Perpetual recidive replaced by Incremental recidive

UI-API.md

@@ -111,7 +111,7 @@ All available props to store in the fail2ban key of the esmith API
       "ApachePhpMyAdmin_status": "true",
       "HttpdAdmin_status": "true",
       "ApacheNohome_status": "true",
-      "Recidive_Perpetual": "disabled",
+      "BanTime_Incremental": "false",
       "Postfix_status": "true",
       "Vsftpd_status": "true",
       "status": "enabled",
@@ -197,7 +197,7 @@ echo '{"action":"jails","status":"enabled","ApacheAuth_status":"true","ApacheBad
 - `configuration`
 
 ```bash
-echo '{"action":"configuration","status":"enabled","Mail":"enabled","MailJailState":"disabled","BanLocalNetwork":"disabled","Recidive_Perpetual":"disabled","CustomDestemail":[],"IgnoreIP":[],"LogLevel":"INFO","MaxRetry":"3","FindTime":"3600","BanTime":"1800"}' | /usr/bin/sudo /usr/libexec/nethserver/api/nethserver-fail2ban/validate | jq
+echo '{"action":"configuration","status":"enabled","Mail":"enabled","MailJailState":"disabled","BanLocalNetwork":"disabled","BanTime_Incremental":"false","CustomDestemail":[],"IgnoreIP":[],"LogLevel":"INFO","MaxRetry":"3","FindTime":"3600","BanTime":"1800"}' | /usr/bin/sudo /usr/libexec/nethserver/api/nethserver-fail2ban/validate | jq
 ```
 
 - `unban`
@@ -211,6 +211,3 @@ Unban the specified IP
 ## update
 
 See the `validate` input example: the format is the same.
-
-
-

api/read

@@ -126,8 +126,7 @@ elsif ($cmd eq 'configuration') {
             PamGeneric_status => $db->get_prop('fail2ban','PamGeneric_status'),
             PostfixSaslAbuse_status => $db->get_prop('fail2ban','PostfixSaslAbuse_status'),
             Postfix_status => $db->get_prop('fail2ban','Postfix_status'),
-            Recidive_Perpetual => $db->get_prop('fail2ban','Recidive_Perpetual'),
-            Recidive_status => $db->get_prop('fail2ban','Recidive_status'),
+            BanTime_Incremental => $db->get_prop('fail2ban','BanTime_Incremental'),
             Roundcube_status => $db->get_prop('fail2ban','Roundcube_status'),
             Rspamd_status => $db->get_prop('fail2ban','Rspamd_status'),
             Sieve_status => $db->get_prop('fail2ban','Sieve_status'),

api/update

@@ -39,7 +39,7 @@ if ($action eq 'configuration') {
     Mail
     MailJailState
     MaxRetry
-    Recidive_Perpetual
+    BanTime_Incremental
     status
     )) {
         $cdb->set_prop('fail2ban', $prop, $data->{$prop});
@@ -48,6 +48,13 @@ if ($action eq 'configuration') {
      $cdb->set_prop('fail2ban', 'CustomDestemail',join (',',@{$data->{'CustomDestemail'}}));
      $cdb->set_prop('fail2ban', 'IgnoreIP',join (',',@{$data->{'IgnoreIP'}}));
 
+    #either recidive or incremental bantime
+    if ($data->{'BanTime_Incremental'} eq 'true') {
+        $cdb->set_prop('fail2ban', 'Recidive_status','false');
+    } elsif ($data->{'BanTime_Incremental'} eq 'false') {
+        $cdb->set_prop('fail2ban', 'Recidive_status','true');
+    }
+
     esmith::event::set_json_log(1);
     my $success = esmith::event::event_signal('nethserver-fail2ban-save');
     if($success) {
@@ -83,7 +90,6 @@ elsif ($action eq 'jails') {
     PamGeneric_status
     PostfixSaslAbuse_status
     Postfix_status
-    Recidive_status
     Roundcube_status
     Rspamd_status
     Sieve_status

