmyadmin-syslog
  • portsentry
  • postfix
  • postfix-rbl
  • postfix-sasl
  • proftpd
  • pure-ftpd
  • qmail-rbl
  • recidive
  • roundcube-auth
  • sasl
  • selinux-ssh
  • sendmail-auth
  • sendmail-reject
  • sieve
  • screensharing
  • slapd
  • sogo-auth
  • solid-pop3d
  • squid
  • squirrelmail
  • ssh
  • ssh-blocklist
  • ssh-ddos
  • ssh-iptables-ipset4
  • ssh-iptables-ipset6
  • ssh-route
  • stunnel
  • suhosin
  • tine20
  • traefik-auth
  • uwimap-auth
  • vsftpd
  • webmin-auth
  • wuftpd
  • xinetd-fail
  • zoneminder
  • znc-adminlog

Suse

  • 3proxy
  • apache-auth
  • apache-badbots
  • apache-botsearch
  • apache-common
  • apache-fakegooglebot
  • apache-modsecurity
  • apache-nohome
  • apache-noscript
  • apache-overflows
  • apache-pass
  • apache-shellshock
  • assp
  • asterisk
  • botsearch-common
  • common
  • counter-strike
  • courier-auth
  • courier-smtp
  • cyrus-imap
  • directadmin
  • domino-smtp
  • dovecot
  • dropbear
  • drupal-auth
  • ejabberd-auth
  • exim-common
  • exim-spam
  • exim
  • freeswitch
  • froxlor-auth
  • groupoffice
  • gssftpd
  • guacamole
  • haproxy-http-auth
  • horde
  • ignorecommands
  • kerio
  • lighttpd-auth
  • mongodb-auth
  • monit
  • murmur
  • mysqld-auth
  • nagios
  • named-refused
  • nginx-botsearch
  • nginx-http-auth
  • nginx-limit-req
  • nsd
  • openhab
  • openwebmail
  • oracleims
  • pam-generic
  • perdition
  • php-url-fopen
  • phpmyadmin-syslog
  • portsentry
  • postfix
  • proftpd
  • pure-ftpd
  • qmail
  • recidive
  • roundcube-auth
  • screensharingd
  • selinux-common
  • selinux-ssh
  • sendmail-auth
  • sendmail-reject
  • sieve
  • slapd
  • sogo-auth
  • solid-pop3d
  • squid
  • squirrelmail
  • sshd
  • stunnel
  • suhosin
  • tine20
  • uwimap-auth
  • vsftpd
  • webmin-auth
  • wuftpd
  • xinetd-fail
  • zoneminder

Custom jails

Users can add their own jails by using this YAML definition:

---
  fail2ban::custom_jails:
    'nginx-wp-login':
      filter_failregex: '<HOST>.*] "POST /wp-login.php'
      port: 'http,https'
      logpath: '/var/log/nginx/access.log'
      maxretry: 3
      findtime: 120
      bantime: 1200
      ignoreip: ['127.0.0.1', '192.168.1.1/24']
    'nginx-login':
      filter_failregex: '^<HOST> -.*POST /sessions HTTP/1\.." 200'
      action: 'iptables-multiport[name=NoLoginFailures, port="http,https"]'
      logpath: '/var/log/nginx*/*access*.log'
      maxretry: 6
      bantime: 600
      ignoreip: ['127.0.0.1', '192.168.1.1/24']
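As an added example (not part of the module or its templates), a small Python checker that validates a fail2ban::custom_jails hash of the shape shown above before it is committed to Hiera, and renders the resulting jail section. The sample data is constructed to mirror the README's nginx-wp-login jail, the "broken-jail" entry is made up to show what the checks catch, and the filter.d layout rendered by render_filter is an assumption about file naming, not the module's documented behaviour.

```python
"""Validate and render fail2ban::custom_jails definitions (added example)."""
import ipaddress
import re
from typing import Any, Dict, List

# Constructed sample in the same shape as the README's fail2ban::custom_jails hash.
SAMPLE_CUSTOM_JAILS: Dict[str, Dict[str, Any]] = {
    "nginx-wp-login": {
        "filter_failregex": '<HOST>.*] "POST /wp-login.php',
        "port": "http,https",
        "logpath": "/var/log/nginx/access.log",
        "maxretry": 3,
        "findtime": 120,
        "bantime": 1200,
        "ignoreip": ["127.0.0.1", "192.168.1.1/24"],
    },
    "broken-jail": {  # constructed: three mistakes the checker should report
        "filter_failregex": r"Failed password for \S+ from \d+\.\d+\.\d+\.\d+",  # no <HOST>
        "logpath": "/var/log/auth.log",
        "bantime": "10x",            # not a Fail2ban duration
        "ignoreip": ["300.1.1.1"],   # not an IP address
    },
}

# Plain seconds (as in the README's defaults) or the "10m"/"1d" suffix form
# that Fail2ban 0.10 and later accept for bantime and findtime.
DURATION_RE = re.compile(r"^\d+[smhdwy]?$")

# Keys copied verbatim into the jail section (standard jail.conf options).
JAIL_KEYS = ("filter", "port", "logpath", "maxretry", "findtime", "bantime", "action")


def validate_jail(name: str, jail: Dict[str, Any]) -> List[str]:
    """Return the problems found in one custom jail definition (empty if it is fine)."""
    problems: List[str] = []
    if not jail.get("logpath"):
        problems.append(f"{name}: logpath is required")
    failregex = jail.get("filter_failregex")
    if failregex is not None and "<HOST>" not in failregex:
        # Without the <HOST> tag Fail2ban has no address to ban.
        problems.append(f"{name}: filter_failregex has no <HOST> tag")
    for key in ("bantime", "findtime"):
        value = jail.get(key)
        if value is not None and not DURATION_RE.match(str(value)):
            problems.append(f"{name}: {key}={value!r} is not a valid duration")
    maxretry = jail.get("maxretry")
    if maxretry is not None and (not isinstance(maxretry, int) or maxretry < 1):
        problems.append(f"{name}: maxretry must be a positive integer")
    for entry in jail.get("ignoreip", []):
        try:
            # strict=False accepts host/prefix forms such as 192.168.1.1/24, as the README uses.
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"{name}: ignoreip entry {entry!r} is not an IP address or CIDR")
    return problems


def validate_all(custom_jails: Dict[str, Dict[str, Any]]) -> List[str]:
    """Validate every jail in a fail2ban::custom_jails hash."""
    problems: List[str] = []
    for name, jail in custom_jails.items():
        problems.extend(validate_jail(name, jail))
    return problems


def render_jail(name: str, jail: Dict[str, Any]) -> str:
    """Render one jail as a Fail2ban jail section.

    ignoreip is written space-separated, which is what Fail2ban expects.
    A jail that carries filter_failregex gets a filter named after the jail
    (assumed layout, see render_filter).
    """
    lines = [f"[{name}]", "enabled = true"]
    if "filter_failregex" in jail and "filter" not in jail:
        lines.append(f"filter = {name}")
    for key in JAIL_KEYS:
        if key in jail:
            lines.append(f"{key} = {jail[key]}")
    if jail.get("ignoreip"):
        lines.append("ignoreip = " + " ".join(jail["ignoreip"]))
    return "\n".join(lines) + "\n"


def render_filter(jail: Dict[str, Any]) -> str:
    """Render the filter.d/<jail>.conf [Definition] for a jail's filter_failregex (assumed layout)."""
    return f"[Definition]\nfailregex = {jail['filter_failregex']}\nignoreregex =\n"


if __name__ == "__main__":
    for problem in validate_all(SAMPLE_CUSTOM_JAILS):
        print("PROBLEM:", problem)
    print(render_jail("nginx-wp-login", SAMPLE_CUSTOM_JAILS["nginx-wp-login"]))
    print(render_filter(SAMPLE_CUSTOM_JAILS["nginx-wp-login"]))
```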

Sendmail notifications

Default e-mail notifications are defined in /etc/fail2ban/action.d/sendmail-common.conf. The following configuration will create the override file sendmail-common.local.

fail2ban::sendmail_actions:
  actionstart: ''
  actionstop: ''
fail2ban::sendmail_config:
  dest: root@localhost
  sender: fail2ban@localhost
  sendername: Fail2Ban

Limitations

This module has been tested on:

  • Debian 8/9/10
  • Ubuntu 16.04/18.04/20.04
  • RedHat 6/7/8/9
  • CentOS 6/7/8/9
  • OpenSuSE 15

Development

Bug Report

If you find a bug, have trouble following the documentation or have a question about this module - please create an issue.

Pull Request

If you are able to patch the bug or add the feature yourself - please make a pull request.

Contributors

The list of contributors can be found at: https://github.com/voxpupuli/puppet-fail2ban/graphs/contributors


puppet-fail2ban's Issues

Add xenial template

To avoid this error:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Evaluation Error: Error while evaluating a Function Call, Could not find template 'fail2ban/xenial/etc/fail2ban/jail.conf.erb' at /etc/puppetlabs/code/environments/production/modules/fail2ban/manifests/init.pp:65:26 on node core

When using fail2ban like this:

class { 'fail2ban':
  config_file_template => "fail2ban/${::lsbdistcodename}/etc/fail2ban/jail.conf.erb",
  package_ensure       => 'latest',
}

Please add Debian 12 template

What are you seeing

Debian 12 does not currently have any template. Copying Debian 11's template seems to work fine, however.

Output log

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, Could not find template 'fail2ban/Debian/12/etc/fail2ban/jail.conf.epp'

Deprecation warnings

I'm getting the following deprecation warnings when running Puppet 4.10 and puppet-fail2ban 1.3.4:

Warning: This method is deprecated, please use the stdlib validate_legacy function, with Pattern[]. There is further documentation for validate_legacy function in the README. at [".../fail2ban/manifests/init.pp", 40]
   (at .../stdlib/lib/puppet/functions/deprecation.rb:25:in `deprecation')
Warning: This method is deprecated, please use the stdlib validate_legacy function, with Stdlib::Compat::String. There is further documentation for validate_legacy function in the README. at [".../fail2ban/manifests/init.pp", 41]
   (at .../stdlib/lib/puppet/functions/deprecation.rb:25:in `deprecation')
Warning: This method is deprecated, please use the stdlib validate_legacy function, with Stdlib::Compat::Absolute_Path. There is further documentation for validate_legacy function in the README. at [".../fail2ban/manifests/init.pp", 44]
   (at .../stdlib/lib/puppet/functions/deprecation.rb:25:in `deprecation')
Warning: This method is deprecated, please use the stdlib validate_legacy function, with Stdlib::Compat::Bool. There is further documentation for validate_legacy function in the README. at [".../fail2ban/manifests/init.pp", 45]
   (at .../stdlib/lib/puppet/functions/deprecation.rb:25:in `deprecation')
Warning: This method is deprecated, please use the stdlib validate_legacy function, with Stdlib::Compat::Hash. There is further documentation for validate_legacy function in the README. at [".../fail2ban/manifests/init.pp", 60]
   (at .../stdlib/lib/puppet/functions/deprecation.rb:25:in `deprecation')
Warning: The function 'hiera_hash' is deprecated in favor of using 'lookup'. See https://docs.puppet.com/puppet/4.10/reference/deprecated_language.html
   (file & line not available)

Looks like it is time to upgrade a few things?

Acceptance tests don't work for CentOS 6

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 5.5.1
  • Distribution: CentOS 6

How to reproduce

Run in your command line:

PUPPET_INSTALL_TYPE=agent BEAKER_debug=true BEAKER_set=docker/centos-6 bundle exec rake beaker

What are you seeing

Acceptance tests fail for CentOS 6

What behaviour did you expect instead

The tests should be working

Additional info

@traylenator started working on #54 but I've discussed the issues with him and will be picking this up.

fail2ban vs firewall

Hi,

We have a few servers that have fail2ban pre-installed (thanks Rackspace), and have had issues with puppetlabs-firewall removing the rules that fail2ban creates. Do you have any examples of a working setup with a puppet "managed" firewall and fail2ban coexisting properly?

Thanks,
Tommy

hiera jails are not picked up

Hi,

We're using
class { 'fail2ban': }

and configure with hiera:

fail2ban::package_ensure: 'latest'
fail2ban::jails:
  - ssh
  - ssh-ddos
  - apache-auth
  - apache-overflows

on Ubuntu 18.04, but no jails are being installed?
Did we miss anything?

fail2ban-client status
Status
|- Number of jail: 0
`- Jail list:

Allow multiple data types

We should allow multiple data types for the parameter bantime, because Fail2ban allows values like 10m instead of 600. They already changed this in 2014.

custom_jail overrides default filters or correct way to change just logpath in default jail

Hi,

I want to configure an ssh jail on my system. The only parameters I need to change from the default configuration are the logpath and the action. What is the correct way to do it?

If I use a custom_jail like:

enabled: true
logpath: '/var/log/messages'
filter: 'sshd'
action: 'dummy'

then all predefined filters for sshd are deleted.

And I wouldn't like to duplicate the default ssh filters in my hiera.

What is the correct way to do this? Is it possible?

ignoreip in custom jails not populating

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 4.10.12
  • Ruby: 2.1.0 (included with puppet)
  • Distribution: Ubuntu 16.04
  • Module version: 2.4.1

How to reproduce (e.g Puppet code you use)

Add the line ignoreip: ['127.0.0.1', '192.168.1.1/24'] for your custom jail as per documentation

What are you seeing

in my custom jail, I get the following line for ignoreip:
ignoreip =

What behaviour did you expect instead

I expected to see ignoreip = 127.0.0.1 192.168.1.1/24 in my custom jail config file

Any additional information you'd like to impart

If I modify templates/common/custom_jail.conf.epp and change the following line (line 25 for me) from:
ignoreip = <% $ignoreip.join(' ') -%>
to:
ignoreip = <%= $ignoreip.join(' ') -%>

Then the ignoreip in my custom jail populates correctly.

puppet-extlib version

Is it possible to bump the puppet-extlib version to 7.0.0? Should I create a pull request?


Unknown function: 'default_content

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 4.8.2
  • Ruby: ruby 2.3.3p222 (2016-11-21) [x86_64-linux-gnu]
  • Distribution: Debian 9 (Stretch)
  • Module version: 2.2.0

How to reproduce (e.g Puppet code you use)

Only define the class in the PE console.

What are you seeing

Info: Using configured environment 'testing'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Unknown function: 'default_content'. at /etc/puppetlabs/code/environments/testing/modules/fail2ban/manifests/init.pp:43:26 on node puppettest.backend.responseconcepts.com
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

What behaviour did you expect instead

No errors

Change in case for operatingsystem fact on opensuse

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 7.17.0
  • Facter: 4.2.10
  • Ruby: 2.5.9p229 (2021-04-05 revision 67939) [aarch64-linux-gnu]
  • Distribution: openSUSE 15.4
  • Module version: latest

How to reproduce (e.g Puppet code you use)

just calling in the module to write jail.conf

What are you seeing

cannot find template file

What behaviour did you expect instead

found template file

Output log

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Error while evaluating a Function Call, Could not find template 'fail2ban/openSUSE/15/etc/fail2ban/jail.conf.epp' (file: /etc/puppetlabs/code/environments/dev/modules/fail2ban/manifests/init.pp, line: 51, column: 26) on node blah

Any additional information you'd like to impart

It seems the newer version of facter is reporting the operating system name differently:
facter 3.14.12 reports OpenSuSE
facter 4.2.10 reports openSUSE

This will fix it:

git diff

diff --git a/manifests/init.pp b/manifests/init.pp
index bebc12b..806408b 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -48,7 +48,7 @@ class fail2ban (
   Hash $sendmail_config = {},
   Hash $sendmail_actions = {},
 ) {
-  $config_file_content = extlib::default_content($config_file_string, $config_file_template)
+  $config_file_content = extlib::default_content($config_file_string, $config_file_template.downcase)

   if $config_file_hash {
     create_resources('fail2ban::define', $config_file_hash)
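Review bot: `$config_file_template.downcase` on the replaced line lowercases the whole caller-supplied template path, not just the operating-system component, so a user who passes their own template (the README's `profile/fail2ban/etc/fail2ban/jail.conf.epp` form, or one with capitalised directory names) gets that path rewritten too; and if `config_file_template` can still be undef, as the Reference section documents, the call needs a guard for that case. Consider downcasing only the operating-system name where the default path is assembled and leaving an explicitly passed `config_file_template` untouched.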

	renamed:    CentOS/6/etc/fail2ban/jail.conf.epp -> centos/6/etc/fail2ban/jail.conf.epp
	renamed:    CentOS/7/etc/fail2ban/jail.conf.epp -> centos/7/etc/fail2ban/jail.conf.epp
	renamed:    Debian/10/etc/fail2ban/jail.conf.epp -> debian/10/etc/fail2ban/jail.conf.epp
	renamed:    Debian/11/etc/fail2ban/jail.conf.epp -> debian/11/etc/fail2ban/jail.conf.epp
	renamed:    Debian/8/etc/fail2ban/jail.conf.epp -> debian/8/etc/fail2ban/jail.conf.epp
	renamed:    Debian/9/etc/fail2ban/jail.conf.epp -> debian/9/etc/fail2ban/jail.conf.epp
	renamed:    OpenSuSE/15/etc/fail2ban/jail.conf.epp -> opensuse/15/etc/fail2ban/jail.conf.epp
	renamed:    RedHat/6/etc/fail2ban/jail.conf.epp -> redhat/6/etc/fail2ban/jail.conf.epp
	renamed:    RedHat/7/etc/fail2ban/jail.conf.epp -> redhat/7/etc/fail2ban/jail.conf.epp
	renamed:    RedHat/8/etc/fail2ban/jail.conf.epp -> redhat/8/etc/fail2ban/jail.conf.epp
	renamed:    RedHat/9/etc/fail2ban/jail.conf.epp -> redhat/9/etc/fail2ban/jail.conf.epp
	renamed:    Ubuntu/16.04/etc/fail2ban/jail.conf.epp -> ubuntu/16.04/etc/fail2ban/jail.conf.epp
	renamed:    Ubuntu/18.04/etc/fail2ban/jail.conf.epp -> ubuntu/18.04/etc/fail2ban/jail.conf.epp
	renamed:    Ubuntu/20.04/etc/fail2ban/jail.conf.epp -> ubuntu/20.04/etc/fail2ban/jail.conf.epp

I'm happy to submit a PR for this, but I imagine all the test cases need to be updated also. Since this is not a PDK module, how do I run the test cases to check whether they need updating? Also, are people happy with this strategy? I'm not sure how else to get both situations to work.

config_file_ensure is not recognized as parameter

module: dhoppe-fail2ban
Version: 1.3.4
OS tested: Fedora release 26

Summary:
config_file_ensure is listed as a parameter. However, when calling it, the following error occurs at compilation.

Puppet::PreformattedError:
Evaluation Error: Error while evaluating a Resource Statement, Class[Fail2ban]: has no parameter named 'config_file_ensure'

Typo in variable name

Thank you for a very useful module. Unfortunately, my tests with strict variable checking are failing because there's a typo in puppet-fail2ban/manifests/jail.pp:12:

$maxretry                    = $fail2ban::maxtretry,

The right-hand side has an extra t; it should be $fail2ban::maxretry.

Update puppet forge

This isn't so much an issue, but, I'm hoping someone can update puppet forge with an updated version of puppet-fail2ban.

Personally, I'm looking for bionic support.

I also realize there are other ways of adding this module to my project.

Thanks for your time!

Fail2ban does not work on Centos 7

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 4.10.12
  • Ruby:
  • Distribution: CentOS Linux release 7.7.1908 (Core)
  • Module version: 3.2.0
  • Fail2ban version: 0.10.5

How to reproduce (e.g Puppet code you use)

class { 'fail2ban':
    config_dir_purge     => false,
    email                => "[email protected]",
    action               => "action_mwl",
    bantime              => 600,
    maxretry             => 5,
    whitelist            => ['127.0.0.1/8','192.168.0.0/24'],
    jails                => ['recidive','ssh','ssh-ddos','apache-auth','apache-badbots','apache-noscript','apache-overflows','apache-nohome','apache-botsearch','apache-fakegooglebot','apache-modsecurity','apache-shellshock','php-url-fopen'],
}

What are you seeing

I updated the fail2ban module and fail2ban, but I had many errors later and the original configuration file (jail.conf) of the package was all deteriorated.

I believe that the way the module is configured is not ideal. jail.conf will always be modified by new versions and distributions, and the demand for new changes to the module will always be very high as jail.conf evolves.

Wouldn't it be better if the module kept the jail.conf intact and created a jail.local (example) with all the customized settings? The module would be cleaner and without the need for updating because of new versions.

The module turned my jail.conf into a Frankenstein and it doesn't even work. And note that there are only a few configurations, and very simple ones.

I debugged the puppet agent and pasted it into pastebin for you to see all the modifications to the jail.conf file.

Output log

May 11 21:04:02 server puppet-agent[28991]: (/Stage[main]/Fail2ban::Service/Service[fail2ban]/ensure) ensure changed 'stopped' to 'running'
May 11 21:04:02 server fail2ban-server[29647]: 2020-05-11 21:04:02,115 fail2ban.configreader [29647]: ERROR Found no accessible config files for 'filter.d/sshd-ddos' under /etc/fail2ban
May 11 21:04:02 server fail2ban-server[29647]: 2020-05-11 21:04:02,115 fail2ban.jailreader [29647]: ERROR Unable to read the filter 'sshd-ddos'
May 11 21:04:02 server fail2ban-server[29647]: 2020-05-11 21:04:02,115 fail2ban.jailsreader [29647]: ERROR Errors in jail 'sshd-ddos'. Skipping...
May 11 21:04:02 server fail2ban-server[29647]: 2020-05-11 21:04:02,141 fail2ban [29647]: ERROR Failed during configuration: Bad value substitution:
May 11 21:04:02 server fail2ban-server[29647]: section: [recidive]
May 11 21:04:02 server fail2ban-server[29647]: option : action
May 11 21:04:02 server fail2ban-server[29647]: key : port
May 11 21:04:02 server fail2ban-server[29647]: rawval : ", protocol="%(protocol)s", chain="%(chain)s"]
May 11 21:04:02 server fail2ban-server[29647]: %(mta)s-whois-lines[name=%(name)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
May 11 21:04:02 server fail2ban-server[29647]: 2020-05-11 21:04:02,146 fail2ban [29647]: ERROR Async configuration of server failed
May 11 21:04:02 server systemd[1]: fail2ban.service: main process exited, code=exited, status=255/n/a
May 11 21:04:02 server fail2ban-client[29653]: 2020-05-11 21:04:02,201 fail2ban [29653]: ERROR Failed to access socket path: /var/run/fail2ban/fail2ban.sock. Is fail2ban running?
May 11 21:04:02 server systemd[1]: fail2ban.service: control process exited, code=exited status=255
May 11 21:04:02 server systemd[1]: Unit fail2ban.service entered failed state.
May 11 21:04:02 server systemd[1]: fail2ban.service failed.
May 11 21:04:04 server puppet-agent[28991]: Applied catalog in 11.04 seconds

Any additional information you'd like to impart

https://pastebin.com/bMw3mwpR

Option to disable service start/stop notifications

Service start/stop notifications are generating too many emails. I don't want to disable email notifications completely, but only on these actions.

Probably the best approach seems to be overriding actionstart and actionstop defined in /etc/fail2ban/action.d/sendmail-common.conf with another config /etc/fail2ban/action.d/sendmail-common.local:

# Override the Fail2Ban defaults in sendmail-common.conf with these entries
[Definition]
# Disable email notifications of jails stopping or starting
actionstart =
actionstop =

Or is there some better way supported by this module?

"no directory /var/run/fail2ban to contain the socket file"

I'm seeing this error on (only) one of my nodes where the same configuration is working on other similar nodes.

Usage is simply:

    class { 'fail2ban':
      config_file_template => "fail2ban/${codename}/etc/fail2ban/jail.conf.erb",
      package_ensure       => 'latest',
    }

Error: Systemd start for fail2ban failed!

journalctl log for fail2ban:

-- Logs begin at Fri 2017-06-23 21:32:14 UTC, end at Tue 2017-06-27 19:57:29 UTC. --
Jun 27 19:57:29 myServer systemd[1]: Starting Fail2Ban Service...
Jun 27 19:57:29 myServer fail2ban-client[26333]: ERROR  There is no directory /var/run/fail2ban to contain the socket file /var/run/fail2ban/fail2ban.sock.
Jun 27 19:57:29 myServer systemd[1]: fail2ban.service: control process exited, code=exited status=255
Jun 27 19:57:29 myServer systemd[1]: Failed to start Fail2Ban Service.
Jun 27 19:57:29 myServer systemd[1]: Unit fail2ban.service entered failed state.
Jun 27 19:57:29 myServer systemd[1]: fail2ban.service failed.

...

Notice: /Stage[main]/Fail2ban/Anchor[fail2ban::end]: Dependency Service[fail2ban] has failures: true
Warning: /Stage[main]/Fail2ban/Anchor[fail2ban::end]: Skipping because of failed dependencies

attempted workaround

I tried mkdir /var/run/fail2ban && chmod 777 /var/run/fail2ban before puppet agent --test and now I get /var/run/fail2ban exists but not accessible for writing

Jun 27 20:17:35 myServer fail2ban-client[25399]: ERROR  Directory /var/run/fail2ban exists but not accessible for writing
Jun 27 20:17:35 myServer systemd[1]: fail2ban.service: control process exited, code=exited status=255
Jun 27 20:17:35 myServer systemd[1]: Failed to start Fail2Ban Service.
Jun 27 20:17:35 myServer systemd[1]: Unit fail2ban.service entered failed state.
Jun 27 20:17:35 myServer systemd[1]: fail2ban.service failed.

Which is weird because

[me@myServer ~]# ll /var/run/
drwxrwxrwx.  2 root    root     40 Jun 27 19:59 fail2ban

Node info:

  • CentOS Linux release 7.2.1511 (Core).

Template for Rocky Linux 8

Please add a template for Rocky Linux 8 too. Currently I am seeing Could not find template 'fail2ban/Rocky/8/etc/fail2ban/jail.conf.epp' on these hosts. It should be similar to CentOS 8, I guess. Thank you.

Could not find template 'fail2ban/stretch/etc/fail2ban/jail.conf.erb'

Good day

It looks like templates are renamed to epp, but then you get

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, Could not find template 'fail2ban/stretch/etc/fail2ban/jail.conf.erb' (file: /etc/puppetlabs/code/modules/fail2ban/manifests/init.pp, line: 44, column: 26) on node REMOVED

Support for OracleLinux

Being a rebuild of RH it's a simple matter of patching config.pp.

--- config.pp.bak	2017-01-17 13:15:40.681058922 -0500
+++ config.pp	2017-01-17 13:16:06.890730918 -0500
@@ -38,7 +38,7 @@
 
   # Operating system specific configuration
   case $::operatingsystem {
-    /^(RedHat|CentOS|Scientific)$/: {
+    /^(RedHat|CentOS|Scientific|OracleLinux)$/: {
       # Not using firewalld by now
       file { '00-firewalld.conf':
         ensure  => 'absent',

SyntaxError on debian stretch epp template

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 5.5.3
  • Distribution: Debian 9.5
  • Module version: v2.3.0

How to reproduce (e.g Puppet code you use)

class { 'fail2ban':
  config_file_template => "fail2ban/${::lsbdistcodename}/etc/fail2ban/jail.conf.epp",
}

What are you seeing

Syntax error since v2.3.0

Output log

Info: Using configured environment 'dev'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Internal Server Error: org.jruby.exceptions.RaiseException: (SyntaxError) /etc/puppetlabs/code/environments/production/modules/fail2ban/templates/stretch/etc/fail2ban/jail.conf.epp:232: syntax error, unexpected kIN
; _erbout.concat(( "ssh" in $fail2ban::jails ).to_s); _erbout.concat "\nport = ssh\nlogpath = %(sshd_log)s\nbackend = %(sshd_backend)s\n\n\n[sshd-ddos]\n# This jail corresponds to the standard configuration in Fail2ban.\n# The mail-whois action send a notification e-mail with a whois request\n# in the body.\nenabled = "
^
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

Template header causes service restart

The template headers contain the file path:

#
# THIS FILE IS MANAGED BY PUPPET
# <%= file %>
#

This path is interpreted as the server side file path:

/etc/puppetlabs/code/environments/*********/fail2ban/templates/xenial/etc/fail2ban/jail.conf

and is placed on a client-side file

this causes one of two issues:

  1. Bleeds puppetmaster internal file structure over to the agents unnecessarily
  2. Whenever you change the node's environment (eg for debugging purposes) if you use directory environments, this causes the file path to change from
/etc/puppetlabs/code/environments/env1/modules/fail2ban/templates/xenial/etc/fail2ban/jail.conf

to

/etc/puppetlabs/code/environments/env2/modules/fail2ban/templates/xenial/etc/fail2ban/jail.conf

and this causes a subsequent (unnecessary) service restart:

Info: Computing checksum on file /etc/fail2ban/jail.conf
Info: /Stage[main]/Fail2ban::Config/File[fail2ban.conf]: Filebucketed /etc/fail2ban/jail.conf to puppet with sum 49cf86b38fbf358131a35d93da5cb9bb
Notice: /Stage[main]/Fail2ban::Config/File[fail2ban.conf]/content: content changed '{md5}49cf86b38fbf358131a35d93da5cb9bb' to '{md5}48402a8a8491bcb926c3be3667a0d7bc'
Info: /Stage[main]/Fail2ban::Config/File[fail2ban.conf]: Scheduling refresh of Service[fail2ban]
Info: Class[Fail2ban::Config]: Scheduling refresh of Class[Fail2ban::Service]
Info: Class[Fail2ban::Service]: Scheduling refresh of Service[fail2ban]

I'm more than happy to fork the repo and submit a PR fixing this, however I'd like to know what you think is the best solution. I would just remove the file path comment entirely.

CentOS ssh jail template actually needs "sshd"

I'm guessing this is a typo but it may be something intentional. The template for CentOS (/templates/Final/etc/fail2ban/jail.conf.erb) contains the following lines:

enabled = <%= scope['::fail2ban::jails'].include? "sshd" %>
...
enabled = <%= scope['::fail2ban::jails'].include? "sshd-ddos" %>

This means that by default no jails are activated on CentOS, because default jails include

fail2ban::jails:
    - 'ssh'
    - 'ssh-ddos'

but the centos template is checking for sshd and sshd-ddos.

A workaround to apply the same config to CentOS and other (Ubuntu for example) machines is to include the (undocumented) sshd jails as well as the ssh ones:

fail2ban::jails:
    - 'ssh'
    - 'sshd'
    - 'ssh-ddos'
    - 'sshd-ddos'

Custom jail doesn't work on Debian Wheezy

The fail2ban::jail define attempts to create the custom jail in the file ${::fail2ban::params::config_dir_path}/jail.d/${name}.conf. The version of fail2ban that is available on Debian Wheezy is 0.8.6, whereas support for custom jails in the 'jail.d' subdirectory was only added with fail2ban 0.8.9.

The end result is that fail2ban::jail is not working on Debian Wheezy, because fail2ban uses the jail.local file rather than the newer jail.d subdirectory.

Virtual resource support

It would be great if this module would use virtual resources to define and collect standard jails. Right now you have to pass all bundled jails when declaring the fail2ban class, e.g.:

class { '::fail2ban':
  jails => ['ssh', 'proftpd', ...]
  ...

It would be nicer to exclude the default jails from the bundled config file templates and make fragments that can be declared and collected like e.g.

class { '::fail2ban':
  dotheotherthings
}

@fail2ban::bundled { 'ssh':
  ...
}

@fail2ban::bundled { 'proftpd':
  ...
}

Fail2ban::Bundled <<| |>>

This way you can couple fail2ban more conveniently with services instead of having to think about modifying the class declaration anytime you add a service to a system. Unfortunately I don't have the time right now to write a PR, but maybe someone else thinks this is a good idea too and likes to create a PR.

Documentation on custom_jails

The specification of custom jails in readme.md is ill-defined: where do you put this YAML configuration? How do you specify it to be loaded by the hiera_hash function from the $custom_jails variable?

Hiera Compatibility

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 5.5.1
  • Ruby:
  • Distribution: CentOS 7
  • Module version:

How to reproduce (e.g Puppet code you use)

Try to change the config using hiera like:

fail2ban::jails:
  - monit
fail2ban::bantime: 3600

What are you seeing

Not only are the jails not altered, but there are no changes applied beyond installing the package.

What behaviour did you expect instead

The jail be enabled and configuration be applied

Output log

Any additional information you'd like to impart

Use of U+2013 (EN DASH) in trusty template causes puppetdb errors

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 4.10.10
  • Ruby: ruby 2.1.9p490 (2016-03-30 revision 54437) [x86_64-linux]
  • Distribution: Ubuntu Server 14.04 (Trusty)
  • Module version: 2.4.1

How to reproduce (e.g Puppet code you use)

class { 'fail2ban':
  config_file_template => "fail2ban/${::lsbdistcodename}/etc/fail2ban/jail.conf.epp",
  action               => 'action_',
  whitelist            => ['127.0.0.1/8'],
}

What are you seeing

2019-01-14 22:50:21,673 ERROR [p.p.command] [251,279] [replace catalog] Retrying after attempt 0 for <node>, due to: org.postgresql.util.PSQLException: ERROR: character with byte sequence 0xe2 0x80 0x93 in encoding "UTF8" has no equivalent in encoding "LATIN1"
org.postgresql.util.PSQLException: ERROR: character with byte sequence 0xe2 0x80 0x93 in encoding "UTF8" has no equivalent in encoding "LATIN1"

What behaviour did you expect instead

No errors, standard run

Output log

See What are you seeing

Any additional information you'd like to impart

This error causes exported resources to not properly save and share with other nodes. I'm not 100% sure that the template file is the culprit, but it is the only file deployed containing the byte sequence puppetdb is logging. It appears that U+2018 and U+2019 (LEFT SINGLE QUOTATION MARK and RIGHT SINGLE QUOTATION MARK respectively) cause this issue as well, and they also appear in both the trusty and jessie templates.
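The byte sequence in the PostgreSQL error (0xE2 0x80 0x93) is the UTF-8 encoding of U+2013, and the quick way to confirm whether a template is the source is to list every character in it that has no ISO-8859-1 (LATIN1) equivalent. The scan below is an added example, not part of the module or of this report: a Ruby check that reports such characters with line, column and code point, plus a helper that swaps the usual typographic dashes and quotes for ASCII. The sample template text is constructed for the example and is not the module's trusty template.

```ruby
# Added example: find characters that cannot be stored in a LATIN1
# database, which is what the PuppetDB error above complains about.
# SAMPLE_TEMPLATE is constructed for this example, not taken from the module.

SAMPLE_TEMPLATE = <<~'ERB'
  # Fail2Ban jail configuration
  # "ignoreip" can be an IP address – a CIDR mask – or a DNS host.
  ignoreip = 127.0.0.1/8
  # Don’t ban ‘localhost’
  bantime = 600
ERB

# Returns [[line_no, column, "U+XXXX", char], ...] for every character
# outside ISO-8859-1. ISO-8859-1 maps exactly onto U+0000..U+00FF, so the
# test is a single code point comparison.
def non_latin1_chars(text)
  hits = []
  text.each_line.with_index(1) do |line, lineno|
    line.chomp.each_char.with_index(1) do |ch, col|
      next if ch.ord <= 0xFF
      hits << [lineno, col, format('U+%04X', ch.ord), ch]
    end
  end
  hits
end

# The typographic characters that usually creep in from copy-pasted docs,
# mapped to plain ASCII. Anything else is left for a human to look at.
ASCII_SUBSTITUTES = {
  "\u2013" => '-', "\u2014" => '-',   # en dash, em dash
  "\u2018" => "'", "\u2019" => "'",   # left/right single quotation mark
  "\u201C" => '"', "\u201D" => '"',   # left/right double quotation mark
}.freeze

def asciify(text)
  text.gsub(Regexp.union(ASCII_SUBSTITUTES.keys), ASCII_SUBSTITUTES)
end

if $PROGRAM_NAME == __FILE__
  path = ARGV[0]
  text = path ? File.read(path, encoding: 'UTF-8') : SAMPLE_TEMPLATE
  non_latin1_chars(text).each do |l, c, cp, ch|
    puts "line #{l} col #{c}: #{cp} (#{ch})"
  end
end
```

Pointing it at `templates/trusty/etc/fail2ban/jail.conf.epp` and `templates/jessie/...` tells you in seconds whether the en dash and the curly quotes are the only offenders. Stripping them from the templates removes the trigger, but if the PuppetDB database was created with LATIN1 encoding that is worth fixing as well, since PuppetDB documents UTF8 as the expected database encoding.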

Move templates

The templates are currently in directories based on the OS codename. The fact for codename isn't always available. We should move the templates to directories based on the standard OS facts.
This is a breaking change, but the next released version is scheduled to be a major anyway.

See #122 (comment)

You cannot specify more than one of content, source, target

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 6
  • Ruby:
  • Distribution:
  • Module version:

How to reproduce (e.g Puppet code you use)

class { 'fail2ban':
    package_ensure => 'latest',
    config_file_source => "puppet:///modules/base_sys/jail.local",
  }

What are you seeing

Error: Failed to apply catalog: Validation of File[fail2ban.conf] failed: You cannot specify more than one of content, source, target (file: /etc/puppetlabs/code/environments/production/modules/fail2ban/manifests/config.pp, line: 17)

What behaviour did you expect instead

Should work

Output log

Any additional information you'd like to impart

Missing directories when using custom jails

There are a couple of missing directories when you configure the module to use custom jails.

Error: Could not set 'file' on ensure: No such file or directory @ dir_s_mkdir - /etc/fail2ban/filter.d/keycloak.conf20191010-753-xx1ht4.lock (file: /mnt/puppetnfsdir/environments/dev_danielfr/modules/fail2ban/manifests/jail.pp, line: 32)
Error: Could not set 'file' on ensure: No such file or directory @ dir_s_mkdir - /etc/fail2ban/filter.d/keycloak.conf20191010-753-xx1ht4.lock (file: /mnt/puppetnfsdir/environments/dev_danielfr/modules/fail2ban/manifests/jail.pp, line: 32)
Wrapped exception:
No such file or directory @ dir_s_mkdir - /etc/fail2ban/filter.d/keycloak.conf20191010-753-xx1ht4.lock
Error: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[keycloak]/File[custom_filter_keycloak]/ensure: change from 'absent' to 'file' failed: Could not set 'file' on ensure: No such file or directory @ dir_s_mkdir - /etc/fail2ban/filter.d/keycloak.conf20191010-753-xx1ht4.lock (file: /mnt/puppetnfsdir/environments/dev_danielfr/modules/fail2ban/manifests/jail.pp, line: 32) (corrective)

Namely filter.d and jail.d.

I'll add a PR to fix this soon.
Thanks.

Can't change sender email in jail.conf

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: ALL
  • Ruby: ALL
  • Distribution: ALL
  • Module version: ALL

How to reproduce (e.g Puppet code you use)

What are you seeing

What behaviour did you expect instead

I expect the sender email to be variabilized as for destemail.

Output log

Any additional information you'd like to impart

ok to consolidate classes?

Hi @dhoppe

The module currently separates out functionality that should be in one class (fail2ban) into many subclasses (install, config, service). Each class should provide functionality on its own without having to chain them together with the anchor pattern, which has come to be an anti-pattern in puppet coding. I'm looking at adding support for EL6 and ensuring there is full spec coverage and wondering if it would be OK to refactor the module to get rid of the anchor pattern and subclasses.

Best regards,
-g

Issue with Vivid Vervet

Hi,

I tried to use your puppet module on an Ubuntu 15.04, AKA Vivid Vervet, and so ${::lsbdistcodename} resolves to "vivid" in my config:

  class { fail2ban:
    config_file_template => "fail2ban/${::lsbdistcodename}/etc/fail2ban/jail.conf.erb",
    bantime   => 3600,
    email     => "",
    whitelist => $whitelisted_hosts,
  }

I get this error message:

Error: Could not find template 'fail2ban/vivid/etc/fail2ban/jail.conf.erb' at /etc/puppet/modules/fail2ban/manifests/init.pp:65 on node ...

As the templates folder https://github.com/dhoppe/puppet-fail2ban/tree/master/templates does not contain a vivid subfolder I can tell why I get this error, but starting there, as I am new to puppet, I do not know what to do. :(

Is there any way to fix that?

Request for release

The latest version on Puppet Forge is still 4.2.0 from Nov 2022. Would we be able to get a new release with the updated dependencies and puppet 8 support? This is one of 3 modules still holding me back from updating stdlib and puppet.

Error: Unknown function: 'default_content'

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: 4.8.2
  • Ruby: 2.3.3p222 (2016-11-21) [x86_64-linux-gnu]
  • Distribution: Debian 9 (Stretch)
  • Module version: 2.2.0

How to reproduce (e.g Puppet code you use)

Including the class by itself produces this error.

What are you seeing

Info: Using configured environment 'testing'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Resource Statement, Evaluation Error: Unknown function: 'default_content'. at /etc/puppetlabs/code/environments/testing/modules/fail2ban/manifests/init.pp:43:26 on node puppettest.backend.responseconcepts.com
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

What behaviour did you expect instead

No error

Debian Stretch

Good day
A management and a template for Debian Stretch is needed.

Kind Regards
Brent Clark

duplicate port declaration for pam-generic jail definition at jail.conf.erb template

OS: Debian 8 Jessie

enabled = false
# pam-generic filter can be customized to monitor specific subset of 'tty's
filter = pam-generic
# port actually must be irrelevant but lets leave it all for some possible uses
port = all
banaction = iptables-allports
port = anyport <= Duplicate option
logpath = /var/log/auth.log
maxretry = 6

/etc/init.d/fail2ban start fail2ban-client[49999]: ERROR Failed during configuration: While reading from '/etc/fail2ban/jail.conf' [line 164]: option 'port' in section 'pam-generic' already exists
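fail2ban's config reader is strict about this: an option that appears twice in one section aborts the whole configuration load, so a template slip like the one above takes the service down rather than silently taking the last value. To catch it before the init script does, here is an added example, not fail2ban's parser and not part of the module: a small Ruby reader that walks a jail.conf-style file and reports every option declared twice within a section. The sample input is constructed from the pam-generic stanza above, with a [DEFAULT] and an [sshd] section added for illustration.

```ruby
# Added example (not fail2ban's ConfigParser, not the module's code):
# report options declared more than once inside one section of a
# fail2ban-style INI file. SAMPLE_JAIL is constructed from the issue text.

SAMPLE_JAIL = <<~'CONF'
  [DEFAULT]
  bantime = 600

  [pam-generic]
  enabled = false
  # pam-generic filter can be customized to monitor specific subset of 'tty's
  filter = pam-generic
  # port actually must be irrelevant but lets leave it all for some possible uses
  port = all
  banaction = iptables-allports
  port = anyport
  logpath = /var/log/auth.log
  maxretry = 6

  [sshd]
  enabled = true
  port = ssh
CONF

# Returns [[section, option, first_line, duplicate_line], ...].
# Option names are lower-cased because the INI reader matches them
# case-insensitively; indented lines are value continuations and are skipped.
def duplicate_options(text)
  dups = []
  seen = {}        # { section => { option => line_no } }
  section = nil
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.chomp
    next if line.strip.empty?
    next if line.lstrip.start_with?('#', ';')   # comment
    next if line =~ /\A\s/                      # continuation of previous value

    if (m = line.match(/\A\[([^\]]+)\]\s*\z/))
      section = m[1]
      seen[section] ||= {}
      next
    end
    next if section.nil?                        # option before any section header

    next unless (m = line.match(/\A([^=:]+?)\s*[=:]/))
    opt = m[1].downcase
    if seen[section].key?(opt)
      dups << [section, opt, seen[section][opt], lineno]
    else
      seen[section][opt] = lineno
    end
  end
  dups
end

if $PROGRAM_NAME == __FILE__
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_JAIL
  duplicate_options(text).each do |sec, opt, first, dup|
    puts "option '#{opt}' in section '#{sec}' already exists (line #{first}), redeclared at line #{dup}"
  end
end
```

On the sample this reports `port` in `pam-generic`, first at line 9 and again at line 11, which is the same complaint the init script prints. Running it over the rendered template in a CI job, before the file is pushed to hosts, is cheaper than finding out via a failed `Service[fail2ban]` refresh.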

Support for RHEL/CentOS 8

On RHEL/CentOS 8 with fail2ban version 0.10.4, the fail2ban puppet module does not work anymore. It seems the whole /etc/fail2ban/jail.conf is not touched by Puppet fail2ban.

The most basic configuration, where I simply would like to enable the ssh jail, does not work anymore.
Also fail2ban recommends now to change a jail.local instead of the system provided jail.conf file.
A custom jail (nginx-cplace) is successfully added and initialized.

Debug: /Package[fail2ban]: Provider dnf does not support features targetable; not managing attribute command
Debug: /Service[fail2ban]: Provider systemd does not support features configurable_timeout; not managing attribute timeout
Info: Applying configuration version '[Fix fail2ban](http://collaborationFactory/ops-puppet-internal/tree/f79264b30752c4143736a1fc58de71b6c3bf270e)'
Debug: /Stage[main]/Fail2ban/Anchor[fail2ban::begin]/before: before to Class[Fail2ban::Install]
Debug: /Stage[main]/Fail2ban::Install/before: before to Class[Fail2ban::Config]
Debug: /Stage[main]/Fail2ban::Config/notify: notify to Class[Fail2ban::Service]
Debug: /Stage[main]/Fail2ban::Config/File[fail2ban.dir]/require: require to Package[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/File[fail2ban.dir]/notify: notify to Service[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/File[fail2ban.conf]/require: require to Package[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/File[fail2ban.conf]/notify: notify to Service[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]/require: require to Package[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]/notify: notify to Service[fail2ban]
Debug: /Stage[main]/Fail2ban::Service/before: before to Anchor[fail2ban::end]
Debug: /Stage[main]/Profile::Fw/Firewall[010 accept SSH]/notify: notify to Service[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_filter_nginx-cplace]/require: require to Package[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_filter_nginx-cplace]/notify: notify to Service[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_jail_nginx-cplace]/require: require to Package[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_jail_nginx-cplace]/notify: notify to Service[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/File[fail2ban.conf]: Adding autorequire relationship with File[fail2ban.dir]
Debug: /Stage[main]/Fail2ban::Config/File[fail2ban.conf]: Adding autorequire relationship with User[root]
Debug: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]: Adding autorequire relationship with File[fail2ban.dir]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_filter_nginx-cplace]: Adding autorequire relationship with File[fail2ban.dir]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_filter_nginx-cplace]: Adding autorequire relationship with User[root]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_jail_nginx-cplace]: Adding autorequire relationship with File[fail2ban.dir]
Debug: /Stage[main]/Fail2ban::Config/Fail2ban::Jail[nginx-cplace]/File[custom_jail_nginx-cplace]: Adding autorequire relationship with User[root]
Debug: Executing: '/usr/bin/rpm -q fail2ban --nosignature --nodigest --qf %{NAME} %|EPOCH?{%{EPOCH}}:{0}| %{VERSION} %{RELEASE} %{ARCH}\n'
Debug: Executing: '/usr/bin/rpm -q fail2ban --nosignature --nodigest --qf %{NAME} %|EPOCH?{%{EPOCH}}:{0}| %{VERSION} %{RELEASE} %{ARCH}\n --whatprovides'
Debug: Package[fail2ban](provider=dnf): Ensuring => present
Debug: Executing: '/usr/bin/dnf -d 0 -e 1 -y install fail2ban'
Notice: /Stage[main]/Fail2ban::Install/Package[fail2ban]/ensure: created (corrective)
Debug: /Package[fail2ban]: The container Class[Fail2ban::Install] will propagate my refresh event
Debug: Class[Fail2ban::Install]: The container Stage[main] will propagate my refresh event
Info: Computing checksum on file /etc/fail2ban/jail.d/00-firewalld.conf
Info: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]: Filebucketed /etc/fail2ban/jail.d/00-firewalld.conf to puppet with sum ea523e49f854737b3f3c8dbf612ae764
Debug: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]: Removing existing file for replacement with absent
Notice: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]/ensure: removed (corrective)
Info: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]: Scheduling refresh of Service[fail2ban]
Debug: /Stage[main]/Fail2ban::Config/File[00-firewalld.conf]: The container Class[Fail2ban::Config] will propagate my refresh event
Debug: Class[Fail2ban::Config]: The container Stage[main] will propagate my refresh event
Info: Class[Fail2ban::Config]: Scheduling refresh of Class[Fail2ban::Service]
Info: Class[Fail2ban::Service]: Scheduling refresh of Service[fail2ban]
Debug: Executing: '/usr/bin/systemctl is-active -- fail2ban'
Debug: Executing: '/usr/bin/systemctl is-enabled -- fail2ban'
Debug: Executing: '/usr/bin/systemctl show --property=NeedDaemonReload -- fail2ban'
Debug: Executing: '/usr/bin/systemctl unmask -- fail2ban'
Debug: Executing: '/usr/bin/systemctl start -- fail2ban'
Debug: Executing: '/usr/bin/systemctl is-enabled -- fail2ban'
Debug: Executing: '/usr/bin/systemctl unmask -- fail2ban'
Debug: Executing: '/usr/bin/systemctl enable -- fail2ban'
Notice: /Stage[main]/Fail2ban::Service/Service[fail2ban]/ensure: ensure changed 'stopped' to 'running' (corrective)
Debug: /Service[fail2ban]: The container Class[Fail2ban::Service] will propagate my refresh event
Info: /Service[fail2ban]: Unscheduling refresh on Service[fail2ban]
Debug: Class[Fail2ban::Service]: The container Stage[main] will propagate my refresh event

LSB System Info:

lsbdistrelease | 8.0.1905
lsbdistid | CentOS
lsbdistdescription | CentOS Linux release 8.0.1905 (Core)
lsbdistcodename | Core

Add Ubuntu 22.04 Template

What are you seeing

Ubuntu 22.04 does not currently have any template. This should be pretty straightforward and 20.04's template would likely work fine.

Output log

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Evaluation Error: Error while evaluating a Function Call, Could not find template 'fail2ban/Ubuntu/22.04/etc/fail2ban/jail.conf.epp' (file: /etc/puppetlabs/code/environments/production/modules/fail2ban/manifests/init.pp, line: 51, column: 26) on node xxx.com

Why is firewalld being "deactivated"

OK, not really a bug, unless it can be activated, but since I didn't read anything in the commit log about why firewalld support is being removed I'm going to just ask why and/or whether it can be left enabled.

Banaction in jail.conf cannot be configured by Puppet

Affected Puppet, Ruby, OS and module versions/distributions

  • Puppet: any
  • Ruby: any
  • Distribution: any
  • Module version: any

What are you seeing

The banaction part of jail.conf is hardcoded.

What behaviour did you expect instead

It would be nice if you'd be able to change this from the class config, especially if you're planning to manage the firewall through Puppet.
