annotate modules/fail2ban/manifests/init.pp @ 482:d83de9b3a62b default tip
Update hiera.yaml within Puppet config
Forgot that we manage it from here. Now has content to match
new packages
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Fri, 30 Aug 2024 16:10:36 +0100 |
parents | 2c3e745be8d2 |
children |
# Installs and runs fail2ban and manages the jail, filter and action
# configuration shipped in this module.
#
# @param firewall_cmd  Name of the fail2ban banning action that
#   action.d/firewall-ban.conf is linked to ('iptables' is mapped to
#   'iptables-multiport' further down).
class fail2ban (
  $firewall_cmd,
) {
  # Puppet tags every resource with the name of the class that declares
  # it, so this collector makes each file managed here depend on the
  # package and reload the service whenever it changes.
  File<| tag == 'fail2ban' |> {
    ensure  => 'present',
    require => Package['fail2ban'],
    notify  => Service['fail2ban'],
  }

  package { 'fail2ban':
    ensure => 'installed',
  }

  service { 'fail2ban':
    ensure => 'running',
    enable => true,
  }

  file { '/etc/fail2ban/fail2ban.local':
    source => 'puppet:///modules/fail2ban/fail2ban.local',
  }
19 if $facts["os"]["family"] == 'RedHat' { |
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
20 $ssh_log = '/var/log/secure' |
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
21 $mail_log = '/var/log/maillog' |
457
dde1d7e2309b
Set right log ownership/permissions for Ubuntu vs CentOS
IBBoard <dev@ibboard.co.uk>
parents:
431
diff
changeset
|
22 $log_group = 'root' |
dde1d7e2309b
Set right log ownership/permissions for Ubuntu vs CentOS
IBBoard <dev@ibboard.co.uk>
parents:
431
diff
changeset
|
23 $log_mode = '0600' |
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
24 } |
480
2c3e745be8d2
Update server defs and own modules to match
IBBoard <dev@ibboard.co.uk>
parents:
457
diff
changeset
|
25 elsif $facts["os"]["family"] == 'Debian' { |
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
26 $ssh_log = '/var/log/auth.log' |
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
27 $mail_log = '/var/log/mail.log' |
457
dde1d7e2309b
Set right log ownership/permissions for Ubuntu vs CentOS
IBBoard <dev@ibboard.co.uk>
parents:
431
diff
changeset
|
28 $log_group = 'adm' |
dde1d7e2309b
Set right log ownership/permissions for Ubuntu vs CentOS
IBBoard <dev@ibboard.co.uk>
parents:
431
diff
changeset
|
29 $log_mode = '0640' |
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
30 } |
292 | 31 file { '/etc/fail2ban/jail.local': |
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
32 content => epp('fail2ban/jail.local.epp', {'ssh_log' => $ssh_log, 'mail_log' => $mail_log}) |
292 | 33 } |
34 file { '/etc/fail2ban/action.d/apf.conf': | |
35 source => 'puppet:///modules/fail2ban/apf.conf', | |
36 } | |
37 | |
38 if $firewall_cmd == 'iptables' { | |
39 $firewall_ban_cmd = 'iptables-multiport' | |
40 } else { | |
41 $firewall_ban_cmd = $firewall_cmd | |
42 } | |
44 if $facts["os"]["family"] == 'RedHat' { |
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
