annotate modules/fail2ban/manifests/init.pp @ 324:b0928653dfc2
Blacklist more users, including sshd, ftpadmin and a cPanel tool
author | IBBoard <dev@ibboard.co.uk> |
date | Sun, 01 Mar 2020 19:57:21 +0000 |
parents | edd1e3b444e7 |
children | a79ad974a548 |
# Installs and configures fail2ban on a host: the package, the running
# service, the fail2ban.local / jail.local overrides, a firewall-neutral
# "firewall-ban" action symlink, a set of custom ibb-* filters shipped from
# the module, and a generated ibb-sshd-bad-user filter built from the
# $bad_users list below.
#
# @param firewall_cmd  Name of the fail2ban action used to apply bans.
#   'iptables' is mapped to the stock 'iptables-multiport' action; any other
#   value is used as-is as the basename of /etc/fail2ban/action.d/<name>.conf.
#   NOTE(review): the parameter is untyped and is interpolated straight into
#   the symlink target; a String[1] type would reject undef or non-string
#   values at catalog compile time instead of producing a '/….conf' link —
#   confirm no caller relies on passing another type before tightening it.
class fail2ban (
  $firewall_cmd,
) {
  package { 'fail2ban':
    ensure => installed,
  }
  service { 'fail2ban':
    ensure => running,
    enable => true
  }
  # Resources declared in this class are automatically tagged 'fail2ban', so
  # this collector applies to every file resource below. It supplies the
  # ensure/require/notify the individual declarations leave out: files are
  # managed only after the package is installed, and any change to one of
  # them refreshes (restarts) the service.
  File<| tag == 'fail2ban' |> {
    ensure => present,
    require => Package['fail2ban'],
    notify => Service['fail2ban'],
  }
  # Site overrides of the stock fail2ban.conf / jail.conf, shipped verbatim
  # from the module's files directory.
  file { '/etc/fail2ban/fail2ban.local':
    source => 'puppet:///modules/fail2ban/fail2ban.local',
  }
  file { '/etc/fail2ban/jail.local':
    source => 'puppet:///modules/fail2ban/jail.local',
  }
  # Additional ban action definition shipped from the module.
  file { '/etc/fail2ban/action.d/apf.conf':
    source => 'puppet:///modules/fail2ban/apf.conf',
  }

  # fail2ban ships its iptables action as 'iptables-multiport'; every other
  # value is taken to be the basename of an action file that already exists.
  if $firewall_cmd == 'iptables' {
    $firewall_ban_cmd = 'iptables-multiport'
  } else {
    $firewall_ban_cmd = $firewall_cmd
  }

  # Stable action name the jails can reference regardless of which firewall
  # the host uses. NOTE(review): Puppet does not verify that a symlink's
  # target exists, so a misspelt $firewall_cmd yields a dangling link that is
  # presumably only noticed when fail2ban loads the action — worth validating
  # the parameter against the action files the module knows about.
  file { '/etc/fail2ban/action.d/firewall-ban.conf':
