From 857ccaa06c9e04064078c9dcfdad675c656b7d28 Mon Sep 17 00:00:00 2001 From: dkoao Date: Thu, 26 Sep 2019 09:20:52 +0000 Subject: [PATCH] Implement a new way to handle the Nextcloud fail2ban config. If the user wants Nextcloud to be installed, the setup script will simply append the relevant rules to the config file. This is more efficient than having two separate files. --- conf/fail2ban/jails.conf | 8 --- conf/fail2ban/jails_no_nextcloud.conf | 70 --------------------------- conf/fail2ban/nextcloud-jail.conf | 8 +++ setup/system.sh | 21 ++++---- 4 files changed, 18 insertions(+), 89 deletions(-) delete mode 100644 conf/fail2ban/jails_no_nextcloud.conf create mode 100644 conf/fail2ban/nextcloud-jail.conf diff --git a/conf/fail2ban/jails.conf b/conf/fail2ban/jails.conf index 952dc35a..0213ea7b 100644 --- a/conf/fail2ban/jails.conf +++ b/conf/fail2ban/jails.conf @@ -30,14 +30,6 @@ logpath = /var/log/nginx/access.log maxretry = 20 findtime = 30 -[miab-owncloud] -enabled = true -port = http,https -filter = miab-owncloud -logpath = STORAGE_ROOT/owncloud/nextcloud.log -maxretry = 20 -findtime = 120 - [miab-postfix587] enabled = true port = 587 diff --git a/conf/fail2ban/jails_no_nextcloud.conf b/conf/fail2ban/jails_no_nextcloud.conf deleted file mode 100644 index 0213ea7b..00000000 --- a/conf/fail2ban/jails_no_nextcloud.conf +++ /dev/null @@ -1,70 +0,0 @@ -# Fail2Ban configuration file for Mail-in-a-Box. Do not edit. -# This file is re-generated on updates. - -[DEFAULT] -# Whitelist our own IP addresses. 127.0.0.1/8 is the default. But our status checks -# ping services over the public interface so we should whitelist that address of -# ours too. The string is substituted during installation. -ignoreip = 127.0.0.1/8 PUBLIC_IP - -[dovecot] -enabled = true -filter = dovecotimap -logpath = /var/log/mail.log -findtime = 30 -maxretry = 20 - -[miab-management] -enabled = true -filter = miab-management-daemon -port = http,https -logpath = /var/log/syslog -maxretry = 20 -findtime = 30 - -[miab-munin] -enabled = true -port = http,https -filter = miab-munin -logpath = /var/log/nginx/access.log -maxretry = 20 -findtime = 30 - -[miab-postfix587] -enabled = true -port = 587 -filter = miab-postfix-submission -logpath = /var/log/mail.log -maxretry = 20 -findtime = 30 - -[miab-roundcube] -enabled = true -port = http,https -filter = miab-roundcube -logpath = /var/log/roundcubemail/errors -maxretry = 20 -findtime = 30 - -[recidive] -enabled = true -maxretry = 10 -action = iptables-allports[name=recidive] -# In the recidive section of jail.conf the action contains: -# -# action = iptables-allports[name=recidive] -# sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log] -# -# The last line on the action will sent an email to the configured address. This mail will -# notify the administrator that someone has been repeatedly triggering one of the other jails. -# By default we don't configure this address and no action is required from the admin anyway. -# So the notification is ommited. This will prevent message appearing in the mail.log that mail -# can't be delivered to fail2ban@$HOSTNAME. - -[postfix-sasl] -enabled = true - -[sshd] -enabled = true -maxretry = 7 -bantime = 3600 diff --git a/conf/fail2ban/nextcloud-jail.conf b/conf/fail2ban/nextcloud-jail.conf new file mode 100644 index 00000000..a954beea --- /dev/null +++ b/conf/fail2ban/nextcloud-jail.conf @@ -0,0 +1,8 @@ + +[miab-owncloud] +enabled = true +port = http,https +filter = miab-owncloud +logpath = STORAGE_ROOT/owncloud/nextcloud.log +maxretry = 20 +findtime = 120 diff --git a/setup/system.sh b/setup/system.sh index e96952a2..abd84459 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -341,18 +341,17 @@ systemctl restart systemd-resolved rm -f /etc/fail2ban/jail.local # we used to use this file but don't anymore rm -f /etc/fail2ban/jail.d/defaults-debian.conf # removes default config so we can manage all of fail2ban rules in one config -if [ ${DISABLE_NEXTCLOUD} == "1"]; then +# Check if the user wants to enable Nextcloud, if the user wants it +# the relevant firejail configuration will be added +if [ ${DISABLE_NEXTCLOUD} != "1"]; then + cat conf/fail2ban/nextcloud-jail.conf >> conf/fail2ban/jails.conf +fi + +cat conf/fail2ban/jails.conf \ + | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \ + | sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \ + > /etc/fail2ban/jail.d/mailinabox.conf - cat conf/fail2ban/jails_no_nextcloud.conf \ - | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \ - | sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \ - > /etc/fail2ban/jail.d/mailinabox.conf -else - cat conf/fail2ban/jails.conf \ - | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \ - | sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \ - > /etc/fail2ban/jail.d/mailinabox.conf -fi cp -f conf/fail2ban/filter.d/* /etc/fail2ban/filter.d/