From 8984240e44df9f3ed6e7ad5d84ade10c0e124e51 Mon Sep 17 00:00:00 2001
From: andryyy
Date: Thu, 13 Jun 2019 19:38:53 +0200
Subject: [PATCH] [Watchdog, Config] Added WATCHDOG_NOTIFY_BAN to disable IP ban notifications [Netfilter] Remove unused files after installation [Compose] Some new images and a new option for watchdog: WATCHDOG_NOTIFY_BAN - defaults to y
---
 data/Dockerfiles/netfilter/Dockerfile | 5 +++--
 data/Dockerfiles/watchdog/watchdog.sh | 4 ++--
 docker-compose.yml | 5 +++--
 generate_config.sh | 5 +++++
 update.sh | 6 ++++++
 5 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/data/Dockerfiles/netfilter/Dockerfile b/data/Dockerfiles/netfilter/Dockerfile
index 7ed441920..76175dac3 100644
--- a/data/Dockerfiles/netfilter/Dockerfile
+++ b/data/Dockerfiles/netfilter/Dockerfile
@@ -5,9 +5,10 @@ ENV XTABLES_LIBDIR /usr/lib/xtables
 ENV PYTHON_IPTABLES_XTABLES_VERSION 12
 ENV IPTABLES_LIBDIR /usr/lib
-RUN apk add -U python3 python3-dev gcc musl-dev iptables ip6tables tzdata \
+RUN apk add --virtual .build-deps gcc python3-dev musl-dev libffi-dev openssl-dev \
+ && apk add -U python3 iptables ip6tables tzdata \
 && pip3 install --upgrade python-iptables==0.13.0 redis ipaddress dnspython \
- && apk del python3-dev gcc
+ && apk del .build-deps
 COPY server.py /
 CMD ["python3", "-u", "/server.py"]
diff --git a/data/Dockerfiles/watchdog/watchdog.sh b/data/Dockerfiles/watchdog/watchdog.sh
index 0132fa973..d2e1924c8 100755
--- a/data/Dockerfiles/watchdog/watchdog.sh
+++ b/data/Dockerfiles/watchdog/watchdog.sh
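Review bot: The `pip3 install --upgrade python-iptables==0.13.0 redis ipaddress dnspython` line kept in the new RUN chain still pins only python-iptables, so `redis` and `dnspython` resolve to whatever PyPI serves at build time and the image that programs the firewall is not reproducible from one build to the next; pin them too, e.g. `redis==<version> dnspython==<version>` with the versions the project currently builds against. `ipaddress` is part of the Python 3 standard library, so the PyPI package of that name is an unnecessary third-party dependency here and can be dropped from the list. Collecting the toolchain in a `--virtual .build-deps` group that is removed after the install is the right direction; using `--no-cache` instead of `-U` on the runtime `apk add` would additionally keep the apk index out of the final layer.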
@@ -687,8 +687,8 @@ while true; do
 for host in "${F2B_RES[@]}"; do
 log_msg "Banned ${host}"
 rm /tmp/fail2ban 2> /dev/null
- whois ${host} > /tmp/fail2ban
- [[ ! -z ${WATCHDOG_NOTIFY_EMAIL} ]] && mail_error "${com_pipe_answer}" "IP ban: ${host}"
+ whois ${host} > /tmp/fail2ban
+ [[ ! -z ${WATCHDOG_NOTIFY_EMAIL} ]] && [[ ${WATCHDOG_NOTIFY_BAN} =~ ^([yY][eE][sS]|[yY])+$ ]] && mail_error "${com_pipe_answer}" "IP ban: ${host}"
 done
 elif [[ ${com_pipe_answer} =~ .+-mailcow ]]; then
 kill -STOP ${BACKGROUND_TASKS[*]}
diff --git a/docker-compose.yml b/docker-compose.yml
index 7dc15f2b9..2246ab39a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -340,7 +340,7 @@ services:
 - acme
 netfilter-mailcow:
- image: mailcow/netfilter:1.25
+ image: mailcow/netfilter:1.26
 build: ./data/Dockerfiles/netfilter
 stop_grace_period: 30s
 depends_on:
@@ -364,7 +364,7 @@ services:
 - /lib/modules:/lib/modules:ro
 watchdog-mailcow:
- image: mailcow/watchdog:1.46
+ image: mailcow/watchdog:1.47
 # Debug
 #command: /watchdog.sh
 build: ./data/Dockerfiles/watchdog
@@ -381,6 +381,7 @@ services:
 - DBPASS=${DBPASS}
 - USE_WATCHDOG=${USE_WATCHDOG:-n}
 - WATCHDOG_NOTIFY_EMAIL=${WATCHDOG_NOTIFY_EMAIL}
+ - WATCHDOG_NOTIFY_BAN=${WATCHDOG_NOTIFY_BAN:-y}
 - MAILCOW_HOSTNAME=${MAILCOW_HOSTNAME}
 - IPV4_NETWORK=${IPV4_NETWORK:-172.22.1}
 - IP_BY_DOCKER_API=${IP_BY_DOCKER_API:-0}
diff --git a/generate_config.sh b/generate_config.sh
index abcce68df..27c9a0b75 100755
--- a/generate_config.sh
+++ b/generate_config.sh
@@ -195,10 +195,12 @@ SKIP_HTTP_VERIFICATION=n
 SKIP_CLAMD=${SKIP_CLAMD}
 # Skip Solr on low-memory systems or if you do not want to store a readable index of your mails in solr-vol-1.
+
 SKIP_SOLR=${SKIP_SOLR}
 # Solr heap size in MB, there is no recommendation, please see Solr docs.
 # Solr is a prone to run OOM and should be monitored. Unmonitored Solr setups are not recommended.
+
 SOLR_HEAP=1024
 # Enable watchdog (watchdog-mailcow) to restart unhealthy containers (experimental)
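Review bot: The new `WATCHDOG_NOTIFY_BAN` test only gates `mail_error`, so the `whois ${host} > /tmp/fail2ban` line just above it still sends an outbound whois query for every banned address even when the operator has disabled ban notifications, presumably only to fill a file that `mail_error` then never reads. Gating the lookup together with the mail keeps ban handling local when notifications are off: `[[ ! -z ${WATCHDOG_NOTIFY_EMAIL} ]] && [[ ${WATCHDOG_NOTIFY_BAN} =~ ^([yY][eE][sS]|[yY])+$ ]] && { whois "${host}" > /tmp/fail2ban; mail_error "${com_pipe_answer}" "IP ban: ${host}"; }`. Quoting `"${host}"` there also stops an unexpected value in `F2B_RES` from being word-split into several whois arguments. The enclosing `while true` loop and the `for host` body begin and end outside the hunk.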
@@ -215,6 +217,9 @@ ALLOW_ADMIN_EMAIL_LOGIN=n
 #WATCHDOG_NOTIFY_EMAIL=a@example.com,b@example.com,c@example.com
 #WATCHDOG_NOTIFY_EMAIL=
+# Notify about banned IP (includes whois lookup)
+WATCHDOG_NOTIFY_BAN=y
+
 # Max log lines per service to keep in Redis logs
 LOG_LINES=9999
diff --git a/update.sh b/update.sh
index 913da049d..b034d3cfc 100755
--- a/update.sh
+++ b/update.sh
@@ -256,6 +256,12 @@ for option in ${CONFIG_ARRAY[@]}; do
 echo "#MAILDIR_SUB=Maildir" >> mailcow.conf
 echo "MAILDIR_SUB=" >> mailcow.conf
 fi
+ elif [[ ${option} == "WATCHDOG_NOTIFY_BAN" ]]; then
+ if ! grep -q ${option} mailcow.conf; then
+ echo "Adding new option \"${option}\" to mailcow.conf"
+ echo '# Notify about banned IP. Includes whois lookup.' >> mailcow.conf
+ echo "WATCHDOG_NOTIFY_BAN=y" >> mailcow.conf
+ fi
 elif ! grep -q ${option} mailcow.conf; then
 echo "Adding new option \"${option}\" to mailcow.conf"
 echo "${option}=n" >> mailcow.conf
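Review bot: The new `if ! grep -q ${option} mailcow.conf; then` branch for WATCHDOG_NOTIFY_BAN detects the option with an unanchored substring match, so a commented-out `#WATCHDOG_NOTIFY_BAN=` line, or any comment that mentions the name, would make update.sh skip adding the setting and leave the container on the compose default `${WATCHDOG_NOTIFY_BAN:-y}` without telling the operator. Anchoring the test to a real assignment, `if ! grep -q "^${option}=" mailcow.conf; then`, avoids that; the pre-existing generic `elif ! grep -q ${option} mailcow.conf` branch below uses the same loose pattern, so either tighten both or add a comment on the new branch noting that the match is deliberately loose for consistency. The enclosing `for option in ${CONFIG_ARRAY[@]}` loop and its if/elif chain begin and end outside the hunk.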