# HG changeset patch # User IBBoard # Date 1670790428 0 # Node ID 79e5fed321fafa7e901863f17ab147c00927573b # Parent fa3093f2dc8e3e5a8d464d0844207142596673c7 Break up SSH bad users regexes The list had got so long that it was failing to compile! diff -r fa3093f2dc8e -r 79e5fed321fa modules/fail2ban/manifests/init.pp --- a/modules/fail2ban/manifests/init.pp Sun Dec 11 19:03:22 2022 +0000 +++ b/modules/fail2ban/manifests/init.pp Sun Dec 11 20:27:08 2022 +0000 @@ -109,6 +109,7 @@ } $bad_users = [ + [ '[^0-9a-zA-Z]+', '\.?[0-9]+\.?', '[0-9a-zA-Z]{1,3}', @@ -250,6 +251,7 @@ 'firefox', 'ftp(admin)?', 'fuser', + ],[ 'games', 'gdm', 'geometry', @@ -318,6 +320,7 @@ 'logview(er)?', 'lsfadmin', 'lynx', + ],[ 'magento', 'mail', 'mailer', @@ -435,6 +438,7 @@ 'rpm', 'RPM', 'rtorrent', + ],[ 'rustserver', 'sales[0-9]+', 'samp', @@ -551,6 +555,7 @@ 'zabbix', 'zimbra', 'zookeeper', + ],[ # User/admin/other '(bwair|api|appl?|ats|cam|cat|db|dev|file|imap|is|my|net|site|tech|virtual|vnc|vpn)?(admins?|app|dev|use?r|server|man|manager|mgr)[0-9]*', '(abc|account|git|info|redhat|samba|sshd|student|teacher|tomcat|ubuntu|web)[0-9]*', @@ -568,6 +573,7 @@ 'password', 'pass123?4?', 'qwer?[0-9]+', + ] ] file { '/etc/fail2ban/filter.d/ibb-sshd-bad-user.conf': diff -r fa3093f2dc8e -r 79e5fed321fa modules/fail2ban/templates/ibb-sshd-bad-user.epp --- a/modules/fail2ban/templates/ibb-sshd-bad-user.epp Sun Dec 11 19:03:22 2022 +0000 +++ b/modules/fail2ban/templates/ibb-sshd-bad-user.epp Sun Dec 11 20:27:08 2022 +0000 @@ -11,7 +11,9 @@ # (?:::f{4,6}:)?(?P[\w\-.^_]+) # Values: TEXT # -failregex = Failed password for invalid user (<%= join($bad_users, '|') %>)? from port [0-9]+ ssh2 +failregex = <% $bad_users.each |$array| { %> Failed password for invalid user (<%= join($array, '|') %>)? from port [0-9]+ ssh2 +<% } %> + # Option: ignoreregex # Notes.: regex to ignore. If this regex matches, the line is ignored.
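Review bot: The chunk boundaries are hard-coded into the `$bad_users` data (the `[` added at the top of the list, the `],[` lines added before 'games', 'magento', 'rustserver' and the `# User/admin/other` comment, and the closing `]`), so any one sub-list that keeps growing can hit the same compile failure again, and nothing in the manifest says why the breaks are there. Keeping the list flat and chunking it in the template, for example `<% $bad_users.slice(100) |$array| { %>` (100 is an illustrative size, not a measured limit), would remove the hand-placed markers. If the nested form stays, a comment above the list such as `# Nested on purpose: each inner array becomes one failregex line; a single alternation was too long to compile` would record the reason. Any other consumer of `$bad_users` that still expects a flat array of strings would need checking; none is visible in these hunks.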
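Review bot: Each generated `failregex` line begins at `Failed password` with no `^` anchor, so the pattern can match anywhere in a log line, including inside text supplied by the remote client, and that can get the wrong address banned. Since the line is being rewritten anyway, anchor every alternative, e.g. `^%(__prefix_line)sFailed password for invalid user (...)`, assuming the filter includes fail2ban's common.conf, which is not visible in this hunk. The single space after `{ %>` is also load-bearing: it indents every line after the first so the INI parser reads them as continuations of `failregex`, and a short EPP comment above the line should say so before someone tidies it away. The host tag between `from` and `port` does not appear in the line as shown here, presumably lost in page rendering, so confirm it is still present in the real template.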