
Comments (2)

decibelhertz avatar decibelhertz commented on August 18, 2024

I'm having this issue, too. E.g. I want to change logpath to a glob and affect the bantime for my HTTP(S) service to be different than my SSHD bantime. Further, polling mode works with fewer complaints than journalmatch for that filter, so I want to use that mode but systemd for sshd.

fail2ban::custom_jails:
  'nginx-botsearch':
    enabled: true
    backend: polling
    bantime: 3600
    port: http,https
    logpath: '/var/log/nginx/*error.log'

However, this destroys the regex data in /etc/fail2ban.d/nginx-botsearch. I can work around this with a differently named jail, e.g.

fail2ban::custom_jails:
  '10-nginx-botsearch':
    enabled: true
    backend: polling
    bantime: 3600
    port: http,https
    filter: nginx-botsearch
    logpath: '/var/log/nginx/*error.log'

This is kludgy, as it creates an unused filter file, but the jail doesn't load it, rather the desired filter, and I am able to function.

Alternatively, I can declare the regex data in YAML, but will note that there are a few problems with this:

  1. Declaring regex in YAML requires a LOT of confusing and/or extraneous escape characters, making maintenance a nightmare
  2. If the OS-managed package updates the filter, Puppet destroys those updates. This is not bad if I want that... but I want the choice
  3. There are parameters in the OS-provided filter I cannot currently express in Puppet, e.g. before, so while I can do that, I destroy some package setup.

E.g.

fail2ban::custom_jails:
  'nginx-botsearch':
    enabled: true
    backend: polling
    bantime: 3600
    port: http,https
    filter: nginx-botsearch
    # yamllint disable rule:line-length
    filter_datepattern: "{^LN-BEG}%%ExY(?P<_sep>[-/.])%%m(?P=_sep)%%d[T ]%%H:%%M:%%S(?:[.,]%%f)?(?:\\s*%%z)?\n            ^[^\\[]*\\[({DATE})\n            {^LN-BEG}"
    filter_failregex: "^<HOST> \\- \\S+ \\[\\] \\\"(GET|POST|HEAD) \\/<block> \\S+\\\" 404 .+$\n            ^ \\[error\\] \\d+#\\d+: \\*\\d+ (\\S+ )?\\\"\\S+\\\" (failed|is not found) \\(2\\: No such file or directory\\), client\\: <HOST>\\, server\\: \\S*\\, request: \\\"(GET|POST|HEAD) \\/<block> \\S+\\\"\\, .*?$"
    logpath: '/var/log/nginx/*error.log'

I will point out that I stumbled upon all of this trying to load RedHat sshd-ddos which now has modes for SSH, and no longer ships with a specific sshd-ddos filter. My solution, as advised by the package-provided commentary:

fail2ban::custom_jails:
  '01-sshd-ddos':
    enabled: true
    backend: systemd
    port: 'ssh'
    logpath: '%(sshd_log)s'
    filter: 'sshd[mode=ddos]'

My opinion is that the defined type at https://github.com/voxpupuli/puppet-fail2ban/blob/master/manifests/jail.pp has some assumptions that create these problems and can be corrected.

My suggestion is to:

  1. Create a custom defined type, fail2ban::filter, instead of managing filters and jails in fail2ban::jail. This doesn't necessarily affect function, but would/could allow cleaner coding and logic for the module.
  2. Create a Boolean in fail2ban::jail, $manage_filter, that allows turning off/on managing the filter.d file in fail2ban::jail.

While I am here, I will also mention that I think fail2ban::jail should also have an $ensure variable so that I can clean up my mistaken/old files in jail.d. Right now I have to disable anything I've tried and/or remove legacy files outside of the module.

I am willing to do a PR if you all agree with the logic.

from puppet-fail2ban.
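As an added example (not code from the issue, the commenter, or the puppet-fail2ban module), the following check reads a custom_jails mapping and reports the three outcomes described in the comment above: a jail named after a packaged filter clobbering filter.d, a differently named jail leaving an unused filter file, and a filter reference that resolves nowhere. It assumes, as the comment describes, that the module writes filter.d/<jail_name>.conf for every custom jail; the sample jails and packaged filter names are constructed to mirror the comment.

```python
import re

# 'sshd[mode=ddos]' -> filter name 'sshd' with option mode=ddos
FILTER_REF = re.compile(r"^(?P<name>[\w.-]+)(?:\[(?P<opts>[^\]]*)\])?$")

def parse_filter_ref(ref):
    """Split a fail2ban filter reference into (name, {option: value})."""
    m = FILTER_REF.match(ref.strip())
    if not m:
        raise ValueError(f"bad filter reference: {ref!r}")
    opts = {}
    for kv in (m.group("opts") or "").split(","):
        if kv.strip():
            key, _, val = kv.partition("=")
            opts[key.strip()] = val.strip()
    return m.group("name"), opts

def check_custom_jails(custom_jails, packaged):
    """Return {jail_name: (level, message)}; `packaged` is the set of OS-provided
    filter names (the *.conf stems in filter.d). Assumes the module always writes
    filter.d/<jail_name>.conf, as the comment describes."""
    # filters defined inline by another custom jail also count as available
    available = packaged | {n for n, j in custom_jails.items() if "filter_failregex" in j}
    findings = {}
    for jail_name, jail in custom_jails.items():
        inline = "filter_failregex" in jail
        # fail2ban falls back to the jail name when 'filter' is unset
        fname, _ = parse_filter_ref(str(jail.get("filter", jail_name)))
        if jail_name in packaged:
            level, msg = "warning", f"filter.d/{jail_name}.conf replaces the packaged filter; package updates to it are reverted"
            if not inline:
                level, msg = "error", f"filter.d/{jail_name}.conf overwrites the packaged filter with empty regex data"
        elif fname != jail_name:
            level, msg = "warning", f"filter.d/{jail_name}.conf is written but unused; the jail loads {fname!r}"
            if fname not in available:
                level, msg = "error", f"filter {fname!r} is neither packaged nor defined by any custom jail"
        elif not inline:
            level, msg = "error", f"filter {fname!r} is not packaged and the jail gives no regex data"
        else:
            continue
        findings[jail_name] = (level, msg)
    return findings

# Constructed sample mirroring the jails in the comment above (not real hiera data)
SAMPLE_PACKAGED = {"nginx-botsearch", "sshd"}
SAMPLE_JAILS = {
    "nginx-botsearch": {"backend": "polling", "bantime": 3600, "port": "http,https", "logpath": "/var/log/nginx/*error.log"},
    "10-nginx-botsearch": {"backend": "polling", "filter": "nginx-botsearch", "logpath": "/var/log/nginx/*error.log"},
    "01-sshd-ddos": {"backend": "systemd", "port": "ssh", "logpath": "%(sshd_log)s", "filter": "sshd[mode=ddos]"},
}
```

Running `check_custom_jails(SAMPLE_JAILS, SAMPLE_PACKAGED)` flags the first jail as an error and the two renamed jails as warnings about their unused filter files.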

decibelhertz avatar decibelhertz commented on August 18, 2024

I realized some very quick-n-dirty edits address at least 80% of what's discussed here, so I created #161

