diff modules/fail2ban/manifests/init.pp @ 292:3e04f35dd0af
Turn Fail2ban setup into a module
We now:
* Don't have a large class outside a module
* Build "bad SSH users" config from a list
(easier to understand/see diffs in than a long line)
* Use modern EPP files
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Sat, 18 Jan 2020 15:17:03 +0000 |
parents | |
children | 55762b436f89 |
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/manifests/init.pp Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,332 @@
+class fail2ban (
+ $firewall_cmd,
+ ) {
+ package { 'fail2ban':
+ ensure => installed,
+ }
+ service { 'fail2ban':
+ ensure => running,
+ enable => true
+ }
+ File<| tag == 'fail2ban' |> {
+ ensure => present,
+ require => Package['fail2ban'],
+ notify => Service['fail2ban'],
+ }
+ file { '/etc/fail2ban/fail2ban.local':
+ source => 'puppet:///modules/fail2ban/fail2ban.local',
+ }
+ file { '/etc/fail2ban/jail.local':
+ source => 'puppet:///modules/fail2ban/jail.local',
+ }
+ file { '/etc/fail2ban/action.d/apf.conf':
+ source => 'puppet:///modules/fail2ban/apf.conf',
+ }
+
+ if $firewall_cmd == 'iptables' {
+ $firewall_ban_cmd = 'iptables-multiport'
+ } else {
+ $firewall_ban_cmd = $firewall_cmd
+ }
+
+ file { '/etc/fail2ban/action.d/firewall-ban.conf':
+ ensure => link,
+ target => "/etc/fail2ban/action.d/${firewall_ban_cmd}.conf",
+ }
+ file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf':
+ source => 'puppet:///modules/fail2ban/ibb-apache-exploits-instaban.conf',
+ }
+ file { '/etc/fail2ban/filter.d/ibb-apache-shellshock.conf':
+ source => 'puppet:///modules/fail2ban/ibb-apache-shellshock.conf',
+ }
+ file { '/etc/fail2ban/filter.d/ibb-repeat-offender.conf':
+ source => 'puppet:///modules/fail2ban/ibb-repeat-offender.conf',
+ }
+ file { '/etc/fail2ban/filter.d/ibb-repeat-offender-ssh.conf':
+ source => 'puppet:///modules/fail2ban/ibb-repeat-offender-ssh.conf',
+ }
+ file { '/etc/fail2ban/filter.d/ibb-postfix-spammers.conf':
+ source => 'puppet:///modules/fail2ban/ibb-postfix-spammers.conf',
+ }
+ file { '/etc/fail2ban/filter.d/ibb-postfix-malicious.conf':
+ source => 'puppet:///modules/fail2ban/ibb-postfix-malicious.conf',
+ }
+ file { '/etc/fail2ban/filter.d/ibb-postfix.conf':
+ source => 'puppet:///modules/fail2ban/ibb-postfix.conf',
+ }
+ file { '/etc/fail2ban/filter.d/ibb-sshd.conf':
+ source => 'puppet:///modules/fail2ban/ibb-sshd.conf',
+ }
+
+ $bad_users = [
+ '[0-9]+',
+ '[0-9a-z][0-9a-z]?',
+ '([0-9a-z])\2{2,}',
+ 'abc123',
+ 'abused',
+ 'adm',
+ 'Admin',
+ 'admin[0-9]+',
+ 'administrateur',
+ 'administracion',
+ 'altibase',
+ 'alumni',
+ 'amavisd?',
+ 'anwenderschnittstelle',
+ 'anonymous',
+ 'ansible',
+ 'aptproxy',
+ 'arkserver',
+ 'asterisk',
+ 'auser',
+ 'avahi',
+ 'avis',
+ 'backlog',
+ 'backup(s|er|pc|user)?',
+ 'bf2',
+ 'bitnami',
+ 'bitrix',
+ 'boinc',
+ 'botmaster',
+ 'build',
+ 'buscador',
+ 'cacti(user)?',
+ 'catchall',
+ 'cemergen',
+ 'chef',
+ 'cinema',
+ 'clamav',
+ 'cliente?[0-9]*',
+ 'clouduser',
+ 'com',
+ 'comercial',
+ 'control',
+ 'couchdb',
+ 'cpanel',
+ 'create',
+ 'cron',
+ '(cs(s|go|cz)|arma|mc|tf2?|sdtd|web|pz)se?rve?r?',
+ 'cyrus[0-9]*',
+ 'daemon',
+ 'danger',
+ 'debian(-spamd)?',
+ 'default',
+ 'dell',
+ 'deploy(er)?',
+ 'desktop',
+ 'developer',
+ 'devops',
+ 'devteam',
+ 'dietpi',
+ 'django',
+ 'dotblot',
+ 'download',
+ 'dovecot',
+ 'easy',
+ 'ec2-user',
+ 'edu(cation)?[0-9]*',
+ 'e-shop',
+ 'engin(eer)?',
+ 'esadmin',
+ 'events',
+ 'exports?',
+ 'facebook',
+ 'factorio',
+ 'fax',
+ 'filter',
+ 'firebird',
+ 'fuser',
+ 'games',
+ 'gdm',
+ 'geniuz',
+ 'ggc_user',
+ 'ghost',
+ 'git(olite?|blit|lab(_ci)?)?',
+ 'gmail',
+ 'gopher',
+ 'guest',
+ 'hacker',
+ 'hadoop',
+ 'harvard',
+ 'helpdesk',
+ 'home',
+ 'host',
+ 'httpd?',
+ 'huawei',
+ 'iceuser',
+ 'imscp',
+ 'info(rmix)?',
+ 'java',
+ 'jboss',
+ 'jenkins',
+ 'jira',
+ 'jsboss',
+ 'kafka',
+ 'kodi',
+ 'library',
+ 'libsys',
+ 'libuuid',
+ 'linode',
+ 'linux',
+ 'login',
+ 'logout',
+ 'lynx',
+ 'mailer',
+ 'mailman',
+ 'maintain',
+ 'majordomo',
+ 'man',
+ 'mantis',
+ 'marketing',
+ 'master',
+ 'membership',
+ 'minecraft',
+ 'modem',
+ 'mongo(db|user)?',
+ 'monitor',
+ 'more',
+ 'moher',
+ 'mpiuser',
+ 'musi[ck]bot',
+ '(my?|pg)sq(ue)?l',
+ 'mythtv',
+ 'nagios',
+ 'nasa',
+ 'netdump',
+ 'netzplatz',
+ 'newadmin',
+ 'nexus',
+ 'nfs',
+ '(nfs)?nobody',
+ 'nginx',
+ 'noc',
+ 'nothing',
+ 'NpC',
+ 'nux',
+ 'odoo',
+ 'odroid',
+ 'onyxeye',
+ 'openbravo',
+ 'openvpn',
+ 'operador',
+ 'operator',
+ 'ops(code)?',
+ 'oprofile',
+ 'ora(cle|prod)',
+ 'osmc',
+ 'papernet',
+ 'password',
+ 'payments',
+ 'pay_?pal',
+ 'pentaho',
+ 'PlcmSpIp(PlcmSpIp)?',
+ 'popuser',
+ 'postfix',
+ 'postgres',
+ 'postmaster',
+ 'print',
+ 'privoxy',
+ 'proba',
+ 'proxy',
+ 'puppet',
+ 'qhsupport',
+ 'rabbit(mq)?',
+ 'radiusd?',
+ 'redis',
+ 'redmine',
+ 'riakcs',
+ 'root[0-9]+',
+ 'rpc(user)?',
+ 'RPM',
+ 'rtorrent',
+ 'rustserver',
+ 'sales[0-9]+',
+ 's?bin',
+ '(samba|sshd|git|student|tomcat|abc|web|info|(vpn|appl?|my|b)?(use?r|server|manager|mgr)|account)[0-9]*',
+ 'saslauth',
+ 'scaner',
+ 'screen',
+ 'search',
+ 'setup',
+ 'service',
+ '(s|u|ams|admin|inss|pro)?ftp(d|_?user|home|_?test)?[0-9]*',
+ 'sftponly',
+ 'shell',
+ 'shop',
+ 'sinusbot',
+ 'smmsp',
+ 'socket',
+ 'software',
+ 'solarus',
+ 'splunk',
+ 'squid',
+ 'squirrelmail',
+ 'sshusr',
+ 'staffc',
+ 'steam(cmd)?',
+ 'store',
+ 'superuser',
+ 'support',
+ 'svnroot',
+ 'sysadmin',
+ 'system',
+ 'teamspeak3?',
+ 'telkom',
+ 'temp',
+ 'test((ing|ftp|man|use?r|u)[0-9]*|[0-9]+)?',
+ '(test)?username',
+ 'text',
+ 'tomcat',
+ 'tools',
+ 'toor',
+ 'ts[23](se?rv(er)?|(musi[ck])?bot)?',
+ 'tunstall',
+ 'ubnt',
+ 'ubuntu',
+ 'upload',
+ 'unity',
+ 'USERID',
+ 'user[0-9]*',
+ 'usuario',
+ 'uucp',
+ 'vagrant',
+ 'vbox',
+ 'ventrilo',
+ 'vhbackup',
+ 'virusalter',
+ 'vmadmin',
+ 'vmail',
+ 'vyatta',
+ 'wanadoo',
+ 'weblogic',
+ 'webmaster',
+ 'WinD3str0y',
+ 'wine',
+ 'wp-?user',
+ 'write',
+ 'www',
+ '(www|web|coin|fax|sys|db2|rsync|tc)-?(adm(in)?|run|user|data)',
+ 'xbian',
+ 'xbot',
+ 'xoadmin',
+ 'yahoo',
+ 'yarn',
+ 'zabbix',
+ 'zimbra',
+ 'zookeeper',
+ '0fordn1on@#\$%%\^&',
+ 'P@\$\$w0rd',
+ 'pass123?4?'
+ ]
+
+ file { '/etc/fail2ban/filter.d/ibb-sshd-bad-user.conf':
+ content => epp('fail2ban/ibb-sshd-bad-user.epp', { 'bad_users' => $bad_users }),
+ }
+ # Because one of our rules checks fail2ban's log, but the service dies without the file
+ file { '/var/log/fail2ban.log':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ }
+}
\ No newline at end of file
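Review bot: `$firewall_cmd` is declared without a type and, via `$firewall_ban_cmd`, is interpolated straight into the symlink target `"/etc/fail2ban/action.d/${firewall_ban_cmd}.conf"`, so a typo or unexpected value from Hiera would most likely yield a dangling link that only surfaces when fail2ban fails to load the action; declaring it as `String $firewall_cmd,` (or an `Enum` of the action files this module actually ships) fails catalog compilation instead. The `File<| tag == 'fail2ban' |>` collector amends `ensure => present` onto every file resource in the class, which presumably includes the `firewall-ban.conf` resource declared with `ensure => link` — worth confirming that the link is still managed as a link after the override rather than as a plain file. The `'([0-9a-z])\2{2,}'` entry in `$bad_users` relies on `\2` matching however the EPP template (not visible here) groups the alternation, so a comment such as `# \2 assumes the template wraps the whole alternation in one capture group; keep in sync with ibb-sshd-bad-user.epp` would record that coupling for the next editor.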