# Similar to base::ssh::global, but with protection against brute-force attacks by
# blocking too-frequent connections from a single source.  Failed login attempts
# are also ignored.

# FIXME: Change parameters to something more meaningful and make variables
# used by the template match the parameter names.
# Hardened SSH profile: rate-limits inbound SSH connections per source via an
# iptables fragment and lowers the sshd authentication-attempt budget.
#
# @param secs  Length of the rate-limiting window in seconds; exported to the
#              iptables template as $ssh_lock_secs (default 300).
# @param limit Number of connections tolerated within that window before a
#              source is blocked; exported to the template as $ssh_lock_count
#              (default 5).  Exact match semantics live in ssh-defense.erb —
#              confirm there.
class base::ssh::defense(
  $secs  = 300,
  $limit = 5
) inherits base::ssh::ignore_fail {
  # The ERB template reads these names, not the parameter names; renaming them
  # requires changing the template in the same commit (see FIXME above).
  $ssh_lock_secs  = $secs
  $ssh_lock_count = $limit

  # Per-source connection throttling rule, rendered from the template using the
  # two variables above.
  base::iptables::fragment-template { 'ssh-defense':
    ensure  => present,
    content => template('base/iptables/ssh-defense.erb'),
  }
  # Syslog filter rules for this profile.  No explicit ensure/owner/mode is set,
  # so the file resource's defaults apply — presumably intentional, verify.
  file { '/etc/filter-syslog/ssh-defense':
    source => 'puppet:///modules/base/ssh/etc/filter-syslog/ssh-defense',
  }

  # Reduce the number of allowed auth failures to 2 to cut down on brute-force
  # password guessing.
  # This overrides a parameter on the sshd_config resource declared by an
  # ancestor class (override is permitted because of the inherits chain above);
  # the resource itself is not visible in this file.
  Base::Ssh::Config::Sshd['/etc/ssh/sshd_config'] {
    max_tries => 2,
  }
}