Archive-Team
/
docker-mailserver
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

moved fail2ban function from setup.sh to own file (#837) 

* moved fail2ban function out of setup.sh
This commit is contained in:
17Halbe 2018-02-13 08:31:12 +01:00 committed by Johan Smits
parent 19cb22a1a5
commit b08c9b42ed
3 changed files with 60 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
setup.sh
View File

@ -205,43 +205,7 @@ case $1 in
;; ;;
fail2ban) fail2ban)
shift shift
JAILS=$(_docker_container fail2ban-client status | grep "Jail list" | cut -f2- | sed 's/,//g') _docker_container fail2ban $@
if [ -z "$1" ]; then
IP_COUNT=0
for JAIL in $JAILS; do
BANNED_IP=$(_docker_container iptables -L f2b-$JAIL -n | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -v '0.0.0.0')
if [ -n "$BANNED_IP" ]; then
BANNED_IP=$(echo $BANNED_IP | sed -e 's/\n/,/g')
echo "Banned in $JAIL: $BANNED_IP"
IP_COUNT=$((IP_COUNT+1))
fi
done
if [ "$IP_COUNT" -eq 0 ]; then
echo "No IPs have been banned"
fi
else
case $1 in
unban)
shift
if [ -n "$1" ]; then
for JAIL in $JAILS; do
RESULT=`_docker_container fail2ban-client set $JAIL unbanip $@`
case "$RESULT" in
*"is not banned"*) ;;
*"NOK"*) ;;
*) echo -n "unbanned IP from $JAIL: "
echo "$RESULT";;
esac
done
else
echo "You need to specify an IP address. Run \"./setup.sh debug fail2ban\" to get a list of banned IP addresses."
fi
;;
*)
_usage
;;
esac
fi
;; ;;
show-mail-logs) show-mail-logs)
_docker_container cat /var/log/mail/mail.log _docker_container cat /var/log/mail/mail.log

46
target/bin/fail2ban Normal file
View File

@ -0,0 +1,46 @@
#! /bin/bash
usage() {
echo "Usage: $0 [<unban> <ip-address>]"
}
raise() {
echo "$@" 1>&2
exit 1
}
JAILS=$(fail2ban-client status | grep "Jail list" | cut -f2- | sed 's/,//g')
if [ -z "$1" ]; then
IP_COUNT=0
for JAIL in $JAILS; do
BANNED_IP=$(iptables -L f2b-$JAIL -n | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -v '0.0.0.0')
if [ -n "$BANNED_IP" ]; then
BANNED_IP=$(echo $BANNED_IP | sed -e 's/\n/,/g')
echo "Banned in $JAIL: $BANNED_IP"
IP_COUNT=$((IP_COUNT+1))
fi
done
if [ "$IP_COUNT" -eq 0 ]; then
echo "No IPs have been banned"
fi
else
case $1 in
unban)
shift
if [ -n "$1" ]; then
for JAIL in $JAILS; do
RESULT=`fail2ban-client set $JAIL unbanip $@`
if [[ "$RESULT" != *"is not banned"* ]] && [[ "$RESULT" != *"NOK"* ]]; then
echo -n "unbanned IP from $JAIL: "
echo "$RESULT"
fi
done
else
raise "You need to specify an IP address. Run \"./setup.sh debug fail2ban\" to get a list of banned IP addresses."
fi
;;
*)
usage; raise "unknown command: $1"
;;
esac
fi