api/validate

@@ -36,7 +36,7 @@ switch ($data['action']) {
         $v->declareParameter('MailJailState', Validate::SERVICESTATUS);
         $v->declareParameter('MaxRetry', Validate::POSITIVE_INTEGER);
         $v->declareParameter('status', Validate::SERVICESTATUS);
-        $v->declareParameter('Recidive_Perpetual', Validate::SERVICESTATUS);
+        $v->declareParameter('BanTime_Incremental', $v->createValidator()->memberOf('true','false'));
 
         $ipValidator = $v->createValidator()->ipV4Address();
         foreach ( $data['IgnoreIP'] as $el) {
@@ -77,7 +77,6 @@ switch ($data['action']) {
         $v->declareParameter('Owncloud_status', $v->createValidator()->memberOf('true','false'));
         $v->declareParameter('PamGeneric_status', $v->createValidator()->memberOf('true','false'));
         $v->declareParameter('Postfix_status', $v->createValidator()->memberOf('true','false'));
-        $v->declareParameter('Recidive_status', $v->createValidator()->memberOf('true','false'));
         $v->declareParameter('Roundcube_status', $v->createValidator()->memberOf('true','false'));
         $v->declareParameter('Sieve_status', $v->createValidator()->memberOf('true','false'));
         $v->declareParameter('SogoAuth_status', $v->createValidator()->memberOf('true','false'));

root/etc/e-smith/db/configuration/defaults/fail2ban/BanTime_Incremental

@@ -0,0 +1 @@
+false

root/etc/e-smith/db/configuration/migrate/RemovePerpetualRecidive

@@ -0,0 +1,9 @@
+{
+    # Delete Recidive_Perpetual we support only incremental ban or recidive
+    # delete unused properties
+    use esmith::ConfigDB;
+    my $db = esmith::ConfigDB->open;
+
+    $db->get_prop_and_delete('fail2ban','Recidive_Perpetual');
+    '';
+}

root/etc/e-smith/events/actions/nethserver-fail2ban-cleanShorewallDynamic

@@ -24,8 +24,10 @@
 # This could be removed in the future version. if `IPList` is still in the json file
 # then fail2ban-statistics has not be triggered at least one time
 
-OUTPUT=$(/usr/bin/cat /var/lib/nethserver/fail2ban/fail2ban.json)
-if [[ $OUTPUT =~ 'IPList' ]]; then
+if [[ -f '/var/lib/nethserver/fail2ban/fail2ban.json' ]]; then
+    OUTPUT=$(/usr/bin/cat /var/lib/nethserver/fail2ban/fail2ban.json)
+    if [[ $OUTPUT =~ 'IPList' ]]; then
     /usr/sbin/iptables -F dynamic
     /usr/sbin/shorewall save
+    fi
 fi

root/etc/e-smith/templates/etc/fail2ban/jail.local/05GlobalSettings

@@ -5,6 +5,15 @@ findtime  = {($fail2ban{FindTime} || '900');}
 maxretry = {($fail2ban{MaxRetry} || '3');}
 usedns = yes
 
+bantime.increment = {($fail2ban{BanTime_Incremental} || 'false');}
+bantime.rndtime = 10
+# maximum timeout of ipset is 2147483
+bantime.maxtime = 1209600
+bantime.factor = 1
+# for bantime=60 the multipliers are minutes and equal: 1 min, 2 min, 4 min, 6 min, 8 min, 10 min, 20 min, 30 min, 1 hour, 5 hour, 12 hour, 1 day, 2 day
+bantime.multipliers = 1 2 4 6 8 10 20 30 40 50 60 300 720 1440 2880
+bantime.overalljails = false
+
 banaction = shorewall-ipset-proto6
 