45 $apache_conf_custom = '/etc/httpd/conf.custom/' |
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
46 } |
480
2c3e745be8d2
Update server defs and own modules to match
IBBoard <dev@ibboard.co.uk>
parents:
457
diff
changeset
|
47 elsif $facts["os"]["family"] == 'Debian' { |
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
48 $apache_conf_custom = '/etc/apache2/conf.custom/' |
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
49 } |
51 # Create an empty banlist file if it doesn't exist |
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
52 exec { "httxt2dbm -i /dev/null -o ${apache_conf_custom}apache_banlist.db": |
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
53 path => '/sbin:/usr/bin', |
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
54 unless => "test -f ${apache_conf_custom}apache_banlist.db", |
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
55 require => Class['website'], |
337
a79ad974a548
Implement fail2ban for Apache as mod_rewrite
IBBoard <dev@ibboard.co.uk>
parents:
324
diff
changeset
|
56 before => Service['httpd'], |
a79ad974a548
Implement fail2ban for Apache as mod_rewrite
IBBoard <dev@ibboard.co.uk>
parents:
324
diff
changeset
|
57 } |
a79ad974a548
Implement fail2ban for Apache as mod_rewrite
IBBoard <dev@ibboard.co.uk>
parents:
324
diff
changeset
|
58 file { '/tmp/apache_banlist.txt': |
a79ad974a548
Implement fail2ban for Apache as mod_rewrite
IBBoard <dev@ibboard.co.uk>
parents:
324
diff
changeset
|
59 ensure => present, |
a79ad974a548
Implement fail2ban for Apache as mod_rewrite
IBBoard <dev@ibboard.co.uk>
parents:
324
diff
changeset
|
60 seltype => 'httpd_config_t', |
a79ad974a548
Implement fail2ban for Apache as mod_rewrite
IBBoard <dev@ibboard.co.uk>
parents:
324
diff
changeset
|
61 } |
341
3a1b19f6a054
Add a "repeat offender" ban to Apache IP block
IBBoard <dev@ibboard.co.uk>
parents:
337
diff
changeset
|
62 # Create an empty repeat banlist file if it doesn't exist |
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
63 exec { "httxt2dbm -i /dev/null -o ${apache_conf_custom}apache_repeat_banlist.db": |
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
64 path => '/sbin:/usr/bin', |
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
65 unless => "test -f ${apache_conf_custom}apache_repeat_banlist.db", |
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
66 require => Class['website'], |
341
3a1b19f6a054
Add a "repeat offender" ban to Apache IP block
IBBoard <dev@ibboard.co.uk>
parents:
337
diff
changeset
|
67 before => Service['httpd'], |
3a1b19f6a054
Add a "repeat offender" ban to Apache IP block
IBBoard <dev@ibboard.co.uk>
parents:
337
diff
changeset
|
68 } |
3a1b19f6a054
Add a "repeat offender" ban to Apache IP block
IBBoard <dev@ibboard.co.uk>
parents:
337
diff
changeset
|
69 file { '/tmp/apache_repeat_banlist.txt': |
3a1b19f6a054
Add a "repeat offender" ban to Apache IP block
IBBoard <dev@ibboard.co.uk>
parents:
337
diff
changeset
|
70 ensure => present, |
3a1b19f6a054
Add a "repeat offender" ban to Apache IP block
