view modules/fail2ban/manifests/init.pp @ 385:d9009f54eb23

Migrate to a fully-fledged SSH module This handles lots of the server path differences for us
author IBBoard <dev@ibboard.co.uk>
date Mon, 03 Jan 2022 17:05:54 +0000
parents cd0e77678dca
children df5ad1612af7
line wrap: on
line source

class fail2ban (
	$firewall_cmd,
	) {
	package { 'fail2ban':
		ensure => installed,
	}
	service { 'fail2ban':
		ensure => running,
		enable => true
	}
	File<| tag == 'fail2ban' |> {
		ensure => present,
		require => Package['fail2ban'],
		notify => Service['fail2ban'],
	}
	file { '/etc/fail2ban/fail2ban.local':
		source => 'puppet:///modules/fail2ban/fail2ban.local',
	}
	file { '/etc/fail2ban/jail.local':
		source => 'puppet:///modules/fail2ban/jail.local',
	}
	file { '/etc/fail2ban/action.d/apf.conf':
		source => 'puppet:///modules/fail2ban/apf.conf',
	}

	if $firewall_cmd == 'iptables' {
		$firewall_ban_cmd = 'iptables-multiport'
	} else {
		$firewall_ban_cmd = $firewall_cmd
	}
	# Create an empty banlist file if it doesn't exist
	exec { 'httxt2dbm -i /dev/null -o /etc/httpd/conf.custom/apache_banlist.db':
		path => '/usr/bin',
		unless => 'test -f /etc/httpd/conf.custom/apache_banlist.db',
		before => Service['httpd'],
	}
	file { '/tmp/apache_banlist.txt':
		ensure => present,
		seltype => 'httpd_config_t',
	}
	# Create an empty repeat banlist file if it doesn't exist
	exec { 'httxt2dbm -i /dev/null -o /etc/httpd/conf.custom/apache_repeat_banlist.db':
		path => '/usr/bin',
		unless => 'test -f /etc/httpd/conf.custom/apache_repeat_banlist.db',
		before => Service['httpd'],
	}
	file { '/tmp/apache_repeat_banlist.txt':
		ensure => present,
		seltype => 'httpd_config_t',
	}
	# And let the httxt2dbm process work the rest of the time
	file { '/etc/selinux/apache-ip-banlist.pp':
		source => 'puppet:///modules/fail2ban/apache-ip-banlist.pp',
	} ~>
	exec { 'semodule -i /etc/selinux/apache-ip-banlist.pp':
		path => '/usr/sbin',
		refreshonly => true,
	}
	file { '/etc/fail2ban/action.d/firewall-ban.conf':
		ensure => link,
		target => "/etc/fail2ban/action.d/${firewall_ban_cmd}.conf",
	}
	file { '/etc/fail2ban/action.d/ibb-apache-ip-block.conf':
		source => 'puppet:///modules/fail2ban/ibb-apache-ip-block.conf',
	}
	file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf':
		source => 'puppet:///modules/fail2ban/ibb-apache-exploits-instaban.conf',
	}
	file { '/etc/fail2ban/filter.d/ibb-apache-shellshock.conf':
		source => 'puppet:///modules/fail2ban/ibb-apache-shellshock.conf',
	}
	file { '/etc/fail2ban/filter.d/ibb-repeat-offender.conf':
		source => 'puppet:///modules/fail2ban/ibb-repeat-offender.conf',
	}
	file { '/etc/fail2ban/filter.d/ibb-repeat-offender-ssh.conf':
		source => 'puppet:///modules/fail2ban/ibb-repeat-offender-ssh.conf',
	}
	file { '/etc/fail2ban/filter.d/ibb-postfix-spammers.conf':
		source => 'puppet:///modules/fail2ban/ibb-postfix-spammers.conf',
	}
	file { '/etc/fail2ban/filter.d/ibb-postfix-malicious.conf':
		source => 'puppet:///modules/fail2ban/ibb-postfix-malicious.conf',
	}
	file { '/etc/fail2ban/filter.d/ibb-postfix.conf':
		source => 'puppet:///modules/fail2ban/ibb-postfix.conf',
	}
	file { '/etc/fail2ban/filter.d/ibb-sshd.conf':
		source => 'puppet:///modules/fail2ban/ibb-sshd.conf',
	}