 {
@@ -32,5 +41,3 @@ banaction = shorewall-ipset-proto6
 }
 
 action = {(($fail2ban{Mail} || 'enabled') eq 'enabled') ? '%(action_mw)s' : '%(action_)s' }
-
-

root/etc/e-smith/templates/etc/fail2ban/jail.local/10recidive

@@ -2,10 +2,7 @@
     use NethServer::Fail2Ban;
     my $findtime = '86400';
     my $bantime  = '1209600';
-    my $perpetual  = $fail2ban{Recidive_Perpetual} || 'disabled';
-    $bantime  = '-1' if ($perpetual eq 'enabled');
     my $maxretry = $fail2ban{Recidive_MaxRetry} || $fail2ban{MaxRetry}*2 || '6';
-    my $mail = $fail2ban{Mail} || 'enabled';
     return ("\n#recidive not used on this server\n") if (! NethServer::Fail2Ban::listRecidiveJails());
 
     foreach (NethServer::Fail2Ban::listRecidiveJails()) {
@@ -16,16 +13,6 @@
         $OUT .= "bantime  = $bantime\n";
         $OUT .= "findtime  = $findtime\n";
         $OUT .= "maxretry = $maxretry\n";
-
-        # if recidive is perpetual, ipset waits after a `O` bantime but fail2ban expects a `-1`
-        # This is an upstream bug it should be fixed but after 0.10.4 : fail2ban/fail2ban/issues/2487
-
-        if (($mail eq 'enabled') && ($perpetual eq 'enabled')) {
-            $OUT .= 'action_mw = %(banaction)s[name=%(__name__)s, bantime=0, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
-            %(mta)s-whois[name=%(__name__)s, sender="%(sender)s", dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]'."\n";
-        } elsif (($mail eq 'disabled') && ($perpetual eq 'enabled')) {
-            $OUT .= 'action_ = %(banaction)s[name=%(__name__)s, bantime=0, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]'."\n";
-        }
         $OUT .= "\n";
     }
 }

root/etc/e-smith/templates/etc/shorewall/initdone/20fail2ban

@@ -4,12 +4,8 @@
     use NethServer::Fail2Ban;
     return "" if ($fail2ban{'status'} ne 'enabled');
     my $bantime= $fail2ban{'BanTime'} || '1800';
-    my $perpetual = $fail2ban{'Recidive_Perpetual'} || 'disabled';
     foreach (NethServer::Fail2Ban::listAllJails()) {
-
-        if (($_ eq 'recidive') && ($perpetual eq 'enabled')) {
-            $OUT .= "system(\"/usr/sbin/ipset -quiet -exist create f2b-recidive hash:ip timeout 0 \");\n";
-        } elsif ($_ eq 'recidive') {
+        if ($_ eq 'recidive') {
             # max ban time for ipset is 2147483 seconds
             $OUT .= "system(\"/usr/sbin/ipset -quiet -exist create f2b-recidive hash:ip timeout 1209600 \");\n";
         } else {

root/usr/share/nethesis/NethServer/Language/en/NethServer_Module_Fail2Ban.php

@@ -44,7 +44,6 @@
 $L['PostfixSaslAbuse_status_label'] = 'Postfix sasl abuse';
 $L['Postfix_status_label'] = 'Postfix';
 $L['Recidive_status_label'] = 'Recidive';
-$L['Recidive_Perpetual_label'] = 'Recidive jail is perpetual';
 $L['Roundcube_status_label'] = 'Roundcubemail Auth';
 $L['Sieve_status_label'] = 'Sieve Auth';
 $L['SogoAuth_status_label'] = 'SOGo Auth';

