2023-01-03 05:58:09 +00:00
|
|
|
load "${REPOSITORY_ROOT}/test/helper/setup"
|
|
|
|
load "${REPOSITORY_ROOT}/test/helper/common"
|
|
|
|
|
|
|
|
TEST_NAME_PREFIX='Fail2Ban:'
|
|
|
|
CONTAINER1_NAME='dms-test_fail2ban'
|
|
|
|
CONTAINER2_NAME='dms-test_fail2ban_fail-auth-mailer'
|
|
|
|
|
2019-10-08 20:03:56 +00:00
|
|
|
function setup_file() {
|
2023-01-03 05:58:09 +00:00
|
|
|
export CONTAINER_NAME
|
|
|
|
|
|
|
|
CONTAINER_NAME=${CONTAINER1_NAME}
|
|
|
|
local CUSTOM_SETUP_ARGUMENTS=(
|
|
|
|
--env ENABLE_FAIL2BAN=1
|
|
|
|
--env POSTSCREEN_ACTION=ignore
|
|
|
|
--cap-add=NET_ADMIN
|
refactor: Parallel Tests
- `disabled_clamav_spamassassin`:
- Just shuffling the test order around, and removing the restart test at the end which doesn't make sense.
- `postscreen`:
- Now uses common helper for getting container IP
- Does not appear to need the `NET_ADMIN` capability?
- Reduced startup time for the 2nd container + additional context about it's relevance.
- Test cases are largely the same, but refactored the `nc` alternative that properly waits it's turn. This only needs to run once. Added additional commentary and made into a generic method if needed in other tests.
- `fail2ban`:
- Use the common container IP helper method.
- Postscreen isn't affecting this test, it's not required to do the much slower exchange with the mail server when sending a login failure.
- IP being passed into ENV is no longer necessary.
- `sleep 5` in the related test cases doesn't seem necessary, can better rely on polling with timeout.
- `sleep 10` for `setup.sh` also doesn't appear to be necessary.
- `postgrey`:
- Reduced POSTGREY_DELAY to 3, which shaves a fair amount of wasted time while still verifying the delay works.
- One of the checks in `main.cf` doesn't seem to need to know about the earlier spamhaus portion of the line to work, removed.
- Better test case descriptions.
- Improved log matching via standard method that better documents the expected triplet under test.
- Removed a redundant whitelist file and test that didn't seem to have any relevance. Added a TODO with additional notes about a concern with these tests.
- Reduced test time as 8 second timeouts from `-w 8` don't appear to be required, better to poll with grep instead.
- Replaced `wc -l` commands with a new method to assert expected line count, better enabling assertions on the actual output.
- `undef_spam_subject`:
- Split to two separate test cases, and initialize each container in their case instead of `setup_file()`, allowing for using the default `teardown()` method (and slight benefit if running in parallel).
- `permit_docker`:
- Not a parallel test, but I realized that the repeat helper methods don't necessarily play well with `run` as the command (can cause false positive of what was successful).