IBBoard <dev@ibboard.co.uk>
parents:
337
diff
changeset
|
71 seltype => 'httpd_config_t', |
3a1b19f6a054
Add a "repeat offender" ban to Apache IP block
IBBoard <dev@ibboard.co.uk>
parents:
337
diff
changeset
|
72 } |
73 if $facts["os"]["name"] == 'CentOS' { |
390
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
74 # And let the httxt2dbm process work the rest of the time |
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
75 file { '/etc/selinux/apache-ip-banlist.pp': |
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
76 source => 'puppet:///modules/fail2ban/apache-ip-banlist.pp', |
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
77 } ~> |
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
78 exec { 'semodule -i /etc/selinux/apache-ip-banlist.pp': |
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
79 path => '/usr/sbin', |
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
80 refreshonly => true, |
df5ad1612af7
Adapt configs to support Ubuntu
IBBoard <dev@ibboard.co.uk>
parents:
370
diff
changeset
|
81 } |
337
a79ad974a548
Implement fail2ban for Apache as mod_rewrite
IBBoard <dev@ibboard.co.uk>
parents:
324
diff
changeset
|
82 } |
292 | 83 file { '/etc/fail2ban/action.d/firewall-ban.conf': |
84 ensure => link, | |
85 target => "/etc/fail2ban/action.d/${firewall_ban_cmd}.conf", | |
86 } | |
337
a79ad974a548
Implement fail2ban for Apache as mod_rewrite
IBBoard <dev@ibboard.co.uk>
parents:
324
diff
changeset
|
87 file { '/etc/fail2ban/action.d/ibb-apache-ip-block.conf': |
a79ad974a548
Implement fail2ban for Apache as mod_rewrite
IBBoard <dev@ibboard.co.uk>
parents:
324
diff
changeset
|
88 source => 'puppet:///modules/fail2ban/ibb-apache-ip-block.conf', |
a79ad974a548
Implement fail2ban for Apache as mod_rewrite
IBBoard <dev@ibboard.co.uk>
parents:
324
diff
changeset
|
89 } |
292 | 90 file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf': |
91 source => 'puppet:///modules/fail2ban/ibb-apache-exploits-instaban.conf', | |
92 } | |
93 file { '/etc/fail2ban/filter.d/ibb-apache-shellshock.conf': | |
94 source => 'puppet:///modules/fail2ban/ibb-apache-shellshock.conf', | |
95 } | |
96 file { '/etc/fail2ban/filter.d/ibb-repeat-offender.conf': | |
97 source => 'puppet:///modules/fail2ban/ibb-repeat-offender.conf', | |
98 } | |
99 file { '/etc/fail2ban/filter.d/ibb-repeat-offender-ssh.conf': | |
100 source => 'puppet:///modules/fail2ban/ibb-repeat-offender-ssh.conf', | |
101 } | |
102 file { '/etc/fail2ban/filter.d/ibb-postfix-spammers.conf': | |
103 source => 'puppet:///modules/fail2ban/ibb-postfix-spammers.conf', | |
104 } | |
105 file { '/etc/fail2ban/filter.d/ibb-postfix-malicious.conf': | |
106 source => 'puppet:///modules/fail2ban/ibb-postfix-malicious.conf', | |
107 } | |
108 file { '/etc/fail2ban/filter.d/ibb-postfix.conf': | |
109 source => 'puppet:///modules/fail2ban/ibb-postfix.conf', | |
110 } | |
111 file { '/etc/fail2ban/filter.d/ibb-sshd.conf': | |
112 source => 'puppet:///modules/fail2ban/ibb-sshd.conf', | |
113 } | |
114 | |
115 $bad_users = [ | |
430 | 116 [ |