root/usr/share/nethesis/NethServer/Module/Fail2Ban/Fail2BanSettings.php

@@ -48,7 +48,6 @@ public function initialize()
     $this->declareParameter('PamGeneric_status', $this->createValidator()->memberOf('true','false'), array('configuration', 'fail2ban', 'PamGeneric_status'));
     $this->declareParameter('Postfix_status', $this->createValidator()->memberOf('true','false'), array('configuration', 'fail2ban', 'Postfix_status'));
     $this->declareParameter('Recidive_status', $this->createValidator()->memberOf('true','false'), array('configuration', 'fail2ban', 'Recidive_status'));
-    $this->declareParameter('Recidive_Perpetual', Validate::SERVICESTATUS, array('configuration', 'fail2ban', 'Recidive_Perpetual'));
     $this->declareParameter('Roundcube_status', $this->createValidator()->memberOf('true','false'), array('configuration', 'fail2ban', 'Roundcube_status'));
     $this->declareParameter('Sieve_status', $this->createValidator()->memberOf('true','false'), array('configuration', 'fail2ban', 'Sieve_status'));
     $this->declareParameter('SogoAuth_status', $this->createValidator()->memberOf('true','false'), array('configuration', 'fail2ban', 'SogoAuth_status'));

root/usr/share/nethesis/NethServer/Template/Fail2Ban/Fail2BanSettings.php

@@ -5,7 +5,6 @@
 $advanced = $view->fieldset(NULL, $view::FIELDSET_EXPANDABLE)->setAttribute('template', $T('Advanced_label'))
 ->insert($view->columns()
     ->insert($view->slider('MaxRetry', $view::SLIDER_ENUMERATIVE | $view::LABEL_ABOVE)->setAttribute('label', $T('Retry_number_label')))
-    ->insert($view->checkBox('Recidive_Perpetual', 'enabled')->setAttribute('uncheckedValue', 'disabled'))
 )
 
 ->insert($view->columns()

ui/public/i18n/language.json

@@ -26,7 +26,6 @@
         "notify_to": "Notify to",
         "add_email": "Add an email",
         "MailJailState": "Notify on jail start/stop events",
-        "Recidive_Perpetual": "Recidive jail is perpetual",
         "BanLocalNetwork": "Allow bans on the LAN",
         "LogLevel": "Logging Level",
         "LogLevel_INFO": "INFO",
@@ -38,6 +37,9 @@
         "MaxRetry": "Number of attempts",
         "FindTime": "Time span",
         "BanTime": "Ban time",
+        "BanTime_Incremental": "Incremental ban time",
+        "Recidive_BanTime": "Static ban time",
+        "Recidive": "Ban the recidive",
         "slider_value": "Value",
         "FindTime_600": "10 minutes",
         "FindTime_900": "15 minutes",
@@ -48,6 +50,15 @@
         "FindTime_172800": "2 days",
         "FindTime_604800": "1 week",
         "FindTime_1209600": "2 weeks",
+        "BanTime_60": "1 minutes",
+        "BanTime_120": "2 minutes",
+        "BanTime_180": "3 minutes",
+        "BanTime_240": "4 minutes",
+        "BanTime_300": "5 minutes",
+        "BanTime_360": "6 minutes",
+        "BanTime_420": "7 minutes",
+        "BanTime_480": "8 minutes",
+        "BanTime_540": "9 minutes",
         "BanTime_600": "10 minutes",
         "BanTime_900": "15 minutes",
         "BanTime_1800": "30 minutes",
@@ -58,9 +69,7 @@
         "BanTime_604800": "1 week",
         "BanTime_1209600": "2 weeks",
         "settings_updated_error": "settings updated with errors",
-        "settings_updated_ok": "settings updated",
-        "recidive_perpetual_label":"The perpetual recidive jail can consume many server resources.",
-        "recidive_perpetual_info": "When the jail is full of IPs (maximum is 65536 IPs), it can greatly slowdown fail2ban and firewall restart. Please use it carefully and for a limited period of time."
+        "settings_updated_ok": "settings updated"
     },
     "jails":{
         "title": "Jails",
@@ -120,6 +129,9 @@
         "IgnoreIP": "All IP in this list will never be banned by Fail2ban (One IP per line)",
         "MailJailState": "All relative events to the jail (start or stop), will be notified to root and other recipients",
         "FindTime": "When fail2ban starts, the service looks for attackers in the logs for this time interval",
-        "LogLevel": "The DEBUG level could generate huge log size and fill your disk space"
+        "LogLevel": "The DEBUG level could generate huge log size and fill your disk space",
+        "Incremental_BanTime": "The incremental ban time allows to increase the time of ban after each failure found in log. It allows you to set a shorter ban time, a valid user can be banned for a short time but a brute force attacker will be banned for a long time.",
+        "Recidive": "Ban the brute force attack bots",
+        "Recidive_BanTime": "The static ban time allows you to block an IP with the recidive jail for two weeks when the IP has been banned in the fail2ban log at least X times."
     }
 }