2023-01-03 06:11:36 +00:00
|
|
|
# NOTE: May no longer be needed with newer F2B:
|
2023-01-03 05:58:09 +00:00
|
|
|
--ulimit "nofile=$(ulimit -Sn):$(ulimit -Hn)"
|
|
|
|
)
|
|
|
|
init_with_defaults
|
|
|
|
common_container_setup 'CUSTOM_SETUP_ARGUMENTS'
|
|
|
|
wait_for_smtp_port_in_container "${CONTAINER_NAME}"
|
2022-05-30 00:53:30 +00:00
|
|
|
|
|
|
|
# Create a container which will send wrong authentications and should get banned
|
2023-01-03 05:58:09 +00:00
|
|
|
CONTAINER_NAME=${CONTAINER2_NAME}
|
|
|
|
init_with_defaults
|
|
|
|
common_container_setup 'CUSTOM_SETUP_ARGUMENTS'
|
2022-05-30 00:53:30 +00:00
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
# Set default implicit container fallback for helpers:
|
|
|
|
CONTAINER_NAME=${CONTAINER1_NAME}
|
2019-10-08 20:03:56 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
function teardown_file() {
|
2023-01-03 05:58:09 +00:00
|
|
|
docker rm -f "${CONTAINER1_NAME}" "${CONTAINER2_NAME}"
|
2019-10-08 20:03:56 +00:00
|
|
|
}
|
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
@test "${TEST_NAME_PREFIX} Fail2Ban is running" {
|
|
|
|
run check_if_process_is_running 'fail2ban-server'
|
2019-10-08 20:03:56 +00:00
|
|
|
assert_success
|
|
|
|
}
|
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
@test "${TEST_NAME_PREFIX} localhost is not banned because ignored" {
|
|
|
|
_run_in_container fail2ban-client status postfix-sasl
|
|
|
|
assert_success
|
|
|
|
refute_output --regexp '.*IP list:.*127\.0\.0\.1.*'
|
2019-10-08 20:03:56 +00:00
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
_run_in_container grep 'ignoreip = 127.0.0.1/8' /etc/fail2ban/jail.conf
|
2019-10-08 20:03:56 +00:00
|
|
|
assert_success
|
|
|
|
}
|
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
@test "${TEST_NAME_PREFIX} fail2ban-fail2ban.cf overrides" {
|
|
|
|
_run_in_container fail2ban-client get loglevel
|
2019-10-08 20:03:56 +00:00
|
|
|
assert_success
|
2023-01-03 05:58:09 +00:00
|
|
|
assert_output --partial 'DEBUG'
|
2019-10-08 20:03:56 +00:00
|
|
|
}
|
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
@test "${TEST_NAME_PREFIX} fail2ban-jail.cf overrides" {
|
|
|
|
for FILTER in 'dovecot' 'postfix' 'postfix-sasl'
|
|
|
|
do
|
|
|
|
_run_in_container fail2ban-client get "${FILTER}" bantime
|
2019-10-08 20:03:56 +00:00
|
|
|
assert_output 1234
|
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
_run_in_container fail2ban-client get "${FILTER}" findtime
|
2019-10-08 20:03:56 +00:00
|
|
|
assert_output 321
|
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
_run_in_container fail2ban-client get "${FILTER}" maxretry
|
2019-10-08 20:03:56 +00:00
|
|
|
assert_output 2
|
2021-04-18 10:55:43 +00:00
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
_run_in_container fail2ban-client -d
|
|
|
|
assert_output --partial "['set', 'dovecot', 'addaction', 'nftables-multiport']"
|
|
|
|
assert_output --partial "['set', 'postfix', 'addaction', 'nftables-multiport']"
|
|
|
|
assert_output --partial "['set', 'postfix-sasl', 'addaction', 'nftables-multiport']"
|
2019-10-08 20:03:56 +00:00
|
|
|
done
|
|
|
|
}
|
|
|
|
|
refactor: Parallel Tests
- `disabled_clamav_spamassassin`:
- Just shuffling the test order around, and removing the restart test at the end which doesn't make sense.
- `postscreen`:
- Now uses common helper for getting container IP
- Does not appear to need the `NET_ADMIN` capability?
- Reduced startup time for the 2nd container + additional context about it's relevance.
- Test cases are largely the same, but refactored the `nc` alternative that properly waits it's turn. This only needs to run once. Added additional commentary and made into a generic method if needed in other tests.
- `fail2ban`:
- Use the common container IP helper method.
- Postscreen isn't affecting this test, it's not required to do the much slower exchange with the mail server when sending a login failure.
- IP being passed into ENV is no longer necessary.
- `sleep 5` in the related test cases doesn't seem necessary, can better rely on polling with timeout.
- `sleep 10` for `setup.sh` also doesn't appear to be necessary.
- `postgrey`:
- Reduced POSTGREY_DELAY to 3, which shaves a fair amount of wasted time while still verifying the delay works.
- One of the checks in `main.cf` doesn't seem to need to know about the earlier spamhaus portion of the line to work, removed.
- Better test case descriptions.
- Improved log matching via standard method that better documents the expected triplet under test.
