smecontribs/smeserver-fail2ban
6
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

initial commit of file from CVS for smeserver-fail2ban on Sat Sep 7 19:53:17 AEST 2024

Browse Source
This commit is contained in:
Trevor Batley
2024-09-07 19:53:18 +10:00
parent 1700d73fa1
commit 197253af46
86 changed files with 8686 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

455
root/usr/share/smanager/lib/SrvMngr/Controller/Fail2ban.pm Normal file
View File

@@ -0,0 +1,455 @@
package SrvMngr::Controller::Fail2ban;
#----------------------------------------------------------------------
# heading : Network
# description : Fail2Ban
# navigation : 6000 800
# name : fail2ban, method : get, url : /fail2ban, ctlact : fail2ban#main
# name : fail2banu, method : post, url : /fail2ban, ctlact : fail2ban#do_action
# name : fail2banr, method : get, url : /fail2ban2, ctlact : fail2ban#do_action_get
#
# routes : end
#----------------------------------------------------------------------
use strict;
use warnings;
use Mojo::Base 'Mojolicious::Controller';
use Locale::gettext;
use SrvMngr::I18N;
use Data::Validate::IP;
#use esmith::FormMagick::Panel::fail2ban;
# qw( get_value get_prop change_settings RemoveIP );
use SrvMngr qw( theme_list init_session ip_number );
our $cdb = esmith::ConfigDB->open() or die "Couldn't open ConfigDB\n";
my %defaultval=('FilterLocalNetworks'=> "enabled",
'FilterValidRemoteHosts'=> "enabled",
"Mail" => "enabled",
"BanTime" => '1800',
"FindTime" => '900',
"MaxRetry" => '3',
"sshd" => 'enabled',
"qpsmtpd" => 'enabled',
"dovecot" => 'enabled',
"httpd-e-smith" => 'enabled',
"ftp" => 'enabled',
"lemonldap" => 'enabled',
"ejabberd" => 'enabled',
"sogod" => 'disabled',
"wordpress" => 'disabled',
"smanager" => 'enabled',
);
sub main {
my $c = shift;
$c->app->log->info($c->log_req);
my %f2b_datas = ();
my $title = $c->l('f2b_FORM_TITLE');
$f2b_datas{'status'} = get_prop('fail2ban', 'status');
$f2b_datas{'filterlocalnetworks'} = get_prop('fail2ban', 'FilterLocalNetworks');
$f2b_datas{'filtervalidremotehosts'} = get_prop('fail2ban', 'FilterValidRemoteHosts');
$f2b_datas{'mail'} = get_prop('fail2ban', 'Mail');
$f2b_datas{'bantime'} = get_prop('fail2ban', 'BanTime');
$f2b_datas{'findtime'} = get_prop('fail2ban', 'FindTime');
$f2b_datas{'maxretry'} = get_prop('fail2ban', 'MaxRetry');
$f2b_datas{'wordpress'} = get_prop('fail2ban', 'wordpress');
$f2b_datas{'sshd'} = get_prop('sshd', 'Fail2Ban');
$f2b_datas{'qpsmtpd'} = get_prop('qpsmtpd', 'Fail2Ban');
$f2b_datas{'dovecot'} = get_prop('dovecot', 'Fail2Ban');
$f2b_datas{'httpd-e-smith'} = get_prop('httpd-e-smith', 'Fail2Ban');
$f2b_datas{'ftp'} = get_prop('sshd', 'Fail2Ban');
$f2b_datas{'lemonldap'} = get_prop('lemonldap', 'Fail2Ban');
$f2b_datas{'ejabberd'} = get_prop('ejabberd', 'Fail2Ban');
$f2b_datas{'sogod'} = get_prop('sogod', 'Fail2Ban');
$f2b_datas{'smanager'} = get_prop('smanager', 'Fail2Ban');
$c->stash( title => $title, f2b_datas => \%f2b_datas);
$c->render('fail2ban');
};
sub do_action {
my $c = shift;
$c->app->log->info($c->log_req);
my $rt = $c->current_route;
my %f2b_datas = ();
my $title = $c->l('f2b_FORM_TITLE');
my ($res, $result) = '';
$f2b_datas{status} = $c->param('Status');
my $action = ( $c->param('action') || '' );
$f2b_datas{ip} = $c->param('Ip');
$f2b_datas{bits} = $c->param('Bits');
# controls
$res = ip_number_or_blank( $c, $f2b_datas{ip} );
