2022-11-25 22:37:58 +00:00
|
|
|
load "${REPOSITORY_ROOT}/test/test_helper/common"
|
2019-10-08 20:03:56 +00:00
|
|
|
|
|
|
|
function setup_file() {
|
2022-05-30 00:53:30 +00:00
|
|
|
local PRIVATE_CONFIG
|
|
|
|
PRIVATE_CONFIG=$(duplicate_config_for_container .)
|
|
|
|
docker run --rm -d --name mail_fail2ban \
|
|
|
|
-v "${PRIVATE_CONFIG}":/tmp/docker-mailserver \
|
|
|
|
-v "$(pwd)/test/test-files":/tmp/docker-mailserver-test:ro \
|
|
|
|
-e ENABLE_FAIL2BAN=1 \
|
|
|
|
-e POSTSCREEN_ACTION=ignore \
|
|
|
|
--cap-add=NET_ADMIN \
|
2022-08-22 23:24:23 +00:00
|
|
|
--hostname mail.my-domain.com \
|
|
|
|
--tty \
|
|
|
|
--ulimit "nofile=$(ulimit -Sn):$(ulimit -Hn)" \
|
|
|
|
"${NAME}"
|
2022-05-30 00:53:30 +00:00
|
|
|
|
|
|
|
# Create a container which will send wrong authentications and should get banned
|
|
|
|
docker run --name fail-auth-mailer \
|
|
|
|
-e MAIL_FAIL2BAN_IP="$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' mail_fail2ban)" \
|
|
|
|
-v "$(pwd)/test/test-files":/tmp/docker-mailserver-test \
|
|
|
|
-d "${NAME}" \
|
|
|
|
tail -f /var/log/faillog
|
|
|
|
|
|
|
|
wait_for_finished_setup_in_container mail_fail2ban
|
2019-10-08 20:03:56 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
function teardown_file() {
|
2022-05-30 00:53:30 +00:00
|
|
|
docker rm -f mail_fail2ban fail-auth-mailer
|
2019-10-08 20:03:56 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# processes
|
|
|
|
#
|
|
|
|
|
|
|
|
@test "checking process: fail2ban (fail2ban server enabled)" {
|
|
|
|
run docker exec mail_fail2ban /bin/bash -c "ps aux --forest | grep -v grep | grep '/usr/bin/python3 /usr/bin/fail2ban-server'"
|
|
|
|
assert_success
|
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# fail2ban
|
|
|
|
#
|
|
|
|
|
|
|
|
@test "checking fail2ban: localhost is not banned because ignored" {
|
|
|
|
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep 'IP list:.*127.0.0.1'"
|
|
|
|
assert_failure
|
|
|
|
run docker exec mail_fail2ban /bin/sh -c "grep 'ignoreip = 127.0.0.1/8' /etc/fail2ban/jail.conf"
|
|
|
|
assert_success
|
|
|
|
}
|
|
|
|
|
|
|
|
@test "checking fail2ban: fail2ban-fail2ban.cf overrides" {
|
|
|
|
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get loglevel | grep DEBUG"
|
|
|
|
assert_success
|
|
|
|
}
|
|
|
|
|
|
|
|
@test "checking fail2ban: fail2ban-jail.cf overrides" {
|
2021-04-11 15:33:39 +00:00
|
|
|
FILTERS=(dovecot postfix postfix-sasl)
|
2019-10-08 20:03:56 +00:00
|
|
|
|
|
|
|
for FILTER in "${FILTERS[@]}"; do
|
2020-11-05 12:32:42 +00:00
|
|
|
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get ${FILTER} bantime"
|
2019-10-08 20:03:56 +00:00
|
|
|
assert_output 1234
|
|
|
|
|
2020-11-05 12:32:42 +00:00
|
|
|
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get ${FILTER} findtime"
|
2019-10-08 20:03:56 +00:00
|
|
|
assert_output 321
|
|
|
|
|
2020-11-05 12:32:42 +00:00
|
|
|
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get ${FILTER} maxretry"
|
2019-10-08 20:03:56 +00:00
|
|
|
assert_output 2
|
2021-04-18 10:55:43 +00:00
|
|
|
|
2022-04-05 13:13:59 +00:00
|
|
|
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'dovecot', 'addaction', 'nftables-multiport']\""
|
|
|
|
assert_output "['set', 'dovecot', 'addaction', 'nftables-multiport']"
|
2021-04-18 10:55:43 +00:00
|
|
|
|
2022-04-05 13:13:59 +00:00
|
|
|
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'postfix', 'addaction', 'nftables-multiport']\""
|
|
|
|
