authorJoey Hess2015-11-26 09:48:42 -0400
committerJoey Hess2015-11-26 09:50:00 -0400
commit1ae0ca973d5e3dace1dd7dc881e0266ced344978 (patch)
treeab1327da55fc2acd5dc01a7d01facff3e44869e1
parentf736486013ba3d317cac808f490c1bfa956605f4 (diff)
Added Propellor.Property.Fail2Ban.
-rw-r--r--config-joey.hs2
-rw-r--r--debian/changelog1
-rw-r--r--propellor.cabal1
-rw-r--r--src/Propellor/Property/Fail2Ban.hs30
-rw-r--r--src/Propellor/Property/Postfix.hs5
-rw-r--r--src/Propellor/Property/SiteSpecific/JoeySites.hs3
6 files changed, 41 insertions, 1 deletions
diff --git a/config-joey.hs b/config-joey.hs
index 98cb195a..05ca2dff 100644
--- a/config-joey.hs
+++ b/config-joey.hs
@@ -221,7 +221,7 @@ kite = standardSystemUnhardened "kite.kitenet.net" Testing "amd64"
& Journald.systemMaxUse "500MiB"
& Ssh.passwordAuthentication True
-- Since ssh password authentication is allowed:
- & Apt.serviceInstalledRunning "fail2ban"
+ & Fail2Ban.installed
& Obnam.backupEncrypted "/" (Cron.Times "33 1 * * *")
[ "--repository=sftp://joey@eubackup.kitenet.net/~/lib/backup/kite.obnam"
, "--client-name=kitenet.net"
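Review bot: `Fail2Ban.installed` is referenced on the added line, but this commit adds no `import qualified Propellor.Property.Fail2Ban as Fail2Ban` to config-joey.hs — the diffstat records only this one-line swap — and the module is new in the same commit, so the qualified name cannot already be in scope unless the file aliases something else as `Fail2Ban` outside the hunk. The JoeySites.hs hunk adds exactly that import, which suggests it was simply missed here; adding `import qualified Propellor.Property.Fail2Ban as Fail2Ban` next to the other qualified property imports fixes the build. The enclosing `kite` definition starts before and continues after the hunk.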
diff --git a/debian/changelog b/debian/changelog
index 55419200..e7afe17d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,7 @@ propellor (2.14.1) UNRELEASED; urgency=medium
* Added Propellor.Property.Locale.
Thanks, Sean Whitton.
* Added changesFile property combinator.
+ * Added Propellor.Property.Fail2Ban.
-- Joey Hess <id@joeyh.name> Tue, 24 Nov 2015 17:06:12 -0400
diff --git a/propellor.cabal b/propellor.cabal
index ceb32d48..6ddc6c9d 100644
--- a/propellor.cabal
+++ b/propellor.cabal
@@ -80,6 +80,7 @@ Library
Propellor.Property.Dns
Propellor.Property.DnsSec
Propellor.Property.Docker
+ Propellor.Property.Fail2Ban
Propellor.Property.File
Propellor.Property.Firewall
Propellor.Property.Git
diff --git a/src/Propellor/Property/Fail2Ban.hs b/src/Propellor/Property/Fail2Ban.hs
new file mode 100644
index 00000000..716d376f
--- /dev/null
+++ b/src/Propellor/Property/Fail2Ban.hs
@@ -0,0 +1,30 @@
+module Propellor.Property.Fail2Ban where
+
+import Propellor.Base
+import qualified Propellor.Property.Apt as Apt
+import qualified Propellor.Property.Service as Service
+import Propellor.Property.ConfFile
+
+installed :: Property NoInfo
+installed = Apt.serviceInstalledRunning "fail2ban"
+
+reloaded :: Property NoInfo
+reloaded = Service.reloaded "fail2ban"
+
+type Jail = String
+
+-- | By default, fail2ban only enables the ssh jail, but many others
+-- are available to be enabled, for example "postfix-sasl"
+jailEnabled :: Jail -> Property NoInfo
+jailEnabled name = jailConfigured name "enabled" "true"
+ `onChange` reloaded
+
+-- | Configures a jail. For example:
+--
+-- > jailConfigured "sshd" "port" "2222"
+jailConfigured :: Jail -> IniKey -> String -> Property NoInfo
+jailConfigured name key value =
+ jailConfFile name `containsIniSetting` (name, key, value)
+
+jailConfFile :: Jail -> FilePath
+jailConfFile name = "/etc/fail2ban/jail.d/" ++ name ++ ".conf"
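Review bot: `jailConfigured` edits the jail file but never triggers `reloaded`, so its own haddock example `jailConfigured "sshd" "port" "2222"` leaves the running fail2ban on the old settings; only `jailEnabled` attaches the reload. Moving the hook one level down, `jailConfigured name key value = onChange (containsIniSetting (jailConfFile name) (name, key, value)) reloaded`, covers both entry points and lets `jailEnabled` drop its own `onChange`. Neither property requires `installed`, so a config listing `jailEnabled` alone writes under `/etc/fail2ban/jail.d/` on a host that may not have the package yet (the Postfix haddock in this commit shows exactly that usage); wrapping the body with `requires` on `installed` would make the dependency explicit, if that matches how the rest of propellor treats package-owned config. Finally, `jailConfFile` splices the bare `Jail` string into both the file path and the INI section header, and `Jail` is only a `String` alias, so a name containing `/`, `..`, `]` or whitespace would land outside jail.d or corrupt the file; rejecting anything outside `[A-Za-z0-9_-]` in `jailConfigured`, or at minimum a haddock on `Jail` stating it must be a plain jail identifier as named in jail.conf, would pin that down.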
diff --git a/src/Propellor/Property/Postfix.hs b/src/Propellor/Property/Postfix.hs
index 20492dc6..356a945f 100644
--- a/src/Propellor/Property/Postfix.hs
+++ b/src/Propellor/Property/Postfix.hs
@@ -134,6 +134,11 @@ dedupCf ls =
-- Does not configure postfix to use it; eg @smtpd_sasl_auth_enable = yes@
-- needs to be set to enable use. See
-- <https://wiki.debian.org/PostfixAndSASL>.
+--
+-- Password brute force attacks are possible when SASL auth is enabled.
+-- It would be wise to enable fail2ban, for example:
+--
+-- > Fail2Ban.jailEnabled "postfix-sasl"
saslAuthdInstalled :: Property NoInfo
saslAuthdInstalled = setupdaemon
`requires` Service.running "saslauthd"
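Review bot: The new example `Fail2Ban.jailEnabled "postfix-sasl"` omits `Fail2Ban.installed`, and `jailEnabled` does not itself install fail2ban, so a reader copying the snippet gets a jail file with no daemon to read it; the JoeySites.hs change in this same commit lists both. Suggest extending the example to two lines, `-- > Fail2Ban.installed` followed by `-- > Fail2Ban.jailEnabled "postfix-sasl"`. The body of `saslAuthdInstalled` continues past the hunk.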
diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs
index 2e34d75f..ff92bf2d 100644
--- a/src/Propellor/Property/SiteSpecific/JoeySites.hs
+++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs
@@ -17,6 +17,7 @@ import qualified Propellor.Property.Obnam as Obnam
import qualified Propellor.Property.Apache as Apache
import qualified Propellor.Property.Postfix as Postfix
import qualified Propellor.Property.Systemd as Systemd
+import qualified Propellor.Property.Fail2Ban as Fail2Ban
import Utility.FileMode
import Data.List
@@ -541,6 +542,8 @@ kiteMailServer = propertyList "kitenet.net mail server" $ props
& dkimInstalled
& Postfix.saslAuthdInstalled
+ & Fail2Ban.installed
+ & Fail2Ban.jailEnabled "postfix-sasl"
& "/etc/default/saslauthd" `File.containsLine` "MECHANISMS=sasldb"
& Postfix.saslPasswdSet "kitenet.net" (User "errol")