297 | 117 '[^0-9a-zA-Z]+', |
118 '\.?[0-9]+\.?', |
297 | 119 '[0-9a-zA-Z]{1,3}', |
292 | 120 '([0-9a-z])\2{2,}', |
121 'abused', | |
122 'Admin', | |
431 | 123 '[aA]dministr[a-z0-9\\\\]+', # administracion, administrador, administradorweb, administrator, administrat\303\266r (escaped ö) etc |
124 'admin-?gui', |
125 'adminuser', |
294 | 126 'admissions', |
292 | 127 'altibase', |
128 'alumni', | |
129 'amavisd?', | |
130 'amax[0-9]+', |
295 | 131 'amministratore', |
132 'amssys', |
292 | 133 'anwenderschnittstelle', |
134 'anonymous', | |
135 'ansible', | |
136 'apache', |
137 'apps', |
292 | 138 'aptproxy', |
297 | 139 'apt-mirror', |
140 'ark(server)?', | |
141 'asdfas', |
292 | 142 'asterisk', |
297 | 143 'audio', |
292 | 144 'auser', |
297 | 145 'autologin', |
292 | 146 'avahi', |
147 'avis', | |
148 'backlog', | |
149 'backup(s|er|pc|user)?', | |
297 | 150 'bash', |
151 'batch', |
297 | 152 'beagleindex', |
153 'benutzer', # German user account |
292 | 154 'bf2', |
155 '.*bitbucket', |
156 'bind', |
157 'biology', |
158 'bitcoin', |
292 | 159 'bitnami', |
160 'bitrix', | |
161 'bkroot', |
297 | 162 'blog', |
292 | 163 'boinc', |
164 'bot', |
292 | 165 'botmaster', |
166 'bouncer', |
167 'browser', |
168 'bugzilla', |
292 | 169 'build', |
170 'buscador', | |
171 'cacti(user)?', | |
172 'camera', |
297 | 173 'carrerasoft', |
292 | 174 'catchall', |
297 | 175 'celery', |
292 | 176 'cemergen', |
297 | 177 'centos', |
292 | 178 'chef', |
179 'chimistry', |
297 | 180 'cgi', |
181 'chromeuser', | |
292 | 182 'cinema', |
183 'cinstall', |
297 | 184 'cisco', |
292 | 185 'clamav', |
186 'cliente?[0-9]*', | |
187 'CloudSigma', |
292 | 188 'clouduser', |
189 'com', | |
190 'comercial', | |
191 'configure', |
192 'console', |
193 'contact', |
292 | 194 'control', |
195 'couchdb', | |
196 'cpanel', | |
197 'cpanelrrdtool', |
292 | 198 'create', |
199 'cron', | |
297 | 200 '(cs(s|go|cz)|arma|mc|tf2?|sdtd|web|pz)-?se?rve?r?', |
201 'cs-?go1?', | |
202 'CumulusLinux!', | |
203 'customer', |
292 | 204 'cyrus[0-9]*', |
205 'daemon', | |
206 'danger', | |
297 | 207 'darwin', |
208 'dasuse?r[0-9]*', |
209 'data(ba?se)?', |
210 'db2inst[0-9]*', |
211 'dbcloud', |
212 'dbus', |
292 | 213 'debian(-spamd)?', |
214 'default', | |
215 'dell', | |
216 'demo', |
297 | 217 'deploy(er)?[0-9]*', |
292 | 218 'desktop', |
219 'developer', | |
297 | 220 'devdata', |
292 | 221 'devops', |
222 'devteam', | |
223 'dietpi', | |
297 | 224 'discordbot', |
225 'disklessadmin', | |
226 'display', |
292 | 227 'django', |
297 | 228 'dmarc', |
229 'dpvirtual', |
230 'docker(user)?', |
292 | 231 'dotblot', |
232 'download', | |
233 'dovecot', | |
297 | 234 'dovenull', |
294 | 235 'duplicity', |
292 | 236 'easy', |
237 'ec2-user', | |
297 | 238 'ecquser', |
292 | 239 'edu(cation)?[0-9]*', |
240 'e-shop', | |
297 | 241 'elastic', |
242 'elsearch', |
292 | 243 'engin(eer)?', |
244 'esadmin', | |
245 'events', | |
246 'exploit', |
292 | 247 'exports?', |
248 'facebook', | |
249 'factorio', | |
250 'fax', | |
297 | 251 'fcweb', |
252 'fetchmail', | |
292 | 253 'filter', |
