Mercurial > repos > other > Puppet
annotate modules/fail2ban/manifests/init.pp @ 430:79e5fed321fa
Break up SSH bad users regexes
The list had got so long that it was failing to compile!
| author | IBBoard <dev@ibboard.co.uk> |
|---|---|
| date | Sun, 11 Dec 2022 20:27:08 +0000 |
| parents | a7eaf17bff26 |
| children | c84f5efa999e |
| rev | line source |
|---|---|
| 292 | 1 class fail2ban ( |
| 2 $firewall_cmd, | |
| 3 ) { | |
| 4 package { 'fail2ban': | |
| 5 ensure => installed, | |
| 6 } | |
| 7 service { 'fail2ban': | |
| 8 ensure => running, | |
| 9 enable => true | |
| 10 } | |
| 11 File<| tag == 'fail2ban' |> { | |
| 12 ensure => present, | |
| 13 require => Package['fail2ban'], | |
| 14 notify => Service['fail2ban'], | |
| 15 } | |
| 16 file { '/etc/fail2ban/fail2ban.local': | |
| 17 source => 'puppet:///modules/fail2ban/fail2ban.local', | |
| 18 } | |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
19 if $osfamily == 'RedHat' { |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
20 $ssh_log = '/var/log/secure' |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
21 $mail_log = '/var/log/maillog' |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
22 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
23 elsif $osfamily == 'Debian' { |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
24 $ssh_log = '/var/log/auth.log' |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
25 $mail_log = '/var/log/mail.log' |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
26 } |
| 292 | 27 file { '/etc/fail2ban/jail.local': |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
28 content => epp('fail2ban/jail.local.epp', {'ssh_log' => $ssh_log, 'mail_log' => $mail_log}) |
| 292 | 29 } |
| 30 file { '/etc/fail2ban/action.d/apf.conf': | |
| 31 source => 'puppet:///modules/fail2ban/apf.conf', | |
| 32 } | |
| 33 | |
| 34 if $firewall_cmd == 'iptables' { | |
| 35 $firewall_ban_cmd = 'iptables-multiport' | |
| 36 } else { | |
| 37 $firewall_ban_cmd = $firewall_cmd | |
| 38 } | |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
39 |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
40 if $osfamily == 'RedHat' { |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
41 $apache_conf_custom = '/etc/httpd/conf.custom/' |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
42 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
43 elsif $osfamily == 'Debian' { |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
44 $apache_conf_custom = '/etc/apache2/conf.custom/' |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
45 } |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
46 |
|
337
a79ad974a548
Implement fail2ban for Apache as mod_rewrite
IBBoard <dev@ibboard.co.uk>
parents:
324
diff
changeset
|
47 # Create an empty banlist file if it doesn't exist |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
48 exec { "httxt2dbm -i /dev/null -o ${apache_conf_custom}apache_banlist.db": |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
49 path => '/sbin:/usr/bin', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
50 unless => "test -f ${apache_conf_custom}apache_banlist.db", |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
51 require => Class['website'], |
|
337
a79ad974a548
Implement fail2ban for Apache as mod_rewrite
IBBoard <dev@ibboard.co.uk>
parents:
324
diff
changeset
|
52 before => Service['httpd'], |
|
a79ad974a548
Implement fail2ban for Apache as mod_rewrite
IBBoard <dev@ibboard.co.uk>
parents:
324
diff
changeset
|
53 } |
|
a79ad974a548
Implement fail2ban for Apache as mod_rewrite