$result .= $res . " <br>" if ( $res ne 'OK' );
$res = subnet_mask_bit( $c, $f2b_datas{bit} );
$result .= $res . " <br>" if ( $res ne 'OK' );
$res = validate_network_and_mask( $c, $f2b_datas{ip}, $f2b_datas{bits} );
$result .= $res . " <br>" if ( $res ne 'OK' );
#$result .= 'Blocked for testing d_a ! No updates for now '; # if $action;
$res = '';
if ( ! $result ) {
$res = $c->do_changes();
$result .= $res unless $res eq 'OK';
if ( ! $result ) {
$result = $c->l('f2b_SUCCESS');
}
}
$c->stash( title => $title, f2b_datas => \%f2b_datas );
if ($res ne 'OK') {
$c->stash( error => $result );
return $c->render('fail2ban');
}
my $message = 'fail2ban updates DONE';
$c->app->log->info($message);
$c->flash( success => $result );
#$c->flash( error => " No changes applied !!" );
#return to 'fail2ban' route !!!
$c->redirect_to('/fail2ban');
};
sub do_action_get {
my $c = shift;
$c->app->log->info($c->log_req);
my ($res, $result) = '';
# controls
my $action = ($c->param('action') || '');
$result .= $c->l('f2b_ERROR_UPDATING') . " action: $action <br>"
unless ($action eq 'RemoveIP');
my $ip = ($c->param('IP') || '');
my $whitelist = ($c->param('Whitelist'))? 'true' : 'false';
#check ip
my $validator=Data::Validate::IP->new;
$result .= $c->l('f2b_ERROR_STOPPING') . " IP: $ip <br>"
unless ($validator->is_ipv4($ip));
$ip = $validator->is_ipv4($ip);
# validate and untaint jail
my $jail = ($c->param('Jail') || '');
# could be [a-zA-Z0-9_\-]
$jail = $jail =~ /([a-zA-Z0-9_\-]+)/ ? $1 : undef;
$result .= $c->l('f2b_ERROR_UPDATING') . " jail: $jail <br>"
unless $jail;
#$result .= 'Blocked for testing d_a_g ! No updates for now '; # if $action;
$res = '';
if ( ! $result ) {
$res = $c->RemoveIP( $ip, $whitelist, $jail );
$result .= $res unless $res eq 'OK';
if ( ! $result ) {
if ($whitelist eq "true" ) {
$result = $c->l('f2b_SUCCESS_IP_WHITE')." : $ip";
} else {
$result = $c->l('f2b_SUCCESS_IP')." : $ip";
}
}
}
if ($res ne 'OK') {
$c->flash( error => $result );
} else {
my $message = "fail2ban removeip $ip DONE";
$c->app->log->info($message);
$c->flash( success => $result );
}
$c->redirect_to('/fail2ban');
};
sub do_changes {
my $c = shift;
my %conf;
# Don't process the form unless we clicked the Save button. The event is
# called even if we chose the Remove link or the Add link.
my $ip = ($c->param ('Ip') || '');
my $status = ($c->param ('Status') || 'status');
my $FilterLocalNetworks = ($c->param ('FilterLocalNetworks') || "enabled");
my $FilterValidRemoteHosts= ($c->param ('FilterValidRemoteHosts') || "enabled");
my $Mail= ($c->param ("Mail") || "enabled");
my $BanTime= ($c->param ("BanTime") || '1800');
my $FindTime= ($c->param ("FindTime") || '900');
my $MaxRetry= ($c->param ("MaxRetry") || '3');
# those are stored in a different key dedicated to the service
my %services;
$services{'sshd'}= ($c->param ("Sshd") ||'enabled');
$services{'qpsmtpd'}= ($c->param ("Qpsmtpd") ||'enabled');
$services{'dovecot'}= ($c->param ("Dovecot") ||'enabled');
$services{'httpd-e-smith'}= ($c->param ("Httpd-e-smith") ||'enabled');
$services{'ftp'}= ($c->param ("Ftp") ||'enabled');
$services{'lemonldap'}= ($c->param ("Lemonldap") ||'enabled');
$services{'ejabberd'}= ($c->param ("Ejabberd" ) ||'enabled');
$services{'sogod'}= ($c->param ("Sogod" ) ||'enabled');
$services{'wordpress'}= ($c->param ("Wordpress") ||'enabled');
$services{'smanager'}= ($c->param ("Smanager") ||'enabled');
