Introducing confdroid_fail2ban: Automated Brute-Force Protection for Your Puppet-Managed Servers
Brute-force attacks remain one of the most common threats to internet-facing services. Attackers continuously scan for open ports and try thousands of username/password combinations against SSH, web logins, admin panels, and other services. Left unchecked, these attacks can lead to compromised accounts, data breaches, or even full server takeovers.
Fail2Ban has been the go-to open-source solution for years. It monitors log files for suspicious patterns — such as repeated failed login attempts — and automatically bans the offending IP addresses by updating firewall rules (usually via iptables).
Out of the box, Fail2Ban already does an excellent job protecting common services like SSH (sshd jail) and Apache with its default settings. It requires almost no manual tuning for basic protection, making it a set-it-and-forget-it tool that quietly strengthens server security.
Taking Fail2Ban Further with Puppet
While Fail2Ban works great on its own, managing it consistently across multiple servers — especially with custom jails for non-standard services — quickly becomes tedious. That’s where my new Puppet module comes in.
I’m happy to announce the release of confdroid_fail2ban, now available in the Confdroid Forge.
This module provides a clean, declarative way to install, configure, and manage Fail2Ban on RHEL/Rocky 9 systems using Puppet 8. It handles everything from package installation and directory setup (with correct SELinux contexts) to managing the core configuration files and systemd service.
Key Features
- Full management of fail2ban.conf, fail2ban.local, jail.conf, and jail.local (using the standard .local override pattern)
- Proper filesystem permissions and SELinux context handling
- Easy parameter overrides via Foreman ENC or Hiera (e.g., ban time, destination email for notifications, Nagios monitoring integration)
- Support for enabling/disabling the service
- Seamless integration with iptables for automatic IP banning
- Designed to work smoothly alongside other Confdroid modules
Custom Jails for Modern Services
Many self-hosted applications (Gitea, custom Apache setups, Nagios, etc.) are not covered by Fail2Ban’s default jails. The confdroid_fail2ban module makes it simple to add and tune custom jails for these services.
For example, when you use the confdroid_apache module, you can easily enable a tailored Apache authentication jail that monitors the correct log paths and applies appropriate thresholds.
Going forward, other Confdroid modules that expose authentication or admin interfaces will include their own recommended custom jails where needed. This creates a consistent, zero-touch security layer across your entire infrastructure.
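To make the override pattern concrete, here is an added illustration written with core Puppet resources only; it is not the confdroid_fail2ban module's own code and does not use its parameters. It assumes a RHEL/Rocky host with the stock Fail2Ban package, the Apache error log at /var/log/httpd/error_log, and a placeholder notification address; the class parameters stand in for the values you would override through Hiera or the Foreman ENC.

```puppet
# Added illustration of the jail.local override pattern that the module
# automates; core Puppet resources, not confdroid_fail2ban code.
class fail2ban_jails_example (
  String  $destemail = 'security@example.invalid',  # assumed placeholder
  Integer $bantime   = 3600,   # seconds an offending IP stays banned
  Integer $findtime  = 600,    # window in which failures are counted
  Integer $maxretry  = 5,      # failures within findtime before a ban
) {
  package { 'fail2ban':
    ensure => installed,
  }

  # jail.local is read after jail.conf and overrides it key by key, so
  # the packaged defaults are never edited and survive package upgrades.
  file { '/etc/fail2ban/jail.local':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    seltype => 'etc_t',          # keep the expected SELinux context
    content => @("JAIL"),
      [DEFAULT]
      bantime   = ${bantime}
      findtime  = ${findtime}
      maxretry  = ${maxretry}
      destemail = ${destemail}
      banaction = iptables-multiport

      [sshd]
      enabled = true

      # stock apache-auth filter, pointed at the RHEL/Rocky log location
      [apache-auth]
      enabled = true
      port    = http,https
      logpath = /var/log/httpd/error_log
      | JAIL
    require => Package['fail2ban'],
    notify  => Service['fail2ban'],   # reload jails when the file changes
  }

  service { 'fail2ban':
    ensure => running,
    enable => true,
  }
}
```

After a Puppet run, `fail2ban-client status apache-auth` shows whether the jail is active and which addresses it has banned.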
Why This Matters
In today’s threat landscape, relying solely on strong passwords or basic firewall rules is no longer enough. Automated brute-force protection like Fail2Ban adds a critical defensive layer that reacts in real time — banning attackers before they succeed.
By managing Fail2Ban declaratively with Puppet, you gain:
- Consistent security posture across all servers
- Version-controlled configuration
- Easy customization without editing files by hand
- Reduced risk of configuration drift
Getting Started
Getting the module onto your servers is straightforward. Deploy it via R10k and include the class in your node definition:
include confdroid_fail2ban
Alternatively, use Foreman by adding *confdroid_fail2ban::params* to your hosts or hostgroups.
You can then fine-tune parameters (ban time, email notifications, specific jails, etc.) through your ENC.
Note: If you already have a manually configured Fail2Ban installation, test this module in a non-production environment first, as it manages configuration files comprehensively.
You can find the full module, documentation, and parameter reference here: https://sourcecode.confdroid.com/confdroid/confdroid_fail2ban
Final Thoughts
Security should be automated and consistent. confdroid_fail2ban makes it easy to bring reliable brute-force protection to all your Puppet-managed servers while keeping configuration clean and maintainable.
If you run self-hosted services like Gitea, Apache-based apps, or internal tools, I highly recommend pairing this module with the rest of the Confdroid collection for a cohesive and secure setup.
What services do you protect with Fail2Ban today? Have you run into challenges managing custom jails? Feel free to share your experiences in the comments.