changeset 171:103a3630e9b2 puppet-3.6
Tighten up some Fail2Ban rules (including SSH probes with only insecure keys)
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Tue, 06 Feb 2018 20:42:49 +0000 |
parents | c1854fae7af1 |
children | 1af9fd04c285 |
files | common/fail2ban/ibb-postfix-spammers.conf common/fail2ban/ibb-postfix.conf common/fail2ban/ibb-sshd.conf common/fail2ban/jail.local manifests/templates.pp |
diffstat | 5 files changed, 37 insertions(+), 4 deletions(-) [+] |
--- a/common/fail2ban/ibb-postfix-spammers.conf Sun Sep 17 09:54:44 2017 +0100
+++ b/common/fail2ban/ibb-postfix-spammers.conf Tue Feb 06 20:42:49 2018 +0000
@@ -14,7 +14,8 @@
 # (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
 # Values: TEXT
 #
-failregex = reject: RCPT from (.*)\[<HOST>\]: 55[0-9] .* blocked using .*
+failregex = reject: RCPT from (.*)\[<HOST>\]: 55[0-9] .* (blocked using|DO NOT SCRAPE EMAIL ADDRESSES!) .*
+ reject: RCPT from ([^\[]*)\[<HOST>\]: 454 [^:]+: Relay access denied; from=<[^@]+@ibboard.co.uk>
 
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
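Review bot: The new relay-denied continuation line narrows the client-name group to `([^\[]*)`, but the rewritten first failregex in the same hunk keeps the greedy `(.*)` before `\[<HOST>\]`, so a log line whose client name itself contains `[` can be matched against the wrong bracket pair; use `([^\[]*)` in both patterns. The dots in `from=<[^@]+@ibboard.co.uk>` are also unescaped and match any character, so `ibboard\.co\.uk` pins the sender domain the rule is meant to catch.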
--- a/common/fail2ban/ibb-postfix.conf Sun Sep 17 09:54:44 2017 +0100
+++ b/common/fail2ban/ibb-postfix.conf Tue Feb 06 20:42:49 2018 +0000
@@ -15,7 +15,8 @@
 # Values: TEXT
 #
 failregex = reject: RCPT from (.*)\[<HOST>\]: 554
- reject: RCTP from (.*)\[<HOST>\]: 550 .* Recipient address rejected: Please see http://www.openspf.org/
+ reject: RCTP from ([^\[]*)\[<HOST>\]: 550 .* Recipient address rejected: Please see http://www.openspf.org/
+ reject: RCTP from ([^\[]*)\[<HOST>\]: 454 [^:]+: Relay access denied;
 
 # Option: ignoreregex
 # Notes.: regex to ignore. If this regex matches, the line is ignored.
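Review bot: The added 454 line (and the rewritten 550 line above it) match `reject: RCTP from`, but Postfix logs this as `RCPT from`, which is what the first failregex in this file and the ibb-postfix-spammers filter use; as written, neither continuation line can ever match, so the relay-denied bans this commit intends are never applied by this jail. Change both to `reject: RCPT from ([^\[]*)\[<HOST>\]: 550 .* Recipient address rejected: Please see http://www.openspf.org/` and `reject: RCPT from ([^\[]*)\[<HOST>\]: 454 [^:]+: Relay access denied;`. The typo pre-dates this commit, but the new line copies it rather than fixing it.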
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/common/fail2ban/ibb-sshd.conf Tue Feb 06 20:42:49 2018 +0000
@@ -0,0 +1,19 @@
+# Fail2Ban configuration file
+# Author: IBBoard
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+# host must be matched by a group named "host". The tag "<HOST>" can
+# be used for standard IP/hostname matching and is only an alias for
+# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = Unable to negotiate with <host> port [0-9]+: no matching host key type found. Their offer: ssh-rsa,ssh-dss \[preauth\]
+
+# Option: ignoreregex
+# Notes.: regex to ignore. If this regex matches, the line is ignored.
+# Values: TEXT
+#
+ignoreregex =
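Review bot: The failregex uses the lowercase tag `<host>`, whereas fail2ban substitutes the case-sensitive `<HOST>` tag (the comment block directly above spells it that way); left lowercase, the pattern carries no `host` group, so I would expect the filter to be rejected when the `ssh-key-ban` jail loads rather than silently never matching. The literal `.` after `found` should also be escaped so it does not match an arbitrary character. Suggested line: `failregex = Unable to negotiate with <HOST> port [0-9]+: no matching host key type found\. Their offer: ssh-rsa,ssh-dss \[preauth\]`.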
--- a/common/fail2ban/jail.local Sun Sep 17 09:54:44 2017 +0100
+++ b/common/fail2ban/jail.local Tue Feb 06 20:42:49 2018 +0000
@@ -6,11 +6,20 @@
 [ssh-firewall-ban]
 enabled = true
 filter = sshd
-action = firewall-ban[name=SSH,chain=Fail2Ban,port=22]
+action = firewall-ban[name=SSH,chain=Fail2Ban,port=222]
 logpath = /var/log/secure
 maxretry = 5
 bantime = 604800
 
+[ssh-key-ban]
+enabled = true
+filter = ibb-sshd
+action = firewall-ban[name=SSH,chain=Fail2Ban,port=222]
+logpath = /var/log/secure
+maxretry = 5
+bantime = 604800
+
+
 [apache-badbots]
 enabled = true
 filter = apache-badbots
@@ -41,7 +50,7 @@
 enabled = true
 maxretry = 2
 filter = ibb-repeat-offender
-action = firewall-ban[name=RepeatOffenders,chain=Fail2Ban,port="80,443,25,465"]
+action = firewall-ban[name=RepeatOffenders,chain=Fail2Ban,port="80,443,25,465,222"]
 logpath = /var/log/fail2ban.log
 findtime = 2592000
 bantime = 2592000
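Review bot: The new `[ssh-key-ban]` jail reuses `name=SSH` in its firewall-ban action, the same label the existing `[ssh-firewall-ban]` jail passes; if the action definition (not in this commit) uses `name` to label the chain or rules it manages, the two jails will share one rule set and a stop or unban in one can remove the other's entries. Give the second jail its own label, e.g. `action = firewall-ban[name=SSHKey,chain=Fail2Ban,port=222]`. The two blank lines added before `[apache-badbots]` are also one more than the single blank line the file uses between the other jails in this hunk.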
--- a/manifests/templates.pp Sun Sep 17 09:54:44 2017 +0100
+++ b/manifests/templates.pp Tue Feb 06 20:42:49 2018 +0000
@@ -373,6 +373,9 @@
 file { '/etc/fail2ban/filter.d/ibb-postfix.conf':
 source => 'puppet:///common/fail2ban/ibb-postfix.conf',
 }
+file { '/etc/fail2ban/filter.d/ibb-sshd.conf':
+source => 'puppet:///common/fail2ban/ibb-sshd.conf',
+}
 # Because one of our rules checks fail2ban's log, but the service dies without the file
 file { '/var/log/fail2ban.log':
 ensure => present,
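Review bot: The new file resource for ibb-sshd.conf, like the neighbouring ibb-postfix.conf resource, declares no relationship with the fail2ban service, so unless a subscribe or notify lives outside this hunk the filter (and the jail.local entry that references it) is only picked up on the next restart. If that relationship does not exist elsewhere, a `notify => Service['<fail2ban service resource>']` on the resource (with whatever name the service actually has) would make the deploy take effect immediately. The enclosing class or resource collection starts and ends outside this hunk.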