Merge pull request #78 from dominikwinter/fail2ban

Added fail2ban to prevent brute force attack.
This commit is contained in:
Thomas VIAL 2016-02-13 11:26:05 +01:00
commit 0e5de114b7
5 changed files with 52 additions and 10 deletions

View file

@ -7,7 +7,7 @@ RUN apt-get -y upgrade
RUN DEBIAN_FRONTEND=noninteractive apt-get -y install vim postfix sasl2-bin courier-imap courier-imap-ssl \
courier-pop courier-pop-ssl courier-authdaemon supervisor gamin amavisd-new spamassassin clamav clamav-daemon libnet-dns-perl libmail-spf-perl \
pyzor razor arj bzip2 cabextract cpio file gzip nomarch p7zip pax unzip zip zoo rsyslog mailutils netcat \
opendkim opendkim-tools opendmarc curl
opendkim opendkim-tools opendmarc curl fail2ban
RUN apt-get autoclean && rm -rf /var/lib/apt/lists/*
# Configures Saslauthd

View file

@ -2,6 +2,8 @@ mail:
image: tvial/docker-mailserver
hostname: mail
domainname: domain.com
cap_add:
- NET_ADMIN
ports:
- "25:25"
- "143:143"

View file

@ -188,6 +188,22 @@ echo "required_score 5" >> /etc/mail/spamassassin/local.cf
echo "rewrite_header Subject ***SPAM***" >> /etc/mail/spamassassin/local.cf
cp /tmp/spamassassin/rules.cf /etc/spamassassin/
echo "Configuring fail2ban"
# enable filters
perl -i -0pe 's/(\[postfix\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf
perl -i -0pe 's/(\[couriersmtp\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf
perl -i -0pe 's/(\[courierauth\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf
perl -i -0pe 's/(\[sasl\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf
# increase ban time and find time to 3h
sed -i "/^bantime *=/c\bantime = 10800" /etc/fail2ban/jail.conf
sed -i "/^findtime *=/c\findtime = 10800" /etc/fail2ban/jail.conf
# avoid warning on startup
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
echo "Starting daemons"
cron
/etc/init.d/rsyslog start
@ -208,6 +224,7 @@ fi
/etc/init.d/opendkim start
/etc/init.d/opendmarc start
/etc/init.d/postfix start
/etc/init.d/fail2ban start
echo "Listing SASL users"
sasldblistusers2

View file

@ -0,0 +1,4 @@
EHLO mail
AUTH LOGIN dXNlcjFAbG9jYWxob3N0LmxvY2FsZG9tYWlu
Bn3JKisq4HQ2RO==
QUIT

View file

@ -4,16 +4,17 @@
source assert.sh
# Testing that services are running and pop3 is disabled
assert_raises "docker exec mail ps aux --forest | grep '/usr/lib/postfix/master'" 0
assert_raises "docker exec mail ps aux --forest | grep '/usr/sbin/saslauthd'" 0
assert_raises "docker exec mail ps aux --forest | grep '/usr/sbin/clamd'" 0
assert_raises "docker exec mail ps aux --forest | grep '/usr/sbin/amavisd-new'" 0
assert_raises "docker exec mail ps aux --forest | grep '/usr/sbin/opendkim'" 0
assert_raises "docker exec mail ps aux --forest | grep '/usr/sbin/opendmarc'" 0
assert_raises "docker exec mail ps aux --forest | grep '/usr/lib/courier/courier/courierpop3d'" 1
assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/lib/postfix/master'" 0
assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/sbin/saslauthd'" 0
assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/sbin/clamd'" 0
assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/sbin/amavisd-new'" 0
assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/sbin/opendkim'" 0
assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/sbin/opendmarc'" 0
assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/lib/courier/courier/courierpop3d'" 1
assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/bin/python /usr/bin/fail2ban-server'" 0
# Testing services of pop3 container
assert_raises "docker exec mail_pop3 ps aux --forest | grep '/usr/lib/courier/courier/courierpop3d'" 0
assert_raises "docker exec mail_pop3 ps aux --forest | grep -v grep | grep '/usr/lib/courier/courier/courierpop3d'" 0
# Testing IMAP server
assert_raises "docker exec mail nc -w 1 0.0.0.0 143 | grep '* OK' | grep 'STARTTLS' | grep 'Courier-IMAP ready'" 0
@ -85,5 +86,23 @@ assert_raises "docker exec mail grep 'BEGIN CERTIFICATE' /etc/ssl/certs/lets-enc
# Testing generated ssl certs
assert_raises "docker exec mail openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 0 (ok)'" "0"
# Testing fail2ban
assert_raises "docker exec mail fail2ban-client status sasl | grep 'IP list:\s*127.0.0.1'" 1
docker exec mail fail2ban-client set sasl delignoreip 127.0.0.1/8 &> /dev/null
docker exec mail /bin/sh -c 'nc -w 1 0.0.0.0 25 < /tmp/test/auth/smtp-auth-login-wrong.txt' &> /dev/null
docker exec mail /bin/sh -c 'nc -w 1 0.0.0.0 25 < /tmp/test/auth/smtp-auth-login-wrong.txt' &> /dev/null
docker exec mail /bin/sh -c 'nc -w 1 0.0.0.0 25 < /tmp/test/auth/smtp-auth-login-wrong.txt' &> /dev/null
sleep 10
assert_raises "docker exec mail fail2ban-client status sasl | grep 'IP list:\s*127.0.0.1'" 0
docker exec mail fail2ban-client set sasl addignoreip 127.0.0.1/8 &> /dev/null
docker exec mail fail2ban-client set sasl unbanip 127.0.0.1 &> /dev/null
sleep 10
assert_raises "docker exec mail fail2ban-client status sasl | grep 'IP list:\s*127.0.0.1'" 1
# Ending tests
assert_end
assert_end