| author | Joey Hess <joeyh@joeyh.name> | 2015-11-30 13:34:18 -0400 |
|---|---|---|
| committer | Joey Hess <joeyh@joeyh.name> | 2015-11-30 13:34:18 -0400 |
| commit | d6d63ff095e6584e5a28eb39139f1cd7e83534d3 (patch) | |
| tree | 5f6f4a94f4f73825d4c08cfc5ff252e6416445d5 | |
| parent | 703c08cd618ec3d0f299b1f715e0ebfb7233ea09 (diff) | |
| parent | b82390983dd285e18df43c979d909331f44a01da (diff) | |
Merge branch 'joeyconfig'
| -rw-r--r-- | config-joey.hs | 3 | ||||
| -rw-r--r-- | debian/changelog | 1 | ||||
| -rw-r--r-- | propellor.cabal | 1 | ||||
| -rw-r--r-- | src/Propellor/Property/Fail2Ban.hs | 30 | ||||
| -rw-r--r-- | src/Propellor/Property/Postfix.hs | 5 | ||||
| -rw-r--r-- | src/Propellor/Property/SiteSpecific/JoeySites.hs | 3 |
6 files changed, 42 insertions, 1 deletions
diff --git a/config-joey.hs b/config-joey.hs
index 98cb195a..df6e40dc 100644
--- a/config-joey.hs
+++ b/config-joey.hs
@@ -25,6 +25,7 @@ import qualified Propellor.Property.Gpg as Gpg
 import qualified Propellor.Property.Systemd as Systemd
 import qualified Propellor.Property.Journald as Journald
 import qualified Propellor.Property.Chroot as Chroot
+import qualified Propellor.Property.Fail2Ban as Fail2Ban
 import qualified Propellor.Property.Aiccu as Aiccu
 import qualified Propellor.Property.OS as OS
 import qualified Propellor.Property.HostingProvider.CloudAtCost as CloudAtCost
@@ -221,7 +222,7 @@ kite = standardSystemUnhardened "kite.kitenet.net" Testing "amd64"
 & Journald.systemMaxUse "500MiB"
 & Ssh.passwordAuthentication True
 -- Since ssh password authentication is allowed:
-& Apt.serviceInstalledRunning "fail2ban"
+& Fail2Ban.installed
 & Obnam.backupEncrypted "/" (Cron.Times "33 1 * * *")
 [ "--repository=sftp://joey@eubackup.kitenet.net/~/lib/backup/kite.obnam"
 , "--client-name=kitenet.net"
diff --git a/debian/changelog b/debian/changelog
index 55419200..e7afe17d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -6,6 +6,7 @@ propellor (2.14.1) UNRELEASED; urgency=medium
 * Added Propellor.Property.Locale.
 Thanks, Sean Whitton.
 * Added changesFile property combinator.
+ * Added Propellor.Property.Fail2Ban.
 -- Joey Hess <id@joeyh.name> Tue, 24 Nov 2015 17:06:12 -0400
diff --git a/propellor.cabal b/propellor.cabal
index ceb32d48..6ddc6c9d 100644
--- a/propellor.cabal
+++ b/propellor.cabal
@@ -80,6 +80,7 @@ Library
 Propellor.Property.Dns
 Propellor.Property.DnsSec
 Propellor.Property.Docker
+Propellor.Property.Fail2Ban
 Propellor.Property.File
 Propellor.Property.Firewall
 Propellor.Property.Git
diff --git a/src/Propellor/Property/Fail2Ban.hs b/src/Propellor/Property/Fail2Ban.hs
new file mode 100644
index 00000000..716d376f
--- /dev/null
+++ b/src/Propellor/Property/Fail2Ban.hs
@@ -0,0 +1,30 @@
+module Propellor.Property.Fail2Ban where
+
+import Propellor.Base
+import qualified Propellor.Property.Apt as Apt
+import qualified Propellor.Property.Service as Service
+import Propellor.Property.ConfFile
+
+installed :: Property NoInfo
+installed = Apt.serviceInstalledRunning "fail2ban"
+
+reloaded :: Property NoInfo
+reloaded = Service.reloaded "fail2ban"
+
+type Jail = String
+
+-- | By default, fail2ban only enables the ssh jail, but many others
+-- are available to be enabled, for example "postfix-sasl"
+jailEnabled :: Jail -> Property NoInfo
+jailEnabled name = jailConfigured name "enabled" "true"
+ `onChange` reloaded
+
+-- | Configures a jail. For example:
+--
+-- > jailConfigured "sshd" "port" "2222"
+jailConfigured :: Jail -> IniKey -> String -> Property NoInfo
+jailConfigured name key value =
+ jailConfFile name `containsIniSetting` (name, key, value)
+
+jailConfFile :: Jail -> FilePath
+jailConfFile name = "/etc/fail2ban/jail.d/" ++ name ++ ".conf"
diff --git a/src/Propellor/Property/Postfix.hs b/src/Propellor/Property/Postfix.hs
index 20492dc6..356a945f 100644
--- a/src/Propellor/Property/Postfix.hs
+++ b/src/Propellor/Property/Postfix.hs
@@ -134,6 +134,11 @@ dedupCf ls =
 -- Does not configure postfix to use it; eg @smtpd_sasl_auth_enable = yes@
 -- needs to be set to enable use. See
 -- <https://wiki.debian.org/PostfixAndSASL>.
+--
+-- Password brute force attacks are possible when SASL auth is enabled.
+-- It would be wise to enable fail2ban, for example:
+--
+-- > Fail2Ban.jailEnabled "postfix-sasl"
 saslAuthdInstalled :: Property NoInfo
 saslAuthdInstalled = setupdaemon
 `requires` Service.running "saslauthd"
diff --git a/src/Propellor/Property/SiteSpecific/JoeySites.hs b/src/Propellor/Property/SiteSpecific/JoeySites.hs
index 2e34d75f..ff92bf2d 100644
--- a/src/Propellor/Property/SiteSpecific/JoeySites.hs
+++ b/src/Propellor/Property/SiteSpecific/JoeySites.hs
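Review bot: `jailConfigured` writes the INI setting but never reloads fail2ban, so a change made through the documented `jailConfigured "sshd" "port" "2222"` is not applied to the running daemon until something else happens to reload it; only `jailEnabled` carries the `onChange reloaded`. Moving the reload down one level fixes every caller at once: `jailConfigured name key value = (jailConfFile name `containsIniSetting` (name, key, value)) `onChange` reloaded`, after which `jailEnabled name = jailConfigured name "enabled" "true"` no longer needs its own `onChange`. Separately, `Jail` is a bare `String` that `jailConfFile` splices straight into the path, so a name containing `/` or `..` would land a file outside `/etc/fail2ban/jail.d/`; jail names come from the propellor config rather than from untrusted input, so this is hardening rather than a vulnerability, but a `newtype Jail` with a smart constructor that rejects path separators would rule it out.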
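Review bot: The new example `-- > Fail2Ban.jailEnabled "postfix-sasl"` is incomplete on its own: in the Fail2Ban module added by this same commit, `jailEnabled` only edits `/etc/fail2ban/jail.d/postfix-sasl.conf` and reloads the service, and nothing in it `requires` `Fail2Ban.installed`, so a reader copying the example onto a host without fail2ban gets a stray config file and a reload of a service that may not exist rather than brute-force protection. Suggest the comment pair the two the way JoeySites.hs does in this commit, e.g. `-- > Fail2Ban.installed` followed by `-- > Fail2Ban.jailEnabled "postfix-sasl"`, or a sentence saying fail2ban must also be installed. The definition of `saslAuthdInstalled` (the `setupdaemon` it refers to) continues outside the hunk.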
@@ -17,6 +17,7 @@ import qualified Propellor.Property.Obnam as Obnam
 import qualified Propellor.Property.Apache as Apache
 import qualified Propellor.Property.Postfix as Postfix
 import qualified Propellor.Property.Systemd as Systemd
+import qualified Propellor.Property.Fail2Ban as Fail2Ban
 import Utility.FileMode
 import Data.List
@@ -541,6 +542,8 @@ kiteMailServer = propertyList "kitenet.net mail server" $ props
 & dkimInstalled
 & Postfix.saslAuthdInstalled
+ & Fail2Ban.installed
+ & Fail2Ban.jailEnabled "postfix-sasl"
 & "/etc/default/saslauthd" `File.containsLine` "MECHANISMS=sasldb"
 & Postfix.saslPasswdSet "kitenet.net" (User "errol") |
