Mercurial > repos > other > Puppet
view modules/fail2ban/manifests/init.pp @ 297:4f7315d7e869
Blacklist LOTS of usernames
These came from a period when Fail2ban was temporarily dead and
one IP made over 1300 login requests!
| author | IBBoard <dev@ibboard.co.uk> |
|---|---|
| date | Sun, 09 Feb 2020 20:31:12 +0000 |
| parents | 2f4d0ea4cb55 |
| children | 38e35360a390 |
line wrap: on
line source
class fail2ban ( $firewall_cmd, ) { package { 'fail2ban': ensure => installed, } service { 'fail2ban': ensure => running, enable => true } File<| tag == 'fail2ban' |> { ensure => present, require => Package['fail2ban'], notify => Service['fail2ban'], } file { '/etc/fail2ban/fail2ban.local': source => 'puppet:///modules/fail2ban/fail2ban.local', } file { '/etc/fail2ban/jail.local': source => 'puppet:///modules/fail2ban/jail.local', } file { '/etc/fail2ban/action.d/apf.conf': source => 'puppet:///modules/fail2ban/apf.conf', } if $firewall_cmd == 'iptables' { $firewall_ban_cmd = 'iptables-multiport' } else { $firewall_ban_cmd = $firewall_cmd } file { '/etc/fail2ban/action.d/firewall-ban.conf': ensure => link, target => "/etc/fail2ban/action.d/${firewall_ban_cmd}.conf", } file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf': source => 'puppet:///modules/fail2ban/ibb-apache-exploits-instaban.conf', } file { '/etc/fail2ban/filter.d/ibb-apache-shellshock.conf': source => 'puppet:///modules/fail2ban/ibb-apache-shellshock.conf', } file { '/etc/fail2ban/filter.d/ibb-repeat-offender.conf': source => 'puppet:///modules/fail2ban/ibb-repeat-offender.conf', } file { '/etc/fail2ban/filter.d/ibb-repeat-offender-ssh.conf': source => 'puppet:///modules/fail2ban/ibb-repeat-offender-ssh.conf', } file { '/etc/fail2ban/filter.d/ibb-postfix-spammers.conf': source => 'puppet:///modules/fail2ban/ibb-postfix-spammers.conf', } file { '/etc/fail2ban/filter.d/ibb-postfix-malicious.conf': source => 'puppet:///modules/fail2ban/ibb-postfix-malicious.conf', } file { '/etc/fail2ban/filter.d/ibb-postfix.conf': source => 'puppet:///modules/fail2ban/ibb-postfix.conf', } file { '/etc/fail2ban/filter.d/ibb-sshd.conf': source => 'puppet:///modules/fail2ban/ibb-sshd.conf', } $bad_users = [ '[^0-9a-zA-Z]+', '[0-9]+', '[0-9a-zA-Z]{1,3}', '([0-9a-z])\2{2,}', 'abused', 'adm', 'Admin', 'admins?[0-9]+', 'administr[a-z]+', # administracion, administrador, administradorweb, administrator, etc 'admissions', 'altibase', 'alumni', 'amavisd?', 'amministratore', 'anwenderschnittstelle', 'anonymous', 'ansible', 'aptproxy', 'apt-mirror', 'ark(server)?', 'asterisk', 'audio', 'auser', 'autologin', 'avahi', 'avis', 'backlog', 'backup(s|er|pc|user)?', 'bash', 'beagleindex', 'bf2', 'bitbucket', 'bitcoin', 'bitnami', 'bitrix', 'blog', 'boinc', 'botmaster', 'build', 'buscador', 'cacti(user)?', 'carrerasoft', 'catchall', 'celery', 'cemergen', 'centos', 'chef', 'cgi', 'chromeuser', 'cinema', 'cisco', 'clamav', 'cliente?[0-9]*', 'clouduser', 'com', 'comercial', 'control', 'couchdb', 'cpanel', 'create', 'cron', '(cs(s|go|cz)|arma|mc|tf2?|sdtd|web|pz)-?se?rve?r?', 'cs-?go1?', 'CumulusLinux!', 'cyrus[0-9]*', 'daemon', 'danger', 'darwin', 'dasuse?r', 'data', 'debian(-spamd)?', 'default', 'dell', 'deploy(er)?[0-9]*', 'desktop', 'developer', 'devdata', 'devops', 'devteam', 'dietpi', 'discordbot', 'disklessadmin', 'django', 'dmarc', 'dockeruser', 'dotblot', 'download', 'dovecot', 'dovenull', 'duplicity', 'easy', 'ec2-user', 'ecquser', 'edu(cation)?[0-9]*', 'e-shop', 'elastic', 'elsearch', 'engin(eer)?', 'esadmin', 'events', 'exports?', 'facebook', 'factorio', 'fax', 'fcweb', 'fetchmail', 'filter', 'firebird', 'firefox', 'fuser', 'games', 'gdm', 'geniuz', 'getmail', 'ggc_user', 'ghost', 'git(olite?