Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 1 | <?php
|
| 2 | function fail2ban($_action, $_data = null) {
|
| 3 | global $redis;
|
| 4 | $_data_log = $_data;
|
| 5 | switch ($_action) {
|
| 6 | case 'get':
|
| 7 | $f2b_options = array();
|
| 8 | if ($_SESSION['mailcow_cc_role'] != "admin") {
|
| 9 | return false;
|
| 10 | }
|
| 11 | try {
|
| 12 | $f2b_options = json_decode($redis->Get('F2B_OPTIONS'), true);
|
| 13 | $f2b_options['regex'] = json_decode($redis->Get('F2B_REGEX'), true);
|
| 14 | $wl = $redis->hGetAll('F2B_WHITELIST');
|
| 15 | if (is_array($wl)) {
|
| 16 | foreach ($wl as $key => $value) {
|
| 17 | $tmp_wl_data[] = $key;
|
| 18 | }
|
| 19 | if (isset($tmp_wl_data)) {
|
| 20 | natsort($tmp_wl_data);
|
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 21 | $f2b_options['whitelist'] = implode(PHP_EOL, (array)$tmp_wl_data);
|
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 22 | }
|
| 23 | else {
|
| 24 | $f2b_options['whitelist'] = "";
|
| 25 | }
|
| 26 | }
|
| 27 | else {
|
| 28 | $f2b_options['whitelist'] = "";
|
| 29 | }
|
| 30 | $bl = $redis->hGetAll('F2B_BLACKLIST');
|
| 31 | if (is_array($bl)) {
|
| 32 | foreach ($bl as $key => $value) {
|
| 33 | $tmp_bl_data[] = $key;
|
| 34 | }
|
| 35 | if (isset($tmp_bl_data)) {
|
| 36 | natsort($tmp_bl_data);
|
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 37 | $f2b_options['blacklist'] = implode(PHP_EOL, (array)$tmp_bl_data);
|
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 38 | }
|
| 39 | else {
|
| 40 | $f2b_options['blacklist'] = "";
|
| 41 | }
|
| 42 | }
|
| 43 | else {
|
| 44 | $f2b_options['blacklist'] = "";
|
| 45 | }
|
| 46 | $pb = $redis->hGetAll('F2B_PERM_BANS');
|
| 47 | if (is_array($pb)) {
|
| 48 | foreach ($pb as $key => $value) {
|
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 49 | $f2b_options['perm_bans'][] = array(
|
| 50 | 'network'=>$key,
|
| 51 | 'ip' => strtok($key,'/')
|
| 52 | );
|
| 53 |
|
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 54 | }
|
| 55 | }
|
| 56 | else {
|
| 57 | $f2b_options['perm_bans'] = "";
|
| 58 | }
|
| 59 | $active_bans = $redis->hGetAll('F2B_ACTIVE_BANS');
|
| 60 | $queue_unban = $redis->hGetAll('F2B_QUEUE_UNBAN');
|
| 61 | if (is_array($active_bans)) {
|
| 62 | foreach ($active_bans as $network => $banned_until) {
|
| 63 | $queued_for_unban = (isset($queue_unban[$network]) && $queue_unban[$network] == 1) ? 1 : 0;
|
| 64 | $difference = $banned_until - time();
|
| 65 | $f2b_options['active_bans'][] = array(
|
| 66 | 'queued_for_unban' => $queued_for_unban,
|
| 67 | 'network' => $network,
|
Matthias Andreas Benkard | 7b2a3a1 | 2021-08-16 10:57:25 +0200 | [diff] [blame] | 68 | 'ip' => strtok($network,'/'),
|
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 69 | 'banned_until' => sprintf('%02dh %02dm %02ds', ($difference/3600), ($difference/60%60), $difference%60)
|
| 70 | );
|
| 71 | }
|
| 72 | }
|
| 73 | else {
|
| 74 | $f2b_options['active_bans'] = "";
|
| 75 | }
|
| 76 | }
|
| 77 | catch (RedisException $e) {
|
| 78 | $_SESSION['return'][] = array(
|
| 79 | 'type' => 'danger',
|
| 80 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 81 | 'msg' => array('redis_error', $e)
|
| 82 | );
|
| 83 | return false;
|
| 84 | }
|
| 85 | return $f2b_options;
|
| 86 | break;
