crpb I fixed both issues, a new line and umask 644. Hope this helps.

  • crpb replied to this.
    a month later

    der Boss is gerade drüber gestolpert ...
    kann ich es auf seinem system testen meines tut gerade exakt das was es soll ;)

    2 years later

    Please note, today's update (08.11.2023) changed the location for most log files, please read: https://community.grommunio.com/d/1281-prepare-for-the-ews-grommunio-2023111-release/2
    To switch the log location in jail.local, you may use this command:
    sed -i 's: /var/log/grommunio/: /var/log/nginx/:g' /etc/fail2ban/jail.local
    Currently the tar archive contains the old log paths, will be fixed in the next days.

      19 days later

      Leider funktioniert das Installationscript nicht mehr: Unter Suse 15.5

      tar_fail2ban_wh.sh
      etc/fail2ban/filter.d/grommunio-sync.conf
      etc/fail2ban/filter.d/grommunio-web-auth.conf
      etc/nginx/conf.d/x-forewarded-for.conf
      Failed to restart fail2ban.service: Unit fail2ban.service not found.

      zypper in fail2ban

      Repository-Daten werden geladen...
      Installierte Pakete werden gelesen...
      Paketabhängigkeiten werden aufgelöst...
      Problem: das zu installierende fail2ban-0.11.2-150400.2.4.noarch erfordert 'ed', aber diese Anforderung kann nicht bereitgestellt werden
      Nicht installierbare Anbieter: ed-1.17-150400.1.5.x86_64[base]
      Lösung 1: Deinstallation von busybox-ed-1.35.0-150400.4.5.1.noarch
      Lösung 2: fail2ban-0.11.2-150400.2.4.noarch nicht installieren
      Lösung 3: fail2ban-0.11.2-150400.2.4.noarch durch Ignorieren einiger Abhängigkeiten brechen
      Wählen Sie aus den obigen Lösungen mittels Nummer oder brechen Sie (a)b [1/2/3/a/d/?] (a):

      Würde wohl gehen wenn das so aussieht

      grom-test-1:~ # zypper search --match-exact ed busybox-ed
      Loading repository data...
      Reading installed packages...
      
      S  | Name       | Summary                      | Type
      ---+------------+------------------------------+--------
         | busybox-ed | Busybox applets replacing ed | package
      i+ | ed         | A line-oriented text editor  | package

      aber warum bei dir die busybox-version installiert ist kann ich dir nicht beantworten.

      rpm -qa | grep busy
      busybox sollte auf einem grommunio System nicht installiert sein!

      5 days later

      WalterH Currently the tar archive contains the old log paths, will be fixed in the next days.

      A few days late, today I updated the .tar archive with new paths.

      10 days later

      With gromox>=2.19.56, you can set /etc/gromox/gromox.cfg http_remote_host_hdr=X-Real-IP to take the reported client address from a trusted header (if you have a trusted proxy).
      Package grommunio-setup>=1.0.108 in the grommunio appliance will add this line for new installations.
      Package grommunio-common>=23.7d1954c contains the corresponding fragment for the appliance's nginx.
      Still need to figure out how to do this for zcore.

        jengelh
        I have installed gromox 2.19.88 and there is natively no /etc/gromox/gromox.cfg. Are you sure that the file has to be created?

          The current (postmodern) FHS practice is to not put boilerplate or defaults into /etc. So yes, files naturally don't exist.
          (Picture the year 2008: /etc/squid/squid.conf was almost 4300 lines in size. Only 35 lines were truly relevant, but computers don't know that, so when a new version of the config file came along, it was the admin's job to merge it somehow. Not fun. // Some other reading material: factory reset)

          10 days later

          gromox>=2.20.94 will have zcore report the address as well and the messages are more similar across daemons so to catch it with one fail2ban regex.

            Thank you for implementing this!
            Just checked the latested Debian 12 packages: 2.20.6
            Is there maybe some issue with the Debian build pipeline again? I´m just asking as the version difference seems to be a bit high.

            Decided to give /community a slower publishing pace.

            5 days later

            The [postfix-sasl] jail do not work as expected. We need to modify the jail file: /etc/fail2ban/jail.local and replace the [postfix-sasl] section with:

            [postfix-sasl]
            enabled = true
            backend = systemd
            maxentry = 3
            bantime = 1h
            filter  = postfix[mode=auth]
            port    = smtp,465,submission,imap,imaps,pop3,pop3s
            #

            Restart fail2ban with systemctl restart fail2ban, now SASL logins should be blocked.

            2 months later

            I can confirm that the issue from @faspie still applies to a grommunio SUSE appliance which was installed in November 2023 and only updated/upgraded since then. Just remove busybox-ed (whoever installed that) and let zypper in fail2ban do the rest.

            @WalterH 's templates in combination with @crpb 's installation script worked like a charm. Thanks to both of you for providing them 🎉

            © 2020-2024 grommunio GmbH. All rights reserved. | https://grommunio.com | Data Protection | Legal notice