Mercurial > repos > other > Puppet
view modules/fail2ban/manifests/init.pp @ 385:d9009f54eb23
Migrate to a fully-fledged SSH module
This handles lots of the server path differences for us
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Mon, 03 Jan 2022 17:05:54 +0000 |
parents | cd0e77678dca |
children | df5ad1612af7 |
line wrap: on
line source
class fail2ban ( $firewall_cmd, ) { package { 'fail2ban': ensure => installed, } service { 'fail2ban': ensure => running, enable => true } File<| tag == 'fail2ban' |> { ensure => present, require => Package['fail2ban'], notify => Service['fail2ban'], } file { '/etc/fail2ban/fail2ban.local': source => 'puppet:///modules/fail2ban/fail2ban.local', } file { '/etc/fail2ban/jail.local': source => 'puppet:///modules/fail2ban/jail.local', } file { '/etc/fail2ban/action.d/apf.conf': source => 'puppet:///modules/fail2ban/apf.conf', } if $firewall_cmd == 'iptables' { $firewall_ban_cmd = 'iptables-multiport' } else { $firewall_ban_cmd = $firewall_cmd } # Create an empty banlist file if it doesn't exist exec { 'httxt2dbm -i /dev/null -o /etc/httpd/conf.custom/apache_banlist.db': path => '/usr/bin', unless => 'test -f /etc/httpd/conf.custom/apache_banlist.db', before => Service['httpd'], } file { '/tmp/apache_banlist.txt': ensure => present, seltype => 'httpd_config_t', } # Create an empty repeat banlist file if it doesn't exist exec { 'httxt2dbm -i /dev/null -o /etc/httpd/conf.custom/apache_repeat_banlist.db': path => '/usr/bin', unless => 'test -f /etc/httpd/conf.custom/apache_repeat_banlist.db', before => Service['httpd'], } file { '/tmp/apache_repeat_banlist.txt': ensure => present, seltype => 'httpd_config_t', } # And let the httxt2dbm process work the rest of the time file { '/etc/selinux/apache-ip-banlist.pp': source => 'puppet:///modules/fail2ban/apache-ip-banlist.pp', } ~> exec { 'semodule -i /etc/selinux/apache-ip-banlist.pp': path => '/usr/sbin', refreshonly => true, } file { '/etc/fail2ban/action.d/firewall-ban.conf': ensure => link, target => "/etc/fail2ban/action.d/${firewall_ban_cmd}.conf", } file { '/etc/fail2ban/action.d/ibb-apache-ip-block.conf': source => 'puppet:///modules/fail2ban/ibb-apache-ip-block.conf', } file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf': source => 'puppet:///modules/fail2ban/ibb-apache-exploits-instaban.conf', } file { '/etc/fail2ban/filter.d/ibb-apache-shellshock.conf': source => 'puppet:///modules/fail2ban/ibb-apache-shellshock.conf', } file { '/etc/fail2ban/filter.d/ibb-repeat-offender.conf': source => 'puppet:///modules/fail2ban/ibb-repeat-offender.conf', } file { '/etc/fail2ban/filter.d/ibb-repeat-offender-ssh.conf': source => 'puppet:///modules/fail2ban/ibb-repeat-offender-ssh.conf', } file { '/etc/fail2ban/filter.d/ibb-postfix-spammers.conf': source => 'puppet:///modules/fail2ban/ibb-postfix-spammers.conf', } file { '/etc/fail2ban/filter.d/ibb-postfix-malicious.conf': source => 'puppet:///modules/fail2ban/ibb-postfix-malicious.conf', } file { '/etc/fail2ban/filter.d/ibb-postfix.conf': source => 'puppet:///modules/fail2ban/ibb-postfix.conf', } file { '/etc/fail2ban/filter.d/ibb-sshd.conf': source => 'puppet:///modules/fail2ban/ibb-sshd.conf', } $bad_users = [ '[^0-9a-zA-Z]+', '[0-9]+', '[0-9a-zA-Z]{1,3}', '([0-9a-z])\2{2,}', 'abused', 'Admin', 'admins?