# HG changeset patch
# User IBBoard
# Date 1644871430 0
# Node ID a7eaf17bff267c24afdc0b1aee7bf74227c276ba
# Parent 1de440d1bffb807999b172c05a10a4b846ff975c
Block lots of probed user account variants

Includes:
 * New services
 * More names
 * Foreign language variants

diff -r 1de440d1bffb -r a7eaf17bff26 modules/fail2ban/manifests/init.pp
--- a/modules/fail2ban/manifests/init.pp Mon Jan 03 19:40:59 2022 +0000
+++ b/modules/fail2ban/manifests/init.pp Mon Feb 14 20:43:50 2022 +0000
@@ -110,22 +110,26 @@
 $bad_users = [
 '[^0-9a-zA-Z]+',
- '[0-9]+',
+ '\.?[0-9]+\.?',
 '[0-9a-zA-Z]{1,3}',
 '([0-9a-z])\2{2,}',
 'abused',
 'Admin',
- 'admins?[0-9]*',
- 'administr[a-z]+', # administracion, administrador, administradorweb, administrator, etc
+ '[aA]dministr[a-z0-9\\]+', # administracion, administrador, administradorweb, administrator, administrat\303\266r (escaped รถ) etc
+ 'admin-?gui',
+ 'adminuser',
 'admissions',
 'altibase',
 'alumni',
 'amavisd?',
+ 'amax[0-9]+',
 'amministratore',
+ 'amssys',
 'anwenderschnittstelle',
 'anonymous',
 'ansible',
 'apache',
+ 'apps',
 'aptproxy',
 'apt-mirror',
 'ark(server)?',
@@ -141,9 +145,11 @@
 'bash',
 'batch',
 'beagleindex',
+ 'benutzer', # German user account
 'bf2',
 '.*bitbucket',
 'bind',
+ 'biology',
 'bitcoin',
 'bitnami',
 'bitrix',
@@ -152,16 +158,20 @@
 'boinc',
 'bot',
 'botmaster',
+ 'bouncer',
+ 'browser',
 'bugzilla',
 'build',
 'buscador',
 'cacti(user)?',
+ 'camera',
 'carrerasoft',
 'catchall',
 'celery',
 'cemergen',
 'centos',
 'chef',
+ 'chimistry',
 'cgi',
 'chromeuser',
 'cinema',
@@ -173,6 +183,9 @@
 'clouduser',
 'com',
 'comercial',
+ 'configure',
+ 'console',
+ 'contact',
 'control',
 'couchdb',
 'cpanel',
@@ -182,6 +195,7 @@
 '(cs(s|go|cz)|arma|mc|tf2?|sdtd|web|pz)-?se?rve?r?',
 'cs-?go1?',
 'CumulusLinux!',
+ 'customer',
 'cyrus[0-9]*',
 'daemon',
 'danger',
@@ -189,6 +203,7 @@
 'dasuse?r[0-9]*',
 'data(ba?se)?',
 'db2inst[0-9]*',
+ 'dbcloud',
 'dbus',
 'debian(-spamd)?',
 'default',
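Review bot: The `\\` inside `'[aA]dministr[a-z0-9\\]+'` in the first hunk does not look like it reaches fail2ban as an escaped backslash: a Puppet single-quoted string turns `\\` into a single backslash, so the emitted pattern would be `[a-z0-9\]+`, where `\]` escapes the closing bracket and the character class runs on until the next unescaped `]` (the `[0-9]` of `'amax[0-9]+'`), silently swallowing the entries in between. If the intent is to match the literal backslashes of the octal-escaped `\303\266` the trailing comment mentions, the manifest needs `'[aA]dministr[a-z0-9\\\\]+'` (four backslashes, giving `\\` in the emitted regex). This assumes the list is written verbatim into a Python-regex filter; if a template re-escapes it the point does not apply, and a one-line comment above `$bad_users` stating the escaping contract would make that checkable. The `$bad_users` array opens in this hunk but its closing bracket and the code that consumes it are outside the diff.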
@@ -207,7 +222,7 @@
 'django',
 'dmarc',
 'dpvirtual',
- 'dockeruser',
+ 'docker(user)?',
 'dotblot',
 'download',
 'dovecot',
@@ -237,6 +252,7 @@
 'fuser',
 'games',
 'gdm',
+ 'geometry',
 'geniuz',
 'getmail',
 'ggc_user',
@@ -246,8 +262,11 @@
 'gmail',
 'gmodserver',
 'gnuhealth',
+ 'google',
 'gopher',
 'government',
+ 'gpadmin',
+ 'grape',
 'grid',
 'guest',
 'hacker',
@@ -265,21 +284,26 @@
 'huawei',
 'iamroot',
 'iceuser',
+ 'image',
 'imscp',
 'info(rmix)?[0-9]*',
 'inst[0-9]+',
- 'installer',
+ 'install(er)?',
+ 'interadmin',
 'inventario',
 'java',
 'jboss',
 'jenkins',
 'jira',
 'jmeter',
+ 'joomla',
+ 'jquery',
 'jsboss',
 'juniper',
 'kafka',
 'kodi',
 'kms',
+ 'ldap',
 'legacy',
 'library',
 'libsys',
@@ -306,7 +330,7 @@
 'mapruser',
 'marketing',
 'master',
- 'membership',
+ 'member(ship)?',
 'merlin',
 'messagebus',
 'minecraft',
@@ -319,7 +343,7 @@
 'mpiuser',
 'mqadm',
 'musi[ck]bot',
- '(my?|pg)sq(ue)?l[0-9]*',
+ '(my?|pg)(sq(ue)?l|admin)[0-9]*',
 'mythtv',
 'nagios',
 'named',
@@ -343,6 +367,7 @@
 'notes',
 'nothing',
 'NpC',
+ 'ntps',
 'nux',
 'odoo',
 'odroid',
@@ -352,12 +377,14 @@
 'oozie',
 'openbravo',
 'openfire',
+ 'openerp',
 'openvpn',
 'operador',
 'operator',
 'ops(code)?',
 'oprofile',
- 'ora(cle|prod|vis)[0-9]*',
+ 'ora_?(cle|prod|root|vis)[0-9]*',
+ 'orbital',
 'osmc',
 'owncloud',
 'papernet',
@@ -370,10 +397,13 @@
 'platform',
 'play',
 'PlcmSpIp(PlcmSpIp)?',
+ 'plesk',
 'plex',
+ 'point',
 'polkitd?',
 'popd?3?',
 'popuser',
+ 'portal',
 'postfix',
 'p0stgr3s',
 'postgres',
@@ -382,11 +412,14 @@
 'print',
 'privoxy',
 'proba',
+ 'Prometheus',
 'proxy',
 'public',
 'puppet',
+ 'pwla',
 'qhsupport',
 'rabbit(mq)?',
+ 'radio',
 'radiusd?',
 'raspberry',
 'readonly',
@@ -394,16 +427,17 @@
 'recording',
 'redis',
 'redmine',
- 'remote',
+ 'remot[eo]',
 'reports',
 'riakcs',
- 'root[0-9]+',
+ 'root[0-9a-zA-Z]+',
 'rpc(user)?',
 'rpm',
 'RPM',
 'rtorrent',
 'rustserver',
 'sales[0-9]+',
+ 'samp',
 's?bin',
 'saslauth',
 'scan(n?er)?',
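Review bot: `'Prometheus'` in the `@@ -382,11 +412,14 @@` hunk is the only capitalised addition in a list that otherwise handles case explicitly (`'rpm'` and `'RPM'` are separate entries, and the first hunk writes `'[aA]dministr'`), so a lower-case `prometheus` probe would not be matched by it; if both forms are wanted, `'[pP]rometheus'` follows the existing convention. Separately, `'(my?|pg)(sq(ue)?l|admin)[0-9]*'` in the `@@ -319,7 +343,7 @@` hunk appears to match `madmin` (from `my?`) as well as `myadmin` and `pgadmin`, and `myadmin` is also produced by the `my` prefix of the `# User/admin/other` entry later in the file — harmless duplication, but a short comment on whichever entry is meant to own the admin variants would stop them drifting apart.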
@@ -414,7 +448,7 @@
 'serverpilot',
 'service',
 'setup',
- '(s|u|ams|admin|inss|pro|web)?ftp(d|[_-]?use?r|home|_?test|immo)?[0-9]*',
+ '(s|u|user|ams|admin|inss|pro|web)?ftp(d|[_-]?use?r|home|_?test|immo)?[0-9]*',
 'sftponly',
 'shell',
 'shop',
@@ -440,8 +474,9 @@
 'staffc',
 'steam(cmd)?',
 'store',
+ 'stream',
 'stunnel',
- 'superuser',
+ 'super(user)?',
 'suporte',
 'support',
 'svn(root|admin)?',
@@ -450,12 +485,15 @@
 'sysadmin',
 'system',
 'teamspeak[234]?(-?use?r)?',
+ 'telecom(admin)?',
 'telkom',
 'telnetd?',
 'te?mp(use?r)?[0-9]*',
 'test((er?|ing|ftp|man|linux|use?r|u)[0-9]*|[0-9]+)?',
+ 'ttest',
 '(test)?username',
 'text',
+ 'tiago',
 'tomcat',
 'tools',
 'toor',
@@ -465,16 +503,21 @@
 'ubnt',
 'unity',
 'universitaetsrechenzentrum', # University Computing Center
- 'upload[0-9]*',
+ 'unix',
+ 'uplink',
+ 'upload(er)?[0-9]*',
 'user[0-9]*',
 'USERID',
 'username',
 'usuario',
+ 'utente', # Italian user
 'uucp',
 'vagrant',
 'vbox',
 'ventrilo',
 'vhbackup',
+ 'video',
+ 'virtual',
 'virusalter',
 'vmadmin',
 'vmail',
@@ -484,8 +527,10 @@
 'wanadoo',
 'web',
 'webapp',
+ 'webdesign',
 'weblogic',
 'webmaster',
+ 'webmin',
 'webportal',
 'websync',
 'wiki',
@@ -507,10 +552,10 @@
 'zimbra',
 'zookeeper',
 # User/admin/other
- '(api|appl?|ats|cam|cat|db|imap|is|my|virtual|vpn)?(admin|dev|use?r|server|man|manager|mgr)[0-9]*',
- '(abc|account|git|info|redhat|samba|sshd|student|tomcat|ubuntu|web)[0-9]*',
+ '(bwair|api|appl?|ats|cam|cat|db|dev|file|imap|is|my|net|site|tech|virtual|vnc|vpn)?(admins?|app|dev|use?r|server|man|manager|mgr)[0-9]*',
+ '(abc|account|git|info|redhat|samba|sshd|student|teacher|tomcat|ubuntu|web)[0-9]*',
 # Names
- '(aaron|david|james|tom|victor)[0-9]*',
+ '(aaron|alexander|bill|david|james|sergio|thomas|timson|tom|victor|wang)[0-9]*',
 # And some passwords that turned up as usernames
 '1q2w3e4r',
 'abc123',
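Review bot: The rewritten `# User/admin/other` entry in the `@@ -507,10 +552,10 @@` hunk now pairs 18 optional prefixes with 8 suffixes, and because the prefix group is optional the suffixes `app`, `dev` and `man` also stand alone, so which of the 150-odd combinations are actually intended (`techman`? `fileapp`?) can no longer be read off the line. A comment above it naming the accounts it is meant to cover, e.g. `# <prefix>?(admin|user|server|...): dbadmin, vpnuser, fileserver, netmgr, ...`, or splitting it into one entry per suffix family, would keep the list reviewable. The stand-alone three-letter forms are already caught by `'[0-9a-zA-Z]{1,3}'` earlier in the list, so the change is harmless on its own; the `$bad_users` array closes outside this hunk.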