IBBoard <dev@ibboard.co.uk>
parents:
324
diff
changeset
|
54 file { '/tmp/apache_banlist.txt': |
|
a79ad974a548
Implement fail2ban for Apache as mod_rewrite
IBBoard <dev@ibboard.co.uk>
parents:
324
diff
changeset
|
55 ensure => present, |
|
a79ad974a548
Implement fail2ban for Apache as mod_rewrite
IBBoard <dev@ibboard.co.uk>
parents:
324
diff
changeset
|
56 seltype => 'httpd_config_t', |
|
a79ad974a548
Implement fail2ban for Apache as mod_rewrite
IBBoard <dev@ibboard.co.uk>
parents:
324
diff
changeset
|
57 } |
|
341
3a1b19f6a054
Add a "repeat offender" ban to Apache IP block
IBBoard <dev@ibboard.co.uk>
parents:
337
diff
changeset
|
58 # Create an empty repeat banlist file if it doesn't exist |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
59 exec { "httxt2dbm -i /dev/null -o ${apache_conf_custom}apache_repeat_banlist.db": |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
60 path => '/sbin:/usr/bin', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
61 unless => "test -f ${apache_conf_custom}apache_repeat_banlist.db", |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
62 require => Class['website'], |
|
341
3a1b19f6a054
Add a "repeat offender" ban to Apache IP block
IBBoard <dev@ibboard.co.uk>
parents:
337
diff
changeset
|
63 before => Service['httpd'], |
|
3a1b19f6a054
Add a "repeat offender" ban to Apache IP block
IBBoard <dev@ibboard.co.uk>
parents:
337
diff
changeset
|
64 } |
|
3a1b19f6a054
Add a "repeat offender" ban to Apache IP block
IBBoard <dev@ibboard.co.uk>
parents:
337
diff
changeset
|
65 file { '/tmp/apache_repeat_banlist.txt': |
|
3a1b19f6a054
Add a "repeat offender" ban to Apache IP block
IBBoard <dev@ibboard.co.uk>
parents:
337
diff
changeset
|
66 ensure => present, |
|
3a1b19f6a054
Add a "repeat offender" ban to Apache IP block
IBBoard <dev@ibboard.co.uk>
parents:
337
diff
changeset
|
67 seltype => 'httpd_config_t', |
|
3a1b19f6a054
Add a "repeat offender" ban to Apache IP block
IBBoard <dev@ibboard.co.uk>
parents:
337
diff
changeset
|
68 } |
|
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
69 if $operatingsystem == 'CentOS' { |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
70 # And let the httxt2dbm process work the rest of the time |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
71 file { '/etc/selinux/apache-ip-banlist.pp': |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
72 source => 'puppet:///modules/fail2ban/apache-ip-banlist.pp', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
73 } ~> |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
74 exec { 'semodule -i /etc/selinux/apache-ip-banlist.pp': |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
75 path => '/usr/sbin', |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
76 refreshonly => true, |
|
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
77 } |
|
337
a79ad974a548
Implement fail2ban for Apache as mod_rewrite
IBBoard <dev@ibboard.co.uk>
parents:
324
diff
changeset
|
78 } |
| 292 | 79 file { '/etc/fail2ban/action.d/firewall-ban.conf': |
| 80 ensure => link, | |
| 81 target => "/etc/fail2ban/action.d/${firewall_ban_cmd}.conf", | |
| 82 } | |
|
337
a79ad974a548
Implement fail2ban for Apache as mod_rewrite
IBBoard <dev@ibboard.co.uk>
parents:
324
diff
changeset
|
83 file { '/etc/fail2ban/action.d/ibb-apache-ip-block.conf': |
|
a79ad974a548
Implement fail2ban for Apache as mod_rewrite
IBBoard <dev@ibboard.co.uk>
parents:
324
diff
changeset
|
84 source => 'puppet:///modules/fail2ban/ibb-apache-ip-block.conf', |
|
a79ad974a548
Implement fail2ban for Apache as mod_rewrite