#------------------------------------------------------------
# Looks good; go ahead and change the access.
#------------------------------------------------------------
my $rec = $cdb->get('fail2ban');
if ($rec) {
$rec->set_prop('status', $status);
# unless prop empty and value eq default
$rec->set_prop('FilterLocalNetworks', $FilterLocalNetworks)
unless ( ! $cdb->get_prop('fail2ban','FilterLocalNetworks')
&& $FilterLocalNetworks eq $defaultval{'FilterLocalNetworks'} );
$rec->set_prop('FilterValidRemoteHosts', $FilterValidRemoteHosts)
unless ( ! $cdb->get_prop('fail2ban','FilterValidRemoteHosts')
&& $FilterValidRemoteHosts eq $defaultval{'FilterValidRemoteHosts'} );
$rec->set_prop('Mail', $Mail)
unless ( ! $cdb->get_prop('fail2ban','Mail') && $Mail eq $defaultval{'Mail'} );
$rec->set_prop('BanTime', $BanTime)
unless ( ! $cdb->get_prop('fail2ban','BanTime') && $BanTime eq $defaultval{'BanTime'} );
$rec->set_prop('FindTime', $FindTime)
unless ( ! $cdb->get_prop('fail2ban','FindTime') && $FindTime eq $defaultval{'FindTime'} );
$rec->set_prop('MaxRetry', $MaxRetry)
unless ( ! $cdb->get_prop('fail2ban','MaxRetry') && $MaxRetry eq $defaultval{'MaxRetry'} );
}
# for the 9 services update unless key does not exist and property does not exist and value eq default
foreach my $key (keys %services) {
if ($key eq "wordpress") {
$rec = $cdb->get('fail2ban');
my $getprop = $cdb->get_prop('fail2ban',$key) || "";
$rec->set_prop($key, $services{$key} )
unless ( ! $rec || (! $cdb->get_prop('fail2ban', $key) && $services{$key} eq $defaultval{$key} ) );
} else {
$rec = $cdb->get($key);
my $getprop = $cdb->get_prop($key,'Fail2Ban') || "";
$rec->set_prop('Fail2Ban', $services{$key} )
unless ( ! $rec || (! $cdb->get_prop($key,'Fail2Ban') && $services{$key} eq $defaultval{$key} ) );
}
}
# ?? this seems to prevent reload of service if we update something and remove or add an ip... ??
$c->add_new_valid_from;
$c->remove_valid_from;
unless ( system( "/sbin/e-smith/signal-event", "fail2ban-update" ) == 0 ) {
return $c->l('f2b_ERROR_UPDATING');
}
unless ( system( "/sbin/e-smith/signal-event", "fail2ban-conf" ) == 0 ) {
return $c->l('f2b_ERROR_UPDATING');
}
if ( $rec->prop('status') eq 'disabled' ) {
unless ( `/etc/init.d/fail2ban stop` ) {
return $c->l('f2b_ERROR_STOPPING');
}
}
return 'OK';
}
# RemoveIP after validation
sub RemoveIP {
my ( $c, $ip, $whitelist, $jail ) = @_;
unless ( system( "/usr/bin/fail2ban-client set $jail unbanip $ip ".' >/dev/null 2>&1' ) == 0 ) {
return $c->l('f2b_ERROR_UPDATING');
}
if ($whitelist eq 'true' ) {
# add $ip to whitelist for the current $jail
warn "/sbin/e-smith/db configuration setprop fail2ban IgnoreIP `/sbin/e-smith/db configuration getprop fail2ban IgnoreIP`,$ip/32";
unless ( system( "/sbin/e-smith/db configuration setprop fail2ban IgnoreIP `/sbin/e-smith/db configuration getprop fail2ban IgnoreIP`,$ip/32 ".' >/dev/null 2>&1' ) == 0
&& system( "/usr/bin/fail2ban-client reload ".' >/dev/null 2>&1' ) == 0
) {
