changeset 297:4f7315d7e869

Blacklist LOTS of usernames. These came from a period when Fail2ban was temporarily dead and one IP made over 1300 login requests!
author IBBoard <dev@ibboard.co.uk>
date Sun, 09 Feb 2020 20:31:12 +0000
parents 2f4d0ea4cb55
children 61e90445c899
files modules/fail2ban/manifests/init.pp
diffstat 1 files changed, 117 insertions(+), 27 deletions(-) [+]
--- a/modules/fail2ban/manifests/init.pp	Sun Feb 09 14:50:14 2020 +0000
+++ b/modules/fail2ban/manifests/init.pp	Sun Feb 09 20:31:12 2020 +0000
@@ -59,16 +59,15 @@
 	}
 
 	$bad_users = [
+		'[^0-9a-zA-Z]+',
 		'[0-9]+',
-		'[0-9a-z][0-9a-z]?',
+		'[0-9a-zA-Z]{1,3}',
 		'([0-9a-z])\2{2,}',
-		'abc123',
 		'abused',
 		'adm',
 		'Admin',
-		'admin[0-9]+',
-		'administrateur',
-		'administracion',
+		'admins?[0-9]+',
+		'administr[a-z]+', # administracion, administrador, administradorweb, administrator, etc
 		'admissions',
 		'altibase',
 		'alumni',
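Review bot: The new catch-all `'[0-9a-zA-Z]{1,3}'` (widened from the two-character `'[0-9a-z][0-9a-z]?'`) treats any one- to three-character username as a bad user, which only behaves as intended if the generated filter anchors each alternative; that was already assumed by the old pattern, but it is decided by the template behind ibb-sshd-bad-user.conf, which is outside this diff, so it is worth confirming there. It also subsumes every literal three-character entry the list keeps or adds elsewhere — `'adm'` in this hunk, and `'cgi'`, `'rpm'` and `'tss'` in the later hunks — which could be dropped so the list reflects what actually matches. Before deploying, check that no legitimate local account has a name of three characters or fewer, since a real user mistyping a password would now count as a bad-user hit rather than an ordinary failed login. The two new catch-alls would also benefit from the same trailing comment style used on the `administr[a-z]+` line, e.g. `'[^0-9a-zA-Z]+', # names made only of punctuation or symbols`. The `$bad_users` array opened here continues through the following hunks.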
@@ -78,26 +77,39 @@
 		'anonymous',
 		'ansible',
 		'aptproxy',
-		'arkserver',
+		'apt-mirror',
+		'ark(server)?',
 		'asterisk',
+		'audio',
 		'auser',
+		'autologin',
 		'avahi',
 		'avis',
 		'backlog',
 		'backup(s|er|pc|user)?',
+		'bash',
+		'beagleindex',
 		'bf2',
+		'bitbucket',
 		'bitcoin',
 		'bitnami',
 		'bitrix',
+		'blog',
 		'boinc',
 		'botmaster',
 		'build',
 		'buscador',
 		'cacti(user)?',
+		'carrerasoft',
 		'catchall',
+		'celery',
 		'cemergen',
+		'centos',
 		'chef',
+		'cgi',
+		'chromeuser',
 		'cinema',
+		'cisco',
 		'clamav',
 		'cliente?[0-9]*',
 		'clouduser',
@@ -108,28 +120,41 @@
 		'cpanel',
 		'create',
 		'cron',
-		'(cs(s|go|cz)|arma|mc|tf2?|sdtd|web|pz)se?rve?r?',
+		'(cs(s|go|cz)|arma|mc|tf2?|sdtd|web|pz)-?se?rve?r?',
+		'cs-?go1?',
+		'CumulusLinux!',
 		'cyrus[0-9]*',
 		'daemon',
 		'danger',
+		'darwin',
+		'dasuse?r',
+		'data',
 		'debian(-spamd)?',
 		'default',
 		'dell',
-		'deploy(er)?',
+		'deploy(er)?[0-9]*',
 		'desktop',
 		'developer',
+		'devdata',
 		'devops',
 		'devteam',
 		'dietpi',
+		'discordbot',
+		'disklessadmin',
 		'django',
+		'dmarc',
+		'dockeruser',
 		'dotblot',
 		'download',
 		'dovecot',
+		'dovenull',
 		'duplicity',
 		'easy',
 		'ec2-user',
+		'ecquser',
 		'edu(cation)?[0-9]*',
 		'e-shop',
+		'elastic',
 		'elsearch',
 		'engin(eer)?',
 		'esadmin',
@@ -138,52 +163,71 @@
 		'facebook',
 		'factorio',
 		'fax',
+		'fcweb',
+		'fetchmail',
 		'filter',
 		'firebird',
+		'firefox',
 		'fuser',
 		'games',
 		'gdm',
 		'geniuz',
+		'getmail',
 		'ggc_user',
 		'ghost',
-		'git(olite?|blit|lab(_ci)?)?',
+		'git(olite?|blit|lab(_ci)?|admi?n?|use?r)?',
 		'gmail',
 		'gmodserver',
 		'gnuhealth',
 		'gopher',
+		'government',
 		'guest',
 		'hacker',
 		'hadoop',
+		'haldaemon',
 		'harvard',
+		'hduser',
+		'headmaster',
 		'helpdesk',
 		'home',
 		'host',
 		'httpd?',
 		'httpfs',
 		'huawei',
+		'iamroot',
 		'iceuser',
 		'imscp',
-		'info(rmix)?',
+		'info(rmix)?[0-9]*',
+		'installer',
+		'inventario',
 		'java',
 		'jboss',
 		'jenkins',
 		'jira',
+		'jmeter',
 		'jsboss',
+		'juniper',
 		'kafka',
 		'kodi',
 		'kms',
+		'legacy',
 		'library',
 		'libsys',
 		'libuuid',
 		'linode',
 		'linux',
 		'localadmin',
+		'logcheck',
 		'login',
 		'logout',
 		'logstash',
+		'logview(er)?',
+		'lsfadmin',
 		'lynx',
+		'magento',
 		'mailer',
 		'mailman',
+		'mailtest',
 		'maintain',
 		'majordomo',
 		'man',
@@ -192,34 +236,46 @@
 		'marketing',
 		'master',
 		'membership',
+		'messagebus',
 		'minecraft',
 		'modem',
 		'mongo(db|user)?',
-		'monitor',
+		'monitor(ing)?',
 		'more',
 		'moher',
 		'mpiuser',
+		'mqadm',
 		'musi[ck]bot',
-		'(my?|pg)sq(ue)?l',
+		'(my?|pg)sq(ue)?l[0-9]*',
 		'mythtv',
 		'nagios',
+		'named',
 		'nasa',
 		'ncs',
+		'nessus',
+		'netadmin',
+		'netdiag',
 		'netdump',
+		'network',
 		'netzplatz',
 		'newadmin',
 		'newuser',
 		'nexus',
+		'nfinity',
 		'nfs',
 		'(nfs)?nobody',
 		'nginx',
 		'noc',
+		'node',
 		'nothing',
 		'NpC',
 		'nux',
 		'odoo',
 		'odroid',
+		'office',
+		'omsagent',
 		'onyxeye',
+		'oozie',
 		'openbravo',
 		'openfire',
 		'openvpn',
@@ -227,20 +283,26 @@
 		'operator',
 		'ops(code)?',
 		'oprofile',
-		'ora(cle|prod)[0-9]*',
+		'ora(cle|prod|vis)[0-9]*',
 		'osmc',
 		'owncloud',
 		'papernet',
-		'password',
+		'passwo?r?d',
 		'payments',
 		'pay_?pal',
 		'pdfbox',
 		'pentaho',
+		'php[0-9]*',
+		'platform',
 		'PlcmSpIp(PlcmSpIp)?',
+		'plex',
+		'popd?3?',
 		'popuser',
 		'postfix',
+		'p0stgr3s',
 		'postgres',
 		'postmaster',
+		'pptpd',
 		'print',
 		'privoxy',
 		'proba',
@@ -250,64 +312,81 @@
 		'qhsupport',
 		'rabbit(mq)?',
 		'radiusd?',
+		'readonly',
+		'reboot',
+		'recording',
 		'redis',
 		'redmine',
+		'remote',
+		'reports',
 		'riakcs',
 		'root[0-9]+',
 		'rpc(user)?',
+		'rpm',
 		'RPM',
 		'rtorrent',
 		'rustserver',
 		'sales[0-9]+',
 		's?bin',
-		'(samba|sshd|git|student|tomcat|abc|web|info|(vpn|appl?|my|db)?(use?r|server|manager|mgr)|account)[0-9]*',
+		'(samba|sshd|git|student|tomcat|abc|web|info|(vpn|appl?|my|db)?(dev|use?r|server|man|manager|mgr)|account)[0-9]*',
 		'saslauth',
-		'scaner',
+		'scan(n?er)?',
 		'screen',
 		'search',
+		'sekretariat',
 		'setup',
 		'serverpilot',
 		'service',
-		'(s|u|ams|admin|inss|pro|web)?ftp(d|_?use?r|home|_?test)?[0-9]*',
+		'(s|u|ams|admin|inss|pro|web)?ftp(d|[_-]?use?r|home|_?test|immo)?[0-9]*',
 		'sftponly',
 		'shell',
 		'shop',
-		'sinusbot',
+		'sinusbot[0-9]*',
+		'smbguest',
+		'smbuse?r',
 		'smmsp',
 		'socket',
 		'software',
 		'solarus',
 		'splunk',
+		'sprummlbot',
 		'squid',
-		'squirrelmail',
+		'squirrelmail[0-9]+',
+		'srvadmin',
 		'sshusr',
 		'staffc',
 		'steam(cmd)?',
 		'store',
+		'stunnel',
 		'superuser',
 		'suporte',
 		'support',
-		'svnroot',
+		'svn(root)?',
 		'sybase',
+		'sync[0-9]*',
 		'sysadmin',
 		'system',
-		'teamspeak3?',
+		'teamspeak[23]?(-?use?r)?',
 		'telkom',
-		'temp',
+		'telnetd?',
+		'te?mp(use?r)?[0-9]*',
 		'test((er?|ing|ftp|man|use?r|u)[0-9]*|[0-9]+)?',
 		'(test)?username',
 		'text',
 		'tomcat',
 		'tools',
 		'toor',
-		'ts[23](se?rv(er)?|(musi[ck])?bot)?',
+		'ts[23](se?rv(er)?|(musi[ck])?bot|sleep)?',
+		'tss',
 		'tunstall',
 		'ubnt',
 		'ubuntu',
-		'upload',
 		'unity',
+		'universitaetsrechenzentrum', # University Computing Center
+		'upload[0-9]*',
+		'user[0-9]*',
 		'USERID',
-		'user[0-9]*',
+		'username',
 		'usuario',
 		'uucp',
 		'vagrant',
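Review bot: `'username'`, added near the end of this hunk, duplicates the existing `'(test)?username'` a few lines above, which already matches the bare word, so one of the two can go. The hunk also adds `'rpm'` directly before the existing `'RPM'`; that pair is redundant only if the generated regex is matched case-insensitively, in which case `'Admin'`, `'NpC'` and `'USERID'` elsewhere in the list are redundant too, and otherwise both are needed. A short comment at the top of the array stating whether entries are matched case-sensitively, e.g. `# entries are matched case-sensitively; list both spellings where seen`, would settle this for future additions.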
@@ -317,27 +396,38 @@
 		'virusalter',
 		'vmadmin',
 		'vmail',
+		'vscan',
 		'vyatta',
 		'wanadoo',
 		'weblogic',
 		'webmaster',
+		'webportal',
 		'WinD3str0y',
 		'wine',
+		'wordpress',
 		'wp-?user',
 		'write',
 		'www',
-		'(www|web|coin|fax|sys|db2|rsync|tc)-?(adm(in)?|run|user|data)',
+		'wwAdmin',
+		'(www|web|coin|fax|sys|db2|rsync|tc)-?(adm(in)?|run|users?|data|[0-9]+)',
 		'xbian',
 		'xbot',
+		'xmpp',
 		'xoadmin',
 		'yahoo',
 		'yarn',
 		'zabbix',
 		'zimbra',
 		'zookeeper',
+		# And some passwords that turned up as usernames
+		'1q2w3e4r',
+		'abc123',
 		'0fordn1on@#\$%%\^&',
 		'P@\$\$w0rd',
-		'pass123?4?'
+		'P@ssword1!',
+		'Passwd123',
+		'pass123?4?',
+		'qwer?[0-9]+',
 	]
 
 	file { '/etc/fail2ban/filter.d/ibb-sshd-bad-user.conf':