Commit 83d8dbca authored by Joshua Tauberer's avatar Joshua Tauberer

fail2ban won't start until the roundcube log file is created

fixes #911
parent cdd0a821
CHANGELOG CHANGELOG
========= =========
In Development
--------------
* fail2ban won't start if Roundcube had not yet been used - new installations probably do not have fail2ban running.
v0.19 (August 13, 2016) v0.19 (August 13, 2016)
----------------------- -----------------------
...@@ -111,15 +111,22 @@ source setup/zpush.sh ...@@ -111,15 +111,22 @@ source setup/zpush.sh
source setup/management.sh source setup/management.sh
source setup/munin.sh source setup/munin.sh
# Ping the management daemon to write the DNS and nginx configuration files. # Wait for the management daemon to start...
until nc -z -w 4 127.0.0.1 10222 until nc -z -w 4 127.0.0.1 10222
do do
echo Waiting for the Mail-in-a-Box management daemon to start... echo Waiting for the Mail-in-a-Box management daemon to start...
sleep 2 sleep 2
done done
# ...and then have it write the DNS and nginx configuration files and start those
# services.
tools/dns_update tools/dns_update
tools/web_update tools/web_update
# Give fail2ban another restart. The log files may not all have been present when
# fail2ban was first configured, but they should exist now.
restart_service fail2ban
# If DNS is already working, try to provision TLS certficates from Let's Encrypt. # If DNS is already working, try to provision TLS certficates from Let's Encrypt.
# Suppress extra reasons why domains aren't getting a new certificate. # Suppress extra reasons why domains aren't getting a new certificate.
management/ssl_certificates.py -q management/ssl_certificates.py -q
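Review bot: The final `restart_service fail2ban` placed after `tools/web_update` does not check that fail2ban actually came up, so a box whose jails still point at a missing log finishes setup with no brute-force protection and no message saying so. This is the restart the comment in the jail-configuration hunk relies on, so it is worth confirming the daemon answers afterwards, e.g. `fail2ban-client ping >/dev/null || echo "fail2ban did not start; check its log for the jail that failed"`. Whether `restart_service` itself reports a failed start is not visible in this hunk.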
...@@ -299,4 +299,9 @@ cat conf/fail2ban/jails.conf \ ...@@ -299,4 +299,9 @@ cat conf/fail2ban/jails.conf \
> /etc/fail2ban/jail.d/mailinabox.conf > /etc/fail2ban/jail.d/mailinabox.conf
cp -f conf/fail2ban/filter.d/* /etc/fail2ban/filter.d/ cp -f conf/fail2ban/filter.d/* /etc/fail2ban/filter.d/
# On first installation, the log files that the jails look at don't all exist.
# e.g., The roundcube error log isn't normally created until someone logs into
# Roundcube for the first time. This causes fail2ban to fail to start. Later
# scripts will ensure the files exist and then fail2ban is given another
# restart at the very end of setup.
restart_service fail2ban restart_service fail2ban
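Review bot: The new comment above `restart_service fail2ban` says "Later scripts will ensure the files exist" without saying which, leaving the next maintainer to search for the dependency; in this commit those are the Roundcube setup step that touches `/var/log/roundcubemail/errors` and the second `restart_service fail2ban` that runs after `tools/web_update`, and the comment should point at them, e.g. `# restart at the very end of setup (after tools/web_update), once the webmail setup has created the Roundcube error log.` Note also that until that final restart a fresh install runs with fail2ban down entirely; if `restart_service` masks the failed start here (its definition is outside this hunk) nothing in the setup output reveals that window, and an `echo` on failure would.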
...@@ -133,6 +133,9 @@ EOF ...@@ -133,6 +133,9 @@ EOF
mkdir -p /var/log/roundcubemail /tmp/roundcubemail $STORAGE_ROOT/mail/roundcube mkdir -p /var/log/roundcubemail /tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
chown -R www-data.www-data /var/log/roundcubemail /tmp/roundcubemail $STORAGE_ROOT/mail/roundcube chown -R www-data.www-data /var/log/roundcubemail /tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
# Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
sudo -u www-data touch /var/log/roundcubemail/errors
# Password changing plugin settings # Password changing plugin settings
# The config comes empty by default, so we need the settings # The config comes empty by default, so we need the settings
# we're not planning to change in config.inc.dist... # we're not planning to change in config.inc.dist...
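Review bot: `sudo -u www-data touch /var/log/roundcubemail/errors` creates the file with whatever mode www-data's umask yields, which is commonly world-readable, and a log that fail2ban matches login failures against presumably records usernames and client addresses. fail2ban reads it as root, so tightening it costs nothing: add `chmod 640 /var/log/roundcubemail/errors` after the touch (the directory is already chowned to www-data on the preceding line, so ownership is right). The `sudo -u www-data` is also avoidable, since a plain `touch` followed by the existing `chown` pattern gives the same owner without depending on sudo.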
# Test that a box's fail2ban setting are working # Test that a box's fail2ban setting are working
# correctly by attempting a bunch of failed logins. # correctly by attempting a bunch of failed logins.
# Specify SSH login information the command line - #
# we use that to reset fail2ban after each test, # Specify a SSH login command (which we use to reset
# and we extract the hostname from that to open # fail2ban after each test) and the hostname to
# connections to. # try to log in to.
###################################################################### ######################################################################
import sys, os, time, functools import sys, os, time, functools
# parse command line # parse command line
if len(sys.argv) < 2: if len(sys.argv) != 3:
print("Usage: tests/fail2ban.py user@hostname") print("Usage: tests/fail2ban.py \"ssh user@hostname\" hostname")
sys.exit(1) sys.exit(1)
ssh_user, hostname = sys.argv[1].split("@", 1) ssh_command, hostname = sys.argv[1:3]
# define some test types # define some test types
...@@ -85,7 +85,8 @@ def http_test(url, expected_status, postdata=None, qsargs=None, auth=None): ...@@ -85,7 +85,8 @@ def http_test(url, expected_status, postdata=None, qsargs=None, auth=None):
auth=HTTPBasicAuth(*auth) if auth else None, auth=HTTPBasicAuth(*auth) if auth else None,
data=postdata, data=postdata,
headers={'User-Agent': 'Mail-in-a-Box fail2ban tester'}, headers={'User-Agent': 'Mail-in-a-Box fail2ban tester'},
timeout=8) timeout=8,
verify=False) # don't bother with HTTPS validation, it may not be configured yet
except requests.exceptions.ConnectTimeout as e: except requests.exceptions.ConnectTimeout as e:
raise IsBlocked() raise IsBlocked()
except requests.exceptions.ConnectionError as e: except requests.exceptions.ConnectionError as e:
...@@ -106,7 +107,7 @@ def restart_fail2ban_service(final=False): ...@@ -106,7 +107,7 @@ def restart_fail2ban_service(final=False):
if not final: if not final:
# Stop recidive jails during testing. # Stop recidive jails during testing.
command += " && sudo fail2ban-client stop recidive" command += " && sudo fail2ban-client stop recidive"
os.system("ssh %s@%s \"%s\"" % (ssh_user, hostname, command)) os.system("%s \"%s\"" % (ssh_command, command))
def testfunc_runner(i, testfunc, *args): def testfunc_runner(i, testfunc, *args):
print(i+1, end=" ", flush=True) print(i+1, end=" ", flush=True)
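Review bot: In `restart_fail2ban_service`, the new `os.system("%s \"%s\"" % (ssh_command, command))` still discards the exit status, so if the SSH command given on the command line is wrong (bad host, rejected key) the jails are never reset and every later test runs against stale state while the run reports nothing; `restart_fail2ban_service` begins outside this hunk. Since `ssh_command` is now an arbitrary shell string by design, the cleaner form is to split it once and let subprocess hand the remote command over as a single argument with the status checked: `subprocess.run(shlex.split(ssh_command) + [command], check=True)`, which also drops the local shell and the hand-written `\"` quoting (it needs `shlex` and `subprocess` added to the import line). The `verify=False` added in `http_test` is reasonable for a test tool, but each request will then emit urllib3's InsecureRequestWarning; silencing it once with `urllib3.disable_warnings()` at startup keeps the numbered progress output readable.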