254 'firebird', | |
297 | 255 'firefox', |
256 'ftp(admin)?', |
292 | 257 'fuser', |
430 | 258 ],[ |
292 | 259 'games', |
260 'gdm', | |
261 'geometry', |
292 | 262 'geniuz', |
297 | 263 'getmail', |
292 | 264 'ggc_user', |
265 'ghost', | |
297 | 266 'git(olite?|blit|lab(_ci)?|admi?n?|use?r)?', |
267 'glassfish', |
292 | 268 'gmail', |
294 | 269 'gmodserver', |
270 'gnuhealth', | |
271 'google', |
292 | 272 'gopher', |
297 | 273 'government', |
274 'gpadmin', |
275 'grape', |
276 'grid', |
292 | 277 'guest', |
278 'hacker', | |
279 'hadoop', | |
297 | 280 'haldaemon', |
292 | 281 'harvard', |
297 | 282 'hduser', |
283 'headmaster', | |
292 | 284 'helpdesk', |
285 'hive', |
292 | 286 'home', |
287 'host', | |
288 'httpd?', | |
294 | 289 'httpfs', |
292 | 290 'huawei', |
297 | 291 'iamroot', |
292 | 292 'iceuser', |
293 'image', |
292 | 294 'imscp', |
297 | 295 'info(rmix)?[0-9]*', |
296 'inst[0-9]+', |
297 'install(er)?', |
298 'interadmin', |
297 | 299 'inventario', |
292 | 300 'java', |
301 'jboss', | |
302 'jenkins', | |
303 'jira', | |
297 | 304 'jmeter', |
305 'joomla', |
306 'jquery', |
292 | 307 'jsboss', |
297 | 308 'juniper', |
292 | 309 'kafka', |
310 'kodi', | |
295 | 311 'kms', |
312 'ldap', |
297 | 313 'legacy', |
292 | 314 'library', |
315 'libsys', | |
316 'libuuid', | |
317 'linode', | |
318 'linux', | |
295 | 319 'localadmin', |
297 | 320 'logcheck', |
292 | 321 'login', |
322 'logout', | |
295 | 323 'logstash', |
297 | 324 'logview(er)?', |
325 'lsfadmin', | |
292 | 326 'lynx', |
430 | 327 ],[ |
297 | 328 'magento', |
329 'mail', |
292 | 330 'mailer', |
331 'mailman', | |
297 | 332 'mailtest', |
292 | 333 'maintain', |
334 'majordomo', | |
335 'man', | |
336 'mantis', | |
337 'mapruser', |
292 | 338 'marketing', |
339 'master', | |
340 'member(ship)?', |
341 'merlin', |
297 | 342 'messagebus', |
292 | 343 'minecraft', |
344 'mirc', |
292 | 345 'modem', |
346 'mongo(db|user)?', | |
297 | 347 'monitor(ing)?', |
292 | 348 'more', |
349 'moher', | |
350 'mpiuser', | |
297 | 351 'mqadm', |
292 | 352 'musi[ck]bot', |
353 '(my?|pg)(sq(ue)?l|admin)[0-9]*', |
292 | 354 'mythtv', |
355 'nagios', | |
297 | 356 'named', |
292 | 357 'nasa', |
358 'ncs', |
297 | 359 'nessus', |
360 'netadmin', | |
361 'netdiag', | |
292 | 362 'netdump', |
297 | 363 'network', |
292 | 364 'netzplatz', |
365 'newadmin', | |
295 | 366 'newuser', |
292 | 367 'nexus', |
297 | 368 'nfinity', |
292 | 369 'nfs', |
370 '(nfs)?nobody', | |
371 'nginx', | |
372 'noc', | |
297 | 373 'node', |
374 'notes', |
292 | 375 'nothing', |
376 'NpC', | |
377 'ntps', |
292 | 378 'nux', |
379 'odoo', | |
380 'odroid', | |
297 | 381 'office', |
382 'omsagent', | |
292 | 383 'onyxeye', |
297 | 384 'oozie', |
292 | 385 'openbravo', |
294 | 386 'openfire', |
387 'openerp', |
292 | 388 'openvpn', |
389 'operador', | |
390 'operator', | |
391 'ops(code)?', | |
392 'oprofile', | |
393 'ora_?(cle|prod|root|vis)[0-9]*', |
394 'orbital', |
292 | 395 'osmc', |
295 | 396 'owncloud', |
292 | 397 'papernet', |
297 | 398 'passwo?r?d', |
292 | 399 'payments', |