return $c->l('f2b_ERROR_UPDATING_WHITE');
}
}
return 'OK';
}
sub add_new_valid_from {
my $c = shift;
my $ip = $c->param('Ip');
my $bits = $c->param('Bits');
# do nothing if no ip was added
return 1 unless ($ip);
my $rec = $cdb->get('fail2ban');
return $c->l('f2b_ERR_NO_RECORD') unless $rec;
my $prop = $rec->prop('IgnoreIP') || '';
my @vals = split /,/, $prop;
return '' if (grep /^$ip\/$bits$/, @vals); # already have this entry
if ($prop ne '') {
$prop .= ",$ip/$bits";
} else {
$prop = "$ip/$bits";
}
$rec->set_prop('IgnoreIP', $prop);
return 1;
}
sub remove_valid_from {
my $c = shift;
my @remove = @{$c->every_param('ValidFromRemove')};
return 1 unless @remove;
my @vals = @{$c->get_valid_from()};
unless (@vals) {
print STDERR "ERROR: unable to load IgnoreIP property from conf db\n";
return undef;
}
#$c->app->log->debug("remo: " . $c->dumper(\@remove) .' vals: '. $c->dumper(\@vals));
foreach my $entry (@remove) {
@vals = (grep { $entry ne $_ } @vals);
}
my $prop = '';
$prop = join(',', @vals) if @vals;
$cdb->get('fail2ban')->set_prop('IgnoreIP', $prop);
return 1;
}
sub ip_number_or_blank {
my $c = shift;
my $ip = shift;
if (!defined($ip) || $ip eq "") {
return 'OK';
}
$c->ip_number( $ip );
}
sub subnet_mask_bit {
my ($c, $mask) = @_;
my @allowed = (8,9,12,14,16,17,20,22,24,25,28,30,32);
if ( !defined($mask) || $mask eq "" || grep( /^$mask$/, @allowed ) ) {
return "OK";
}
return $c->l('f2b_INVALID_SUBNET_MASK');
}
sub validate_network_and_mask {
my $c = shift;
my $net = shift || "";
my $mask = shift || "";
# my $net = $c->param('Ip') || "";
if ($net xor $mask) {
return $c->l('f2b_ERR_INVALID_PARAMS');
}
return 'OK';
}
sub get_prop {
# my $c = shift;
my $item = shift;
my $prop = shift;
my $value = $cdb->get_prop($item, $prop) || '';
if ( $value eq "" && exists($defaultval{$prop}) && $item eq "fail2ban") {
$value=$defaultval{$prop};
} elsif ( $value eq "" && exists($defaultval{$item}) && $prop eq "Fail2Ban" && $item ne "fail2ban" ) {
$value=$defaultval{$item};
}
return $value;
}
sub get_valid_from {
my $c = shift;
my @vals_sorted = ();
my $rec = $cdb->get('fail2ban');
if ( $rec ) {
my @vals = (split ',', $rec->prop('IgnoreIP'));
@vals_sorted = sort ip_sort @vals if @vals;
# @vals_sorted = @vals;
}
return \@vals_sorted;
}
sub get_current_deny {
my $c = shift;
my @cdeny = `/usr/bin/sfail2ban`;
return \@cdeny
}
sub ip_sort(@) {
return esmith::util::IPquadToAddr($a) <=> esmith::util::IPquadToAddr($b);
}
1;

56
root/usr/share/smanager/lib/SrvMngr/I18N/Modules/Fail2ban/fail2ban_en.lex Normal file
View File

@@ -0,0 +1,56 @@
'f2b_FORM_TITLE' => 'Fail2ban service',
'f2b_SERVICE_STATUS' => 'Fail2ban service status.',
'f2b_STATUS' => 'Status',
'f2b_FilterLocalNetworks_STATUS' => 'Whitelist all the local network defined.',
'f2b_FilterLocalNetworks' => 'FilterLocalNetworks status',
'f2b_FilterValidRemoteHosts_STATUS' => 'Whitelist all the authorized remote hosts allowed to acces server-manager.',
'f2b_FilterValidRemoteHosts' => 'FilterValidRemoteHosts status',
