From: Peter Palfrader
Date: Wed, 10 Oct 2018 09:19:12 +0000 (+0200)
Subject: use fail2ban to block some abusive smtp clients on our MXs (re: RT#7515)
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=b3d9dd83da3f8ac34ccbdf912e1113f1ef49a64c;p=mirror%2Fdsa-puppet.git

use fail2ban to block some abusive smtp clients on our MXs (re: RT#7515)
---

diff --git a/modules/exim/manifests/mx.pp b/modules/exim/manifests/mx.pp
index c30bd4cda..42604eb95 100644
--- a/modules/exim/manifests/mx.pp
+++ b/modules/exim/manifests/mx.pp
@@ -1,6 +1,7 @@
 class exim::mx inherits exim {
 include clamav
 include postgrey
+include fail2ban::exim
 
 file { '/etc/exim4/ccTLD.txt':
 source => 'puppet:///modules/exim/common/ccTLD.txt',
diff --git a/modules/fail2ban/files/filter/dsa-exim.conf b/modules/fail2ban/files/filter/dsa-exim.conf
new file mode 100644
index 000000000..7e43af9e2
--- /dev/null
+++ b/modules/fail2ban/files/filter/dsa-exim.conf
@@ -0,0 +1,7 @@
+#
+
+[INCLUDES]
+before = exim-common.conf
+
+[Definition]
+failregex = ^%(pid)s SMTP protocol error in "AUTH LOGIN" .* \[\] AUTH command used when not advertised$
diff --git a/modules/fail2ban/files/jail/dsa-exim.conf b/modules/fail2ban/files/jail/dsa-exim.conf
new file mode 100644
index 000000000..7c8c9bb38
--- /dev/null
+++ b/modules/fail2ban/files/jail/dsa-exim.conf
@@ -0,0 +1,9 @@
+[dsa-exim]
+enabled = true
+filter = dsa-exim
+port = smtp,ssmtp
+logpath = /var/log/exim4/mainlog
+maxretry = 4
+# action = %(action_mwl)s
+# destemail = root-fail2ban@$DOMAIN
+bantime = 3600
diff --git a/modules/fail2ban/manifests/exim.pp b/modules/fail2ban/manifests/exim.pp
new file mode 100644
index 000000000..f1b34ddfa
--- /dev/null
+++ b/modules/fail2ban/manifests/exim.pp
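Review bot: The `failregex` on the last line of the filter hunk has no `<HOST>` capture as rendered here (`\[\]`), and fail2ban will not load a filter whose failregex does not capture a host; if the page merely dropped `<HOST>` as markup the file itself is fine, and the line should read `failregex = ^%(pid)s SMTP protocol error in "AUTH LOGIN" .* \[<HOST>\] AUTH command used when not advertised$`. The `.*` between the auth string and the address spans Exim's `H=` field, where the HELO name in parentheses is client-supplied, so the fixed trailer and the `$` anchor are what keep a crafted HELO from steering which bracketed address is taken; a comment on that line recording this, e.g. `# keep the literal trailer and the $ anchor: the H=(helo) text before the address is client-controlled`, would stop a later "simplification". It is also worth running `fail2ban-regex /var/log/exim4/mainlog /etc/fail2ban/filter.d/dsa-exim.conf` once, since `%(pid)s` and the date prefix come from the installed version's `exim-common.conf` and are not visible in this diff.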
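Review bot: `port = smtp,ssmtp` bans the offending client only on 25 and 465; if these MXs also accept submission on 587 the same client keeps that port, so the line should probably be `port = smtp,ssmtp,submission` unless submission is deliberately out of scope (not visible here). The jail sets no `findtime`, so `maxretry = 4` counts against fail2ban's default window, and no `ignoreip`, so other project hosts that trip the pattern would be banned as well; both are better stated explicitly than inherited from defaults that differ between fail2ban releases. The two commented lines `# action = %(action_mwl)s` and `# destemail = root-fail2ban@$DOMAIN` carry an unexpanded `$DOMAIN` placeholder and should be either finished or dropped before someone uncomments them.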
@@ -0,0 +1,10 @@
+class fail2ban::exim inherits fail2ban {
+file { '/etc/fail2ban/filter.d/dsa-exim.conf':
+source => 'puppet:///modules/fail2ban/filter/dsa-exim.conf',
+notify => Service['fail2ban'],
+}
+file { '/etc/fail2ban/jail.d/dsa-exim.conf':
+source => 'puppet:///modules/fail2ban/jail/dsa-exim.conf',
+notify => Service['fail2ban'],
+}
+}
diff --git a/modules/fail2ban/manifests/init.pp b/modules/fail2ban/manifests/init.pp
new file mode 100644
index 000000000..3051b9975
--- /dev/null
+++ b/modules/fail2ban/manifests/init.pp
@@ -0,0 +1,17 @@
+class fail2ban {
+package { 'fail2ban':
+ensure => installed,
+}
+
+service { 'fail2ban':
+ensure => running,
+}
+
+@ferm::conf { 'f2b':
+content => @(EOF),
+@hook post "type fail2ban-client > /dev/null && (fail2ban-client ping > /dev/null && fail2ban-client reload > /dev/null ) || true";
+@hook flush "type fail2ban-client > /dev/null && (fail2ban-client ping > /dev/null && fail2ban-client reload > /dev/null ) || true";
+| EOF
+}
+
+}
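Review bot: The two `file` resources in `fail2ban::exim` carry `notify => Service['fail2ban']` but no `require => Package['fail2ban']`, so on a first run `/etc/fail2ban/filter.d` and `jail.d` exist only if the parent class's package resource happens to be applied earlier; adding `require => Package['fail2ban'],` to each file pins that dependency instead of relying on evaluation order. `inherits fail2ban` appears to be used here only to pull the parent class in, which `include fail2ban` at the top of the class does without the inheritance semantics; `class fail2ban::exim { include fail2ban` plus the same two resources would be the more conventional form. A header comment such as `# Jail and filter that ban clients issuing AUTH LOGIN where AUTH is not advertised (RT#7515)` would tell the next reader what the dsa-exim jail is for without opening the filter file.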
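Review bot: `service { 'fail2ban': ensure => running }` neither enables the unit nor depends on the package, so the service can be scheduled before `package { 'fail2ban': }` on a fresh host and whether it returns at boot is left to the package's own defaults; `ensure => running, enable => true, require => Package['fail2ban'],` makes both explicit. The `@ferm::conf { 'f2b': }` resource is declared virtual (`@`) and nothing in this diff realizes it, so the post/flush hooks only take effect if a `realize` or collector exists elsewhere in the tree — worth confirming, because the hooks are presumably there to re-create fail2ban's chains after ferm replaces the ruleset, and without them active bans would silently vanish on every firewall reload until fail2ban is next reloaded. A comment above the two `@hook` lines stating that intent, e.g. `# ferm replaces the ruleset on reload/flush, which drops fail2ban's chains; ask fail2ban to re-create them`, would save the next reader the same investigation.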