From b08c9b42ed2a211784499a3adbc46d4a80ad4b71 Mon Sep 17 00:00:00 2001
From: 17Halbe
Date: Tue, 13 Feb 2018 08:31:12 +0100
Subject: [PATCH] moved fail2ban function from setup.sh to own file (#837)
* moved fail2ban function out of setup.sh
---
 setup.sh | 38 +------------------------------------
 target/bin/fail2ban | 46 +++++++++++++++++++++++++++++++++++++++++++++
 test/tests.bats | 26 ++++++++++++-------------
 3 files changed, 60 insertions(+), 50 deletions(-)
 create mode 100644 target/bin/fail2ban
diff --git a/setup.sh b/setup.sh
index 13e2c6cb..2a67e088 100755
--- a/setup.sh
+++ b/setup.sh
@@ -205,43 +205,7 @@ case $1 in
 ;;
 fail2ban)
 shift
- JAILS=$(_docker_container fail2ban-client status | grep "Jail list" | cut -f2- | sed 's/,//g')
- if [ -z "$1" ]; then
- IP_COUNT=0
- for JAIL in $JAILS; do
- BANNED_IP=$(_docker_container iptables -L f2b-$JAIL -n | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -v '0.0.0.0')
- if [ -n "$BANNED_IP" ]; then
- BANNED_IP=$(echo $BANNED_IP | sed -e 's/\n/,/g')
- echo "Banned in $JAIL: $BANNED_IP"
- IP_COUNT=$((IP_COUNT+1))
- fi
- done
- if [ "$IP_COUNT" -eq 0 ]; then
- echo "No IPs have been banned"
- fi
- else
- case $1 in
- unban)
- shift
- if [ -n "$1" ]; then
- for JAIL in $JAILS; do
- RESULT=`_docker_container fail2ban-client set $JAIL unbanip $@`
- case "$RESULT" in
- *"is not banned"*) ;;
- *"NOK"*) ;;
- *) echo -n "unbanned IP from $JAIL: "
- echo "$RESULT";;
- esac
- done
- else
- echo "You need to specify an IP address. Run \"./setup.sh debug fail2ban\" to get a list of banned IP addresses."
- fi
- ;;
- *)
- _usage
- ;;
- esac
- fi
+ _docker_container fail2ban $@
 ;;
 show-mail-logs)
 _docker_container cat /var/log/mail/mail.log
diff --git a/target/bin/fail2ban b/target/bin/fail2ban
new file mode 100644
index 00000000..ceb91da8
--- /dev/null
+++ b/target/bin/fail2ban
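Review bot: `_docker_container fail2ban $@` in the new fail2ban) arm leaves `$@` unquoted, so the IP argument is word-split and glob-expanded on the host before it reaches docker exec; write it as `_docker_container fail2ban "$@"`. The new target/bin/fail2ban is created with mode 100644, i.e. without the execute bit, so unless a Dockerfile or install step outside this diff sets it, this call will fail inside the container with a permission error. The unknown-subcommand path that previously printed `_usage` on the host is now handled in the container by the new script; the enclosing case statement starts and ends outside the hunk, and `_docker_container` is defined outside it as well.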
@@ -0,0 +1,46 @@
+#! /bin/bash
+
+usage() {
+ echo "Usage: $0 [ ]"
+}
+
+raise() {
+ echo "$@" 1>&2
+ exit 1
+}
+
+JAILS=$(fail2ban-client status | grep "Jail list" | cut -f2- | sed 's/,//g')
+if [ -z "$1" ]; then
+ IP_COUNT=0
+ for JAIL in $JAILS; do
+ BANNED_IP=$(iptables -L f2b-$JAIL -n | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -v '0.0.0.0')
+ if [ -n "$BANNED_IP" ]; then
+ BANNED_IP=$(echo $BANNED_IP | sed -e 's/\n/,/g')
+ echo "Banned in $JAIL: $BANNED_IP"
+ IP_COUNT=$((IP_COUNT+1))
+ fi
+ done
+ if [ "$IP_COUNT" -eq 0 ]; then
+ echo "No IPs have been banned"
+ fi
+else
+ case $1 in
+ unban)
+ shift
+ if [ -n "$1" ]; then
+ for JAIL in $JAILS; do
+ RESULT=`fail2ban-client set $JAIL unbanip $@`
+ if [[ "$RESULT" != *"is not banned"* ]] && [[ "$RESULT" != *"NOK"* ]]; then
+ echo -n "unbanned IP from $JAIL: "
+ echo "$RESULT"
+ fi
+ done
+ else
+ raise "You need to specify an IP address. Run \"./setup.sh debug fail2ban\" to get a list of banned IP addresses."
+ fi
+ ;;
+ *)
+ usage; raise "unknown command: $1"
+ ;;
+ esac
+fi
diff --git a/test/tests.bats b/test/tests.bats
index 1d7b009c..7cdd6c57 100644
--- a/test/tests.bats
+++ b/test/tests.bats
@@ -757,9 +757,9 @@ load 'test_helper/bats-assert/load'
 # Create a container which will send wrong authentications and should get banned
 docker run --name fail-auth-mailer -e MAIL_FAIL2BAN_IP=$MAIL_FAIL2BAN_IP -v "$(pwd)/test":/tmp/docker-mailserver-test -d $(docker inspect --format '{{ .Config.Image }}' mail) tail -f /var/log/faillog
-
+
 # can't pipe the file as usual due to postscreen. (respecting postscreen_greet_wait time and talking in turn):
- for i in {1,2}; do
+ for i in {1,2}; do
 docker exec fail-auth-mailer /bin/bash -c \
 'exec 3<>/dev/tcp/$MAIL_FAIL2BAN_IP/25 && \
 while IFS= read -r cmd; do \
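Review bot: The unban loop hands the user-supplied address to fail2ban-client unquoted through the backtick substitution on the RESULT= line, and the listing path does the same with `iptables -L f2b-$JAIL -n`; quote both, `RESULT=$(fail2ban-client set "$JAIL" unbanip "$@")` and `iptables -L "f2b-$JAIL" -n`, so a space or glob character in the argument cannot change the argv that fail2ban-client or iptables receives. `BANNED_IP=$(echo $BANNED_IP | sed -e 's/\n/,/g')` is a no-op as written, because sed never sees a newline inside a single line, and the space-joined output the tests rely on actually comes from the unquoted echo; `BANNED_IP=${BANNED_IP//$'\n'/ }` states that intent directly. `grep -v '0.0.0.0'` is a regex whose dots match any character, so it also drops addresses such as 10.0.0.0; `grep -vFx '0.0.0.0'` excludes only the literal address. The usage string prints `[ ]`, which looks like it lost its placeholder names; confirm against the source before merging.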
@@ -804,17 +804,17 @@ load 'test_helper/bats-assert/load'
 @test "checking postscreen" {
 # Getting mail container IP
 MAIL_POSTSCREEN_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' mail_postscreen)
-
+
 # talk too fast:
 docker exec fail-auth-mailer /bin/sh -c "nc $MAIL_POSTSCREEN_IP 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login.txt"
 sleep 5
-
+
 run docker exec mail_postscreen grep 'COMMAND PIPELINING' /var/log/mail/mail.log
 assert_success
-
+
 # positive test. (respecting postscreen_greet_wait time and talking in turn):
- for i in {1,2}; do
+ for i in {1,2}; do
 docker exec fail-auth-mailer /bin/bash -c \
 'exec 3<>/dev/tcp/'$MAIL_POSTSCREEN_IP'/25 && \
 while IFS= read -r cmd; do \
@@ -823,9 +823,9 @@ load 'test_helper/bats-assert/load'
 echo $cmd >&3; \
 done < "/tmp/docker-mailserver-test/auth/smtp-auth-login.txt"'
 done
-
+
 sleep 5
-
+
 run docker exec mail_postscreen grep 'PASS NEW ' /var/log/mail/mail.log
 assert_success
 }
@@ -1123,7 +1123,7 @@ load 'test_helper/bats-assert/load'
 }
 @test "checking setup.sh: setup.sh email restrict" {
- run ./setup.sh -c mail email restrict
+ run ./setup.sh -c mail email restrict
 assert_failure
 run ./setup.sh -c mail email restrict add
 assert_failure
@@ -1135,7 +1135,7 @@ load 'test_helper/bats-assert/load'
 assert_success
 run ./setup.sh -c mail email restrict list send
 assert_output --partial "Everyone is allowed"
-
+
 ./setup.sh -c mail email restrict add receive rec_lorem@impsum.org
 run ./setup.sh -c mail email restrict list receive
 assert_output --regexp "^rec_lorem@impsum.org.*REJECT"
@@ -1194,16 +1194,16 @@ load 'test_helper/bats-assert/load'
 assert_success
 }
 @test "checking setup.sh: setup.sh debug fail2ban" {
-
+
 run docker exec mail_fail2ban /bin/sh -c "fail2ban-client set dovecot banip 192.0.66.4"
 run docker exec mail_fail2ban /bin/sh -c "fail2ban-client set dovecot banip 192.0.66.5"
 sleep 10
 run ./setup.sh -c mail_fail2ban debug fail2ban
- assert_output "Banned in dovecot: 192.0.66.5 192.0.66.4"
+ assert_output --regexp "^Banned in dovecot: 192.0.66.5 192.0.66.4.*"
 run ./setup.sh -c mail_fail2ban debug fail2ban unban 192.0.66.4
 assert_output --partial "unbanned IP from dovecot: 192.0.66.4"
 run ./setup.sh -c mail_fail2ban debug fail2ban
- assert_output "Banned in dovecot: 192.0.66.5"
+ assert_output --regexp "^Banned in dovecot: 192.0.66.5.*"
 run ./setup.sh -c mail_fail2ban debug fail2ban unban 192.0.66.5
 run ./setup.sh -c mail_fail2ban debug fail2ban unban
 assert_output --partial "You need to specify an IP address. Run"
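Review bot: The trailing `.*` in `assert_output --regexp "^Banned in dovecot: 192.0.66.5 192.0.66.4.*"`, and in the second regexp assertion further down, adds nothing because the pattern is not end-anchored; `assert_output --regexp "^Banned in dovecot: 192.0.66.5 192.0.66.4"` matches exactly the same outputs. If the looser match is there to tolerate trailing whitespace or a carriage return coming back from the container, a short comment saying so would help, since the change also stops the test from noticing extra output after the address list. The final `run ./setup.sh -c mail_fail2ban debug fail2ban unban` now hits the new script's `raise`, which exits 1, so an `assert_failure` after the partial-output assertion would pin that behaviour, provided `_docker_container` (defined outside this diff) propagates the exec status.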