From 17c0b3e049ec09a6605d18c9325a5a69d54db8f6 Mon Sep 17 00:00:00 2001 From: B Stack Date: Mon, 3 Oct 2016 11:43:00 -0400 Subject: added sudo --- company/fail2ban-files/filter.d/20_bju-blns.filter | 32 ++++++++++++++++++++++ company/fail2ban-files/filter.d/30_bju-max3.filter | 13 +++++++++ company/fail2ban-files/filter.d/60_sshd.filter | 31 +++++++++++++++++++++ company/fail2ban-files/jail.d/00_default.jail | 10 +++++++ company/fail2ban-files/jail.d/20_bju-blns.jail | 21 ++++++++++++++ company/fail2ban-files/jail.d/30_bju-max3.jail | 21 ++++++++++++++ company/fail2ban-files/jail.d/60_sshd.jail | 16 +++++++++++ 7 files changed, 144 insertions(+) create mode 100644 company/fail2ban-files/filter.d/20_bju-blns.filter create mode 100644 company/fail2ban-files/filter.d/30_bju-max3.filter create mode 100644 company/fail2ban-files/filter.d/60_sshd.filter create mode 100644 company/fail2ban-files/jail.d/00_default.jail create mode 100644 company/fail2ban-files/jail.d/20_bju-blns.jail create mode 100644 company/fail2ban-files/jail.d/30_bju-max3.jail create mode 100644 company/fail2ban-files/jail.d/60_sshd.jail (limited to 'company/fail2ban-files') diff --git a/company/fail2ban-files/filter.d/20_bju-blns.filter b/company/fail2ban-files/filter.d/20_bju-blns.filter new file mode 100644 index 0000000..c39cefa --- /dev/null +++ b/company/fail2ban-files/filter.d/20_bju-blns.filter @@ -0,0 +1,32 @@ +# Ansible controlled filename: /etc/fail2ban/filter.d/20_example-blns.filter +# Source: ansible bgstack15-fail2ban/files/example-blns.filter +# Date: 2016-04-19 +# Reference: +# NOTE: This file is managed via Ansible: manual changes will be lost + +[Definition] +failregex = ^.*.*(GET|POST).*/etc/passwd.*$ + ^.*.*(GET|POST).*/etc/group.*$ + ^.*.*(GET|POST).*/etc/hosts.*$ + ^.*.*(GET|POST).*/proc/self/environ.*$ + ^.*.*(GET|POST).*(?i)admin.*admin.*$ + ^.*.*(GET|POST).*(?i)(php|db|pma|web|sql).*admin.*$ + ^.*.*(GET|POST).*(?i)admin.*(php|db|pma|web|sql).*$ + ^.*.*(GET|POST).*(?i)DELETE_comment.*$ + ^.*.*(GET|POST).*(?i)pma/scripts.*setup.*$ + ^.*.*(GET|POST).*(?i)pma([0-9]{4})?/? HTTP.*$ + ^.*.*(GET|POST).*(?i)(database|myadmin|mysql)/? HTTP.*$ + ^.*.*(GET|POST).*(?i)(dbweb|webdb|websql|sqlweb).*$ + ^.*.*(GET|POST).*(?i)(my)?sql.*manager.*$ + ^.*.*(GET|POST).*(?i)wp-(admin|login|signup|config).*$ + ^.*.*(GET|POST).*president/.*wp-cron\.php*$ + ^.*.*(GET|POST).*w00t.*blackhats.*$ + ^.*.*(GET|POST).*\+\+liker.profile_URL\+\+.*$ + ^.*.*(GET|POST).*muieblackcat.*$ + ^.*.*(GET|POST).*(?i)ldlogon.*$ + ^.*.*(GET|POST).*(?i)\.cobalt$ + ^.*.*(GET|POST).*(?i)\.intruvert\/jsp\/admin\/Login\.jsp$ + ^.*.*(GET|POST).*(?i)MSWSMTP\/Common\/Authentication\/Logon\.aspx$ + ^.*.*(GET|POST).*(?i)php\?password=[0-9]*\&re_password=.*\&login=var.