- Removed a redundant whitelist file and test that didn't seem to have any relevance. Added a TODO with additional notes about a concern with these tests.
- Reduced test time as 8 second timeouts from `-w 8` don't appear to be required, better to poll with grep instead.
- Replaced `wc -l` commands with a new method to assert expected line count, better enabling assertions on the actual output.
- `undef_spam_subject`:
- Split to two separate test cases, and initialize each container in their case instead of `setup_file()`, allowing for using the default `teardown()` method (and slight benefit if running in parallel).
- `permit_docker`:
- Not a parallel test, but I realized that the repeat helper methods don't necessarily play well with `run` as the command (can cause false positive of what was successful).
2023-01-03 06:11:36 +00:00
|
|
|
# NOTE: This test case is fragile if other test cases were to be run concurrently.
|
|
|
|
# - After multiple login fails and a slight delay, f2b will ban that IP.
|
|
|
|
# - You could hard-code `sleep 5` on both cases to avoid the alternative assertions,
|
|
|
|
# but the polling + piping into grep approach here reliably minimizes the delay.
|
2023-01-03 05:58:09 +00:00
|
|
|
@test "${TEST_NAME_PREFIX} ban ip on multiple failed login" {
|
refactor: Parallel Tests
- `disabled_clamav_spamassassin`:
- Just shuffling the test order around, and removing the restart test at the end which doesn't make sense.
- `postscreen`:
- Now uses common helper for getting container IP
- Does not appear to need the `NET_ADMIN` capability?
- Reduced startup time for the 2nd container + additional context about it's relevance.
- Test cases are largely the same, but refactored the `nc` alternative that properly waits it's turn. This only needs to run once. Added additional commentary and made into a generic method if needed in other tests.
- `fail2ban`:
- Use the common container IP helper method.
- Postscreen isn't affecting this test, it's not required to do the much slower exchange with the mail server when sending a login failure.
- IP being passed into ENV is no longer necessary.
- `sleep 5` in the related test cases doesn't seem necessary, can better rely on polling with timeout.
- `sleep 10` for `setup.sh` also doesn't appear to be necessary.
- `postgrey`:
- Reduced POSTGREY_DELAY to 3, which shaves a fair amount of wasted time while still verifying the delay works.
- One of the checks in `main.cf` doesn't seem to need to know about the earlier spamhaus portion of the line to work, removed.
- Better test case descriptions.
- Improved log matching via standard method that better documents the expected triplet under test.
- Removed a redundant whitelist file and test that didn't seem to have any relevance. Added a TODO with additional notes about a concern with these tests.
- Reduced test time as 8 second timeouts from `-w 8` don't appear to be required, better to poll with grep instead.
- Replaced `wc -l` commands with a new method to assert expected line count, better enabling assertions on the actual output.
- `undef_spam_subject`:
- Split to two separate test cases, and initialize each container in their case instead of `setup_file()`, allowing for using the default `teardown()` method (and slight benefit if running in parallel).
- `permit_docker`:
- Not a parallel test, but I realized that the repeat helper methods don't necessarily play well with `run` as the command (can cause false positive of what was successful).
2023-01-03 06:11:36 +00:00
|
|
|
CONTAINER1_IP=$(get_container_ip ${CONTAINER1_NAME})
|
|
|
|
# Trigger a ban by failing to login twice:
|
|
|
|
_run_in_container_explicit "${CONTAINER2_NAME}" bash -c "nc ${CONTAINER1_IP} 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt"
|
|
|
|
_run_in_container_explicit "${CONTAINER2_NAME}" bash -c "nc ${CONTAINER1_IP} 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt"
|
2019-10-08 20:03:56 +00:00
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
# Checking that CONTAINER2_IP is banned in "${CONTAINER1_NAME}"
|
refactor: Parallel Tests
- `disabled_clamav_spamassassin`:
- Just shuffling the test order around, and removing the restart test at the end which doesn't make sense.
- `postscreen`:
- Now uses common helper for getting container IP
- Does not appear to need the `NET_ADMIN` capability?
- Reduced startup time for the 2nd container + additional context about it's relevance.