    ensure => link,
    target => "/etc/fail2ban/action.d/${firewall_ban_cmd}.conf",
  }
  # Custom filters (regex definitions live in the module's files directory):
  # Apache exploit probing and Shellshock attempts, repeat offenders (generic
  # and SSH-specific, which is why fail2ban's own log is managed at the
  # bottom of this class), Postfix spammers / malicious clients / generic
  # Postfix failures, and sshd.
  file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf':
    source => 'puppet:///modules/fail2ban/ibb-apache-exploits-instaban.conf',
  }
  file { '/etc/fail2ban/filter.d/ibb-apache-shellshock.conf':
    source => 'puppet:///modules/fail2ban/ibb-apache-shellshock.conf',
  }
  file { '/etc/fail2ban/filter.d/ibb-repeat-offender.conf':
    source => 'puppet:///modules/fail2ban/ibb-repeat-offender.conf',
  }
  file { '/etc/fail2ban/filter.d/ibb-repeat-offender-ssh.conf':
    source => 'puppet:///modules/fail2ban/ibb-repeat-offender-ssh.conf',
  }
  file { '/etc/fail2ban/filter.d/ibb-postfix-spammers.conf':
    source => 'puppet:///modules/fail2ban/ibb-postfix-spammers.conf',
  }
  file { '/etc/fail2ban/filter.d/ibb-postfix-malicious.conf':
    source => 'puppet:///modules/fail2ban/ibb-postfix-malicious.conf',
  }
  file { '/etc/fail2ban/filter.d/ibb-postfix.conf':
    source => 'puppet:///modules/fail2ban/ibb-postfix.conf',
  }
  file { '/etc/fail2ban/filter.d/ibb-sshd.conf':
    source => 'puppet:///modules/fail2ban/ibb-sshd.conf',
  }

  # Usernames, as regex fragments, that are never legitimate SSH logins on
  # these hosts. The list is handed to the ibb-sshd-bad-user EPP template
  # below, which turns it into a fail2ban filter.
  #
  # NOTE(review): the template is not visible from this file. The entries
  # assume it joins them into one anchored alternation (otherwise the short
  # patterns such as '[0-9]+' would match far more than intended). Several
  # entries carry their own capturing groups, and '([0-9a-z])\2{2,}' uses a
  # back-reference \2 that only points at its own group if the template wraps
  # the alternation in exactly one outer group AND no capturing group precedes
  # that entry in the list — keep it near the top and re-check the template
  # before reordering. Some entries overlap (e.g. 'sshd', 'web', 'tomcat' and
  # 'user[0-9]*' are also covered by the combined '(samba|sshd|…)[0-9]*'
  # pattern); that is harmless for a blocklist. 'rpm' and 'RPM' both being
  # listed suggests the filter matches case-sensitively — confirm.
  $bad_users = [
    '[^0-9a-zA-Z]+',      # names made only of non-alphanumerics
    '[0-9]+',             # all-digit names
    '[0-9a-zA-Z]{1,3}',   # one- to three-character names
    '([0-9a-z])\2{2,}',   # the same character three or more times; see the back-reference note above
    'abused',
    'adm',
    'Admin',
    'admins?[0-9]+',
    'administr[a-z]+', # administracion, administrador, administradorweb, administrator, etc
    'admissions',
    'altibase',
    'alumni',
    'amavisd?',
    'amministratore',
    'anwenderschnittstelle',
    'anonymous',
    'ansible',
    'aptproxy',
    'apt-mirror',
    'ark(server)?',
    'asterisk',
    'audio',
    'auser',
    'autologin',
    'avahi',
    'avis',
    'backlog',
    'backup(s|er|pc|user)?',
    'bash',
    'batch',
    'beagleindex',
    'bf2',
    '.*bitbucket',        # the only entry with a leading wildcard: 'bitbucket' after any prefix
    'bind',
    'bitcoin',
    'bitnami',
    'bitrix',
    'bkroot',
    'blog',
    'boinc',
    'botmaster',
    'bugzilla',
    'build',
    'buscador',
    'cacti(user)?',
    'carrerasoft',