*$ + +ignoreregex = diff --git a/company/fail2ban-files/filter.d/30_bju-max3.filter b/company/fail2ban-files/filter.d/30_bju-max3.filter new file mode 100644 index 0000000..af692af --- /dev/null +++ b/company/fail2ban-files/filter.d/30_bju-max3.filter @@ -0,0 +1,13 @@ +# Ansible controlled filename: /etc/fail2ban/filter.d/30_example-max3.filter +# Source: ansible bgstack15-fail2ban/files/example-max3.filter +# Date: 2016-07-12 +# Reference: example-blns.filter +# NOTE: This file is managed via Ansible: manual changes will be lost + +[Definition] +failregex = ^.*.*(GET|POST).*(?i)\.cobalt$ + ^.*.*(GET|POST).*(?i)\.intruvert\/jsp\/admin\/Login\.jsp$ + ^.*.*(GET|POST).*(?i)MSWSMTP\/Common\/Authentication\/Logon\.aspx$ + ^.*.*(GET|POST).*(?i)php\?password=[0-9]*\&re_password=.*\&login=var.*$ + +ignoreregex = diff --git a/company/fail2ban-files/filter.d/60_sshd.filter b/company/fail2ban-files/filter.d/60_sshd.filter new file mode 100644 index 0000000..33b8ba8 --- /dev/null +++ b/company/fail2ban-files/filter.d/60_sshd.filter @@ -0,0 +1,31 @@ +# Ansible-controlled filename: /etc/fail2ban/filter.d/60_sshd.filter +# Source: ansible bgstack15-fail2ban/files/sshd.filter +# Date: 2016-06-23 +# Reference: Ubuntu 16.04 fail2ban package sshd filter +# NOTE: This file is managed via Ansible: manual changes will be lost + +[INCLUDES] +before = common.conf + +[Definition] +_daemon = sshd +failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|error) for .* from ( via \S+)?\s*$ + ^%(__prefix_line)s(?:error: PAM: )?User not known to the underlying authentication module for .* from \s*$ + ^%(__prefix_line)sFailed \S+ for .*? from (?: port \d*)?(?: ssh\d*)?(: (ruser .*|(\S+ ID \S+ \(serial \d+\) CA )?\S+ %(__md5hex)s(, client user ".*", client host ".*")?))?\s*$ + ^%(__prefix_line)sROOT LOGIN REFUSED.* FROM \s*$ + ^%(__prefix_line)s[iI](?:llegal|nvalid) user .* from \s*$ + ^%(__prefix_line)sUser .+ from not allowed because not listed in AllowUsers\s*$ + ^%(__prefix_line)sUser .+ from not allowed because listed in DenyUsers\s*$ + ^%(__prefix_line)sUser .+ from not allowed because not in any group\s*$ + ^%(__prefix_line)srefused connect from \S+ \(\)\s*$ + ^%(__prefix_line)sReceived disconnect from : 3: \S+: Auth fail$ + ^%(__prefix_line)sUser .+ from not allowed because a group is listed in DenyGroups\s*$ + ^%(__prefix_line)sUser .+ from not allowed because none of user's groups are listed in AllowGroups\s*$ + ^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked(?P=__prefix)(?:error: )?Received disconnect from : 11: .+ \[preauth\]$ + ^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\](?P=__prefix)(?:error: )?Connection closed by \[preauth\]$ + ^(?P<__prefix>%(__prefix_line)s)Connection from port \d+(?: on \S+ port \d+)?(?P=__prefix)Disconnecting: Too many authentication failures for .+? \[preauth\]$ + ^%(__prefix_line)spam_unix\(sshd:auth\):\s+authentication failure;\s*logname=\S*\s*uid=\d*\s*euid=\d*\s*tty=\S*\s*ruser=\S*\s*rhost=\s.