changeset 292:3e04f35dd0af

Turn Fail2ban setup into a module We now: * Don't have a large class outside a module * Build "bad SSH users" config from a list (easier to understand/see diffs in than a long line) * Use modern EPP files
author IBBoard <dev@ibboard.co.uk>
date Sat, 18 Jan 2020 15:17:03 +0000
parents d2ae0b786b49
children 55762b436f89
files common/fail2ban/apf.conf common/fail2ban/fail2ban.local common/fail2ban/ibb-apache-exploits-instaban.conf common/fail2ban/ibb-apache-shellshock.conf common/fail2ban/ibb-postfix-malicious.conf common/fail2ban/ibb-postfix-spammers.conf common/fail2ban/ibb-postfix.conf common/fail2ban/ibb-repeat-offender-ssh.conf common/fail2ban/ibb-repeat-offender.conf common/fail2ban/ibb-sshd-bad-user.conf common/fail2ban/ibb-sshd.conf common/fail2ban/jail.local manifests/templates.pp modules/fail2ban/files/apf.conf modules/fail2ban/files/fail2ban.local modules/fail2ban/files/ibb-apache-exploits-instaban.conf modules/fail2ban/files/ibb-apache-shellshock.conf modules/fail2ban/files/ibb-postfix-malicious.conf modules/fail2ban/files/ibb-postfix-spammers.conf modules/fail2ban/files/ibb-postfix.conf modules/fail2ban/files/ibb-repeat-offender-ssh.conf modules/fail2ban/files/ibb-repeat-offender.conf modules/fail2ban/files/ibb-sshd.conf modules/fail2ban/files/jail.local modules/fail2ban/manifests/init.pp modules/fail2ban/templates/ibb-sshd-bad-user.epp
diffstat 26 files changed, 685 insertions(+), 423 deletions(-) [+]
--- a/common/fail2ban/apf.conf	Sat Jan 18 14:40:05 2020 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,6 +0,0 @@
-[Definition]
-actionstart = 
-actionstop = 
-actioncheck = 
-actionban = /etc/apf/apf --deny <ip> Fail2Ban-<name>
-actionunban = /etc/apf/apf --remove <ip>
--- a/common/fail2ban/fail2ban.local	Sat Jan 18 14:40:05 2020 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,3 +0,0 @@
-[Definition]
-loglevel = NOTICE
-logtarget = /var/log/fail2ban.log
--- a/common/fail2ban/ibb-apache-exploits-instaban.conf	Sat Jan 18 14:40:05 2020 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,51 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: IBBoard
-
-[Definition]
-
-# Option:  failregex
-# Notes.:  regex to match the password failure messages in the logfile. The
-#          host must be matched by a group named "host". The tag "<HOST>" can
-#          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
-# Values:  TEXT
-#
-failregex =	^<HOST> .*"(?:GET|HEAD|POST) .*/proc/self/environ.*"
-		^<HOST> .*"(?:GET|HEAD|POST) /w00tw00t\.at\..+\:\).*"
-		^<HOST> .*"(?:GET|HEAD|POST) .*\?module=http(?:s)?:.*
-		^<HOST> .*"(?:GET|HEAD|POST) .*\?write.phpdir=http(?:s)?:.*
-		^<HOST> .*"(?:GET|HEAD|POST) .*\?src=http(?:s)?:.*
-		^<HOST> .*"(?:GET|HEAD|POST) .*ivrrecording.php.*"
-		^<HOST> .*"(?:GET|HEAD|POST) .*\?php=info&ip=uname.*"
-		^<HOST> .*"(?:GET|HEAD|POST) .*\?input_file=http(?:s)?://.*
-		^<HOST> .*"(?:GET|HEAD|POST) .*\?dir=http(?:s)?://.*
-		^<HOST> .*"(?:GET|HEAD|POST) .*\?f=http(?:s)?://.*
-		^<HOST> .*"(?:GET|HEAD|POST) .*([\+-]{5,})Result.*"
-		^<HOST> .*"(?:GET|HEAD|POST) .*onmousedown=%%22
-		^<HOST> .*"(?:GET|HEAD|POST) .*/bin/msgimport.*"
-		^<HOST> .* " " [2-5]
-		^<HOST> .*"(?:GET|HEAD|POST) .*//filemanager/.*"
-		^<HOST> .*"(?:GET|HEAD|POST) .*//php[Mm]y[Aa]dmin.*"
-		^<HOST> .*"(?:GET|HEAD|POST) .*///wp-content/themes/.*"
-		^<HOST> .*"(?:GET|HEAD|POST) .*\?[^"]+union(?:%%20|\+)select.*
-		^<HOST> .*"(?:GET|HEAD|POST) .*\?[[^"]+\+(?:and|or)\+(?:1|%%2[27][xy]%%2[27])%%3D(?:1|%%2[27][xy]%%2[27]).*
-		^<HOST> .*"(?:GET|HEAD|POST) .*\?[^"]+\?\?\?
-		^<HOST> .*"(?:GET|HEAD|POST) .*%%5BPLM=.*
-		^<HOST> .*"(?:GET|HEAD|POST) /config/[^\.]+\.php\?[^"]+&sid=[a-z0-9]+
-		^<HOST> .*\?.*(?:\.\./|%%2E%%2E%%2F){3,}.*%%00
-                ^<HOST> .*"\\x16\\x03\\x01"
-		^<HOST> .*"PROPFIND /[^%%/"]%%24
-		^<HOST> .*"(?:GET|HEAD|POST) /manager/status [^"]*" 404
-		^<HOST> .*"(?:GET|HEAD|POST) [^"]*allow_url_include%%3d1.*
-		^<HOST> .*"(?:GET|HEAD|POST) .*php://.*
-		^<HOST> .*"CONNECT
-		^<HOST> .*"POST "
-		^<HOST> .*"(?:GET|POST) /[^"]+\.php.*174\.123\.231\.2(?:29|30)
-		^<HOST> .*"(?:GET|HEAD|POST)[^"]+" 402
-
-# Option:  ignoreregex
-# Notes.:  regex to ignore. If this regex matches, the line is ignored.
-# Values:  TEXT
-#
-ignoreregex = 
--- a/common/fail2ban/ibb-apache-shellshock.conf	Sat Jan 18 14:40:05 2020 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,17 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: IBBoard
-
-[Definition]
-
-# Option:  failregex
-# Notes.:  regex to match Shellshock attempts against Apache
-# Values:  TEXT
-#
-failregex =	<HOST>.*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+
-
-# Option:  ignoreregex
-# Notes.:  regex to ignore. If this regex matches, the line is ignored.
-# Values:  TEXT
-#
-ignoreregex = 
--- a/common/fail2ban/ibb-postfix-malicious.conf	Sat Jan 18 14:40:05 2020 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,23 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-#
-# $Revision: 728 $
-#
-
-[Definition]
-
-# Option:  failregex
-# Notes.:  regex to match the password failures messages in the logfile. The
-#          host must be matched by a group named "host". The tag "<HOST>" can
-#          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
-# Values:  TEXT
-#
-failregex = warning: non-SMTP command from (.*)\[<HOST>\].*GET
-
-# Option:  ignoreregex
-# Notes.:  regex to ignore. If this regex matches, the line is ignored.
-# Values:  TEXT
-#
-ignoreregex = 
--- a/common/fail2ban/ibb-postfix-spammers.conf	Sat Jan 18 14:40:05 2020 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,24 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-#
-# $Revision: 728 $
-#
-
-[Definition]
-
-# Option:  failregex
-# Notes.:  regex to match the password failures messages in the logfile. The
-#          host must be matched by a group named "host". The tag "<HOST>" can
-#          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
-# Values:  TEXT
-#
-failregex = reject: RCPT from (.*)\[<HOST>\]: 55[0-9] .* (blocked using|DO NOT SCRAPE EMAIL ADDRESSES!) .*
-	reject: RCPT from ([^\[]*)\[<HOST>\]: 454 [^:]+: Relay access denied; from=<[^@]+@ibboard.co.uk>
-
-# Option:  ignoreregex
-# Notes.:  regex to ignore. If this regex matches, the line is ignored.
-# Values:  TEXT
-#
-ignoreregex = 
--- a/common/fail2ban/ibb-postfix.conf	Sat Jan 18 14:40:05 2020 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,25 +0,0 @@
-# Fail2Ban configuration file
-#
-# Author: Cyril Jaquier
-#
-# $Revision: 728 $
-#
-
-[Definition]
-
-# Option:  failregex
-# Notes.:  regex to match the password failures messages in the logfile. The
-#          host must be matched by a group named "host". The tag "<HOST>" can
-#          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
-# Values:  TEXT
-#
-failregex = reject: RCPT from (.*)\[<HOST>\]: 554
-	reject: RCTP from ([^\[]*)\[<HOST>\]: 550 .* Recipient address rejected: Please see http://www.openspf.org/
-	reject: RCTP from ([^\[]*)\[<HOST>\]: 454 [^:]+: Relay access denied;
-
-# Option:  ignoreregex
-# Notes.:  regex to ignore. If this regex matches, the line is ignored.
-# Values:  TEXT
-#
-ignoreregex = 
--- a/common/fail2ban/ibb-repeat-offender-ssh.conf	Sat Jan 18 14:40:05 2020 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,23 +0,0 @@
-# IBB-Repeat-Offender-SSH configuration file
-#
-# Author: Tom Hendrikx, minor modifications by Amir Caspi
-# See http://whyscream.net/wiki/index.php/Fail2ban_monitoring_Fail2ban
-# Renamed and adjusted by IBBoard for consistency
-#
-
-[Definition]
-
-# Option: failregex
-# Notes.: regex to match the password failures messages in the logfile. The
-#          host must be matched by a group named "host". The tag "<HOST>" can
-#          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
-# Values: TEXT
-#
-failregex = NOTICE\s+\[ssh-[^\]]+\]\s+Ban\s+<HOST>
-
-# Option:  ignoreregex
-# Notes.:  regex to ignore. If this regex matches, the line is ignored.
-# Values:  TEXT
-#
-#ignoreregex =
--- a/common/fail2ban/ibb-repeat-offender.conf	Sat Jan 18 14:40:05 2020 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,23 +0,0 @@
-# IBB-Repeat-Offender configuration file
-#
-# Author: Tom Hendrikx, minor modifications by Amir Caspi
-# See http://whyscream.net/wiki/index.php/Fail2ban_monitoring_Fail2ban
-# Renamed and adjusted by IBBoard for consistency
-#
-
-[Definition]
-
-# Option: failregex
-# Notes.: regex to match the password failures messages in the logfile. The
-#          host must be matched by a group named "host". The tag "<HOST>" can
-#          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
-# Values: TEXT
-#
-failregex = NOTICE\s+\[(?:.*)\]\s+Ban\s+<HOST>
-
-# Option:  ignoreregex
-# Notes.:  regex to ignore. If this regex matches, the line is ignored.
-# Values:  TEXT
-#
-ignoreregex = fail2ban.actions:\s+NOTICE\s+\[(ibb-repeat-offender|ssh-)[^\]]+\]\s+Ban\s+<HOST>
--- a/common/fail2ban/ibb-sshd-bad-user.conf	Sat Jan 18 14:40:05 2020 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,19 +0,0 @@
-# Fail2Ban configuration file
-# Author: IBBoard
-
-[Definition]
-
-# Option:  failregex
-# Notes.:  regex to match the password failures messages in the logfile. The
-#          host must be matched by a group named "host". The tag "<HOST>" can
-#          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
-# Values:  TEXT
-#
-failregex = Failed password for invalid user ([0-9]+|[0-9a-z][0-9a-z]?|([0-9a-z])\2{2,}|abc123|abused|adm|Admin|admin[0-9]+|administrateur|administracion|altibase|alumni|amavisd?|anwenderschnittstelle|anonymous|ansible|aptproxy|arkserver|asterisk|auser|avahi|avis|backlog|backup(s|er|pc|user)?|bf2|bitnami|bitrix|boinc|botmaster|build|buscador|cacti(user)?|catchall|cemergen|chef|cinema|clamav|cliente?[0-9]*|clouduser|com|comercial|control|couchdb|cpanel|create|cron|(cs(s|go|cz)|arma|mc|tf2?|sdtd|web|pz)se?rve?r?|cyrus[0-9]*|daemon|danger|debian(-spamd)?|default|dell|deploy(er)?|desktop|developer|devops|devteam|dietpi|django|dotblot|download|dovecot|easy|ec2-user|edu(cation)?[0-9]*|e-shop|engin(eer)?|esadmin|events|exports?|facebook|factorio|fax|filter|firebird|fuser|games|gdm|geniuz|ggc_user|ghost|git(olite?|blit|lab(_ci)?)?|gmail|gopher|guest|hacker|hadoop|harvard|helpdesk|home|host|httpd?|huawei|iceuser|imscp|info(rmix)?|java|jboss|jenkins|jira|jsboss|kafka|kodi|library|libsys|libuuid|linode|linux|login|logout|lynx|mailer|mailman|maintain|majordomo|man|mantis|marketing|master|membership|minecraft|modem|mongo(db|user)?|monitor|more|moher|mpiuser|musi[ck]bot|(my?|pg)sq(ue)?l|mythtv|nagios|nasa|netdump|netzplatz|newadmin|nexus|nfs|(nfs)?nobody|nginx|noc|nothing|NpC|nux|odoo|odroid|onyxeye|openbravo|openvpn|operador|operator|ops(code)?|oprofile|ora(cle|prod)|osmc|papernet|password|payments|pay_?pal|pentaho|PlcmSpIp(PlcmSpIp)?|popuser|postfix|postgres|postmaster|print|privoxy|proba|proxy|puppet|qhsupport|rabbit(mq)?|radiusd?|redis|redmine|riakcs|root[0-9]+|rpc(user)?|RPM|rtorrent|rustserver|sales[0-9]+|s?bin|(samba|sshd|git|student|tomcat|abc|web|info|(vpn|appl?|my|b)?(use?r|server|manager|mgr)|account)[0-9]*|saslauth|scaner|screen|search|setup|service|(s|u|ams|admin|inss|pro)?ftp(d|_?user|home|_?test)?[0-9]*|sftponly|shell|shop|sinusbot|smmsp|socket|software|solarus|splunk|squid|squirrelmail|sshusr|staffc|steam(cmd)?|store|superuser|support|svnroot|sysadmin|system|team
speak3?|telkom|temp|test((ing|ftp|man|use?r|u)[0-9]*|[0-9]+)?|(test)?username|text|tomcat|tools|toor|ts[23](se?rv(er)?|(musi[ck])?bot)?|tunstall|ubnt|ubuntu|upload|unity|USERID|user[0-9]*|usuario|uucp|vagrant|vbox|ventrilo|vhbackup|virusalter|vmadmin|vmail|vyatta|wanadoo|weblogic|webmaster|WinD3str0y|wine|wp-?user|write|www|(www|web|coin|fax|sys|db2|rsync|tc)-?(adm(in)?|run|user|data)|xbian|xbot|xoadmin|yahoo|yarn|zabbix|zimbra|zookeeper|0fordn1on@#\$%%\^&|P@\$\$w0rd|pass123?4?)? from <HOST> port [0-9]+ ssh2
-
-# Option:  ignoreregex
-# Notes.:  regex to ignore. If this regex matches, the line is ignored.
-# Values:  TEXT
-#
-ignoreregex = 
--- a/common/fail2ban/ibb-sshd.conf	Sat Jan 18 14:40:05 2020 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,19 +0,0 @@
-# Fail2Ban configuration file
-# Author: IBBoard
-
-[Definition]
-
-# Option:  failregex
-# Notes.:  regex to match the password failures messages in the logfile. The
-#          host must be matched by a group named "host". The tag "<HOST>" can
-#          be used for standard IP/hostname matching and is only an alias for
-#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
-# Values:  TEXT
-#
-failregex = Unable to negotiate with <HOST> port [0-9]+: no matching host key type found. Their offer: ssh-rsa,ssh-dss \[preauth\]
-
-# Option:  ignoreregex
-# Notes.:  regex to ignore. If this regex matches, the line is ignored.
-# Values:  TEXT
-#
-ignoreregex = 
--- a/common/fail2ban/jail.local	Sat Jan 18 14:40:05 2020 +0000
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,119 +0,0 @@
-# Disable ssh-iptables because some versions auto-enable it
-# and we want to use our own version (which may use non-iptables)
-[ssh-iptables]
-enabled = false
-
-[ssh-firewall-ban]
-enabled  = true
-filter   = sshd
-action   = firewall-ban[name=SSH,chain=Fail2Ban,port=222]
-logpath  = /var/log/secure
-maxretry = 3
-bantime  = 604800
-
-[ssh-user-instaban]
-enabled  = true
-filter   = ibb-sshd-bad-user
-action   = firewall-ban[name=SSH-Instaban,chain=Fail2Ban,port=222]
-logpath  = /var/log/secure
-maxretry = 1
-bantime  = 604800
-
-[ssh-key-ban]
-enabled  = true
-filter   = ibb-sshd
-action   = firewall-ban[name=SSH-Key,chain=Fail2Ban,port=222]
-logpath  = /var/log/secure
-maxretry = 3
-findtime = 604800
-bantime  = 604800
-
-
-[apache-badbots]
-enabled  = true
-filter   = apache-badbots
-action   = firewall-ban[name=ApacheBadBots,chain=Fail2Ban,port="80,443"]
-logpath  = /var/log/apache/access_*.log
-findtime = 604800
-bantime  = 604800
-
-[apache-instaban]
-enabled  = true
-maxretry = 1
-filter   = ibb-apache-exploits-instaban
-action   = firewall-ban[name=ApacheInstaban,chain=Fail2Ban,port="80,443"]
-logpath  = /var/log/apache/access_*.log
-findtime = 86400
-bantime  = 86400
-
-[apache-auth]
-enabled  = true
-maxretry = 5
-filter   = apache-auth
-action   = firewall-ban[name=ApacheAuth,chain=Fail2Ban,port="80,443"]
-logpath  = /var/log/apache/error_*.log
-findtime = 86400
-bantime  = 604800
-
-[repeat-offenders]
-enabled  = true
-maxretry = 2
-filter   = ibb-repeat-offender
-action   = firewall-ban[name=RepeatOffenders,chain=Fail2Ban,port="80,443,25,465"]
-logpath  = /var/log/fail2ban.log
-findtime = 2592000
-bantime  = 2592000
-
-[repeat-offenders-ssh]
-enabled  = true
-maxretry = 2
-filter   = ibb-repeat-offender-ssh
-action   = firewall-ban[name=RepeatOffendersSSH,chain=Fail2Ban,port="222"]
-logpath  = /var/log/fail2ban.log
-findtime = 2592000
-bantime  = 2592000
-
-[spam-email]
-enabled = true
-maxretry = 1
-filter = ibb-postfix-spammers
-action = firewall-ban[name=SpamEmail,chain=Fail2Ban,port="465,25"]
-logpath = /var/log/maillog
-findtime = 604800
-bantime  = 604800
-
-[mail-abuse]
-enabled = true
-maxretry = 1
-filter = ibb-postfix-malicious
-action = firewall-ban[name=MailAbuse,chain=Fail2Ban,port="465,25"]
-logpath = /var/log/maillog
-findtime = 604800
-bantime  = 604800
-
-[mail-rejected]
-enabled = true
-maxretry = 10
-filter = ibb-postfix
-action = firewall-ban[name=MailRejected,chain=Fail2Ban,port="465,25"]
-logpath = /var/log/maillog
-findtime = 604800
-bantime  = 604800
-
-[sasl]
-enabled = true
-maxretry = 10
-filter = postfix[mode=auth]
-action = firewall-ban[name=SASLFailures,chain=Fail2Ban,port="465,25"]
-logpath = /var/log/maillog
-findtime = 604800
-bantime  = 604800
-
-[shellshock]
-enabled = true
-maxretry = 1
-filter = ibb-apache-shellshock
-action = firewall-ban[name=Shellshock,chain=Fail2Ban,port="80,443"]
-logpath = /var/log/apache/access_*.log
-findtime = 604800
-bantime  = 604800
--- a/manifests/templates.pp	Sat Jan 18 14:40:05 2020 +0000
+++ b/manifests/templates.pp	Sat Jan 18 15:17:03 2020 +0000
@@ -337,77 +337,6 @@
 	}
 }
 
-class fail2ban (
-	$firewall_cmd,
-	) {
-	package { 'fail2ban':
-		ensure => installed,
-	}
-	service { 'fail2ban':
-		ensure => running,
-		enable => true
-	}
-	File {
-		ensure => present,
-		require => Package['fail2ban'],
-		notify => Service['fail2ban'],
-	}
-	file { '/etc/fail2ban/fail2ban.local':
-		source => 'puppet:///common/fail2ban/fail2ban.local',
-	}
-	file { '/etc/fail2ban/jail.local':
-		source => 'puppet:///common/fail2ban/jail.local',
-	}
-	file { '/etc/fail2ban/action.d/apf.conf':
-		source => 'puppet:///common/fail2ban/apf.conf',
-	}
-
-	if $firewall_cmd == 'iptables' {
-		$firewall_ban_cmd = 'iptables-multiport'
-	} else {
-		$firewall_ban_cmd = $firewall_cmd
-	}
-
-	file { '/etc/fail2ban/action.d/firewall-ban.conf':
-		ensure => link,
-		target => "/etc/fail2ban/action.d/${firewall_ban_cmd}.conf",
-	}
-	file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf':
-		source => 'puppet:///common/fail2ban/ibb-apache-exploits-instaban.conf',
-	}
-	file { '/etc/fail2ban/filter.d/ibb-apache-shellshock.conf':
-		source => 'puppet:///common/fail2ban/ibb-apache-shellshock.conf',
-	}
-	file { '/etc/fail2ban/filter.d/ibb-repeat-offender.conf':
-		source => 'puppet:///common/fail2ban/ibb-repeat-offender.conf',
-	}
-	file { '/etc/fail2ban/filter.d/ibb-repeat-offender-ssh.conf':
-		source => 'puppet:///common/fail2ban/ibb-repeat-offender-ssh.conf',
-	}
-	file { '/etc/fail2ban/filter.d/ibb-postfix-spammers.conf':
-		source => 'puppet:///common/fail2ban/ibb-postfix-spammers.conf',
-	}
-	file { '/etc/fail2ban/filter.d/ibb-postfix-malicious.conf':
-		source => 'puppet:///common/fail2ban/ibb-postfix-malicious.conf',
-	}
-	file { '/etc/fail2ban/filter.d/ibb-postfix.conf':
-		source => 'puppet:///common/fail2ban/ibb-postfix.conf',
-	}
-	file { '/etc/fail2ban/filter.d/ibb-sshd.conf':
-		source => 'puppet:///common/fail2ban/ibb-sshd.conf',
-	}
-	file { '/etc/fail2ban/filter.d/ibb-sshd-bad-user.conf':
-		source => 'puppet:///common/fail2ban/ibb-sshd-bad-user.conf',
-	}
-	# Because one of our rules checks fail2ban's log, but the service dies without the file
-	file { '/var/log/fail2ban.log':
-		ensure => present,
-		owner => 'root',
-		group => 'root',
-		mode => '0600',
-	}
-}
-
 #Our web server with our configs, not just a stock one
 class webserver (
 	$primary_ip,
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/apf.conf	Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,6 @@
+[Definition]
+actionstart = 
+actionstop = 
+actioncheck = 
+actionban = /etc/apf/apf --deny <ip> Fail2Ban-<name>
+actionunban = /etc/apf/apf --remove <ip>
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/fail2ban.local	Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,3 @@
+[Definition]
+loglevel = NOTICE
+logtarget = /var/log/fail2ban.log
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/ibb-apache-exploits-instaban.conf	Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,51 @@
+# Fail2Ban configuration file
+#
+# Author: IBBoard
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failure messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex =	^<HOST> .*"(?:GET|HEAD|POST) .*/proc/self/environ.*"
+		^<HOST> .*"(?:GET|HEAD|POST) /w00tw00t\.at\..+\:\).*"
+		^<HOST> .*"(?:GET|HEAD|POST) .*\?module=http(?:s)?:.*
+		^<HOST> .*"(?:GET|HEAD|POST) .*\?write.phpdir=http(?:s)?:.*
+		^<HOST> .*"(?:GET|HEAD|POST) .*\?src=http(?:s)?:.*
+		^<HOST> .*"(?:GET|HEAD|POST) .*ivrrecording.php.*"
+		^<HOST> .*"(?:GET|HEAD|POST) .*\?php=info&ip=uname.*"
+		^<HOST> .*"(?:GET|HEAD|POST) .*\?input_file=http(?:s)?://.*
+		^<HOST> .*"(?:GET|HEAD|POST) .*\?dir=http(?:s)?://.*
+		^<HOST> .*"(?:GET|HEAD|POST) .*\?f=http(?:s)?://.*
+		^<HOST> .*"(?:GET|HEAD|POST) .*([\+-]{5,})Result.*"
+		^<HOST> .*"(?:GET|HEAD|POST) .*onmousedown=%%22
+		^<HOST> .*"(?:GET|HEAD|POST) .*/bin/msgimport.*"
+		^<HOST> .* " " [2-5]
+		^<HOST> .*"(?:GET|HEAD|POST) .*//filemanager/.*"
+		^<HOST> .*"(?:GET|HEAD|POST) .*//php[Mm]y[Aa]dmin.*"
+		^<HOST> .*"(?:GET|HEAD|POST) .*///wp-content/themes/.*"
+		^<HOST> .*"(?:GET|HEAD|POST) .*\?[^"]+union(?:%%20|\+)select.*
+		^<HOST> .*"(?:GET|HEAD|POST) .*\?[[^"]+\+(?:and|or)\+(?:1|%%2[27][xy]%%2[27])%%3D(?:1|%%2[27][xy]%%2[27]).*
+		^<HOST> .*"(?:GET|HEAD|POST) .*\?[^"]+\?\?\?
+		^<HOST> .*"(?:GET|HEAD|POST) .*%%5BPLM=.*
+		^<HOST> .*"(?:GET|HEAD|POST) /config/[^\.]+\.php\?[^"]+&sid=[a-z0-9]+
+		^<HOST> .*\?.*(?:\.\./|%%2E%%2E%%2F){3,}.*%%00
+                ^<HOST> .*"\\x16\\x03\\x01"
+		^<HOST> .*"PROPFIND /[^%%/"]%%24
+		^<HOST> .*"(?:GET|HEAD|POST) /manager/status [^"]*" 404
+		^<HOST> .*"(?:GET|HEAD|POST) [^"]*allow_url_include%%3d1.*
+		^<HOST> .*"(?:GET|HEAD|POST) .*php://.*
+		^<HOST> .*"CONNECT
+		^<HOST> .*"POST "
+		^<HOST> .*"(?:GET|POST) /[^"]+\.php.*174\.123\.231\.2(?:29|30)
+		^<HOST> .*"(?:GET|HEAD|POST)[^"]+" 402
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
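Review bot: The `(?:and|or)` SQL-injection line of this failregex opens with `\?[[^"]+`, which is a character class of `[`, `^` and `"`, not the negated class `[^"]+` used on the `union…select` line above it. As written, the rule only matches when the query string consists of those three characters up to the `+and+`/`+or+` token. It should begin `\?[^"]+\+(?:and|or)\+`. The header comment still describes the option as matching "password failure messages"; `# Notes.:  regex to match exploit probes in the Apache access log` would describe this filter accurately. Running `fail2ban-regex` against a sample access log after the change would confirm every line still compiles and matches.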
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/ibb-apache-shellshock.conf	Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,17 @@
+# Fail2Ban configuration file
+#
+# Author: IBBoard
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match Shellshock attempts against Apache
+# Values:  TEXT
+#
+failregex =	<HOST>.*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
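Review bot: `<HOST>` is not anchored in this failregex, unlike the `^<HOST> ` form used on every line of ibb-apache-exploits-instaban.conf, so the pattern does not pin the banned address to the client-address field at the start of the access-log line. The rest of the line (request, Referer, User-Agent) is written by the remote client, so the anchored form is the safer one: `failregex = ^<HOST> .*\(\s*\)\s*\{[^"]*\}\s*\;[^"]+`. This assumes the log format starts with the client address, as the instaban filter already does. The failregex in ibb-sshd.conf is likewise unanchored and would benefit from being tied to the start of the sshd message.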
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/ibb-postfix-malicious.conf	Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,23 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+# $Revision: 728 $
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = warning: non-SMTP command from (.*)\[<HOST>\].*GET
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
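Review bot: The greedy `(.*)` in front of `\[<HOST>\]` lets the match slide to the last bracketed address on the line. Everything after Postfix's own `name[address]` field is the command text sent by the remote client, so the banned address can come from client-supplied text rather than from the connecting peer. jail.local uses this filter with `maxretry = 1`, so a single such line is enough to trigger a week-long ban. Restricting the hostname part and tying `GET` to the start of the command closes that gap: `failregex = warning: non-SMTP command from [^\[\s]+\[<HOST>\]: GET`. The same `(.*)\[<HOST>\]` prefix is on the first failregex line of ibb-postfix-spammers.conf and of ibb-postfix.conf, where `[^\[]*` (already used on their later lines) is the safer form.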
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/ibb-postfix-spammers.conf	Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,24 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+# $Revision: 728 $
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = reject: RCPT from (.*)\[<HOST>\]: 55[0-9] .* (blocked using|DO NOT SCRAPE EMAIL ADDRESSES!) .*
+	reject: RCPT from ([^\[]*)\[<HOST>\]: 454 [^:]+: Relay access denied; from=<[^@]+@ibboard.co.uk>
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/ibb-postfix.conf	Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,25 @@
+# Fail2Ban configuration file
+#
+# Author: Cyril Jaquier
+#
+# $Revision: 728 $
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = reject: RCPT from (.*)\[<HOST>\]: 554
+	reject: RCTP from ([^\[]*)\[<HOST>\]: 550 .* Recipient address rejected: Please see http://www.openspf.org/
+	reject: RCTP from ([^\[]*)\[<HOST>\]: 454 [^:]+: Relay access denied;
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
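Review bot: The second and third failregex lines spell the SMTP verb as `RCTP`, so they cannot match Postfix's `reject: RCPT from …` log lines. The SPF-rejection and relay-denied rules therefore never count a failure. Both should start `reject: RCPT from ([^\[]*)\[<HOST>\]: `. The dots in `http://www.openspf.org/` are also unescaped; that only loosens the match, but `www\.openspf\.org` states the intent.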
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/ibb-repeat-offender-ssh.conf	Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,23 @@
+# IBB-Repeat-Offender-SSH configuration file
+#
+# Author: Tom Hendrikx, minor modifications by Amir Caspi
+# See http://whyscream.net/wiki/index.php/Fail2ban_monitoring_Fail2ban
+# Renamed and adjusted by IBBoard for consistency
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = NOTICE\s+\[ssh-[^\]]+\]\s+Ban\s+<HOST>
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+#ignoreregex =
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/ibb-repeat-offender.conf	Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,23 @@
+# IBB-Repeat-Offender configuration file
+#
+# Author: Tom Hendrikx, minor modifications by Amir Caspi
+# See http://whyscream.net/wiki/index.php/Fail2ban_monitoring_Fail2ban
+# Renamed and adjusted by IBBoard for consistency
+#
+
+[Definition]
+
+# Option: failregex
+# Notes.: regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values: TEXT
+#
+failregex = NOTICE\s+\[(?:.*)\]\s+Ban\s+<HOST>
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = fail2ban.actions:\s+NOTICE\s+\[(ibb-repeat-offender|ssh-)[^\]]+\]\s+Ban\s+<HOST>
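Review bot: The ignoreregex excludes jails whose names start with `ibb-repeat-offender` or `ssh-`, but jail.local names the jails that use these filters `[repeat-offenders]` and `[repeat-offenders-ssh]`. Their own `Ban` lines in /var/log/fail2ban.log are therefore not ignored and are counted by the `repeat-offenders` jail again. If the intent is to skip the jail's own bans, the alternation should use the jail name rather than the filter name, e.g. `\[(repeat-offenders|ssh-)[^\]]*\]`. The literal `fail2ban.actions:` prefix also depends on the log format of the installed fail2ban version, so it is worth checking with `fail2ban-regex` against the real log.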
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/ibb-sshd.conf	Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,19 @@
+# Fail2Ban configuration file
+# Author: IBBoard
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = Unable to negotiate with <HOST> port [0-9]+: no matching host key type found. Their offer: ssh-rsa,ssh-dss \[preauth\]
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex = 
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/files/jail.local	Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,119 @@
+# Disable ssh-iptables because some versions auto-enable it
+# and we want to use our own version (which may use non-iptables)
+[ssh-iptables]
+enabled = false
+
+[ssh-firewall-ban]
+enabled  = true
+filter   = sshd
+action   = firewall-ban[name=SSH,chain=Fail2Ban,port=222]
+logpath  = /var/log/secure
+maxretry = 3
+bantime  = 604800
+
+[ssh-user-instaban]
+enabled  = true
+filter   = ibb-sshd-bad-user
+action   = firewall-ban[name=SSH-Instaban,chain=Fail2Ban,port=222]
+logpath  = /var/log/secure
+maxretry = 1
+bantime  = 604800
+
+[ssh-key-ban]
+enabled  = true
+filter   = ibb-sshd
+action   = firewall-ban[name=SSH-Key,chain=Fail2Ban,port=222]
+logpath  = /var/log/secure
+maxretry = 3
+findtime = 604800
+bantime  = 604800
+
+
+[apache-badbots]
+enabled  = true
+filter   = apache-badbots
+action   = firewall-ban[name=ApacheBadBots,chain=Fail2Ban,port="80,443"]
+logpath  = /var/log/apache/access_*.log
+findtime = 604800
+bantime  = 604800
+
+[apache-instaban]
+enabled  = true
+maxretry = 1
+filter   = ibb-apache-exploits-instaban
+action   = firewall-ban[name=ApacheInstaban,chain=Fail2Ban,port="80,443"]
+logpath  = /var/log/apache/access_*.log
+findtime = 86400
+bantime  = 86400
+
+[apache-auth]
+enabled  = true
+maxretry = 5
+filter   = apache-auth
+action   = firewall-ban[name=ApacheAuth,chain=Fail2Ban,port="80,443"]
+logpath  = /var/log/apache/error_*.log
+findtime = 86400
+bantime  = 604800
+
+[repeat-offenders]
+enabled  = true
+maxretry = 2
+filter   = ibb-repeat-offender
+action   = firewall-ban[name=RepeatOffenders,chain=Fail2Ban,port="80,443,25,465"]
+logpath  = /var/log/fail2ban.log
+findtime = 2592000
+bantime  = 2592000
+
+[repeat-offenders-ssh]
+enabled  = true
+maxretry = 2
+filter   = ibb-repeat-offender-ssh
+action   = firewall-ban[name=RepeatOffendersSSH,chain=Fail2Ban,port="222"]
+logpath  = /var/log/fail2ban.log
+findtime = 2592000
+bantime  = 2592000
+
+[spam-email]
+enabled = true
+maxretry = 1
+filter = ibb-postfix-spammers
+action = firewall-ban[name=SpamEmail,chain=Fail2Ban,port="465,25"]
+logpath = /var/log/maillog
+findtime = 604800
+bantime  = 604800
+
+[mail-abuse]
+enabled = true
+maxretry = 1
+filter = ibb-postfix-malicious
+action = firewall-ban[name=MailAbuse,chain=Fail2Ban,port="465,25"]
+logpath = /var/log/maillog
+findtime = 604800
+bantime  = 604800
+
+[mail-rejected]
+enabled = true
+maxretry = 10
+filter = ibb-postfix
+action = firewall-ban[name=MailRejected,chain=Fail2Ban,port="465,25"]
+logpath = /var/log/maillog
+findtime = 604800
+bantime  = 604800
+
+[sasl]
+enabled = true
+maxretry = 10
+filter = postfix[mode=auth]
+action = firewall-ban[name=SASLFailures,chain=Fail2Ban,port="465,25"]
+logpath = /var/log/maillog
+findtime = 604800
+bantime  = 604800
+
+[shellshock]
+enabled = true
+maxretry = 1
+filter = ibb-apache-shellshock
+action = firewall-ban[name=Shellshock,chain=Fail2Ban,port="80,443"]
+logpath = /var/log/apache/access_*.log
+findtime = 604800
+bantime  = 604800
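Review bot: This file sets no `ignoreip`, yet five jails ban on a single matching line (`maxretry = 1`) for a day to a week, and the repeat-offender jails ban for 30 days. A false positive from an administrator's or monitoring host's address means a long lockout unless the distribution's jail.conf already allowlists it. A `[DEFAULT]` section with `ignoreip = 127.0.0.1/8 <ADMIN_ADDRESS_PLACEHOLDER>` would make the allowlist explicit and reviewable. `[ssh-firewall-ban]` and `[ssh-user-instaban]` are also the only enabled jails without `findtime`, so they silently inherit the default; setting it explicitly, plus a comment such as `# times are in seconds: 86400 = 1 day, 604800 = 7 days, 2592000 = 30 days`, would make the policy readable from this file alone.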
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/manifests/init.pp	Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,332 @@
+class fail2ban (
+	$firewall_cmd,
+	) {
+	package { 'fail2ban':
+		ensure => installed,
+	}
+	service { 'fail2ban':
+		ensure => running,
+		enable => true
+	}
+	File<| tag == 'fail2ban' |> {
+		ensure => present,
+		require => Package['fail2ban'],
+		notify => Service['fail2ban'],
+	}
+	file { '/etc/fail2ban/fail2ban.local':
+		source => 'puppet:///modules/fail2ban/fail2ban.local',
+	}
+	file { '/etc/fail2ban/jail.local':
+		source => 'puppet:///modules/fail2ban/jail.local',
+	}
+	file { '/etc/fail2ban/action.d/apf.conf':
+		source => 'puppet:///modules/fail2ban/apf.conf',
+	}
+
+	if $firewall_cmd == 'iptables' {
+		$firewall_ban_cmd = 'iptables-multiport'
+	} else {
+		$firewall_ban_cmd = $firewall_cmd
+	}
+
+	file { '/etc/fail2ban/action.d/firewall-ban.conf':
+		ensure => link,
+		target => "/etc/fail2ban/action.d/${firewall_ban_cmd}.conf",
+	}
+	file { '/etc/fail2ban/filter.d/ibb-apache-exploits-instaban.conf':
+		source => 'puppet:///modules/fail2ban/ibb-apache-exploits-instaban.conf',
+	}
+	file { '/etc/fail2ban/filter.d/ibb-apache-shellshock.conf':
+		source => 'puppet:///modules/fail2ban/ibb-apache-shellshock.conf',
+	}
+	file { '/etc/fail2ban/filter.d/ibb-repeat-offender.conf':
+		source => 'puppet:///modules/fail2ban/ibb-repeat-offender.conf',
+	}
+	file { '/etc/fail2ban/filter.d/ibb-repeat-offender-ssh.conf':
+		source => 'puppet:///modules/fail2ban/ibb-repeat-offender-ssh.conf',
+	}
+	file { '/etc/fail2ban/filter.d/ibb-postfix-spammers.conf':
+		source => 'puppet:///modules/fail2ban/ibb-postfix-spammers.conf',
+	}
+	file { '/etc/fail2ban/filter.d/ibb-postfix-malicious.conf':
+		source => 'puppet:///modules/fail2ban/ibb-postfix-malicious.conf',
+	}
+	file { '/etc/fail2ban/filter.d/ibb-postfix.conf':
+		source => 'puppet:///modules/fail2ban/ibb-postfix.conf',
+	}
+	file { '/etc/fail2ban/filter.d/ibb-sshd.conf':
+		source => 'puppet:///modules/fail2ban/ibb-sshd.conf',
+	}
+
+	$bad_users = [
+		'[0-9]+',
+		'[0-9a-z][0-9a-z]?',
+		'([0-9a-z])\2{2,}',
+		'abc123',
+		'abused',
+		'adm',
+		'Admin',
+		'admin[0-9]+',
+		'administrateur',
+		'administracion',
+		'altibase',
+		'alumni',
+		'amavisd?',
+		'anwenderschnittstelle',
+		'anonymous',
+		'ansible',
+		'aptproxy',
+		'arkserver',
+		'asterisk',
+		'auser',
+		'avahi',
+		'avis',
+		'backlog',
+		'backup(s|er|pc|user)?',
+		'bf2',
+		'bitnami',
+		'bitrix',
+		'boinc',
+		'botmaster',
+		'build',
+		'buscador',
+		'cacti(user)?',
+		'catchall',
+		'cemergen',
+		'chef',
+		'cinema',
+		'clamav',
+		'cliente?[0-9]*',
+		'clouduser',
+		'com',
+		'comercial',
+		'control',
+		'couchdb',
+		'cpanel',
+		'create',
+		'cron',
+		'(cs(s|go|cz)|arma|mc|tf2?|sdtd|web|pz)se?rve?r?',
+		'cyrus[0-9]*',
+		'daemon',
+		'danger',
+		'debian(-spamd)?',
+		'default',
+		'dell',
+		'deploy(er)?',
+		'desktop',
+		'developer',
+		'devops',
+		'devteam',
+		'dietpi',
+		'django',
+		'dotblot',
+		'download',
+		'dovecot',
+		'easy',
+		'ec2-user',
+		'edu(cation)?[0-9]*',
+		'e-shop',
+		'engin(eer)?',
+		'esadmin',
+		'events',
+		'exports?',
+		'facebook',
+		'factorio',
+		'fax',
+		'filter',
+		'firebird',
+		'fuser',
+		'games',
+		'gdm',
+		'geniuz',
+		'ggc_user',
+		'ghost',
+		'git(olite?|blit|lab(_ci)?)?',
+		'gmail',
+		'gopher',
+		'guest',
+		'hacker',
+		'hadoop',
+		'harvard',
+		'helpdesk',
+		'home',
+		'host',
+		'httpd?',
+		'huawei',
+		'iceuser',
+		'imscp',
+		'info(rmix)?',
+		'java',
+		'jboss',
+		'jenkins',
+		'jira',
+		'jsboss',
+		'kafka',
+		'kodi',
+		'library',
+		'libsys',
+		'libuuid',
+		'linode',
+		'linux',
+		'login',
+		'logout',
+		'lynx',
+		'mailer',
+		'mailman',
+		'maintain',
+		'majordomo',
+		'man',
+		'mantis',
+		'marketing',
+		'master',
+		'membership',
+		'minecraft',
+		'modem',
+		'mongo(db|user)?',
+		'monitor',
+		'more',
+		'moher',
+		'mpiuser',
+		'musi[ck]bot',
+		'(my?|pg)sq(ue)?l',
+		'mythtv',
+		'nagios',
+		'nasa',
+		'netdump',
+		'netzplatz',
+		'newadmin',
+		'nexus',
+		'nfs',
+		'(nfs)?nobody',
+		'nginx',
+		'noc',
+		'nothing',
+		'NpC',
+		'nux',
+		'odoo',
+		'odroid',
+		'onyxeye',
+		'openbravo',
+		'openvpn',
+		'operador',
+		'operator',
+		'ops(code)?',
+		'oprofile',
+		'ora(cle|prod)',
+		'osmc',
+		'papernet',
+		'password',
+		'payments',
+		'pay_?pal',
+		'pentaho',
+		'PlcmSpIp(PlcmSpIp)?',
+		'popuser',
+		'postfix',
+		'postgres',
+		'postmaster',
+		'print',
+		'privoxy',
+		'proba',
+		'proxy',
+		'puppet',
+		'qhsupport',
+		'rabbit(mq)?',
+		'radiusd?',
+		'redis',
+		'redmine',
+		'riakcs',
+		'root[0-9]+',
+		'rpc(user)?',
+		'RPM',
+		'rtorrent',
+		'rustserver',
+		'sales[0-9]+',
+		's?bin',
+		'(samba|sshd|git|student|tomcat|abc|web|info|(vpn|appl?|my|b)?(use?r|server|manager|mgr)|account)[0-9]*',
+		'saslauth',
+		'scaner',
+		'screen',
+		'search',
+		'setup',
+		'service',
+		'(s|u|ams|admin|inss|pro)?ftp(d|_?user|home|_?test)?[0-9]*',
+		'sftponly',
+		'shell',
+		'shop',
+		'sinusbot',
+		'smmsp',
+		'socket',
+		'software',
+		'solarus',
+		'splunk',
+		'squid',
+		'squirrelmail',
+		'sshusr',
+		'staffc',
+		'steam(cmd)?',
+		'store',
+		'superuser',
+		'support',
+		'svnroot',
+		'sysadmin',
+		'system',
+		'teamspeak3?',
+		'telkom',
+		'temp',
+		'test((ing|ftp|man|use?r|u)[0-9]*|[0-9]+)?',
+		'(test)?username',
+		'text',
+		'tomcat',
+		'tools',
+		'toor',
+		'ts[23](se?rv(er)?|(musi[ck])?bot)?',
+		'tunstall',
+		'ubnt',
+		'ubuntu',
+		'upload',
+		'unity',
+		'USERID',
+		'user[0-9]*',
+		'usuario',
+		'uucp',
+		'vagrant',
+		'vbox',
+		'ventrilo',
+		'vhbackup',
+		'virusalter',
+		'vmadmin',
+		'vmail',
+		'vyatta',
+		'wanadoo',
+		'weblogic',
+		'webmaster',
+		'WinD3str0y',
+		'wine',
+		'wp-?user',
+		'write',
+		'www',
+		'(www|web|coin|fax|sys|db2|rsync|tc)-?(adm(in)?|run|user|data)',
+		'xbian',
+		'xbot',
+		'xoadmin',
+		'yahoo',
+		'yarn',
+		'zabbix',
+		'zimbra',
+		'zookeeper',
+		'0fordn1on@#\$%%\^&',
+		'P@\$\$w0rd',
+		'pass123?4?'
+	]
+
+	file { '/etc/fail2ban/filter.d/ibb-sshd-bad-user.conf':
+		content => epp('fail2ban/ibb-sshd-bad-user.epp', { 'bad_users' => $bad_users }),
+	}
+	# Because one of our rules checks fail2ban's log, but the service dies without the file
+	file { '/var/log/fail2ban.log':
+		ensure => present,
+		owner => 'root',
+		group => 'root',
+		mode => '0600',
+	}
+}
\ No newline at end of file
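Review bot: The `$bad_users` entry `'([0-9a-z])\2{2,}'` uses a numbered backreference that is only correct because the template wraps the joined list in one outer group and no earlier entry contains parentheses. Adding a parenthesised entry above it would silently change what `\2` refers to, and this list is meant to be edited often. A comment above the entry would protect the next edit, for example `# \2 is this entry's own group (the template's outer group is 1); keep it above any entry that has parentheses`. Separately, `$firewall_cmd` is untyped and is interpolated into the symlink target of `firewall-ban.conf`, so a typo gives a dangling link and fail2ban presumably cannot load the `firewall-ban` action that every jail uses. Declaring it as `Pattern[/\A[\w-]+\z/] $firewall_cmd,` would at least reject path characters when the catalog is compiled.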
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/modules/fail2ban/templates/ibb-sshd-bad-user.epp	Sat Jan 18 15:17:03 2020 +0000
@@ -0,0 +1,20 @@
+<%- | Array $bad_users | -%>
+# Fail2Ban configuration file
+# Author: IBBoard
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = Failed password for invalid user (<%= join($bad_users, '|') %>)? from <HOST> port [0-9]+ ssh2
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
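Review bot: The `failregex` line has no end-of-line anchor, so anything after the first `ssh2` is ignored and `<HOST>` is taken from the first ` from … port` sequence in the message. The user name in that sshd message is chosen by the remote client, so a ban could be attributed to an address embedded in the user name rather than to the connecting address. Ending the pattern with `ssh2\s*$` makes such lines fail to match, assuming sshd on these hosts logs nothing after `ssh2` for password failures. The parameter could also be declared `Array[String[1]] $bad_users` so that an empty element cannot add an empty alternative to the group.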