From d62ea049e66f22e8b183a3c8c272b99875008b61 Mon Sep 17 00:00:00 2001
From: Marek Walczak <2558195+mwlczk@users.noreply.github.com>
Date: Thu, 7 Dec 2017 19:27:31 +0100
Subject: [PATCH] Add ability to override fail2ban.conf with fail2ban.local values. (#769)

* Add ability to override fail2ban.conf with fail2ban.local values.
---
 config/fail2ban-fail2ban.cf | 19 +++++++++++++++++++
 config/postfix-accounts.cf.bak | 0
 target/start-mailserver.sh | 1 +
 test/config/chksum | 2 ++
 test/config/fail2ban-fail2ban.cf | 19 +++++++++++++++++++
 test/tests.bats | 8 ++++++--
 6 files changed, 47 insertions(+), 2 deletions(-)
 create mode 100644 config/fail2ban-fail2ban.cf
 create mode 100644 config/postfix-accounts.cf.bak
 create mode 100644 test/config/chksum
 create mode 100644 test/config/fail2ban-fail2ban.cf

diff --git a/config/fail2ban-fail2ban.cf b/config/fail2ban-fail2ban.cf
new file mode 100644
index 00000000..04b5b4e1
--- /dev/null
+++ b/config/fail2ban-fail2ban.cf
@@ -0,0 +1,19 @@
+[Definition]
+
+# Option: loglevel
+# Notes.: Set the log level output.
+# CRITICAL
+# ERROR
+# WARNING
+# NOTICE
+# INFO
+# DEBUG
+# Values: [ LEVEL ] Default: ERROR
+#
+
+# loglevel = INFO
+
+# Options: dbpurgeage
+# Notes.: Sets age at which bans should be purged from the database
+# Values: [ SECONDS ] Default: 86400 (24hours), 604800 (1week)
+# dbpurgeage = 604800
diff --git a/config/postfix-accounts.cf.bak b/config/postfix-accounts.cf.bak
new file mode 100644
index 00000000..e69de29b
diff --git a/target/start-mailserver.sh b/target/start-mailserver.sh
index f4c9698e..831a51d0 100644
--- a/target/start-mailserver.sh
+++ b/target/start-mailserver.sh
@@ -983,6 +983,7 @@ function _setup_security_stack() {
 # Fail2ban
 if [ "$ENABLE_FAIL2BAN" = 1 ]; then
 notify 'inf' "Fail2ban enabled"
+ test -e /tmp/docker-mailserver/fail2ban-fail2ban.cf && cp /tmp/docker-mailserver/fail2ban-fail2ban.cf /etc/fail2ban/fail2ban.local
 test -e /tmp/docker-mailserver/fail2ban-jail.cf && cp /tmp/docker-mailserver/fail2ban-jail.cf /etc/fail2ban/jail.local
 else
 # Disable logrotate config for fail2ban if not enabled
diff --git a/test/config/chksum b/test/config/chksum
new file mode 100644
index 00000000..c5fd3a96
--- /dev/null
+++ b/test/config/chksum
@@ -0,0 +1,2 @@
+SHA512 (postfix-accounts.cf) = 8eba4eedb76e8c3b740ca4eea5d7ad1c8695fd7fd39d3e5d161201101b5b63a1c1471ab85bd79d6ed4ba192c423275a3d1210a9596a06904434ab5707ad3753b
+SHA512 (postfix-virtual.cf) = c5bff9b5c50886a72a559ee52b1230b751c3820cd12de3ffe2a632f8d2a7845fa33ddac397c62889f0680d096be24418f22c1b81fb93ad56fd4937869f16954b
diff --git a/test/config/fail2ban-fail2ban.cf b/test/config/fail2ban-fail2ban.cf
new file mode 100644
index 00000000..e6adfd6b
--- /dev/null
+++ b/test/config/fail2ban-fail2ban.cf
@@ -0,0 +1,19 @@
+[Definition]
+
+# Option: loglevel
+# Notes.: Set the log level output.
+# CRITICAL
+# ERROR
+# WARNING
+# NOTICE
+# INFO
+# DEBUG
+# Values: [ LEVEL ] Default: ERROR
+#
+
+loglevel = DEBUG
+
+# Options: dbpurgeage
+# Notes.: Sets age at which bans should be purged from the database
+# Values: [ SECONDS ] Default: 86400 (24hours), 604800 (1week)
+# dbpurgeage = 604800
diff --git a/test/tests.bats b/test/tests.bats
index 3754c378..24de0f2d 100644
--- a/test/tests.bats
+++ b/test/tests.bats
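Review bot: The added `test -e … && cp …` line in the Fail2ban branch discards the result of the copy and logs nothing, so the container can start with the operator believing the fail2ban.local override is active when it is not. `-e` is also true for a directory, which is what a bind mount of a missing host path usually produces, and plain `cp` fails on that. Because this file governs settings such as `loglevel` and `dbpurgeage`, I would test with `-f` and report the outcome, e.g. `if [ -f /tmp/docker-mailserver/fail2ban-fail2ban.cf ]; then cp /tmp/docker-mailserver/fail2ban-fail2ban.cf /etc/fail2ban/fail2ban.local && notify 'inf' "Fail2ban: fail2ban.local override applied"; fi`, with a second notify message when the copy fails. The existing jail.cf line just below has the same shape, and `_setup_security_stack` starts and ends outside the hunk.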
@@ -611,7 +611,7 @@ load 'test_helper/bats-assert/load' assert_output 4 } -@test "checking opendkim: generator creates keys, tables and TrustedHosts using domain name" { +@test "checking opendkim: generator creates keys, tables and TrustedHosts using domain name" { rm -rf "$(pwd)/test/config/with-domain" && mkdir -p "$(pwd)/test/config/with-domain" run docker run --rm \ -v "$(pwd)/test/config/with-domain/":/tmp/docker-mailserver/ \ @@ -732,6 +732,11 @@ load 'test_helper/bats-assert/load' assert_success } +@test "checking fail2ban: fail2ban-fail2ban.cf overrides" { + run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get loglevel | grep DEBUG" + assert_success +} + @test "checking fail2ban: fail2ban-jail.cf overrides" { FILTERS=(sshd postfix dovecot postfix-sasl) @@ -1385,4 +1390,3 @@ load 'test_helper/bats-assert/load' run docker exec mail_with_ldap /bin/bash -c "pkill saslauthd && sleep 10 && ps aux --forest | grep -v grep | grep '/usr/sbin/saslauthd'" assert_success } -
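Review bot: The new `checking fail2ban: fail2ban-fail2ban.cf overrides` test pipes `fail2ban-client get loglevel` into `grep DEBUG` inside `/bin/sh -c`, so only grep's exit status is asserted and a failing run prints nothing about the level the server actually reported. Running the client directly gives a usable diagnostic and also checks the client's own exit status: `run docker exec mail_fail2ban fail2ban-client get loglevel`, followed by `assert_success` and `assert_output --partial 'DEBUG'`. The test passes only because the fixture's `loglevel = DEBUG` differs from the shipped default, which deserves a one-line comment above the test so that a later change to the fixture does not turn it into a check that proves nothing.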