diff --git a/conf/fail2ban/jails.conf b/conf/fail2ban/jails.conf
index 952dc35a..0213ea7b 100644
--- a/conf/fail2ban/jails.conf
+++ b/conf/fail2ban/jails.conf
@@ -30,14 +30,6 @@ logpath = /var/log/nginx/access.log
 maxretry = 20
 findtime = 30
-[miab-owncloud]
-enabled = true
-port = http,https
-filter = miab-owncloud
-logpath = STORAGE_ROOT/owncloud/nextcloud.log
-maxretry = 20
-findtime = 120
-
 [miab-postfix587]
 enabled = true
 port = 587
diff --git a/conf/fail2ban/jails_no_nextcloud.conf b/conf/fail2ban/jails_no_nextcloud.conf
deleted file mode 100644
index 0213ea7b..00000000
--- a/conf/fail2ban/jails_no_nextcloud.conf
+++ /dev/null
@@ -1,70 +0,0 @@
-# Fail2Ban configuration file for Mail-in-a-Box. Do not edit.
-# This file is re-generated on updates.
-
-[DEFAULT]
-# Whitelist our own IP addresses. 127.0.0.1/8 is the default. But our status checks
-# ping services over the public interface so we should whitelist that address of
-# ours too. The string is substituted during installation.
-ignoreip = 127.0.0.1/8 PUBLIC_IP
-
-[dovecot]
-enabled = true
-filter = dovecotimap
-logpath = /var/log/mail.log
-findtime = 30
-maxretry = 20
-
-[miab-management]
-enabled = true
-filter = miab-management-daemon
-port = http,https
-logpath = /var/log/syslog
-maxretry = 20
-findtime = 30
-
-[miab-munin]
-enabled = true
-port = http,https
-filter = miab-munin
-logpath = /var/log/nginx/access.log
-maxretry = 20
-findtime = 30
-
-[miab-postfix587]
-enabled = true
-port = 587
-filter = miab-postfix-submission
-logpath = /var/log/mail.log
-maxretry = 20
-findtime = 30
-
-[miab-roundcube]
-enabled = true
-port = http,https
-filter = miab-roundcube
-logpath = /var/log/roundcubemail/errors
-maxretry = 20
-findtime = 30
-
-[recidive]
-enabled = true
-maxretry = 10
-action = iptables-allports[name=recidive]
-# In the recidive section of jail.conf the action contains:
-#
-# action = iptables-allports[name=recidive]
-# sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
-#
-# The last line on the action will sent an email to the configured address. This mail will
-# notify the administrator that someone has been repeatedly triggering one of the other jails.
-# By default we don't configure this address and no action is required from the admin anyway.
-# So the notification is ommited. This will prevent message appearing in the mail.log that mail
-# can't be delivered to fail2ban@$HOSTNAME.
-
-[postfix-sasl]
-enabled = true
-
-[sshd]
-enabled = true
-maxretry = 7
-bantime = 3600
diff --git a/conf/fail2ban/nextcloud-jail.conf b/conf/fail2ban/nextcloud-jail.conf
new file mode 100644
index 00000000..a954beea
--- /dev/null
+++ b/conf/fail2ban/nextcloud-jail.conf
@@ -0,0 +1,8 @@
+
+[miab-owncloud]
+enabled = true
+port = http,https
+filter = miab-owncloud
+logpath = STORAGE_ROOT/owncloud/nextcloud.log
+maxretry = 20
+findtime = 120
diff --git a/setup/system.sh b/setup/system.sh
index e96952a2..abd84459 100755
--- a/setup/system.sh
+++ b/setup/system.sh
@@ -341,18 +341,17 @@ systemctl restart systemd-resolved
 rm -f /etc/fail2ban/jail.local # we used to use this file but don't anymore
 rm -f /etc/fail2ban/jail.d/defaults-debian.conf # removes default config so we can manage all of fail2ban rules in one config
-if [ ${DISABLE_NEXTCLOUD} == "1"]; then
+# Check if the user wants to enable Nextcloud, if the user wants it
+# the relevant firejail configuration will be added
+if [ ${DISABLE_NEXTCLOUD} != "1"]; then
+ cat conf/fail2ban/nextcloud-jail.conf >> conf/fail2ban/jails.conf
+fi
+
+cat conf/fail2ban/jails.conf \
+ | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \
+ | sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \
+ > /etc/fail2ban/jail.d/mailinabox.conf
- cat conf/fail2ban/jails_no_nextcloud.conf \
- | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \
- | sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \
- > /etc/fail2ban/jail.d/mailinabox.conf
-else
- cat conf/fail2ban/jails.conf \
- | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \
- | sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \
- > /etc/fail2ban/jail.d/mailinabox.conf
-fi
 cp -f conf/fail2ban/filter.d/* /etc/fail2ban/filter.d/
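Review bot: nextcloud-jail.conf carries no comment saying that it is not a standalone jail file but a fragment that setup/system.sh appends to conf/fail2ban/jails.conf when Nextcloud is enabled, which is the only reason for its leading blank line; a first line such as `# Nextcloud jail fragment, appended to jails.conf by setup/system.sh when Nextcloud is enabled. Do not edit.` would state that and match the header style of the removed jails_no_nextcloud.conf. The system.sh hunk in this diff appends the fragment to the repository copy of jails.conf rather than to the generated file, so as far as that hunk shows a second setup run would leave two `[miab-owncloud]` sections in /etc/fail2ban/jail.d/mailinabox.conf and a modified tracked file; appending the fragment to the jail.d output after the same sed step, or writing it to its own jail.d file, avoids both. The new test `[ ${DISABLE_NEXTCLOUD} != "1"]` also has no space before `]`, so `[` reports a missing `]` and the append is skipped; `if [ "${DISABLE_NEXTCLOUD}" != "1" ]; then` fixes that and the unquoted expansion, and the comment above it should say fail2ban rather than firejail.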