IBBoard <dev@ibboard.co.uk>
parents:
324
diff
changeset
|
85 } |
| 292 | 86 file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf': |
| 87 source => 'puppet:///modules/fail2ban/ibb-apache-exploits-instaban.conf', | |
| 88 } | |
| 89 file { '/etc/fail2ban/filter.d/ibb-apache-shellshock.conf': | |
| 90 source => 'puppet:///modules/fail2ban/ibb-apache-shellshock.conf', | |
| 91 } | |
| 92 file { '/etc/fail2ban/filter.d/ibb-repeat-offender.conf': | |
| 93 source => 'puppet:///modules/fail2ban/ibb-repeat-offender.conf', | |
| 94 } | |
| 95 file { '/etc/fail2ban/filter.d/ibb-repeat-offender-ssh.conf': | |
| 96 source => 'puppet:///modules/fail2ban/ibb-repeat-offender-ssh.conf', | |
| 97 } | |
| 98 file { '/etc/fail2ban/filter.d/ibb-postfix-spammers.conf': | |
| 99 source => 'puppet:///modules/fail2ban/ibb-postfix-spammers.conf', | |
| 100 } | |
| 101 file { '/etc/fail2ban/filter.d/ibb-postfix-malicious.conf': | |
| 102 source => 'puppet:///modules/fail2ban/ibb-postfix-malicious.conf', | |
| 103 } | |
| 104 file { '/etc/fail2ban/filter.d/ibb-postfix.conf': | |
| 105 source => 'puppet:///modules/fail2ban/ibb-postfix.conf', | |
| 106 } | |
| 107 file { '/etc/fail2ban/filter.d/ibb-sshd.conf': | |
| 108 source => 'puppet:///modules/fail2ban/ibb-sshd.conf', | |
| 109 } | |
| 110 | |
| 111 $bad_users = [ | |
| 430 | 112 [ |
| 297 | 113 '[^0-9a-zA-Z]+', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
114 '\.?[0-9]+\.?', |
| 297 | 115 '[0-9a-zA-Z]{1,3}', |
| 292 | 116 '([0-9a-z])\2{2,}', |
| 117 'abused', | |
| 118 'Admin', | |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
119 '[aA]dministr[a-z0-9\\]+', # administracion, administrador, administradorweb, administrator, administrat\303\266r (escaped ö) etc |
|
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
120 'admin-?gui', |
|
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
121 'adminuser', |
| 294 | 122 'admissions', |
| 292 | 123 'altibase', |
| 124 'alumni', | |
| 125 'amavisd?', | |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
126 'amax[0-9]+', |
| 295 | 127 'amministratore', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
128 'amssys', |
| 292 | 129 'anwenderschnittstelle', |
| 130 'anonymous', | |
| 131 'ansible', | |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
132 'apache', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
133 'apps', |
| 292 | 134 'aptproxy', |
| 297 | 135 'apt-mirror', |
| 136 'ark(server)?', | |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
137 'asdfas', |
| 292 | 138 'asterisk', |
| 297 | 139 'audio', |
| 292 | 140 'auser', |
| 297 | 141 'autologin', |
| 292 | 142 'avahi', |
| 143 'avis', | |
| 144 'backlog', | |
| 145 'backup(s|er|pc|user)?', | |
| 297 | 146 'bash', |
|
308
edd1e3b444e7
Blacklist more users on SSH including bugzilla
IBBoard <dev@ibboard.co.uk>
parents:
305
diff
changeset
|
147 'batch', |
| 297 | 148 'beagleindex', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
149 'benutzer', # German user account |
| 292 | 150 'bf2', |
|
305
38e35360a390
Blacklist hive, polkitd, cinstall and more as SSH logins
IBBoard <dev@ibboard.co.uk>
parents:
297
diff
changeset
|
151 '.*bitbucket', |
|
324
b0928653dfc2
Blacklist more users, including sshd, ftpadmin and a cPanel tool
IBBoard <dev@ibboard.co.uk>
parents:
308
diff
changeset
|
152 'bind', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
153 'biology', |
|
293
55762b436f89
Add more blacklisted SSH usernames
IBBoard <dev@ibboard.co.uk>
parents:
292
diff
changeset
|
154 'bitcoin', |
| 292 | 155 'bitnami', |
