
Block lots of probed user account variants. Includes: new services, more names, and foreign-language variants.
author IBBoard <>
date Mon, 14 Feb 2022 20:43:50 +0000
# Installs and configures fail2ban with a set of module-supplied filters and
# actions (sshd bad-user list, Apache exploit/shellshock bans, Postfix
# spammers, repeat offenders) plus an Apache banlist DBM pair.
# Takes no parameters: OS-specific paths are chosen from the $osfamily /
# $operatingsystem facts, and $firewall_cmd is read from an outer scope
# rather than declared here -- NOTE(review): confirm where it is set.
class fail2ban (
	) {
	package { 'fail2ban':
		ensure => installed,
	service { 'fail2ban':
		ensure => running,
		enable => true
	# Override every File resource tagged 'fail2ban' (resources declared in
	# this class carry that tag automatically): make sure it exists, create it
	# only after the package has laid down /etc/fail2ban, and restart the
	# daemon whenever one of them changes.
	File<| tag == 'fail2ban' |> {
		ensure => present,
		require => Package['fail2ban'],
		notify => Service['fail2ban'],
	# Daemon-level overrides shipped verbatim from the module
	file { '/etc/fail2ban/fail2ban.local':
		source => 'puppet:///modules/fail2ban/fail2ban.local',
	# Auth/mail log locations differ per distro family; both feed jail.local.
	# NOTE(review): there is no else/fail branch, so on any other $osfamily
	# these stay undef and the template is rendered with empty log paths.
	if $osfamily == 'RedHat' {
		$ssh_log = '/var/log/secure'
		$mail_log = '/var/log/maillog'
	elsif $osfamily == 'Debian' {
		$ssh_log = '/var/log/auth.log'
		$mail_log = '/var/log/mail.log'
	# Jail definitions rendered from the module's EPP template using the log paths above
	file { '/etc/fail2ban/jail.local':
		content => epp('fail2ban/jail.local.epp', {'ssh_log' => $ssh_log, 'mail_log' => $mail_log})
	# apf ban action supplied by the module
	file { '/etc/fail2ban/action.d/apf.conf':
		source => 'puppet:///modules/fail2ban/apf.conf',

	# Map the node's firewall choice to a fail2ban action name: 'iptables'
	# uses the multiport variant, anything else is taken as-is and must match
	# an existing /etc/fail2ban/action.d/<name>.conf (see the symlink below).
	if $firewall_cmd == 'iptables' {
		$firewall_ban_cmd = 'iptables-multiport'
	} else {
		$firewall_ban_cmd = $firewall_cmd

