diff -Nur smeserver-fail2ban-0.1.18.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/fail2ban smeserver-fail2ban-0.1.18/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/fail2ban --- smeserver-fail2ban-0.1.18.old/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/fail2ban 1969-12-31 19:00:00.000000000 -0500 +++ smeserver-fail2ban-0.1.18/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/fail2ban 2019-04-09 22:32:20.723000000 -0400 @@ -0,0 +1,190 @@ + + + SERVICE_STATUS + Fail2ban service status. + + + STATUS + Status + + + FilterLocalNetworks_STATUS + Whitelist all the local network defined. + + + FilterLocalNetworks + FilterLocalNetworks status + + + FilterValidRemoteHosts_STATUS + Whitelist all the authorized remote hosts allowed to acces server-manager. + + + FilterValidRemoteHosts + FilterValidRemoteHosts status + + + BANTIME + Set the default ban time for jails (Initial default is 1800 seconds). + + + DEFAULT_BANTIME + Bantime + + + FINDTIME + >Set the default find time for jails (Initial default is 900 seconds). + + + DEFAULT_FINDTIME + Findtime + + + MAXRETRY + Set the default max retry allowed before being ban (Initial default is 3). + + + DEFAULT_MAXRETRY + Maxretry + + + SSHD_STATUS + Status of sshd jail. + + + SSHD + sshd + + + QPSMTPD_STATUS + Status of qpsmtpd (incoming emails) jail. + + + QPSMTPD + qpsmtpd + + + IMAP_STATUS + Status of dovecot (imap service to retrieve emails) jail. + + + IMAP + dovecot + + + HTTPD_STATUS + Status of httpd jails. Multiple features are enabled at once there. + + + HTTPD + httpd + + + FTP_STATUS + Status of proftpd jail. + + + FTP + proftpd + + + LEMONLDAP_STATUS + Status of LemonLDAP jail, if installed. Nothing is running if LemonLDAP is not installed or disabled. + + + LEMONLDAP + LemonLDAP + + + EJABBERD_STATUS + Status of ejabberd jail, if installed. Nothing is running if ejabberd is not installed or disabled. + + + EJABBERD + ejabberd + + + SOGOD_STATUS + Status of SOGO jail, if installed. Nothing is running if SOGO is not installed or disabled. + + + SOGOD + SOGO + + + WORDPRESS_STATUS + Status of wordpress jails. You need to activate it manually whether you have it in an ibay or use the contrib. Please also install the plugin in all your wordpress instances. + + + WORDPRESS + wordpress + + + VALIDFROM_DESC + +

Allowed Hosts

+

This is a list of hosts that will not be blocked by fail2ban.

+ ]]> + + + + NO_ENTRIES_YET + No Entries Yet + + + DESC_ADD_IP + To add a new allowed network, enter the details below. + + + ADD_IP + Authorized network + + + DESC_ADD_BITS + To add a new allowed network, enter the associated subnet using bits eg 22, 25 or 32). + + + ADD_BITS + Authorized network subnet + + + CURRENT_DENY_DESC + + Blocked Hosts +

This is a list of hosts that are currently blocked. + ]]> + + + + FIRST_SEEN + Host first seen + + + SUCCESS + The new fail2ban settings have been saved. + + + ERR_NO_RECORD + Unable to locate fail2ban record in configuration db + + + ERROR_STOPPING + Error while trying to stop service + + + SUCCESS_IP + The following IP has been unbanned + + + SUCCESS_IP_WHITE + The following IP has been unbanned and whitelisted + + + ERROR_UPDATING + Unable to unban + + + ERROR_UPDATING_WHITE + Unable to unban and whitelist + + diff -Nur smeserver-fail2ban-0.1.18.old/root/etc/e-smith/web/functions/fail2ban smeserver-fail2ban-0.1.18/root/etc/e-smith/web/functions/fail2ban --- smeserver-fail2ban-0.1.18.old/root/etc/e-smith/web/functions/fail2ban 1969-12-31 19:00:00.000000000 -0500 +++ smeserver-fail2ban-0.1.18/root/etc/e-smith/web/functions/fail2ban 2019-04-09 22:33:38.413000000 -0400 @@ -0,0 +1,143 @@ +#!