# HG changeset patch
# User IBBoard
# Date 1579360623 0
# Node ID 3e04f35dd0af727ec25841a3aa7937b67d843d5b
# Parent d2ae0b786b49d533349a34467017b612d3310191
Turn Fail2ban setup into a module
We now:
* Don't have a large class outside a module
* Build "bad SSH users" config from a list (easier to understand/see diffs in than a long line)
* Use modern EPP files
diff -r d2ae0b786b49 -r 3e04f35dd0af common/fail2ban/apf.conf
--- a/common/fail2ban/apf.conf Sat Jan 18 14:40:05 2020 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,6 +0,0 @@
-[Definition]
-actionstart =
-actionstop =
-actioncheck =
-actionban = /etc/apf/apf --deny Fail2Ban-
-actionunban = /etc/apf/apf --remove
diff -r d2ae0b786b49 -r 3e04f35dd0af common/fail2ban/fail2ban.local
--- a/common/fail2ban/fail2ban.local Sat Jan 18 14:40:05 2020 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,3 +0,0 @@
-[Definition]
-loglevel = NOTICE
-logtarget = /var/log/fail2ban.log
diff -r d2ae0b786b49 -r 3e04f35dd0af common/fail2ban/ibb-apache-exploits-instaban.conf
--- a/common/fail2ban/ibb-apache-exploits-instaban.conf Sat Jan 18 14:40:05 2020 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,51 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: IBBoard
-
-[Definition]
-
-# Option: failregex
-# Notes.: regex to match the password failure messages in the logfile. The
-# host must be matched by a group named "host". The tag "" can
-# be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P[\w\-.^_]+)
-# Values: TEXT
-#
-failregex = ^ .*"(?:GET|HEAD|POST) .*/proc/self/environ.*"
- ^ .*"(?:GET|HEAD|POST) /w00tw00t\.at\..+\:\).*"
- ^ .*"(?:GET|HEAD|POST) .*\?module=http(?:s)?:.*
- ^ .*"(?:GET|HEAD|POST) .*\?write.phpdir=http(?:s)?:.*
- ^ .*"(?:GET|HEAD|POST) .*\?src=http(?:s)?:.*
- ^ .*"(?:GET|HEAD|POST) .*ivrrecording.php.*"
- ^ .*"(?:GET|HEAD|POST) .*\?php=info&ip=uname.*"
- ^ .*"(?:GET|HEAD|POST) .*\?input_file=http(?:s)?://.*
- ^ .*"(?:GET|HEAD|POST) .*\?dir=http(?:s)?://.*
- ^ .*"(?:GET|HEAD|POST) .*\?f=http(?:s)?://.*
- ^ .*"(?:GET|HEAD|POST) .*([\+-]{5,})Result.*"
- ^ .*"(?:GET|HEAD|POST) .*onmousedown=%%22
- ^ .*"(?:GET|HEAD|POST) .*/bin/msgimport.*"
- ^ .* " " [2-5]
- ^ .*"(?:GET|HEAD|POST) .*//filemanager/.*"
- ^ .*"(?:GET|HEAD|POST) .*//php[Mm]y[Aa]dmin.*"
- ^ .*"(?:GET|HEAD|POST) .*///wp-content/themes/.*"
- ^ .*"(?:GET|HEAD|POST) .*\?[^"]+union(?:%%20|\+)select.*
- ^ .*"(?:GET|HEAD|POST) .*\?[[^"]+\+(?:and|or)\+(?:1|%%2[27][xy]%%2[27])%%3D(?:1|%%2[27][xy]%%2[27]).*
- ^ .*"(?:GET|HEAD|POST) .*\?[^"]+\?\?\?
- ^ .*"(?:GET|HEAD|POST) .*%%5BPLM=.*
- ^ .*"(?:GET|HEAD|POST) /config/[^\.]+\.php\?[^"]+&sid=[a-z0-9]+
- ^ .*\?.*(?:\.\./|%%2E%%2E%%2F){3,}.*%%00
- ^ .*"\\x16\\x03\\x01"
- ^ .*"PROPFIND /[^%%/"]%%24
- ^ .*"(?:GET|HEAD|POST) /manager/status [^"]*" 404
- ^ .*"(?:GET|HEAD|POST) [^"]*allow_url_include%%3d1.*
- ^ .*"(?:GET|HEAD|POST) .*php://.*
- ^ .*"CONNECT
- ^ .*"POST "
- ^ .*"(?:GET|POST) /[^"]+\.php.*174\.123\.231\.2(?:29|30)
- ^ .*"(?:GET|HEAD|POST)[^"]+" 402
-
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
-ignoreregex =
diff -r d2ae0b786b49 -r 3e04f35dd0af common/fail2ban/ibb-apache-shellshock.conf
--- a/common/fail2ban/ibb-apache-shellshock.conf Sat Jan 18 14:40:05 2020 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,17 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: IBBoard
-
-[Definition]
-
-# Option: failregex
-# Notes.: regex to match Shellshock attempts against Apache
-# Values: TEXT
-#
-failregex = .*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+
-
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
-ignoreregex =
diff -r d2ae0b786b49 -r 3e04f35dd0af common/fail2ban/ibb-postfix-malicious.conf
--- a/common/fail2ban/ibb-postfix-malicious.conf Sat Jan 18 14:40:05 2020 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,23 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-#
-# $Revision: 728 $
-#
-
-[Definition]
-
-# Option: failregex
-# Notes.: regex to match the password failures messages in the logfile. The
-# host must be matched by a group named "host". The tag "" can
-# be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P[\w\-.^_]+)
-# Values: TEXT
-#
-failregex = warning: non-SMTP command from (.*)\[\].*GET
-
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
-ignoreregex =
diff -r d2ae0b786b49 -r 3e04f35dd0af common/fail2ban/ibb-postfix-spammers.conf
--- a/common/fail2ban/ibb-postfix-spammers.conf Sat Jan 18 14:40:05 2020 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,24 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-#
-# $Revision: 728 $
-#
-
-[Definition]
-
-# Option: failregex
-# Notes.: regex to match the password failures messages in the logfile. The
-# host must be matched by a group named "host". The tag "" can
-# be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P[\w\-.^_]+)
-# Values: TEXT
-#
-failregex = reject: RCPT from (.*)\[\]: 55[0-9] .* (blocked using|DO NOT SCRAPE EMAIL ADDRESSES!) .*
- reject: RCPT from ([^\[]*)\[\]: 454 [^:]+: Relay access denied; from=<[^@]+@ibboard.co.uk>
-
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
-ignoreregex =
diff -r d2ae0b786b49 -r 3e04f35dd0af common/fail2ban/ibb-postfix.conf
--- a/common/fail2ban/ibb-postfix.conf Sat Jan 18 14:40:05 2020 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,25 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-#
-# $Revision: 728 $
-#
-
-[Definition]
-
-# Option: failregex
-# Notes.: regex to match the password failures messages in the logfile. The
-# host must be matched by a group named "host". The tag "" can
-# be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P[\w\-.^_]+)
-# Values: TEXT
-#
-failregex = reject: RCPT from (.*)\[\]: 554
- reject: RCTP from ([^\[]*)\[\]: 550 .* Recipient address rejected: Please see http://www.openspf.org/
- reject: RCTP from ([^\[]*)\[\]: 454 [^:]+: Relay access denied;
-
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
-ignoreregex =
diff -r d2ae0b786b49 -r 3e04f35dd0af common/fail2ban/ibb-repeat-offender-ssh.conf
--- a/common/fail2ban/ibb-repeat-offender-ssh.conf Sat Jan 18 14:40:05 2020 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,23 +0,0 @@
-# IBB-Repeat-Offender-SSH configuration file
-#
-# Author: Tom Hendrikx, minor modifications by Amir Caspi
-# See http://whyscream.net/wiki/index.php/Fail2ban_monitoring_Fail2ban
-# Renamed and adjusted by IBBoard for consistency
-#
-
-[Definition]
-
-# Option: failregex
-# Notes.: regex to match the password failures messages in the logfile. The
-# host must be matched by a group named "host". The tag "" can
-# be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P[\w\-.^_]+)
-# Values: TEXT
-#
-failregex = NOTICE\s+\[ssh-[^\]]+\]\s+Ban\s+
-
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
-#ignoreregex =
diff -r d2ae0b786b49 -r 3e04f35dd0af common/fail2ban/ibb-repeat-offender.conf
--- a/common/fail2ban/ibb-repeat-offender.conf Sat Jan 18 14:40:05 2020 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,23 +0,0 @@
-# IBB-Repeat-Offender configuration file
-#
-# Author: Tom Hendrikx, minor modifications by Amir Caspi
-# See http://whyscream.net/wiki/index.php/Fail2ban_monitoring_Fail2ban
-# Renamed and adjusted by IBBoard for consistency
-#
-
-[Definition]
-
-# Option: failregex
-# Notes.: regex to match the password failures messages in the logfile. The
-# host must be matched by a group named "host". The tag "" can
-# be used for standard IP/hostname matching and is only an alias for
-# (?:::f{4,6}:)?(?P[\w\-.^_]+)
-# Values: TEXT
-#
-failregex = NOTICE\s+\[(?:.*)\]\s+Ban\s+
-
-# Option: ignoreregex
-# Notes.: regex to ignore. If this regex matches, the line is ignored.
-# Values: TEXT
-#
-ignoreregex = fail2ban.actions:\s+NOTICE\s+\[(ibb-repeat-offender|ssh-)[^\]]+\]\s+Ban\s+
diff -r d2ae0b786b49 -r 3e04f35dd0af common/fail2ban/ibb-sshd-bad-user.conf
--- a/common/fail2ban/ibb-sshd-bad-user.conf Sat Jan 18 14:40:05 2020 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,19 +0,0 @@ -# Fail2Ban configuration file -# Author: IBBoard - -[Definition] - -# Option: failregex -# Notes.: regex to match the password failures messages in the logfile. The -# host must be matched by a group named "host". The tag "" can -# be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P[\w\-.^_]+) -# Values: TEXT -# -failregex = Failed password for invalid user ([0-9]+|[0-9a-z][0-9a-z]?|([0-9a-z])\2{2,}|abc123|abused|adm|Admin|admin[0-9]+|administrateur|administracion|altibase|alumni|amavisd?|anwenderschnittstelle|anonymous|ansible|aptproxy|arkserver|asterisk|auser|avahi|avis|backlog|backup(s|er|pc|user)?|bf2|bitnami|bitrix|boinc|botmaster|build|buscador|cacti(user)?|catchall|cemergen|chef|cinema|clamav|cliente?[0-9]*|clouduser|com|comercial|control|couchdb|cpanel|create|cron|(cs(s|go|cz)|arma|mc|tf2?|sdtd|web|pz)se?rve?r?|cyrus[0-9]*|daemon|danger|debian(-spamd)?|default|dell|deploy(er)?|desktop|developer|devops|devteam|dietpi|django|dotblot|download|dovecot|easy|ec2-user|edu(cation)?[0-9]*|e-shop|engin(eer)?|esadmin|events|exports?|facebook|factorio|fax|filter|firebird|fuser|games|gdm|geniuz|ggc_user|ghost|git(olite?|blit|lab(_ci)?)?|gmail|gopher|guest|hacker|hadoop|harvard|helpdesk|home|host|httpd?|huawei|iceuser|imscp|info(rmix)?|java|jboss|jenkins|jira|jsboss|kafka|kodi|library|libsys|libuuid|linode|linux|login|logout|lynx|mailer|mailman|maintain|majordomo|man|mantis|marketing|master|membership|minecraft|modem|mongo(db|user)?|monitor|more|moher|mpiuser|musi[ck]bot|(my?|pg)sq(ue)?l|mythtv|nagios|nasa|netdump|netzplatz|newadmin|nexus|nfs|(nfs)?nobody|nginx|noc|nothing|NpC|nux|odoo|odroid|onyxeye|openbravo|openvpn|operador|operator|ops(code)?|oprofile|ora(cle|prod)|osmc|papernet|password|payments|pay_?pal|pentaho|PlcmSpIp(PlcmSpIp)?|popuser|postfix|postgres|postmaster|print|privoxy|proba|proxy|puppet|qhsupport|rabbit(mq)?|radiusd?|redis|redmine|riakcs|root[0-9]+|rpc(user)?|RPM|rtorrent|rustserver|sales[0-9]+|s?bin|
(samba|sshd|git|student|tomcat|abc|web|info|(vpn|appl?|my|b)?(use?r|server|manager|mgr)|account)[0-9]*|saslauth|scaner|screen|search|setup|service|(s|u|ams|admin|inss|pro)?ftp(d|_?user|home|_?test)?[0-9]*|sftponly|shell|shop|sinusbot|smmsp|socket|software|solarus|splunk|squid|squirrelmail|sshusr|staffc|steam(cmd)?|store|superuser|support|svnroot|sysadmin|system|teamspeak3?|telkom|temp|test((ing|ftp|man|use?r|u)[0-9]*|[0-9]+)?|(test)?username|text|tomcat|tools|toor|ts[23](se?rv(er)?|(musi[ck])?bot)?|tunstall|ubnt|ubuntu|upload|unity|USERID|user[0-9]*|usuario|uucp|vagrant|vbox|ventrilo|vhbackup|virusalter|vmadmin|vmail|vyatta|wanadoo|weblogic|webmaster|WinD3str0y|wine|wp-?user|write|www|(www|web|coin|fax|sys|db2|rsync|tc)-?(adm(in)?|run|user|data)|xbian|xbot|xoadmin|yahoo|yarn|zabbix|zimbra|zookeeper|0fordn1on@#\$%%\^&|P@\$\$w0rd|pass123?4?)? from port [0-9]+ ssh2 - -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT -# -ignoreregex = diff -r d2ae0b786b49 -r 3e04f35dd0af common/fail2ban/ibb-sshd.conf --- a/common/fail2ban/ibb-sshd.conf Sat Jan 18 14:40:05 2020 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,19 +0,0 @@ -# Fail2Ban configuration file -# Author: IBBoard - -[Definition] - -# Option: failregex -# Notes.: regex to match the password failures messages in the logfile. The -# host must be matched by a group named "host". The tag "" can -# be used for standard IP/hostname matching and is only an alias for -# (?:::f{4,6}:)?(?P[\w\-.^_]+) -# Values: TEXT -# -failregex = Unable to negotiate with port [0-9]+: no matching host key type found. Their offer: ssh-rsa,ssh-dss \[preauth\] - -# Option: ignoreregex -# Notes.: regex to ignore. If this regex matches, the line is ignored. -# Values: TEXT -# -ignoreregex = diff -r d2ae0b786b49 -r 3e04f35dd0af common/fail2ban/jail.local --- a/common/fail2ban/jail.local Sat Jan 18 14:40:05 2020 +0000 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,119 +0,0 @@
-# Disable ssh-iptables because some versions auto-enable it
-# and we want to use our own version (which may use non-iptables)
-[ssh-iptables]
-enabled = false
-
-[ssh-firewall-ban]
-enabled = true
-filter = sshd
-action = firewall-ban[name=SSH,chain=Fail2Ban,port=222]
-logpath = /var/log/secure
-maxretry = 3
-bantime = 604800
-
-[ssh-user-instaban]
-enabled = true
-filter = ibb-sshd-bad-user
-action = firewall-ban[name=SSH-Instaban,chain=Fail2Ban,port=222]
-logpath = /var/log/secure
-maxretry = 1
-bantime = 604800
-
-[ssh-key-ban]
-enabled = true
-filter = ibb-sshd
-action = firewall-ban[name=SSH-Key,chain=Fail2Ban,port=222]
-logpath = /var/log/secure
-maxretry = 3
-findtime = 604800
-bantime = 604800
-
-
-[apache-badbots]
-enabled = true
-filter = apache-badbots
-action = firewall-ban[name=ApacheBadBots,chain=Fail2Ban,port="80,443"]
-logpath = /var/log/apache/access_*.log
-findtime = 604800
-bantime = 604800
-
-[apache-instaban]
-enabled = true
-maxretry = 1
-filter = ibb-apache-exploits-instaban
-action = firewall-ban[name=ApacheInstaban,chain=Fail2Ban,port="80,443"]
-logpath = /var/log/apache/access_*.log
-findtime = 86400
-bantime = 86400
-
-[apache-auth]
-enabled = true
-maxretry = 5
-filter = apache-auth
-action = firewall-ban[name=ApacheAuth,chain=Fail2Ban,port="80,443"]
-logpath = /var/log/apache/error_*.log
-findtime = 86400
-bantime = 604800
-
-[repeat-offenders]
-enabled = true
-maxretry = 2
-filter = ibb-repeat-offender
-action = firewall-ban[name=RepeatOffenders,chain=Fail2Ban,port="80,443,25,465"]
-logpath = /var/log/fail2ban.log
-findtime = 2592000
-bantime = 2592000
-
-[repeat-offenders-ssh]
-enabled = true
-maxretry = 2
-filter = ibb-repeat-offender-ssh
-action = firewall-ban[name=RepeatOffendersSSH,chain=Fail2Ban,port="222"]
-logpath = /var/log/fail2ban.log
-findtime = 2592000
-bantime = 2592000
-
-[spam-email]
-enabled = true
-maxretry = 1
-filter = ibb-postfix-spammers
-action =
firewall-ban[name=SpamEmail,chain=Fail2Ban,port="465,25"]
-logpath = /var/log/maillog
-findtime = 604800
-bantime = 604800
-
-[mail-abuse]
-enabled = true
-maxretry = 1
-filter = ibb-postfix-malicious
-action = firewall-ban[name=MailAbuse,chain=Fail2Ban,port="465,25"]
-logpath = /var/log/maillog
-findtime = 604800
-bantime = 604800
-
-[mail-rejected]
-enabled = true
-maxretry = 10
-filter = ibb-postfix
-action = firewall-ban[name=MailRejected,chain=Fail2Ban,port="465,25"]
-logpath = /var/log/maillog
-findtime = 604800
-bantime = 604800
-
-[sasl]
-enabled = true
-maxretry = 10
-filter = postfix[mode=auth]
-action = firewall-ban[name=SASLFailures,chain=Fail2Ban,port="465,25"]
-logpath = /var/log/maillog
-findtime = 604800
-bantime = 604800
-
-[shellshock]
-enabled = true
-maxretry = 1
-filter = ibb-apache-shellshock
-action = firewall-ban[name=Shellshock,chain=Fail2Ban,port="80,443"]
-logpath = /var/log/apache/access_*.log
-findtime = 604800
-bantime = 604800
diff -r d2ae0b786b49 -r 3e04f35dd0af manifests/templates.pp
--- a/manifests/templates.pp Sat Jan 18 14:40:05 2020 +0000
+++ b/manifests/templates.pp Sat Jan 18 15:17:03 2020 +0000
@@ -337,77 +337,6 @@
 } }
-class fail2ban (
- $firewall_cmd,
- ) {
- package { 'fail2ban':
- ensure => installed,
- }
- service { 'fail2ban':
- ensure => running,
- enable => true
- }
- File {
- ensure => present,
- require => Package['fail2ban'],
- notify => Service['fail2ban'],
- }
- file { '/etc/fail2ban/fail2ban.local':
- source => 'puppet:///common/fail2ban/fail2ban.local',
- }
- file { '/etc/fail2ban/jail.local':
- source => 'puppet:///common/fail2ban/jail.local',
- }
- file { '/etc/fail2ban/action.d/apf.conf':
- source => 'puppet:///common/fail2ban/apf.conf',
- }
-
- if $firewall_cmd == 'iptables' {
- $firewall_ban_cmd = 'iptables-multiport'
- } else {
- $firewall_ban_cmd = $firewall_cmd
- }
-
- file { '/etc/fail2ban/action.d/firewall-ban.conf':
- ensure => link,
- target => "/etc/fail2ban/action.d/${firewall_ban_cmd}.conf",
- }
- file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf':
- source => 'puppet:///common/fail2ban/ibb-apache-exploits-instaban.conf',
- }
- file { '/etc/fail2ban/filter.d/ibb-apache-shellshock.conf':
- source => 'puppet:///common/fail2ban/ibb-apache-shellshock.conf',
- }
- file { '/etc/fail2ban/filter.d/ibb-repeat-offender.conf':
- source => 'puppet:///common/fail2ban/ibb-repeat-offender.conf',
- }
- file { '/etc/fail2ban/filter.d/ibb-repeat-offender-ssh.conf':
- source => 'puppet:///common/fail2ban/ibb-repeat-offender-ssh.conf',
- }
- file { '/etc/fail2ban/filter.d/ibb-postfix-spammers.conf':
- source => 'puppet:///common/fail2ban/ibb-postfix-spammers.conf',
- }
- file { '/etc/fail2ban/filter.d/ibb-postfix-malicious.conf':
- source => 'puppet:///common/fail2ban/ibb-postfix-malicious.conf',
- }
- file { '/etc/fail2ban/filter.d/ibb-postfix.conf':
- source => 'puppet:///common/fail2ban/ibb-postfix.conf',
- }
- file { '/etc/fail2ban/filter.d/ibb-sshd.conf':
- source => 'puppet:///common/fail2ban/ibb-sshd.conf',
- }
- file { '/etc/fail2ban/filter.d/ibb-sshd-bad-user.conf':
- source =>
'puppet:///common/fail2ban/ibb-sshd-bad-user.conf',
- }
- # Because one of our rules checks fail2ban's log, but the service dies without the file
- file { '/var/log/fail2ban.log':
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0600',
- }
-}
-
 #Our web server with our configs, not just a stock one class webserver ( $primary_ip,
diff -r d2ae0b786b49 -r 3e04f35dd0af modules/fail2ban/files/apf.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/apf.conf Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,6 @@
+[Definition]
+actionstart =
+actionstop =
+actioncheck =
+actionban = /etc/apf/apf --deny Fail2Ban-
+actionunban = /etc/apf/apf --remove
diff -r d2ae0b786b49 -r 3e04f35dd0af modules/fail2ban/files/fail2ban.local
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/fail2ban.local Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,3 @@
+[Definition]
+loglevel = NOTICE
+logtarget = /var/log/fail2ban.log
diff -r d2ae0b786b49 -r 3e04f35dd0af modules/fail2ban/files/ibb-apache-exploits-instaban.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/ibb-apache-exploits-instaban.conf Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,51 @@
+# Fail2Ban configuration file
+#
+# Author: IBBoard
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failure messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = ^ .*"(?:GET|HEAD|POST) .*/proc/self/environ.*"
+ ^ .*"(?:GET|HEAD|POST) /w00tw00t\.at\..+\:\).*"
+ ^ .*"(?:GET|HEAD|POST) .*\?module=http(?:s)?:.*
+ ^ .*"(?:GET|HEAD|POST) .*\?write.phpdir=http(?:s)?:.*
+ ^ .*"(?:GET|HEAD|POST) .*\?src=http(?:s)?:.*
+ ^ .*"(?:GET|HEAD|POST) .*ivrrecording.php.*"
+ ^ .*"(?:GET|HEAD|POST) .*\?php=info&ip=uname.*"
+ ^ .*"(?:GET|HEAD|POST) .*\?input_file=http(?:s)?://.*
+ ^ .*"(?:GET|HEAD|POST) .*\?dir=http(?:s)?://.*
+ ^ .*"(?:GET|HEAD|POST) .*\?f=http(?:s)?://.*
+ ^ .*"(?:GET|HEAD|POST) .*([\+-]{5,})Result.*"
+ ^ .*"(?:GET|HEAD|POST) .*onmousedown=%%22
+ ^ .*"(?:GET|HEAD|POST) .*/bin/msgimport.*"
+ ^ .* " " [2-5]
+ ^ .*"(?:GET|HEAD|POST) .*//filemanager/.*"
+ ^ .*"(?:GET|HEAD|POST) .*//php[Mm]y[Aa]dmin.*"
+ ^ .*"(?:GET|HEAD|POST) .*///wp-content/themes/.*"
+ ^ .*"(?:GET|HEAD|POST) .*\?[^"]+union(?:%%20|\+)select.*
+ ^ .*"(?:GET|HEAD|POST) .*\?[[^"]+\+(?:and|or)\+(?:1|%%2[27][xy]%%2[27])%%3D(?:1|%%2[27][xy]%%2[27]).*
+ ^ .*"(?:GET|HEAD|POST) .*\?[^"]+\?\?\?
+ ^ .*"(?:GET|HEAD|POST) .*%%5BPLM=.*
+ ^ .*"(?:GET|HEAD|POST) /config/[^\.]+\.php\?[^"]+&sid=[a-z0-9]+
+ ^ .*\?.*(?:\.\./|%%2E%%2E%%2F){3,}.*%%00
+ ^ .*"\\x16\\x03\\x01"
+ ^ .*"PROPFIND /[^%%/"]%%24
+ ^ .*"(?:GET|HEAD|POST) /manager/status [^"]*" 404
+ ^ .*"(?:GET|HEAD|POST) [^"]*allow_url_include%%3d1.*
+ ^ .*"(?:GET|HEAD|POST) .*php://.*
+ ^ .*"CONNECT
+ ^ .*"POST "
+ ^ .*"(?:GET|POST) /[^"]+\.php.*174\.123\.231\.2(?:29|30)
+ ^ .*"(?:GET|HEAD|POST)[^"]+" 402
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff -r d2ae0b786b49 -r 3e04f35dd0af modules/fail2ban/files/ibb-apache-shellshock.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/ibb-apache-shellshock.conf Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,17 @@
+# Fail2Ban configuration file
+#
+# Author: IBBoard
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match Shellshock attempts against Apache
+# Values: TEXT
+#
+failregex = .*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff -r d2ae0b786b49 -r 3e04f35dd0af modules/fail2ban/files/ibb-postfix-malicious.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/ibb-postfix-malicious.conf Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,23 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+# $Revision: 728 $
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = warning: non-SMTP command from (.*)\[\].*GET
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff -r d2ae0b786b49 -r 3e04f35dd0af modules/fail2ban/files/ibb-postfix-spammers.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/ibb-postfix-spammers.conf Sat Jan 18 15:17:03 2020 +0000
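Review bot: In the SQL-injection line of the new ibb-apache-exploits-instaban.conf failregex, `.*\?[[^"]+\+(?:and|or)\+...`, the doubled `[` turns `[[^"]` into a three-character class of `[`, `^` and `"` rather than "anything but a quote", so the rule only matches a query string made entirely of those characters and ordinary `?id=1+and+1%3D1` probes are never instabanned by this jail. With the stray bracket dropped the line reads `^ .*"(?:GET|HEAD|POST) .*\?[^"]+\+(?:and|or)\+(?:1|%%2[27][xy]%%2[27])%%3D(?:1|%%2[27][xy]%%2[27]).*`, consistent with the `union…select` rule just above it. The unescaped `.` in `ivrrecording.php` and `write.phpdir` is harmless but worth tightening to `\.` as the other `\.php` rules do. The host tag that fail2ban requires in each failregex line is not visible in this rendering of the file, so confirm it survived the move rather than relying on this view.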
@@ -0,0 +1,24 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+# $Revision: 728 $
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = reject: RCPT from (.*)\[\]: 55[0-9] .* (blocked using|DO NOT SCRAPE EMAIL ADDRESSES!) .*
+ reject: RCPT from ([^\[]*)\[\]: 454 [^:]+: Relay access denied; from=<[^@]+@ibboard.co.uk>
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff -r d2ae0b786b49 -r 3e04f35dd0af modules/fail2ban/files/ibb-postfix.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/ibb-postfix.conf Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,25 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+# $Revision: 728 $
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = reject: RCPT from (.*)\[\]: 554
+ reject: RCTP from ([^\[]*)\[\]: 550 .* Recipient address rejected: Please see http://www.openspf.org/
+ reject: RCTP from ([^\[]*)\[\]: 454 [^:]+: Relay access denied;
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff -r d2ae0b786b49 -r 3e04f35dd0af modules/fail2ban/files/ibb-repeat-offender-ssh.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/ibb-repeat-offender-ssh.conf Sat Jan 18 15:17:03 2020 +0000
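Review bot: The second and third failregex lines of the new ibb-postfix.conf read `reject: RCTP from`, while Postfix logs these rejections as `reject: RCPT from` (the first line of the same filter and both lines of ibb-postfix-spammers.conf spell it that way), so SPF-rejected recipients and relay-denied attempts never count towards the `mail-rejected` jail that uses this filter and only the bare 554 line does any work. Change `reject: RCTP from` to `reject: RCPT from` on both lines. The `(.*)` before the bracket on the 554 line is an unanchored greedy capture that the other two lines avoid with `([^\[]*)`; aligning it costs nothing. The host tag is not visible in this rendering, so check it is still present on all three lines after the move.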
@@ -0,0 +1,23 @@
+# IBB-Repeat-Offender-SSH configuration file
+#
+# Author: Tom Hendrikx, minor modifications by Amir Caspi
+# See http://whyscream.net/wiki/index.php/Fail2ban_monitoring_Fail2ban
+# Renamed and adjusted by IBBoard for consistency
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = NOTICE\s+\[ssh-[^\]]+\]\s+Ban\s+
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+#ignoreregex =
diff -r d2ae0b786b49 -r 3e04f35dd0af modules/fail2ban/files/ibb-repeat-offender.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/ibb-repeat-offender.conf Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,23 @@
+# IBB-Repeat-Offender configuration file
+#
+# Author: Tom Hendrikx, minor modifications by Amir Caspi
+# See http://whyscream.net/wiki/index.php/Fail2ban_monitoring_Fail2ban
+# Renamed and adjusted by IBBoard for consistency
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = NOTICE\s+\[(?:.*)\]\s+Ban\s+
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex = fail2ban.actions:\s+NOTICE\s+\[(ibb-repeat-offender|ssh-)[^\]]+\]\s+Ban\s+
diff -r d2ae0b786b49 -r 3e04f35dd0af modules/fail2ban/files/ibb-sshd.conf
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/ibb-sshd.conf Sat Jan 18 15:17:03 2020 +0000
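Review bot: The ignoreregex in the new ibb-repeat-offender.conf, `fail2ban.actions:\s+NOTICE\s+\[(ibb-repeat-offender|ssh-)[^\]]+\]\s+Ban\s+`, excludes by filter name (`ibb-repeat-offender`) where fail2ban writes the jail name into the log, and the jails in this commit's jail.local are called `repeat-offenders` and `repeat-offenders-ssh`, so that alternative matches nothing; the `fail2ban.actions:` prefix also only fits a log format with nothing between the logger name and the colon, which depends on the fail2ban version in use. Since the failregex `NOTICE\s+\[(?:.*)\]\s+Ban\s+` matches every ban line, the jail's own bans and those of `repeat-offenders-ssh` are then counted as fresh failures within the 30-day findtime, which is presumably not intended. Excluding by the names actually logged and dropping the prefix, `ignoreregex = NOTICE\s+\[(?:repeat-offenders(?:-ssh)?|ssh-[^\]]+)\]\s+Ban\s+`, keeps the exclusion aligned with jail.local; whether `ssh-*` bans should still be excluded here is a policy choice, given they have their own repeat-offender jail. A one-line comment naming the jail names this must track would stop the two files drifting apart again.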
@@ -0,0 +1,19 @@
+# Fail2Ban configuration file
+# Author: IBBoard
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = Unable to negotiate with port [0-9]+: no matching host key type found. Their offer: ssh-rsa,ssh-dss \[preauth\]
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
diff -r d2ae0b786b49 -r 3e04f35dd0af modules/fail2ban/files/jail.local
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/jail.local Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,119 @@
+# Disable ssh-iptables because some versions auto-enable it
+# and we want to use our own version (which may use non-iptables)
+[ssh-iptables]
+enabled = false
+
+[ssh-firewall-ban]
+enabled = true
+filter = sshd
+action = firewall-ban[name=SSH,chain=Fail2Ban,port=222]
+logpath = /var/log/secure
+maxretry = 3
+bantime = 604800
+
+[ssh-user-instaban]
+enabled = true
+filter = ibb-sshd-bad-user
+action = firewall-ban[name=SSH-Instaban,chain=Fail2Ban,port=222]
+logpath = /var/log/secure
+maxretry = 1
+bantime = 604800
+
+[ssh-key-ban]
+enabled = true
+filter = ibb-sshd
+action = firewall-ban[name=SSH-Key,chain=Fail2Ban,port=222]
+logpath = /var/log/secure
+maxretry = 3
+findtime = 604800
+bantime = 604800
+
+
+[apache-badbots]
+enabled = true
+filter = apache-badbots
+action = firewall-ban[name=ApacheBadBots,chain=Fail2Ban,port="80,443"]
+logpath = /var/log/apache/access_*.log
+findtime = 604800
+bantime = 604800
+
+[apache-instaban]
+enabled = true
+maxretry = 1
+filter = ibb-apache-exploits-instaban
+action = firewall-ban[name=ApacheInstaban,chain=Fail2Ban,port="80,443"]
+logpath = /var/log/apache/access_*.log
+findtime = 86400
+bantime = 86400
+
+[apache-auth]
+enabled = true
+maxretry = 5
+filter = apache-auth
+action = firewall-ban[name=ApacheAuth,chain=Fail2Ban,port="80,443"]
+logpath = /var/log/apache/error_*.log
+findtime = 86400
+bantime = 604800
+
+[repeat-offenders]
+enabled = true
+maxretry = 2
+filter = ibb-repeat-offender
+action = firewall-ban[name=RepeatOffenders,chain=Fail2Ban,port="80,443,25,465"]
+logpath = /var/log/fail2ban.log
+findtime = 2592000
+bantime = 2592000
+
+[repeat-offenders-ssh]
+enabled = true
+maxretry = 2
+filter = ibb-repeat-offender-ssh
+action = firewall-ban[name=RepeatOffendersSSH,chain=Fail2Ban,port="222"]
+logpath = /var/log/fail2ban.log
+findtime = 2592000
+bantime = 2592000
+
+[spam-email]
+enabled = true
+maxretry = 1
+filter = ibb-postfix-spammers
+action =
firewall-ban[name=SpamEmail,chain=Fail2Ban,port="465,25"]
+logpath = /var/log/maillog
+findtime = 604800
+bantime = 604800
+
+[mail-abuse]
+enabled = true
+maxretry = 1
+filter = ibb-postfix-malicious
+action = firewall-ban[name=MailAbuse,chain=Fail2Ban,port="465,25"]
+logpath = /var/log/maillog
+findtime = 604800
+bantime = 604800
+
+[mail-rejected]
+enabled = true
+maxretry = 10
+filter = ibb-postfix
+action = firewall-ban[name=MailRejected,chain=Fail2Ban,port="465,25"]
+logpath = /var/log/maillog
+findtime = 604800
+bantime = 604800
+
+[sasl]
+enabled = true
+maxretry = 10
+filter = postfix[mode=auth]
+action = firewall-ban[name=SASLFailures,chain=Fail2Ban,port="465,25"]
+logpath = /var/log/maillog
+findtime = 604800
+bantime = 604800
+
+[shellshock]
+enabled = true
+maxretry = 1
+filter = ibb-apache-shellshock
+action = firewall-ban[name=Shellshock,chain=Fail2Ban,port="80,443"]
+logpath = /var/log/apache/access_*.log
+findtime = 604800
+bantime = 604800
diff -r d2ae0b786b49 -r 3e04f35dd0af modules/fail2ban/manifests/init.pp
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/manifests/init.pp Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,332 @@
+class fail2ban (
+ $firewall_cmd,
+ ) {
+ package { 'fail2ban':
+ ensure => installed,
+ }
+ service { 'fail2ban':
+ ensure => running,
+ enable => true
+ }
+ File<| tag == 'fail2ban' |> {
+ ensure => present,
+ require => Package['fail2ban'],
+ notify => Service['fail2ban'],
+ }
+ file { '/etc/fail2ban/fail2ban.local':
+ source => 'puppet:///modules/fail2ban/fail2ban.local',
+ }
+ file { '/etc/fail2ban/jail.local':
+ source => 'puppet:///modules/fail2ban/jail.local',
+ }
+ file { '/etc/fail2ban/action.d/apf.conf':
+ source => 'puppet:///modules/fail2ban/apf.conf',
+ }
+
+ if $firewall_cmd == 'iptables' {
+ $firewall_ban_cmd = 'iptables-multiport'
+ } else {
+ $firewall_ban_cmd = $firewall_cmd
+ }
+
+ file { '/etc/fail2ban/action.d/firewall-ban.conf':
+ ensure => link,
+ target => "/etc/fail2ban/action.d/${firewall_ban_cmd}.conf",
+ }
+ file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf':
+ source => 'puppet:///modules/fail2ban/ibb-apache-exploits-instaban.conf',
+ }
+ file { '/etc/fail2ban/filter.d/ibb-apache-shellshock.conf':
+ source => 'puppet:///modules/fail2ban/ibb-apache-shellshock.conf',
+ }
+ file { '/etc/fail2ban/filter.d/ibb-repeat-offender.conf':
+ source => 'puppet:///modules/fail2ban/ibb-repeat-offender.conf',
+ }
+ file { '/etc/fail2ban/filter.d/ibb-repeat-offender-ssh.conf':
+ source => 'puppet:///modules/fail2ban/ibb-repeat-offender-ssh.conf',
+ }
+ file { '/etc/fail2ban/filter.d/ibb-postfix-spammers.conf':
+ source => 'puppet:///modules/fail2ban/ibb-postfix-spammers.conf',
+ }
+ file { '/etc/fail2ban/filter.d/ibb-postfix-malicious.conf':
+ source => 'puppet:///modules/fail2ban/ibb-postfix-malicious.conf',
+ }
+ file { '/etc/fail2ban/filter.d/ibb-postfix.conf':
+ source => 'puppet:///modules/fail2ban/ibb-postfix.conf',
+ }
+ file { '/etc/fail2ban/filter.d/ibb-sshd.conf':
+ source => 'puppet:///modules/fail2ban/ibb-sshd.conf',
+ }
+
+ $bad_users = [
+ '[0-9]+',
+ '[0-9a-z][0-9a-z]?',
+ '([0-9a-z])\2{2,}',
+ 'abc123',
+ 'abused',
+ 'adm',
+ 'Admin',
+ 'admin[0-9]+',
+ 'administrateur',
+ 'administracion',
+ 'altibase',
+ 'alumni',
+ 'amavisd?',
+ 'anwenderschnittstelle',
+ 'anonymous',
+ 'ansible',
+ 'aptproxy',
+ 'arkserver',
+ 'asterisk',
+ 'auser',
+ 'avahi',
+ 'avis',
+ 'backlog',
+ 'backup(s|er|pc|user)?',
+ 'bf2',
+ 'bitnami',
+ 'bitrix',
+ 'boinc',
+ 'botmaster',
+ 'build',
+ 'buscador',
+ 'cacti(user)?',
+ 'catchall',
+ 'cemergen',
+ 'chef',
+ 'cinema',
+ 'clamav',
+ 'cliente?[0-9]*',
+ 'clouduser',
+ 'com',
+ 'comercial',
+ 'control',
+ 'couchdb',
+ 'cpanel',
+ 'create',
+ 'cron',
+ '(cs(s|go|cz)|arma|mc|tf2?|sdtd|web|pz)se?rve?r?',
+ 'cyrus[0-9]*',
+ 'daemon',
+ 'danger',
+ 'debian(-spamd)?',
+ 'default',
+ 'dell',
+ 'deploy(er)?',
+ 'desktop',
+ 'developer',
+ 'devops',
+ 'devteam',
+ 'dietpi',
+ 'django',
+ 'dotblot',
+ 'download',
+ 'dovecot',
+ 'easy',
+ 'ec2-user',
+ 'edu(cation)?[0-9]*',
+ 'e-shop',
+ 'engin(eer)?',
+ 'esadmin',
+ 'events',
+ 'exports?',
+ 'facebook',
+ 'factorio',
+ 'fax',
+ 'filter',
+ 'firebird',
+ 'fuser',
+ 'games',
+ 'gdm',
+ 'geniuz',
+ 'ggc_user',
+ 'ghost',
+ 'git(olite?|blit|lab(_ci)?)?',
+ 'gmail',
+ 'gopher',
+ 'guest',
+ 'hacker',
+ 'hadoop',
+ 'harvard',
+ 'helpdesk',
+ 'home',
+ 'host',
+ 'httpd?',
+ 'huawei',
+ 'iceuser',
+ 'imscp',
+ 'info(rmix)?',
+ 'java',
+ 'jboss',
+ 'jenkins',
+ 'jira',
+ 'jsboss',
+ 'kafka',
+ 'kodi',
+ 'library',
+ 'libsys',
+ 'libuuid',
+ 'linode',
+ 'linux',
+ 'login',
+ 'logout',
+ 'lynx',
+ 'mailer',
+ 'mailman',
+ 'maintain',
+ 'majordomo',
+ 'man',
+ 'mantis',
+ 'marketing',
+ 'master',
+ 'membership',
+ 'minecraft',
+ 'modem',
+ 'mongo(db|user)?',
+ 'monitor',
+ 'more',
+ 'moher',
+ 'mpiuser',
+ 'musi[ck]bot',
+ '(my?|pg)sq(ue)?l',
+ 'mythtv',
+ 'nagios',
+ 'nasa',
+ 'netdump',
+ 'netzplatz',
+ 'newadmin',
+ 'nexus',
+ 'nfs',
+ '(nfs)?nobody',
+ 'nginx',
+ 'noc',
+ 'nothing',
+ 'NpC',
+ 'nux',
+ 'odoo',
+ 'odroid',
+ 'onyxeye',
+ 'openbravo',
+ 'openvpn',
+ 'operador',
+ 'operator',
+ 'ops(code)?',
+ 'oprofile',
+ 'ora(cle|prod)',
+ 'osmc',
+ 'papernet',
+ 'password',
+ 'payments',
+ 'pay_?pal',
+ 'pentaho',
+ 'PlcmSpIp(PlcmSpIp)?',
+ 'popuser',
+ 'postfix',
+ 'postgres',
+ 'postmaster',
+ 'print',
+ 'privoxy',
+ 'proba',
+ 'proxy',
+ 'puppet',
+ 'qhsupport',
+ 'rabbit(mq)?',
+ 'radiusd?',
+ 'redis',
+ 'redmine',
+ 'riakcs',
+ 'root[0-9]+',
+ 'rpc(user)?',
+ 'RPM',
+ 'rtorrent',
+ 'rustserver',
+ 'sales[0-9]+',
+ 's?bin',
+ '(samba|sshd|git|student|tomcat|abc|web|info|(vpn|appl?|my|b)?(use?r|server|manager|mgr)|account)[0-9]*',
+ 'saslauth',
+ 'scaner',
+ 'screen',
+ 'search',
+ 'setup',
+ 'service',
+ '(s|u|ams|admin|inss|pro)?ftp(d|_?user|home|_?test)?[0-9]*',
+ 'sftponly',
+ 'shell',
+ 'shop',
+ 'sinusbot',
+ 'smmsp',
+ 'socket',
+ 'software',
+ 'solarus',
+ 'splunk',
+ 'squid',
+ 'squirrelmail',
+ 'sshusr',
+ 'staffc',
+ 'steam(cmd)?',
+ 'store',
+ 'superuser',
+ 'support',
+ 'svnroot',
+ 'sysadmin',
+ 'system',
+ 'teamspeak3?',
+ 'telkom',
+ 'temp',
+ 'test((ing|ftp|man|use?r|u)[0-9]*|[0-9]+)?',
+ '(test)?username',
+ 'text',
+ 'tomcat',
+ 'tools',
+ 'toor',
+ 'ts[23](se?rv(er)?|(musi[ck])?bot)?',
+ 'tunstall',
+ 'ubnt',
+ 'ubuntu',
+ 'upload',
+ 'unity',
+ 'USERID',
+ 'user[0-9]*',
+ 'usuario',
+ 'uucp',
+ 'vagrant',
+ 'vbox',
+ 'ventrilo',
+ 'vhbackup',
+ 'virusalter',
+ 'vmadmin',
+ 'vmail',
+ 'vyatta',
+ 'wanadoo',
+ 'weblogic',
+ 'webmaster',
+ 'WinD3str0y',
+ 'wine',
+ 'wp-?user',
+ 'write',
+ 'www',
+ '(www|web|coin|fax|sys|db2|rsync|tc)-?(adm(in)?|run|user|data)',
+ 'xbian',
+ 'xbot',
+ 'xoadmin',
+ 'yahoo',
+ 'yarn',
+ 'zabbix',
+ 'zimbra',
+ 'zookeeper',
+ '0fordn1on@#\$%%\^&',
+ 'P@\$\$w0rd',
+ 'pass123?4?'
+ ]
+
+ file { '/etc/fail2ban/filter.d/ibb-sshd-bad-user.conf':
+ content => epp('fail2ban/ibb-sshd-bad-user.epp', { 'bad_users' => $bad_users }),
+ }
+ # Because one of our rules checks fail2ban's log, but the service dies without the file
+ file { '/var/log/fail2ban.log':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ }
+}
\ No newline at end of file
diff -r d2ae0b786b49 -r 3e04f35dd0af modules/fail2ban/templates/ibb-sshd-bad-user.epp
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/templates/ibb-sshd-bad-user.epp Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,20 @@
+<%- | Array $bad_users | -%>
+# Fail2Ban configuration file
+# Author: IBBoard
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = Failed password for invalid user (<%= join($bad_users, '|') %>)? from port [0-9]+ ssh2
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
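Review bot: The `File<| tag == 'fail2ban' |>` collector at the top of the class applies `ensure => present` to every file resource tagged `fail2ban`, which includes the `/etc/fail2ban/action.d/firewall-ban.conf` resource declared with `ensure => link` further down; as far as I know a collector override wins over the resource's own attribute, so the symlink may end up as a plain file and every jail's `firewall-ban` action would then fail to load. Scoped resource defaults, `File { ensure => present, require => Package['fail2ban'], notify => Service['fail2ban'] }`, express the same intent while letting the explicit `ensure => link` stand, and they do not also realize unrelated virtual `File` resources that happen to carry the tag. Separately, `$firewall_cmd` is untyped and interpolated straight into the symlink target, so a typo silently produces a dangling link and a fail2ban service that will not start; `String[1] $firewall_cmd` (or an `Enum` of the action files actually shipped) would fail the catalog compile instead of the service.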
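Review bot: The `Array $bad_users` parameter on the first line accepts an empty list, which renders `failregex` as `... invalid user ()? from ...` and effectively matches no real log line, so the instaban jail would stop banning without any error; `<%- | Array[String[1], 1] $bad_users | -%>` makes the template fail at catalog time instead. The entries are regex fragments joined with `|` inside a single capture group, and the `([0-9a-z])\2{2,}` entry in init.pp only works while that outer group stays in place and no other capturing entry precedes it; that constraint deserves a comment next to the `failregex` line, e.g. `# bad_users entries are regex fragments; the outer (...) is group 1, so backreferences in entries count from 2`. The `Notes.:` comment reads "password failures messages", presumably a typo for "password failure messages".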