    'catchall',
    'celery',
    'cemergen',
    'centos',
    'chef',
    'cgi',
    'chromeuser',
    'cinema',
    'cinstall',
    'cisco',
    'clamav',
    'cliente?[0-9]*',
    'clouduser',
    'com',
    'comercial',
    'control',
    'couchdb',
    'cpanel',
    'cpanelrrdtool',
    'create',
    'cron',
    # Game/voice server accounts: csserver, csgoserver, armaserver, mcserver,
    # tf2server, ... with or without a hyphen and with common misspellings
    '(cs(s|go|cz)|arma|mc|tf2?|sdtd|web|pz)-?se?rve?r?',
    'cs-?go1?',
    'CumulusLinux!',
    'cyrus[0-9]*',
    'daemon',
    'danger',
    'darwin',
    'dasuse?r',
    'data',
    'debian(-spamd)?',
    'default',
    'dell',
    'deploy(er)?[0-9]*',
    'desktop',
    'developer',
    'devdata',
    'devops',
    'devteam',
    'dietpi',
    'discordbot',
    'disklessadmin',
    'django',
    'dmarc',
    'dockeruser',
    'dotblot',
    'download',
    'dovecot',
    'dovenull',
    'duplicity',
    'easy',
    'ec2-user',
    'ecquser',
    'edu(cation)?[0-9]*',
    'e-shop',
    'elastic',
    'elsearch',
    'engin(eer)?',
    'esadmin',
    'events',
    'exports?',
    'facebook',
    'factorio',
    'fax',
    'fcweb',
    'fetchmail',
    'filter',
    'firebird',
    'firefox',
    'ftp(admin)?',
    'fuser',
    'games',
    'gdm',
    'geniuz',
    'getmail',
    'ggc_user',
    'ghost',
    'git(olite?|blit|lab(_ci)?|admi?n?|use?r)?',
    'gmail',
    'gmodserver',
    'gnuhealth',
    'gopher',
    'government',
    'guest',
    'hacker',
    'hadoop',
    'haldaemon',
    'harvard',
    'hduser',
    'headmaster',
    'helpdesk',
    'hive',
    'home',
    'host',
    'httpd?',
    'httpfs',
    'huawei',
    'iamroot',
    'iceuser',
    'imscp',
    'info(rmix)?[0-9]*',
    'installer',
    'inventario',
    'java',
    'jboss',
    'jenkins',
    'jira',
    'jmeter',
    'jsboss',
    'juniper',
    'kafka',
    'kodi',
    'kms',
    'legacy',
    'library',
    'libsys',
    'libuuid',
    'linode',
    'linux',
    'localadmin',
    'logcheck',
    'login',
    'logout',
    'logstash',
    'logview(er)?',
    'lsfadmin',
    'lynx',
    'magento',
    'mailer',
    'mailman',
    'mailtest',
    'maintain',
    'majordomo',
    'man',
    'mantis',
    'mapruser',
    'marketing',
    'master',
    'membership',
    'messagebus',
    'minecraft',
    'mirc',
    'modem',
    'mongo(db|user)?',
    'monitor(ing)?',
    'more',
    'moher',
    'mpiuser',
    'mqadm',
    'musi[ck]bot',
    '(my?|pg)sq(ue)?l[0-9]*',   # mysql, msql, pgsql, mysquel, ... optionally numbered
    'mythtv',
    'nagios',
    'named',
    'nasa',
    'ncs',
    'nessus',
    'netadmin',
    'netdiag',
    'netdump',
    'network',
    'netzplatz',
    'newadmin',
    'newuser',
    'nexus',
    'nfinity',
    'nfs',
    '(nfs)?nobody',
    'nginx',
    'noc',
    'node',
    'nothing',
    'NpC',
    'nux',
    'odoo',
    'odroid',
    'office',
    'omsagent',
    'onyxeye',
    'oozie',
    'openbravo',
    'openfire',
    'openvpn',
    'operador',
    'operator',
    'ops(code)?',
    'oprofile',
    'ora(cle|prod|vis)[0-9]*',
    'osmc',
    'owncloud',
    'papernet',
    'passwo?r?d',
    'payments',
    'pay_?pal',
    'pdfbox',
    'pentaho',
    'php[0-9]*',
    'platform',
    'PlcmSpIp(PlcmSpIp)?',
    'plex',
    'polkitd?',
    'popd?3?',
    'popuser',
    'postfix',
    'p0stgr3s',
    'postgres',
    'postmaster',
    'pptpd',
    'print',
    'privoxy',
    'proba',
    'proxy',
    'public',
    'puppet',
    'qhsupport',
    'rabbit(mq)?',
    'radiusd?',
    'readonly',
    'reboot',
