From 1ae0ca973d5e3dace1dd7dc881e0266ced344978 Mon Sep 17 00:00:00 2001 From: Joey Hess Date: Thu, 26 Nov 2015 09:48:42 -0400 Subject: Added Propellor.Property.Fail2Ban. --- src/Propellor/Property/Fail2Ban.hs | 30 ++++++++++++++++++++++++ src/Propellor/Property/Postfix.hs | 5 ++++ src/Propellor/Property/SiteSpecific/JoeySites.hs | 3 +++ 3 files changed, 38 insertions(+) create mode 100644 src/Propellor/Property/Fail2Ban.hs (limited to 'src') diff --git a/src/Propellor/Property/Fail2Ban.hs b/src/Propellor/Property/Fail2Ban.hs new file mode 100644 index 00000000..716d376f --- /dev/null +++ b/src/Propellor/Property/Fail2Ban.hs @@ -0,0 +1,30 @@ +module Propellor.Property.Fail2Ban where + +import Propellor.Base +import qualified Propellor.Property.Apt as Apt +import qualified Propellor.Property.Service as Service +import Propellor.Property.ConfFile + +installed :: Property NoInfo +installed = Apt.serviceInstalledRunning "fail2ban" + +reloaded :: Property NoInfo +reloaded = Service.reloaded "fail2ban" + +type Jail = String + +-- | By default, fail2ban only enables the ssh jail, but many others +-- are available to be enabled, for example "postfix-sasl" +jailEnabled :: Jail -> Property NoInfo +jailEnabled name = jailConfigured name "enabled" "true" + `onChange` reloaded + +-- | Configures a jail. For example: +-- +-- > jailConfigured "sshd" "port" "2222" +jailConfigured :: Jail -> IniKey -> String -> Property NoInfo +jailConfigured name key value = + jailConfFile name `containsIniSetting` (name, key, value) + +jailConfFile :: Jail -> FilePath +jailConfFile name = "/etc/fail2ban/jail.d/" ++ name ++ ".conf" diff --git a/src/Propellor/Property/Postfix.hs b/src/Propellor/Property/Postfix.hs index 20492dc6..356a945f 100644 --- a/src/Propellor/Property/Postfix.hs +++ b/src/Propellor/Property/Postfix.hs @@ -134,6 +134,11 @@ dedupCf ls = -- Does not configure postfix to use it; eg @smtpd_sasl_auth_enable = yes@ -- needs to be set to enable use. See -- . +-- +-- Password brute force attacks are possible when SASL auth is enabled. +-- It would be wise to enable fail2ban, for example: +-- +-- > Fail2Ban.jailEnabled "postfix-sasl" saslAuthdInstalled :: Property NoInfo saslAuthdInstalled = setupdaemon `requires` Service.running "saslauthd" diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs index 2e34d75f..ff92bf2d 100644 --- a/src/Propellor/Property/SiteSpecific/JoeySites.hs +++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs @@ -17,6 +17,7 @@ import qualified Propellor.Property.Obnam as Obnam import qualified Propellor.Property.Apache as Apache import qualified Propellor.Property.Postfix as Postfix import qualified Propellor.Property.Systemd as Systemd +import qualified Propellor.Property.Fail2Ban as Fail2Ban import Utility.FileMode import Data.List @@ -541,6 +542,8 @@ kiteMailServer = propertyList "kitenet.net mail server" $ props & dkimInstalled & Postfix.saslAuthdInstalled + & Fail2Ban.installed + & Fail2Ban.jailEnabled "postfix-sasl" & "/etc/default/saslauthd" `File.containsLine` "MECHANISMS=sasldb" & Postfix.saslPasswdSet "kitenet.net" (User "errol") -- cgit v1.2.3