mirror of
https://github.com/mail-in-a-box/mailinabox.git
synced 2024-11-26 02:57:04 +00:00
merge: fail2ban broke, released v0.19a
This commit is contained in:
commit
86457e5bc4
@ -8,6 +8,13 @@ ownCloud:
|
|||||||
|
|
||||||
* Updated to ownCloud to 8.2.7.
|
* Updated to ownCloud to 8.2.7.
|
||||||
|
|
||||||
|
v0.19a (August 18, 2016)
|
||||||
|
------------------------
|
||||||
|
|
||||||
|
This update corrects a security issue in v0.19.
|
||||||
|
|
||||||
|
* fail2ban won't start if Roundcube had not yet been used - new installations probably do not have fail2ban running.
|
||||||
|
|
||||||
v0.19 (August 13, 2016)
|
v0.19 (August 13, 2016)
|
||||||
-----------------------
|
-----------------------
|
||||||
|
|
||||||
|
@ -59,7 +59,7 @@ by me:
|
|||||||
$ curl -s https://keybase.io/joshdata/key.asc | gpg --import
|
$ curl -s https://keybase.io/joshdata/key.asc | gpg --import
|
||||||
gpg: key C10BDD81: public key "Joshua Tauberer <jt@occams.info>" imported
|
gpg: key C10BDD81: public key "Joshua Tauberer <jt@occams.info>" imported
|
||||||
|
|
||||||
$ git verify-tag v0.19
|
$ git verify-tag v0.19a
|
||||||
gpg: Signature made ..... using RSA key ID C10BDD81
|
gpg: Signature made ..... using RSA key ID C10BDD81
|
||||||
gpg: Good signature from "Joshua Tauberer <jt@occams.info>"
|
gpg: Good signature from "Joshua Tauberer <jt@occams.info>"
|
||||||
gpg: WARNING: This key is not certified with a trusted signature!
|
gpg: WARNING: This key is not certified with a trusted signature!
|
||||||
@ -72,7 +72,7 @@ and on my [personal homepage](https://razor.occams.info/). (Of course, if this r
|
|||||||
|
|
||||||
Checkout the tag corresponding to the most recent release:
|
Checkout the tag corresponding to the most recent release:
|
||||||
|
|
||||||
$ git checkout v0.19
|
$ git checkout v0.19a
|
||||||
|
|
||||||
Begin the installation.
|
Begin the installation.
|
||||||
|
|
||||||
|
@ -7,7 +7,7 @@
|
|||||||
#########################################################
|
#########################################################
|
||||||
|
|
||||||
if [ -z "$TAG" ]; then
|
if [ -z "$TAG" ]; then
|
||||||
TAG=v0.19
|
TAG=v0.19a
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Are we running as root?
|
# Are we running as root?
|
||||||
|
@ -111,15 +111,22 @@ source setup/zpush.sh
|
|||||||
source setup/management.sh
|
source setup/management.sh
|
||||||
source setup/munin.sh
|
source setup/munin.sh
|
||||||
|
|
||||||
# Ping the management daemon to write the DNS and nginx configuration files.
|
# Wait for the management daemon to start...
|
||||||
until nc -z -w 4 127.0.0.1 10222
|
until nc -z -w 4 127.0.0.1 10222
|
||||||
do
|
do
|
||||||
echo Waiting for the Mail-in-a-Box management daemon to start...
|
echo Waiting for the Mail-in-a-Box management daemon to start...
