view modules/fail2ban/manifests/init.pp @ 430:79e5fed321fa
Break up SSH bad users regexes
The list had got so long that it was failing to compile!
author | IBBoard <dev@ibboard.co.uk> |
date | Sun, 11 Dec 2022 20:27:08 +0000 |
parents | a7eaf17bff26 |
children | c84f5efa999e |
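# Installs and configures fail2ban with this site's jails, filters and actions.
#
# Manages the package and service, drops the local jail/action/filter files
# into /etc/fail2ban, wires the Apache IP banlist DBM files that the
# ibb-apache-ip-block action feeds, and renders the SSH bad-user filter from
# the $bad_users regex list below.
#
# @param firewall_cmd
#   Name of the fail2ban action used to ban addresses. 'iptables' is mapped
#   to the stock 'iptables-multiport' action; any other value is used as-is
#   and must correspond to an existing /etc/fail2ban/action.d/<name>.conf.
class fail2ban (
  String $firewall_cmd,
) {
  package { 'fail2ban':
    ensure => installed,
  }

  service { 'fail2ban':
    ensure => running,
    enable => true,
  }

  # Resources declared inside this class carry the 'fail2ban' tag, so this
  # override applies to every file below (and to any file tagged 'fail2ban'
  # elsewhere): make sure the package is in place first and bounce the
  # service whenever one of them changes.
  File<| tag == 'fail2ban' |> {
    ensure  => present,
    require => Package['fail2ban'],
    notify  => Service['fail2ban'],
  }

  file { '/etc/fail2ban/fail2ban.local':
    source => 'puppet:///modules/fail2ban/fail2ban.local',
  }

  # Distro-specific paths. Anything else is refused up front rather than
  # leaving $ssh_log/$mail_log/$apache_conf_custom unset, which would render
  # jail.local with empty log paths and build the banlist execs with a
  # relative output path.
  # NOTE(review): $osfamily/$operatingsystem are legacy top-scope facts;
  # $facts['os']['family'] / $facts['os']['name'] are the structured form.
  case $osfamily {
    'RedHat': {
      $ssh_log            = '/var/log/secure'
      $mail_log           = '/var/log/maillog'
      $apache_conf_custom = '/etc/httpd/conf.custom/'
    }
    'Debian': {
      $ssh_log            = '/var/log/auth.log'
      $mail_log           = '/var/log/mail.log'
      $apache_conf_custom = '/etc/apache2/conf.custom/'
    }
    default: {
      fail("fail2ban: unsupported osfamily '${osfamily}' (expected RedHat or Debian)")
    }
  }

  file { '/etc/fail2ban/jail.local':
    content => epp('fail2ban/jail.local.epp', { 'ssh_log' => $ssh_log, 'mail_log' => $mail_log }),
  }

  file { '/etc/fail2ban/action.d/apf.conf':
    source => 'puppet:///modules/fail2ban/apf.conf',
  }

  # 'iptables' is the short name for the stock multiport action; anything
  # else is taken to be the action file's own name.
  $firewall_ban_cmd = $firewall_cmd ? {
    'iptables' => 'iptables-multiport',
    default    => $firewall_cmd,
  }

  # One DBM banlist (read by Apache) plus the plain-text file that feeds it,
  # for the normal and the repeat-offender lists. The DBM is only seeded when
  # missing so that an existing banlist is never wiped on a Puppet run.
  # NOTE(review): the text files sit in world-writable /tmp with no owner or
  # mode pinned; whichever process writes them (the ibb-apache-ip-block
  # action, not visible here) should be checked before moving them or
  # tightening ownership.
  ['apache_banlist', 'apache_repeat_banlist'].each |String $list| {
    exec { "httxt2dbm -i /dev/null -o ${apache_conf_custom}${list}.db":
      path    => '/sbin:/usr/bin',
      unless  => "test -f ${apache_conf_custom}${list}.db",
      require => Class['website'],
      before  => Service['httpd'],
    }

    file { "/tmp/${list}.txt":
      ensure  => present,
      seltype => 'httpd_config_t',
    }
  }

  if $operatingsystem == 'CentOS' {
    # SELinux policy module so the httxt2dbm run by the ban action can work
    # the rest of the time; re-installed only when the .pp changes.
    file { '/etc/selinux/apache-ip-banlist.pp':
      source => 'puppet:///modules/fail2ban/apache-ip-banlist.pp',
    }
    ~> exec { 'semodule -i /etc/selinux/apache-ip-banlist.pp':
      path        => '/usr/sbin',
      refreshonly => true,
    }
  }

  # Stable name for whichever ban action was chosen, so jail.local can refer
  # to 'firewall-ban' regardless of $firewall_cmd.
  file { '/etc/fail2ban/action.d/firewall-ban.conf':
    ensure => link,
    target => "/etc/fail2ban/action.d/${firewall_ban_cmd}.conf",
  }

  file { '/etc/fail2ban/action.d/ibb-apache-ip-block.conf':
    source => 'puppet:///modules/fail2ban/ibb-apache-ip-block.conf',
  }

  # Static site filters, shipped verbatim from the module's files directory.
  $ibb_filters = [
    'ibb-apache-exploits-instaban',
    'ibb-apache-shellshock',
    'ibb-repeat-offender',
    'ibb-repeat-offender-ssh',
    'ibb-postfix-spammers',
    'ibb-postfix-malicious',
    'ibb-postfix',
    'ibb-sshd',
  ]
  $ibb_filters.each |String $filter| {
    file { "/etc/fail2ban/filter.d/${filter}.conf":
      source => "puppet:///modules/fail2ban/${filter}.conf",
    }
  }

  # Usernames that are never legitimate on these hosts. Each entry is a
  # fail2ban (Python) regex fragment; the list is split into several groups
  # because a single alternation had grown too long to compile. The template
  # ibb-sshd-bad-user.epp decides how each group is joined.
  $bad_users = [
    [
      '[^0-9a-zA-Z]+', '\.?[0-9]+\.?', '[0-9a-zA-Z]{1,3}', '([0-9a-z])\2{2,}',
      'abused', 'Admin',
      '[aA]dministr[a-z0-9\\]+', # administracion, administrador, administradorweb, administrator, administrat\303\266r (escaped ö) etc
      'admin-?gui', 'adminuser', 'admissions', 'altibase', 'alumni', 'amavisd?', 'amax[0-9]+',
      'amministratore', 'amssys', 'anwenderschnittstelle', 'anonymous', 'ansible', 'apache', 'apps',
      'aptproxy', 'apt-mirror', 'ark(server)?', 'asdfas', 'asterisk', 'audio', 'auser', 'autologin',
      'avahi', 'avis', 'backlog', 'backup(s|er|pc|user)?', 'bash', 'batch', 'beagleindex',
      'benutzer', # German user account
      'bf2', '.*bitbucket', 'bind', 'biology', 'bitcoin', 'bitnami', 'bitrix', 'bkroot', 'blog',
      'boinc', 'bot', 'botmaster', 'bouncer', 'browser', 'bugzilla', 'build', 'buscador',
      'cacti(user)?', 'camera', 'carrerasoft', 'catchall', 'celery', 'cemergen', 'centos', 'chef',
      'chimistry', 'cgi', 'chromeuser', 'cinema', 'cinstall', 'cisco', 'clamav', 'cliente?[0-9]*',
      'CloudSigma', 'clouduser', 'com', 'comercial', 'configure', 'console', 'contact', 'control',
      'couchdb', 'cpanel', 'cpanelrrdtool', 'create', 'cron',
      '(cs(s|go|cz)|arma|mc|tf2?|sdtd|web|pz)-?se?rve?r?', 'cs-?go1?', 'CumulusLinux!', 'customer',
      'cyrus[0-9]*', 'daemon', 'danger', 'darwin', 'dasuse?r[0-9]*', 'data(ba?se)?', 'db2inst[0-9]*',
      'dbcloud', 'dbus', 'debian(-spamd)?', 'default', 'dell', 'demo', 'deploy(er)?[0-9]*', 'desktop',
      'developer', 'devdata', 'devops', 'devteam', 'dietpi', 'discordbot', 'disklessadmin', 'display',
      'django', 'dmarc', 'dpvirtual', 'docker(user)?', 'dotblot', 'download', 'dovecot', 'dovenull',
      'duplicity', 'easy', 'ec2-user', 'ecquser', 'edu(cation)?[0-9]*', 'e-shop', 'elastic', 'elsearch',
      'engin(eer)?', 'esadmin', 'events', 'exploit', 'exports?', 'facebook', 'factorio', 'fax', 'fcweb',
      'fetchmail', 'filter', 'firebird', 'firefox', 'ftp(admin)?', 'fuser',
    ],
    [
      'games', 'gdm', 'geometry', 'geniuz', 'getmail', 'ggc_user', 'ghost',
      'git(olite?|blit|lab(_ci)?|admi?n?|use?r)?', 'glassfish', 'gmail', 'gmodserver', 'gnuhealth',
      'google', 'gopher', 'government', 'gpadmin', 'grape', 'grid', 'guest', 'hacker', 'hadoop',
      'haldaemon', 'harvard', 'hduser', 'headmaster', 'helpdesk', 'hive', 'home', 'host', 'httpd?',
      'httpfs', 'huawei', 'iamroot', 'iceuser', 'image', 'imscp', 'info(rmix)?[0-9]*', 'inst[0-9]+',
      'install(er)?', 'interadmin', 'inventario', 'java', 'jboss', 'jenkins', 'jira', 'jmeter',
      'joomla', 'jquery', 'jsboss', 'juniper', 'kafka', 'kodi', 'kms', 'ldap', 'legacy', 'library',
      'libsys', 'libuuid', 'linode', 'linux', 'localadmin', 'logcheck', 'login', 'logout', 'logstash',
      'logview(er)?', 'lsfadmin', 'lynx',
    ],
    [
      'magento', 'mail', 'mailer', 'mailman', 'mailtest', 'maintain', 'majordomo', 'man', 'mantis',
      'mapruser', 'marketing', 'master', 'member(ship)?', 'merlin', 'messagebus', 'minecraft', 'mirc',
      'modem', 'mongo(db|user)?', 'monitor(ing)?', 'more', 'moher', 'mpiuser', 'mqadm', 'musi[ck]bot',
      '(my?|pg)(sq(ue)?l|admin)[0-9]*', 'mythtv', 'nagios', 'named', 'nasa', 'ncs', 'nessus',
      'netadmin', 'netdiag', 'netdump', 'network', 'netzplatz', 'newadmin', 'newuser', 'nexus',
      'nfinity', 'nfs', '(nfs)?nobody', 'nginx', 'noc', 'node', 'notes', 'nothing', 'NpC', 'ntps',
      'nux', 'odoo', 'odroid', 'office', 'omsagent', 'onyxeye', 'oozie', 'openbravo', 'openfire',
      'openerp', 'openvpn', 'operador', 'operator', 'ops(code)?', 'oprofile',
      'ora_?(cle|prod|root|vis)[0-9]*', 'orbital', 'osmc', 'owncloud', 'papernet', 'passwo?r?d',
      'payments', 'pay_?pal', 'pdfbox', 'pentaho', 'php[0-9]*', 'platform', 'play',
      'PlcmSpIp(PlcmSpIp)?', 'plesk', 'plex', 'point', 'polkitd?', 'popd?3?', 'popuser', 'portal',
      'postfix', 'p0stgr3s', 'postgres', 'postmaster', 'pptpd', 'print', 'privoxy', 'proba',
      'Prometheus', 'proxy', 'public', 'puppet', 'pwla', 'qhsupport', 'rabbit(mq)?', 'radio',
      'radiusd?', 'raspberry', 'readonly', 'reboot', 'recording', 'redis', 'redmine', 'remot[eo]',
      'reports', 'riakcs', 'root[0-9a-zA-Z]+', 'rpc(user)?', 'rpm', 'RPM', 'rtorrent',
    ],
    [
      'rustserver', 'sales[0-9]+', 'samp', 's?bin', 'saslauth', 'scan(n?er)?', 'screen', 'search',
      'sekretariat', 'server', 'serverpilot', 'service', 'setup',
      '(s|u|user|ams|admin|inss|pro|web)?ftp(d|[_-]?use?r|home|_?test|immo)?[0-9]*', 'sftponly',
      'shell', 'shop', 'sinusbot[0-9]*', 'sirius', 'smbguest', 'smbuse?r', 'smmsp', 'socket',
      'software', 'solr', 'solarus', 'spam', 'spark', 'speech-dispatcher', 'splunk', 'sprummlbot',
      'squid', 'squirrelmail[0-9]+', 'srvadmin', 'sshd', 'sshusr', 'staffc', 'steam(cmd)?', 'store',
      'stream', 'stunnel', 'super(user)?', 'suporte', 'support', 'svn(root|admin)?', 'sybase',
      'sync[0-9]*', 'sysadmin', 'system', 'teamspeak[234]?(-?use?r)?', 'telecom(admin)?', 'telkom',
      'telnetd?', 'te?mp(use?r)?[0-9]*', 'test((er?|ing|ftp|man|linux|use?r|u)[0-9]*|[0-9]+)?',
      'ttest', '(test)?username', 'text', 'tiago', 'tomcat', 'tools', 'toor',
      'ts[123](se?rv(er)?|(musi[ck])?bot|sleep|user)?', 'tss', 'tunstall', 'ubnt', 'unity',
      'universitaetsrechenzentrum', # University Computing Center
      'unix', 'uplink', 'upload(er)?[0-9]*', 'user[0-9]*', 'USERID', 'username', 'usuario',
      'utente', # Italian user
      'uucp', 'vagrant', 'vbox', 'ventrilo', 'vhbackup', 'video', 'virtual', 'virusalter', 'vmadmin',
      'vmail', 'vscan?', 'vtms', 'vyatta', 'wanadoo', 'web', 'webapp', 'webdesign', 'weblogic',
      'webmaster', 'webmin', 'webportal', 'websync', 'wiki', 'WinD3str0y', 'wine', 'wordpress',
      'wp-?user', 'write', 'www', 'wwAdmin',
      '(www|web|coin|fax|sys|db2|rsync|tc)-?(adm(in)?|run|users?|data|[0-9]+)', 'xbian', 'xbot',
      'xmpp', 'xoadmin', 'yahoo', 'yarn', 'zabbix', 'zimbra', 'zookeeper',
    ],
    [
      # User/admin/other
      '(bwair|api|appl?|ats|cam|cat|db|dev|file|imap|is|my|net|site|tech|virtual|vnc|vpn)?(admins?|app|dev|use?r|server|man|manager|mgr)[0-9]*',
      '(abc|account|git|info|redhat|samba|sshd|student|teacher|tomcat|ubuntu|web)[0-9]*',
      # Names
      '(aaron|alexander|bill|david|james|sergio|thomas|timson|tom|victor|wang)[0-9]*',
      # And some passwords that turned up as usernames
      '1q2w3e4r', 'abc123', 'letmein', '0fordn1on@#\$%%\^&', 'P@\$\$w0rd', 'P@ssword1!',
      'Pa\$\$word_', 'Passwd123(\$%%\^)', 'password', 'pass123?4?', 'qwer?[0-9]+',
    ],
  ]

  file { '/etc/fail2ban/filter.d/ibb-sshd-bad-user.conf':
    content => epp('fail2ban/ibb-sshd-bad-user.epp', { 'bad_users' => $bad_users }),
  }

  # Because one of our rules checks fail2ban's log, but the service dies
  # without the file. Root-only: the log carries the addresses and usernames
  # of every failed login.
  file { '/var/log/fail2ban.log':
    ensure => present,
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
  }
}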