* Fri Sep 26 2025 Jean-Philippe Pialasse <jpp@koozali.org> 0.1.18-36.sme
- fix spec file [SME: 13172] - fix 05IgnoreIP fragment [SME: 12453] - whitelist wan ip [SME: 12199] - create Fail2ban chain if missing on reloading firewall [SME: 10786] - update qpsmtpd logs path - fix createlinks
1
.gitignore
vendored
1
.gitignore
vendored
@@ -2,3 +2,4 @@
|
||||
*.log
|
||||
*spec-20*
|
||||
*.tar.gz
|
||||
*.tar.xz
|
||||
|
@@ -1 +0,0 @@
|
||||
contribs10
|
30
createlinks
30
createlinks
@@ -3,10 +3,9 @@
|
||||
use esmith::Build::CreateLinks qw(:all);
|
||||
|
||||
# Koozali event specific for updating with yum without reboot
|
||||
$event = "smeserver-fail2ban-update";
|
||||
#add here the path to your templates needed to expand
|
||||
#see the /etc/systemd/system-preset/49-koozali.preset should be present for systemd integration on all you yum update event
|
||||
my $event = "smeserver-fail2ban-update";
|
||||
|
||||
#add here the path to your templates needed to expand
|
||||
foreach my $file (qw(
|
||||
/etc/systemd/system-preset/49-koozali.preset
|
||||
/etc/backup-data.d/smeserver-fail2ban.include
|
||||
@@ -21,22 +20,30 @@ event_link("systemd-default", $event, "10");
|
||||
event_link("systemd-reload", $event, "50");
|
||||
|
||||
#action specific to this package
|
||||
#event_link("some event", $event, "30");
|
||||
#services we need to restart
|
||||
safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/masq");
|
||||
safe_symlink("restart", "root/etc/e-smith/events/$event/services2adjust/fail2ban");
|
||||
#and Server Manager panel link
|
||||
|
||||
#and Server Manager panel link
|
||||
panel_link("fail2ban", "manager");
|
||||
|
||||
templates2events("/etc/rc.d/init.d/masq", "fail2ban-update");
|
||||
templates2events("/etc/rc.d/init.d/masq", "smeserver-fail2ban-update");
|
||||
|
||||
foreach my $event qw(smeserver-fail2ban-update fail2ban-conf bootstrap-console-save){
|
||||
# for smanager2
|
||||
safe_symlink('restart', "root/etc/e-smith/events/$event/services2adjust/smanager");
|
||||
event_link('navigation2-conf', "$event", '80');
|
||||
event_link('routes2-conf', "$event", '80');
|
||||
event_link('locales2-conf', "$event", '80');
|
||||
|
||||
|
||||
# other events
|
||||
foreach my $event (qw(smeserver-fail2ban-update fail2ban-conf bootstrap-console-save)) {
|
||||
templates2events("/etc/fail2ban/jail.conf", "$event");
|
||||
templates2events("/etc/fail2ban/fail2ban.conf", "$event");
|
||||
templates2events("/etc/logrotate.d/fail2ban", "$event");
|
||||
}
|
||||
|
||||
templates2events("/etc/fail2ban/jail.conf", "network-create");
|
||||
templates2events("/etc/fail2ban/jail.conf", "network-delete");
|
||||
templates2events("/etc/fail2ban/jail.conf", "remoteaccess-update");
|
||||
@@ -47,16 +54,5 @@ safe_symlink("restart", "root/etc/e-smith/events/network-delete/services2adjust/
|
||||
safe_symlink("restart", "root/etc/e-smith/events/remoteaccess-update/services2adjust/fail2ban");
|
||||
event_link("fail2ban-suspend-logs", "logrotate", "02");
|
||||
event_link("fail2ban-resume-logs", "logrotate", "98");
|
||||
|
||||
safe_touch("root/var/log/fail2ban/daemon.log");
|
||||
|
||||
#service_link_enhanced("fail2ban", "S99", "7");
|
||||
#service_link_enhanced("fail2ban", "K08", "6");
|
||||
#service_link_enhanced("fail2ban", "K08", "0");
|
||||
|
||||
# for smeserver-manager
|
||||
my $event = "smeserver-fail2ban-update";
|
||||
safe_symlink('restart', "root/etc/e-smith/events/$event/services2adjust/smanager");
|
||||
event_link('navigation2-conf', "$event", '80');
|
||||
event_link('routes2-conf', "$event", '80');
|
||||
event_link('locales2-conf', "$event", '80');
|
||||
|
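Review bot: The `foreach my $event qw(smeserver-fail2ban-update fail2ban-conf bootstrap-console-save){` line in the new "for smanager2" block uses `qw(...)` without surrounding parentheses as the loop list, which Perl 5.18 and later reject as a syntax error (deprecated since 5.14), so createlinks would not run on a current perl; it should read `foreach my $event (qw(smeserver-fail2ban-update fail2ban-conf bootstrap-console-save)) {` exactly like the "# other events" loop below it. No closing brace for that loop is visible before the second `foreach` opens; if that is not a rendering artefact, the script also fails with a missing right curly. Since both loops iterate the same three events, the smanager restart and the navigation2/routes2/locales2 event_link calls could simply be moved into the second loop, which removes the duplication and the brace problem at once. This is a flat script, so the statement run continues outside the hunk.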
@@ -6,7 +6,10 @@ use Net::IPv4Addr;
|
||||
my $n = esmith::NetworksDB->open_ro() ||
|
||||
die "Couldn't open networks DB\n";
|
||||
|
||||
my @ip = ("127.0.0.0/8", $LocalIP);
|
||||
# do not block localhost and LAN
|
||||
my @ip = ("127.0.0.0/8", "$LocalIP/32");
|
||||
# if ExternalIP exist do not block WAN
|
||||
push @ip, "$ExternalIP/32" if $ExternalIP;
|
||||
|
||||
# Add hosts which can access the server-manager to the whitelist
|
||||
unless (($fail2ban{FilterValidRemoteHosts} || 'disabled') eq 'enabled'){
|
||||
@@ -28,6 +31,7 @@ unless (($fail2ban{FilterLocalNetworks} || 'disabled') eq 'enabled'){
|
||||
# Add a local whitelist
|
||||
foreach (split /[,;]/, ($fail2ban{'IgnoreIP'} || '')){
|
||||
my $addr = $_;
|
||||
next unless (length $addr);
|
||||
$addr .= '/32' unless ($addr =~ m/\/\d{1,2}$/);
|
||||
my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$addr");
|
||||
push @ip, "$ip/$bits";
|
||||
|
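Review bot: `push @ip, "$ExternalIP/32" if $ExternalIP;` interpolates the config-DB value unvalidated, whereas the admin-supplied `IgnoreIP` entries further down this fragment are normalised through `Net::IPv4Addr::ipv4_parse`; an ExternalIP that is a hostname or already carries a prefix would yield a malformed ignoreip entry that breaks the jail configuration as a whole. Running it through the same parser keeps the two paths consistent: `my ($wan) = $ExternalIP ? Net::IPv4Addr::ipv4_parse("$ExternalIP/32") : ();` followed by `push @ip, "$wan/32" if $wan;` — a garbage value then presumably fails at expansion the same way a bad IgnoreIP entry does, rather than silently disabling banning. The push also deserves a comment on what it exempts, since anything that arrives with the WAN address as its source is never banned, e.g. `# NOTE: any connection seen as coming from ExternalIP (hairpin NAT, an upstream proxy) is exempt from bans`. The `unless (...)` block that follows starts inside the hunk but its body runs past it.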
@@ -7,6 +7,8 @@ my @ports = ();
|
||||
push @ports, ($qpsmtpd{'TCPPort'} || '25');
|
||||
push @ports, ($sqpsmtpd{'TCPPort'} || '465')
|
||||
if (($sqpsmtpd{'status'} || 'disabled') eq 'enabled');
|
||||
push @ports, ($uqpsmtpd{'TCPPort'} || '587')
|
||||
if ((usqpsmtpd{'status'} || 'disabled') eq 'enabled');
|
||||
my $port = join (",", @ports);
|
||||
|
||||
my $max = $maxretry*3;
|
||||
@@ -16,7 +18,7 @@ $OUT .=<<"EOF";
|
||||
[qpsmtpd]
|
||||
enabled = true
|
||||
filter = qpsmtpd
|
||||
logpath = /var/log/*qpsmtpd/current
|
||||
logpath = /var/log/*qpsmtpd/*qpsmtpd.log
|
||||
maxretry = $max
|
||||
action = smeserver-iptables[port="$port",protocol=tcp,bantime=$bantime]
|
||||
EOF
|
||||
|
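Review bot: The new guard for the submission port reads `(usqpsmtpd{'status'} || 'disabled')` — the sigil is missing and the name differs from the `$uqpsmtpd{'TCPPort'}` lookup on the line above, so this is a bareword rather than a hash element and the fragment either fails at expansion under strict or never evaluates the intended check, leaving port 587 out of the ban list. It should read `if (($uqpsmtpd{'status'} || 'disabled') eq 'enabled');`, mirroring the `$sqpsmtpd{'status'}` test two lines up. The logpath change to `/var/log/*qpsmtpd/*qpsmtpd.log` presumes the qpsmtpd filter's regexes match the new log line format rather than multilog's `current`; worth confirming the filter was updated in step, because a filter that matches nothing leaves the jail enabled but inert. The `$OUT` heredoc that consumes `$port` starts in the second hunk and ends outside it.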
@@ -1,6 +1,21 @@
|
||||
{
|
||||
my $f2bdb = esmith::ConfigDB->open_ro('fail2ban') ||
|
||||
esmith::ConfigDB->create('fail2ban');
|
||||
|
||||
# to allow reload without locking just after initial install or if chain has been deleted
|
||||
$OUT .=<<'EOF';
|
||||
iptables -n --list Fail2Ban >/dev/null 2>&1
|
||||
test=$?
|
||||
if [[ $test -eq 1 ]] ; then
|
||||
# A blacklist chain for xtables-addons Fail2Ban
|
||||
/sbin/iptables --new-chain Fail2Ban
|
||||
/sbin/iptables --new-chain Fail2Ban_1
|
||||
/sbin/iptables --append Fail2Ban -j Fail2Ban_1
|
||||
/sbin/iptables --insert INPUT 1 \
|
||||
-j Fail2Ban
|
||||
fi
|
||||
EOF
|
||||
|
||||
# Find the current Fail2Ban_$$ chain, and create a new one.
|
||||
$OUT .=<<'EOF';
|
||||
OLD_Fail2Ban=$(get_safe_id Fail2Ban filter find)
|
||||
|
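Review bot: The recovery block only tests whether the `Fail2Ban` chain exists; it does not verify that the `INPUT -j Fail2Ban` jump is still present, so if INPUT was flushed while the chain survived, fail2ban's ban actions keep succeeding at the iptables level but block nothing. Unless the rest of masq (outside this hunk) re-inserts that jump, a `/sbin/iptables -C INPUT -j Fail2Ban >/dev/null 2>&1 || /sbin/iptables --insert INPUT 1 -j Fail2Ban` after the `fi` would close that gap. The probe calls `iptables` by bare name while the creation commands use `/sbin/iptables`; use the absolute path consistently so the check does not depend on the caller's PATH. `[[ $test -eq 1 ]]` also skips creation when iptables fails for any other reason (e.g. lock contention), which may be intended but should be stated in the comment, e.g. `# exit 1 == chain missing; any other failure is left for the rest of the script to report`. The enclosing `{ ... }` block continues past the end of the hunk.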
Binary file not shown.
@@ -1,5 +1,5 @@
|
||||
%define version 0.1.18
|
||||
%define release 35
|
||||
%define release 36
|
||||
%define name smeserver-fail2ban
|
||||
|
||||
Summary: fail2ban integration on SME Server
|
||||
@@ -10,7 +10,6 @@ Epoch: 9
|
||||
License: GPL
|
||||
Group: Networking/Daemons
|
||||
Source: %{name}-%{version}.tar.xz
|
||||
patch25: smeserver-fail2ban-0.1.18-locale-2024-09-05.patch
|
||||
|
||||
BuildRoot: /var/tmp/%{name}-%{version}-%{release}-buildroot
|
||||
BuildArchitectures: noarch
|
||||
@@ -26,6 +25,14 @@ AutoReqProv: no
|
||||
Configure fail2ban on SME Server
|
||||
|
||||
%changelog
|
||||
* Fri Sep 26 2025 Jean-Philippe Pialasse <jpp@koozali.org> 0.1.18-36.sme
|
||||
- fix spec file [SME: 13172]
|
||||
- fix 05IgnoreIP fragment [SME: 12453]
|
||||
- whitelist wan ip [SME: 12199]
|
||||
- create Fail2ban chain if missing on reloading firewall [SME: 10786]
|
||||
- update qpsmtpd logs path
|
||||
- fix createlinks
|
||||
|
||||
* Tue Sep 23 2025 Brian Read <brianr@koozali.org> 0.1.18-35.sme
|
||||
- Change $config to config in layout file(s) [SME: 13171]
|
||||
|
||||
|
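Review bot: The `patch25: smeserver-fail2ban-0.1.18-locale-2024-09-05.patch` declaration is dropped, but the hunk does not show the matching `%patch25` application in `%prep`; if that line survives, rpmbuild fails on an undefined patch. If the locale fix was instead folded into the updated tarball (the binary file changed in this commit), saying so in the changelog would help the next reader, e.g. `- fix spec file: drop patch25 now merged in tarball [SME: 13172]`.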