assert_output "['set', 'postfix', 'addaction', 'nftables-multiport']"
|
2021-04-18 10:55:43 +00:00
|
|
|
|
2022-04-05 13:13:59 +00:00
|
|
|
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'postfix-sasl', 'addaction', 'nftables-multiport']\""
|
|
|
|
assert_output "['set', 'postfix-sasl', 'addaction', 'nftables-multiport']"
|
2019-10-08 20:03:56 +00:00
|
|
|
done
|
|
|
|
}
|
|
|
|
|
|
|
|
@test "checking fail2ban: ban ip on multiple failed login" {
|
|
|
|
# can't pipe the file as usual due to postscreen. (respecting postscreen_greet_wait time and talking in turn):
|
2020-11-05 12:32:42 +00:00
|
|
|
# shellcheck disable=SC1004
|
|
|
|
for _ in {1,2}
|
|
|
|
do
|
2019-10-08 20:03:56 +00:00
|
|
|
docker exec fail-auth-mailer /bin/bash -c \
|
2020-11-05 12:32:42 +00:00
|
|
|
'exec 3<>/dev/tcp/${MAIL_FAIL2BAN_IP}/25 && \
|
2019-10-08 20:03:56 +00:00
|
|
|
while IFS= read -r cmd; do \
|
|
|
|
head -1 <&3; \
|
2021-12-21 16:01:40 +00:00
|
|
|
[[ ${cmd} == "EHLO"* ]] && sleep 6; \
|
2020-11-05 12:32:42 +00:00
|
|
|
echo ${cmd} >&3; \
|
2019-10-08 20:03:56 +00:00
|
|
|
done < "/tmp/docker-mailserver-test/auth/smtp-auth-login-wrong.txt"'
|
|
|
|
done
|
|
|
|
|
|
|
|
sleep 5
|
|
|
|
|
|
|
|
FAIL_AUTH_MAILER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' fail-auth-mailer)
|
|
|
|
# Checking that FAIL_AUTH_MAILER_IP is banned in mail_fail2ban
|
2020-11-05 12:32:42 +00:00
|
|
|
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep '${FAIL_AUTH_MAILER_IP}'"
|
2019-10-08 20:03:56 +00:00
|
|
|
assert_success
|
|
|
|
|
2022-10-05 10:19:49 +00:00
|
|
|
# Checking that FAIL_AUTH_MAILER_IP is banned by nftables
|
|
|
|
run docker exec mail_fail2ban /bin/sh -c "nft list set inet f2b-table addr-set-postfix-sasl"
|
|
|
|
assert_output --partial "elements = { ${FAIL_AUTH_MAILER_IP} }"
|
2019-10-08 20:03:56 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
@test "checking fail2ban: unban ip works" {
|
|
|
|
FAIL_AUTH_MAILER_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' fail-auth-mailer)
|
2020-11-05 12:32:42 +00:00
|
|
|
docker exec mail_fail2ban fail2ban-client set postfix-sasl unbanip "${FAIL_AUTH_MAILER_IP}"
|
2019-10-08 20:03:56 +00:00
|
|
|
|
|
|
|
sleep 5
|
|
|
|
|
2020-11-05 12:32:42 +00:00
|
|
|
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep 'IP list:.*${FAIL_AUTH_MAILER_IP}'"
|
2019-10-08 20:03:56 +00:00
|
|
|
assert_failure
|
|
|
|
|
2022-04-05 13:13:59 +00:00
|
|
|
# Checking that FAIL_AUTH_MAILER_IP is unbanned by nftables
|
2022-10-05 10:19:49 +00:00
|
|
|
run docker exec mail_fail2ban /bin/sh -c "nft list set inet f2b-table addr-set-postfix-sasl"
|
|
|
|
refute_output --partial "${FAIL_AUTH_MAILER_IP}"
|
2019-10-08 20:03:56 +00:00
|
|
|
}
|
|
|
|
|
2022-04-19 08:44:51 +00:00
|
|
|
@test "checking fail2ban ban" {
|
2022-10-15 10:01:59 +00:00
|
|
|
# Ban single IP address
|
2022-04-19 08:44:51 +00:00
|
|
|
run docker exec mail_fail2ban fail2ban ban 192.0.66.7
|
|
|
|
assert_success
|
|
|
|
assert_output "Banned custom IP: 1"
|
|
|
|
|
|
|
|
run docker exec mail_fail2ban fail2ban
|
|
|
|
assert_success
|
|
|
|
assert_output --regexp "Banned in custom:.*192\.0\.66\.7"
|
|
|
|
|
2022-10-05 10:19:49 +00:00
|
|
|
run docker exec mail_fail2ban nft list set inet f2b-table addr-set-custom
|
|
|
|
assert_success
|
|
|
|
assert_output --partial "elements = { 192.0.66.7 }"
|
|
|
|
|
2022-04-19 08:44:51 +00:00
|
|
|
run docker exec mail_fail2ban fail2ban unban 192.0.66.7
|
|
|
|
assert_success
|
|
|
|