[0-9]*', 'administr[a-z]+', # administracion, administrador, administradorweb, administrator, etc 'admissions', 'altibase', 'alumni', 'amavisd?', 'amministratore', 'anwenderschnittstelle', 'anonymous', 'ansible', 'apache', 'aptproxy', 'apt-mirror', 'ark(server)?', 'asdfas', 'asterisk', 'audio', 'auser', 'autologin', 'avahi', 'avis', 'backlog', 'backup(s|er|pc|user)?', 'bash', 'batch', 'beagleindex', 'bf2', '.*bitbucket', 'bind', 'bitcoin', 'bitnami', 'bitrix', 'bkroot', 'blog', 'boinc', 'bot', 'botmaster', 'bugzilla', 'build', 'buscador', 'cacti(user)?', 'carrerasoft', 'catchall', 'celery', 'cemergen', 'centos', 'chef', 'cgi', 'chromeuser', 'cinema', 'cinstall', 'cisco', 'clamav', 'cliente?[0-9]*', 'CloudSigma', 'clouduser', 'com', 'comercial', 'control', 'couchdb', 'cpanel', 'cpanelrrdtool', 'create', 'cron', '(cs(s|go|cz)|arma|mc|tf2?|sdtd|web|pz)-?se?rve?r?', 'cs-?go1?', 'CumulusLinux!', 'cyrus[0-9]*', 'daemon', 'danger', 'darwin', 'dasuse?r[0-9]*', 'data(ba?se)?', 'db2inst[0-9]*', 'dbus', 'debian(-spamd)?', 'default', 'dell', 'demo', 'deploy(er)?[0-9]*', 'desktop', 'developer', 'devdata', 'devops', 'devteam', 'dietpi', 'discordbot', 'disklessadmin', 'display', 'django', 'dmarc', 'dpvirtual', 'dockeruser', 'dotblot', 'download', 'dovecot', 'dovenull', 'duplicity', 'easy', 'ec2-user', 'ecquser', 'edu(cation)?[0-9]*', 'e-shop', 'elastic', 'elsearch', 'engin(eer)?', 'esadmin', 'events', 'exploit', 'exports?', 'facebook', 'factorio', 'fax', 'fcweb', 'fetchmail', 'filter', 'firebird', 'firefox', 'ftp(admin)?', 'fuser', 'games', 'gdm', 'geniuz', 'getmail', 'ggc_user', 'ghost', 'git(olite?|blit|lab(_ci)?|admi?n?|use?r)?', 'glassfish', 'gmail', 'gmodserver', 'gnuhealth', 'gopher', 'government', 'grid', 'guest', 'hacker', 'hadoop', 'haldaemon', 'harvard', 'hduser', 'headmaster', 'helpdesk', 'hive', 'home', 'host', 'httpd?', 'httpfs', 'huawei', 'iamroot', 'iceuser', 'imscp', 'info(rmix)?[0-9]*', 'inst[0-9]+', 'installer', 'inventario', 'java', 'jboss', 'jenkins', 'jira', 'jmeter', 'jsboss', 'juniper', 'kafka', 'kodi', 'kms', 'legacy', 'library', 'libsys', 'libuuid', 'linode', 'linux', 'localadmin', 'logcheck', 'login', 'logout', 'logstash', 'logview(er)?', 'lsfadmin', 'lynx', 'magento', 'mail', 'mailer', 'mailman', 'mailtest', 'maintain', 'majordomo', 'man', 'mantis', 'mapruser', 'marketing', 'master', 'membership', 'merlin', 'messagebus', 'minecraft', 'mirc', 'modem', 'mongo(db|user)?', 'monitor(ing)?', 'more', 'moher', 'mpiuser', 'mqadm', 'musi[ck]bot', '(my?