From 7d4d9915ecce105d65c25b5c4fd6485ead1336ab Mon Sep 17 00:00:00 2001 From: Michael Kroes Date: Wed, 23 Mar 2016 12:29:12 +0100 Subject: [PATCH 1/8] Add fail2ban to management interface --- conf/fail2ban/jail.local | 9 +++++++++ conf/fail2ban/miab-management-daemon.conf | 12 ++++++++++++ management/daemon.py | 24 ++++++++++++++++++++++- setup/system.sh | 1 + 4 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 conf/fail2ban/miab-management-daemon.conf diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local index b9340e52..f306b59d 100644 --- a/conf/fail2ban/jail.local +++ b/conf/fail2ban/jail.local @@ -24,6 +24,15 @@ filter = dovecotimap findtime = 30 maxretry = 20 +[management-daemon] +enabled = true +filter = miab-management-daemon +port = http,https +logpath = /var/log/mailinabox.log +maxretry = 20 +findtime = 30 + [recidive] enabled = true maxretry = 10 + diff --git a/conf/fail2ban/miab-management-daemon.conf b/conf/fail2ban/miab-management-daemon.conf new file mode 100644 index 00000000..9f3fdb79 --- /dev/null +++ b/conf/fail2ban/miab-management-daemon.conf @@ -0,0 +1,12 @@ +# Fail2Ban filter Mail-in-a-Box management daemon + +[INCLUDES] + +before = common.conf + +[Definition] + +_daemon = mailinabox + +failregex = Failed login from ip +ignoreregex = diff --git a/management/daemon.py b/management/daemon.py index bf3c9134..e62fe07f 100755 --- a/management/daemon.py +++ b/management/daemon.py @@ -1,6 +1,6 @@ #!/usr/bin/python3 -import os, os.path, re, json +import os, os.path, re, json, logging, logging.handlers from functools import wraps 
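Review bot: The `[management-daemon]` jail only trips on 20 failures inside a 30-second window (`maxretry = 20`, `findtime = 30`), so it stops fast bursts but never counts a client that stays under that rate. For an admin login endpoint a longer window is the usual choice, for example `findtime = 600` with a lower `maxretry`, plus an explicit `bantime` so the jail does not depend on a default set elsewhere. The same pair of values is copied into the roundcube, owncloud, munin and postfix-submission jails added in patches 3/8, 4/8 and 6/8 and carried into `jail.d/` in 7/8. The values mirror the existing dovecot jail visible in the context lines, so this may be deliberate; if so, a comment stating the reasoning would help.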
@@ -32,6 +32,19 @@ with open(os.path.join(os.path.dirname(me), "csr_country_codes.tsv")) as f: app = Flask(__name__, template_folder=os.path.abspath(os.path.join(os.path.dirname(me), "templates"))) +# Initialize the logger +# +# The logger wil automatically rotate the log if it gets to big, it will keep 3 old log files +# The log will contain timestap-level-message +logger = logging.getLogger('mailinabox') +fh = logging.handlers.RotatingFileHandler("/var/log/mailinabox.log", maxBytes=10240, backupCount=3) +fh.setFormatter(logging.Formatter('%(asctime)s %(levelname)-8s %(message)s')) +logger.addHandler(fh) +logger.setLevel(logging.INFO) + +# Log a line that the daemon was started +logger.info("Management daemon started") + # Decorator to protect views that require a user with 'admin' privileges. def authorized_personnel_only(viewfunc): @wraps(viewfunc) @@ -45,6 +58,9 @@ def authorized_personnel_only(viewfunc): privs = [] error = str(e) + # Write a line in the log recording the failed login + log_failed_login(request) + # Authorized to access an API view? if "admin" in privs: # Call view func. @@ -117,6 +133,9 @@ def me(): try: email, privs = auth_service.authenticate(request, env) except ValueError as e: + # Log the failed login + log_failed_login(request) + return json_response({ "status": "invalid", "reason": str(e), @@ -504,6 +523,9 @@ def munin(filename=""): if filename == "": filename = "index.html" return send_from_directory("/var/cache/munin/www", filename) +def log_failed_login(request): + logger.warning("Failed login from ip %s" % (request.headers.getlist("X-Forwarded-For")[0])) + # APP if __name__ == '__main__': diff --git a/setup/system.sh b/setup/system.sh index 1aeec458..cff423ce 100755 --- a/setup/system.sh +++ b/setup/system.sh 
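Review bot: `log_failed_login` (hunk `@@ -504,6 +523,9 @@`) writes the first `X-Forwarded-For` value into the line fail2ban parses, and that value is only trustworthy if the nginx front end overwrites the header rather than appending to a client-supplied one; the proxy configuration is not part of this patch. If the header can carry client text, the logged address, and therefore the ban, can name a host other than the one that connected. Prefer the hop added by the trusted proxy and validate it before logging, e.g. `ip = str(ipaddress.ip_address(value.strip()))`, falling back to `request.remote_addr` when parsing fails. The rewrite of this function in patch 2/8 adds the `remote_addr` fallback for a missing header but keeps the `[0]` selection, so the point applies there too.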
@@ -232,5 +232,6 @@ cat conf/fail2ban/jail.local \ | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \ > /etc/fail2ban/jail.local cp conf/fail2ban/dovecotimap.conf /etc/fail2ban/filter.d/dovecotimap.conf +cp conf/fail2ban/miab-management-daemon.conf /etc/fail2ban/filter.d/miab-management-daemon.conf restart_service fail2ban From 864bd988d8a7c99d995d3b86521892d38b6029eb Mon Sep 17 00:00:00 2001 From: Michael Kroes Date: Thu, 24 Mar 2016 14:00:23 +0100 Subject: [PATCH 2/8] Write failed login attempts on the management interface to the syslog to allow fail2ban to ban repeat offenders --- conf/fail2ban/jail.local | 2 +- conf/fail2ban/miab-management-daemon.conf | 2 +- management/daemon.py | 29 +++++++++++------------ 3 files changed, 16 insertions(+), 17 deletions(-) diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local index f306b59d..786f2fd9 100644 --- a/conf/fail2ban/jail.local +++ b/conf/fail2ban/jail.local @@ -28,7 +28,7 @@ maxretry = 20 enabled = true filter = miab-management-daemon port = http,https -logpath = /var/log/mailinabox.log +logpath = /var/log/syslog maxretry = 20 findtime = 30 diff --git a/conf/fail2ban/miab-management-daemon.conf b/conf/fail2ban/miab-management-daemon.conf index 9f3fdb79..0541ab6d 100644 --- a/conf/fail2ban/miab-management-daemon.conf +++ b/conf/fail2ban/miab-management-daemon.conf @@ -8,5 +8,5 @@ before = common.conf _daemon = mailinabox -failregex = Failed login from ip +failregex = MIAB: Failed login attempt from ip - timestamp .* ignoreregex = diff --git a/management/daemon.py b/management/daemon.py index e62fe07f..a671a80f 100755 --- a/management/daemon.py +++ b/management/daemon.py @@ -1,6 +1,6 @@ #!/usr/bin/python3 -import os, os.path, re, json, logging, logging.handlers +import os, os.path, re, json, time from functools import wraps 
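Review bot: The new `failregex` in `miab-management-daemon.conf` is matched anywhere in a line of `/var/log/syslog`, a file many local services write to, and `_daemon = mailinabox` in the context lines is defined but never referenced, so the filter does not check which process produced the line. Any syslog writer that emits the `MIAB: Failed login attempt from ip ...` text, including a service that logs remote input verbatim, would feed this jail. Anchor the expression on the syslog prefix from `common.conf` by starting it with `^%(__prefix_line)s`, and set `_daemon` to the tag the management daemon actually logs under; that tag is not visible in this patch. The trailing `.*` after `timestamp` can be tightened to `[\d.]+\s*$`, since patch 2/8 writes `time.time()` there.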
@@ -32,19 +32,6 @@ with open(os.path.join(os.path.dirname(me), "csr_country_codes.tsv")) as f: app = Flask(__name__, template_folder=os.path.abspath(os.path.join(os.path.dirname(me), "templates"))) -# Initialize the logger -# -# The logger wil automatically rotate the log if it gets to big, it will keep 3 old log files -# The log will contain timestap-level-message -logger = logging.getLogger('mailinabox') -fh = logging.handlers.RotatingFileHandler("/var/log/mailinabox.log", maxBytes=10240, backupCount=3) -fh.setFormatter(logging.Formatter('%(asctime)s %(levelname)-8s %(message)s')) -logger.addHandler(fh) -logger.setLevel(logging.INFO) - -# Log a line that the daemon was started -logger.info("Management daemon started") - # Decorator to protect views that require a user with 'admin' privileges. def authorized_personnel_only(viewfunc): @wraps(viewfunc) @@ -524,7 +511,19 @@ def munin(filename=""): return send_from_directory("/var/cache/munin/www", filename) def log_failed_login(request): - logger.warning("Failed login from ip %s" % (request.headers.getlist("X-Forwarded-For")[0])) + # We need to figure out the ip to list in the message, all our calls are routed + # through nginx who will put the original ip in X-Forwarded-For. + # During setup we call the management interface directly to determine the user + # status. So we can't always use X-Forwarded-For because during setup that header + # will not be present. + if request.headers.getlist("X-Forwarded-For"): + ip = request.headers.getlist("X-Forwarded-For")[0] + else: + ip = request.remote_addr + + # We need to add a timestamp to the log message, otherwise /dev/log will eat the "duplicate" + # message. + app.logger.warning( "MIAB: Failed login attempt from ip %s - timestamp %s" % (ip, time.time())) # APP From 9b8d7773b9103143c5acc983b0dd8d4c0f6a975b Mon Sep 17 00:00:00 2001 
From: Michael Kroes Date: Thu, 24 Mar 2016 14:16:57 +0100 Subject: [PATCH 3/8] Add fail2ban checks for roudcube --- conf/fail2ban/jail.local | 8 ++++++++ conf/fail2ban/roundcube.conf | 14 ++++++++++++++ setup/system.sh | 2 +- 3 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 conf/fail2ban/roundcube.conf diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local index 786f2fd9..e7ab33ba 100644 --- a/conf/fail2ban/jail.local +++ b/conf/fail2ban/jail.local @@ -32,6 +32,14 @@ logpath = /var/log/syslog maxretry = 20 findtime = 30 +[roundcube] +enabled = true +port = http,https +filter = roundcube +logpath = /var/log/roundcubemail/errors +maxretry = 20 +findtime = 30 + [recidive] enabled = true maxretry = 10 diff --git a/conf/fail2ban/roundcube.conf b/conf/fail2ban/roundcube.conf new file mode 100644 index 00000000..7aa7c8bd --- /dev/null +++ b/conf/fail2ban/roundcube.conf @@ -0,0 +1,14 @@ +# Fail2Ban configuration file for roundcube web server +# +# +# + +[INCLUDES] + +before = common.conf + +[Definition] + +failregex = IMAP Error: Login failed for .*? from \. AUTHENTICATE.* + +ignoreregex = diff --git a/setup/system.sh b/setup/system.sh index cff423ce..cd633b62 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -233,5 +233,5 @@ cat conf/fail2ban/jail.local \ > /etc/fail2ban/jail.local cp conf/fail2ban/dovecotimap.conf /etc/fail2ban/filter.d/dovecotimap.conf cp conf/fail2ban/miab-management-daemon.conf /etc/fail2ban/filter.d/miab-management-daemon.conf - +cp conf/fail2ban/roundcube.conf /etc/fail2ban/filter.d/roundcube.conf restart_service fail2ban From f54333724e09e0c28d2e4b58245aa48a38a1eccb Mon Sep 17 00:00:00 2001 From: Michael Kroes Date: Thu, 24 Mar 2016 15:07:15 +0100 Subject: [PATCH 4/8] Add fail2ban checks for owncloud --- conf/fail2ban/jail.local | 8 ++++++++ conf/fail2ban/owncloud.conf | 3 +++ setup/owncloud.sh | 5 +++++ setup/system.sh | 1 + 4 files changed, 17 insertions(+) create mode 100644 conf/fail2ban/owncloud.conf 
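Review bot: In the roundcube `failregex` the user name is matched by a lazy `.*?` placed before the host, so the host capture binds to the first ` from ... .` sequence in the line, and the user name is text the remote client supplies (the host tag itself appears to have been dropped from this page's rendering between `from ` and `\.`). If roundcube logs that name unmodified, which cannot be verified from this patch, the filter could record an address taken from the user name instead of the connecting peer. Anchor the expression at the start of the log message and restrict the user part to a class that cannot span the ` from ` separator, for instance `\S+` in place of `.*?`. Confirm the result with `fail2ban-regex` against a sample of `/var/log/roundcubemail/errors`.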
diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local index e7ab33ba..8a4f32f2 100644 --- a/conf/fail2ban/jail.local +++ b/conf/fail2ban/jail.local @@ -40,6 +40,14 @@ logpath = /var/log/roundcubemail/errors maxretry = 20 findtime = 30 +[owncloud] +enabled = true +port = http,https +filter = owncloud +logpath = /home/user-data/owncloud/owncloud.log +maxretry = 20 +findtime = 30 + [recidive] enabled = true maxretry = 10 diff --git a/conf/fail2ban/owncloud.conf b/conf/fail2ban/owncloud.conf new file mode 100644 index 00000000..6666473d --- /dev/null +++ b/conf/fail2ban/owncloud.conf @@ -0,0 +1,3 @@ +[Definition] +failregex=Login failed: .*Remote IP: '[\)'] +ignoreregex = diff --git a/setup/owncloud.sh b/setup/owncloud.sh index c71c3ffb..f678d8f6 100755 --- a/setup/owncloud.sh +++ b/setup/owncloud.sh @@ -163,7 +163,10 @@ fi # so set it here. It also can change if the box's PRIMARY_HOSTNAME changes, so # this will make sure it has the right value. # * Some settings weren't included in previous versions of Mail-in-a-Box. +# * We need to set the timezone to the system timezone to allow fail2ban to ban +# users within the proper timeframe # Use PHP to read the settings file, modify it, and write out the new settings array. +TIMEZONE=$(cat /etc/timezone) CONFIG_TEMP=$(/bin/mktemp) php < $CONFIG_TEMP && mv $CONFIG_TEMP $STORAGE_ROOT/owncloud/config.php; Date: Thu, 24 Mar 2016 15:17:07 +0100 Subject: [PATCH 5/8] Cleanup fail2ban config files --- conf/fail2ban/owncloud.conf | 4 ++++ conf/fail2ban/roundcube.conf | 5 ----- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/conf/fail2ban/owncloud.conf b/conf/fail2ban/owncloud.conf index 6666473d..a9a13f2c 100644 --- a/conf/fail2ban/owncloud.conf +++ b/conf/fail2ban/owncloud.conf @@ -1,3 +1,7 @@ +[INCLUDES] + +before = common.conf + [Definition] failregex=Login failed: .*Remote IP: '[\)'] ignoreregex = diff --git a/conf/fail2ban/roundcube.conf b/conf/fail2ban/roundcube.conf index 7aa7c8bd..c6979c85 100644 
--- a/conf/fail2ban/roundcube.conf +++ b/conf/fail2ban/roundcube.conf @@ -1,8 +1,3 @@ -# Fail2Ban configuration file for roundcube web server -# -# -# - [INCLUDES] before = common.conf From 710ad87602d22e399a67a170c73c69cb0500c59a Mon Sep 17 00:00:00 2001 From: Michael Kroes Date: Mon, 28 Mar 2016 16:10:52 +0200 Subject: [PATCH 6/8] Add fail2ban filters for munin and postfix submission --- conf/fail2ban/jail.local | 16 ++++++++++++++++ conf/fail2ban/munin.conf | 7 +++++++ conf/fail2ban/postfix-submission.conf | 7 +++++++ setup/system.sh | 2 ++ 4 files changed, 32 insertions(+) create mode 100644 conf/fail2ban/munin.conf create mode 100644 conf/fail2ban/postfix-submission.conf diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local index 8a4f32f2..76f8b22e 100644 --- a/conf/fail2ban/jail.local +++ b/conf/fail2ban/jail.local @@ -48,6 +48,22 @@ logpath = /home/user-data/owncloud/owncloud.log maxretry = 20 findtime = 30 +[munin] +enabled = true +port = http,https +filter = munin +logpath = /var/log/nginx/access.log +maxretry = 20 +findtime = 30 + +[postfix-submission] +enabled = true +port = 587 +filter = postfix-submission +logpath = /var/log/mail.log +maxretry = 20 +findtime = 30 + [recidive] enabled = true maxretry = 10 diff --git a/conf/fail2ban/munin.conf b/conf/fail2ban/munin.conf new file mode 100644 index 00000000..b254cc62 --- /dev/null +++ b/conf/fail2ban/munin.conf @@ -0,0 +1,7 @@ +[INCLUDES] + +before = common.conf + +[Definition] +failregex= - .*GET /admin/munin/.* HTTP/1.1\" 401.* +ignoreregex = diff --git a/conf/fail2ban/postfix-submission.conf b/conf/fail2ban/postfix-submission.conf new file mode 100644 index 00000000..236e1331 --- /dev/null +++ b/conf/fail2ban/postfix-submission.conf @@ -0,0 +1,7 @@ +[INCLUDES] + +before = common.conf + +[Definition] +failregex=postfix/submission/smtpd.*warning.*\[\]: .* authentication (failed|aborted) +ignoreregex = diff --git a/setup/system.sh b/setup/system.sh index be20a1b1..202f0959 100755 
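Review bot: The munin `failregex` counts only `GET` requests logged as `HTTP/1.1` with status 401, so 401 responses to other methods or protocol versions under `/admin/munin/` never reach the jail. Matching on path and status alone closes that gap, e.g. `"[A-Z]+ /admin/munin/\S* HTTP/[0-9.]+" 401 `, and the expression should start with `^` before the host tag so the capture is tied to the client-address field of the access log. Also note that a browser loading a munin page requests many graphs at once, so an admin with stale credentials could plausibly reach `maxretry = 20` within `findtime = 30` and be banned; worth testing before relying on these limits.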
--- a/setup/system.sh +++ b/setup/system.sh @@ -289,4 +289,6 @@ cp conf/fail2ban/dovecotimap.conf /etc/fail2ban/filter.d/dovecotimap.conf cp conf/fail2ban/miab-management-daemon.conf /etc/fail2ban/filter.d/miab-management-daemon.conf cp conf/fail2ban/roundcube.conf /etc/fail2ban/filter.d/roundcube.conf cp conf/fail2ban/owncloud.conf /etc/fail2ban/filter.d/owncloud.conf +cp conf/fail2ban/munin.conf /etc/fail2ban/filter.d/munin.conf +cp conf/fail2ban/postfix-submission.conf /etc/fail2ban/filter.d/postfix-submission.conf restart_service fail2ban From 1e02bb0bf1e0fbc74528745db48840c10d935bdd Mon Sep 17 00:00:00 2001 
From: Michael Kroes Date: Tue, 29 Mar 2016 18:43:05 +0200 Subject: [PATCH 7/8] Make use of fail2ban jail.d --- conf/fail2ban/{ => filter.d}/dovecotimap.conf | 0 .../miab-management-daemon.conf | 0 .../{munin.conf => filter.d/miab-munin.conf} | 0 .../miab-owncloud.conf} | 0 .../miab-postfix-submission.conf} | 0 .../miab-roundcube.conf} | 0 conf/fail2ban/jail.d/dovecot.conf | 5 ++ .../jail.d/miab-management-daemon.conf | 7 +++ conf/fail2ban/jail.d/miab-munin.conf | 7 +++ conf/fail2ban/jail.d/miab-owncloud.conf | 7 +++ .../jail.d/miab-postfix-submission.conf | 7 +++ conf/fail2ban/jail.d/miab-roundcube.conf | 7 +++ conf/fail2ban/jail.d/recidive.conf | 4 ++ conf/fail2ban/jail.d/sasl.conf | 2 + conf/fail2ban/jail.d/ssh-ddos.conf | 2 + conf/fail2ban/jail.d/ssh.conf | 3 + conf/fail2ban/jail.local | 62 ------------------- setup/system.sh | 10 ++- 18 files changed, 55 insertions(+), 68 deletions(-) rename conf/fail2ban/{ => filter.d}/dovecotimap.conf (100%) rename conf/fail2ban/{ => filter.d}/miab-management-daemon.conf (100%) rename conf/fail2ban/{munin.conf => filter.d/miab-munin.conf} (100%) rename conf/fail2ban/{owncloud.conf => filter.d/miab-owncloud.conf} (100%) rename conf/fail2ban/{postfix-submission.conf => filter.d/miab-postfix-submission.conf} (100%) rename conf/fail2ban/{roundcube.conf => filter.d/miab-roundcube.conf} (100%) create mode 100644 conf/fail2ban/jail.d/dovecot.conf create mode 100644 conf/fail2ban/jail.d/miab-management-daemon.conf create mode 100644 conf/fail2ban/jail.d/miab-munin.conf create mode 100644 conf/fail2ban/jail.d/miab-owncloud.conf create mode 100644 conf/fail2ban/jail.d/miab-postfix-submission.conf create mode 100644 conf/fail2ban/jail.d/miab-roundcube.conf create mode 100644 conf/fail2ban/jail.d/recidive.conf create mode 100644 conf/fail2ban/jail.d/sasl.conf create mode 100644 conf/fail2ban/jail.d/ssh-ddos.conf create mode 100644 conf/fail2ban/jail.d/ssh.conf 
diff --git a/conf/fail2ban/dovecotimap.conf b/conf/fail2ban/filter.d/dovecotimap.conf similarity index 100% rename from conf/fail2ban/dovecotimap.conf rename to conf/fail2ban/filter.d/dovecotimap.conf diff --git a/conf/fail2ban/miab-management-daemon.conf b/conf/fail2ban/filter.d/miab-management-daemon.conf similarity index 100% rename from conf/fail2ban/miab-management-daemon.conf rename to conf/fail2ban/filter.d/miab-management-daemon.conf diff --git a/conf/fail2ban/munin.conf b/conf/fail2ban/filter.d/miab-munin.conf similarity index 100% rename from conf/fail2ban/munin.conf rename to conf/fail2ban/filter.d/miab-munin.conf diff --git a/conf/fail2ban/owncloud.conf b/conf/fail2ban/filter.d/miab-owncloud.conf similarity index 100% rename from conf/fail2ban/owncloud.conf rename to conf/fail2ban/filter.d/miab-owncloud.conf diff --git a/conf/fail2ban/postfix-submission.conf b/conf/fail2ban/filter.d/miab-postfix-submission.conf similarity index 100% rename from conf/fail2ban/postfix-submission.conf rename to conf/fail2ban/filter.d/miab-postfix-submission.conf diff --git a/conf/fail2ban/roundcube.conf b/conf/fail2ban/filter.d/miab-roundcube.conf similarity index 100% rename from conf/fail2ban/roundcube.conf rename to conf/fail2ban/filter.d/miab-roundcube.conf diff --git a/conf/fail2ban/jail.d/dovecot.conf b/conf/fail2ban/jail.d/dovecot.conf new file mode 100644 index 00000000..29b0e65a --- /dev/null +++ b/conf/fail2ban/jail.d/dovecot.conf @@ -0,0 +1,5 @@ +[dovecot] +enabled = true +filter = dovecotimap +findtime = 30 +maxretry = 20 diff --git a/conf/fail2ban/jail.d/miab-management-daemon.conf b/conf/fail2ban/jail.d/miab-management-daemon.conf new file mode 100644 index 00000000..f5920dfe --- /dev/null +++ b/conf/fail2ban/jail.d/miab-management-daemon.conf @@ -0,0 +1,7 @@ +[miab-management-daemon] +enabled = true +filter = miab-management-daemon +port = http,https +logpath = /var/log/syslog +maxretry = 20 +findtime = 30 
diff --git a/conf/fail2ban/jail.d/miab-munin.conf b/conf/fail2ban/jail.d/miab-munin.conf new file mode 100644 index 00000000..9d72c4f2 --- /dev/null +++ b/conf/fail2ban/jail.d/miab-munin.conf @@ -0,0 +1,7 @@ +[miab-munin] +enabled = true +port = http,https +filter = miab-munin +logpath = /var/log/nginx/access.log +maxretry = 20 +findtime = 30 diff --git a/conf/fail2ban/jail.d/miab-owncloud.conf b/conf/fail2ban/jail.d/miab-owncloud.conf new file mode 100644 index 00000000..9328bd5d --- /dev/null +++ b/conf/fail2ban/jail.d/miab-owncloud.conf @@ -0,0 +1,7 @@ +[miab-owncloud] +enabled = true +port = http,https +filter = miab-owncloud +logpath = /home/user-data/owncloud/owncloud.log +maxretry = 20 +findtime = 30 diff --git a/conf/fail2ban/jail.d/miab-postfix-submission.conf b/conf/fail2ban/jail.d/miab-postfix-submission.conf new file mode 100644 index 00000000..6033214f --- /dev/null +++ b/conf/fail2ban/jail.d/miab-postfix-submission.conf @@ -0,0 +1,7 @@ +[miab-postfix-submission] +enabled = true +port = 587 +filter = miab-postfix-submission +logpath = /var/log/mail.log +maxretry = 20 +findtime = 30 diff --git a/conf/fail2ban/jail.d/miab-roundcube.conf b/conf/fail2ban/jail.d/miab-roundcube.conf new file mode 100644 index 00000000..e84cc4d1 --- /dev/null +++ b/conf/fail2ban/jail.d/miab-roundcube.conf @@ -0,0 +1,7 @@ +[miab-roundcube] +enabled = true +port = http,https +filter = miab-roundcube +logpath = /var/log/roundcubemail/errors +maxretry = 20 +findtime = 30 diff --git a/conf/fail2ban/jail.d/recidive.conf b/conf/fail2ban/jail.d/recidive.conf new file mode 100644 index 00000000..3546a839 --- /dev/null +++ b/conf/fail2ban/jail.d/recidive.conf @@ -0,0 +1,4 @@ +[recidive] +enabled = true +maxretry = 10 + diff --git a/conf/fail2ban/jail.d/sasl.conf b/conf/fail2ban/jail.d/sasl.conf new file mode 100644 index 00000000..b01f79de --- /dev/null +++ b/conf/fail2ban/jail.d/sasl.conf @@ -0,0 +1,2 @@ +[sasl] +enabled = true 
diff --git a/conf/fail2ban/jail.d/ssh-ddos.conf b/conf/fail2ban/jail.d/ssh-ddos.conf new file mode 100644 index 00000000..522ae99f --- /dev/null +++ b/conf/fail2ban/jail.d/ssh-ddos.conf @@ -0,0 +1,2 @@ +[ssh-ddos] +enabled = true diff --git a/conf/fail2ban/jail.d/ssh.conf b/conf/fail2ban/jail.d/ssh.conf new file mode 100644 index 00000000..0d0f6aab --- /dev/null +++ b/conf/fail2ban/jail.d/ssh.conf @@ -0,0 +1,3 @@ +[ssh] +maxretry = 7 +bantime = 3600 diff --git a/conf/fail2ban/jail.local b/conf/fail2ban/jail.local index 76f8b22e..fcf05396 100644 --- a/conf/fail2ban/jail.local +++ b/conf/fail2ban/jail.local @@ -6,65 +6,3 @@ # ours too. The string is substituted during installation. ignoreip = 127.0.0.1/8 PUBLIC_IP -# JAILS - -[ssh] -maxretry = 7 -bantime = 3600 - -[ssh-ddos] -enabled = true - -[sasl] -enabled = true - -[dovecot] -enabled = true -filter = dovecotimap -findtime = 30 -maxretry = 20 - -[management-daemon] -enabled = true -filter = miab-management-daemon -port = http,https -logpath = /var/log/syslog -maxretry = 20 -findtime = 30 - -[roundcube] -enabled = true -port = http,https -filter = roundcube -logpath = /var/log/roundcubemail/errors -maxretry = 20 -findtime = 30 - -[owncloud] -enabled = true -port = http,https -filter = owncloud -logpath = /home/user-data/owncloud/owncloud.log -maxretry = 20 -findtime = 30 - -[munin] -enabled = true -port = http,https -filter = munin -logpath = /var/log/nginx/access.log -maxretry = 20 -findtime = 30 - -[postfix-submission] -enabled = true -port = 587 -filter = postfix-submission -logpath = /var/log/mail.log -maxretry = 20 -findtime = 30 - -[recidive] -enabled = true -maxretry = 10 - diff --git a/setup/system.sh b/setup/system.sh index 202f0959..3ceba616 100755 --- a/setup/system.sh +++ b/setup/system.sh 
@@ -285,10 +285,8 @@ restart_service resolvconf cat conf/fail2ban/jail.local \ | sed "s/PUBLIC_IP/$PUBLIC_IP/g" \ > /etc/fail2ban/jail.local -cp conf/fail2ban/dovecotimap.conf /etc/fail2ban/filter.d/dovecotimap.conf -cp conf/fail2ban/miab-management-daemon.conf /etc/fail2ban/filter.d/miab-management-daemon.conf -cp conf/fail2ban/roundcube.conf /etc/fail2ban/filter.d/roundcube.conf -cp conf/fail2ban/owncloud.conf /etc/fail2ban/filter.d/owncloud.conf -cp conf/fail2ban/munin.conf /etc/fail2ban/filter.d/munin.conf -cp conf/fail2ban/postfix-submission.conf /etc/fail2ban/filter.d/postfix-submission.conf + +cp -f conf/fail2ban/filter.d/* /etc/fail2ban/filter.d/ +cp -f conf/fail2ban/jail.d/* /etc/fail2ban/jail.d/ + restart_service fail2ban From f2da513f5a0f8a07f68e804fd0986fd99ffb1b6c Mon Sep 17 00:00:00 2001 From: Michael Kroes Date: Sun, 10 Apr 2016 13:02:51 +0200 Subject: [PATCH 8/8] Fail2ban for owncloud should user STORAGE_ROOT instead of hardcoded path --- conf/fail2ban/jail.d/miab-owncloud.conf | 2 +- setup/system.sh | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/conf/fail2ban/jail.d/miab-owncloud.conf b/conf/fail2ban/jail.d/miab-owncloud.conf index 9328bd5d..edb3a949 100644 --- a/conf/fail2ban/jail.d/miab-owncloud.conf +++ b/conf/fail2ban/jail.d/miab-owncloud.conf @@ -2,6 +2,6 @@ enabled = true port = http,https filter = miab-owncloud -logpath = /home/user-data/owncloud/owncloud.log +logpath = STORAGE_ROOT/owncloud/owncloud.log maxretry = 20 findtime = 30 diff --git a/setup/system.sh b/setup/system.sh index 1673ba13..c1e9152b 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -299,4 +299,6 @@ cat conf/fail2ban/jail.local \ cp -f conf/fail2ban/filter.d/* /etc/fail2ban/filter.d/ cp -f conf/fail2ban/jail.d/* /etc/fail2ban/jail.d/ +sed -i "s#STORAGE_ROOT#$STORAGE_ROOT#" /etc/fail2ban/jail.d/miab-owncloud.conf + restart_service fail2ban
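Review bot: `restart_service fail2ban` now runs with jails whose `logpath` files may not exist yet on a fresh install (`STORAGE_ROOT/owncloud/owncloud.log`, `/var/log/roundcubemail/errors`), and fail2ban commonly refuses to start when a configured log file is missing, which would leave every jail, ssh included, inactive. Whether those files exist at this point depends on setup ordering that is outside this hunk. Consider creating the files before the restart, or moving this step after the owncloud and roundcube setup. Separately, the `sed -i "s#STORAGE_ROOT#$STORAGE_ROOT#"` replacement misbehaves if `$STORAGE_ROOT` is empty or contains `#` or `&`; a guard such as `[ -n "$STORAGE_ROOT" ]` and a comment naming the assumption would be enough.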