+Fail2ban-Firewalld allows firewall module to run first

virtualmin · Jul 22, 2017 · afa35cf · afa35cf
1 parent df19c8b
commit afa35cf
Show file tree

Hide file tree

Showing 3 changed files with 164 additions and 19 deletions.
diff --git a/lib/Virtualmin/Config/LAMP.pm b/lib/Virtualmin/Config/LAMP.pm
@@ -17,22 +17,24 @@ sub plugins {
   # Modern system with systemd?
   if (-x "/usr/bin/systemctl" || -x "/bin/systemctl") {
     return [
-      "Webmin",    "Apache",    "Bind",         "Dovecot",
-      "Net",       "AWStats",   "Postfix",      "MySQL",
-      "Firewalld", "Procmail",  "ProFTPd",      "Quotas",
-      "SASL",      "Shells",    "Status",       "Upgrade",
-      "Usermin",   "Webalizer", "Virtualmin",
-      "ClamAV",    "NTP",       "SpamAssassin", "Fail2ban"
+      "Webmin",       "Apache",  "Bind",
+      "Dovecot",      "Net",     "AWStats",
+      "Postfix",      "MySQL",   "Firewalld",
+      "Procmail",     "ProFTPd", "Quotas",
+      "SASL",         "Shells",  "Status",
+      "Upgrade",      "Usermin", "Webalizer",
+      "Virtualmin",   "ClamAV",  "NTP",
+      "SpamAssassin", "Fail2ban-Firewalld"
     ];
   }
   else {
     return [
-      "Webmin",   "Apache",    "Bind",         "Dovecot",
-      "Net",      "AWStats",   "Postfix",      "MySQL",
-      "Firewall", "Procmail",  "ProFTPd",      "Quotas",
-      "SASL",     "Shells",    "Status",       "Upgrade",
-      "Usermin",  "Webalizer", "Virtualmin",
-      "ClamAV",   "NTP",       "SpamAssassin", "Fail2ban"
+      "Webmin",   "Apache",       "Bind",       "Dovecot",
+      "Net",      "AWStats",      "Postfix",    "MySQL",
+      "Firewall", "Procmail",     "ProFTPd",    "Quotas",
+      "SASL",     "Shells",       "Status",     "Upgrade",
+      "Usermin",  "Webalizer",    "Virtualmin", "ClamAV",
+      "NTP",      "SpamAssassin", "Fail2ban"
     ];
   }
 }

