Merge pull request #78 from dominikwinter/fail2ban
Add fail2ban to slow down brute-force attacks against SMTP/IMAP/POP authentication.
This commit is contained in:
commit
0e5de114b7
|
@ -7,7 +7,7 @@ RUN apt-get -y upgrade
|
||||||
RUN DEBIAN_FRONTEND=noninteractive apt-get -y install vim postfix sasl2-bin courier-imap courier-imap-ssl \
|
RUN DEBIAN_FRONTEND=noninteractive apt-get -y install vim postfix sasl2-bin courier-imap courier-imap-ssl \
|
||||||
courier-pop courier-pop-ssl courier-authdaemon supervisor gamin amavisd-new spamassassin clamav clamav-daemon libnet-dns-perl libmail-spf-perl \
|
courier-pop courier-pop-ssl courier-authdaemon supervisor gamin amavisd-new spamassassin clamav clamav-daemon libnet-dns-perl libmail-spf-perl \
|
||||||
pyzor razor arj bzip2 cabextract cpio file gzip nomarch p7zip pax unzip zip zoo rsyslog mailutils netcat \
|
pyzor razor arj bzip2 cabextract cpio file gzip nomarch p7zip pax unzip zip zoo rsyslog mailutils netcat \
|
||||||
opendkim opendkim-tools opendmarc curl
|
opendkim opendkim-tools opendmarc curl fail2ban
|
||||||
RUN apt-get autoclean && rm -rf /var/lib/apt/lists/*
|
RUN apt-get autoclean && rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
# Configures Saslauthd
|
# Configures Saslauthd
|
||||||
|
|
|
@ -2,6 +2,8 @@ mail:
|
||||||
image: tvial/docker-mailserver
|
image: tvial/docker-mailserver
|
||||||
hostname: mail
|
hostname: mail
|
||||||
domainname: domain.com
|
domainname: domain.com
|
||||||
|
cap_add:
|
||||||
|
- NET_ADMIN
|
||||||
ports:
|
ports:
|
||||||
- "25:25"
|
- "25:25"
|
||||||
- "143:143"
|
- "143:143"
|
||||||
|
|
|
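Review bot: The new `cap_add: NET_ADMIN` carries no explanation, yet it is the one thing that lets fail2ban's iptables actions run inside the container, and anyone starting the image with a plain `docker run` (without `--cap-add=NET_ADMIN`) will presumably get jails that detect failures but whose ban action fails — i.e. no blocking at all. A one-line comment would make the dependency explicit: `# required by fail2ban: it manipulates iptables inside the container; without it the ban action fails and nothing is blocked`. The README's `docker run` example should document the same flag. Worth stating too that NET_ADMIN is a broad privilege (control over the container's whole network stack), which is why it is scoped to this service with `cap_add` rather than via `privileged`.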
@ -188,6 +188,22 @@ echo "required_score 5" >> /etc/mail/spamassassin/local.cf
|
||||||
echo "rewrite_header Subject ***SPAM***" >> /etc/mail/spamassassin/local.cf
|
echo "rewrite_header Subject ***SPAM***" >> /etc/mail/spamassassin/local.cf
|
||||||
cp /tmp/spamassassin/rules.cf /etc/spamassassin/
|
cp /tmp/spamassassin/rules.cf /etc/spamassassin/
|
||||||
|
|
||||||
|
|
||||||
|
echo "Configuring fail2ban"
|
||||||
|
# enable filters
|
||||||
|
perl -i -0pe 's/(\[postfix\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf
|
||||||
|
perl -i -0pe 's/(\[couriersmtp\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf
|
||||||
|
perl -i -0pe 's/(\[courierauth\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf
|
||||||
|
perl -i -0pe 's/(\[sasl\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf
|
||||||
|
|
||||||
|
# increase ban time and find time to 3h
|
||||||
|
sed -i "/^bantime *=/c\bantime = 10800" /etc/fail2ban/jail.conf
|
||||||
|
sed -i "/^findtime *=/c\findtime = 10800" /etc/fail2ban/jail.conf
|
||||||
|
|
||||||
|
# avoid warning on startup
|
||||||
|
echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
|
||||||
|
|
||||||
|
|
||||||
echo "Starting daemons"
|
echo "Starting daemons"
|
||||||
cron
|
cron
|
||||||
/etc/init.d/rsyslog start
|
/etc/init.d/rsyslog start
|
||||||
|
@ -208,6 +224,7 @@ fi
|
||||||
/etc/init.d/opendkim start
|
/etc/init.d/opendkim start
|
||||||
/etc/init.d/opendmarc start
|
/etc/init.d/opendmarc start
|
||||||
/etc/init.d/postfix start
|
/etc/init.d/postfix start
|
||||||
|
/etc/init.d/fail2ban start
|
||||||
|
|
||||||
echo "Listing SASL users"
|
echo "Listing SASL users"
|
||||||
sasldblistusers2
|
sasldblistusers2
|
||||||
|
|
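Review bot: The four `perl -i -0pe 's/(\[postfix\]\n\n).*\n/\1enabled = true\n/' /etc/fail2ban/jail.conf` lines enable a jail by overwriting whatever line follows a blank line after the section header; if the packaged `jail.conf` lays a section out differently (no blank line, a comment first, `enabled` not on that line) the substitution silently matches nothing and that jail stays disabled, and the edits are lost whenever a package upgrade replaces `jail.conf`. fail2ban reads `jail.local` as an override precisely for this, so writing the enabled jails and the 3h `bantime`/`findtime` there is more robust and self-documenting; the `sed -i "/^bantime *=/c\..."` lines share the same fragility and also rewrite every matching line in the file, not only `[DEFAULT]`. The second hunk starts fail2ban without checking the result, so I would follow `/etc/init.d/fail2ban start` with `fail2ban-client status sasl >/dev/null 2>&1 || echo "WARNING: fail2ban sasl jail is not running"` so a broken jail configuration shows up in the container log rather than as silently absent bans (an iptables failure from a missing NET_ADMIN capability is reported in fail2ban's own log, not by this check).
```shell
echo "Configuring fail2ban"
# Use jail.local (read by fail2ban as an override of jail.conf) instead of
# rewriting jail.conf in place: the enabled jails are listed explicitly, and a
# package upgrade that replaces jail.conf does not silently revert them.
cat > /etc/fail2ban/jail.local <<'EOF'
[DEFAULT]
# ban for 3h; count failures over a 3h window
bantime  = 10800
findtime = 10800

[postfix]
enabled = true

[couriersmtp]
enabled = true

[courierauth]
enabled = true

[sasl]
enabled = true
EOF
# … unchanged: "avoid warning on startup" ignoreregex append …
```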
4
test/auth/smtp-auth-login-wrong.txt
Normal file
4
test/auth/smtp-auth-login-wrong.txt
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
EHLO mail
|
||||||
|
AUTH LOGIN dXNlcjFAbG9jYWxob3N0LmxvY2FsZG9tYWlu
|
||||||
|
Bn3JKisq4HQ2RO==
|
||||||
|
QUIT
|
35
test/test.sh
35
test/test.sh
|
@ -4,16 +4,17 @@
|
||||||
source assert.sh
|
source assert.sh
|
||||||
|
|
||||||
# Testing that services are running and pop3 is disabled
|
# Testing that services are running and pop3 is disabled
|
||||||
assert_raises "docker exec mail ps aux --forest | grep '/usr/lib/postfix/master'" 0
|
assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/lib/postfix/master'" 0
|
||||||
assert_raises "docker exec mail ps aux --forest | grep '/usr/sbin/saslauthd'" 0
|
assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/sbin/saslauthd'" 0
|
||||||
assert_raises "docker exec mail ps aux --forest | grep '/usr/sbin/clamd'" 0
|
assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/sbin/clamd'" 0
|
||||||
assert_raises "docker exec mail ps aux --forest | grep '/usr/sbin/amavisd-new'" 0
|
assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/sbin/amavisd-new'" 0
|
||||||
assert_raises "docker exec mail ps aux --forest | grep '/usr/sbin/opendkim'" 0
|
assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/sbin/opendkim'" 0
|
||||||
assert_raises "docker exec mail ps aux --forest | grep '/usr/sbin/opendmarc'" 0
|
assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/sbin/opendmarc'" 0
|
||||||
assert_raises "docker exec mail ps aux --forest | grep '/usr/lib/courier/courier/courierpop3d'" 1
|
assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/lib/courier/courier/courierpop3d'" 1
|
||||||
|
assert_raises "docker exec mail ps aux --forest | grep -v grep | grep '/usr/bin/python /usr/bin/fail2ban-server'" 0
|
||||||
|
|
||||||
# Testing services of pop3 container
|
# Testing services of pop3 container
|
||||||
assert_raises "docker exec mail_pop3 ps aux --forest | grep '/usr/lib/courier/courier/courierpop3d'" 0
|
assert_raises "docker exec mail_pop3 ps aux --forest | grep -v grep | grep '/usr/lib/courier/courier/courierpop3d'" 0
|
||||||
|
|
||||||
# Testing IMAP server
|
# Testing IMAP server
|
||||||
assert_raises "docker exec mail nc -w 1 0.0.0.0 143 | grep '* OK' | grep 'STARTTLS' | grep 'Courier-IMAP ready'" 0
|
assert_raises "docker exec mail nc -w 1 0.0.0.0 143 | grep '* OK' | grep 'STARTTLS' | grep 'Courier-IMAP ready'" 0
|
||||||
|
@ -85,5 +86,23 @@ assert_raises "docker exec mail grep 'BEGIN CERTIFICATE' /etc/ssl/certs/lets-enc
|
||||||
# Testing generated ssl certs
|
# Testing generated ssl certs
|
||||||
assert_raises "docker exec mail openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 0 (ok)'" "0"
|
assert_raises "docker exec mail openssl s_client -connect 0.0.0.0:587 -starttls smtp -CApath /etc/ssl/certs/ | grep 'Verify return code: 0 (ok)'" "0"
|
||||||
|
|
||||||
|
# Testing fail2ban
|
||||||
|
assert_raises "docker exec mail fail2ban-client status sasl | grep 'IP list:\s*127.0.0.1'" 1
|
||||||
|
|
||||||
|
docker exec mail fail2ban-client set sasl delignoreip 127.0.0.1/8 &> /dev/null
|
||||||
|
|
||||||
|
docker exec mail /bin/sh -c 'nc -w 1 0.0.0.0 25 < /tmp/test/auth/smtp-auth-login-wrong.txt' &> /dev/null
|
||||||
|
docker exec mail /bin/sh -c 'nc -w 1 0.0.0.0 25 < /tmp/test/auth/smtp-auth-login-wrong.txt' &> /dev/null
|
||||||
|
docker exec mail /bin/sh -c 'nc -w 1 0.0.0.0 25 < /tmp/test/auth/smtp-auth-login-wrong.txt' &> /dev/null
|
||||||
|
|
||||||
|
sleep 10
|
||||||
|
assert_raises "docker exec mail fail2ban-client status sasl | grep 'IP list:\s*127.0.0.1'" 0
|
||||||
|
|
||||||
|
docker exec mail fail2ban-client set sasl addignoreip 127.0.0.1/8 &> /dev/null
|
||||||
|
docker exec mail fail2ban-client set sasl unbanip 127.0.0.1 &> /dev/null
|
||||||
|
|
||||||
|
sleep 10
|
||||||
|
assert_raises "docker exec mail fail2ban-client status sasl | grep 'IP list:\s*127.0.0.1'" 1
|
||||||
|
|
||||||
# Ending tests
|
# Ending tests
|
||||||
assert_end
|
assert_end
|
||||||
|
|
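Review bot: The two fixed `sleep 10` waits around the `fail2ban-client status sasl` assertions make the fail2ban test slow and timing-dependent: fail2ban picks the failed logins up from the mail log asynchronously, so on a loaded CI host 10s may not suffice and the ban assertion fails spuriously, while on a fast host most of the 20s is wasted. Polling the jail status with a short interval and a bounded deadline keeps the assertion deterministic without slowing the suite. Note also that `delignoreip 127.0.0.1/8` deliberately un-whitelists loopback so the container bans itself; keeping the `addignoreip`/`unbanip` restore immediately after the assertion, as done here, matters because a left-over ban on 127.0.0.1 would affect every later test that talks to port 25 (whether assert.sh continues past a failed assertion is not visible here — worth confirming).
```shell
# … unchanged: delignoreip and the three failed AUTH LOGIN attempts …
# Poll for the ban instead of a fixed sleep: fail2ban reads the failures from
# the mail log asynchronously, so a fixed delay is slow on fast hosts and
# flaky on loaded ones.
for _ in $(seq 1 30); do
  docker exec mail fail2ban-client status sasl | grep -q 'IP list:\s*127.0.0.1' && break
  sleep 1
done
assert_raises "docker exec mail fail2ban-client status sasl | grep 'IP list:\s*127.0.0.1'" 0
# … unchanged: addignoreip / unbanip …
for _ in $(seq 1 10); do
  docker exec mail fail2ban-client status sasl | grep -q 'IP list:\s*127.0.0.1' || break
  sleep 1
done
assert_raises "docker exec mail fail2ban-client status sasl | grep 'IP list:\s*127.0.0.1'" 1
```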