|blit|lab(_ci)?|admi?n?|use?r)?', 'gmail', 'gmodserver', 'gnuhealth', 'gopher', 'government', 'guest', 'hacker', 'hadoop', 'haldaemon', 'harvard', 'hduser', 'headmaster', 'helpdesk', 'home', 'host', 'httpd?', 'httpfs', 'huawei', 'iamroot', 'iceuser', 'imscp', 'info(rmix)?[0-9]*', 'installer', 'inventario', 'java', 'jboss', 'jenkins', 'jira', 'jmeter', 'jsboss', 'juniper', 'kafka', 'kodi', 'kms', 'legacy', 'library', 'libsys', 'libuuid', 'linode', 'linux', 'localadmin', 'logcheck', 'login', 'logout', 'logstash', 'logview(er)?', 'lsfadmin', 'lynx', 'magento', 'mailer', 'mailman', 'mailtest', 'maintain', 'majordomo', 'man', 'mantis', 'mapruser', 'marketing', 'master', 'membership', 'messagebus', 'minecraft', 'modem', 'mongo(db|user)?', 'monitor(ing)?', 'more', 'moher', 'mpiuser', 'mqadm', 'musi[ck]bot', '(my?|pg)sq(ue)?l[0-9]*', 'mythtv', 'nagios', 'named', 'nasa', 'ncs', 'nessus', 'netadmin', 'netdiag', 'netdump', 'network', 'netzplatz', 'newadmin', 'newuser', 'nexus', 'nfinity', 'nfs', '(nfs)?nobody', 'nginx', 'noc', 'node', 'nothing', 'NpC', 'nux', 'odoo', 'odroid', 'office', 'omsagent', 'onyxeye', 'oozie', 'openbravo', 'openfire', 'openvpn', 'operador', 'operator', 'ops(code)?', 'oprofile', 'ora(cle|prod|vis)[0-9]*', 'osmc', 'owncloud', 'papernet', 'passwo?r?d', 'payments', 'pay_?pal', 'pdfbox', 'pentaho', 'php[0-9]*', 'platform', 'PlcmSpIp(PlcmSpIp)?', 'plex', 'popd?3?', 'popuser', 'postfix', 'p0stgr3s', 'postgres', 'postmaster', 'pptpd', 'print', 'privoxy', 'proba', 'proxy', 'public', 'puppet', 'qhsupport', 'rabbit(mq)?', 'radiusd?', 'readonly', 'reboot', 'recording', 'redis', 'redmine', 'remote', 'reports', 'riakcs', 'root[0-9]+', 'rpc(user)?', 'rpm', 'RPM', 'rtorrent', 'rustserver', 'sales[0-9]+', 's?bin', '(samba|sshd|git|student|tomcat|abc|web|info|(vpn|appl?|my|db)?(dev|use?r|server|man|manager|mgr)|account)[0-9]*', 'saslauth', 'scan(n?er)?', 'screen', 'search', 'sekretariat', 'setup', 'serverpilot', 'service', '(s|u|ams|admin|inss|pro|web)?ftp(d|[_-]?use?r|home|_?test|immo)?[0-9]*', 'sftponly', 'shell', 'shop', 'sinusbot[0-9]*', 'smbguest', 'smbuse?r', 'smmsp', 'socket', 'software', 'solarus', 'splunk', 'sprummlbot', 'squid', 'squirrelmail[0-9]+', 'srvadmin', 'sshusr', 'staffc', 'steam(cmd)?', 'store', 'stunnel', 'superuser', 'suporte', 'support', 'svn(root)?', 'sybase', 'sync[0-9]*', 'sysadmin', 'system', 'teamspeak[23]?(-?use?r)?', 'telkom', 'telnetd?', 'te?mp(use?r)?[0-9]*', 'test((er?|ing|ftp|man|use?r|u)[0-9]*|[0-9]+)?', '(test)?username', 'text', 'tomcat', 'tools', 'toor', 'ts[23](se?rv(er)?|(musi[ck])?bot|sleep)?', 'tss', 'tunstall', 'ubnt', 'ubuntu', 'unity', 'universitaetsrechenzentrum', # University Computing Center 'upload[0-9]*', 'user[0-9]*', 'USERID', 'username', 'usuario', 'uucp', 'vagrant', 'vbox', 'ventrilo', 'vhbackup', 'virusalter', 'vmadmin', 'vmail', 'vscan', 'vyatta', 'wanadoo', 'weblogic', 'webmaster', 'webportal', 'WinD3str0y', 'wine', 'wordpress', 'wp-?user', 'write', 'www', 'wwAdmin', '(www|web|coin|fax|sys|db2|rsync|tc)-?(adm(in)?|run|users?|data|[0-9]+)', 'xbian', 'xbot', 'xmpp', 'xoadmin', 'yahoo', 'yarn', 'zabbix', 'zimbra', 'zookeeper', # And some passwords that turned up as usernames '1q2w3e4r', 'abc123', '0fordn1on@#\$%%\^&', 'P@\$\$w0rd', 'P@ssword1!', 'Passwd123', 'pass123?4?', 'qwer?[0-9]+', ] file { '/etc/fail2ban/filter.d/ibb-sshd-bad-user.conf': content => epp('fail2ban/ibb-sshd-bad-user.epp', { 'bad_users' => $bad_users }), } # Because one of our rules checks fail2ban's log, but the service dies without the file file { '/var/log/fail2ban.log': ensure => present, owner => 'root', group => 'root', mode => '0600', } }