- Test cases are largely the same, but refactored the `nc` alternative that properly waits it's turn. This only needs to run once. Added additional commentary and made into a generic method if needed in other tests.
- `fail2ban`:
- Use the common container IP helper method.
- Postscreen isn't affecting this test, it's not required to do the much slower exchange with the mail server when sending a login failure.
- IP being passed into ENV is no longer necessary.
- `sleep 5` in the related test cases doesn't seem necessary, can better rely on polling with timeout.
- `sleep 10` for `setup.sh` also doesn't appear to be necessary.
- `postgrey`:
- Reduced POSTGREY_DELAY to 3, which shaves a fair amount of wasted time while still verifying the delay works.
- One of the checks in `main.cf` doesn't seem to need to know about the earlier spamhaus portion of the line to work, removed.
- Better test case descriptions.
- Improved log matching via standard method that better documents the expected triplet under test.
- Removed a redundant whitelist file and test that didn't seem to have any relevance. Added a TODO with additional notes about a concern with these tests.
- Reduced test time as 8 second timeouts from `-w 8` don't appear to be required, better to poll with grep instead.
- Replaced `wc -l` commands with a new method to assert expected line count, better enabling assertions on the actual output.
- `undef_spam_subject`:
- Split to two separate test cases, and initialize each container in their case instead of `setup_file()`, allowing for using the default `teardown()` method (and slight benefit if running in parallel).
- `permit_docker`:
- Not a parallel test, but I realized that the repeat helper methods don't necessarily play well with `run` as the command (can cause false positive of what was successful).
2023-01-03 06:11:36 +00:00
|
|
|
CONTAINER2_IP=$(get_container_ip ${CONTAINER2_NAME})
|
|
|
|
run repeat_in_container_until_success_or_timeout 10 "${CONTAINER_NAME}" bash -c "fail2ban-client status postfix-sasl | grep -F '${CONTAINER2_IP}'"
|
2019-10-08 20:03:56 +00:00
|
|
|
assert_success
|
refactor: Parallel Tests
- `disabled_clamav_spamassassin`:
- Just shuffling the test order around, and removing the restart test at the end which doesn't make sense.
- `postscreen`:
- Now uses common helper for getting container IP
- Does not appear to need the `NET_ADMIN` capability?
- Reduced startup time for the 2nd container + additional context about it's relevance.
- Test cases are largely the same, but refactored the `nc` alternative that properly waits it's turn. This only needs to run once. Added additional commentary and made into a generic method if needed in other tests.
- `fail2ban`:
- Use the common container IP helper method.
- Postscreen isn't affecting this test, it's not required to do the much slower exchange with the mail server when sending a login failure.
- IP being passed into ENV is no longer necessary.
- `sleep 5` in the related test cases doesn't seem necessary, can better rely on polling with timeout.
- `sleep 10` for `setup.sh` also doesn't appear to be necessary.
- `postgrey`:
- Reduced POSTGREY_DELAY to 3, which shaves a fair amount of wasted time while still verifying the delay works.
- One of the checks in `main.cf` doesn't seem to need to know about the earlier spamhaus portion of the line to work, removed.
- Better test case descriptions.
- Improved log matching via standard method that better documents the expected triplet under test.
- Removed a redundant whitelist file and test that didn't seem to have any relevance. Added a TODO with additional notes about a concern with these tests.
- Reduced test time as 8 second timeouts from `-w 8` don't appear to be required, better to poll with grep instead.
- Replaced `wc -l` commands with a new method to assert expected line count, better enabling assertions on the actual output.
- `undef_spam_subject`:
- Split to two separate test cases, and initialize each container in their case instead of `setup_file()`, allowing for using the default `teardown()` method (and slight benefit if running in parallel).
- `permit_docker`:
- Not a parallel test, but I realized that the repeat helper methods don't necessarily play well with `run` as the command (can cause false positive of what was successful).
