# HG changeset patch # User IBBoard # Date 1517949769 0 # Node ID 103a3630e9b26f58c8c0a4326ad8998b6eb4466f # Parent c1854fae7af16bcf0ac2abb46457f018c7ebf214 Tighten up some Fail2Ban rules (including SSH probes with only insecure keys) diff -r c1854fae7af1 -r 103a3630e9b2 common/fail2ban/ibb-postfix-spammers.conf --- a/common/fail2ban/ibb-postfix-spammers.conf Sun Sep 17 09:54:44 2017 +0100 +++ b/common/fail2ban/ibb-postfix-spammers.conf Tue Feb 06 20:42:49 2018 +0000 @@ -14,7 +14,8 @@ # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # -failregex = reject: RCPT from (.*)\[\]: 55[0-9] .* blocked using .* +failregex = reject: RCPT from (.*)\[\]: 55[0-9] .* (blocked using|DO NOT SCRAPE EMAIL ADDRESSES!) .* + reject: RCPT from ([^\[]*)\[\]: 454 [^:]+: Relay access denied; from=<[^@]+@ibboard.co.uk> # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff -r c1854fae7af1 -r 103a3630e9b2 common/fail2ban/ibb-postfix.conf --- a/common/fail2ban/ibb-postfix.conf Sun Sep 17 09:54:44 2017 +0100 +++ b/common/fail2ban/ibb-postfix.conf Tue Feb 06 20:42:49 2018 +0000 @@ -15,7 +15,8 @@ # Values: TEXT # failregex = reject: RCPT from (.*)\[\]: 554 - reject: RCTP from (.*)\[\]: 550 .* Recipient address rejected: Please see http://www.openspf.org/ + reject: RCTP from ([^\[]*)\[\]: 550 .* Recipient address rejected: Please see http://www.openspf.org/ + reject: RCTP from ([^\[]*)\[\]: 454 [^:]+: Relay access denied; # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored. diff -r c1854fae7af1 -r 103a3630e9b2 common/fail2ban/ibb-sshd.conf --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/common/fail2ban/ibb-sshd.conf Tue Feb 06 20:42:49 2018 +0000 
@@ -0,0 +1,19 @@ +# Fail2Ban configuration file +# Author: IBBoard + +[Definition] + +# Option: failregex +# Notes.: regex to match the password failures messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P[\w\-.^_]+) +# Values: TEXT +# +failregex = Unable to negotiate with port [0-9]+: no matching host key type found. Their offer: ssh-rsa,ssh-dss \[preauth\] + +# Option: ignoreregex +# Notes.: regex to ignore. If this regex matches, the line is ignored. +# Values: TEXT +# +ignoreregex = diff -r c1854fae7af1 -r 103a3630e9b2 common/fail2ban/jail.local --- a/common/fail2ban/jail.local Sun Sep 17 09:54:44 2017 +0100 +++ b/common/fail2ban/jail.local Tue Feb 06 20:42:49 2018 +0000 @@ -6,11 +6,20 @@ [ssh-firewall-ban] enabled = true filter = sshd -action = firewall-ban[name=SSH,chain=Fail2Ban,port=22] +action = firewall-ban[name=SSH,chain=Fail2Ban,port=222] logpath = /var/log/secure maxretry = 5 bantime = 604800 +[ssh-key-ban] +enabled = true +filter = ibb-sshd +action = firewall-ban[name=SSH,chain=Fail2Ban,port=222] +logpath = /var/log/secure +maxretry = 5 +bantime = 604800 + + [apache-badbots] enabled = true filter = apache-badbots @@ -41,7 +50,7 @@ enabled = true maxretry = 2 filter = ibb-repeat-offender -action = firewall-ban[name=RepeatOffenders,chain=Fail2Ban,port="80,443,25,465"] +action = firewall-ban[name=RepeatOffenders,chain=Fail2Ban,port="80,443,25,465,222"] logpath = /var/log/fail2ban.log findtime = 2592000 bantime = 2592000 diff -r c1854fae7af1 -r 103a3630e9b2 manifests/templates.pp --- a/manifests/templates.pp Sun Sep 17 09:54:44 2017 +0100 +++ b/manifests/templates.pp Tue Feb 06 20:42:49 2018 +0000 
@@ -373,6 +373,9 @@ file { '/etc/fail2ban/filter.d/ibb-postfix.conf': source => 'puppet:///common/fail2ban/ibb-postfix.conf', } + file { '/etc/fail2ban/filter.d/ibb-sshd.conf': + source => 'puppet:///common/fail2ban/ibb-sshd.conf', + } # Because one of our rules checks fail2ban's log, but the service dies without the file file { '/var/log/fail2ban.log': ensure => present,
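Review bot: in the new failregex alternation in ibb-postfix-spammers.conf, `(blocked using|DO NOT SCRAPE EMAIL ADDRESSES!) .*` still requires a literal space immediately after the closing parenthesis. That is fine for `blocked using <list>`, but if the custom reject text ends at the `!` and Postfix continues the line with `; from=<...> to=<...>`, the `DO NOT SCRAPE` branch can never match. Drop the space (`(blocked using|DO NOT SCRAPE EMAIL ADDRESSES!).*`) or end the pattern at the alternation. In the same hunk the first line keeps the greedy `(.*)\[\]` while the new 454 line uses `([^\[]*)`; make the first consistent with the second so the leading group cannot swallow an earlier `[` on long lines. The unescaped dots in `@ibboard.co.uk` match any character; `@ibboard\.co\.uk` keeps the check literal.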
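Review bot: both the modified 550 line and the new 454 line in ibb-postfix.conf read `reject: RCTP from`, but Postfix logs `reject: RCPT from`, as the untouched 554 line directly above them does. The typo predates this change, but the hunk edits that line and copies it into a new one, so neither the SPF rejection nor the relay-denial pattern can ever match and those events never count toward a ban. Change both to `RCPT`. Two smaller points: the dots in `http://www.openspf.org/` are unescaped (`openspf\.org`), and the new 454 pattern here overlaps the domain-specific 454 pattern added to ibb-postfix-spammers.conf, so a denied relay attempt with a forged @ibboard.co.uk sender is matched by both filters and counted by whichever jails use them.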
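Review bot: the failregex in the new ibb-sshd.conf only matches the exact offer `ssh-rsa,ssh-dss`, so a scanner offering just `ssh-rsa` (or any other list) produces the same `no matching host key type found` line and is not counted; if the intent is to ban anyone who cannot agree on a host key algorithm, match `Their offer: .*` and let sshd's HostKeyAlgorithms decide what is acceptable. Conversely, this line is also logged for legitimate but outdated clients that simply do not understand the host key types the server advertises, so maxretry 5 with a week-long ban will lock out anyone retrying from an old client; consider a shorter bantime for this jail than for the password-guessing one. The copied header comment still says "regex to match the password failures messages" although this filter matches key-exchange failures, and `found.` should be `found\.` since it is a literal.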
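Review bot: the new [ssh-key-ban] jail in jail.local reuses `name=SSH` in its firewall-ban action, the same name the existing [ssh-firewall-ban] jail uses. If firewall-ban derives its chain or set from `name` the way the stock fail2ban iptables actions do, both jails will create and flush the same chain and stopping either jail tears down the other's bans; give the new jail its own name (for example `name=SSHKey`). The change of the existing jail's port from 22 to 222 is not mentioned in the commit message and silently assumes sshd is already listening on 222 (the repeat-offender port list later in the hunk is updated to match, which is good). Finally, two blank lines are left before [apache-badbots] where the surrounding context uses one.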
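Review bot: the new file resource for /etc/fail2ban/filter.d/ibb-sshd.conf in templates.pp has no `notify` (nor does the ibb-postfix.conf resource above it), so Puppet will drop the filter and the updated jail.local into place without restarting fail2ban, and the [ssh-key-ban] jail will not start until someone restarts the service by hand. If the manifest declares a fail2ban service resource, add `notify => Service['fail2ban']` (resource name assumed) to these file resources, or at least to the jail.local resource, so the new jail takes effect on the next Puppet run.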