'f2b_SEND_MAIL_STATUS' => 'Status of qmail jail',
'f2b_MAIL' => 'Mail',
'f2b_BANTIME' => 'Set the default ban time for jails (Initial default is 1800 seconds).',
'f2b_DEFAULT_BANTIME' => 'Bantime',
'f2b_FINDTIME' => '>Set the default find time for jails (Initial default is 900 seconds).',
'f2b_DEFAULT_FINDTIME' => 'Findtime',
'f2b_MAXRETRY' => 'Set the default max retry allowed before being ban (Initial default is 3).',
'f2b_DEFAULT_MAXRETRY' => 'Maxretry',
'f2b_SSHD_STATUS' => 'Status of sshd jail.',
'f2b_SSHD' => 'sshd',
'f2b_QPSMTPD_STATUS' => 'Status of qpsmtpd (incoming emails) jail.',
'f2b_QPSMTPD' => 'qpsmtpd',
'f2b_IMAP_STATUS' => 'Status of dovecot (imap service to retrieve emails) jail.',
'f2b_IMAP' => 'dovecot',
'f2b_HTTPD_STATUS' => 'Status of httpd jails. Multiple features are enabled at once there.',
'f2b_HTTPD' => 'httpd',
'f2b_FTP_STATUS' => 'Status of proftpd jail.',
'f2b_FTP' => 'proftpd',
'f2b_LEMONLDAP_STATUS' => 'Status of LemonLDAP jail, if installed. Nothing is running if LemonLDAP is not installed or disabled.',
'f2b_LEMONLDAP' => 'LemonLDAP',
'f2b_EJABBERD_STATUS' => 'Status of ejabberd jail, if installed. Nothing is running if ejabberd is not installed or disabled.',
'f2b_EJABBERD' => 'ejabberd',
'f2b_SOGOD_STATUS' => 'Status of SOGO jail, if installed. Nothing is running if SOGO is not installed or disabled.',
'f2b_SOGOD' => 'Sogo',
'f2b_WORDPRESS_STATUS' => 'Status of wordpress jails. You need to activate it manually whether you have it in an ibay or use the contrib. Please also install the plugin in all your wordpress instances.',
'f2b_WORDPRESS' => 'Wordpress',
'f2b_SMANAGER_STATUS' => 'Status of smanager jails. You need to activate it manually if you install it after fail2ban.',
'f2b_SMANAGER' => 'Smanager',
'f2b_VALIDFROM_TITLE' => 'Allowed Hosts',
'f2b_VALIDFROM_DESC' => 'This is a list of hosts that will not be blocked by fail2ban.',
'f2b_NO_ENTRIES_YET' => 'No Entries Yet',
'f2b_DESC_ADD_IP' => 'To add a new allowed network, enter the details below.',
'f2b_ADD_IP' => 'Authorized network',
'f2b_DESC_ADD_BITS' => 'To add a new allowed network, enter the associated subnet using bits eg 22, 25 or 32).',
'f2b_ADD_BITS' => 'Authorized network subnet',
'f2b_CURRENT_DENY_TITLE' => 'Blocked Hosts',
'f2b_CURRENT_DENY_DESC' => 'This is a list of hosts that are currently blocked.',
'f2b_JAIL' => 'Jail',
'f2b_FIRST_SEEN' => 'Host first seen',
'f2b_SUCCESS' => 'The new fail2ban settings have been saved.',
'f2b_ERR_NO_RECORD' => 'Unable to locate fail2ban record in configuration db',
'f2b_ERROR_STOPPING' => 'Error while trying to stop service',
'f2b_SUCCESS_IP' => 'The following IP has been unbanned',
'f2b_WHITELIST' => 'Whitelist',
'f2b_SUCCESS_IP_WHITE' => 'The following IP has been unbanned and whitelisted',
'f2b_ERROR_UPDATING' => 'Unable to unban',
'f2b_ERROR_UPDATING_WHITE' => 'Unable to unban and whitelist',
'f2b_ERR_INVALID_PARAMS' => 'Invalid network parameters',
'f2b_INVALID_SUBNET_MASK' => 'Invalid subnet mask',