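#!/usr/bin/env bash
# Install Fail2Ban and drop in the mailwolt jail set (sshd, postfix, dovecot,
# rspamd controller). Expects to run as root on a dpkg/apt + systemd host.
# Honors FAIL2BAN_ENABLE from /etc/mailwolt/installer.env (default: 1).
set -euo pipefail
source ./lib.sh

log "Fail2Ban installieren/konfigurieren …"

# Load installer flags. Sourcing executes the file as root, so refuse it unless
# it is root-owned and not group/world-writable; otherwise any local user who
# can edit it gets code execution inside this installer.
installer_env=/etc/mailwolt/installer.env
if [[ -r "$installer_env" ]]; then
  env_owner=$(stat -L -c '%u' "$installer_env")
  env_mode=$(stat -L -c '%a' "$installer_env")
  if [[ "$env_owner" != "0" ]] || (( 8#$env_mode & 8#022 )); then
    printf 'refusing to source %s: must be owned by root and not group/world-writable\n' \
      "$installer_env" >&2
    exit 1
  fi
  # the env file may reference variables that are not set yet
  set +u
  # shellcheck disable=SC1090 — file is generated at runtime
  . "$installer_env"
  set -u
fi
FAIL2BAN_ENABLE="${FAIL2BAN_ENABLE:-1}"

# Package
if ! dpkg -s fail2ban >/dev/null 2>&1; then
  apt-get update -qq
  apt-get install -y fail2ban
fi

install -d -m 0755 /etc/fail2ban/jail.d /etc/fail2ban/filter.d

# Base jails. This file is installer-managed and rewritten on every run.
# NOTE(review): the sshd jail pins logpath=/var/log/auth.log under backend=auto;
# on journald-only hosts (no rsyslog) that file does not exist and the jail will
# not start — backend=systemd would be needed there. `port = ssh` bans only the
# standard port; adjust if sshd listens elsewhere. The rspamd jail is enabled
# unconditionally even though its comment calls it optional; it only does
# anything if /var/log/rspamd/rspamd.log exists.
cat >/etc/fail2ban/jail.d/mailwolt.conf <<'EOF'
[DEFAULT]
bantime  = 1h
findtime = 10m
maxretry = 5
backend  = auto

[sshd]
enabled = true
port    = ssh
logpath = /var/log/auth.log

[postfix]
enabled = true
logpath = /var/log/mail.log
port    = smtp,ssmtp,submission,465

[dovecot]
enabled = true
logpath = /var/log/mail.log
port    = pop3,pop3s,imap,imaps,submission,465,587,993

# Optional: Rspamd-Controller-Auth (nur wenn Passwort/Basic-Auth genutzt wird)
[rspamd-controller]
enabled  = true
port     = 11334
filter   = rspamd
logpath  = /var/log/rspamd/rspamd.log
maxretry = 5
EOF

# Minimal filter for the rspamd controller. Written only if absent so a locally
# tuned filter survives re-runs. fail2ban requires the <HOST> placeholder in
# failregex to know which address to ban; without it the filter does not load
# and the jail never starts.
# NOTE(review): the message text "Authentication failed for user" is assumed —
# confirm it against real rspamd controller log lines, e.g. with
#   fail2ban-regex /var/log/rspamd/rspamd.log /etc/fail2ban/filter.d/rspamd.conf
if [[ ! -f /etc/fail2ban/filter.d/rspamd.conf ]]; then
  cat >/etc/fail2ban/filter.d/rspamd.conf <<'EOF'
[Definition]
failregex = .*Authentication failed for user.* from <HOST>
ignoreregex =
EOF
fi

# Service according to flag
if [[ "$FAIL2BAN_ENABLE" = "1" ]]; then
  # Validate the assembled configuration first so a broken jail aborts here
  # with a readable message instead of a failed systemd unit.
  fail2ban-client -t
  systemctl enable fail2ban
  # restart rather than `enable --now`: the latter is a no-op for an already
  # running service and would leave the freshly written jails unapplied.
  systemctl restart fail2ban
else
  # best-effort: the unit may not be running or enabled yet
  systemctl disable --now fail2ban || true
fi

log "[✓] Fail2Ban (ENABLE=${FAIL2BAN_ENABLE}) bereit."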