| 156 'bitrix', | |
|
308
edd1e3b444e7
Blacklist more users on SSH including bugzilla
IBBoard <dev@ibboard.co.uk>
parents:
305
diff
changeset
|
157 'bkroot', |
| 297 | 158 'blog', |
| 292 | 159 'boinc', |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
160 'bot', |
| 292 | 161 'botmaster', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
162 'bouncer', |
|
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
163 'browser', |
|
308
edd1e3b444e7
Blacklist more users on SSH including bugzilla
IBBoard <dev@ibboard.co.uk>
parents:
305
diff
changeset
|
164 'bugzilla', |
| 292 | 165 'build', |
| 166 'buscador', | |
| 167 'cacti(user)?', | |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
168 'camera', |
| 297 | 169 'carrerasoft', |
| 292 | 170 'catchall', |
| 297 | 171 'celery', |
| 292 | 172 'cemergen', |
| 297 | 173 'centos', |
| 292 | 174 'chef', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
175 'chimistry', |
| 297 | 176 'cgi', |
| 177 'chromeuser', | |
| 292 | 178 'cinema', |
|
305
38e35360a390
Blacklist hive, polkitd, cinstall and more as SSH logins
IBBoard <dev@ibboard.co.uk>
parents:
297
diff
changeset
|
179 'cinstall', |
| 297 | 180 'cisco', |
| 292 | 181 'clamav', |
| 182 'cliente?[0-9]*', | |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
183 'CloudSigma', |
| 292 | 184 'clouduser', |
| 185 'com', | |
| 186 'comercial', | |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
187 'configure', |
|
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
188 'console', |
|
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
189 'contact', |
| 292 | 190 'control', |
| 191 'couchdb', | |
| 192 'cpanel', | |
|
324
b0928653dfc2
Blacklist more users, including sshd, ftpadmin and a cPanel tool
IBBoard <dev@ibboard.co.uk>
parents:
308
diff
changeset
|
193 'cpanelrrdtool', |
| 292 | 194 'create', |
| 195 'cron', | |
| 297 | 196 '(cs(s|go|cz)|arma|mc|tf2?|sdtd|web|pz)-?se?rve?r?', |
| 197 'cs-?go1?', | |
| 198 'CumulusLinux!', | |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
199 'customer', |
| 292 | 200 'cyrus[0-9]*', |
| 201 'daemon', | |
| 202 'danger', | |
| 297 | 203 'darwin', |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
204 'dasuse?r[0-9]*', |
|
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
205 'data(ba?se)?', |
|
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
206 'db2inst[0-9]*', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
207 'dbcloud', |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
208 'dbus', |
| 292 | 209 'debian(-spamd)?', |
| 210 'default', | |
| 211 'dell', | |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
212 'demo', |
| 297 | 213 'deploy(er)?[0-9]*', |
| 292 | 214 'desktop', |
| 215 'developer', | |
| 297 | 216 'devdata', |
| 292 | 217 'devops', |
| 218 'devteam', | |
| 219 'dietpi', | |
| 297 | 220 'discordbot', |
| 221 'disklessadmin', | |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
222 'display', |
| 292 | 223 'django', |
| 297 | 224 'dmarc', |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
225 'dpvirtual', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
226 'docker(user)?', |
| 292 | 227 'dotblot', |
| 228 'download', | |
| 229 'dovecot', | |
| 297 | 230 'dovenull', |
| 294 | 231 'duplicity', |
| 292 | 232 'easy', |
| 233 'ec2-user', | |
| 297 | 234 'ecquser', |
| 292 | 235 'edu(cation)?[0-9]*', |
| 236 'e-shop', | |
| 297 | 237 'elastic', |
|
293
55762b436f89
Add more blacklisted SSH usernames
IBBoard <dev@ibboard.co.uk>
parents:
292
diff
changeset
|
238 'elsearch', |
| 292 | 239 'engin(eer)?', |