|
||||||
sleep 2
|
sleep 2
|
||||||
done
|
done
|
||||||
|
|
||||||
|
# ...and then have it write the DNS and nginx configuration files and start those
|
||||||
|
# services.
|
||||||
tools/dns_update
|
tools/dns_update
|
||||||
tools/web_update
|
tools/web_update
|
||||||
|
|
||||||
|
# Give fail2ban another restart. The log files may not all have been present when
|
||||||
|
# fail2ban was first configured, but they should exist now.
|
||||||
|
restart_service fail2ban
|
||||||
|
|
||||||
# If DNS is already working, try to provision TLS certficates from Let's Encrypt.
|
# If DNS is already working, try to provision TLS certficates from Let's Encrypt.
|
||||||
# Suppress extra reasons why domains aren't getting a new certificate.
|
# Suppress extra reasons why domains aren't getting a new certificate.
|
||||||
management/ssl_certificates.py -q
|
management/ssl_certificates.py -q
|
||||||
|
@ -299,4 +299,9 @@ cat conf/fail2ban/jails.conf \
|
|||||||
> /etc/fail2ban/jail.d/mailinabox.conf
|
> /etc/fail2ban/jail.d/mailinabox.conf
|
||||||
cp -f conf/fail2ban/filter.d/* /etc/fail2ban/filter.d/
|
cp -f conf/fail2ban/filter.d/* /etc/fail2ban/filter.d/
|
||||||
|
|
||||||
|
# On first installation, the log files that the jails look at don't all exist.
|
||||||
|
# e.g., The roundcube error log isn't normally created until someone logs into
|
||||||
|
# Roundcube for the first time. This causes fail2ban to fail to start. Later
|
||||||
|
# scripts will ensure the files exist and then fail2ban is given another
|
||||||
|
# restart at the very end of setup.
|
||||||
restart_service fail2ban
|
restart_service fail2ban
|
||||||
|
@ -133,6 +133,9 @@ EOF
|
|||||||
mkdir -p /var/log/roundcubemail /tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
|
mkdir -p /var/log/roundcubemail /tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
|
||||||
chown -R www-data.www-data /var/log/roundcubemail /tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
|
chown -R www-data.www-data /var/log/roundcubemail /tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
|
||||||
|
|
||||||
|
# Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
|
||||||
|
sudo -u www-data touch /var/log/roundcubemail/errors
|
||||||
|
|
||||||
# Password changing plugin settings
|
# Password changing plugin settings
|
||||||
# The config comes empty by default, so we need the settings
|
# The config comes empty by default, so we need the settings
|
||||||
# we're not planning to change in config.inc.dist...
|
# we're not planning to change in config.inc.dist...
|
||||||
|
@ -1,20 +1,20 @@
|
|||||||
# Test that a box's fail2ban setting are working
|
# Test that a box's fail2ban setting are working
|
||||||
# correctly by attempting a bunch of failed logins.
|
# correctly by attempting a bunch of failed logins.
|
||||||
# Specify SSH login information the command line -
|
#
|
||||||
# we use that to reset fail2ban after each test,
|
# Specify a SSH login command (which we use to reset
|
||||||
# and we extract the hostname from that to open
|
# fail2ban after each test) and the hostname to
|
||||||
# connections to.
|
# try to log in to.
|
||||||
######################################################################
|
######################################################################
|
||||||
|
|
||||||
import sys, os, time, functools
|
import sys, os, time, functools
|
||||||
|
|
||||||
# parse command line
|
# parse command line
|
||||||
|
|
||||||
if len(sys.argv) < 2:
|
if len(sys.argv) != 3:
|
||||||
print("Usage: tests/fail2ban.py user@hostname")
|
print("Usage: tests/fail2ban.py \"ssh user@hostname\" hostname")
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
|
|
||||||
ssh_user, hostname = sys.argv[1].split("@", 1)
|
ssh_command, hostname = sys.argv[1:3]
|
||||||
|
|
||||||
# define some test types
|
# define some test types
|
||||||
|
|
||||||
@ -85,7 +85,8 @@ def http_test(url, expected_status, postdata=None, qsargs=None, auth=None):
|
|||||||
auth=HTTPBasicAuth(*auth) if auth else None,
|
auth=HTTPBasicAuth(*auth) if auth else None,
|
||||||
data=postdata,
|
data=postdata,
|
||||||
headers={'User-Agent': 'Mail-in-a-Box fail2ban tester'},
|
headers={'User-Agent': 'Mail-in-a-Box fail2ban tester'},
|
||||||
timeout=8)
|
timeout=8,
|
||||||
|
verify=False) # don't bother with HTTPS validation, it may not be configured yet
|
||||||
except requests.exceptions.ConnectTimeout as e:
|
except requests.exceptions.ConnectTimeout as e:
|
||||||
raise IsBlocked()
|
raise IsBlocked()
|
||||||
except requests.exceptions.ConnectionError as e:
|
except requests.exceptions.ConnectionError as e:
|
||||||
@ -106,7 +107,7 @@ def restart_fail2ban_service(final=False):
|
|||||||
if not final:
|
if not final:
|
||||||
# Stop recidive jails during testing.
|
# Stop recidive jails during testing.
|
||||||
command += " && sudo fail2ban-client stop recidive"
|
command += " && sudo fail2ban-client stop recidive"
|
||||||
os.system("ssh %s@%s \"%s\"" % (ssh_user, hostname, command))
|
os.system("%s \"%s\"" % (ssh_command, command))
|
||||||
|
|
||||||
def testfunc_runner(i, testfunc, *args):
|
def testfunc_runner(i, testfunc, *args):
|
||||||
print(i+1, end=" ", flush=True)
|
print(i+1, end=" ", flush=True)
|
||||||
|
Loading…
Reference in New Issue
Block a user