Topic: Test: Enabling Fail2ban with FreeBSD

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.3.2 from Github
- Deployed with iRedMail Easy or the downloadable installer? Download from Github
- Linux/BSD distribution name and version: FreeBSD
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): PGSQL (12)
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

DISCLAIMER: I use this at my own risk. If you want to do the same, make sure you understand it and do it at your own risk. No support will be provided.

This is a test to configure `fail2ban` during the installation, as I have done manually recently. The iRedMail code already provides the installation of `fail2ban` on all platforms, but it was commented out on FreeBSD as the packet filter can vary.

I normally do a few tweaks of my own on the code to suit my preferences. This mainly addresses (most) current software versions available in `ports` for FreeBSD. From iRedMail v1.0 I have done less and less as the code matches most of the recent ports. These modifications are tests, as I do not reinstall the production servers.

I still modify the ports flags to UNset the installation of documentation. I see no point in having documentation on a production server.

# diff(s)

./update/ldap/updateLDAPValues_095_1_to_096.py
75c75
<         except Exception as e:
---
>         except Exception, e:
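Review bot: `except Exception, e:` on the right-hand side is Python 2-only syntax and a SyntaxError under Python 3, so the `except Exception as e:` form is the correct fix; with `python=${PREFERRED_PY3_VER}` pinned in packages_freebsd.sh this script could not have run unmodified.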


./update/ldap/update-ldap-dovecot-2.3.py
58c58
<         except Exception as e:
---
>         except Exception, e:
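Review bot: same Python 2-only `except Exception, e:` as in updateLDAPValues_095_1_to_096.py; grep the rest of update/ for the same pattern so the two scripts are not fixed in isolation.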


./dialog/optional_components.sh
32a33,35
> if [ X"${DISTRO}" == X'FREEBSD' ]; then
>     export DIALOG_SELECTABLE_FAIL2BAN='NO'
> fi
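Review bot: dropping the `DIALOG_SELECTABLE_FAIL2BAN='NO'` guard makes fail2ban selectable on FreeBSD, which only makes sense together with the packages_freebsd.sh and fail2ban.sh changes in this same set; land them together, otherwise a user can select a component the installer does not install.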


./functions/packages_freebsd.sh
52c52
<     freebsd_make_conf_add 'DEFAULT_VERSIONS' "ssl=openssl python=${PREFERRED_PY3_VER} python3=${PREFERRED_PY3_VER} pgsql=${PGSQL_VERSION} php=7.4"
---
>     freebsd_make_conf_add 'DEFAULT_VERSIONS' "ssl=libressl python=${PREFERRED_PY3_VER} python3=${PREFERRED_PY3_VER} pgsql=${PGSQL_VERSION} php=7.4 mysql=10.5m"
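Review bot: changing `ssl=libressl` to `ssl=openssl` in DEFAULT_VERSIONS affects every port that links against libssl, so on an existing host all of those ports must be rebuilt against the new library, not only the new ones; dropping `mysql=10.5m` also leaves the MySQL/MariaDB flavour to the ports tree default for any port that still pulls in a MySQL client, which is worth stating in the commit message even though the backend here is PGSQL.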
81c81
<         lang_perl5.30 \
---
>         lang_perl5.20 \
162c162
<     cat > /var/db/ports/lang_perl5.30/options <<EOF
---
>     cat > /var/db/ports/lang_perl5.20/options <<EOF
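Review bot: the options path `/var/db/ports/lang_perl5.30/options` must match the port name changed on line 81, which it does; consider setting `perl5=5.30` in DEFAULT_VERSIONS alongside it, otherwise a dependent port that defaults to a different perl5 version can pull in a second interpreter.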
322,323c322,323
< OPTIONS_FILE_UNSET+=DOCS
< OPTIONS_FILE_UNSET+=EXAMPLES
---
> OPTIONS_FILE_SET+=DOCS
> OPTIONS_FILE_SET+=EXAMPLES
527c527
< OPTIONS_FILE_UNSET+=DOCS
---
> OPTIONS_FILE_SET+=DOCS
539c539
< OPTIONS_FILE_UNSET+=TEST
---
> OPTIONS_FILE_SET+=TEST
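Review bot: unsetting TEST skips the port's build-time self-tests; that is a legitimate build-time saving, but for a crypto or parser library the tests are the only check that the build is functional, so name the port this line belongs to in the commit message.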
589,590c589,590
< OPTIONS_FILE_UNSET+=DEBUG
< OPTIONS_FILE_UNSET+=DEBUGLOG
---
> OPTIONS_FILE_SET+=DEBUG
> OPTIONS_FILE_SET+=DEBUGLOG
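Review bot: turning DEBUG and DEBUGLOG off is the right default for a production mail host, since debug logging from mail components can write message metadata and credentials to logs; the commit message should still name the port so the change is reviewable.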
739a740
> OPTIONS_FILE_SET+=MCRYPT
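Review bot: removing `OPTIONS_FILE_SET+=MCRYPT` is consistent with `php=7.4` in DEFAULT_VERSIONS, since the mcrypt extension was removed from PHP core in 7.2; keeping the option set would at best be a no-op and at worst fail the build.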
971,974c972,975
<     if [ X"${USE_FAIL2BAN}" == X'YES' ]; then
<         # python-ldap.
<         ALL_PORTS="${ALL_PORTS} security/py-fail2ban"
<     fi
---
>     #if [ X"${USE_FAIL2BAN}" == X'YES' ]; then
>     #    # python-ldap.
>     #    ALL_PORTS="${ALL_PORTS} security/py-fail2ban"
>     #fi
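Review bot: the `# python-ldap.` comment above `security/py-fail2ban` is stale and misleading; change it to `# fail2ban.` while uncommenting the block. The `USE_FAIL2BAN` guard is correct and matches the dialog change, so the port is only pulled in when selected.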


./functions/fail2ban.sh
137,142d136
<     if [ X"${DISTRO}" == X'FREEBSD' ]; then
<         cp -f ${SAMPLE_DIR}/fail2ban/action.d/ipfw-iredmail.conf ${FAIL2BAN_ACTION_DIR}
<         ECHO_DEBUG "Copy sample firewall config files."
<         cp -f ${SAMPLE_DIR}/firewall/ipfw/ipfw.rules /usr/local/etc # ${FIREWALL_RULE_CONF update in global for FREEBSD}
<         chmod 0700 /usr/local/etc/ipfw.rules
<     fi
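Review bot: `cp -f ... /usr/local/etc` overwrites an existing `/usr/local/etc/ipfw.rules` on re-run without a backup, which would silently discard an operator's own firewall rules; test for an existing file first or back it up. The inline `# ${FIREWALL_RULE_CONF update in global for FREEBSD}` reads as a TODO: define that variable in the global config and use it here instead of the hardcoded path. Also, `ECHO_DEBUG "Copy sample firewall config files."` sits after the first cp rather than before both.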
149,155c143
<     if [ X"${DISTRO}" == X'FREEBSD' ]; then
<         service_control enable 'firewall_enable' 'YES' >> ${INSTALL_LOG} 2>&1
<         service_control enable 'firewall_quiet' 'YES' >> ${INSTALL_LOG} 2>&1
<         service_control enable 'firewall_type' 'OPEN' >> ${INSTALL_LOG} 2>&1
<         service_control enable 'firewall_script' '/usr/local/etc/ipfw.rules' >> ${INSTALL_LOG} 2>&1
<         service_control enable 'fail2ban' 'YES' >> ${INSTALL_LOG} 2>&1
<     elif [ X"${DISTRO}" == X'OPENBSD' ]; then
---
>     if [ X"${DISTRO}" == X'OPENBSD' ]; then
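Review bot: `firewall_type 'OPEN'` is redundant here because `firewall_script` points at the custom rules file, which itself passes `open` to `/etc/rc.firewall`; harmless, but drop it or comment why it stays. The `fail2ban` line uses a different argument shape from the `firewall_*` lines (a service name rather than an rc.conf variable), so confirm `service_control enable` handles both, since a mismatched rc.conf key leaves fail2ban disabled at boot with no error. Worth a line in the install log that the resulting firewall is OPEN apart from table 10, as the sample rules file states, so nobody mistakes this for a hardened host firewall.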


./samples/fail2ban/action.d/ipfw-iredmail.conf
[Definition]

# No setup or teardown is needed: table 10 is created by ipfw.rules at boot,
# so actionstart/actionstop/actioncheck are intentionally left empty.
actionstart =
actionstop =
actioncheck =
# fail2ban replaces <ip> with the banned address. Table 10 must be the same
# table the deny rule in ipfw.rules reads, or bans are never enforced.
actionban = ipfw table 10 add <ip>
actionunban = ipfw table 10 delete <ip>


./samples/firewall/ipfw/ipfw.rules
# NOTE: This set of rules is intended only to let 'ipfw' and 'fail2ban' work with each other.
#       It is **NOT** intended to close or protect the server.

# Call initial firewall setup as per FreeBSD's standards using the "OPEN" profile
/bin/sh /etc/rc.firewall open

# Create a Table to hold the IPs worked by fail2ban
# The number "10" is just an ID for the table

if ! ipfw table 10 info > /dev/null 2>&1; then
  ipfw -q table 10 create
  ipfw -q table 10 flush
fi

# create (an early) rule to deny access to the offender on the table
ipfw -q add 00050 deny ip from "table(10)" to me

Stay safe.
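Added example, not iRedMail's or the poster's code: an offline consistency check (in Python, since fail2ban itself is Python) that parses an action.d file like the one above, renders actionban/actionunban the way fail2ban substitutes `<ip>`, and verifies that the table the action writes to is the table the ipfw.rules deny rule reads, because a mismatch means fail2ban reports bans that ipfw never enforces. The embedded copies of the two files are constructed from the post, and the function names are assumptions of this example.

```python
import configparser
import ipaddress
import re

# Constructed copies of the two sample files shown in the post above.
ACTION_CONF = """[Definition]
actionstart =
actionstop =
actioncheck =
actionban = ipfw table 10 add <ip>
actionunban = ipfw table 10 delete <ip>
"""

IPFW_RULES = """/bin/sh /etc/rc.firewall open
if ! ipfw table 10 info > /dev/null 2>&1; then
  ipfw -q table 10 create
fi
ipfw -q add 00050 deny ip from "table(10)" to me
"""

def parse_action(text):
    """Return the [Definition] options of a fail2ban action.d file as a dict."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp["Definition"])

def render(command, ip):
    """Substitute the <ip> tag the way fail2ban does, after validating the
    address so nothing but a literal IP ever reaches the shell."""
    ip = str(ipaddress.ip_address(ip))  # ValueError on anything that is not an IP
    return command.replace("<ip>", ip)

def action_table(command):
    """Table number targeted by 'ipfw table N add|delete <ip>', or None."""
    m = re.search(r"\bipfw\s+table\s+(\d+)\s+(?:add|delete)\s+<ip>", command)
    return int(m.group(1)) if m else None

def denied_tables(rules):
    """Set of table numbers that some 'deny ip from table(N)' rule matches on."""
    return {int(n) for n in re.findall(r'deny\s+ip\s+from\s+"?table\((\d+)\)"?', rules)}

def check(action_text, rules_text):
    """True only if ban and unban act on the same table and the rules script
    actually denies traffic from that table; otherwise bans are never enforced."""
    opts = parse_action(action_text)
    ban = action_table(opts.get("actionban", ""))
    unban = action_table(opts.get("actionunban", ""))
    return ban is not None and ban == unban and ban in denied_tables(rules_text)
```

Run `check()` against the real files before enabling the jail; it catches the silent case where the action and the rules file were edited to different table numbers.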