    'recording',
    'redis',
    'redmine',
    'remote',
    'reports',
    'riakcs',
    'root[0-9]+',
    'rpc(user)?',
    'rpm',
    'RPM',
    'rtorrent',
    'rustserver',
    'sales[0-9]+',
    's?bin',
    # Service names and generic role names, optionally numbered, including the
    # vpn/app/my/db-prefixed dev/user/server/manager variants
    '(samba|sshd|git|student|tomcat|abc|web|info|(vpn|appl?|my|db)?(dev|use?r|server|man|manager|mgr)|account)[0-9]*',
    'saslauth',
    'scan(n?er)?',
    'screen',
    'search',
    'sekretariat',
    'serverpilot',
    'service',
    'setup',
    # ftp-derived accounts: sftp, uftp, adminftp, ftpd, ftp_user, ftp-user,
    # ftphome, ftp_test, ... optionally numbered
    '(s|u|ams|admin|inss|pro|web)?ftp(d|[_-]?use?r|home|_?test|immo)?[0-9]*',
    'sftponly',
    'shell',
    'shop',
    'sinusbot[0-9]*',
    'sirius',
    'smbguest',
    'smbuse?r',
    'smmsp',
    'socket',
    'software',
    'solarus',
    'speech-dispatcher',
    'splunk',
    'sprummlbot',
    'squid',
    'squirrelmail[0-9]+',
    'srvadmin',
    'sshd',
    'sshusr',
    'staffc',
    'steam(cmd)?',
    'store',
    'stunnel',
    'superuser',
    'suporte',
    'support',
    'svn(root)?',
    'sybase',
    'sync[0-9]*',
    'sysadmin',
    'system',
    'teamspeak[234]?(-?use?r)?',
    'telkom',
    'telnetd?',
    'te?mp(use?r)?[0-9]*',
    'test((er?|ing|ftp|man|linux|use?r|u)[0-9]*|[0-9]+)?',
    '(test)?username',
    'text',
    'tomcat',
    'tools',
    'toor',
    'ts[23](se?rv(er)?|(musi[ck])?bot|sleep)?',
    'tss',
    'tunstall',
    'ubnt',
    'ubuntu',
    'unity',
    'universitaetsrechenzentrum', # University Computing Center
    'upload[0-9]*',
    'user[0-9]*',
    'USERID',
    'username',
    'usuario',
    'uucp',
    'vagrant',
    'vbox',
    'ventrilo',
    'vhbackup',
    'virusalter',
    'vmadmin',
    'vmail',
    'vscan',
    'vyatta',
    'wanadoo',
    'web',
    'weblogic',
    'webmaster',
    'webportal',
    'WinD3str0y',
    'wine',
    'wordpress',
    'wp-?user',
    'write',
    'www',
    'wwAdmin',
    # www-admin, webadmin, sys-run, db2user, rsync-data, tc1, ... with or
    # without a hyphen
    '(www|web|coin|fax|sys|db2|rsync|tc)-?(adm(in)?|run|users?|data|[0-9]+)',
    'xbian',
    'xbot',
    'xmpp',
    'xoadmin',
    'yahoo',
    'yarn',
    'zabbix',
    'zimbra',
    'zookeeper',
    # And some passwords that turned up as usernames.
    # Puppet single-quoted strings only treat \\ and \' as escapes, so the
    # '\$' and '\^' in the next two entries reach the regex unchanged, as
    # escaped literal '$' and '^'.
    '1q2w3e4r',
    'abc123',
    '0fordn1on@#\$%%\^&',
    'P@\$\$w0rd',
    'P@ssword1!',
    'Passwd123',
    'pass123?4?',
    'qwer?[0-9]+',
  ]

  # Filter generated from the template above; the template receives the raw
  # list under the key 'bad_users' and is responsible for escaping/anchoring.
  file { '/etc/fail2ban/filter.d/ibb-sshd-bad-user.conf':
    content => epp('fail2ban/ibb-sshd-bad-user.epp', { 'bad_users' => $bad_users }),
  }
  # Because one of our rules checks fail2ban's log, but the service dies without the file.
  # ensure => present without content only creates the file when it is
  # missing and never overwrites existing log data; it is kept root-only
  # (0600). The collector above also attaches notify => Service['fail2ban'] to
  # this resource, so creating the file or correcting its ownership/mode
  # refreshes the service.
  file { '/var/log/fail2ban.log':
    ensure => present,
    owner => 'root',
    group => 'root',
    mode => '0600',
  }
}