| 240 'esadmin', | |
| 241 'events', | |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
242 'exploit', |
| 292 | 243 'exports?', |
| 244 'facebook', | |
| 245 'factorio', | |
| 246 'fax', | |
| 297 | 247 'fcweb', |
| 248 'fetchmail', | |
| 292 | 249 'filter', |
| 250 'firebird', | |
| 297 | 251 'firefox', |
|
324
b0928653dfc2
Blacklist more users, including sshd, ftpadmin and a cPanel tool
IBBoard <dev@ibboard.co.uk>
parents:
308
diff
changeset
|
252 'ftp(admin)?', |
| 292 | 253 'fuser', |
| 430 | 254 ],[ |
| 292 | 255 'games', |
| 256 'gdm', | |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
257 'geometry', |
| 292 | 258 'geniuz', |
| 297 | 259 'getmail', |
| 292 | 260 'ggc_user', |
| 261 'ghost', | |
| 297 | 262 'git(olite?|blit|lab(_ci)?|admi?n?|use?r)?', |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
263 'glassfish', |
| 292 | 264 'gmail', |
| 294 | 265 'gmodserver', |
| 266 'gnuhealth', | |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
267 'google', |
| 292 | 268 'gopher', |
| 297 | 269 'government', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
270 'gpadmin', |
|
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
271 'grape', |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
272 'grid', |
| 292 | 273 'guest', |
| 274 'hacker', | |
| 275 'hadoop', | |
| 297 | 276 'haldaemon', |
| 292 | 277 'harvard', |
| 297 | 278 'hduser', |
| 279 'headmaster', | |
| 292 | 280 'helpdesk', |
|
305
38e35360a390
Blacklist hive, polkitd, cinstall and more as SSH logins
IBBoard <dev@ibboard.co.uk>
parents:
297
diff
changeset
|
281 'hive', |
| 292 | 282 'home', |
| 283 'host', | |
| 284 'httpd?', | |
| 294 | 285 'httpfs', |
| 292 | 286 'huawei', |
| 297 | 287 'iamroot', |
| 292 | 288 'iceuser', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
289 'image', |
| 292 | 290 'imscp', |
| 297 | 291 'info(rmix)?[0-9]*', |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
292 'inst[0-9]+', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
293 'install(er)?', |
|
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
294 'interadmin', |
| 297 | 295 'inventario', |
| 292 | 296 'java', |
| 297 'jboss', | |
| 298 'jenkins', | |
| 299 'jira', | |
| 297 | 300 'jmeter', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
301 'joomla', |
|
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
302 'jquery', |
| 292 | 303 'jsboss', |
| 297 | 304 'juniper', |
| 292 | 305 'kafka', |
| 306 'kodi', | |
| 295 | 307 'kms', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
308 'ldap', |
| 297 | 309 'legacy', |
| 292 | 310 'library', |
| 311 'libsys', | |
| 312 'libuuid', | |
| 313 'linode', | |
| 314 'linux', | |
| 295 | 315 'localadmin', |
| 297 | 316 'logcheck', |
| 292 | 317 'login', |
| 318 'logout', | |
| 295 | 319 'logstash', |
| 297 | 320 'logview(er)?', |
| 321 'lsfadmin', | |
| 292 | 322 'lynx', |
| 430 | 323 ],[ |
| 297 | 324 'magento', |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
325 'mail', |
| 292 | 326 'mailer', |
| 327 'mailman', | |
| 297 | 328 'mailtest', |
| 292 | 329 'maintain', |
| 330 'majordomo', | |
| 331 'man', | |
| 332 'mantis', | |
|
296
2f4d0ea4cb55
Blacklist Portuguese support, MapR, numbered Oracle and more
IBBoard <dev@ibboard.co.uk>
parents:
295
diff
changeset
|
333 'mapruser', |
| 292 | 334 'marketing', |
| 335 'master', | |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
336 'member(ship)?', |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
337 'merlin', |
| 297 | 338 'messagebus', |
| 292 | 339 'minecraft', |
|
305
38e35360a390
