From be899f2b9e3515aa7e6b5a513f81a6da7d59b23d Mon Sep 17 00:00:00 2001
From: KiekerJan
Date: Mon, 25 Oct 2021 16:44:25 +0200
Subject: [PATCH] avoid a runaway /64 in jail.conf

---
 conf/fail2ban/jails.conf | 2 +-
 setup/system.sh | 9 ++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/conf/fail2ban/jails.conf b/conf/fail2ban/jails.conf
index b434fc99..b0faa6f1 100644
--- a/conf/fail2ban/jails.conf
+++ b/conf/fail2ban/jails.conf
@@ -5,7 +5,7 @@
 # Whitelist our own IP addresses. 127.0.0.1/8 is the default. But our status checks
 # ping services over the public interface so we should whitelist that address of
 # ours too. The string is substituted during installation.
-ignoreip = 127.0.0.1/8 ::1/128 PUBLIC_IP PUBLIC_IPV6/64 ADMIN_HOME_IP ADMIN_HOME_IPV6/64
+ignoreip = 127.0.0.1/8 ::1/128 PUBLIC_IP PUBLIC_IPV6/64 ADMIN_HOME_IP ADMIN_HOME_IPV6
 bantime = 15m
 findtime = 120m
 maxretry = 4
diff --git a/setup/system.sh b/setup/system.sh
index 2fb92b75..e52dd049 100755
--- a/setup/system.sh
+++ b/setup/system.sh
@@ -346,10 +346,17 @@ systemctl restart systemd-resolved
 # Configure the Fail2Ban installation to prevent dumb bruce-force attacks against dovecot, postfix, ssh, etc.
 rm -f /etc/fail2ban/jail.local # we used to use this file but don't anymore
 rm -f /etc/fail2ban/jail.d/defaults-debian.conf # removes default config so we can manage all of fail2ban rules in one config
+
+if [ ! -z "$ADMIN_HOME_IPV6" ]; then
+ADMIN_HOME_IPV6_FB="${ADMIN_HOME_IPV6}/64"
+else
+ADMIN_HOME_IPV6_FB=""
+fi
+
 cat conf/fail2ban/jails.conf \
 | sed "s/PUBLIC_IPV6/$PUBLIC_IPV6/g" \
 | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \
-| sed "s/ADMIN_HOME_IPV6/$ADMIN_HOME_IPV6/g" \
+| sed "s/ADMIN_HOME_IPV6/$ADMIN_HOME_IPV6_FB/g" \
 | sed "s/ADMIN_HOME_IP/$ADMIN_HOME_IP/g" \
 | sed "s#STORAGE_ROOT#$STORAGE_ROOT#" \
 > /etc/fail2ban/jail.d/00-mailinabox.conf
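Review bot: The `/64` that the new `ADMIN_HOME_IPV6_FB` now carries is also the delimiter of the sed expression it is interpolated into, `| sed "s/ADMIN_HOME_IPV6/$ADMIN_HOME_IPV6_FB/g"`, so whenever an admin IPv6 address is set the command becomes `s/ADMIN_HOME_IPV6/<addr>/64/g` and sed rejects it ("unknown option to `s'"); the pipeline then writes a truncated or empty 00-mailinabox.conf, or aborts the setup if the script runs under `set -e` (not visible in this hunk), and in the first case fail2ban comes up without the intended ignoreip list. Use the `#` delimiter that the STORAGE_ROOT substitution two lines below already uses: `| sed "s#ADMIN_HOME_IPV6#$ADMIN_HOME_IPV6_FB#g" \`. This only moves `/` out of the delimiter set; the value is still spliced unescaped into a sed script, which is acceptable only because an IPv6 literal is limited to hex digits and colons, so worth a one-line comment such as `# ADMIN_HOME_IPV6_FB contains '/', so use '#' as the sed delimiter`. Minor style point: `[ ! -z "$ADMIN_HOME_IPV6" ]` reads more directly as `[ -n "$ADMIN_HOME_IPV6" ]`.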