{"id":21899713,"url":"https://github.com/zyronix/puppet-ipsets","last_synced_at":"2025-04-15T19:20:04.300Z","repository":{"id":57670406,"uuid":"164953012","full_name":"zyronix/puppet-ipsets","owner":"zyronix","description":"Puppet module to install Update-IPSets which is part of Firehol.","archived":false,"fork":false,"pushed_at":"2019-01-21T10:24:00.000Z","size":46,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-03-29T00:04:40.249Z","etag":null,"topics":["automation","blacklist","firehol","ipsets","puppet","puppet-module","security"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/zyronix.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-01-09T23:14:09.000Z","updated_at":"2023-04-08T12:20:20.000Z","dependencies_parsed_at":"2022-09-26T20:41:03.155Z","dependency_job_id":null,"html_url":"https://github.com/zyronix/puppet-ipsets","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zyronix%2Fpuppet-ipsets","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zyronix%2Fpuppet-ipsets/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zyronix%2Fpuppet-ipsets/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/zyronix%2Fpuppet-ipsets/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/zyronix","download_url":"https://codeload.github.com/zyronix/puppet-ipsets/tar
.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248681494,"owners_count":21144700,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["automation","blacklist","firehol","ipsets","puppet","puppet-module","security"],"created_at":"2024-11-28T14:46:36.887Z","updated_at":"2025-04-15T19:20:04.273Z","avatar_url":"https://github.com/zyronix.png","language":"Ruby","readme":"[![Build Status](https://travis-ci.org/zyronix/puppet-ipsets.svg?branch=master)](https://travis-ci.org/zyronix/puppet-ipsets)\n\n# ipsets\n\n#### Table of Contents\n\n1. [Description](#description)\n2. [Setup - The basics of getting started with ipsets](#setup)\n    * [What ipsets affects](#what-ipsets-affects)\n    * [Setup requirements](#setup-requirements)\n    * [Beginning with ipsets](#beginning-with-ipsets)\n3. [Usage - Configuration options and additional functionality](#usage)\n4. [Limitations - OS compatibility, etc.](#limitations)\n5. [Development - Guide for contributing to the module](#development)\n\n## Description\n\nThis module installs IPSets, which is part of Firehol. IPSets is a script called update-ipsets, which downloads ipsets or blacklists from the internet. Those IPSets can be used to analyse log files. For example, during analysis of an attack it might be interesting to compare IPs with IPs on blacklists. Besides blacklists there are also IPSets of information sources, for example the IPs of Google. 
Using those IPs it becomes easier to analyse log files.\n\nBasically it sets up a self-hosted version of http://iplists.firehol.org/\n\nThis module helps you to install everything for this.\n\n## Setup\n\n### What ipsets affects\n\nWith the default settings it will install ipsets from source, run it as the user ipsets and configure Apache as well.\n\n### Setup Requirements\n\nThe only requirement is that, if you enable SSL and let this module configure the web server, SSL certificates are available. This is not the case for Redhat / CentOS.\n\nCreate a self-signed certificate using:\n\n```\nmkdir -p /etc/ssl/private\nchmod 700 /etc/ssl/private\n/etc/ssl/certs/make-dummy-cert /etc/ssl/private/cert.pem\nchmod 600 /etc/ssl/private/cert.pem\n```\n\nNow configure ipsets to use the file:\n\n```\nclass {'ipsets':\n  ssl_cert =\u003e '/etc/ssl/private/cert.pem',\n  ssl_key  =\u003e '/etc/ssl/private/cert.pem',\n}\n```\n\n### Beginning with ipsets\n\nTo use ipsets just include ipsets:\n\n```\ninclude ipsets\n```\n\nNow everything should be set up, but you still have to enable sources.\n\n```\n# log in on the machine\nsu - ipsets\nupdate-ipsets enable dshield\nupdate-ipsets enable firehol_level1\nupdate-ipsets -s\n```\n\nThis is the minimal setup needed. The module has set up everything to update every 9 minutes.\n\nA better setup is to enable all sources:\n\n```\n# log in on the machine\nsu - ipsets\nupdate-ipsets --enable-all\n```\n\nThis will take a lot of time and use a lot of resources (network and disk space, ~30GB).\n\n## Usage\n\n### More advanced\nSome of the more advanced parameters. For example, when you have enabled all sources it might be better to place all the data on a different disk. The only way to do this is to set the home directory of the user to the new disk. 
In our example, '/data'.\n\n```\nclass {'ipsets':\n  user          =\u003e 'testuser',\n  group         =\u003e 'testgroup',\n  webroot       =\u003e '/var/www/here',\n  user_home     =\u003e '/data',\n}\n```\n\n### Export IPSets\nWhen all the sources have been downloaded it might be handy to download all the sources at once. For this the export function is available, but it is disabled by default.\n\nThe export function also exports all the sources every 9 minutes and places them as a tar in the webroot folder.\n\n```\nclass {'ipsets':\n  export_enable =\u003e true,\n}\n```\n\nIn case you want to stop exporting a specific source, you can use the export_exclude defined type. To disable dshield in the export:\n\n```\nipsets::export_exclude { 'dshield*': \n  description =\u003e 'Reason why you want to exclude it',\n}\n```\n\n### Adding additional ipsets\nYou might want to add additional ipsets; for this use the ip_list defined type:\n\n```\nipsets::ip_list { 'dshield': \n  mins           =\u003e 5,\n  aggregation    =\u003e 0,\n  keep           =\u003e 'both',\n  url            =\u003e 'https://www.dshield.org/block.txt',\n  processor      =\u003e trim,\n  category       =\u003e 'attack',\n  info           =\u003e 'Dshield blocklist',\n  maintainer     =\u003e 'Internet Storm Shield',\n  maintainer_url =\u003e 'https://www.dshield.org/',\n}\n```\n\n## Limitations\n\nNot yet tested running under the root user.\n\n## Development\n\nThis module uses PDK, so make sure all the unit tests and validation pass. Make sure you have written new tests for your code and, if required, any additional documentation. 
Also remember to generate a new references.md file (using puppet strings generate --format markdown).\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzyronix%2Fpuppet-ipsets","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fzyronix%2Fpuppet-ipsets","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fzyronix%2Fpuppet-ipsets/lists"}