diff --git a/lib/Virtualmin/Config/Plugin/Fail2ban-Firewalld.pm b/lib/Virtualmin/Config/Plugin/Fail2ban-Firewalld.pm
@@ -0,0 +1,139 @@
+package Virtualmin::Config::Plugin::Fail2ban;
+
+# Enables fail2ban and sets up a reasonable set of rules.
+# This is currently identical to Fail2ban, with a different depends.
+# We could make the dependency resolution in Config smarter to re-merge it
+# back to one file. This will do for now.
+use strict;
+use warnings;
+no warnings qw(once);
+use parent 'Virtualmin::Config::Plugin';
+
+our $config_directory;
+our (%gconfig, %miniserv);
+our $trust_unknown_referers = 1;
+
+sub new {
+  my $class = shift;
+
+  # inherit from Plugin
+  my $self = $class->SUPER::new(name => 'Fail2ban', depends => 'Firewalld');
+
+  return $self;
+}
+
+# actions method performs whatever configuration is needed for this
+# plugin. XXX Needs to make a backup so changes can be reverted.
+sub actions {
+  my $self = shift;
+  my $err;
+
+  # XXX Webmin boilerplate.
+  use Cwd;
+  my $cwd  = getcwd();
+  my $root = $self->root();
+  chdir($root);
+  $0 = "$root/virtual-server/config-system.pl";
+  push(@INC, $root);
+  eval 'use WebminCore';    ## no critic
+  init_config();
+
+  # End of Webmin boilerplate.
+
+  $self->spin();
+  eval {
+    foreign_require('init', 'init-lib.pl');
+    init::enable_at_boot('fail2ban');
+
+    if (has_command('fail2ban-server')) {
+
+      # Create a jail.local with some basic config
+      create_fail2ban_jail();
+      create_fail2ban_firewalld();
+    }
+
+    init::restart_action('fail2ban');
+    $self->done(1);
+  };
+  if ($@) {
+    $self->done(0);    # NOK!
+  }
+}
+
+sub create_fail2ban_jail {
+  if (-e "/etc/fail2ban/jail.local") {
+    die "Fail2ban already has local configuration. Will not overwrite.";
+  }
+  open(my $JAIL_LOCAL, '>', '/etc/fail2ban/jail.local');
+  print $JAIL_LOCAL <<EOF;
+[sshd]
+
+enabled = true
+port    = ssh
+logpath = %(sshd_log)s
+backend = %(sshd_backend)s
+
+[ssh-ddos]
+
+enabled = true
+port    = ssh,sftp
+filter  = sshd-ddos
+log_path = %{sshd_log}s
+
+[webmin-auth]
+
+enabled = true
+port    = 10000
+logpath = %(syslog_authpriv)s
+backend = %(syslog_backend)s
+
+[proftpd]
+
+enabled  = true
+port     = ftp,ftp-data,ftps,ftps-data
+logpath  = %(proftpd_log)s
+backend  = %(proftpd_backend)s
+
+[postfix]
+
+enabled  = true
+port     = smtp,465,submission
+logpath  = %(postfix_log)s
+backend  = %(postfix_backend)s
+
+[dovecot]
+
+enabled = true
+port    = pop3,pop3s,imap,imaps,submission,465,sieve
+logpath = %(dovecot_log)s
+backend = %(dovecot_backend)s
+
+[postfix-sasl]
+
+enabled  = true
+port     = smtp,465,submission,imap3,imaps,pop3,pop3s
+logpath  = %(postfix_log)s
+backend  = %(postfix_backend)s
+
+EOF
+
+  close $JAIL_LOCAL;
+}
+
+sub create_fail2ban_firewalld {
+  if (has_command('firewall-cmd')
+    && !-e '/etc/fail2ban/jail.d/00-firewalld.conf')
+  {
+    # Apply firewalld actions by default
+    open(my $FIREWALLD_CONF, '>', '/etc/fail2ban/jail.d/00-firewalld.conf');
+    print $FIREWALLD_CONF <<EOF;
+# This file created by Virtualmin to enable firewalld-cmd actions by
+# default. It can be removed, if you use a different firewall.
+[DEFAULT]
+banaction = firewallcmd-ipset
+EOF
+    close $FIREWALLD_CONF;
+  }    # XXX iptables-multiport is default on CentOS, double check others.
+}
+
+1;
diff --git a/lib/Virtualmin/Config/Plugin/Fail2ban.pm b/lib/Virtualmin/Config/Plugin/Fail2ban.pm
@@ -1,4 +1,5 @@
 package Virtualmin::Config::Plugin::Fail2ban;
+
 # Enables fail2ban and sets up a reasonable set of rules.
 use strict;
 use warnings;
@@ -13,7 +14,7 @@ sub new {
   my $class = shift;
 
   # inherit from Plugin
-  my $self = $class->SUPER::new(name => 'Fail2ban');
+  my $self = $class->SUPER::new(name => 'Fail2ban', depends => 'Firewall');
 
   return $self;
 }
@@ -33,6 +34,7 @@ sub actions {
   push(@INC, $root);
   eval 'use WebminCore';    ## no critic
   init_config();
+
   # End of Webmin boilerplate.
 
   $self->spin();
@@ -41,6 +43,7 @@ sub actions {
     init::enable_at_boot('fail2ban');
 
     if (has_command('fail2ban-server')) {
+
       # Create a jail.local with some basic config
       create_fail2ban_jail();
       create_fail2ban_firewalld();
@@ -59,7 +62,7 @@ sub create_fail2ban_jail {
     die "Fail2ban already has local configuration. Will not overwrite.";
   }
   open(my $JAIL_LOCAL, '>', '/etc/fail2ban/jail.local');
-print $JAIL_LOCAL <<EOF;
+  print $JAIL_LOCAL <<EOF;
 [sshd]
 
 enabled = true
@@ -111,22 +114,23 @@ backend  = %(postfix_backend)s
 
 EOF
 
-close $JAIL_LOCAL;
+  close $JAIL_LOCAL;
 }
 
 sub create_fail2ban_firewalld {
-  if ( has_command('firewall-cmd') &&
-       ! -e '/etc/fail2ban/jail.d/00-firewalld.conf') {
+  if (has_command('firewall-cmd')
+    && !-e '/etc/fail2ban/jail.d/00-firewalld.conf')
+  {
     # Apply firewalld actions by default
-    open (my $FIREWALLD_CONF, '>', '/etc/fail2ban/jail.d/00-firewalld.conf');
+    open(my $FIREWALLD_CONF, '>', '/etc/fail2ban/jail.d/00-firewalld.conf');
     print $FIREWALLD_CONF <<EOF;
 # This file created by Virtualmin to enable firewalld-cmd actions by
 # default. It can be removed, if you use a different firewall.
 [DEFAULT]
 banaction = firewallcmd-ipset
 EOF
     close $FIREWALLD_CONF;
-  } # XXX iptables-multiport is default on CentOS, double check others.
+  }    # XXX iptables-multiport is default on CentOS, double check others.
 }
 
 1;