|pg)sq(ue)?l[0-9]*', 'mythtv', 'nagios', 'named', 'nasa', 'ncs', 'nessus', 'netadmin', 'netdiag', 'netdump', 'network', 'netzplatz', 'newadmin', 'newuser', 'nexus', 'nfinity', 'nfs', '(nfs)?nobody', 'nginx', 'noc', 'node', 'notes', 'nothing', 'NpC', 'nux', 'odoo', 'odroid', 'office', 'omsagent', 'onyxeye', 'oozie', 'openbravo', 'openfire', 'openvpn', 'operador', 'operator', 'ops(code)?', 'oprofile', 'ora(cle|prod|vis)[0-9]*', 'osmc', 'owncloud', 'papernet', 'passwo?r?d', 'payments', 'pay_?pal', 'pdfbox', 'pentaho', 'php[0-9]*', 'platform', 'play', 'PlcmSpIp(PlcmSpIp)?', 'plex', 'polkitd?', 'popd?3?', 'popuser', 'postfix', 'p0stgr3s', 'postgres', 'postmaster', 'pptpd', 'print', 'privoxy', 'proba', 'proxy', 'public', 'puppet', 'qhsupport', 'rabbit(mq)?', 'radiusd?', 'raspberry', 'readonly', 'reboot', 'recording', 'redis', 'redmine', 'remote', 'reports', 'riakcs', 'root[0-9]+', 'rpc(user)?', 'rpm', 'RPM', 'rtorrent', 'rustserver', 'sales[0-9]+', 's?bin', 'saslauth', 'scan(n?er)?', 'screen', 'search', 'sekretariat', 'server', 'serverpilot', 'service', 'setup', '(s|u|ams|admin|inss|pro|web)?ftp(d|[_-]?use?r|home|_?test|immo)?[0-9]*', 'sftponly', 'shell', 'shop', 'sinusbot[0-9]*', 'sirius', 'smbguest', 'smbuse?r', 'smmsp', 'socket', 'software', 'solr', 'solarus', 'spam', 'spark', 'speech-dispatcher', 'splunk', 'sprummlbot', 'squid', 'squirrelmail[0-9]+', 'srvadmin', 'sshd', 'sshusr', 'staffc', 'steam(cmd)?', 'store', 'stunnel', 'superuser', 'suporte', 'support', 'svn(root|admin)?', 'sybase', 'sync[0-9]*', 'sysadmin', 'system', 'teamspeak[234]?(-?use?r)?', 'telkom', 'telnetd?', 'te?mp(use?r)?[0-9]*', 'test((er?|ing|ftp|man|linux|use?r|u)[0-9]*|[0-9]+)?', '(test)?username', 'text', 'tomcat', 'tools', 'toor', 'ts[123](se?rv(er)?|(musi[ck])?bot|sleep|user)?', 'tss', 'tunstall', 'ubnt', 'unity', 'universitaetsrechenzentrum', # University Computing Center 'upload[0-9]*', 'user[0-9]*', 'USERID', 'username', 'usuario', 'uucp', 'vagrant', 'vbox', 'ventrilo', 'vhbackup', 'virusalter', 'vmadmin', 'vmail', 'vscan?', 'vtms', 'vyatta', 'wanadoo', 'web', 'webapp', 'weblogic', 'webmaster', 'webportal', 'websync', 'wiki', 'WinD3str0y', 'wine', 'wordpress', 'wp-?user', 'write', 'www', 'wwAdmin', '(www|web|coin|fax|sys|db2|rsync|tc)-?(adm(in)?|run|users?|data|[0-9]+)', 'xbian', 'xbot', 'xmpp', 'xoadmin', 'yahoo', 'yarn', 'zabbix', 'zimbra', 'zookeeper', # User/admin/other '(api|appl?|ats|cam|cat|db|imap|is|my|virtual|vpn)?(admin|dev|use?r|server|man|manager|mgr)[0-9]*', '(abc|account|git|info|redhat|samba|sshd|student|tomcat|ubuntu|web)[0-9]*', # Names '(aaron|david|james|tom|victor)[0-9]*', # And some passwords that turned up as usernames '1q2w3e4r', 'abc123', 'letmein', '0fordn1on@#\$%%\^&', 'P@\$\$w0rd', 'P@ssword1!', 'Pa\$\$word_', 'Passwd123(\$%%\^)', 'password', 'pass123?4?', 'qwer?[0-9]+', ] file { '/etc/fail2ban/filter.d/ibb-sshd-bad-user.conf': content => epp('fail2ban/ibb-sshd-bad-user.epp', { 'bad_users' => $bad_users }), } # Because one of our rules checks fail2ban's log, but the service dies without the file file { '/var/log/fail2ban.log': ensure => present, owner => 'root', group => 'root', mode => '0600', } }