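#!/usr/bin/env bash
#
# Installs fail2ban, writes the mailwolt jail definitions and a filter for
# the Rspamd controller, then enables or disables the service depending on
# FAIL2BAN_ENABLE (default: 1). Must run as root: it installs packages and
# writes below /etc/fail2ban.
set -euo pipefail

# NOTE(review): lib.sh is resolved relative to the current working directory,
# not the script location. Because this script runs as root, the caller must
# make sure the working directory is the trusted installer directory.
source ./lib.sh

log "Fail2Ban installieren/konfigurieren …"

# Load installer flags. The file is executed as shell code with root
# privileges, so it has to be owned by root and not writable by anyone else.
# nounset is relaxed while sourcing because the file may reference unset
# variables.
set +u
if [ -r /etc/mailwolt/installer.env ]; then
  . /etc/mailwolt/installer.env
fi
set -u
FAIL2BAN_ENABLE="${FAIL2BAN_ENABLE:-1}"

# Install the package only when dpkg does not already report it.
if ! dpkg -s fail2ban >/dev/null 2>&1; then
  apt-get update -qq
  apt-get install -y fail2ban
fi

install -d -m 0755 /etc/fail2ban/jail.d

# Base jails. This file is rewritten on every run.
# NOTE(review): all jails read plain log files. On hosts that log only to the
# journal, /var/log/auth.log or /var/log/mail.log may not exist, and a jail
# with a missing logpath can keep fail2ban from starting - confirm the paths
# on the target system. The rspamd-controller jail is labelled optional but
# is enabled unconditionally, so /var/log/rspamd/rspamd.log must exist too.
cat >/etc/fail2ban/jail.d/mailwolt.conf <<'EOF'
[DEFAULT]
bantime = 1h
findtime = 10m
maxretry = 5
backend = auto

[sshd]
enabled = true
port = ssh
logpath = /var/log/auth.log

[postfix]
enabled = true
logpath = /var/log/mail.log
port = smtp,ssmtp,submission,465

[dovecot]
enabled = true
logpath = /var/log/mail.log
port = pop3,pop3s,imap,imaps,submission,465,587,993

# Optional: Rspamd-Controller-Auth (nur wenn Passwort/Basic-Auth genutzt wird)
[rspamd-controller]
enabled = true
port = 11334
filter = rspamd
logpath = /var/log/rspamd/rspamd.log
maxretry = 5
EOF
# fail2ban runs its ban actions as root; keep the jail file writable by root
# only, independent of the umask this script was started with.
chmod 0644 /etc/fail2ban/jail.d/mailwolt.conf

# Minimal filter for the Rspamd controller; an existing filter is left alone.
# NOTE(review): the failregex is unanchored and has not been checked against
# real Rspamd controller log lines here. Verify it with fail2ban-regex against
# a sample log before relying on this jail; a pattern that never matches gives
# no protection, and a loose one can attribute failures to the wrong host.
if [ ! -f /etc/fail2ban/filter.d/rspamd.conf ]; then
  cat >/etc/fail2ban/filter.d/rspamd.conf <<'EOF'
[Definition]
failregex = .*Authentication failed for user.* from <HOST>
ignoreregex =
EOF
  chmod 0644 /etc/fail2ban/filter.d/rspamd.conf
fi

# Service state follows the flag.
if [[ "$FAIL2BAN_ENABLE" = "1" ]]; then
  # Refuse to continue with a configuration fail2ban cannot parse, instead of
  # leaving the host with a service that silently fails to start.
  fail2ban-client -t
  systemctl enable fail2ban
  # "enable --now" is a no-op for a unit that is already active (the package
  # normally starts it at install time), so the jails written above would not
  # be loaded. Restart explicitly so the new configuration takes effect.
  systemctl restart fail2ban
else
  # Best effort: the unit may already be stopped or disabled.
  systemctl disable --now fail2ban || true
fi

log "[✓] Fail2Ban (ENABLE=${FAIL2BAN_ENABLE}) bereit."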