From c2f422001698de9b5d5efe434a37008f4af13847 Mon Sep 17 00:00:00 2001
From: 17Halbe
Date: Wed, 31 Jan 2018 22:25:29 +0100
Subject: [PATCH] fail2ban handling integrated in setup.sh (#797)

* fail2ban handling integrated in setup.sh
- calling \"./setup debug fail2ban\" lists all iptable chains whith blocked IPs (like: Banned in dovecot: 91.200.12.164 Banned in postfix-sasl: 91.200.12.164)
- calling \"./setup debug fail2ban unban xxx.xxx.xxx.xxx [yyy.yyy.yyy.yyy ...]\" unbans/removes those IPs from all jails.
- calling \"./setup debug fail2ban unban\" (without an IP) gives an descriptive error: (You need to specify an IP address. Run "./setup.sh debug fail2ban" to get a list of banned IP addresses.)
* disable_vrfy_command: (#798)
Prevents Spammers from collecting existing mail-addresses by probing the mailserver for them.
* Added support for Dovecot and Postfix LDAP TLS (#800)
* Allow setup of LDAP STARTTLS for Dovecot and Postfix
* Added tests for TLS config override
* Add missing Postfix TLS options
* Added missing new line at the end of the file
* Added STARTTLS tests for Postfix config
* tests added and made the script output look more shiny.
* setup.sh enhancements

---
 setup.sh | 41 +++++++++++++++++++++++++++++++++++++++++
 test/tests.bats | 15 +++++++++++++++
 2 files changed, 56 insertions(+)

diff --git a/setup.sh b/setup.sh
index 26da098c..6269e9ec 100755
--- a/setup.sh
+++ b/setup.sh
@@ -60,6 +60,7 @@ SUBCOMMANDS:
 debug:
 $0 debug fetchmail
+ $0 debug fail2ban
 $0 debug show-mail-logs
 $0 debug inspect
 $0 debug login
@@ -180,6 +181,46 @@ case $1 in
 fetchmail)
 _docker_image debug-fetchmail
 ;;
+ fail2ban)
+ shift
+ JAILS=$(_docker_container fail2ban-client status | grep "Jail list" | cut -f2- | sed 's/,//g')
+ if [ -z "$1" ]; then
+ IP_COUNT=0
+ for JAIL in $JAILS; do
+ BANNED_IP=$(_docker_container iptables -L f2b-$JAIL -n | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -v '0.0.0.0')
+ if [ -n "$BANNED_IP" ]; then
+ BANNED_IP=$(echo $BANNED_IP | sed -e 's/\n/,/g')
+ echo "Banned in $JAIL: $BANNED_IP"
+ IP_COUNT=$((IP_COUNT+1))
+ fi
+ done
+ if [ "$IP_COUNT" -eq 0 ]; then
+ echo "No IPs have been banned"
+ fi
+ else
+ case $1 in
+ unban)
+ shift
+ if [ -n "$1" ]; then
+ for JAIL in $JAILS; do
+ RESULT=`_docker_container fail2ban-client set $JAIL unbanip $@`
+ case "$RESULT" in
+ *"is not banned"*) ;;
+ *"NOK"*) ;;
+ *) echo -n "unbanned IP from $JAIL: "
+ echo "$RESULT";;
+ esac
+ done
+ else
+ echo "You need to specify an IP address. Run \"./setup.sh debug fail2ban\" to get a list of banned IP addresses."
+ fi
+ ;;
+ *)
+ _usage
+ ;;
+ esac
+ fi
+ ;;
 show-mail-logs)
 _docker_container cat /var/log/mail/mail.log
 ;;
diff --git a/test/tests.bats b/test/tests.bats
index d6cc26be..ddd5ac04 100644
--- a/test/tests.bats
+++ b/test/tests.bats
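Review bot: The `*"NOK"*) ;;` arm in the unban loop discards fail2ban-client's error reply, so an operator who mistypes an address or hits a jail that rejects it gets no output at all and may believe the unban succeeded; the reply should at least reach stderr, e.g. `*"NOK"*) printf '%s\n' "$JAIL: $RESULT" >&2 ;;`. The addresses are also forwarded to the container unquoted and unchecked (`unbanip $@` inside backticks); writing it as `RESULT=$(_docker_container fail2ban-client set "$JAIL" unbanip "$@")` keeps each argument intact, and a simple syntactic check that every argument looks like an IP address before the jail loop would give a clearer error than relying on fail2ban-client to reject it. In the listing branch, `sed -e 's/\n/,/g'` is a no-op because sed sees one line at a time, and the unquoted `echo $BANNED_IP` is what already joins the addresses with spaces (which is exactly what the new test asserts), so the sed should be dropped rather than left to suggest comma output. The listing only extracts dotted-quad IPv4 addresses, so any IPv6 bans fail2ban may hold would presumably not be shown; a comment on the `grep -Eo` line such as `# only IPv4 bans are listed` would make that blind spot visible. The enclosing `case $1 in` and the `_docker_container`/`_usage` helpers are defined outside this hunk.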
@@ -1131,6 +1131,21 @@ load 'test_helper/bats-assert/load'
 run ./setup.sh -c mail debug login ls
 assert_success
 }
+@test "checking setup.sh: setup.sh debug fail2ban" {
+
+ run docker exec mail_fail2ban /bin/sh -c "fail2ban-client set dovecot banip 192.0.66.4"
+ run docker exec mail_fail2ban /bin/sh -c "fail2ban-client set dovecot banip 192.0.66.5"
+ sleep 10
+ run ./setup.sh -c mail_fail2ban debug fail2ban
+ assert_output "Banned in dovecot: 192.0.66.5 192.0.66.4"
+ run ./setup.sh -c mail_fail2ban debug fail2ban unban 192.0.66.4
+ assert_output --partial "unbanned IP from dovecot: 192.0.66.4"
+ run ./setup.sh -c mail_fail2ban debug fail2ban
+ assert_output "Banned in dovecot: 192.0.66.5"
+ run ./setup.sh -c mail_fail2ban debug fail2ban unban 192.0.66.5
+ run ./setup.sh -c mail_fail2ban debug fail2ban unban
+ assert_output --partial "You need to specify an IP address. Run"
+}
 #
 # LDAP