From 1e02bb0bf1e0fbc74528745db48840c10d935bdd Mon Sep 17 00:00:00 2001 From: Michael Kroes Date: Tue, 29 Mar 2016 18:43:05 +0200 Subject: [PATCH] Make use of fail2ban jail.d --- conf/fail2ban/{ => filter.d}/dovecotimap.conf | 0 .../miab-management-daemon.conf | 0 .../{munin.conf => filter.d/miab-munin.conf} | 0 .../miab-owncloud.conf} | 0 .../miab-postfix-submission.conf} | 0 .../miab-roundcube.conf} | 0 conf/fail2ban/jail.d/dovecot.conf | 5 ++ .../jail.d/miab-management-daemon.conf | 7 +++ conf/fail2ban/jail.d/miab-munin.conf | 7 +++ conf/fail2ban/jail.d/miab-owncloud.conf | 7 +++ .../jail.d/miab-postfix-submission.conf | 7 +++ conf/fail2ban/jail.d/miab-roundcube.conf | 7 +++ conf/fail2ban/jail.d/recidive.conf | 4 ++ conf/fail2ban/jail.d/sasl.conf | 2 + conf/fail2ban/jail.d/ssh-ddos.conf | 2 + conf/fail2ban/jail.d/ssh.conf | 3 + conf/fail2ban/jail.local | 62 ------------------- setup/system.sh | 10 ++- 18 files changed, 55 insertions(+), 68 deletions(-) rename conf/fail2ban/{ => filter.d}/dovecotimap.conf (100%) rename conf/fail2ban/{ => filter.d}/miab-management-daemon.conf (100%) rename conf/fail2ban/{munin.conf => filter.d/miab-munin.conf} (100%) rename conf/fail2ban/{owncloud.conf => filter.d/miab-owncloud.conf} (100%) rename conf/fail2ban/{postfix-submission.conf => filter.d/miab-postfix-submission.conf} (100%) rename conf/fail2ban/{roundcube.conf => filter.d/miab-roundcube.conf} (100%) create mode 100644 conf/fail2ban/jail.d/dovecot.conf create mode 100644 conf/fail2ban/jail.d/miab-management-daemon.conf create mode 100644 conf/fail2ban/jail.d/miab-munin.conf create mode 100644 conf/fail2ban/jail.d/miab-owncloud.conf create mode 100644 conf/fail2ban/jail.d/miab-postfix-submission.conf create mode 100644 conf/fail2ban/jail.d/miab-roundcube.conf create mode 100644 conf/fail2ban/jail.d/recidive.conf create mode 100644 conf/fail2ban/jail.d/sasl.conf create mode 100644 conf/fail2ban/jail.d/ssh-ddos.conf create mode 100644 conf/fail2ban/jail.d/ssh.conf 
diff --git a/conf/fail2ban/dovecotimap.conf b/conf/fail2ban/filter.d/dovecotimap.conf
similarity index 100%
rename from conf/fail2ban/dovecotimap.conf
rename to conf/fail2ban/filter.d/dovecotimap.conf
diff --git a/conf/fail2ban/miab-management-daemon.conf b/conf/fail2ban/filter.d/miab-management-daemon.conf
similarity index 100%
rename from conf/fail2ban/miab-management-daemon.conf
rename to conf/fail2ban/filter.d/miab-management-daemon.conf
diff --git a/conf/fail2ban/munin.conf b/conf/fail2ban/filter.d/miab-munin.conf
similarity index 100%
rename from conf/fail2ban/munin.conf
rename to conf/fail2ban/filter.d/miab-munin.conf
diff --git a/conf/fail2ban/owncloud.conf b/conf/fail2ban/filter.d/miab-owncloud.conf
similarity index 100%
rename from conf/fail2ban/owncloud.conf
rename to conf/fail2ban/filter.d/miab-owncloud.conf
diff --git a/conf/fail2ban/postfix-submission.conf b/conf/fail2ban/filter.d/miab-postfix-submission.conf
similarity index 100%
rename from conf/fail2ban/postfix-submission.conf
rename to conf/fail2ban/filter.d/miab-postfix-submission.conf
diff --git a/conf/fail2ban/roundcube.conf b/conf/fail2ban/filter.d/miab-roundcube.conf
similarity index 100%
rename from conf/fail2ban/roundcube.conf
rename to conf/fail2ban/filter.d/miab-roundcube.conf
diff --git a/conf/fail2ban/jail.d/dovecot.conf b/conf/fail2ban/jail.d/dovecot.conf
new file mode 100644
index 00000000..29b0e65a
--- /dev/null
+++ b/conf/fail2ban/jail.d/dovecot.conf
@@ -0,0 +1,5 @@
+[dovecot]
+enabled = true
+filter = dovecotimap
+findtime = 30
+maxretry = 20
diff --git a/conf/fail2ban/jail.d/miab-management-daemon.conf b/conf/fail2ban/jail.d/miab-management-daemon.conf
new file mode 100644
index 00000000..f5920dfe
--- /dev/null
+++ b/conf/fail2ban/jail.d/miab-management-daemon.conf
@@ -0,0 +1,7 @@
+[miab-management-daemon]
+enabled = true
+filter = miab-management-daemon
+port = http,https
+logpath = /var/log/syslog
+maxretry = 20
+findtime = 30
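Review bot: `jail.d/dovecot.conf` sets `filter`, `findtime` and `maxretry` but no `port` or `logpath`, so the jail presumably only works because a same-named `[dovecot]` section in the distribution's `jail.conf` supplies them, and nothing in the new file says so. A one-line comment above the section would record that, for example `# port and logpath are inherited from the stock [dovecot] jail in /etc/fail2ban/jail.conf`. `jail.d/ssh.conf` has the same kind of hidden dependency: it tunes `maxretry` and `bantime` but is the only jail added in this commit that never sets `enabled`, so adding `enabled = true` there would stop SSH protection from resting on the packaged default.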
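Review bot: `maxretry = 20` with `findtime = 30` in `jail.d/miab-management-daemon.conf` bans only after 20 matched failures inside 30 seconds, which is a loose threshold for a login endpoint, and the file records neither the units nor the reason. The same pair is set in `dovecot.conf` above and in the `miab-munin`, `miab-owncloud`, `miab-postfix-submission` and `miab-roundcube` hunks. Failures that arrive below that rate produce no ban and therefore nothing for the `recidive` jail to count, so either lengthen the window or document the choice above the keys, e.g. `# findtime is in seconds; kept short because <reason>`.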
diff --git a/conf/fail2ban/jail.d/miab-munin.conf b/conf/fail2ban/jail.d/miab-munin.conf
new file mode 100644
index 00000000..9d72c4f2
--- /dev/null
+++ b/conf/fail2ban/jail.d/miab-munin.conf
@@ -0,0 +1,7 @@
+[miab-munin]
+enabled = true
+port = http,https
+filter = miab-munin
+logpath = /var/log/nginx/access.log
+maxretry = 20
+findtime = 30
diff --git a/conf/fail2ban/jail.d/miab-owncloud.conf b/conf/fail2ban/jail.d/miab-owncloud.conf
new file mode 100644
index 00000000..9328bd5d
--- /dev/null
+++ b/conf/fail2ban/jail.d/miab-owncloud.conf
@@ -0,0 +1,7 @@
+[miab-owncloud]
+enabled = true
+port = http,https
+filter = miab-owncloud
+logpath = /home/user-data/owncloud/owncloud.log
+maxretry = 20
+findtime = 30
diff --git a/conf/fail2ban/jail.d/miab-postfix-submission.conf b/conf/fail2ban/jail.d/miab-postfix-submission.conf
new file mode 100644
index 00000000..6033214f
--- /dev/null
+++ b/conf/fail2ban/jail.d/miab-postfix-submission.conf
@@ -0,0 +1,7 @@
+[miab-postfix-submission]
+enabled = true
+port = 587
+filter = miab-postfix-submission
+logpath = /var/log/mail.log
+maxretry = 20
+findtime = 30
diff --git a/conf/fail2ban/jail.d/miab-roundcube.conf b/conf/fail2ban/jail.d/miab-roundcube.conf
new file mode 100644
index 00000000..e84cc4d1
--- /dev/null
+++ b/conf/fail2ban/jail.d/miab-roundcube.conf
@@ -0,0 +1,7 @@
+[miab-roundcube]
+enabled = true
+port = http,https
+filter = miab-roundcube
+logpath = /var/log/roundcubemail/errors
+maxretry = 20
+findtime = 30
diff --git a/conf/fail2ban/jail.d/recidive.conf b/conf/fail2ban/jail.d/recidive.conf
new file mode 100644
index 00000000..3546a839
--- /dev/null
+++ b/conf/fail2ban/jail.d/recidive.conf
@@ -0,0 +1,4 @@
+[recidive]
+enabled = true
+maxretry = 10
+
diff --git a/conf/fail2ban/jail.d/sasl.conf b/conf/fail2ban/jail.d/sasl.conf
new file mode 100644
index 00000000..b01f79de
--- /dev/null
+++ b/conf/fail2ban/jail.d/sasl.conf
@@ -0,0 +1,2 @@
+[sasl]
+enabled = true
diff --git a/conf/fail2ban/jail.d/ssh-ddos.conf b/conf/fail2ban/jail.d/ssh-ddos.conf
new file mode 100644
index 00000000..522ae99f
--- /dev/null
+++ b/conf/fail2ban/jail.d/ssh-ddos.conf
@@ -0,0 +1,2 @@
+[ssh-ddos]
+enabled = true
diff --git a/conf/fail2ban/jail.d/ssh.conf b/conf/fail2ban/jail.d/ssh.conf
new file mode 100644
index 00000000..0d0f6aab
--- /dev/null
+++ b/conf/fail2ban/jail.d/ssh.conf
@@ -0,0 +1,3 @@
+[ssh]
+maxretry = 7
+bantime = 3600
diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local
index 76f8b22e..fcf05396 100644
--- a/conf/fail2ban/jail.local
+++ b/conf/fail2ban/jail.local
@@ -6,65 +6,3 @@
 # ours too. The string is substituted during installation.
 ignoreip = 127.0.0.1/8 PUBLIC_IP
-# JAILS
-
-[ssh]
-maxretry = 7
-bantime = 3600
-
-[ssh-ddos]
-enabled = true
-
-[sasl]
-enabled = true
-
-[dovecot]
-enabled = true
-filter = dovecotimap
-findtime = 30
-maxretry = 20
-
-[management-daemon]
-enabled = true
-filter = miab-management-daemon
-port = http,https
-logpath = /var/log/syslog
-maxretry = 20
-findtime = 30
-
-[roundcube]
-enabled = true
-port = http,https
-filter = roundcube
-logpath = /var/log/roundcubemail/errors
-maxretry = 20
-findtime = 30
-
-[owncloud]
-enabled = true
-port = http,https
-filter = owncloud
-logpath = /home/user-data/owncloud/owncloud.log
-maxretry = 20
-findtime = 30
-
-[munin]
-enabled = true
-port = http,https
-filter = munin
-logpath = /var/log/nginx/access.log
-maxretry = 20
-findtime = 30
-
-[postfix-submission]
-enabled = true
-port = 587
-filter = postfix-submission
-logpath = /var/log/mail.log
-maxretry = 20
-findtime = 30
-
-[recidive]
-enabled = true
-maxretry = 10
-
diff --git a/setup/system.sh b/setup/system.sh
index 202f0959..3ceba616 100755
--- a/setup/system.sh
+++ b/setup/system.sh
@@ -285,10 +285,8 @@ restart_service resolvconf
 cat conf/fail2ban/jail.local \
 | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \
 > /etc/fail2ban/jail.local
-cp conf/fail2ban/dovecotimap.conf /etc/fail2ban/filter.d/dovecotimap.conf
-cp conf/fail2ban/miab-management-daemon.conf /etc/fail2ban/filter.d/miab-management-daemon.conf
-cp conf/fail2ban/roundcube.conf /etc/fail2ban/filter.d/roundcube.conf
-cp conf/fail2ban/owncloud.conf /etc/fail2ban/filter.d/owncloud.conf
-cp conf/fail2ban/munin.conf /etc/fail2ban/filter.d/munin.conf
-cp conf/fail2ban/postfix-submission.conf /etc/fail2ban/filter.d/postfix-submission.conf
+
+cp -f conf/fail2ban/filter.d/* /etc/fail2ban/filter.d/
+cp -f conf/fail2ban/jail.d/* /etc/fail2ban/jail.d/
+
 restart_service fail2ban
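Review bot: Every jail definition now lives only in `/etc/fail2ban/jail.d/`, yet the added `cp -f conf/fail2ban/jail.d/* /etc/fail2ban/jail.d/` neither creates that directory nor checks that the installed fail2ban actually loads it, so a failure here would leave the box without the jails that were removed from `jail.local`. I would add `mkdir -p /etc/fail2ban/filter.d /etc/fail2ban/jail.d` before the two copies and, after `restart_service fail2ban`, confirm with `fail2ban-client status` that the expected jails are listed. The glob copy also never removes anything, so filters installed under the old names (`roundcube.conf`, `owncloud.conf`, `munin.conf`, `postfix-submission.conf`) and any jail file later renamed in the repository stay behind in `/etc/fail2ban`. The surrounding script lies outside the hunk, so whether a failed `cp` aborts setup cannot be seen from here.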