2023-01-03 06:11:36 +00:00
|
|
|
assert_output --partial 'Banned IP list:'
|
2019-10-08 20:03:56 +00:00
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
# Checking that CONTAINER2_IP is banned by nftables
|
|
|
|
_run_in_container bash -c 'nft list set inet f2b-table addr-set-postfix-sasl'
|
|
|
|
assert_success
|
|
|
|
assert_output --partial "elements = { ${CONTAINER2_IP} }"
|
2019-10-08 20:03:56 +00:00
|
|
|
}
|
|
|
|
|
refactor: Parallel Tests
- `disabled_clamav_spamassassin`:
- Just shuffling the test order around, and removing the restart test at the end which doesn't make sense.
- `postscreen`:
- Now uses common helper for getting container IP
- Does not appear to need the `NET_ADMIN` capability?
- Reduced startup time for the 2nd container + additional context about it's relevance.
- Test cases are largely the same, but refactored the `nc` alternative that properly waits it's turn. This only needs to run once. Added additional commentary and made into a generic method if needed in other tests.
- `fail2ban`:
- Use the common container IP helper method.
- Postscreen isn't affecting this test, it's not required to do the much slower exchange with the mail server when sending a login failure.
- IP being passed into ENV is no longer necessary.
- `sleep 5` in the related test cases doesn't seem necessary, can better rely on polling with timeout.
- `sleep 10` for `setup.sh` also doesn't appear to be necessary.
- `postgrey`:
- Reduced POSTGREY_DELAY to 3, which shaves a fair amount of wasted time while still verifying the delay works.
- One of the checks in `main.cf` doesn't seem to need to know about the earlier spamhaus portion of the line to work, removed.
- Better test case descriptions.
- Improved log matching via standard method that better documents the expected triplet under test.
- Removed a redundant whitelist file and test that didn't seem to have any relevance. Added a TODO with additional notes about a concern with these tests.
- Reduced test time as 8 second timeouts from `-w 8` don't appear to be required, better to poll with grep instead.
- Replaced `wc -l` commands with a new method to assert expected line count, better enabling assertions on the actual output.
- `undef_spam_subject`:
- Split to two separate test cases, and initialize each container in their case instead of `setup_file()`, allowing for using the default `teardown()` method (and slight benefit if running in parallel).
- `permit_docker`:
- Not a parallel test, but I realized that the repeat helper methods don't necessarily play well with `run` as the command (can cause false positive of what was successful).
2023-01-03 06:11:36 +00:00
|
|
|
# NOTE: Depends on previous test case, if no IP was banned at this point, it passes regardless..
|
2023-01-03 05:58:09 +00:00
|
|
|
@test "${TEST_NAME_PREFIX} unban ip works" {
|
refactor: Parallel Tests
- `disabled_clamav_spamassassin`:
- Just shuffling the test order around, and removing the restart test at the end which doesn't make sense.
- `postscreen`:
- Now uses common helper for getting container IP
- Does not appear to need the `NET_ADMIN` capability?
- Reduced startup time for the 2nd container + additional context about it's relevance.
- Test cases are largely the same, but refactored the `nc` alternative that properly waits it's turn. This only needs to run once. Added additional commentary and made into a generic method if needed in other tests.
- `fail2ban`:
- Use the common container IP helper method.
- Postscreen isn't affecting this test, it's not required to do the much slower exchange with the mail server when sending a login failure.
- IP being passed into ENV is no longer necessary.
- `sleep 5` in the related test cases doesn't seem necessary, can better rely on polling with timeout.
- `sleep 10` for `setup.sh` also doesn't appear to be necessary.
- `postgrey`:
- Reduced POSTGREY_DELAY to 3, which shaves a fair amount of wasted time while still verifying the delay works.
- One of the checks in `main.cf` doesn't seem to need to know about the earlier spamhaus portion of the line to work, removed.
- Better test case descriptions.
- Improved log matching via standard method that better documents the expected triplet under test.
- Removed a redundant whitelist file and test that didn't seem to have any relevance. Added a TODO with additional notes about a concern with these tests.
- Reduced test time as 8 second timeouts from `-w 8` don't appear to be required, better to poll with grep instead.
- Replaced `wc -l` commands with a new method to assert expected line count, better enabling assertions on the actual output.