	$bad_users = [
		'[^0-9a-zA-Z]+',
		'[0-9]+',
		'[0-9a-zA-Z]{1,3}',
		'([0-9a-z])\2{2,}',
		'abused',
		'Admin',
		'admins?[0-9]*',
		'administr[a-z]+', # administracion, administrador, administradorweb, administrator, etc
		'admissions',
		'altibase',
		'alumni',
		'amavisd?',
		'amministratore',
		'anwenderschnittstelle',
		'anonymous',
		'ansible',
		'apache',
		'aptproxy',
		'apt-mirror',
		'ark(server)?',
		'asdfas',
		'asterisk',
		'audio',
		'auser',
		'autologin',
		'avahi',
		'avis',
		'backlog',
		'backup(s|er|pc|user)?',
		'bash',
		'batch',
		'beagleindex',
		'bf2',
		'.*bitbucket',
		'bind',
		'bitcoin',
		'bitnami',
		'bitrix',
		'bkroot',
		'blog',
		'boinc',
		'bot',
		'botmaster',
		'bugzilla',
		'build',
		'buscador',
		'cacti(user)?',
		'carrerasoft',
		'catchall',
		'celery',
		'cemergen',
		'centos',
		'chef',
		'cgi',
		'chromeuser',
		'cinema',
		'cinstall',
		'cisco',
		'clamav',
		'cliente?[0-9]*',
		'CloudSigma',
		'clouduser',
		'com',
		'comercial',
		'control',
		'couchdb',
		'cpanel',
		'cpanelrrdtool',
		'create',
		'cron',
		'(cs(s|go|cz)|arma|mc|tf2?|sdtd|web|pz)-?se?rve?r?',
		'cs-?go1?',
		'CumulusLinux!',
		'cyrus[0-9]*',
		'daemon',
		'danger',
		'darwin',
		'dasuse?r[0-9]*',
		'data(ba?se)?',
		'db2inst[0-9]*',
		'dbus',
		'debian(-spamd)?',
		'default',
		'dell',
		'demo',
		'deploy(er)?[0-9]*',
		'desktop',
		'developer',
		'devdata',
		'devops',
		'devteam',
		'dietpi',
		'discordbot',
		'disklessadmin',
		'display',
		'django',
		'dmarc',
		'dpvirtual',
		'dockeruser',
		'dotblot',
		'download',
		'dovecot',
		'dovenull',
		'duplicity',
		'easy',
		'ec2-user',
		'ecquser',
		'edu(cation)?[0-9]*',
		'e-shop',
		'elastic',
		'elsearch',
		'engin(eer)?',
		'esadmin',
		'events',
		'exploit',
		'exports?',
		'facebook',
		'factorio',
		'fax',
		'fcweb',
		'fetchmail',
		'filter',
		'firebird',
		'firefox',
		'ftp(admin)?',
		'fuser',
		'games',
		'gdm',
		'geniuz',
		'getmail',
		'ggc_user',
		'ghost',
		'git(olite?|blit|lab(_ci)?|admi?n?|use?r)?',
		'glassfish',
		'gmail',
		'gmodserver',
		'gnuhealth',
		'gopher',
		'government',
		'grid',
		'guest',
		'hacker',
		'hadoop',
		'haldaemon',
		'harvard',
		'hduser',
		'headmaster',
		'helpdesk',
		'hive',
		'home',
		'host',
		'httpd?',
		'httpfs',
		'huawei',
		'iamroot',
		'iceuser',
		'imscp',
		'info(rmix)?[0-9]*',
		'inst[0-9]+',
		'installer',
		'inventario',
		'java',
		'jboss',
		'jenkins',
		'jira',
		'jmeter',
		'jsboss',
		'juniper',
		'kafka',
		'kodi',
		'kms',
		'legacy',
		'library',
		'libsys',
		'libuuid',
		'linode',
		'linux',
		'localadmin',
		'logcheck',
		'login',
		'logout',
		'logstash',
		'logview(er)?',
		'lsfadmin',
		'lynx',
		'magento',
		'mail',
		'mailer',
		'mailman',
		'mailtest',
		'maintain',
		'majordomo',
		'man',
		'mantis',
		'mapruser',
		'marketing',
		'master',
		'membership',
		'merlin',
		'messagebus',
		'minecraft',
		'mirc',
		'modem',
		'mongo(db|user)?',
		'monitor(ing)?',
		'more',
		'moher',
		'mpiuser',
		'mqadm',
		'musi[ck]bot',
		'(my?|pg)sq(ue)?l[0-9]*',
		'mythtv',
		'nagios',
		'named',
		'nasa',
		'ncs',
		'nessus',
		'netadmin',
		'netdiag',
		'netdump',
		'network',
		'netzplatz',
		'newadmin',
		'newuser',
		'nexus',
		'nfinity',
		'nfs',
		'(nfs)?nobody',
		'nginx',
		'noc',
		'node',
		'notes',