|
| 87 | case 'edit':
|
| 88 | if ($_SESSION['mailcow_cc_role'] != "admin") {
|
| 89 | $_SESSION['return'][] = array(
|
| 90 | 'type' => 'danger',
|
| 91 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 92 | 'msg' => 'access_denied'
|
| 93 | );
|
| 94 | return false;
|
| 95 | }
|
| 96 | // Start to read actions, if any
|
| 97 | if (isset($_data['action'])) {
|
| 98 | // Reset regex filters
|
| 99 | if ($_data['action'] == "reset-regex") {
|
| 100 | try {
|
| 101 | $redis->Del('F2B_REGEX');
|
| 102 | }
|
| 103 | catch (RedisException $e) {
|
| 104 | $_SESSION['return'][] = array(
|
| 105 | 'type' => 'danger',
|
| 106 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 107 | 'msg' => array('redis_error', $e)
|
| 108 | );
|
| 109 | return false;
|
| 110 | }
|
| 111 | // Rules will also be recreated on log events, but rules may seem empty for a second in the UI
|
| 112 | docker('post', 'netfilter-mailcow', 'restart');
|
| 113 | $fail_count = 0;
|
| 114 | $regex_result = json_decode($redis->Get('F2B_REGEX'), true);
|
| 115 | while (empty($regex_result) && $fail_count < 10) {
|
| 116 | $regex_result = json_decode($redis->Get('F2B_REGEX'), true);
|
| 117 | $fail_count++;
|
| 118 | sleep(1);
|
| 119 | }
|
| 120 | if ($fail_count >= 10) {
|
| 121 | $_SESSION['return'][] = array(
|
| 122 | 'type' => 'danger',
|
| 123 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 124 | 'msg' => array('reset_f2b_regex')
|
| 125 | );
|
| 126 | return false;
|
| 127 | }
|
| 128 | }
|
| 129 | elseif ($_data['action'] == "edit-regex") {
|
| 130 | if (!empty($_data['regex'])) {
|
| 131 | $rule_id = 1;
|
| 132 | $regex_array = array();
|
| 133 | foreach($_data['regex'] as $regex) {
|
| 134 | $regex_array[$rule_id] = $regex;
|
| 135 | $rule_id++;
|
| 136 | }
|
| 137 | if (!empty($regex_array)) {
|
| 138 | $redis->Set('F2B_REGEX', json_encode($regex_array, JSON_UNESCAPED_SLASHES));
|
| 139 | }
|
| 140 | }
|
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 141 | $_SESSION['return'][] = array(
|
| 142 | 'type' => 'success',
|
| 143 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 144 | 'msg' => array('object_modified', htmlspecialchars($network))
|
| 145 | );
|
| 146 | return true;
|
| 147 | }
|
| 148 |
|
| 149 | // Start actions in dependency of network
|
| 150 | if (!empty($_data['network'])) {
|
| 151 | $networks = (array)$_data['network'];
|
| 152 | foreach ($networks as $network) {
|
| 153 | // Unban network
|
| 154 | if ($_data['action'] == "unban") {
|
| 155 | if (valid_network($network)) {
|
| 156 | try {
|
| 157 | $redis->hSet('F2B_QUEUE_UNBAN', $network, 1);
|
| 158 | }
|
| 159 | catch (RedisException $e) {
|
| 160 | $_SESSION['return'][] = array(
|
| 161 | 'type' => 'danger',
|
| 162 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 163 | 'msg' => array('redis_error', $e)
|
| 164 | );
|
| 165 | continue;
|
| 166 | }
|
| 167 | }
|
| 168 | }
|
| 169 | // Whitelist network
|
| 170 | elseif ($_data['action'] == "whitelist") {
|
| 171 | if (empty($network)) { continue; }
|
| 172 | if (valid_network($network)) {
|
| 173 | try {
|
| 174 | $redis->hSet('F2B_WHITELIST', $network, 1);
|
| 175 | $redis->hDel('F2B_BLACKLIST', $network, 1);
|
| 176 | $redis->hSet('F2B_QUEUE_UNBAN', $network, 1);
|
| 177 | }
|
| 178 | catch (RedisException $e) {