26
test/tests.bats
View File

@ -757,9 +757,9 @@ load 'test_helper/bats-assert/load'
# Create a container which will send wrong authentications and should get banned # Create a container which will send wrong authentications and should get banned
docker run --name fail-auth-mailer -e MAIL_FAIL2BAN_IP=$MAIL_FAIL2BAN_IP -v "$(pwd)/test":/tmp/docker-mailserver-test -d $(docker inspect --format '{{ .Config.Image }}' mail) tail -f /var/log/faillog docker run --name fail-auth-mailer -e MAIL_FAIL2BAN_IP=$MAIL_FAIL2BAN_IP -v "$(pwd)/test":/tmp/docker-mailserver-test -d $(docker inspect --format '{{ .Config.Image }}' mail) tail -f /var/log/faillog
# can't pipe the file as usual due to postscreen. (respecting postscreen_greet_wait time and talking in turn): # can't pipe the file as usual due to postscreen. (respecting postscreen_greet_wait time and talking in turn):
for i in {1,2}; do for i in {1,2}; do
docker exec fail-auth-mailer /bin/bash -c \ docker exec fail-auth-mailer /bin/bash -c \
'exec 3<>/dev/tcp/$MAIL_FAIL2BAN_IP/25 && \ 'exec 3<>/dev/tcp/$MAIL_FAIL2BAN_IP/25 && \
while IFS= read -r cmd; do \ while IFS= read -r cmd; do \
@ -804,17 +804,17 @@ load 'test_helper/bats-assert/load'
@test "checking postscreen" { @test "checking postscreen" {
# Getting mail container IP # Getting mail container IP
MAIL_POSTSCREEN_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' mail_postscreen) MAIL_POSTSCREEN_IP=$(docker inspect --format '{{ .NetworkSettings.IPAddress }}' mail_postscreen)
# talk too fast: # talk too fast:
docker exec fail-auth-mailer /bin/sh -c "nc $MAIL_POSTSCREEN_IP 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login.txt" docker exec fail-auth-mailer /bin/sh -c "nc $MAIL_POSTSCREEN_IP 25 < /tmp/docker-mailserver-test/auth/smtp-auth-login.txt"
sleep 5 sleep 5
run docker exec mail_postscreen grep 'COMMAND PIPELINING' /var/log/mail/mail.log run docker exec mail_postscreen grep 'COMMAND PIPELINING' /var/log/mail/mail.log
assert_success assert_success
# positive test. (respecting postscreen_greet_wait time and talking in turn): # positive test. (respecting postscreen_greet_wait time and talking in turn):
for i in {1,2}; do for i in {1,2}; do
docker exec fail-auth-mailer /bin/bash -c \ docker exec fail-auth-mailer /bin/bash -c \
'exec 3<>/dev/tcp/'$MAIL_POSTSCREEN_IP'/25 && \ 'exec 3<>/dev/tcp/'$MAIL_POSTSCREEN_IP'/25 && \
while IFS= read -r cmd; do \ while IFS= read -r cmd; do \
@ -823,9 +823,9 @@ load 'test_helper/bats-assert/load'
echo $cmd >&3; \ echo $cmd >&3; \
done < "/tmp/docker-mailserver-test/auth/smtp-auth-login.txt"' done < "/tmp/docker-mailserver-test/auth/smtp-auth-login.txt"'
done done
sleep 5 sleep 5
run docker exec mail_postscreen grep 'PASS NEW ' /var/log/mail/mail.log run docker exec mail_postscreen grep 'PASS NEW ' /var/log/mail/mail.log
assert_success assert_success
} }
@ -1123,7 +1123,7 @@ load 'test_helper/bats-assert/load'
} }
@test "checking setup.sh: setup.sh email restrict" { @test "checking setup.sh: setup.sh email restrict" {
run ./setup.sh -c mail email restrict run ./setup.sh -c mail email restrict
assert_failure assert_failure
run ./setup.sh -c mail email restrict add run ./setup.sh -c mail email restrict add
assert_failure assert_failure
@ -1135,7 +1135,7 @@ load 'test_helper/bats-assert/load'
assert_success assert_success
run ./setup.sh -c mail email restrict list send run ./setup.sh -c mail email restrict list send
assert_output --partial "Everyone is allowed" assert_output --partial "Everyone is allowed"
./setup.sh -c mail email restrict add receive rec_lorem@impsum.org ./setup.sh -c mail email restrict add receive rec_lorem@impsum.org
run ./setup.sh -c mail email restrict list receive run ./setup.sh -c mail email restrict list receive
assert_output --regexp "^rec_lorem@impsum.org.*REJECT" assert_output --regexp "^rec_lorem@impsum.org.*REJECT"
@ -1194,16 +1194,16 @@ load 'test_helper/bats-assert/load'
assert_success assert_success
} }
@test "checking setup.sh: setup.sh debug fail2ban" { @test "checking setup.sh: setup.sh debug fail2ban" {
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client set dovecot banip 192.0.66.4" run docker exec mail_fail2ban /bin/sh -c "fail2ban-client set dovecot banip 192.0.66.4"
run docker exec mail_fail2ban /bin/sh -c "fail2ban-client set dovecot banip 192.0.66.5" run docker exec mail_fail2ban /bin/sh -c "fail2ban-client set dovecot banip 192.0.66.5"
sleep 10 sleep 10
run ./setup.sh -c mail_fail2ban debug fail2ban run ./setup.sh -c mail_fail2ban debug fail2ban
assert_output "Banned in dovecot: 192.0.66.5 192.0.66.4" assert_output --regexp "^Banned in dovecot: 192.0.66.5 192.0.66.4.*"
run ./setup.sh -c mail_fail2ban debug fail2ban unban 192.0.66.4 run ./setup.sh -c mail_fail2ban debug fail2ban unban 192.0.66.4
assert_output --partial "unbanned IP from dovecot: 192.0.66.4" assert_output --partial "unbanned IP from dovecot: 192.0.66.4"
run ./setup.sh -c mail_fail2ban debug fail2ban run ./setup.sh -c mail_fail2ban debug fail2ban
assert_output "Banned in dovecot: 192.0.66.5" assert_output --regexp "^Banned in dovecot: 192.0.66.5.*"
run ./setup.sh -c mail_fail2ban debug fail2ban unban 192.0.66.5 run ./setup.sh -c mail_fail2ban debug fail2ban unban 192.0.66.5
run ./setup.sh -c mail_fail2ban debug fail2ban unban run ./setup.sh -c mail_fail2ban debug fail2ban unban
assert_output --partial "You need to specify an IP address. Run" assert_output --partial "You need to specify an IP address. Run"