annotate modules/fail2ban/manifests/init.pp @ 430:79e5fed321fa
Break up SSH bad users regexes
The list had got so long that it was failing to compile!
author | IBBoard <dev@ibboard.co.uk> |
date | Sun, 11 Dec 2022 20:27:08 +0000 |
parents | a7eaf17bff26 |
children | c84f5efa999e |
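# @summary Installs fail2ban and ships the site's jails, actions and filters.
#
# Everything under /etc/fail2ban below is delivered either as a static file
# from this module or rendered from an EPP template. Puppet tags every
# resource with the name of the class it is declared in, so the File
# collector near the top applies ensure/require/notify to each file resource
# here: nothing is written before the package is installed, and every config
# change restarts the service.
#
# Only the RedHat and Debian OS families are supported; any other family
# fails the catalog instead of producing a jail.local with empty log paths.
#
# @param firewall_cmd
#   fail2ban action used for banning. 'iptables' is mapped to the
#   'iptables-multiport' action; any other value is used as-is as the name of
#   an action file under /etc/fail2ban/action.d/.
class fail2ban (
  String $firewall_cmd,
) {
  package { 'fail2ban':
    ensure => installed,
  }
  service { 'fail2ban':
    ensure  => running,
    enable  => true,
    require => Package['fail2ban'],
  }
  # Defaults for every file resource tagged 'fail2ban' (through automatic
  # class tagging that is every file declared in this class).
  File<| tag == 'fail2ban' |> {
    ensure  => present,
    require => Package['fail2ban'],
    notify  => Service['fail2ban'],
  }
  file { '/etc/fail2ban/fail2ban.local':
    source => 'puppet:///modules/fail2ban/fail2ban.local',
  }

  # OS-specific paths. Fail fast on anything else: leaving these undef would
  # render a jail.local with empty log paths and point httxt2dbm at a
  # relative 'apache_banlist.db' in the agent's working directory.
  case $osfamily {
    'RedHat': {
      $ssh_log            = '/var/log/secure'
      $mail_log           = '/var/log/maillog'
      $apache_conf_custom = '/etc/httpd/conf.custom/'
    }
    'Debian': {
      $ssh_log            = '/var/log/auth.log'
      $mail_log           = '/var/log/mail.log'
      $apache_conf_custom = '/etc/apache2/conf.custom/'
    }
    default: {
      fail("fail2ban: unsupported osfamily '${osfamily}' (expected RedHat or Debian)")
    }
  }

  file { '/etc/fail2ban/jail.local':
    content => epp('fail2ban/jail.local.epp', { 'ssh_log' => $ssh_log, 'mail_log' => $mail_log }),
  }
  file { '/etc/fail2ban/action.d/apf.conf':
    source => 'puppet:///modules/fail2ban/apf.conf',
  }

  # Map the generic 'iptables' choice onto the multiport action; any other
  # value names an action file directly.
  $firewall_ban_cmd = $firewall_cmd ? {
    'iptables' => 'iptables-multiport',
    default    => $firewall_cmd,
  }

  # Apache-side banlists. The block is implemented with mod_rewrite (see
  # ibb-apache-ip-block.conf), which needs the DBM files to exist - even
  # empty - before httpd starts. Class['website'] and Service['httpd'] are
  # declared outside this module.
  exec { "httxt2dbm -i /dev/null -o ${apache_conf_custom}apache_banlist.db":
    path    => '/sbin:/usr/bin',
    unless  => "test -f ${apache_conf_custom}apache_banlist.db",
    require => Class['website'],
    before  => Service['httpd'],
  }
  # NOTE(review): both text banlists live in world-writable /tmp and no
  # owner/mode is managed here, so another local user could pre-create or
  # replace them before whatever appends to them runs. Confirm the writer
  # (ibb-apache-ip-block.conf) and consider a root-owned directory instead.
  file { '/tmp/apache_banlist.txt':
    ensure  => present,
    seltype => 'httpd_config_t',
  }
  # Same again for the "repeat offender" list.
  exec { "httxt2dbm -i /dev/null -o ${apache_conf_custom}apache_repeat_banlist.db":
    path    => '/sbin:/usr/bin',
    unless  => "test -f ${apache_conf_custom}apache_repeat_banlist.db",
    require => Class['website'],
    before  => Service['httpd'],
  }
  file { '/tmp/apache_repeat_banlist.txt':
    ensure  => present,
    seltype => 'httpd_config_t',
  }
  if $operatingsystem == 'CentOS' {
    # Local SELinux policy so the httxt2dbm process can keep rebuilding the
    # banlist DBMs the rest of the time; only reloaded when the policy file
    # changes.
    file { '/etc/selinux/apache-ip-banlist.pp':
      source => 'puppet:///modules/fail2ban/apache-ip-banlist.pp',
    }
    ~> exec { 'semodule -i /etc/selinux/apache-ip-banlist.pp':
      path        => '/usr/sbin',
      refreshonly => true,
    }
  }

  # Jails refer to the generic 'firewall-ban' action; point it at the
  # configured backend.
  file { '/etc/fail2ban/action.d/firewall-ban.conf':
    ensure => link,
    target => "/etc/fail2ban/action.d/${firewall_ban_cmd}.conf",
  }
  file { '/etc/fail2ban/action.d/ibb-apache-ip-block.conf':
    source => 'puppet:///modules/fail2ban/ibb-apache-ip-block.conf',
  }

  # Static filters: each NAME is shipped as filter.d/NAME.conf from
  # files/NAME.conf in this module.
  [
    'ibb-apache-exploits-instaban',
    'ibb-apache-shellshock',
    'ibb-repeat-offender',
    'ibb-repeat-offender-ssh',
    'ibb-postfix-spammers',
    'ibb-postfix-malicious',
    'ibb-postfix',
    'ibb-sshd',
  ].each |String $filter| {
    file { "/etc/fail2ban/filter.d/${filter}.conf":
      source => "puppet:///modules/fail2ban/${filter}.conf",
    }
  }

  # Usernames that only credential-stuffing bots try; an SSH login attempt
  # for any of them is grounds for a ban. Entries are regex fragments handed
  # to ibb-sshd-bad-user.epp. They are grouped into sub-lists because a
  # single alternation built from the whole list got too long to compile.
  $bad_users = [
    [
      '[^0-9a-zA-Z]+',
      '\.?[0-9]+\.?',
      '[0-9a-zA-Z]{1,3}',
      '([0-9a-z])\2{2,}',
      'abused',
      'Admin',
      # NOTE(review): Puppet collapses '\\' to one backslash in single quotes,
      # so the template receives [a-z0-9\]+ where "\]" reads as an escaped
      # bracket; confirm the generated filter still loads as intended.
      '[aA]dministr[a-z0-9\\]+', # administracion, administrador, administradorweb, administrator, administrat\303\266r (escaped ö) etc
      'admin-?gui',
      'adminuser',
      'admissions',
      'altibase',
      'alumni',
      'amavisd?',
      'amax[0-9]+',
      'amministratore',
      'amssys',
      'anwenderschnittstelle',
      'anonymous',
      'ansible',
      'apache',
      'apps',
      'aptproxy',
      'apt-mirror',
      'ark(server)?',
      'asdfas',
      'asterisk',
      'audio',
      'auser',
      'autologin',
      'avahi',
      'avis',
      'backlog',
      'backup(s|er|pc|user)?',
      'bash',
      'batch',
      'beagleindex',
      'benutzer', # German user account
      'bf2',
      '.*bitbucket',
      'bind',
      'biology',
      'bitcoin',
      'bitnami',
      'bitrix',
      'bkroot',
      'blog',
      'boinc',
      'bot',
      'botmaster',
      'bouncer',
      'browser',
      'bugzilla',
      'build',
      'buscador',
      'cacti(user)?',
      'camera',
      'carrerasoft',
      'catchall',
      'celery',
      'cemergen',
      'centos',
      'chef',
      'chimistry',
      'cgi',
      'chromeuser',
      'cinema',
      'cinstall',
      'cisco',
      'clamav',
      'cliente?[0-9]*',
      'CloudSigma',
      'clouduser',
      'com',
      'comercial',
      'configure',
      'console',
      'contact',
      'control',
      'couchdb',
      'cpanel',
      'cpanelrrdtool',
      'create',
      'cron',
      '(cs(s|go|cz)|arma|mc|tf2?|sdtd|web|pz)-?se?rve?r?',
      'cs-?go1?',
      'CumulusLinux!',
      'customer',
      'cyrus[0-9]*',
      'daemon',
      'danger',
      'darwin',
      'dasuse?r[0-9]*',
      'data(ba?se)?',
      'db2inst[0-9]*',
      'dbcloud',
      'dbus',
      'debian(-spamd)?',
      'default',
      'dell',
      'demo',
      'deploy(er)?[0-9]*',
      'desktop',
      'developer',
      'devdata',
      'devops',
      'devteam',
      'dietpi',
      'discordbot',
      'disklessadmin',
      'display',
      'django',
      'dmarc',
      'dpvirtual',
      'docker(user)?',
      'dotblot',
      'download',
      'dovecot',
      'dovenull',
      'duplicity',
      'easy',
      'ec2-user',
      'ecquser',
      'edu(cation)?[0-9]*',
      'e-shop',
      'elastic',
      'elsearch',
      'engin(eer)?',
      'esadmin',
      'events',
      'exploit',
      'exports?',
      'facebook',
      'factorio',
      'fax',
      'fcweb',
      'fetchmail',
      'filter',
      'firebird',
      'firefox',
      'ftp(admin)?',
      'fuser',
    ],
    [
      'games',
      'gdm',
      'geometry',
      'geniuz',
      'getmail',
      'ggc_user',
      'ghost',
      'git(olite?|blit|lab(_ci)?|admi?n?|use?r)?',
      'glassfish',
      'gmail',
      'gmodserver',
      'gnuhealth',
      'google',
      'gopher',
      'government',
      'gpadmin',
      'grape',
      'grid',
      'guest',
      'hacker',
      'hadoop',
      'haldaemon',
      'harvard',
      'hduser',
      'headmaster',
      'helpdesk',
      'hive',
      'home',
      'host',
      'httpd?',
      'httpfs',
      'huawei',
      'iamroot',
      'iceuser',
      'image',
      'imscp',
      'info(rmix)?[0-9]*',
      'inst[0-9]+',
      'install(er)?',
      'interadmin',
      'inventario',
      'java',
      'jboss',
      'jenkins',
      'jira',
      'jmeter',
      'joomla',
      'jquery',
      'jsboss',
      'juniper',
      'kafka',
      'kodi',
      'kms',
      'ldap',
      'legacy',
      'library',
      'libsys',
      'libuuid',
      'linode',
      'linux',
      'localadmin',
      'logcheck',
      'login',
      'logout',
      'logstash',
      'logview(er)?',
      'lsfadmin',
      'lynx',
    ],
    [
      'magento',
      'mail',
      'mailer',
      'mailman',
      'mailtest',
      'maintain',
      'majordomo',
      'man',
      'mantis',
      'mapruser',
      'marketing',
      'master',
      'member(ship)?',
      'merlin',
      'messagebus',
      'minecraft',
      'mirc',
      'modem',
      'mongo(db|user)?',
      'monitor(ing)?',
      'more',
      'moher',
      'mpiuser',
      'mqadm',
      'musi[ck]bot',
      '(my?|pg)(sq(ue)?l|admin)[0-9]*',
      'mythtv',
      'nagios',
      'named',
      'nasa',
      'ncs',
      'nessus',
      'netadmin',
      'netdiag',
      'netdump',
      'network',
      'netzplatz',
      'newadmin',
      'newuser',
      'nexus',
      'nfinity',
      'nfs',
      '(nfs)?nobody',
      'nginx',
      'noc',
      'node',
      'notes',
      'nothing',
      'NpC',
      'ntps',
      'nux',
      'odoo',
      'odroid',
      'office',
      'omsagent',
      'onyxeye',
      'oozie',
      'openbravo',
      'openfire',
      'openerp',
      'openvpn',
      'operador',
      'operator',
      'ops(code)?',
      'oprofile',
      'ora_?(cle|prod|root|vis)[0-9]*',
      'orbital',
      'osmc',
      'owncloud',
      'papernet',
      'passwo?r?d',
      'payments',
      'pay_?pal',
      'pdfbox',
      'pentaho',
      'php[0-9]*',
      'platform',
      'play',
      'PlcmSpIp(PlcmSpIp)?',
      'plesk',
      'plex',
      'point',
      'polkitd?',
      'popd?3?',
      'popuser',
      'portal',
      'postfix',
      'p0stgr3s',
      'postgres',
      'postmaster',
      'pptpd',
      'print',
      'privoxy',
      'proba',
      'Prometheus',
      'proxy',
      'public',
      'puppet',
      'pwla',
      'qhsupport',
      'rabbit(mq)?',
      'radio',
      'radiusd?',
      'raspberry',
      'readonly',
      'reboot',
      'recording',
      'redis',
      'redmine',
      'remot[eo]',
      'reports',
      'riakcs',
      'root[0-9a-zA-Z]+',
      'rpc(user)?',
      'rpm',
      'RPM',
      'rtorrent',
    ],
    [
      'rustserver',
      'sales[0-9]+',
      'samp',
      's?bin',
      'saslauth',
      'scan(n?er)?',
      'screen',
      'search',
      'sekretariat',
      'server',
      'serverpilot',
      'service',
      'setup',
      '(s|u|user|ams|admin|inss|pro|web)?ftp(d|[_-]?use?r|home|_?test|immo)?[0-9]*',
      'sftponly',
      'shell',
      'shop',
      'sinusbot[0-9]*',
      'sirius',
      'smbguest',
      'smbuse?r',
      'smmsp',
      'socket',
      'software',
      'solr',
      'solarus',
      'spam',
      'spark',
      'speech-dispatcher',
      'splunk',
      'sprummlbot',
      'squid',
      'squirrelmail[0-9]+',
      'srvadmin',
      'sshd',
      'sshusr',
      'staffc',
      'steam(cmd)?',
      'store',
      'stream',
      'stunnel',
      'super(user)?',
      'suporte',
      'support',
      'svn(root|admin)?',
      'sybase',
      'sync[0-9]*',
      'sysadmin',
      'system',
      'teamspeak[234]?(-?use?r)?',
      'telecom(admin)?',
      'telkom',
      'telnetd?',
      'te?mp(use?r)?[0-9]*',
      'test((er?|ing|ftp|man|linux|use?r|u)[0-9]*|[0-9]+)?',
      'ttest',
      '(test)?username',
      'text',
      'tiago',
      'tomcat',
      'tools',
      'toor',
      'ts[123](se?rv(er)?|(musi[ck])?bot|sleep|user)?',
      'tss',
      'tunstall',
      'ubnt',
      'unity',
      'universitaetsrechenzentrum', # University Computing Center
      'unix',
      'uplink',
      'upload(er)?[0-9]*',
      'user[0-9]*',
      'USERID',
      'username',
      'usuario',
      'utente', # Italian user
      'uucp',
      'vagrant',
      'vbox',
      'ventrilo',
      'vhbackup',
      'video',
      'virtual',
      'virusalter',
      'vmadmin',
      'vmail',
      'vscan?',
      'vtms',
      'vyatta',
      'wanadoo',
      'web',
      'webapp',
      'webdesign',
      'weblogic',
      'webmaster',
      'webmin',
      'webportal',
      'websync',
      'wiki',
      'WinD3str0y',
      'wine',
      'wordpress',
      'wp-?user',
      'write',
      'www',
      'wwAdmin',
      '(www|web|coin|fax|sys|db2|rsync|tc)-?(adm(in)?|run|users?|data|[0-9]+)',
      'xbian',
      'xbot',
      'xmpp',
      'xoadmin',
      'yahoo',
      'yarn',
      'zabbix',
      'zimbra',
      'zookeeper',
    ],
    [
      # User/admin/other
      '(bwair|api|appl?|ats|cam|cat|db|dev|file|imap|is|my|net|site|tech|virtual|vnc|vpn)?(admins?|app|dev|use?r|server|man|manager|mgr)[0-9]*',
      '(abc|account|git|info|redhat|samba|sshd|student|teacher|tomcat|ubuntu|web)[0-9]*',
      # Names
      '(aaron|alexander|bill|david|james|sergio|thomas|timson|tom|victor|wang)[0-9]*',
      # And some passwords that turned up as usernames
      '1q2w3e4r',
      'abc123',
      'letmein',
      '0fordn1on@#\$%%\^&',
      'P@\$\$w0rd',
      'P@ssword1!',
      'Pa\$\$word_',
      'Passwd123(\$%%\^)',
      'password',
      'pass123?4?',
      'qwer?[0-9]+',
    ],
  ]

  file { '/etc/fail2ban/filter.d/ibb-sshd-bad-user.conf':
    content => epp('fail2ban/ibb-sshd-bad-user.epp', { 'bad_users' => $bad_users }),
  }

  # One of our filters reads fail2ban's own log, and the service dies when
  # the file is missing, so create it up front; root-only like the rest of
  # the service's state.
  file { '/var/log/fail2ban.log':
    ensure => present,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
  }
}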