/usr/bin/perl -wT +# vim: ft=xml ts=8 sw=4 noet: +#---------------------------------------------------------------------- +# heading : Security +# description : Fail2Ban +# navigation : 5000 5250 +#---------------------------------------------------------------------- + +use strict; +use esmith::FormMagick::Panel::fail2ban; +my $f = esmith::FormMagick::Panel::fail2ban->new(); +$f->display(); + +__DATA__ +

+ + + + + SERVICE_STATUS + + + + FilterLocalNetworks_STATUS + + + + FilterValidRemoteHosts_STATUS + + + + + SEND_MAIL_STATUS + + + + BANTIME + + + + + FINDTIME + + + + MAXRETRY + + + + + + SSHD_STATUS + + + + QPSMTPD_STATUS + + + + IMAP_STATUS + + + + HTTPD_STATUS + + + + FTP_STATUS + + + + LEMONLDAP_STATUS + + + + EJABBERD_STATUS + + + + SOGOD_STATUS + + + + WORDPRESS_STATUS + + + + + + + DESC_ADD_IP + + + + DESC_ADD_BITS + + + + + + + + + + + + +
+ diff -Nur smeserver-fail2ban-0.1.18.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/fail2ban.pm smeserver-fail2ban-0.1.18/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/fail2ban.pm --- smeserver-fail2ban-0.1.18.old/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/fail2ban.pm 1969-12-31 19:00:00.000000000 -0500 +++ smeserver-fail2ban-0.1.18/root/usr/share/perl5/vendor_perl/esmith/FormMagick/Panel/fail2ban.pm 2019-04-09 22:35:27.295000000 -0400 @@ -0,0 +1,428 @@ +#!/usr/bin/perl -w + +package esmith::FormMagick::Panel::fail2ban; + +use strict; +use esmith::ConfigDB; +use esmith::FormMagick; +use esmith::util; +use esmith::cgi; +use File::Basename; +use Exporter; +use Carp; +use Data::Validate::IP; + +our @ISA = qw(esmith::FormMagick Exporter); + +our @EXPORT = qw(get_value get_prop change_settings RemoveIP); + +our $VERSION = sprintf '%d.%03d', q$Revision: 1.2 $ =~ /: (\d+).(\d+)/; +our $db = esmith::ConfigDB->open + || warn "Couldn't open configuration database (permissions problems?)"; +my $scriptname = basename($0); + +#TODO +#- translation +#- userpanel without settings + +my %defaultval=('FilterLocalNetworks'=> "enabled", + 'FilterValidRemoteHosts'=> "enabled", + "Mail" => "enabled", + "BanTime" => '1800', + "FindTime" => '900', + "MaxRetry" => '3', + "sshd" => 'enabled', + "qpsmtpd" => 'enabled', + "dovecot" => 'enabled', + "httpd-e-smith" => 'enabled', + "ftp" => 'enabled', + "lemonldap" => 'enabled', + "ejabberd" => 'enabled', + "sogod" => 'enabled', + "wordpress" => 'disabled', + + ) ; + +sub new { + shift; + my $self = esmith::FormMagick->new(); + $self->{calling_package} = (caller)[0]; + bless $self; + return $self; +} + +sub get_prop +{ + my $fm = shift; + my $item = shift; + my $prop = shift; + my $value = $db->get_prop($item, $prop) || ''; + if ( $value eq "" && exists($defaultval{$prop}) && $item eq "fail2ban") + { + $value=$defaultval{$prop}; + } + elsif ( $value eq "" && exists($defaultval{$item}) && $prop eq "Fail2Ban" && $item ne "fail2ban" ) + { + $value=$defaultval{$item}; + } + return $value; +} + +sub get_value { + my $fm = shift; + my $item = shift; + return ($db->get($item)->value()); +} + +sub ip_number_or_blank +{ + my $self = shift; + my $ip = shift; + + if (!defined($ip) || $ip eq "") + { + return 'OK'; + } + return CGI::FormMagick::Validator::ip_number($self, $ip); +} + +sub