diff --git a/CHANGELOG.md b/CHANGELOG.md
index d46b35c7..d253a45b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,10 @@ All notable changes to this project will be documented in this file. The format
 > **Note**: Changes and additions listed here are contained in the `:edge` image tag. These changes may not be as stable as released changes.
+### Added
+
+- **scripts**: fail2ban - enable network bans ([#2818](https://github.com/docker-mailserver/docker-mailserver/pull/2818))
+
 ### Fixed
 - **scripts**: Run `user-patches.sh` right before starting daemons ([#2817](https://github.com/docker-mailserver/docker-mailserver/pull/2817))
diff --git a/Dockerfile b/Dockerfile
index 44c5b57e..4a641d9b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,13 +19,14 @@ SHELL ["/bin/bash", "-e", "-o", "pipefail", "-c"]
 # --- Install Basic Software --------------------
 # -----------------------------------------------
-COPY target/scripts/build/* /build/
-COPY target/scripts/helpers/log.sh /usr/local/bin/helpers/log.sh
-RUN /bin/bash /build/packages.sh
-
 COPY target/bin/sedfile /usr/local/bin/sedfile
 RUN chmod +x /usr/local/bin/sedfile
+COPY target/scripts/build/* /build/
+COPY target/scripts/helpers/log.sh /usr/local/bin/helpers/log.sh
+
+RUN /bin/bash /build/packages.sh
+
 # -----------------------------------------------
 # --- ClamAV & FeshClam -------------------------
 # -----------------------------------------------
diff --git a/target/scripts/build/packages.sh b/target/scripts/build/packages.sh
index c5d1f006..5bb35437 100644
--- a/target/scripts/build/packages.sh
+++ b/target/scripts/build/packages.sh
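Review bot: The new order in the Dockerfile hunk — `COPY target/bin/sedfile` and its `chmod` now run before `RUN /bin/bash /build/packages.sh` — carries an implicit dependency that nothing in the hunk records: packages.sh presumably needs `sedfile` on PATH, since the same patch adds a `sedfile` call to `_install_fail2ban`. A later "tidy-up" that moves the blocks back would break the build step with no hint as to why. A one-line comment above the moved `COPY target/scripts/build/* /build/` would pin it, e.g. `# sedfile must be installed before packages.sh, which uses it to patch package config files`. The rest of the build stage is outside the hunk.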
@@ -146,6 +146,11 @@ function _install_fail2ban
 dpkg -i fail2ban.deb 2>&1
 rm fail2ban.deb fail2ban.deb.asc
+
+ _log 'debug' 'Patching Fail2ban to enable network bans'
+ # Enable network bans
+ # https://github.com/docker-mailserver/docker-mailserver/issues/2669
+ sedfile -i -r 's/^_nft_add_set = .+/_nft_add_set = add set \\{ type \\; flags interval\\; \\}/' /etc/fail2ban/action.d/nftables.conf
 }
 function _post_installation_steps
diff --git a/test/mail_fail2ban.bats b/test/mail_fail2ban.bats
index 5f2c6fd2..11405d61 100644
--- a/test/mail_fail2ban.bats
+++ b/test/mail_fail2ban.bats
@@ -118,6 +118,7 @@ function teardown_file() {
 }
 @test "checking fail2ban ban" {
+ # Ban single IP address
 run docker exec mail_fail2ban fail2ban ban 192.0.66.7
 assert_success
 assert_output "Banned custom IP: 1"
@@ -136,6 +137,26 @@ function teardown_file() {
 run docker exec mail_fail2ban nft list set inet f2b-table addr-set-custom
 refute_output --partial "192.0.66.7"
+
+ # Ban IP network
+ run docker exec mail_fail2ban fail2ban ban 192.0.66.0/24
+ assert_success
+ assert_output "Banned custom IP: 1"
+
+ run docker exec mail_fail2ban fail2ban
+ assert_success
+ assert_output --regexp "Banned in custom:.*192\.0\.66\.0/24"
+
+ run docker exec mail_fail2ban nft list set inet f2b-table addr-set-custom
+ assert_success
+ assert_output --partial "elements = { 192.0.66.0/24 }"
+
+ run docker exec mail_fail2ban fail2ban unban 192.0.66.0/24
+ assert_success
+ assert_output --partial "Unbanned IP from custom: 1"
+
+ run docker exec mail_fail2ban nft list set inet f2b-table addr-set-custom
+ refute_output --partial "192.0.66.0/24"
 }
 @test "checking FAIL2BAN_BLOCKTYPE is really set to drop" {
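Review bot: The `sedfile` line replaces the whole `_nft_add_set` entry with fixed text instead of inserting `flags interval` into whatever the packaged nftables.conf ships, so a Fail2ban version bump that changes that line (new tags, an extra option) is silently overwritten; the comment above it should say so, e.g. replace `# Enable network bans` with `# Rewrite upstream's _nft_add_set so the nft set is created with 'flags interval' (lets CIDR ranges such as the 192.0.66.0/24 used in the tests be banned); re-check against the packaged nftables.conf on every Fail2ban upgrade`. As rendered here the replacement reads `add set \\{ type \\; flags interval\\; \\}` with no table family, table, set name or address type between `add set` and `\\{` or after `type`; upstream supplies those through fail2ban's `<table_family> <table> <addr_set>` and `<addr_type>` tags, so unless their absence is only an artefact of angle brackets being stripped from this page, they must be restored or nft will reject the set creation. Whether a non-matching pattern is detected depends on `sedfile`'s behaviour, which is outside this diff. `_install_fail2ban` starts before the hunk.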
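Review bot: In the second mail_fail2ban.bats hunk, the closing `refute_output --partial "192.0.66.0/24"` inspects the output of the preceding `run docker exec mail_fail2ban nft list set inet f2b-table addr-set-custom` without first asserting the command succeeded, so if `nft list set` errors out (empty or error-only output) the refute passes vacuously and an unban that left the element in place would go unnoticed. Add `assert_success` between that `run` and the `refute_output`, as the earlier `nft list set` check in the same hunk already does; the pre-existing `refute_output --partial "192.0.66.7"` at the top of the hunk has the same gap. The `@test "checking fail2ban ban"` block starts before this hunk.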