Has anyone done this so far?
Or any hints on how to do it?

brNP

2 months later

Has no one done fail2ban on this project?

22 days later

Here you can find a fail2ban configuration: https://www.hofstaedtler.com/tmp/fail2ban_grommunio_wh.tgz

  1. install fail2ban: zypper in fail2ban
  2. copy the file fail2ban_grommunio_wh.tgz e.g. to /root
  3. unpack with: tar -xzvf /root/fail2ban_grommunio_wh.tgz -C /
  4. delete the file /root/fail2ban_grommunio_wh.tgz: rm /root/fail2ban_grommunio_wh.tgz
  5. now adjust the configuration file /etc/fail2ban/jail.local
  6. restart fail2ban: systemctl restart fail2ban
  7. watch

This configuration is only minimally tested. I am happy about feedback (positive and negative).

Walter

  • crpb replied to this.

    Today I updated the TAR archive, minor corrections in all files.

    WalterH
    Do you always update it at that URL?
    For the lazy brigade:

    WALTERS_PACKAGE="https://www.hofstaedtler.com/tmp/fail2ban_grommunio_wh.tgz"
    JAIL_LOCAL="/etc/fail2ban/jail.local"
    SYNC_CONF="/etc/grommunio-sync/grommunio-sync.conf.php"
    
    wget $WALTERS_PACKAGE -O src.tgz
    if [[ -f "$JAIL_LOCAL" ]]; then
      tar xvfz src.tgz -C / --exclude=etc/fail2ban/jail.local
      tar -axf src.tgz etc/fail2ban/jail.local -O |sed -n '/^\[grommunio-web-auth/, $p' >> $JAIL_LOCAL
    else
      tar xfz src.tgz -C /
    fi
    sed -i.bak '' $SYNC_CONF
    sed -i "s|LOGAUTHFAIL', false|LOGAUTHFAIL', true|g" $SYNC_CONF
    
    systemctl restart fail2ban

    Errors can never be ruled out..

    Thanks for the script, but you have to adjust at least the two mail addresses destemail and sender in jail.local; ignoreip should be adjusted too.

    And important: this is minimally tested, please give feedback.

    • crpb replied to this.

      WalterH
      I will have a look,
      Could you set the umask to 0644 and also set the newline or just an empty line at the end of every file?
      @WalterH Thanks for the umask and this is my reason for the newline.

      Currently I haven't tested it at all. Just writing helpful scripts for us in our local Git repo when there is time between work.

      EDIT: Not finished but for now...

      > cat setup/fail2ban/install.sh -p
      #!/bin/bash
      export DEBIAN_FRONTEND=noninteractive
      dpkg-reconfigure debconf -f readline -p critical
      #DEB_FRONT AND debconf[..  just to be safe
      #SCRIPT_DIR="$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
      #ENFORCE-ROOT
      if [[ $EUID -ne 0 ]]; then
        echo "ERROR: $0 Must be run as root, Script terminating" ;exit 7
      fi
      #SNIP-SUDO
      #SUDO=''
      #if [[ $EUID -ne 0 ]]; then
      #  SUDO='sudo'
      #fi
      
      DESTEMAIL='monitoring@domain.tld'
      SENDER='fail2ban-grommunio@domain.tld'
      IGNOREIP="127.0.0.1 ::1"
      
      WALTERS_PACKAGE="https://www.hofstaedtler.com/tmp/fail2ban_grommunio_wh.tgz"
      JAIL_LOCAL="/etc/fail2ban/jail.local"
      SYNC_CONF="/etc/grommunio-sync/grommunio-sync.conf.php"
      
      #SC2015 ... ignored..
      grep -qF -- "suse" /etc/os-release && (zypper ref && zypper -n up) || (apt-get update && apt-get dist-upgrade --yes)
      
      #SNIP-DEBINSTALL
      #PACKAGES=("fail2ban")
      #pkg_install() {
      #  for pkg in "$@"; do
      #    is_pkg_installed=$(dpkg-query -W --showformat='${Status}' "${pkg}" | grep "install ok installed")
      #    if [ "${is_pkg_installed}" == "install ok installed" ]; then
      #      echo "${pkg}" ist installiert.
      #    else
      #      apt-get install -f "${pkg}" --yes
      #    fi
      #  done
      #}
      #pkg_install "${PACKAGES[$@]}"
      
      wget $WALTERS_PACKAGE -O src.tgz
      
      if [[ -f "$JAIL_LOCAL" ]]; then
        tar xvfz src.tgz -C / --exclude=etc/fail2ban/jail.local
        # append the grommunio jails only if jail.local does not already contain them
        grep -qF -- "grommunio" "$JAIL_LOCAL" || (tar -axf src.tgz etc/fail2ban/jail.local -O | sed -n '/^\[grommunio-web-auth/, $p' >> "$JAIL_LOCAL")
      else
        tar xfvz src.tgz -C /
      fi
      #SNIP-FILEBAKDATE
      sed -i."$(date +%Y%m%d%H%M)".bak '' $SYNC_CONF
      sed -i "s|LOGAUTHFAIL', false|LOGAUTHFAIL', true|g" $SYNC_CONF
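      #IF NOT EMPTY (-n; -z would only match an empty value)
      if [[ -n "$IGNOREIP" ]]; then
        # "|" as delimiter so CIDR entries such as 10.0.0.0/8 do not break the expression
        sed -i -e "/^ignoreip = / s|= .*|= $IGNOREIP|" "$JAIL_LOCAL"
      fi
      sed -i -e "/^destemail = / s|= .*|= $DESTEMAIL|" "$JAIL_LOCAL"
      sed -i -e "/^sender = / s|= .*|= $SENDER|" "$JAIL_LOCAL"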
      
      systemctl restart fail2ban

      improvements welcome
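
Both the manual steps and the scripts above unpack a downloaded archive as root with -C /. The following is an added example, not part of any post in this thread or of the archive: it vets the member list before extraction. The allowlist and the function names check_members and safe_unpack are assumptions; the member names come from the tar output quoted further down the thread.

```sh
#!/bin/sh
# Added example: refuse to unpack an archive into / unless every member
# stays inside an allowlist. Allowlist is an assumption; adjust as needed.
ALLOWED_PREFIXES="etc/fail2ban/ etc/nginx/conf.d/ tar_fail2ban_wh.sh"

# check_members: reads a member listing (one path per line, as printed by
# `tar -tzf`) on stdin, prints each rejected path, returns 1 if any.
check_members() {
  bad=0
  while IFS= read -r member; do
    member=${member#./}
    [ -n "$member" ] || continue
    case "$member" in
      /*|../*|*/../*|*/..|..)   # absolute path or parent-directory escape
        echo "REJECT (path escape): $member"; bad=1; continue ;;
    esac
    ok=0
    for prefix in $ALLOWED_PREFIXES; do
      case "$member" in
        "$prefix"*) ok=1 ;;
      esac
      # A directory entry leading to an allowed prefix (e.g. "etc/") is fine.
      case "$prefix" in
        "$member"*) case "$member" in */) ok=1 ;; esac ;;
      esac
    done
    [ "$ok" -eq 1 ] || { echo "REJECT (outside allowlist): $member"; bad=1; }
  done
  return "$bad"
}

# safe_unpack ARCHIVE DEST: extract only if the whole listing passes.
safe_unpack() {
  tar -tzf "$1" | check_members || return 1
  tar -xzf "$1" -C "$2" --no-same-owner
}

# Member names as printed by tar in the SUSE 15.5 report in this thread.
THREAD_LISTING='tar_fail2ban_wh.sh
etc/fail2ban/filter.d/grommunio-sync.conf
etc/fail2ban/filter.d/grommunio-web-auth.conf
etc/nginx/conf.d/x-forewarded-for.conf'

printf '%s\n' "$THREAD_LISTING" | check_members && echo "thread listing passes"
```

Run it against a staging directory first (safe_unpack src.tgz /tmp/stage) and diff the result against /etc before using / as the destination.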

        mwilliams changed the title to [ENHANCEMENT] fail2ban for grommunio .

        crpb I fixed both issues, a new line and umask 644. Hope this helps.

        • crpb replied to this.
          a month later

          The boss just stumbled over it ...
          Can I test it on his system? Mine is currently doing exactly what it should ;)

          2 years later

          Please note, today's update (08.11.2023) changed the location for most log files, please read: https://community.grommunio.com/d/1281-prepare-for-the-ews-grommunio-2023111-release/2
          To switch the log location in jail.local, you may use this command:
          sed -i 's: /var/log/grommunio/: /var/log/nginx/:g' /etc/fail2ban/jail.local
          Currently the tar archive contains the old log paths, will be fixed in the next days.
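
After a log location change like the one described above, a jail left on the old path watches a file that is no longer written. The following is an added example, not part of the post or the archive: it lists logpath entries in a jail file that still point below the old directory or name a missing file. The function name stale_logpaths and the log file names in the sample are assumptions; the jail names are the ones mentioned in this thread.

```sh
#!/bin/sh
# Added example. stale_logpaths JAIL_FILE OLD_DIR [ROOT]
# Prints "jail<TAB>logpath<TAB>reason" for every logpath that lies below
# OLD_DIR or names a file that does not exist; returns 1 if any was found.
# ROOT is prepended for the existence test only (for a staging tree).
# Assumes one path per "logpath =" line, without globs or continuations.
stale_logpaths() {
  jail="DEFAULT"; found=0
  while IFS= read -r line; do
    case "$line" in
      "["*"]"*)                       # section header: remember the jail
        jail=${line#"["}; jail=${jail%%"]"*} ;;
      logpath*=*)
        path=$(printf '%s\n' "${line#*=}" |
               sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        reason=""
        case "$path" in
          "$2"*) reason="old log directory" ;;
          *) [ -e "${3:-}$path" ] || reason="file missing" ;;
        esac
        if [ -n "$reason" ]; then
          printf '%s\t%s\t%s\n' "$jail" "$path" "$reason"; found=1
        fi ;;
    esac
  done < "$1"
  return "$found"
}

# Constructed sample; the log file names are placeholders, not the
# names used in the archive's jail.local.
sample_jail() {
  cat <<'EOF'
[grommunio-web-auth]
enabled = true
logpath = /var/log/grommunio/example-web.log

[grommunio-sync]
enabled = true
logpath = /var/log/nginx/example-sync.log
EOF
}
```

On a live system the call would be stale_logpaths /etc/fail2ban/jail.local /var/log/grommunio/ before and after applying the sed command.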

            19 days later

            Unfortunately the installation script no longer works, on SUSE 15.5:

            tar_fail2ban_wh.sh
            etc/fail2ban/filter.d/grommunio-sync.conf
            etc/fail2ban/filter.d/grommunio-web-auth.conf
            etc/nginx/conf.d/x-forewarded-for.conf
            Failed to restart fail2ban.service: Unit fail2ban.service not found.

            zypper in fail2ban

            Repository-Daten werden geladen...
            Installierte Pakete werden gelesen...
            Paketabhängigkeiten werden aufgelöst...
            Problem: das zu installierende fail2ban-0.11.2-150400.2.4.noarch erfordert 'ed', aber diese Anforderung kann nicht bereitgestellt werden
            Nicht installierbare Anbieter: ed-1.17-150400.1.5.x86_64[base]
            Lösung 1: Deinstallation von busybox-ed-1.35.0-150400.4.5.1.noarch
            Lösung 2: fail2ban-0.11.2-150400.2.4.noarch nicht installieren
            Lösung 3: fail2ban-0.11.2-150400.2.4.noarch durch Ignorieren einiger Abhängigkeiten brechen
            Wählen Sie aus den obigen Lösungen mittels Nummer oder brechen Sie (a)b [1/2/3/a/d/?] (a):

            It would probably work if it looked like this:

            grom-test-1:~ # zypper search --match-exact ed busybox-ed
            Loading repository data...
            Reading installed packages...
            
            S  | Name       | Summary                      | Type
            ---+------------+------------------------------+--------
               | busybox-ed | Busybox applets replacing ed | package
            i+ | ed         | A line-oriented text editor  | package

            But I can't tell you why the busybox version is installed on your system.

            rpm -qa | grep busy
            busybox should not be installed on a grommunio system!

            5 days later

            WalterH Currently the tar archive contains the old log paths, will be fixed in the next days.

            A few days late, today I updated the .tar archive with new paths.

            10 days later

            With gromox>=2.19.56, you can set /etc/gromox/gromox.cfg http_remote_host_hdr=X-Real-IP to take the reported client address from a trusted header (if you have a trusted proxy).
            Package grommunio-setup>=1.0.108 in the grommunio appliance will add this line for new installations.
            Package grommunio-common>=23.7d1954c contains the corresponding fragment for the appliance's nginx.
            Still need to figure out how to do this for zcore.

              jengelh
              I have installed gromox 2.19.88 and there is natively no /etc/gromox/gromox.cfg. Are you sure that the file has to be created?