400 'pay_?pal', | |
294 | 401 'pdfbox', |
292 | 402 'pentaho', |
297 | 403 'php[0-9]*', |
404 'platform', | |
405 'play', |
292 | 406 'PlcmSpIp(PlcmSpIp)?', |
407 'plesk', |
297 | 408 'plex', |
409 'point', |
410 'polkitd?', |
297 | 411 'popd?3?', |
292 | 412 'popuser', |
413 'portal', |
292 | 414 'postfix', |
297 | 415 'p0stgr3s', |
292 | 416 'postgres', |
417 'postmaster', | |
297 | 418 'pptpd', |
292 | 419 'print', |
420 'privoxy', | |
421 'proba', | |
422 'Prometheus', |
292 | 423 'proxy', |
295 | 424 'public', |
292 | 425 'puppet', |
426 'pwla', |
292 | 427 'qhsupport', |
428 'rabbit(mq)?', | |
429 'radio', |
292 | 430 'radiusd?', |
431 'raspberry', |
297 | 432 'readonly', |
433 'reboot', | |
434 'recording', | |
292 | 435 'redis', |
436 'redmine', | |
437 'remot[eo]', |
297 | 438 'reports', |
292 | 439 'riakcs', |
440 'root[0-9a-zA-Z]+', |
292 | 441 'rpc(user)?', |
297 | 442 'rpm', |
292 | 443 'RPM', |
444 'rtorrent', | |
430 | 445 ],[ |
292 | 446 'rustserver', |
447 'sales[0-9]+', | |
448 'samp', |
292 | 449 's?bin', |
450 'saslauth', | |
297 | 451 'scan(n?er)?', |
292 | 452 'screen', |
453 'search', | |
297 | 454 'sekretariat', |
455 'server', |
294 | 456 'serverpilot', |
292 | 457 'service', |
458 'setup', |
459 '(s|u|user|ams|admin|inss|pro|web)?ftp(d|[_-]?use?r|home|_?test|immo)?[0-9]*', |
292 | 460 'sftponly', |
461 'shell', | |
462 'shop', | |
297 | 463 'sinusbot[0-9]*', |
464 'sirius', |
297 | 465 'smbguest', |
466 'smbuse?r', | |
292 | 467 'smmsp', |
468 'socket', | |
469 'software', | |
470 'solr', |
292 | 471 'solarus', |
472 'spam', |
473 'spark', |
474 'speech-dispatcher', |
292 | 475 'splunk', |
297 | 476 'sprummlbot', |
292 | 477 'squid', |
297 | 478 'squirrelmail[0-9]+', |
479 'srvadmin', | |
480 'sshd', |
292 | 481 'sshusr', |
482 'staffc', | |
483 'steam(cmd)?', | |
484 'store', | |
485 'stream', |
297 | 486 'stunnel', |
487 'super(user)?', |
488 'suporte', |
292 | 489 'support', |
490 'svn(root|admin)?', |
491 'sybase', |
297 | 492 'sync[0-9]*', |
292 | 493 'sysadmin', |
494 'system', | |
495 'teamspeak[234]?(-?use?r)?', |
496 'telecom(admin)?', |
292 | 497 'telkom', |
297 | 498 'telnetd?', |
499 'te?mp(use?r)?[0-9]*', | |
500 'test((er?|ing|ftp|man|linux|use?r|u)[0-9]*|[0-9]+)?', |
501 'ttest', |
292 | 502 '(test)?username', |
503 'text', | |
504 'tiago', |
292 | 505 'tomcat', |
506 'tools', | |
507 'toor', | |
508 'ts[123](se?rv(er)?|(musi[ck])?bot|sleep|user)?', |
297 | 509 'tss', |
292 | 510 'tunstall', |
511 'ubnt', | |
512 'unity', | |
297 | 513 'universitaetsrechenzentrum', # University Computing Center |
514 'unix', |
515 'uplink', |
516 'upload(er)?[0-9]*', |
297 | 517 'user[0-9]*', |
292 | 518 'USERID', |
297 | 519 'username', |
292 | 520 'usuario', |
521 'utente', # Italian user |
292 | 522 'uucp', |
523 'vagrant', | |
524 'vbox', | |
525 'ventrilo', | |
526 'vhbackup', | |
527 'video', |
528 'virtual', |
292 | 529 'virusalter', |
530 'vmadmin', | |
531 'vmail', | |
532 'vscan?', |
533 'vtms', |
292 | 534 'vyatta', |
535 'wanadoo', | |
536 'web', |
537 'webapp', |
538 'webdesign', |
