anyone done this so far
or any hints of how to do it
brNP
no one done fail2ban on this project ?
Here you can find a fail2ban configuration: https://www.hofstaedtler.com/tmp/fail2ban_grommunio_wh.tgz
zypper in fail2ban
cd /root
wget https://www.hofstaedtler.com/tmp/fail2ban_grommunio_wh.tgz
tar -xzvf /root/fail2ban_grommunio_wh.tgz -C /
rm /root/fail2ban_grommunio_wh.tgz
systemctl restart fail2ban
This configuration is only minimally tested. I am happy about feedback (positive and negative).
Walter
Today I updated the TAR archive, minor corrections in all files.
WalterH
Do you always update it at that URL?
For the lazy brigade:
#!/bin/bash
# Download Walter's package and unpack it, keeping an existing jail.local
WALTERS_PACKAGE="https://www.hofstaedtler.com/tmp/fail2ban_grommunio_wh.tgz"
JAIL_LOCAL="/etc/fail2ban/jail.local"
SYNC_CONF="/etc/grommunio-sync/grommunio-sync.conf.php"
wget "$WALTERS_PACKAGE" -O src.tgz || exit 1
if [[ -f "$JAIL_LOCAL" ]]; then
    # Unpack everything except jail.local, then append only the grommunio jails
    tar xvfz src.tgz -C / --exclude=etc/fail2ban/jail.local
    tar -axf src.tgz etc/fail2ban/jail.local -O | sed -n '/^\[grommunio-web-auth/,$p' >> "$JAIL_LOCAL"
else
    tar xfz src.tgz -C /
fi
# Keep a .bak copy of the sync config, then enable logging of failed logins
sed -i.bak '' "$SYNC_CONF"
sed -i "s|LOGAUTHFAIL', false|LOGAUTHFAIL', true|g" "$SYNC_CONF"
systemctl restart fail2ban
Errors can never be ruled out..
Thanks for the script, but you have to adjust at least the two mail addresses destemail and sender in jail.local; ignoreip should be adjusted too.
And important: this is minimally tested, please give feedback.
WalterH
I will have a look,
Could you set the umask to 0644 and also set the newline or just an empty line at the end of every file?
@WalterH Thanks for the umask and this is my reason for the newline.
Currently I haven't tested it at all. Just writing helpful scripts for us in our local Git repo when there is time between work.
EDIT: Not finished but for now...
> cat setup/fail2ban/install.sh -p
#!/bin/bash
export DEBIAN_FRONTEND=noninteractive
dpkg-reconfigure debconf -f readline -p critical
#DEB_FRONT AND debconf[.. just to be safe
#SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
#ENFORCE-ROOT
if [[ $EUID -ne 0 ]]; then
    echo "ERROR: $0 Must be run as root, Script terminating"; exit 7
fi
#SNIP-SUDO
#SUDO=''
#if [[ $EUID -ne 0 ]]; then
#    SUDO='sudo'
#fi
DESTEMAIL='monitoring@domain.tld'
SENDER='fail2ban-grommunio@domain.tld'
IGNOREIP="127.0.0.1 ::1"
WALTERS_PACKAGE="https://www.hofstaedtler.com/tmp/fail2ban_grommunio_wh.tgz"
JAIL_LOCAL="/etc/fail2ban/jail.local"
SYNC_CONF="/etc/grommunio-sync/grommunio-sync.conf.php"
#SC2015 ... ignored..
grep -qF -- "suse" /etc/os-release && (zypper ref && zypper -n up) || (apt-get update && apt-get dist-upgrade --yes)
#SNIP-DEBINSTALL
#PACKAGES=("fail2ban")
#pkg_install() {
#    for pkg in "$@"; do
#        is_pkg_installed=$(dpkg-query -W --showformat='${Status}' "${pkg}" | grep "install ok installed")
#        if [ "${is_pkg_installed}" == "install ok installed" ]; then
#            echo "${pkg}" ist installiert.
#        else
#            apt-get install -f "${pkg}" --yes
#        fi
#    done
#}
#pkg_install "${PACKAGES[@]}"
wget "$WALTERS_PACKAGE" -O src.tgz || exit 1
if [[ -f "$JAIL_LOCAL" ]]; then
    tar xvfz src.tgz -C / --exclude=etc/fail2ban/jail.local
    # Append the grommunio jails only if jail.local does not contain them yet
    grep -qF -- "grommunio" "$JAIL_LOCAL" || (tar -axf src.tgz etc/fail2ban/jail.local -O | sed -n '/^\[grommunio-web-auth/,$p' >> "$JAIL_LOCAL")
else
    tar xfvz src.tgz -C /
fi
#SNIP-FILEBAKDATE
sed -i."$(date +%Y%m%d%H%M)".bak '' "$SYNC_CONF"
sed -i "s|LOGAUTHFAIL', false|LOGAUTHFAIL', true|g" "$SYNC_CONF"
#IF NOT EMPTY
if [[ -n "$IGNOREIP" ]]; then
    sed -i -e '/^ignoreip = / s/= .*/= '"$IGNOREIP"'/' "$JAIL_LOCAL"
fi
sed -i -e '/^destemail = / s/= .*/= '"$DESTEMAIL"'/' "$JAIL_LOCAL"
sed -i -e '/^sender = / s/= .*/= '"$SENDER"'/' "$JAIL_LOCAL"
systemctl restart fail2ban
improvements welcome
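Both the manual steps and the scripts above unpack a downloaded archive into / as root, so every member name decides which system file gets written. A name check that can run before extraction, added here as an example and not part of anyone's post or of Walter's archive. The allowed prefixes are an assumption based on the file list posted further down in this thread, and `unsafe_members` and `checked_extract` are hypothetical helper names:

```sh
#!/bin/sh
# Added example. Prefixes are an assumption based on the file list in this thread.
ALLOWED_PREFIXES="etc/fail2ban/ etc/nginx/conf.d/"

# Reads member names on stdin (as printed by `tar -tf`), prints each name that
# must not be unpacked with `-C /` plus the reason, and returns 1 if any exist.
# Names only: link targets, owners and modes need a look at `tar -tvf`.
unsafe_members() (
    rc=0
    while IFS= read -r raw; do
        name=${raw#./}
        [ -n "$name" ] || continue
        reason=""
        case "$name" in
            /*)                  reason="absolute path" ;;
            ..|../*|*/..|*/../*) reason="parent-directory component" ;;
        esac
        if [ -z "$reason" ]; then
            ok=no
            for p in $ALLOWED_PREFIXES; do
                case "$name" in "$p"*) ok=yes ;; esac
                # directory entries on the way to a prefix ("etc/") are fine
                case "$name" in */) case "$p" in "$name"*) ok=yes ;; esac ;; esac
            done
            [ "$ok" = yes ] || reason="outside allowed prefixes"
        fi
        if [ -n "$reason" ]; then
            printf '%s\t%s\n' "$raw" "$reason"
            rc=1
        fi
    done
    exit "$rc"
)

# $1 = archive, $2 = target root (the thread unpacks to /)
checked_extract() {
    if report=$(tar -tf "$1" | unsafe_members); then
        tar -xf "$1" -C "${2:-/}"
    else
        printf 'refusing to unpack %s:\n%s\n' "$1" "$report" >&2
        return 1
    fi
}
```

In the scripts above, `checked_extract src.tgz /` would take the place of the plain `tar ... -C /` call.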
WalterH
I've put up a copy of my stuff so far..
https://github.com/crpb/grommunio
the boss just stumbled across it ...
so I can test it on his system, mine is currently doing exactly what it should ;)
Please note, today's update (08.11.2023) changed the location for most log files, please read: https://community.grommunio.com/d/1281-prepare-for-the-ews-grommunio-2023111-release/2
To switch the log location in jail.local, you may use this command:
sed -i 's: /var/log/grommunio/: /var/log/nginx/:g' /etc/fail2ban/jail.local
Currently the tar archive contains the old log paths, will be fixed in the next days.
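After a path switch like the one above, it helps to confirm that every logpath in jail.local still matches a file, since fail2ban reports an error for a jail whose logpath matches nothing. An added example, not from the thread or from Walter's archive; `missing_logpaths` is a hypothetical helper name:

```sh
#!/bin/sh
# Added example. Prints "<jail><TAB><logpath>" for every logpath entry in a
# fail2ban jail file that matches no existing file, and returns 1 if any exist.
# Handles multi-line logpath values and shell globs; entries that use
# %(...)s interpolation are skipped because they cannot be resolved here.
missing_logpaths() (
    awk '
        /^[ \t]*[#;]/ { next }                    # comment line
        /^\[/ {                                   # [section] header
            jail = $0; sub(/^\[/, "", jail); sub(/\].*$/, "", jail)
            in_lp = 0; next
        }
        /^logpath[ \t]*=/ {                       # first logpath line
            sub(/^logpath[ \t]*=[ \t]*/, ""); sub(/[ \t\r]+$/, "")
            in_lp = 1
            if ($0 != "") print jail "|" $0
            next
        }
        in_lp && /^[ \t]+[^ \t]/ {                # continuation line
            sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
            print jail "|" $0; next
        }
        { in_lp = 0 }
    ' "$1" | {
        rc=0
        while IFS='|' read -r jail path; do
            case "$path" in *'%('*) continue ;; esac
            found=no
            for f in $path; do                    # unquoted on purpose: expands globs
                if [ -e "$f" ]; then found=yes; fi
            done
            if [ "$found" = no ]; then
                printf '%s\t%s\n' "$jail" "$path"
                rc=1
            fi
        done
        exit "$rc"
    }
)
```

Run it as `missing_logpaths /etc/fail2ban/jail.local` before restarting fail2ban.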
Unfortunately the installation script no longer works, on SUSE 15.5:
tar_fail2ban_wh.sh
etc/fail2ban/filter.d/grommunio-sync.conf
etc/fail2ban/filter.d/grommunio-web-auth.conf
etc/nginx/conf.d/x-forewarded-for.conf
Failed to restart fail2ban.service: Unit fail2ban.service not found.
zypper in fail2ban
Repository-Daten werden geladen...
Installierte Pakete werden gelesen...
Paketabhängigkeiten werden aufgelöst...
Problem: das zu installierende fail2ban-0.11.2-150400.2.4.noarch erfordert 'ed', aber diese Anforderung kann nicht bereitgestellt werden
Nicht installierbare Anbieter: ed-1.17-150400.1.5.x86_64[base]
Lösung 1: Deinstallation von busybox-ed-1.35.0-150400.4.5.1.noarch
Lösung 2: fail2ban-0.11.2-150400.2.4.noarch nicht installieren
Lösung 3: fail2ban-0.11.2-150400.2.4.noarch durch Ignorieren einiger Abhängigkeiten brechen
Wählen Sie aus den obigen Lösungen mittels Nummer oder brechen Sie (a)b [1/2/3/a/d/?] (a):
It would probably work if it looked like this
grom-test-1:~ # zypper search --match-exact ed busybox-ed
Loading repository data...
Reading installed packages...
S | Name | Summary | Type
---+------------+------------------------------+--------
| busybox-ed | Busybox applets replacing ed | package
i+ | ed | A line-oriented text editor | package
but I can't tell you why the busybox version is installed on your system.
rpm -qa | grep busy
busybox should not be installed on a grommunio system!
With gromox>=2.19.56, you can set /etc/gromox/gromox.cfg
http_remote_host_hdr=X-Real-IP
to take the reported client address from a trusted header (if you have a trusted proxy).
Package grommunio-setup>=1.0.108 in the grommunio appliance will add this line for new installations.
Package grommunio-common>=23.7d1954c contains the corresponding fragment for the appliance's nginx.
Still need to figure out how to do this for zcore.
If you want to make use of the header, yes.