	# Directory holding the Apache banlist DBMs (trailing slash is relied on
	# by the string interpolation below).
	# NOTE(review): no else branch -- on other OS families $apache_conf_custom
	# is undef, which interpolates as '' and turns the exec targets below into
	# relative paths.
	if $osfamily == 'RedHat' {
		$apache_conf_custom = '/etc/httpd/conf.custom/'
	elsif $osfamily == 'Debian' {
		$apache_conf_custom = '/etc/apache2/conf.custom/'
	# Create an empty banlist file if it doesn't exist
	# (httxt2dbm from the Apache tools; assumed to be found on /sbin:/usr/bin).
	# Ordered after Class['website'] (presumably the owner of conf.custom --
	# verify) and before httpd starts, so Apache never sees a missing DBM.
	exec { "httxt2dbm -i /dev/null -o ${apache_conf_custom}apache_banlist.db":
		path => '/sbin:/usr/bin',
		unless => "test -f ${apache_conf_custom}apache_banlist.db",
		require => Class['website'],
		before => Service['httpd'],
	# Plain-text side of the banlist, labelled httpd_config_t (presumably so
	# httpd's SELinux domain may read it -- confirm against the policy module).
	# NOTE(review): a fixed, predictable name in the world-writable /tmp with no
	# owner/group/mode managed, so a pre-existing file or symlink at this path
	# is left as-is; consider a root-owned directory and explicit owner/mode
	# (cf. /var/log/fail2ban.log below).
	file { '/tmp/apache_banlist.txt':
		ensure => present,
		seltype => 'httpd_config_t',
	# Create an empty repeat banlist file if it doesn't exist
	# (same pattern as above, for the repeat-offender list)
	exec { "httxt2dbm -i /dev/null -o ${apache_conf_custom}apache_repeat_banlist.db":
		path => '/sbin:/usr/bin',
		unless => "test -f ${apache_conf_custom}apache_repeat_banlist.db",
		require => Class['website'],
		before => Service['httpd'],
	# Same /tmp caveat as apache_banlist.txt above
	file { '/tmp/apache_repeat_banlist.txt':
		ensure => present,
		seltype => 'httpd_config_t',
	# CentOS-only (presumably because those hosts run SELinux): ship a local
	# policy module -- the '.pp' here is a compiled SELinux policy package,
	# not a Puppet manifest -- and load it with semodule. The '~>' chain makes
	# the refreshonly exec run only when the package file actually changes.
	if $operatingsystem == 'CentOS' {
		# And let the httxt2dbm process work the rest of the time
		file { '/etc/selinux/apache-ip-banlist.pp':
			source => 'puppet:///modules/fail2ban/apache-ip-banlist.pp',
		} ~>
		exec { 'semodule -i /etc/selinux/apache-ip-banlist.pp':
			path => '/usr/sbin',
			refreshonly => true,
	# Stable action name 'firewall-ban' for jails to reference; it points at
	# whichever backend $firewall_ban_cmd selected above.
	# NOTE(review): an unexpected $firewall_cmd value yields a dangling link
	# and the jails using this action will fail to load.
	file { '/etc/fail2ban/action.d/firewall-ban.conf':
		ensure => link,
		target => "/etc/fail2ban/action.d/${firewall_ban_cmd}.conf",
	# Module-supplied action and filters. All are tagged 'fail2ban', so the
	# collector above adds the package dependency and the service notify;
	# the file names describe what each one targets.
	file { '/etc/fail2ban/action.d/ibb-apache-ip-block.conf':
		source => 'puppet:///modules/fail2ban/ibb-apache-ip-block.conf',
	file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf':
		source => 'puppet:///modules/fail2ban/ibb-apache-exploits-instaban.conf',
	file { '/etc/fail2ban/filter.d/ibb-apache-shellshock.conf':
		source => 'puppet:///modules/fail2ban/ibb-apache-shellshock.conf',
	file { '/etc/fail2ban/filter.d/ibb-repeat-offender.conf':
		source => 'puppet:///modules/fail2ban/ibb-repeat-offender.conf',
	file { '/etc/fail2ban/filter.d/ibb-repeat-offender-ssh.conf':
		source => 'puppet:///modules/fail2ban/ibb-repeat-offender-ssh.conf',
	file { '/etc/fail2ban/filter.d/ibb-postfix-spammers.conf':
		source => 'puppet:///modules/fail2ban/ibb-postfix-spammers.conf',
	file { '/etc/fail2ban/filter.d/ibb-postfix-malicious.conf':
		source => 'puppet:///modules/fail2ban/ibb-postfix-malicious.conf',
	file { '/etc/fail2ban/filter.d/ibb-postfix.conf':
		source => 'puppet:///modules/fail2ban/ibb-postfix.conf',
	file { '/etc/fail2ban/filter.d/ibb-sshd.conf':
		source => 'puppet:///modules/fail2ban/ibb-sshd.conf',

	# Account names that only probes, never legitimate users, try over SSH.
	# Each entry is a regex fragment handed to the ibb-sshd-bad-user template.
	# NOTE(review): in a Puppet single-quoted string '\\' becomes ONE
	# backslash, so the first entry reaches the template as [a-z0-9\]+ --
	# confirm the EPP re-escapes it, otherwise the character class is
	# unterminated ('\\\\' would be needed here to emit a literal \\).
	$bad_users = [
		'[aA]dministr[a-z0-9\\]+', # administracion, administrador, administradorweb, administrator, administrat\303\266r (escaped ö) etc
		'benutzer', # German user account
		'universitaetsrechenzentrum', # University Computing Center
		'utente', # Italian user
		# User/admin/other
		# Names
		# And some passwords that turned up as usernames

	# Filter rendered from the list above
	file { '/etc/fail2ban/filter.d/ibb-sshd-bad-user.conf':
		content => epp('fail2ban/ibb-sshd-bad-user.epp', { 'bad_users' => $bad_users }),
	# Because one of our rules checks fail2ban's log, but the service dies without the file
	# (presumably one of the ibb-repeat-offender filters -- verify).
	# Root-only 0600 keeps the ban history from being world-readable. This
	# resource is also picked up by the File collector above, so creating or
	# re-permissioning it restarts fail2ban.
	file { '/var/log/fail2ban.log':
		ensure => present,
		owner => 'root',
		group => 'root',
		mode => '0600',