292 | 539 'weblogic', |
540 'webmaster', | |
541 'webmin', |
297 | 542 'webportal', |
543 'websync', |
544 'wiki', |
292 | 545 'WinD3str0y', |
546 'wine', | |
297 | 547 'wordpress', |
292 | 548 'wp-?user', |
549 'write', | |
550 'www', | |
297 | 551 'wwAdmin', |
552 '(www|web|coin|fax|sys|db2|rsync|tc)-?(adm(in)?|run|users?|data|[0-9]+)', | |
292 | 553 'xbian', |
554 'xbot', | |
297 | 555 'xmpp', |
292 | 556 'xoadmin', |
557 'yahoo', | |
558 'yarn', | |
559 'zabbix', | |
560 'zimbra', | |
561 'zookeeper', | |
430 | 562 ],[ |
563 # User/admin/other |
564 '(bwair|api|appl?|ats|cam|cat|db|dev|file|imap|is|my|net|site|tech|virtual|vnc|vpn)?(admins?|app|dev|use?r|server|man|manager|mgr)[0-9]*', |
565 '(abc|account|git|info|redhat|samba|sshd|student|teacher|tomcat|ubuntu|web)[0-9]*', |
566 # Names |
567 '(aaron|alexander|bill|david|james|sergio|thomas|timson|tom|victor|wang)[0-9]*', |
297 | 568 # And some passwords that turned up as usernames |
569 '1q2w3e4r', | |
570 'abc123', | |
571 'letmein', |
292 | 572 '0fordn1on@#\$%%\^&', |
573 'P@\$\$w0rd', | |
297 | 574 'P@ssword1!', |
575 'Pa\$\$word_', |
576 'Passwd123(\$%%\^)', |
577 'password', |
297 | 578 'pass123?4?', |
579 'qwer?[0-9]+', | |
430 | 580 ] |
292 | 581 ] |
582 | |
# Filter for the custom "bad user" sshd jail. The EPP template is handed the
# $bad_users list (presumably the regex entries whose array closes just above)
# and renders them into a fail2ban filter. The entries are regex fragments, not
# literal names: characters special to the regex or to fail2ban's %-interpolation
# must be escaped, as the password-style entries already do with \$, \^ and %%.
# An entry that is too broad will also match failed logins of legitimate
# accounts, so keep patterns specific.
# NOTE(review): ensure/require/notify are not set here; they appear to come from
# the File<| tag == 'fail2ban' |> collector earlier in this class (resources
# declared inside the class carry its name as a tag) — confirm if that collector
# is ever changed.
file { '/etc/fail2ban/filter.d/ibb-sshd-bad-user.conf':
  content => epp('fail2ban/ibb-sshd-bad-user.epp', { 'bad_users' => $bad_users }),
}
# Because one of our rules checks fail2ban's log, but the service dies without
# the file: pre-create the log so that jail can start on a fresh host.
# Ownership and permissions come from the per-OS-family branch near the top of
# the class (the RedHat branch sets group 'root' and mode '0600').
# NOTE(review): if no branch matches the running OS family, $log_group and
# $log_mode are undef and Puppet leaves group/mode unmanaged, so the log would be
# created with default permissions rather than 0600 — confirm an else branch or
# a fail() covers other families.
# NOTE(review): the tag-based File collector earlier in this class appears to
# add notify => Service['fail2ban'] to this resource too, so a permission
# correction on the log will restart the service — confirm that is intended.
file { '/var/log/fail2ban.log':
  ensure => present,
  owner => 'root',
  group => $log_group,
  mode => $log_mode,
}
593 } |