|
| 179 | $_SESSION['return'][] = array(
|
| 180 | 'type' => 'danger',
|
| 181 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 182 | 'msg' => array('redis_error', $e)
|
| 183 | );
|
| 184 | continue;
|
| 185 | }
|
| 186 | }
|
| 187 | else {
|
| 188 | $_SESSION['return'][] = array(
|
| 189 | 'type' => 'danger',
|
| 190 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 191 | 'msg' => array('network_host_invalid', $network)
|
| 192 | );
|
| 193 | continue;
|
| 194 | }
|
| 195 | }
|
| 196 | // Blacklist network
|
| 197 | elseif ($_data['action'] == "blacklist") {
|
| 198 | if (empty($network)) { continue; }
|
| 199 | if (valid_network($network) && !in_array($network, array(
|
| 200 | '0.0.0.0',
|
| 201 | '0.0.0.0/0',
|
| 202 | getenv('IPV4_NETWORK') . '0/24',
|
| 203 | getenv('IPV4_NETWORK') . '0',
|
| 204 | getenv('IPV6_NETWORK')
|
| 205 | ))) {
|
| 206 | try {
|
| 207 | $redis->hSet('F2B_BLACKLIST', $network, 1);
|
| 208 | $redis->hDel('F2B_WHITELIST', $network, 1);
|
| 209 | //$response = docker('post', 'netfilter-mailcow', 'restart');
|
| 210 | }
|
| 211 | catch (RedisException $e) {
|
| 212 | $_SESSION['return'][] = array(
|
| 213 | 'type' => 'danger',
|
| 214 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 215 | 'msg' => array('redis_error', $e)
|
| 216 | );
|
| 217 | continue;
|
| 218 | }
|
| 219 | }
|
| 220 | else {
|
| 221 | $_SESSION['return'][] = array(
|
| 222 | 'type' => 'danger',
|
| 223 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 224 | 'msg' => array('network_host_invalid', $network)
|
| 225 | );
|
| 226 | continue;
|
| 227 | }
|
| 228 | }
|
| 229 | $_SESSION['return'][] = array(
|
| 230 | 'type' => 'success',
|
| 231 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 232 | 'msg' => array('object_modified', htmlspecialchars($network))
|
| 233 | );
|
| 234 | }
|
| 235 | return true;
|
| 236 | }
|
| 237 | }
|
| 238 | // Start default edit without specific action
|
| 239 | $is_now = fail2ban('get');
|
| 240 | if (!empty($is_now)) {
|
| 241 | $ban_time = intval((isset($_data['ban_time'])) ? $_data['ban_time'] : $is_now['ban_time']);
|
Matthias Andreas Benkard | d1f5b68 | 2023-11-18 13:18:30 +0100 | [diff] [blame^] | 242 | $ban_time_increment = (isset($_data['ban_time_increment']) && $_data['ban_time_increment'] == "1") ? 1 : 0;
|
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 243 | $max_attempts = intval((isset($_data['max_attempts'])) ? $_data['max_attempts'] : $is_now['max_attempts']);
|
Matthias Andreas Benkard | d1f5b68 | 2023-11-18 13:18:30 +0100 | [diff] [blame^] | 244 | $max_ban_time = intval((isset($_data['max_ban_time'])) ? $_data['max_ban_time'] : $is_now['max_ban_time']);
|
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 245 | $retry_window = intval((isset($_data['retry_window'])) ? $_data['retry_window'] : $is_now['retry_window']);
|
| 246 | $netban_ipv4 = intval((isset($_data['netban_ipv4'])) ? $_data['netban_ipv4'] : $is_now['netban_ipv4']);
|
| 247 | $netban_ipv6 = intval((isset($_data['netban_ipv6'])) ? $_data['netban_ipv6'] : $is_now['netban_ipv6']);
|
| 248 | $wl = (isset($_data['whitelist'])) ? $_data['whitelist'] : $is_now['whitelist'];
|
| 249 | $bl = (isset($_data['blacklist'])) ? $_data['blacklist'] : $is_now['blacklist'];
|
| 250 | }
|
