diff --git a/conf/fail2ban/jails_no_nextcloud.conf b/conf/fail2ban/jails_no_nextcloud.conf
new file mode 100644
index 00000000..0213ea7b
--- /dev/null
+++ b/conf/fail2ban/jails_no_nextcloud.conf
@@ -0,0 +1,70 @@
+# Fail2Ban configuration file for Mail-in-a-Box. Do not edit.
+# This file is re-generated on updates.
+
+[DEFAULT]
+# Whitelist our own IP addresses. 127.0.0.1/8 is the default. But our status checks
+# ping services over the public interface so we should whitelist that address of
+# ours too. The string is substituted during installation.
+ignoreip = 127.0.0.1/8 PUBLIC_IP
+
+[dovecot]
+enabled = true
+filter = dovecotimap
+logpath = /var/log/mail.log
+findtime = 30
+maxretry = 20
+
+[miab-management]
+enabled = true
+filter = miab-management-daemon
+port = http,https
+logpath = /var/log/syslog
+maxretry = 20
+findtime = 30
+
+[miab-munin]
+enabled = true
+port = http,https
+filter = miab-munin
+logpath = /var/log/nginx/access.log
+maxretry = 20
+findtime = 30
+
+[miab-postfix587]
+enabled = true
+port = 587
+filter = miab-postfix-submission
+logpath = /var/log/mail.log
+maxretry = 20
+findtime = 30
+
+[miab-roundcube]
+enabled = true
+port = http,https
+filter = miab-roundcube
+logpath = /var/log/roundcubemail/errors
+maxretry = 20
+findtime = 30
+
+[recidive]
+enabled = true
+maxretry = 10
+action = iptables-allports[name=recidive]
+# In the recidive section of jail.conf the action contains:
+#
+# action = iptables-allports[name=recidive]
+# sendmail-whois-lines[name=recidive, logpath=/var/log/fail2ban.log]
+#
+# The last line on the action will sent an email to the configured address. This mail will
+# notify the administrator that someone has been repeatedly triggering one of the other jails.
+# By default we don't configure this address and no action is required from the admin anyway.
+# So the notification is ommited. This will prevent message appearing in the mail.log that mail
+# can't be delivered to fail2ban@$HOSTNAME.
+
+[postfix-sasl]
+enabled = true
+
+[sshd]
+enabled = true
+maxretry = 7
+bantime = 3600
diff --git a/setup/system.sh b/setup/system.sh
index ccc60231..895ce0ae 100755
--- a/setup/system.sh
+++ b/setup/system.sh
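Review bot: This file duplicates every jail that the revised setup/system.sh otherwise reads from conf/fail2ban/jails.conf, presumably differing only in the absence of a Nextcloud jail, so any future change to a maxretry, findtime or logpath in one copy is likely to be missed in the other and the two installs will drift in what they ban. A less drift-prone layout is to keep a single jail file and have the installer append the Nextcloud jail from a separate fragment only when Nextcloud is enabled, which would make this file unnecessary. While the file is new, the recidive comment has two typos worth fixing: `# The last line on the action will send an email to the configured address. This mail will` and `# So the notification is omitted. This will prevent messages appearing in the mail.log that mail`.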
@@ -340,10 +340,20 @@ systemctl restart systemd-resolved
 # Configure the Fail2Ban installation to prevent dumb bruce-force attacks against dovecot, postfix, ssh, etc.
 rm -f /etc/fail2ban/jail.local # we used to use this file but don't anymore
 rm -f /etc/fail2ban/jail.d/defaults-debian.conf # removes default config so we can manage all of fail2ban rules in one config
-cat conf/fail2ban/jails.conf \
- | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \
- | sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \
- > /etc/fail2ban/jail.d/mailinabox.conf
+
+if [ ${DISABLE_NEXTCLOUD} != "1"]; then
+
+ cat conf/fail2ban/jails.conf \
+ | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \
+ | sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \
+ > /etc/fail2ban/jail.d/mailinabox.conf
+else
+ cat conf/fail2ban/jails_no_nextcloud.conf \
+ | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \
+ | sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \
+ > /etc/fail2ban/jail.d/mailinabox.conf
+fi
+
 cp -f conf/fail2ban/filter.d/* /etc/fail2ban/filter.d/
 
 # On first installation, the log files that the jails look at don't all exist.
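Review bot: The test `if [ ${DISABLE_NEXTCLOUD} != "1"]; then` is missing the space before `]`, so `[` receives `1]` as its last argument, reports a missing `]` and returns non-zero; the else branch is then taken on every install regardless of the setting, and the jail file without the Nextcloud jail is silently installed for everyone. Leaving `${DISABLE_NEXTCLOUD}` unquoted has the same outcome when the variable is unset or empty, since `[ != "1" ]` is itself an error for `[`. Both are fixed by `if [ "${DISABLE_NEXTCLOUD}" != "1" ]; then`. Because the two branches differ only in the source filename, selecting that name into a variable and running a single sed pipeline would also keep the PUBLIC_IP/STORAGE_ROOT substitutions from drifting between the branches.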