Blacklist hive, polkitd, cinstall and more as SSH logins
IBBoard <dev@ibboard.co.uk>
parents:
297
diff
changeset
|
340 'mirc', |
| 292 | 341 'modem', |
| 342 'mongo(db|user)?', | |
| 297 | 343 'monitor(ing)?', |
| 292 | 344 'more', |
| 345 'moher', | |
| 346 'mpiuser', | |
| 297 | 347 'mqadm', |
| 292 | 348 'musi[ck]bot', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
349 '(my?|pg)(sq(ue)?l|admin)[0-9]*', |
| 292 | 350 'mythtv', |
| 351 'nagios', | |
| 297 | 352 'named', |
| 292 | 353 'nasa', |
|
296
2f4d0ea4cb55
Blacklist Portuguese support, MapR, numbered Oracle and more
IBBoard <dev@ibboard.co.uk>
parents:
295
diff
changeset
|
354 'ncs', |
| 297 | 355 'nessus', |
| 356 'netadmin', | |
| 357 'netdiag', | |
| 292 | 358 'netdump', |
| 297 | 359 'network', |
| 292 | 360 'netzplatz', |
| 361 'newadmin', | |
| 295 | 362 'newuser', |
| 292 | 363 'nexus', |
| 297 | 364 'nfinity', |
| 292 | 365 'nfs', |
| 366 '(nfs)?nobody', | |
| 367 'nginx', | |
| 368 'noc', | |
| 297 | 369 'node', |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
370 'notes', |
| 292 | 371 'nothing', |
| 372 'NpC', | |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
373 'ntps', |
| 292 | 374 'nux', |
| 375 'odoo', | |
| 376 'odroid', | |
| 297 | 377 'office', |
| 378 'omsagent', | |
| 292 | 379 'onyxeye', |
| 297 | 380 'oozie', |
| 292 | 381 'openbravo', |
| 294 | 382 'openfire', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
383 'openerp', |
| 292 | 384 'openvpn', |
| 385 'operador', | |
| 386 'operator', | |
| 387 'ops(code)?', | |
| 388 'oprofile', | |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
389 'ora_?(cle|prod|root|vis)[0-9]*', |
|
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
390 'orbital', |
| 292 | 391 'osmc', |
| 295 | 392 'owncloud', |
| 292 | 393 'papernet', |
| 297 | 394 'passwo?r?d', |
| 292 | 395 'payments', |
| 396 'pay_?pal', | |
| 294 | 397 'pdfbox', |
| 292 | 398 'pentaho', |
| 297 | 399 'php[0-9]*', |
| 400 'platform', | |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
401 'play', |
| 292 | 402 'PlcmSpIp(PlcmSpIp)?', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
403 'plesk', |
| 297 | 404 'plex', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
405 'point', |
|
305
38e35360a390
Blacklist hive, polkitd, cinstall and more as SSH logins
IBBoard <dev@ibboard.co.uk>
parents:
297
diff
changeset
|
406 'polkitd?', |
| 297 | 407 'popd?3?', |
| 292 | 408 'popuser', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
409 'portal', |
| 292 | 410 'postfix', |
| 297 | 411 'p0stgr3s', |
| 292 | 412 'postgres', |
| 413 'postmaster', | |
| 297 | 414 'pptpd', |
| 292 | 415 'print', |
| 416 'privoxy', | |
| 417 'proba', | |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
418 'Prometheus', |
| 292 | 419 'proxy', |
| 295 | 420 'public', |
| 292 | 421 'puppet', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
422 'pwla', |
| 292 | 423 'qhsupport', |
| 424 'rabbit(mq)?', | |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
425 'radio', |
| 292 | 426 'radiusd?', |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
427 'raspberry', |
| 297 | 428 'readonly', |
| 429 'reboot', | |
| 430 'recording', | |
| 292 | 431 'redis', |
| 432 'redmine', | |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
433 'remot[eo]', |
| 297 | 434 'reports', |
| 292 | 435 'riakcs', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
436 'root[0-9a-zA-Z]+', |
| 292 | 437 'rpc(user)?', |
| 297 | 438 'rpm', |
| 292 | 439 'RPM', |
| 440 'rtorrent', | |
| 430 | 441 ],[ |
| 292 | 442 'rustserver', |
