authorB Stack <bgstack15@gmail.com>2016-09-23 10:27:15 -0400
committerB Stack <bgstack15@gmail.com>2016-09-23 10:27:15 -0400
commit5e8a7ac51e486044c8d14694e5f51173dd63f628 (patch)
tree586bba6cab996f95a39f6a4620e457cf5924d770 /company.example/fail2ban-files/filter.d
parentInitial file upload (diff)
Initial file upload
Diffstat (limited to 'company.example/fail2ban-files/filter.d')
-rw-r--r--company.example/fail2ban-files/filter.d/20_example-blns.filter32
-rw-r--r--company.example/fail2ban-files/filter.d/30_example-max3.filter13
-rw-r--r--company.example/fail2ban-files/filter.d/60_sshd.filter31
3 files changed, 76 insertions, 0 deletions
diff --git a/company.example/fail2ban-files/filter.d/20_example-blns.filter b/company.example/fail2ban-files/filter.d/20_example-blns.filter
new file mode 100644
index 0000000..c39cefa
--- /dev/null
+++ b/company.example/fail2ban-files/filter.d/20_example-blns.filter
@@ -0,0 +1,32 @@
+# Ansible controlled filename: /etc/fail2ban/filter.d/20_example-blns.filter
+# Source: ansible bgstack15-fail2ban/files/example-blns.filter
+# Date: 2016-04-19
+# Reference:
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[Definition]
+failregex = ^.*<HOST>.*(GET|POST).*/etc/passwd.*$
+ ^.*<HOST>.*(GET|POST).*/etc/group.*$
+ ^.*<HOST>.*(GET|POST).*/etc/hosts.*$
+ ^.*<HOST>.*(GET|POST).*/proc/self/environ.*$
+ ^.*<HOST>.*(GET|POST).*(?i)admin.*admin.*$
+ ^.*<HOST>.*(GET|POST).*(?i)(php|db|pma|web|sql).*admin.*$
+ ^.*<HOST>.*(GET|POST).*(?i)admin.*(php|db|pma|web|sql).*$
+ ^.*<HOST>.*(GET|POST).*(?i)DELETE_comment.*$
+ ^.*<HOST>.*(GET|POST).*(?i)pma/scripts.*setup.*$
+ ^.*<HOST>.*(GET|POST).*(?i)pma([0-9]{4})?/? HTTP.*$
+ ^.*<HOST>.*(GET|POST).*(?i)(database|myadmin|mysql)/? HTTP.*$
+ ^.*<HOST>.*(GET|POST).*(?i)(dbweb|webdb|websql|sqlweb).*$
+ ^.*<HOST>.*(GET|POST).*(?i)(my)?sql.*manager.*$
+ ^.*<HOST>.*(GET|POST).*(?i)wp-(admin|login|signup|config).*$
+ ^.*<HOST>.*(GET|POST).*president/.*wp-cron\.php*$
+ ^.*<HOST>.*(GET|POST).*w00t.*blackhats.*$
+ ^.*<HOST>.*(GET|POST).*\+\+liker.profile_URL\+\+.*$
+ ^.*<HOST>.*(GET|POST).*muieblackcat.*$
+ ^.*<HOST>.*(GET|POST).*(?i)ldlogon.*$
+ ^.*<HOST>.*(GET|POST).*(?i)\.cobalt$
+ ^.*<HOST>.*(GET|POST).*(?i)\.intruvert\/jsp\/admin\/Login\.jsp$
+ ^.*<HOST>.*(GET|POST).*(?i)MSWSMTP\/Common\/Authentication\/Logon\.aspx$
+ ^.*<HOST>.*(GET|POST).*(?i)php\?password=[0-9]*\&re_password=.*\&login=var.*$
+
+ignoreregex =
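Review bot: `president/.*wp-cron\.php*$` on the wp-cron line quantifies only the final `p`, so the path has to end in exactly `.ph`, `.php`, `.phpp`… and a request like `wp-cron.php?doing_wp_cron=…` is never matched; `president/.*wp-cron\.php.*$` is presumably what was intended. Separately, every pattern places `<HOST>` between two `.*` runs, so on an HTTP access line the tag can bind to an IP appearing in a request-supplied field (referer, User-Agent, query string) rather than in the client-address position, which lets a remote sender cause an unrelated third-party address to be banned; anchoring `<HOST>` to the log format (for combined-format logs, `^<HOST> .*"(GET|POST) …`) removes that, and the same applies to the 30_example-max3.filter hunk. The mid-pattern `(?i)` flags are rejected by Python's `re` from 3.11 onward ("global flags not at the start of the expression"), so moving `(?i)` to the start of each line or using a scoped `(?i:…)` group keeps the filter loadable on current fail2ban builds. The `# Reference:` header line is also left empty; either fill it in or drop it so the header stays consistent with the sibling filters.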
diff --git a/company.example/fail2ban-files/filter.d/30_example-max3.filter b/company.example/fail2ban-files/filter.d/30_example-max3.filter
new file mode 100644
index 0000000..af692af
--- /dev/null
+++ b/company.example/fail2ban-files/filter.d/30_example-max3.filter
@@ -0,0 +1,13 @@
+# Ansible controlled filename: /etc/fail2ban/filter.d/30_example-max3.filter
+# Source: ansible bgstack15-fail2ban/files/example-max3.filter
+# Date: 2016-07-12
+# Reference: example-blns.filter
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[Definition]
+failregex = ^.*<HOST>.*(GET|POST).*(?i)\.cobalt$
+ ^.*<HOST>.*(GET|POST).*(?i)\.intruvert\/jsp\/admin\/Login\.jsp$
+ ^.*<HOST>.*(GET|POST).*(?i)MSWSMTP\/Common\/Authentication\/Logon\.aspx$
+ ^.*<HOST>.*(GET|POST).*(?i)php\?password=[0-9]*\&re_password=.*\&login=var.*$
+
+ignoreregex =
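Review bot: The four failregex lines here appear to be verbatim copies of the last four patterns in 20_example-blns.filter, so a log line matching this filter also matches that one and presumably counts toward two jails at once, and any regex fix has to be applied in both places. If the split is intentional (a separate jail with a lower retry threshold, as the `max3` name suggests), a header line such as `# NOTE: duplicates the last four blns patterns on purpose for a stricter maxretry jail; keep both files in sync` records that; otherwise removing these patterns from the blns filter avoids the double counting.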
diff --git a/company.example/fail2ban-files/filter.d/60_sshd.filter b/company.example/fail2ban-files/filter.d/60_sshd.filter
new file mode 100644
index 0000000..33b8ba8
--- /dev/null
+++ b/company.example/fail2ban-files/filter.d/60_sshd.filter
@@ -0,0 +1,31 @@
+# Ansible-controlled filename: /etc/fail2ban/filter.d/60_sshd.filter
+# Source: ansible bgstack15-fail2ban/files/sshd.filter
+# Date: 2016-06-23
+# Reference: Ubuntu 16.04 fail2ban package sshd filter
+# NOTE: This file is managed via Ansible: manual changes will be lost
+
+[INCLUDES]
+before = common.conf
+
+[Definition]
+_daemon = sshd
+failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from <HOST>( via \S+)?\s*$
+ ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from <HOST>\s*$
+ ^%(__prefix_line)sFailed \S+ for .*? from <HOST>(?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$
+ ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM <HOST>\s*$
+ ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from <HOST>\s*$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because not listed in AllowUsers\s*$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because listed in DenyUsers\s*$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because not in any group\s*$
+ ^%(__prefix_line)srefused connect from \S+ \(<HOST>\)\s*$
+ ^%(__prefix_line)sReceived disconnect from <HOST>: 3: \S+: Auth fail$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
+ ^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
+ ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: .+ \[preauth\]$
+ ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
+ ^(?P<__prefix>%(__prefix_line)s)Connection from <HOST> port \d+(?: on \S+ port \d+)?<SKIPLINES>(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$
+ ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=<HOST>\s.*$
+ignoreregex =
+[Init]
+maxlines = 10
+journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
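Review bot: The `[Init]` header follows `ignoreregex =` with no separating blank line, unlike the `[INCLUDES]`/`[Definition]` break earlier in this file and the layout of the two sibling filters; a blank line before `[Init]` keeps the section layout consistent. The Reference header indicates the body is a copy of the packaged Ubuntu 16.04 sshd filter, which means this Ansible-managed copy will not pick up upstream regex changes as sshd log formats evolve; a header comment like `# NOTE: snapshot of the Ubuntu 16.04 fail2ban sshd filter; re-diff against the packaged filter when fail2ban is upgraded` makes that maintenance obligation explicit, and an `sshd.local` override of the packaged filter would avoid carrying the copy at all. The header also spells `Ansible-controlled` where the other two files use `Ansible controlled`, which is worth unifying if anything greps for the marker.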