assert_output --partial "Unbanned IP from custom: 1"
|
2022-10-05 10:19:49 +00:00
|
|
|
|
|
|
|
run docker exec mail_fail2ban nft list set inet f2b-table addr-set-custom
|
|
|
|
refute_output --partial "192.0.66.7"
|
2022-10-15 10:01:59 +00:00
|
|
|
|
|
|
|
# Ban IP network
|
|
|
|
run docker exec mail_fail2ban fail2ban ban 192.0.66.0/24
|
|
|
|
assert_success
|
|
|
|
assert_output "Banned custom IP: 1"
|
|
|
|
|
|
|
|
run docker exec mail_fail2ban fail2ban
|
|
|
|
assert_success
|
|
|
|
assert_output --regexp "Banned in custom:.*192\.0\.66\.0/24"
|
|
|
|
|
|
|
|
run docker exec mail_fail2ban nft list set inet f2b-table addr-set-custom
|
|
|
|
assert_success
|
|
|
|
assert_output --partial "elements = { 192.0.66.0/24 }"
|
|
|
|
|
|
|
|
run docker exec mail_fail2ban fail2ban unban 192.0.66.0/24
|
|
|
|
assert_success
|
|
|
|
assert_output --partial "Unbanned IP from custom: 1"
|
|
|
|
|
|
|
|
run docker exec mail_fail2ban nft list set inet f2b-table addr-set-custom
|
|
|
|
refute_output --partial "192.0.66.0/24"
|
2022-10-05 10:19:49 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
@test "checking FAIL2BAN_BLOCKTYPE is really set to drop" {
|
|
|
|
run docker exec mail_fail2ban bash -c 'nft list table inet f2b-table'
|
|
|
|
assert_success
|
|
|
|
assert_output --partial 'tcp dport { 110, 143, 465, 587, 993, 995, 4190 } ip saddr @addr-set-dovecot drop'
|
|
|
|
assert_output --partial 'tcp dport { 25, 110, 143, 465, 587, 993, 995 } ip saddr @addr-set-postfix-sasl drop'
|
|
|
|
assert_output --partial 'tcp dport { 25, 110, 143, 465, 587, 993, 995, 4190 } ip saddr @addr-set-custom drop'
|
2022-04-19 08:44:51 +00:00
|
|
|
}
|
2019-10-08 20:03:56 +00:00
|
|
|
|
2022-04-19 08:44:51 +00:00
|
|
|
@test "checking setup.sh: setup.sh fail2ban" {
|
2019-10-08 20:03:56 +00:00
|
|
|
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client set dovecot banip 192.0.66.4"
|
|
|
|
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client set dovecot banip 192.0.66.5"
|
2021-05-15 09:11:10 +00:00
|
|
|
|
2019-10-08 20:03:56 +00:00
|
|
|
sleep 10
|
2021-05-15 09:11:10 +00:00
|
|
|
|
2022-04-19 08:44:51 +00:00
|
|
|
run ./setup.sh -c mail_fail2ban fail2ban
|
|
|
|
assert_output --regexp '^Banned in dovecot:.*192\.0\.66\.4'
|
|
|
|
assert_output --regexp '^Banned in dovecot:.*192\.0\.66\.5'
|
2021-05-15 09:11:10 +00:00
|
|
|
|
2022-04-19 08:44:51 +00:00
|
|
|
run ./setup.sh -c mail_fail2ban fail2ban unban 192.0.66.4
|
2021-05-15 09:11:10 +00:00
|
|
|
assert_output --partial "Unbanned IP from dovecot: 1"
|
|
|
|
|
2022-04-19 08:44:51 +00:00
|
|
|
run ./setup.sh -c mail_fail2ban fail2ban
|
|
|
|
assert_output --regexp "^Banned in dovecot:.*192\.0\.66\.5"
|
2021-05-15 09:11:10 +00:00
|
|
|
|
2022-04-19 08:44:51 +00:00
|
|
|
run ./setup.sh -c mail_fail2ban fail2ban unban 192.0.66.5
|
2021-05-15 09:11:10 +00:00
|
|
|
assert_output --partial "Unbanned IP from dovecot: 1"
|
|
|
|
|
2022-04-19 08:44:51 +00:00
|
|
|
run ./setup.sh -c mail_fail2ban fail2ban unban
|
2022-03-26 08:30:09 +00:00
|
|
|
assert_output --partial "You need to specify an IP address: Run"
|
2019-10-08 20:03:56 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
#
|
|
|
|
# supervisor
|
|
|
|
#
|
|
|
|
|
|
|
|
@test "checking restart of process: fail2ban (fail2ban server enabled)" {
|
|
|
|
run docker exec mail_fail2ban /bin/bash -c "pkill fail2ban && sleep 10 && ps aux --forest | grep -v grep | grep '/usr/bin/python3 /usr/bin/fail2ban-server'"
|
|
|
|
assert_success
|
|
|
|
}
|