- `undef_spam_subject`:
- Split to two separate test cases, and initialize each container in their case instead of `setup_file()`, allowing for using the default `teardown()` method (and slight benefit if running in parallel).
- `permit_docker`:
- Not a parallel test, but I realized that the repeat helper methods don't necessarily play well with `run` as the command (can cause false positive of what was successful).
2023-01-03 06:11:36 +00:00
|
|
|
CONTAINER2_IP=$(get_container_ip ${CONTAINER2_NAME})
|
2023-01-03 05:58:09 +00:00
|
|
|
_run_in_container fail2ban-client set postfix-sasl unbanip "${CONTAINER2_IP}"
|
|
|
|
assert_success
|
2019-10-08 20:03:56 +00:00
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
# Checking that CONTAINER2_IP is unbanned in "${CONTAINER1_NAME}"
|
|
|
|
_run_in_container fail2ban-client status postfix-sasl
|
|
|
|
assert_success
|
|
|
|
refute_output --partial "${CONTAINER2_IP}"
|
2019-10-08 20:03:56 +00:00
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
# Checking that CONTAINER2_IP is unbanned by nftables
|
|
|
|
_run_in_container bash -c 'nft list set inet f2b-table addr-set-postfix-sasl'
|
|
|
|
refute_output --partial "${CONTAINER2_IP}"
|
2019-10-08 20:03:56 +00:00
|
|
|
}
|
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
@test "${TEST_NAME_PREFIX} bans work properly (single IP)" {
|
|
|
|
_run_in_container fail2ban ban 192.0.66.7
|
2022-04-19 08:44:51 +00:00
|
|
|
assert_success
|
2023-01-03 05:58:09 +00:00
|
|
|
assert_output 'Banned custom IP: 1'
|
2022-04-19 08:44:51 +00:00
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
_run_in_container fail2ban
|
2022-04-19 08:44:51 +00:00
|
|
|
assert_success
|
2023-01-03 05:58:09 +00:00
|
|
|
assert_output --regexp 'Banned in custom:.*192\.0\.66\.7'
|
2022-04-19 08:44:51 +00:00
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
_run_in_container nft list set inet f2b-table addr-set-custom
|
2022-10-05 10:19:49 +00:00
|
|
|
assert_success
|
2023-01-03 05:58:09 +00:00
|
|
|
assert_output --partial 'elements = { 192.0.66.7 }'
|
2022-10-05 10:19:49 +00:00
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
_run_in_container fail2ban unban 192.0.66.7
|
2022-04-19 08:44:51 +00:00
|
|
|
assert_success
|
2023-01-03 05:58:09 +00:00
|
|
|
assert_output --partial 'Unbanned IP from custom: 1'
|
2022-10-05 10:19:49 +00:00
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
_run_in_container nft list set inet f2b-table addr-set-custom
|
|
|
|
refute_output --partial '192.0.66.7'
|
|
|
|
}
|
2022-10-15 10:01:59 +00:00
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
@test "${TEST_NAME_PREFIX} bans work properly (subnet)" {
|
|
|
|
_run_in_container fail2ban ban 192.0.66.0/24
|
2022-10-15 10:01:59 +00:00
|
|
|
assert_success
|
2023-01-03 05:58:09 +00:00
|
|
|
assert_output 'Banned custom IP: 1'
|
2022-10-15 10:01:59 +00:00
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
_run_in_container fail2ban
|
2022-10-15 10:01:59 +00:00
|
|
|
assert_success
|
2023-01-03 05:58:09 +00:00
|
|
|
assert_output --regexp 'Banned in custom:.*192\.0\.66\.0/24'
|
2022-10-15 10:01:59 +00:00
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
_run_in_container nft list set inet f2b-table addr-set-custom
|
2022-10-15 10:01:59 +00:00
|
|
|
assert_success
|
2023-01-03 05:58:09 +00:00
|
|
|
assert_output --partial 'elements = { 192.0.66.0/24 }'
|