*$ +ignoreregex = +[Init] +maxlines = 10 +journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd diff --git a/company/fail2ban-files/jail.d/00_default.jail b/company/fail2ban-files/jail.d/00_default.jail new file mode 100644 index 0000000..71cd3e8 --- /dev/null +++ b/company/fail2ban-files/jail.d/00_default.jail @@ -0,0 +1,10 @@ +# Ansible controlled filename: /etc/fail2ban/jail.d/00_default.filter +# Source: ansible bgstack15-fail2ban/files/00_default.conf +# Date: 2016-06-23 +# Reference: +# NOTE: This file is managed via Ansible: manual changes will be lost + +[DEFAULT] +ignoreip = 127.0.0.1/8 203.0.0.0/16 10.0.0.0/8 192.168.0.0/16 204.13.201.0/24 64.37.231.0/24 +# TrustKeeper Vulnerability Scan IPs = 204.13.201.0/24 64.37.231.0/24 + diff --git a/company/fail2ban-files/jail.d/20_bju-blns.jail b/company/fail2ban-files/jail.d/20_bju-blns.jail new file mode 100644 index 0000000..eb1d1c9 --- /dev/null +++ b/company/fail2ban-files/jail.d/20_bju-blns.jail @@ -0,0 +1,21 @@ +# Ansible controlled filename: /etc/fail2ban/jail.d/20_example-blns.jail +# Source: ansible bgstack15-fail2ban/files/example-blns.jail +# Date: 2016-04-19 +# Reference: +# NOTE: This file is managed via Ansible: manual changes will be lost + +[example-blns] +enabled = true +action = iptables-allports + sendmail[name=exampleblns, dest=linuxadmin@example.com] +filter = 20_example-blns +logpath = /var/log/httpd/access_log + /var/log/httpd/error_log + /var/log/httpd/ssl_access_log + /var/log/httpd/ssl_error_log + /var/log/apache2/access_log + /var/log/apache2/error_log + /var/log/apache2/ssl_access_log + /var/log/apache2/ssl_error_log +maxretry = 1 +bantime = 86400 diff --git a/company/fail2ban-files/jail.d/30_bju-max3.jail b/company/fail2ban-files/jail.d/30_bju-max3.jail new file mode 100644 index 0000000..6ca7781 --- /dev/null +++ b/company/fail2ban-files/jail.d/30_bju-max3.jail @@ -0,0 +1,21 @@ +# Ansible controlled filename: /etc/fail2ban/jail.d/30_example-max3.jail +# Source: ansible bgstack15-fail2ban/files/example-max3.jail +# Date: 2016-07-12 +# Reference: example-blns.jail +# NOTE: This file is managed via Ansible: manual changes will be lost + +[example-max3] +enabled = true +action = iptables-allports + sendmail[name=examplemax3, dest=linuxadmin@example.com] +filter = 30_example-max3 +logpath = /var/log/httpd/access_log + /var/log/httpd/error_log + /var/log/httpd/ssl_access_log + /var/log/httpd/ssl_error_log + /var/log/apache2/access_log + /var/log/apache2/error_log + /var/log/apache2/ssl_access_log + /var/log/apache2/ssl_error_log +maxretry = 3 +bantime = 86400 diff --git a/company/fail2ban-files/jail.d/60_sshd.jail b/company/fail2ban-files/jail.d/60_sshd.jail new file mode 100644 index 0000000..aeb2751 --- /dev/null +++ b/company/fail2ban-files/jail.d/60_sshd.jail @@ -0,0 +1,16 @@ +# Ansible controlled filename: /etc/fail2ban/jail.d/60_sshd.jail +# Source: ansible bgstack15-fail2ban/files/sshd.jail +# Date: 2016-06-23 +# Reference: Ubuntu 16.04 fail2ban package sshd jail +# NOTE: This file is managed via Ansible: manual changes will be lost + +[ssh-iptables] + +enabled = true +filter = sshd +action = iptables[name=SSH, port=ssh, protocol=tcp] + sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com] +logpath = %(sshd_log)s +maxretry = 5 + +ignoreip = 203.0.193.232/24 -- cgit