| 443 'sales[0-9]+', | |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
444 'samp', |
| 292 | 445 's?bin', |
| 446 'saslauth', | |
| 297 | 447 'scan(n?er)?', |
| 292 | 448 'screen', |
| 449 'search', | |
| 297 | 450 'sekretariat', |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
451 'server', |
| 294 | 452 'serverpilot', |
| 292 | 453 'service', |
|
305
38e35360a390
Blacklist hive, polkitd, cinstall and more as SSH logins
IBBoard <dev@ibboard.co.uk>
parents:
297
diff
changeset
|
454 'setup', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
455 '(s|u|user|ams|admin|inss|pro|web)?ftp(d|[_-]?use?r|home|_?test|immo)?[0-9]*', |
| 292 | 456 'sftponly', |
| 457 'shell', | |
| 458 'shop', | |
| 297 | 459 'sinusbot[0-9]*', |
|
324
b0928653dfc2
Blacklist more users, including sshd, ftpadmin and a cPanel tool
IBBoard <dev@ibboard.co.uk>
parents:
308
diff
changeset
|
460 'sirius', |
| 297 | 461 'smbguest', |
| 462 'smbuse?r', | |
| 292 | 463 'smmsp', |
| 464 'socket', | |
| 465 'software', | |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
466 'solr', |
| 292 | 467 'solarus', |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
468 'spam', |
|
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
469 'spark', |
|
308
edd1e3b444e7
Blacklist more users on SSH including bugzilla
IBBoard <dev@ibboard.co.uk>
parents:
305
diff
changeset
|
470 'speech-dispatcher', |
| 292 | 471 'splunk', |
| 297 | 472 'sprummlbot', |
| 292 | 473 'squid', |
| 297 | 474 'squirrelmail[0-9]+', |
| 475 'srvadmin', | |
|
324
b0928653dfc2
Blacklist more users, including sshd, ftpadmin and a cPanel tool
IBBoard <dev@ibboard.co.uk>
parents:
308
diff
changeset
|
476 'sshd', |
| 292 | 477 'sshusr', |
| 478 'staffc', | |
| 479 'steam(cmd)?', | |
| 480 'store', | |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
481 'stream', |
| 297 | 482 'stunnel', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
483 'super(user)?', |
|
296
2f4d0ea4cb55
Blacklist Portuguese support, MapR, numbered Oracle and more
IBBoard <dev@ibboard.co.uk>
parents:
295
diff
changeset
|
484 'suporte', |
| 292 | 485 'support', |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
486 'svn(root|admin)?', |
|
293
55762b436f89
Add more blacklisted SSH usernames
IBBoard <dev@ibboard.co.uk>
parents:
292
diff
changeset
|
487 'sybase', |
| 297 | 488 'sync[0-9]*', |
| 292 | 489 'sysadmin', |
| 490 'system', | |
|
305
38e35360a390
Blacklist hive, polkitd, cinstall and more as SSH logins
IBBoard <dev@ibboard.co.uk>
parents:
297
diff
changeset
|
491 'teamspeak[234]?(-?use?r)?', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
492 'telecom(admin)?', |
| 292 | 493 'telkom', |
| 297 | 494 'telnetd?', |
| 495 'te?mp(use?r)?[0-9]*', | |
|
305
38e35360a390
Blacklist hive, polkitd, cinstall and more as SSH logins
IBBoard <dev@ibboard.co.uk>
parents:
297
diff
changeset
|
496 'test((er?|ing|ftp|man|linux|use?r|u)[0-9]*|[0-9]+)?', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
497 'ttest', |
| 292 | 498 '(test)?username', |
| 499 'text', | |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
500 'tiago', |
| 292 | 501 'tomcat', |
| 502 'tools', | |
| 503 'toor', | |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
504 'ts[123](se?rv(er)?|(musi[ck])?bot|sleep|user)?', |
| 297 | 505 'tss', |
| 292 | 506 'tunstall', |
| 507 'ubnt', | |
| 508 'unity', | |
| 297 | 509 'universitaetsrechenzentrum', # University Computing Center |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
510 'unix', |
|
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
511 'uplink', |
|
