Mercurial > repos > other > Puppet
view common/fail2ban/ibb-sshd-bad-user.conf @ 291:d2ae0b786b49
Blacklist LOADS more usernames on SSH probes
| author | IBBoard <dev@ibboard.co.uk> |
|---|---|
| date | Sat, 18 Jan 2020 14:40:05 +0000 |
| parents | 670e933bbd63 |
| children |
line wrap: on
line source
# Fail2Ban configuration file # Author: IBBoard [Definition] # Option: failregex # Notes.: regex to match the password failures messages in the logfile. The # host must be matched by a group named "host". The tag "<HOST>" can # be used for standard IP/hostname matching and is only an alias for # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+) # Values: TEXT # failregex = Failed password for invalid user ([0-9]+|[0-9a-z][0-9a-z]?|([0-9a-z])\2{2,}|abc123|abused|adm|Admin|admin[0-9]+|administrateur|administracion|altibase|alumni|amavisd?|anwenderschnittstelle|anonymous|ansible|aptproxy|arkserver|asterisk|auser|avahi|avis|backlog|backup(s|er|pc|user)?|bf2|bitnami|bitrix|boinc|botmaster|build|buscador|cacti(user)?|catchall|cemergen|chef|cinema|clamav|cliente?[0-9]*|clouduser|com|comercial|control|couchdb|cpanel|create|cron|(cs(s|go|cz)|arma|mc|tf2?|sdtd|web|pz)se?rve?r?|cyrus[0-9]*|daemon|danger|debian(-spamd)?|default|dell|deploy(er)?|desktop|developer|devops|devteam|dietpi|django|dotblot|download|dovecot|easy|ec2-user|edu(cation)?[0-9]*|e-shop|engin(eer)?|esadmin|events|exports?|facebook|factorio|fax|filter|firebird|fuser|games|gdm|geniuz|ggc_user|ghost|git(olite?|blit|lab(_ci)?)?|gmail|gopher|guest|hacker|hadoop|harvard|helpdesk|home|host|httpd?|huawei|iceuser|imscp|info(rmix)?|java|jboss|jenkins|jira|jsboss|kafka|kodi|library|libsys|libuuid|linode|linux|login|logout|lynx|mailer|mailman|maintain|majordomo|man|mantis|marketing|master|membership|minecraft|modem|mongo(db|user)?|monitor|more|moher|mpiuser|musi[ck]bot|(my?|pg)sq(ue)?l|mythtv|nagios|nasa|netdump|netzplatz|newadmin|nexus|nfs|(nfs)?nobody|nginx|noc|nothing|NpC|nux|odoo|odroid|onyxeye|openbravo|openvpn|operador|operator|ops(code)?|oprofile|ora(cle|prod)|osmc|papernet|password|payments|pay_?pal|pentaho|PlcmSpIp(PlcmSpIp)?|popuser|postfix|postgres|postmaster|print|privoxy|proba|proxy|puppet|qhsupport|rabbit(mq)?|radiusd?|redis|redmine|riakcs|root[0-9]+|rpc(user)?|RPM|rtorrent|rustserver|sales[0-9]+|s?bin|(samba|sshd|git|student|tomcat|abc|web|info|(vpn|appl?|my|b)?(use?r|server|manager|mgr)|account)[0-9]*|saslauth|scaner|screen|search|setup|service|(s|u|ams|admin|inss|pro)?ftp(d|_?user|home|_?test)?[0-9]*|sftponly|shell|shop|sinusbot|smmsp|socket|software|solarus|splunk|squid|squirrelmail|sshusr|staffc|steam(cmd)?|store|superuser|support|svnroot|sysadmin|system|teamspeak3?|telkom|temp|test((ing|ftp|man|use?r|u)[0-9]*|[0-9]+)?|(test)?username|text|tomcat|tools|toor|ts[23](se?rv(er)?|(musi[ck])?bot)?|tunstall|ubnt|ubuntu|upload|unity|USERID|user[0-9]*|usuario|uucp|vagrant|vbox|ventrilo|vhbackup|virusalter|vmadmin|vmail|vyatta|wanadoo|weblogic|webmaster|WinD3str0y|wine|wp-?user|write|www|(www|web|coin|fax|sys|db2|rsync|tc)-?(adm(in)?|run|user|data)|xbian|xbot|xoadmin|yahoo|yarn|zabbix|zimbra|zookeeper|0fordn1on@#\$%%\^&|P@\$\$w0rd|pass123?4?)? from <HOST> port [0-9]+ ssh2 # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. # Values: TEXT # ignoreregex =