2022-10-15 10:01:59 +00:00
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
_run_in_container fail2ban unban 192.0.66.0/24
|
2022-10-15 10:01:59 +00:00
|
|
|
assert_success
|
2023-01-03 05:58:09 +00:00
|
|
|
assert_output --partial 'Unbanned IP from custom: 1'
|
2022-10-15 10:01:59 +00:00
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
_run_in_container nft list set inet f2b-table addr-set-custom
|
|
|
|
refute_output --partial '192.0.66.0/24'
|
2022-10-05 10:19:49 +00:00
|
|
|
}
|
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
@test "${TEST_NAME_PREFIX} FAIL2BAN_BLOCKTYPE is really set to drop" {
|
|
|
|
# ban IPs here manually so we can be sure something is inside the jails
|
|
|
|
for JAIL in dovecot postfix-sasl custom; do
|
|
|
|
_run_in_container fail2ban-client set "${JAIL}" banip 192.33.44.55
|
|
|
|
assert_success
|
|
|
|
done
|
|
|
|
|
|
|
|
_run_in_container nft list table inet f2b-table
|
2022-10-05 10:19:49 +00:00
|
|
|
assert_success
|
|
|
|
assert_output --partial 'tcp dport { 110, 143, 465, 587, 993, 995, 4190 } ip saddr @addr-set-dovecot drop'
|
|
|
|
assert_output --partial 'tcp dport { 25, 110, 143, 465, 587, 993, 995 } ip saddr @addr-set-postfix-sasl drop'
|
|
|
|
assert_output --partial 'tcp dport { 25, 110, 143, 465, 587, 993, 995, 4190 } ip saddr @addr-set-custom drop'
|
2023-01-03 05:58:09 +00:00
|
|
|
|
|
|
|
# unban the IPs previously banned to get a clean state again
|
|
|
|
for JAIL in dovecot postfix-sasl custom; do
|
|
|
|
_run_in_container fail2ban-client set "${JAIL}" unbanip 192.33.44.55
|
|
|
|
assert_success
|
|
|
|
done
|
2022-04-19 08:44:51 +00:00
|
|
|
}
|
2019-10-08 20:03:56 +00:00
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
@test "${TEST_NAME_PREFIX} setup.sh fail2ban" {
|
|
|
|
_run_in_container fail2ban-client set dovecot banip 192.0.66.4
|
|
|
|
_run_in_container fail2ban-client set dovecot banip 192.0.66.5
|
2021-05-15 09:11:10 +00:00
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
# Originally: run ./setup.sh -c "${CONTAINER1_NAME}" fail2ban
|
|
|
|
_run_in_container setup fail2ban
|
2022-04-19 08:44:51 +00:00
|
|
|
assert_output --regexp '^Banned in dovecot:.*192\.0\.66\.4'
|
|
|
|
assert_output --regexp '^Banned in dovecot:.*192\.0\.66\.5'
|
2021-05-15 09:11:10 +00:00
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
_run_in_container setup fail2ban unban 192.0.66.4
|
2021-05-15 09:11:10 +00:00
|
|
|
assert_output --partial "Unbanned IP from dovecot: 1"
|
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
_run_in_container setup fail2ban
|
|
|
|
assert_output --regexp '^Banned in dovecot:.*192\.0\.66\.5'
|
2021-05-15 09:11:10 +00:00
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
_run_in_container setup fail2ban unban 192.0.66.5
|
|
|
|
assert_output --partial 'Unbanned IP from dovecot: 1'
|
2021-05-15 09:11:10 +00:00
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
_run_in_container setup fail2ban unban
|
|
|
|
assert_output --partial 'You need to specify an IP address: Run'
|
2019-10-08 20:03:56 +00:00
|
|
|
}
|
|
|
|
|
2023-01-03 05:58:09 +00:00
|
|
|
@test "${TEST_NAME_PREFIX} restart of Fail2Ban" {
|
|
|
|
_run_in_container pkill fail2ban
|
2019-10-08 20:03:56 +00:00
|
|
|
assert_success
|
2023-01-03 05:58:09 +00:00
|
|
|
|
|
|
|
run_until_success_or_timeout 10 check_if_process_is_running 'fail2ban-server'
|
2019-10-08 20:03:56 +00:00
|
|
|
}
|