subnet_mask_bit +{ + my ($self, $mask) = @_; + my @allowed = (8,9,12,14,16,17,20,22,24,25,28,30,32); +# if ($self->ip_number_or_blank($mask) eq 'OK') + if ( !defined($mask) || $mask eq "" || grep( /^$mask$/, @allowed ) ) + { + return "OK"; + } + return "INVALID_SUBNET_MASK"; +} + +sub validate_network_and_mask +{ + my $self = shift; + my $mask = shift || ""; + + my $net = $self->cgi->param('ip') || ""; + if ($net xor $mask) + { + return $self->localise('ERR_INVALID_PARAMS'); + } + return 'OK'; +} + + + +sub _get_valid_from +{ + my $self = shift; + + my $rec = $db->get('fail2ban'); + return undef unless($rec); + my @vals = (split ',', ($rec->prop('IgnoreIP') || '')); + return @vals; +} + +sub ip_sort(@) +{ + return esmith::util::IPquadToAddr($a) <=> esmith::util::IPquadToAddr($b); +} + +sub show_valid_from_list +{ + my $self = shift; + my $q = $self->{cgi}; + + print '',$q->p($self->localise('VALIDFROM_DESC')),''; + + my @vals = $self->_get_valid_from(); + if (@vals) + { + print '', + $q->start_table({class => "sme-border"}),"\n"; + print $q->Tr( + esmith::cgi::genSmallCell($q, $self->localise('NETWORK'),"header"), + esmith::cgi::genSmallCell($q, $self->localise('REMOVE'),"header")); + my @vals_sorted= sort ip_sort @vals; + my @cbGroup = $q->checkbox_group(-name => 'validFromRemove', + -values => [@vals_sorted], -labels => { map {$_ => ''} @vals_sorted }); + foreach my $val (@vals_sorted) + { + print $q->Tr( + esmith::cgi::genSmallCell($q, $val, "normal"), + esmith::cgi::genSmallCell($q, shift(@cbGroup), + "normal")); + } + print ''; + } + else + { + print $q->Tr($q->td($q->b($self->localise('NO_ENTRIES_YET')))); + } + return ''; +} + +sub show_current_deny +{ + my $self = shift; + my $q = $self->{cgi}; + + print '',$q->p($self->localise('CURRENT_DENY_DESC')),''; + + my %vals = (); + if (open(DENY, "/etc/hosts.deny_ssh") ) { + %vals = map { m{DenyHosts: (.*) \| (.*)$}; $2 => $1; } grep /DenyHosts:/, ; + close DENY; + } + my @strvals = `/usr/bin/sfail2ban`; + + if (%vals) + { + print '', + $q->start_table({class => "sme-border"}),"\n"; + print $q->Tr( + esmith::cgi::genSmallCell($q, $self->localise('IP_ADDRESS'),"header"), + esmith::cgi::genSmallCell($q, $self->localise('JAIL'),"header"), + esmith::cgi::genSmallCell($q, $self->localise('ACTION'),"header")); + foreach my $sval (@strvals) + { + my @ssval= split(':',$sval); + my $curjail=$ssval[0]; + my @ssvalip = split(' ',$ssval[1]); + foreach my $sssval (@ssvalip) + { + my $ip=$sssval; + my $action3 ="".$self->localise('REMOVE')."" . + " ".$self->localise('WHITELIST')."" ; + + print $q->Tr( + esmith::cgi::genSmallCell($q, $ip, "normal"), + esmith::cgi::genSmallCell($q, $curjail, "normal"), + esmith::cgi::genSmallCell($q, $action3, "normal")); + } + + + } + print ''; + } + else + { + print $q->Tr($q->td($q->b($self->localise('NO_ENTRIES_YET')))); + } + return ''; +} + +sub add_new_valid_from +{ + my $self = shift; + my $q = $self->{cgi}; + + my $ip = $q->param('ip'); + my $bits = $q->param('bits'); + # do nothing if no ip was added + return 1 unless ($ip); + + my $rec = $db->get('fail2ban'); + unless ($rec) + { + return $self->error('ERR_NO_RECORD'); + } + + my $prop = $rec->prop('IgnoreIP') || ''; + + my @vals = split /,/, $prop; + return '' if (grep /^$ip\/$bits$/, @vals); # already have this entry + + if ($prop ne '') + { + $prop .