Fail2Ban block behaviour (#1914)

* new default: block IP on all ports

* introduce FAIL2BAN_BLOCKTYPE

* fix test

* tests added

* test added

* test blocktype drop

* merged two tests
This commit is contained in:
Casper 2021-04-18 12:55:43 +02:00 committed by GitHub
parent c6dd79dbca
commit f7836c8b1a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 50 additions and 3 deletions


@ -63,6 +63,12 @@ cap_add:
Otherwise, `iptables` won't be able to ban IPs. Otherwise, `iptables` won't be able to ban IPs.
##### FAIL2BAN_BLOCKTYPE
- **drop** => drop packet (send NO reply)
- reject => reject packet (send ICMP unreachable)
FAIL2BAN_BLOCKTYPE=drop
##### SMTP_ONLY ##### SMTP_ONLY
- **empty** => all daemons start - **empty** => all daemons start


@ -9,3 +9,8 @@
# "maxretry" is the number of failures before a host get banned. # "maxretry" is the number of failures before a host get banned.
#maxretry = 5 #maxretry = 5
# Default ban action
# iptables-multiport: block IP only on affected port
# iptables-allports: block IP on all ports
#banaction = iptables-allports


@ -75,6 +75,11 @@ ENABLE_AMAVIS=1
# Otherwise, `iptables` won't be able to ban IPs. # Otherwise, `iptables` won't be able to ban IPs.
ENABLE_FAIL2BAN=0 ENABLE_FAIL2BAN=0
# Fail2Ban blocktype
# drop => drop packet (send NO reply)
# reject => reject packet (send ICMP unreachable)
FAIL2BAN_BLOCKTYPE=drop
# 1 => Enables Managesieve on port 4190 # 1 => Enables Managesieve on port 4190
# empty => disables Managesieve # empty => disables Managesieve
ENABLE_MANAGESIEVE= ENABLE_MANAGESIEVE=


@ -15,6 +15,11 @@ maxretry = 3
# can be defined using space (and/or comma) separator. # can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8 ignoreip = 127.0.0.1/8
# Default ban action
# iptables-multiport: block IP only on affected port
# iptables-allports: block IP on all ports
banaction = iptables-allports
[dovecot] [dovecot]
enabled = true enabled = true
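Review bot: The new `banaction = iptables-allports` default widens a ban from the failing service's port to every port, but the `ignoreip = 127.0.0.1/8` line directly above it still exempts only loopback. Where many clients reach the container through one NAT or proxy hop so that they share a single source address (Docker's userland proxy can behave this way — to be confirmed for this deployment), three failed logins from any one of them would now cut all of them off from SMTP, IMAP and everything else at once rather than from one port. I would add a comment above `ignoreip` such as `# With iptables-allports a ban covers every port; list any NAT/proxy gateway whose address clients appear from here.` and mention the same caveat next to the `banaction` comment block, since `iptables-multiport` remains available for operators who cannot exempt such a hop.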


@ -32,6 +32,7 @@ VARS[ENABLE_QUOTAS]="${ENABLE_QUOTAS:=1}"
VARS[ENABLE_SASLAUTHD]="${ENABLE_SASLAUTHD:=0}" VARS[ENABLE_SASLAUTHD]="${ENABLE_SASLAUTHD:=0}"
VARS[ENABLE_SPAMASSASSIN]="${ENABLE_SPAMASSASSIN:=0}" VARS[ENABLE_SPAMASSASSIN]="${ENABLE_SPAMASSASSIN:=0}"
VARS[ENABLE_SRS]="${ENABLE_SRS:=0}" VARS[ENABLE_SRS]="${ENABLE_SRS:=0}"
VARS[FAIL2BAN_BLOCKTYPE]="${FAIL2BAN_BLOCKTYPE:=drop}"
VARS[FETCHMAIL_POLL]="${FETCHMAIL_POLL:=300}" VARS[FETCHMAIL_POLL]="${FETCHMAIL_POLL:=300}"
VARS[FETCHMAIL_PARALLEL]="${FETCHMAIL_PARALLEL:=0}" VARS[FETCHMAIL_PARALLEL]="${FETCHMAIL_PARALLEL:=0}"
VARS[LDAP_START_TLS]="${LDAP_START_TLS:=no}" VARS[LDAP_START_TLS]="${LDAP_START_TLS:=no}"
@ -103,6 +104,7 @@ function register_functions
[[ ${ENABLE_POSTGREY} -eq 1 ]] && _register_setup_function '_setup_postgrey' [[ ${ENABLE_POSTGREY} -eq 1 ]] && _register_setup_function '_setup_postgrey'
[[ ${ENABLE_SASLAUTHD} -eq 1 ]] && _register_setup_function '_setup_saslauthd' [[ ${ENABLE_SASLAUTHD} -eq 1 ]] && _register_setup_function '_setup_saslauthd'
[[ ${POSTFIX_INET_PROTOCOLS} != 'all' ]] && _register_setup_function '_setup_inet_protocols' [[ ${POSTFIX_INET_PROTOCOLS} != 'all' ]] && _register_setup_function '_setup_inet_protocols'
[[ ${ENABLE_FAIL2BAN} -eq 1 ]] && _register_setup_function '_setup_fail2ban'
_register_setup_function '_setup_dkim' _register_setup_function '_setup_dkim'
_register_setup_function '_setup_ssl' _register_setup_function '_setup_ssl'


@ -1619,3 +1619,12 @@ function _setup_environment
echo "VIRUSMAILS_DELETE_DELAY=${VIRUSMAILS_DELETE_DELAY}" >>/etc/environment echo "VIRUSMAILS_DELETE_DELAY=${VIRUSMAILS_DELETE_DELAY}" >>/etc/environment
fi fi
} }
function _setup_fail2ban
{
_notify 'task' 'Setting up fail2ban'
if [[ ${FAIL2BAN_BLOCKTYPE} != "reject" ]]
then
echo -e "[Init]\nblocktype = DROP" > /etc/fail2ban/action.d/iptables-common.local
fi
}
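Review bot: `_setup_fail2ban` treats every value of `FAIL2BAN_BLOCKTYPE` other than the literal `reject` as drop, so a typo or a case variant such as `REJECT` or `Reject` silently yields the opposite of what the operator configured, with no message, although the documented contract is exactly the two values `drop` and `reject`. The reject branch also writes nothing: if the container's writable layer survives a restart (for example `docker restart`) after an earlier run with `drop`, the previously written `iptables-common.local` remains and the switch to reject is silently ignored — to be confirmed against how this image is normally restarted. Both points are addressed by handling each value explicitly and removing the override file for `reject`, as below; the `'warn'` level passed to `_notify` is inferred from the existing `'task'` call and should be checked against what the helper accepts.
```shell
function _setup_fail2ban
{
  _notify 'task' 'Setting up fail2ban'
  # Write the override explicitly for every value so that a stale
  # iptables-common.local from a previous run cannot survive a change of
  # FAIL2BAN_BLOCKTYPE; unknown values fall back to DROP but are reported.
  case "${FAIL2BAN_BLOCKTYPE}" in
    drop)
      echo -e "[Init]\nblocktype = DROP" > /etc/fail2ban/action.d/iptables-common.local
      ;;
    reject)
      rm -f /etc/fail2ban/action.d/iptables-common.local
      ;;
    *)
      _notify 'warn' "FAIL2BAN_BLOCKTYPE='${FAIL2BAN_BLOCKTYPE}' is not 'drop' or 'reject' - falling back to DROP"
      echo -e "[Init]\nblocktype = DROP" > /etc/fail2ban/action.d/iptables-common.local
      ;;
  esac
}
```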


@ -9,3 +9,8 @@ findtime = 321
# "maxretry" is the number of failures before a host get banned. # "maxretry" is the number of failures before a host get banned.
maxretry = 2 maxretry = 2
# Default ban action
# iptables-multiport: block IP only on affected port
# iptables-allports: block IP on all ports
banaction = iptables-multiport


@ -75,6 +75,15 @@ function teardown_file() {
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get ${FILTER} maxretry" run docker exec mail_fail2ban /bin/sh -c "fail2ban-client get ${FILTER} maxretry"
assert_output 2 assert_output 2
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'dovecot', 'addaction', 'iptables-multiport']\""
assert_output "['set', 'dovecot', 'addaction', 'iptables-multiport']"
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'postfix', 'addaction', 'iptables-multiport']\""
assert_output "['set', 'postfix', 'addaction', 'iptables-multiport']"
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client -d | grep -F \"['set', 'postfix-sasl', 'addaction', 'iptables-multiport']\""
assert_output "['set', 'postfix-sasl', 'addaction', 'iptables-multiport']"
done done
} }
@ -99,9 +108,9 @@ function teardown_file() {
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep '${FAIL_AUTH_MAILER_IP}'" run docker exec mail_fail2ban /bin/sh -c "fail2ban-client status postfix-sasl | grep '${FAIL_AUTH_MAILER_IP}'"
assert_success assert_success
# Checking that FAIL_AUTH_MAILER_IP is banned by iptables # Checking that FAIL_AUTH_MAILER_IP is banned by iptables and blocktype set to DROP
run docker exec mail_fail2ban /bin/sh -c "iptables -L f2b-postfix-sasl -n | grep REJECT | grep '${FAIL_AUTH_MAILER_IP}'" run docker exec mail_fail2ban /bin/sh -c "iptables -n -L f2b-postfix-sasl"
assert_success assert_output --regexp "DROP.+all.+${FAIL_AUTH_MAILER_IP}"
} }
@test "checking fail2ban: unban ip works" { @test "checking fail2ban: unban ip works" {
@ -135,6 +144,7 @@ function teardown_file() {
run ./setup.sh -c mail_fail2ban debug fail2ban run ./setup.sh -c mail_fail2ban debug fail2ban
assert_output --regexp "^Banned in dovecot: 192.0.66.5.*" assert_output --regexp "^Banned in dovecot: 192.0.66.5.*"
run ./setup.sh -c mail_fail2ban debug fail2ban unban 192.0.66.5 run ./setup.sh -c mail_fail2ban debug fail2ban unban 192.0.66.5
assert_output --partial "Unbanned IP from dovecot: 192.0.66.5"
run ./setup.sh -c mail_fail2ban debug fail2ban unban run ./setup.sh -c mail_fail2ban debug fail2ban unban
assert_output --partial "You need to specify an IP address. Run" assert_output --partial "You need to specify an IP address. Run"
} }
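Review bot: The three added `addaction` assertions check for `iptables-multiport`, which is the override the test container's own `jail.local` sets, so the commit's headline change — `iptables-allports` becoming the default — is not exercised by any test, and neither is the `reject` value of `FAIL2BAN_BLOCKTYPE`; the `DROP` regexp only covers the default path. Consider asserting the content of `/etc/fail2ban/action.d/iptables-common.local` for both values, and, for a container started without the override, `['set', 'dovecot', 'addaction', 'iptables-allports']`. Separately, `${FAIL_AUTH_MAILER_IP}` is interpolated unescaped into `--regexp`, so its dots match any character; harmless for this fixture, but a `grep -F` on the `iptables` output followed by `assert_success` would be a stricter check. The test containing the added `Unbanned IP from dovecot` assertion starts outside the shown hunk.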