changeset 392:a7eaf17bff26

Block lots of probed user account variants. Includes: new services, more names, and foreign-language variants.
author IBBoard <dev@ibboard.co.uk>
date Mon, 14 Feb 2022 20:43:50 +0000
parents 1de440d1bffb
children a948419a23b1
files modules/fail2ban/manifests/init.pp
diffstat 1 files changed, 61 insertions(+), 16 deletions(-) [+]
--- a/modules/fail2ban/manifests/init.pp	Mon Jan 03 19:40:59 2022 +0000
+++ b/modules/fail2ban/manifests/init.pp	Mon Feb 14 20:43:50 2022 +0000
@@ -110,22 +110,26 @@
 
 	$bad_users = [
 		'[^0-9a-zA-Z]+',
-		'[0-9]+',
+		'\.?[0-9]+\.?',
 		'[0-9a-zA-Z]{1,3}',
 		'([0-9a-z])\2{2,}',
 		'abused',
 		'Admin',
-		'admins?[0-9]*',
-		'administr[a-z]+', # administracion, administrador, administradorweb, administrator, etc
+		'[aA]dministr[a-z0-9\\]+', # administracion, administrador, administradorweb, administrator, administrat\303\266r (escaped รถ) etc
+		'admin-?gui',
+		'adminuser',
 		'admissions',
 		'altibase',
 		'alumni',
 		'amavisd?',
+		'amax[0-9]+',
 		'amministratore',
+		'amssys',
 		'anwenderschnittstelle',
 		'anonymous',
 		'ansible',
 		'apache',
+		'apps',
 		'aptproxy',
 		'apt-mirror',
 		'ark(server)?',
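Review bot: The `\\` inside the character class on the new `'[aA]dministr[a-z0-9\\]+'` line collapses to a single backslash under Puppet's single-quote escaping, so the pattern handed to fail2ban is `[a-z0-9\]+`, where `\]` is an escaped bracket and the class is no longer closed where the author intended (it would run on to the next `]` in the joined filter, or fail to compile), unless whatever consumes `$bad_users` re-escapes each entry. To match the literal backslash of the octal-escaped bytes the comment describes (`administrat\303\266r`), the entry needs a doubled escape, `'[aA]dministr[a-z0-9\\\\]+'`, which yields `\\` in the regex. The comment's `รถ` also looks like a mis-encoded `ö`; writing it as `o-umlaut` would keep the manifest ASCII-only and avoid the same encoding drift on the next edit. The `$bad_users` array opened at the top of this hunk closes outside it, and the code that joins the entries into the filter regex is not visible here, so the escaping layer should be confirmed against that consumer.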
@@ -141,9 +145,11 @@
 		'bash',
 		'batch',
 		'beagleindex',
+		'benutzer', # German user account
 		'bf2',
 		'.*bitbucket',
 		'bind',
+		'biology',
 		'bitcoin',
 		'bitnami',
 		'bitrix',
@@ -152,16 +158,20 @@
 		'boinc',
 		'bot',
 		'botmaster',
+		'bouncer',
+		'browser',
 		'bugzilla',
 		'build',
 		'buscador',
 		'cacti(user)?',
+		'camera',
 		'carrerasoft',
 		'catchall',
 		'celery',
 		'cemergen',
 		'centos',
 		'chef',
+		'chimistry',
 		'cgi',
 		'chromeuser',
 		'cinema',
@@ -173,6 +183,9 @@
 		'clouduser',
 		'com',
 		'comercial',
+		'configure',
+		'console',
+		'contact',
 		'control',
 		'couchdb',
 		'cpanel',
@@ -182,6 +195,7 @@
 		'(cs(s|go|cz)|arma|mc|tf2?|sdtd|web|pz)-?se?rve?r?',
 		'cs-?go1?',
 		'CumulusLinux!',
+		'customer',
 		'cyrus[0-9]*',
 		'daemon',
 		'danger',
@@ -189,6 +203,7 @@
 		'dasuse?r[0-9]*',
 		'data(ba?se)?',
 		'db2inst[0-9]*',
+		'dbcloud',
 		'dbus',
 		'debian(-spamd)?',
 		'default',
@@ -207,7 +222,7 @@
 		'django',
 		'dmarc',
 		'dpvirtual',
-		'dockeruser',
+		'docker(user)?',
 		'dotblot',
 		'download',
 		'dovecot',
@@ -237,6 +252,7 @@
 		'fuser',
 		'games',
 		'gdm',
+		'geometry',
 		'geniuz',
 		'getmail',
 		'ggc_user',
@@ -246,8 +262,11 @@
 		'gmail',
 		'gmodserver',
 		'gnuhealth',
+		'google',
 		'gopher',
 		'government',
+		'gpadmin',
+		'grape',
 		'grid',
 		'guest',
 		'hacker',
@@ -265,21 +284,26 @@
 		'huawei',
 		'iamroot',
 		'iceuser',
+		'image',
 		'imscp',
 		'info(rmix)?[0-9]*',
 		'inst[0-9]+',
-		'installer',
+		'install(er)?',
+		'interadmin',
 		'inventario',
 		'java',
 		'jboss',
 		'jenkins',
 		'jira',
 		'jmeter',
+		'joomla',
+		'jquery',
 		'jsboss',
 		'juniper',
 		'kafka',
 		'kodi',
 		'kms',
+		'ldap',
 		'legacy',
 		'library',
 		'libsys',
@@ -306,7 +330,7 @@
 		'mapruser',
 		'marketing',
 		'master',
-		'membership',
+		'member(ship)?',
 		'merlin',
 		'messagebus',
 		'minecraft',
@@ -319,7 +343,7 @@
 		'mpiuser',
 		'mqadm',
 		'musi[ck]bot',
-		'(my?|pg)sq(ue)?l[0-9]*',
+		'(my?|pg)(sq(ue)?l|admin)[0-9]*',
 		'mythtv',
 		'nagios',
 		'named',
@@ -343,6 +367,7 @@
 		'notes',
 		'nothing',
 		'NpC',
+		'ntps',
 		'nux',
 		'odoo',
 		'odroid',
@@ -352,12 +377,14 @@
 		'oozie',
 		'openbravo',
 		'openfire',
+		'openerp',
 		'openvpn',
 		'operador',
 		'operator',
 		'ops(code)?',
 		'oprofile',
-		'ora(cle|prod|vis)[0-9]*',
+		'ora_?(cle|prod|root|vis)[0-9]*',
+		'orbital',
 		'osmc',
 		'owncloud',
 		'papernet',
@@ -370,10 +397,13 @@
 		'platform',
 		'play',
 		'PlcmSpIp(PlcmSpIp)?',
+		'plesk',
 		'plex',
+		'point',
 		'polkitd?',
 		'popd?3?',
 		'popuser',
+		'portal',
 		'postfix',
 		'p0stgr3s',
 		'postgres',
@@ -382,11 +412,14 @@
 		'print',
 		'privoxy',
 		'proba',
+		'Prometheus',
 		'proxy',
 		'public',
 		'puppet',
+		'pwla',
 		'qhsupport',
 		'rabbit(mq)?',
+		'radio',
 		'radiusd?',
 		'raspberry',
 		'readonly',
@@ -394,16 +427,17 @@
 		'recording',
 		'redis',
 		'redmine',
-		'remote',
+		'remot[eo]',
 		'reports',
 		'riakcs',
-		'root[0-9]+',
+		'root[0-9a-zA-Z]+',
 		'rpc(user)?',
 		'rpm',
 		'RPM',
 		'rtorrent',
 		'rustserver',
 		'sales[0-9]+',
+		'samp',
 		's?bin',
 		'saslauth',
 		'scan(n?er)?',
@@ -414,7 +448,7 @@
 		'serverpilot',
 		'service',
 		'setup',
-		'(s|u|ams|admin|inss|pro|web)?ftp(d|[_-]?use?r|home|_?test|immo)?[0-9]*',
+		'(s|u|user|ams|admin|inss|pro|web)?ftp(d|[_-]?use?r|home|_?test|immo)?[0-9]*',
 		'sftponly',
 		'shell',
 		'shop',
@@ -440,8 +474,9 @@
 		'staffc',
 		'steam(cmd)?',
 		'store',
+		'stream',
 		'stunnel',
-		'superuser',
+		'super(user)?',
 		'suporte',
 		'support',
 		'svn(root|admin)?',
@@ -450,12 +485,15 @@
 		'sysadmin',
 		'system',
 		'teamspeak[234]?(-?use?r)?',
+		'telecom(admin)?',
 		'telkom',
 		'telnetd?',
 		'te?mp(use?r)?[0-9]*',
 		'test((er?|ing|ftp|man|linux|use?r|u)[0-9]*|[0-9]+)?',
+		'ttest',
 		'(test)?username',
 		'text',
+		'tiago',
 		'tomcat',
 		'tools',
 		'toor',
@@ -465,16 +503,21 @@
 		'ubnt',
 		'unity',
 		'universitaetsrechenzentrum', # University Computing Center
-		'upload[0-9]*',
+		'unix',
+		'uplink',
+		'upload(er)?[0-9]*',
 		'user[0-9]*',
 		'USERID',
 		'username',
 		'usuario',
+		'utente', # Italian user
 		'uucp',
 		'vagrant',
 		'vbox',
 		'ventrilo',
 		'vhbackup',
+		'video',
+		'virtual',
 		'virusalter',
 		'vmadmin',
 		'vmail',
@@ -484,8 +527,10 @@
 		'wanadoo',
 		'web',
 		'webapp',
+		'webdesign',
 		'weblogic',
 		'webmaster',
+		'webmin',
 		'webportal',
 		'websync',
 		'wiki',
@@ -507,10 +552,10 @@
 		'zimbra',
 		'zookeeper',
 		# User/admin/other
-		'(api|appl?|ats|cam|cat|db|imap|is|my|virtual|vpn)?(admin|dev|use?r|server|man|manager|mgr)[0-9]*',
-		'(abc|account|git|info|redhat|samba|sshd|student|tomcat|ubuntu|web)[0-9]*',
+		'(bwair|api|appl?|ats|cam|cat|db|dev|file|imap|is|my|net|site|tech|virtual|vnc|vpn)?(admins?|app|dev|use?r|server|man|manager|mgr)[0-9]*',
+		'(abc|account|git|info|redhat|samba|sshd|student|teacher|tomcat|ubuntu|web)[0-9]*',
 		# Names
-		'(aaron|david|james|tom|victor)[0-9]*',
+		'(aaron|alexander|bill|david|james|sergio|thomas|timson|tom|victor|wang)[0-9]*',
 		# And some passwords that turned up as usernames
 		'1q2w3e4r',
 		'abc123',