ui/src/views/Jails.vue

@@ -474,23 +474,6 @@
           </div>
         </div>
 
-        <div
-          v-if="view.security"
-          :class="['form-group', errors.Recidive_status.hasError ? 'has-error' : '']"
-          >
-          <label
-            class="col-sm-2 control-label"
-            for="textInput-modal-markup"
-          >Recidive</label>
-          <div class="col-sm-5">
-            <input type="checkbox" v-model="configuration.Recidive_status" class="form-control">
-            <span
-              v-if="errors.Recidive_status.hasError"
-              class="help-block"
-            >{{errors.Recidive_status.message}}</span>
-          </div>
-        </div>
-
         <!-- ssh_jails -->
         <legend  class="fields-section-header-pf" aria-expanded="true">
             <span
@@ -771,7 +754,6 @@ export default {
               NginxBotSearch_status: "true",
               HttpdAdmin_status: "true",
               PamGeneric_status:"true",
-              Recidive_status: "true",
               Sshd_status:"true",
               SshdDdos_status:"true",
               OpenVpnAuth_status:"true",
@@ -782,7 +764,8 @@ export default {
               Rspamd_status: "true",
               SogoAuth_status: "true",
               Urbackup_status: "true",
-              Webtop_status: "true"
+              Webtop_status: "true",
+              BanTime_Incremental: "false"
       },
       loaders: false,
       errors: this.initErrors()
@@ -883,10 +866,6 @@ export default {
         hasError: false,
         message: ""
       },
-      Recidive_status: {
-        hasError: false,
-        message: ""
-      },
       Sshd_status: {
         hasError: false,
         message: ""
@@ -976,7 +955,6 @@ export default {
           context.configuration.NginxBotSearch_status = success.configuration.props.NginxBotSearch_status == "true";
           context.configuration.HttpdAdmin_status = success.configuration.props.HttpdAdmin_status == "true";
           context.configuration.PamGeneric_status = success.configuration.props.PamGeneric_status == "true";
-          context.configuration.Recidive_status = success.configuration.props.Recidive_status == "true";
           context.configuration.Sshd_status = success.configuration.props.Sshd_status == "true";
           context.configuration.SshdDdos_status = success.configuration.props.SshdDdos_status == "true";
           context.configuration.OpenVpnAuth_status = success.configuration.props.OpenVpnAuth_status == "true";
@@ -988,7 +966,7 @@ export default {
           context.configuration.SogoAuth_status = success.configuration.props.SogoAuth_status == "true";
           context.configuration.Urbackup_status = success.configuration.props.Urbackup_status == "true";
           context.configuration.Webtop_status = success.configuration.props.Webtop_status == "true";
-
+          context.configuration.BanTime_Incremental = success.configuration.props.BanTime_Incremental;
           context.view.isLoaded = true;
         },
         function(error) {
@@ -1070,9 +1048,6 @@ export default {
           PamGeneric_status: context.configuration.PamGeneric_status
             ? "true"
             : "false",
-          Recidive_status: context.configuration.Recidive_status
-            ? "true"
-            : "false",
           Sshd_status: context.configuration.Sshd_status
             ? "true"
             : "false",