* Fri Sep 26 2025 Jean-Philippe Pialasse <jpp@koozali.org> 0.1.18-36.sme

- fix spec file [SME: 13172]
- fix 05IgnoreIP fragment [SME: 12453]
- whitelist wan ip [SME: 12199]
- create Fail2ban chain if missing on reloading firewall  [SME: 10786]
- update qpsmtpd logs path
- fix createlinks
This commit is contained in:
2025-09-26 10:20:56 -04:00
parent b596eafc6c
commit 21e6e9a0dd
8 changed files with 46 additions and 22 deletions

.gitignore vendored

@@ -2,3 +2,4 @@
*.log *.log
*spec-20* *spec-20*
*.tar.gz *.tar.gz
*.tar.xz


@@ -1 +0,0 @@
contribs10


@@ -3,10 +3,9 @@
use esmith::Build::CreateLinks qw(:all); use esmith::Build::CreateLinks qw(:all);
# Koozali event specific for updating with yum without reboot # Koozali event specific for updating with yum without reboot
$event = "smeserver-fail2ban-update"; my $event = "smeserver-fail2ban-update";
#add here the path to your templates needed to expand
#see the /etc/systemd/system-preset/49-koozali.preset should be present for systemd integration on all you yum update event
#add here the path to your templates needed to expand
foreach my $file (qw( foreach my $file (qw(
/etc/systemd/system-preset/49-koozali.preset /etc/systemd/system-preset/49-koozali.preset
/etc/backup-data.d/smeserver-fail2ban.include /etc/backup-data.d/smeserver-fail2ban.include
@@ -21,22 +20,30 @@ event_link("systemd-default", $event, "10");
event_link("systemd-reload", $event, "50"); event_link("systemd-reload", $event, "50");
#action specific to this package #action specific to this package
#event_link("some event", $event, "30");
#services we need to restart #services we need to restart
safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/masq"); safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/masq");
safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/fail2ban"); safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/fail2ban");
#and Server Manager panel link
#and Server Manager panel link
panel_link("fail2ban", "manager"); panel_link("fail2ban", "manager");
templates2events("/etc/rc.d/init.d/masq", "fail2ban-update"); templates2events("/etc/rc.d/init.d/masq", "fail2ban-update");
templates2events("/etc/rc.d/init.d/masq", "smeserver-fail2ban-update"); templates2events("/etc/rc.d/init.d/masq", "smeserver-fail2ban-update");
foreach my $event qw(smeserver-fail2ban-update fail2ban-conf bootstrap-console-save){ # for smanager2
safe_symlink('restart', "root/etc/e-smith/events/$event/services2adjust/smanager");
event_link('navigation2-conf', "$event", '80');
event_link('routes2-conf', "$event", '80');
event_link('locales2-conf', "$event", '80');
# other events
foreach my $event (qw(smeserver-fail2ban-update fail2ban-conf bootstrap-console-save)) {
templates2events("/etc/fail2ban/jail.conf", "$event"); templates2events("/etc/fail2ban/jail.conf", "$event");
templates2events("/etc/fail2ban/fail2ban.conf", "$event"); templates2events("/etc/fail2ban/fail2ban.conf", "$event");
templates2events("/etc/logrotate.d/fail2ban", "$event"); templates2events("/etc/logrotate.d/fail2ban", "$event");
} }
templates2events("/etc/fail2ban/jail.conf", "network-create"); templates2events("/etc/fail2ban/jail.conf", "network-create");
templates2events("/etc/fail2ban/jail.conf", "network-delete"); templates2events("/etc/fail2ban/jail.conf", "network-delete");
templates2events("/etc/fail2ban/jail.conf", "remoteaccess-update"); templates2events("/etc/fail2ban/jail.conf", "remoteaccess-update");
@@ -47,16 +54,5 @@ safe_symlink("restart", "root/etc/e-smith/events/network-delete/services2adjust/
safe_symlink("restart", "root/etc/e-smith/events/remoteaccess-update/services2adjust/fail2ban"); safe_symlink("restart", "root/etc/e-smith/events/remoteaccess-update/services2adjust/fail2ban");
event_link("fail2ban-suspend-logs", "logrotate", "02"); event_link("fail2ban-suspend-logs", "logrotate", "02");
event_link("fail2ban-resume-logs", "logrotate", "98"); event_link("fail2ban-resume-logs", "logrotate", "98");
safe_touch("root/var/log/fail2ban/daemon.log"); safe_touch("root/var/log/fail2ban/daemon.log");
#service_link_enhanced("fail2ban", "S99", "7");
#service_link_enhanced("fail2ban", "K08", "6");
#service_link_enhanced("fail2ban", "K08", "0");
# for smeserver-manager
my $event = "smeserver-fail2ban-update";
safe_symlink('restart', "root/etc/e-smith/events/$event/services2adjust/smanager");
event_link('navigation2-conf', "$event", '80');
event_link('routes2-conf', "$event", '80');
event_link('locales2-conf', "$event", '80');
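Review bot: The rewritten loop `foreach my $event (qw(smeserver-fail2ban-update fail2ban-conf bootstrap-console-save)) {` reuses the name of the file-scope `my $event = "smeserver-fail2ban-update";` declared at the top of the same file, so inside the loop `$event` means a different thing from the `$event` that the surrounding `event_link`/`safe_symlink` calls use. Perl accepts this silently because a foreach variable gets its own scope, but a distinct name such as `$ev` in the `foreach` and in the three `templates2events(..., "$ev")` calls makes the two meanings visible at a glance. The quoting in `"$event"` is also unnecessary; passing `$event` bare is the usual form for a plain scalar argument.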


@@ -6,7 +6,10 @@ use Net::IPv4Addr;
my $n = esmith::NetworksDB->open_ro() || my $n = esmith::NetworksDB->open_ro() ||
die "Couldn't open networks DB\n"; die "Couldn't open networks DB\n";
my @ip = ("127.0.0.0/8", $LocalIP); # do not block localhost and LAN
my @ip = ("127.0.0.0/8", "$LocalIP/32");
# if ExternalIP exist do not block WAN
push @ip, "$ExternalIP/32" if $ExternalIP;
# Add hosts which can access the server-manager to the whitelist # Add hosts which can access the server-manager to the whitelist
unless (($fail2ban{FilterValidRemoteHosts} || 'disabled') eq 'enabled'){ unless (($fail2ban{FilterValidRemoteHosts} || 'disabled') eq 'enabled'){
@@ -28,6 +31,7 @@ unless (($fail2ban{FilterLocalNetworks} || 'disabled') eq 'enabled'){
# Add a local whitelist # Add a local whitelist
foreach (split /[,;]/, ($fail2ban{'IgnoreIP'} || '')){ foreach (split /[,;]/, ($fail2ban{'IgnoreIP'} || '')){
my $addr = $_; my $addr = $_;
next unless (length $addr);
$addr .= '/32' unless ($addr =~ m/\/\d{1,2}$/); $addr .= '/32' unless ($addr =~ m/\/\d{1,2}$/);
my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$addr"); my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$addr");
push @ip, "$ip/$bits"; push @ip, "$ip/$bits";
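Review bot: The new `next unless (length $addr);` guard skips empty fields left by a trailing separator, but not whitespace around a field, so an IgnoreIP value written as `1.2.3.4, 5.6.7.8` still hands ` 5.6.7.8` to the `/32` append and to `ipv4_parse`; trim first with `$addr =~ s/^\s+|\s+$//g;` placed before the length check so padded entries are whitelisted rather than rejected. If `Net::IPv4Addr::ipv4_parse` croaks on a malformed entry (I believe it does; verify against the module version shipped), one typo in the DB key aborts expansion of the whole jail.conf rather than just that entry, so wrapping the parse in `eval` and skipping the entry with a `warn` would keep the rest of the whitelist intact. The foreach body continues past the end of the hunk.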


@@ -7,6 +7,8 @@ my @ports = ();
push @ports, ($qpsmtpd{'TCPPort'} || '25'); push @ports, ($qpsmtpd{'TCPPort'} || '25');
push @ports, ($sqpsmtpd{'TCPPort'} || '465') push @ports, ($sqpsmtpd{'TCPPort'} || '465')
if (($sqpsmtpd{'status'} || 'disabled') eq 'enabled'); if (($sqpsmtpd{'status'} || 'disabled') eq 'enabled');
push @ports, ($uqpsmtpd{'TCPPort'} || '587')
if ((usqpsmtpd{'status'} || 'disabled') eq 'enabled');
my $port = join (",", @ports); my $port = join (",", @ports);
my $max = $maxretry*3; my $max = $maxretry*3;
@@ -16,7 +18,7 @@ $OUT .=<<"EOF";
[qpsmtpd] [qpsmtpd]
enabled = true enabled = true
filter = qpsmtpd filter = qpsmtpd
logpath = /var/log/*qpsmtpd/current logpath = /var/log/*qpsmtpd/*qpsmtpd.log
maxretry = $max maxretry = $max
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime] action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
EOF EOF
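Review bot: `usqpsmtpd{'status'}` on the second added line is missing its sigil and does not match the `$uqpsmtpd{'TCPPort'}` hash used on the line just above it, so under `strict` this fragment fails to compile rather than testing the submission service's status; the line should read `if (($uqpsmtpd{'status'} || 'disabled') eq 'enabled');`. As far as I can tell from this hunk, a fragment that fails to compile means the `[qpsmtpd]` jail stanza is not generated at all, which would leave SMTP without fail2ban coverage until the template is corrected, so this is worth a quick expansion test before release. I am assuming `%uqpsmtpd` is the submission-service record, which the `'587'` default suggests; confirm the key name against the other fragments that read it.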


@@ -1,6 +1,21 @@
{ {
my $f2bdb = esmith::ConfigDB->open_ro('fail2ban') || my $f2bdb = esmith::ConfigDB->open_ro('fail2ban') ||
esmith::ConfigDB->create('fail2ban'); esmith::ConfigDB->create('fail2ban');
# to allow reload without locking just after initial install or if chain has been deleted
$OUT .=<<'EOF';
iptables -n --list Fail2Ban >/dev/null 2>&1
test=$?
if [[ $test -eq 1 ]] ; then
# A blacklist chain for xtables-addons Fail2Ban
/sbin/iptables --new-chain Fail2Ban
/sbin/iptables --new-chain Fail2Ban_1
/sbin/iptables --append Fail2Ban -j Fail2Ban_1
/sbin/iptables --insert INPUT 1 \
-j Fail2Ban
fi
EOF
# Find the current Fail2Ban_$$ chain, and create a new one. # Find the current Fail2Ban_$$ chain, and create a new one.
$OUT .=<<'EOF'; $OUT .=<<'EOF';
OLD_Fail2Ban=$(get_safe_id Fail2Ban filter find) OLD_Fail2Ban=$(get_safe_id Fail2Ban filter find)
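Review bot: The chain-existence probe on the first heredoc line calls bare `iptables` while the three creation lines use `/sbin/iptables`; if the firewall reload ever runs with a PATH that lacks `/sbin`, the probe exits 127, the `-eq 1` test is false, and the chain is silently never created, which is the very case SME:10786 sets out to fix. Using the same absolute path for the probe, `/sbin/iptables -n --list Fail2Ban >/dev/null 2>&1`, removes that dependency. `[[ $test -eq 1 ]]` is also a bash-ism; `[ "$test" -eq 1 ]` is equivalent here and keeps the script portable should masq ever run under a non-bash `sh`. The enclosing `{ ... }` block opens in this hunk and continues past its end.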

Binary file not shown.


@@ -1,5 +1,5 @@
%define version 0.1.18 %define version 0.1.18
%define release 35 %define release 36
%define name smeserver-fail2ban %define name smeserver-fail2ban
Summary: fail2ban integration on SME Server Summary: fail2ban integration on SME Server
@@ -10,7 +10,6 @@ Epoch: 9
License: GPL License: GPL
Group: Networking/Daemons Group: Networking/Daemons
Source: %{name}-%{version}.tar.xz Source: %{name}-%{version}.tar.xz
patch25: smeserver-fail2ban-0.1.18-locale-2024-09-05.patch
BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
BuildArchitectures: noarch BuildArchitectures: noarch
@@ -26,6 +25,14 @@ AutoReqProv: no
Configure fail2ban on SME Server Configure fail2ban on SME Server
%changelog %changelog
* Fri Sep 26 2025 Jean-Philippe Pialasse <jpp@koozali.org> 0.1.18-36.sme
- fix spec file [SME: 13172]
- fix 05IgnoreIP fragment [SME: 12453]
- whitelist wan ip [SME: 12199]
- create Fail2ban chain if missing on reloading firewall [SME: 10786]
- update qpsmtpd logs path
- fix createlinks
* Tue Sep 23 2025 Brian Read <brianr@koozali.org> 0.1.18-35.sme * Tue Sep 23 2025 Brian Read <brianr@koozali.org> 0.1.18-35.sme
- Change $config to config in layout file(s) [SME: 13171] - Change $config to config in layout file(s) [SME: 13171]