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
512 'upload(er)?[0-9]*', |
| 297 | 513 'user[0-9]*', |
| 292 | 514 'USERID', |
| 297 | 515 'username', |
| 292 | 516 'usuario', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
517 'utente', # Italian user |
| 292 | 518 'uucp', |
| 519 'vagrant', | |
| 520 'vbox', | |
| 521 'ventrilo', | |
| 522 'vhbackup', | |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
523 'video', |
|
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
524 'virtual', |
| 292 | 525 'virusalter', |
| 526 'vmadmin', | |
| 527 'vmail', | |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
528 'vscan?', |
|
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
529 'vtms', |
| 292 | 530 'vyatta', |
| 531 'wanadoo', | |
|
308
edd1e3b444e7
Blacklist more users on SSH including bugzilla
IBBoard <dev@ibboard.co.uk>
parents:
305
diff
changeset
|
532 'web', |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
533 'webapp', |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
534 'webdesign', |
| 292 | 535 'weblogic', |
| 536 'webmaster', | |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
537 'webmin', |
| 297 | 538 'webportal', |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
539 'websync', |
|
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
540 'wiki', |
| 292 | 541 'WinD3str0y', |
| 542 'wine', | |
| 297 | 543 'wordpress', |
| 292 | 544 'wp-?user', |
| 545 'write', | |
| 546 'www', | |
| 297 | 547 'wwAdmin', |
| 548 '(www|web|coin|fax|sys|db2|rsync|tc)-?(adm(in)?|run|users?|data|[0-9]+)', | |
| 292 | 549 'xbian', |
| 550 'xbot', | |
| 297 | 551 'xmpp', |
| 292 | 552 'xoadmin', |
| 553 'yahoo', | |
| 554 'yarn', | |
| 555 'zabbix', | |
| 556 'zimbra', | |
| 557 'zookeeper', | |
| 430 | 558 ],[ |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
559 # User/admin/other |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
560 '(bwair|api|appl?|ats|cam|cat|db|dev|file|imap|is|my|net|site|tech|virtual|vnc|vpn)?(admins?|app|dev|use?r|server|man|manager|mgr)[0-9]*', |
|
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
561 '(abc|account|git|info|redhat|samba|sshd|student|teacher|tomcat|ubuntu|web)[0-9]*', |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
562 # Names |
|
392
a7eaf17bff26
Block lots of probed user account variants
IBBoard <dev@ibboard.co.uk>
parents:
390
diff
changeset
|
563 '(aaron|alexander|bill|david|james|sergio|thomas|timson|tom|victor|wang)[0-9]*', |
| 297 | 564 # And some passwords that turned up as usernames |
| 565 '1q2w3e4r', | |
| 566 'abc123', | |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
567 'letmein', |
| 292 | 568 '0fordn1on@#\$%%\^&', |
| 569 'P@\$\$w0rd', | |
| 297 | 570 'P@ssword1!', |
|
370
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
571 'Pa\$\$word_', |
|
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
572 'Passwd123(\$%%\^)', |
|
cd0e77678dca
Block more SSH probe usernames from recent attack
IBBoard <dev@ibboard.co.uk>
parents:
341
diff
changeset
|
573 'password', |
| 297 | 574 'pass123?4?', |
| 575 'qwer?[0-9]+', | |
| 430 | 576 ] |
| 292 | 577 ] |
| 578 | |
| 579 file { '/etc/fail2ban/filter.d/ibb-sshd-bad-user.conf': | |
| 580 content => epp('fail2ban/ibb-sshd-bad-user.epp', { 'bad_users' => $bad_users }), | |
| 581 } | |
| 582 # Because one of our rules checks fail2ban's log, but the service dies without the file | |
| 583 file { '/var/log/fail2ban.log': | |
| 584 ensure => present, | |
| 585 owner => 'root', | |
| 586 group => 'root', | |
| 587 mode => '0600', | |
| 588 } | |
| 589 } |