= ",$ip/$bits"; + } + else + { + $prop = "$ip/$bits"; + } + $rec->set_prop('IgnoreIP', $prop); + $q->delete('ip'); + $q->delete('bits'); + return 1; +} + +sub remove_valid_from +{ + my $self = shift; + my $q = $self->{cgi}; + + my @remove = $q->param('validFromRemove'); + my @vals = $self->_get_valid_from(); + + foreach my $entry (@remove) + { + return undef unless $entry; + + unless (@vals) + { + print STDERR "ERROR: unable to load IgnoreIP property from conf db\n"; + return undef; + } + + @vals = (grep { $entry ne $_ } @vals); + } + + my $prop; + if (@vals) + { + $prop = join ',',@vals; + } + else + { + $prop = ''; + } + $db->get('fail2ban')->set_prop('IgnoreIP', $prop); + $q->delete('validFromRemove'); + + return 1; +} + +sub change_settings { + my ($fm) = @_; + my $q = $fm->{'cgi'}; + + my %conf; + + # Don't process the form unless we clicked the Save button. The event is + # called even if we chose the Remove link or the Add link. + return unless($q->param('Next') eq $fm->localise('SAVE')); + + my $ip = ($q->param ('ip') || ''); + my $status = ($q->param ('status') || 'status'); + my $FilterLocalNetworks = ($q->param ('FilterLocalNetworks') || "enabled"); + my $FilterValidRemoteHosts= ($q->param ('FilterValidRemoteHosts') || "enabled"); + my $Mail= ($q->param ("Mail") || "enabled"); + my $BanTime= ($q->param ("BanTime") || '1800'); + my $FindTime= ($q->param ("FindTime") || '900'); + my $MaxRetry= ($q->param ("MaxRetry") || '3'); + # those are stored in a different key dedicated to the service + my %services; + $services{'sshd'}= ($q->param ("sshd") ||'enabled'); + $services{'qpsmtp'}= ($q->param ("qpsmtpd") ||'enabled'); + $services{'dovecot'}= ($q->param ("dovecot") ||'enabled'); + $services{'httpd-e-smith'}= ($q->param ("httpd-e-smith") ||'enabled'); + $services{'ftp'}= ($q->param ("ftp") ||'enabled'); + $services{'lemonldap'}= ($q->param ("lemonldap") ||'enabled'); + $services{'ejabberd'}= ($q->param ("ejabberd" ) ||'enabled'); + $services{'sogod'}= ($q->param ("sogod" ) ||'enabled'); + $services{'wordpress'}= ($q->param ("wordpress") ||'enabled'); + + + #------------------------------------------------------------ + # Looks good; go ahead and change the access. + #------------------------------------------------------------ + + my $rec = $db->get('fail2ban'); + if ($rec) + { + $rec->set_prop('status', $status); + # unless prop empty and value eq default + $rec->set_prop('FilterLocalNetworks', $FilterLocalNetworks) unless ( ! $db->get_prop('fail2ban','FilterLocalNetworks') && $FilterLocalNetworks eq $defaultval{'FilterLocalNetworks'} ); + $rec->set_prop('FilterValidRemoteHosts', $FilterValidRemoteHosts) unless ( ! $db->get_prop('fail2ban','FilterValidRemoteHosts') && $FilterValidRemoteHosts eq $defaultval{'FilterValidRemoteHosts'} ); + $rec->set_prop('Mail', $Mail) unless ( ! $db->get_prop('fail2ban','Mail') && $Mail eq $defaultval{'Mail'} ); + $rec->set_prop('BanTime', $BanTime) unless ( ! $db->get_prop('fail2ban','BanTime') && $BanTime eq $defaultval{'BanTime'} ); + $rec->set_prop('FindTime', $FindTime) unless ( ! $db->get_prop('fail2ban','FindTime') && $FindTime eq $defaultval{'FindTime'} ); + $rec->set_prop('MaxRetry', $MaxRetry) unless ( ! $db->get_prop('fail2ban','MaxRetry') && $MaxRetry eq $defaultval{'MaxRetry'} ); + } + # for the 9 services update unless key does not exist and property does not exist and value eq default + foreach my $key (keys %services) + { + if ($key eq "wordpress") + { + $rec = $db->get('fail2ban'); + my $getprop = $db->get_prop('fail2ban',$key) || ""; + $rec->set_prop($key, $services{$key} ) unless ( ! $rec || (! $db->get_prop('fail2ban', $key) && $services{$key} eq $defaultval{$key} ) ); + } + else + { + $rec = $db->get($key); + my $getprop = $db->get_prop($key,'Fail2Ban') || ""; + $rec->set_prop('Fail2Ban', $services{$key} ) unless ( ! $rec || (! $db->get_prop($key,'Fail2Ban') && $services{$key} eq $defaultval{$key} ) ); + } + } +# this seems to prevent reload of service if we update something and remove or add an ip... +# return '' unless $fm->add_new_valid_from; +# return '' unless $fm->remove_valid_from; + + unless ( system( "/sbin/e-smith/signal-event", "fail2ban-update" ) == 0 ) + { + $fm->error('ERROR_UPDATING'); + return undef; + } + + if ( $rec->prop('status') eq 'disabled' ) + { + unless ( `/etc/init.d/fail2ban stop` ) + { + $fm->error('ERROR_STOPPING'); + return undef; + } + } + + $fm->success('SUCCESS'); +} + +# validate subnet + + + +# RemoveIP after validation +sub RemoveIP { + my $fm = shift; + my $q = $fm->{'cgi'}; + my %conf; + my $ip = ($q->param('IP') || ''); + my $whitelist = ($q->param('Whitelist'))? "true" : ''; + #check ip + my $validator=Data::Validate::IP->new; + + unless ($validator->is_ipv4($ip)) + { + $fm->error('ERROR_STOPPING'); + return undef; + } + $ip = $validator->is_ipv4($ip); + # validate and untaint jail + my $jail = ($q->param('jail') || ''); + # could be [a-zA-Z0-9_\-] + $jail = $jail =~ /([a-zA-Z0-9_\-]+)/ ? $1 : undef; + $fm->error('ERROR_UPDATING') unless $jail; + return undef unless $jail; + unless ( system( "/usr/bin/fail2ban-client set $jail unbanip $ip ".' >/dev/null 2>&1' ) == 0 ) + { + $fm->error('ERROR_UPDATING'); + return undef; + } + if ($whitelist ne "" ) { + # add $ip to whitelist for the current $jail + warn "/sbin/e-smith/db configuration setprop fail2ban IgnoreIP `/sbin/e-smith/db configuration getprop fail2ban IgnoreIP`,$ip/32"; + unless ( system( "/sbin/e-smith/db configuration setprop fail2ban IgnoreIP `/sbin/e-smith/db configuration getprop fail2ban IgnoreIP`,$ip/32 ".' >/dev/null 2>&1' ) == 0 + && system( "/usr/bin/fail2ban-client reload ".' >/dev/null 2>&1' ) == 0 + ) + { + $fm->error('ERROR_UPDATING_WHITE'); + return undef; + } + + $fm->success($fm->localise('SUCCESS_IP_WHITE').": $ip",'First'); + } + else + { + $fm->success($fm->localise('SUCCESS_IP').": $ip",'First'); + } +} + +sub back { + my $fm = shift; + my $q = $fm->{'cgi'}; + print "".$fm->localise('Back').""; +return; +} + +1; diff -Nur smeserver-fail2ban-0.1.18.old/usr/bin/sfail2ban smeserver-fail2ban-0.1.18/usr/bin/sfail2ban --- smeserver-fail2ban-0.1.18.old/usr/bin/sfail2ban 1969-12-31 19:00:00.000000000 -0500 +++ smeserver-fail2ban-0.1.18/usr/bin/sfail2ban 2019-04-09 22:34:41.216000000 -0400 @@ -0,0 +1,6 @@ +#!/bin/bash +for SERVI in $(fail2ban-client status|grep 'Jail list'|cut -d':' -f2|sed 's/, / /g'| sed -e 's/^[ \t]*//') +do +fail2ban-client status $SERVI |grep -E 'IP list|Status for the jail' |sed 'N;s/\n/:/'|cut -d: -f2,4 +done + diff -Nur smeserver-fail2ban-0.1.18.old/createlinks smeserver-fail2ban-0.1.18/createlinks --- smeserver-fail2ban-0.1.18.old/createlinks 2017-10-27 08:34:58.000000000 -0400 +++ smeserver-fail2ban-0.1.18/createlinks 2019-04-09 23:39:11.772000000 -0400 @@ -2,6 +2,8 @@ use esmith::Build::CreateLinks qw(:all); +panel_link("fail2ban", "manager"); + templates2events("/etc/rc.d/init.d/masq", "fail2ban-update"); foreach my $event qw(fail2ban-conf bootstrap-console-save){