| 251 | else {
|
| 252 | $_SESSION['return'][] = array(
|
| 253 | 'type' => 'danger',
|
| 254 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 255 | 'msg' => 'access_denied'
|
| 256 | );
|
| 257 | return false;
|
| 258 | }
|
| 259 | $f2b_options = array();
|
| 260 | $f2b_options['ban_time'] = ($ban_time < 60) ? 60 : $ban_time;
|
Matthias Andreas Benkard | d1f5b68 | 2023-11-18 13:18:30 +0100 | [diff] [blame^] | 261 | $f2b_options['ban_time_increment'] = ($ban_time_increment == 1) ? true : false;
|
| 262 | $f2b_options['max_ban_time'] = ($max_ban_time < 60) ? 60 : $max_ban_time;
|
Matthias Andreas Benkard | b382b10 | 2021-01-02 15:32:21 +0100 | [diff] [blame] | 263 | $f2b_options['netban_ipv4'] = ($netban_ipv4 < 8) ? 8 : $netban_ipv4;
|
| 264 | $f2b_options['netban_ipv6'] = ($netban_ipv6 < 8) ? 8 : $netban_ipv6;
|
| 265 | $f2b_options['netban_ipv4'] = ($netban_ipv4 > 32) ? 32 : $netban_ipv4;
|
| 266 | $f2b_options['netban_ipv6'] = ($netban_ipv6 > 128) ? 128 : $netban_ipv6;
|
| 267 | $f2b_options['max_attempts'] = ($max_attempts < 1) ? 1 : $max_attempts;
|
| 268 | $f2b_options['retry_window'] = ($retry_window < 1) ? 1 : $retry_window;
|
| 269 | try {
|
| 270 | $redis->Set('F2B_OPTIONS', json_encode($f2b_options));
|
| 271 | $redis->Del('F2B_WHITELIST');
|
| 272 | $redis->Del('F2B_BLACKLIST');
|
| 273 | if(!empty($wl)) {
|
| 274 | $wl_array = array_map('trim', preg_split( "/( |,|;|\n)/", $wl));
|
| 275 | $wl_array = array_filter($wl_array);
|
| 276 | if (is_array($wl_array)) {
|
| 277 | foreach ($wl_array as $wl_item) {
|
| 278 | if (valid_network($wl_item) || valid_hostname($wl_item)) {
|
| 279 | $redis->hSet('F2B_WHITELIST', $wl_item, 1);
|
| 280 | }
|
| 281 | else {
|
| 282 | $_SESSION['return'][] = array(
|
| 283 | 'type' => 'danger',
|
| 284 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 285 | 'msg' => array('network_host_invalid', $wl_item)
|
| 286 | );
|
| 287 | continue;
|
| 288 | }
|
| 289 | }
|
| 290 | }
|
| 291 | }
|
| 292 | if(!empty($bl)) {
|
| 293 | $bl_array = array_map('trim', preg_split( "/( |,|;|\n)/", $bl));
|
| 294 | $bl_array = array_filter($bl_array);
|
| 295 | if (is_array($bl_array)) {
|
| 296 | foreach ($bl_array as $bl_item) {
|
| 297 | if (valid_network($bl_item) && !in_array($bl_item, array(
|
| 298 | '0.0.0.0',
|
| 299 | '0.0.0.0/0',
|
| 300 | getenv('IPV4_NETWORK') . '0/24',
|
| 301 | getenv('IPV4_NETWORK') . '0',
|
| 302 | getenv('IPV6_NETWORK')
|
| 303 | ))) {
|
| 304 | $redis->hSet('F2B_BLACKLIST', $bl_item, 1);
|
| 305 | }
|
| 306 | else {
|
| 307 | $_SESSION['return'][] = array(
|
| 308 | 'type' => 'danger',
|
| 309 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 310 | 'msg' => array('network_host_invalid', $bl_item)
|
| 311 | );
|
| 312 | continue;
|
| 313 | }
|
| 314 | }
|
| 315 | }
|
| 316 | }
|
| 317 | }
|
| 318 | catch (RedisException $e) {
|
| 319 | $_SESSION['return'][] = array(
|
| 320 | 'type' => 'danger',
|
| 321 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 322 | 'msg' => array('redis_error', $e)
|
| 323 | );
|
| 324 | return false;
|
| 325 | }
|
| 326 | $_SESSION['return'][] = array(
|
| 327 | 'type' => 'success',
|
| 328 | 'log' => array(__FUNCTION__, $_action, $_data_log),
|
| 329 | 'msg' => 'f2b_modified'
|
| 330 | );
|
| 331 | break;
|
| 332 | }
|
| 333 | }
|