merge: fail2ban broke, released v0.19a

86457e5b · Joshua Tauberer · 8cf2e468 · 7c9f3e0b · 86457e5b · 86457e5b
Commit 86457e5b authored Aug 18, 2016 by Joshua Tauberer
7 changed files
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,13 @@ ownCloud:
 * Updated to ownCloud to 8.2.7.
+v0.19a (August 18, 2016)
+------------------------
+This update corrects a security issue in v0.19.
+* fail2ban won't start if Roundcube had not yet been used - new installations probably do not have fail2ban running.
 v0.19 (August 13, 2016)
 -----------------------

--- a/README.md
+++ b/README.md
@@ -59,7 +59,7 @@ by me:
 	$ curl -s https://keybase.io/joshdata/key.asc | gpg --import
 	gpg: key C10BDD81: public key "Joshua Tauberer <jt@occams.info>" imported
-	$ git verify-tag v0.19
+	$ git verify-tag v0.19a
 	gpg: Signature made ..... using RSA key ID C10BDD81
 	gpg: Good signature from "Joshua Tauberer <jt@occams.info>"
 	gpg: WARNING: This key is not certified with a trusted signature!
@@ -72,7 +72,7 @@ and on my [personal homepage](https://razor.occams.info/). (Of course, if this r
 Checkout the tag corresponding to the most recent release:
-	$ git checkout v0.19
+	$ git checkout v0.19a
 Begin the installation.

--- a/setup/bootstrap.sh
+++ b/setup/bootstrap.sh
@@ -7,7 +7,7 @@
 #########################################################
 if [ -z "$TAG" ]; then
-	TAG=v0.19
+	TAG=v0.19a
 fi
 # Are we running as root?

--- a/setup/start.sh
+++ b/setup/start.sh
@@ -111,15 +111,22 @@ source setup/zpush.sh
 source setup/management.sh
 source setup/munin.sh
-# Ping the management daemon to write the DNS and nginx configuration files.
+# Wait for the management daemon to start...
 until nc -z -w 4 127.0.0.1 10222
 do
 	echo Waiting for the Mail-in-a-Box management daemon to start...
 	sleep 2
 done
+# ...and then have it write the DNS and nginx configuration files and start those
+# services.
 tools/dns_update
 tools/web_update
+# Give fail2ban another restart. The log files may not all have been present when
+# fail2ban was first configured, but they should exist now.
+restart_service fail2ban
 # If DNS is already working, try to provision TLS certficates from Let's Encrypt.
 # Suppress extra reasons why domains aren't getting a new certificate.
 management/ssl_certificates.py -q

--- a/setup/system.sh
+++ b/setup/system.sh
@@ -299,4 +299,9 @@ cat conf/fail2ban/jails.conf \
 	> /etc/fail2ban/jail.d/mailinabox.conf
 cp -f conf/fail2ban/filter.d/* /etc/fail2ban/filter.d/
+# On first installation, the log files that the jails look at don't all exist.
+# e.g., The roundcube error log isn't normally created until someone logs into
+# Roundcube for the first time. This causes fail2ban to fail to start. Later
+# scripts will ensure the files exist and then fail2ban is given another
+# restart at the very end of setup.
 restart_service fail2ban
--- a/setup/webmail.sh
+++ b/setup/webmail.sh
@@ -133,6 +133,9 @@ EOF
 mkdir -p /var/log/roundcubemail /tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
 chown -R www-data.www-data /var/log/roundcubemail /tmp/roundcubemail $STORAGE_ROOT/mail/roundcube
+# Ensure the log file monitored by fail2ban exists, or else fail2ban can't start.
+sudo -u www-data touch /var/log/roundcubemail/errors
 # Password changing plugin settings
 # The config comes empty by default, so we need the settings 
 # we're not planning to change in config.inc.dist...

--- a/tests/fail2ban.py
+++ b/tests/fail2ban.py
 # Test that a box's fail2ban setting are working
 # correctly by attempting a bunch of failed logins.
-# Specify SSH login information the command line -
+#
-# we use that to reset fail2ban after each test,
+# Specify a SSH login command (which we use to reset
-# and we extract the hostname from that to open
+# fail2ban after each test) and the hostname to
-# connections to.
+# try to log in to.
 ######################################################################
 import sys, os, time, functools
 # parse command line
-if len(sys.argv) < 2:
+if len(sys.argv) != 3:
-	print("Usage: tests/fail2ban.py user@hostname")
+	print("Usage: tests/fail2ban.py \"ssh user@hostname\" hostname")
 	sys.exit(1)
-ssh_user, hostname = sys.argv[1].split("@", 1)
+ssh_command, hostname = sys.argv[1:3]
 # define some test types
@@ -85,7 +85,8 @@ def http_test(url, expected_status, postdata=None, qsargs=None, auth=None):
 			auth=HTTPBasicAuth(*auth) if auth else None,
 			data=postdata,
 			headers={'User-Agent': 'Mail-in-a-Box fail2ban tester'},
-			timeout=8)
+			timeout=8,
+			verify=False) # don't bother with HTTPS validation, it may not be configured yet
 	except requests.exceptions.ConnectTimeout as e:
 		raise IsBlocked()
 	except requests.exceptions.ConnectionError as e:
@@ -106,7 +107,7 @@ def restart_fail2ban_service(final=False):
 	if not final:
 		# Stop recidive jails during testing.
 		command += " && sudo fail2ban-client stop recidive"
-	os.system("ssh %s@%s \"%s\"" % (ssh_user, hostname, command))
+	os.system("%s \"%s\"" % (ssh_command, command))
 def testfunc_runner(i, testfunc, *args):
 	print(i+1, end=" ", flush=True)