		'nothing',
		'NpC',
		'nux',
		'odoo',
		'odroid',
		'office',
		'omsagent',
		'onyxeye',
		'oozie',
		'openbravo',
		'openfire',
		'openvpn',
		'operador',
		'operator',
		'ops(code)?',
		'oprofile',
		'ora(cle|prod|vis)[0-9]*',
		'osmc',
		'owncloud',
		'papernet',
		'passwo?r?d',
		'payments',
		'pay_?pal',
		'pdfbox',
		'pentaho',
		'php[0-9]*',
		'platform',
		'play',
		'PlcmSpIp(PlcmSpIp)?',
		'plex',
		'polkitd?',
		'popd?3?',
		'popuser',
		'postfix',
		'p0stgr3s',
		'postgres',
		'postmaster',
		'pptpd',
		'print',
		'privoxy',
		'proba',
		'proxy',
		'public',
		'puppet',
		'qhsupport',
		'rabbit(mq)?',
		'radiusd?',
		'raspberry',
		'readonly',
		'reboot',
		'recording',
		'redis',
		'redmine',
		'remote',
		'reports',
		'riakcs',
		'root[0-9]+',
		'rpc(user)?',
		'rpm',
		'RPM',
		'rtorrent',
		'rustserver',
		'sales[0-9]+',
		's?bin',
		'saslauth',
		'scan(n?er)?',
		'screen',
		'search',
		'sekretariat',
		'server',
		'serverpilot',
		'service',
		'setup',
		'(s|u|ams|admin|inss|pro|web)?ftp(d|[_-]?use?r|home|_?test|immo)?[0-9]*',
		'sftponly',
		'shell',
		'shop',
		'sinusbot[0-9]*',
		'sirius',
		'smbguest',
		'smbuse?r',
		'smmsp',
		'socket',
		'software',
		'solr',
		'solarus',
		'spam',
		'spark',
		'speech-dispatcher',
		'splunk',
		'sprummlbot',
		'squid',
		'squirrelmail[0-9]+',
		'srvadmin',
		'sshd',
		'sshusr',
		'staffc',
		'steam(cmd)?',
		'store',
		'stunnel',
		'superuser',
		'suporte',
		'support',
		'svn(root|admin)?',
		'sybase',
		'sync[0-9]*',
		'sysadmin',
		'system',
		'teamspeak[234]?(-?use?r)?',
		'telkom',
		'telnetd?',
		'te?mp(use?r)?[0-9]*',
		'test((er?|ing|ftp|man|linux|use?r|u)[0-9]*|[0-9]+)?',
		'(test)?username',
		'text',
		'tomcat',
		'tools',
		'toor',
		'ts[123](se?rv(er)?|(musi[ck])?bot|sleep|user)?',
		'tss',
		'tunstall',
		'ubnt',
		'unity',
		'universitaetsrechenzentrum', # University Computing Center
		'upload[0-9]*',
		'user[0-9]*',
		'USERID',
		'username',
		'usuario',
		'uucp',
		'vagrant',
		'vbox',
		'ventrilo',
		'vhbackup',
		'virusalter',
		'vmadmin',
		'vmail',
		'vscan?',
		'vtms',
		'vyatta',
		'wanadoo',
		'web',
		'webapp',
		'weblogic',
		'webmaster',
		'webportal',
		'websync',
		'wiki',
		'WinD3str0y',
		'wine',
		'wordpress',
		'wp-?user',
		'write',
		'www',
		'wwAdmin',
		'(www|web|coin|fax|sys|db2|rsync|tc)-?(adm(in)?|run|users?|data|[0-9]+)',
		'xbian',
		'xbot',
		'xmpp',
		'xoadmin',
		'yahoo',
		'yarn',
		'zabbix',
		'zimbra',
		'zookeeper',
		# User/admin/other
		'(api|appl?|ats|cam|cat|db|imap|is|my|virtual|vpn)?(admin|dev|use?r|server|man|manager|mgr)[0-9]*',
		'(abc|account|git|info|redhat|samba|sshd|student|tomcat|ubuntu|web)[0-9]*',
		# Names
		'(aaron|david|james|tom|victor)[0-9]*',
		# And some passwords that turned up as usernames
		'1q2w3e4r',
		'abc123',
		'letmein',
		'0fordn1on@#\$%%\^&',
		'P@\$\$w0rd',
		'P@ssword1!',
		'Pa\$\$word_',
		'Passwd123(\$%%\^)',
		'password',
		'pass123?4?',
		'qwer?[0-9]+',
	]

	file { '/etc/fail2ban/filter.d/ibb-sshd-bad-user.conf':
		content => epp('fail2ban/ibb-sshd-bad-user.epp', { 'bad_users' => $bad_users }),
	}
	# Because one of our rules checks fail2ban's log, but the service dies without the file
	file { '/var/log/fail2ban.log':
		ensure => present,
		owner => 'root',
		group => 'root',
		mode => '0600',
	}
}