forwardemail
diff --git a/‎.env.defaults‎
Lines changed: 7 additions & 0 deletions b/‎.env.defaults‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎.env.schema‎
Lines changed: 20 additions & 0 deletions b/‎.env.schema‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎ansible/playbooks/files/portscan-protection.sh‎
Lines changed: 334 additions & 0 deletions b/‎ansible/playbooks/files/portscan-protection.sh‎
Lines changed: 334 additions & 0 deletions
@@ -1,3 +1,7 @@
+MONGO_BACKUP_BUCKET=forwardemail-backups
+REDIS_BACKUP_BUCKET=forwardemail-backups
+REDIS_DATA_DIR=/var/lib/redis
+
 ###################################
 ## ignored self test domains     ##
 ## (see `helpers/on-data-mx.js`) ##
@@ -262,7 +266,10 @@ EMAILS_MONGO_URI="mongodb://{{EMAILS_MONGO_HOST}}:{{EMAILS_MONGO_PORT}}/{{EMAILS
 REDIS_TLS=false
 REDIS_USERNAME=
 REDIS_PORT=6379
+REDIS_TLS_PORT=6380
 REDIS_HOST=localhost
+# Generate a 64-character random password (Redis can handle long passwords)
+# openssl rand -base64 48
 REDIS_PASSWORD=
 WEB_REDIS_TLS={{REDIS_TLS}}
 WEB_REDIS_USERNAME={{REDIS_USERNAME}}
 
@@ -1,3 +1,22 @@
+# MongoDB Configuration
+MONGO_HOST=
+MONGO_BACKUP_BUCKET=forwardemail-backups
+
+# Redis Configuration
+REDIS_HOST=
+REDIS_PASSWORD=
+REDIS_BACKUP_BUCKET=forwardemail-backups
+REDIS_DATA_DIR=/var/lib/redis
+
+# SSL/TLS Configuration (shared by both mongo/redis and inherited by others)
+SSL_CERT_PATH=
+SSL_KEY_PATH=
+SSL_CA_PATH=
+
+# Generate a 32-character random password
+# openssl rand -base64 32
+BACKUP_SECRET=
+
 ###################################
 ## ignored self test domains     ##
 ## (see `helpers/on-data-mx.js`) ##
@@ -263,6 +282,7 @@ EMAILS_MONGO_URI=
 REDIS_TLS=
 REDIS_USERNAME=
 REDIS_PORT=
+REDIS_TLS_PORT=
 REDIS_HOST=
 REDIS_PASSWORD=
 WEB_REDIS_TLS=
 
@@ -0,0 +1,334 @@
+#!/bin/bash
+SCRIPTNAME="Portscan Protection"
+VERSION="26-06-2023"
+SCRIPTLOCATION="/usr/local/sbin/portscan-protection.sh"
+WHITELISTLOCATION="/usr/local/sbin/portscan-protection-white.list"
+CRONLOCATION="/etc/cron.d/portscan-protection"
+GITHUBRAW="https://raw.githubusercontent.com/forwardemail/portscan-protection/master/portscan-protection.sh"
+AUTOUPDATE="YES" # Edit this variable to "NO" if you don't want to auto update this script (NOT RECOMMENDED)
+PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+#
+# Define some functions
+#
+
+IPSETCOMMANDCHECK()
+{
+	# Check the ipset command
+	! command -v ipset > /dev/null && printf "\nipset command ${RED}not found${NC}.\n" && exit 6 || printf "ipset command found. ${GR}OK.${NC}\n"
+}
+
+
+IPTABLECOMMANDCHECK()
+{
+	# Check the iptables command
+	! command -v iptables > /dev/null && printf "iptables command ${RED}not found${NC}.\n" && exit 7 || printf "iptables command found. ${GR}OK.${NC}\n"
+}
+
+
+SETCRONTAB()
+{
+	[ ! -f "$CRONLOCATION" ] || ! grep -q "reboot root sleep" "$CRONLOCATION" && printf "# $SCRIPTNAME installed at $(date)\n@reboot root sleep 30 && $SCRIPTLOCATION --cron\n\n" > "$CRONLOCATION" && printf "Crontab entry has been set. ${GR}OK.${NC}\n" || printf "Crontab entry ${GR}already set.${NC}\n"
+}
+
+
+WHITELIST()
+{
+	[ ! -f "$WHITELISTLOCATION" ] && printf "# This file is part of $SCRIPTNAME\n# Add one IP per line to this file. These IP addresses will be never blocked. Note: Only IPv4 addresses are supported.\n# More info on GitHub: https://github.com/Feriman22/portscan-protection\n# If you found it useful, please donate via PayPal: https://paypal.me/BajzaFerenc\n\n# Thank you!\n\n127.0.0.1" > $WHITELISTLOCATION
+	for i in nano vi vim; do
+		if command -v $i > /dev/null; then
+			$i "$WHITELISTLOCATION"
+			"$SCRIPTLOCATION" --cron
+			printf "Whitelist has been activated if the file has been modified.\n" ; FOUND="1"
+			break
+		fi
+	done
+	[ "$FOUND" != "1" ] && echo "nano, vi or vim is not found. Edit manually the whitelist: $WHITELISTLOCATION"
+}
+
+
+UPDATE()
+{
+	# Getting info about the latest GitHub version
+	NEW=$(curl -s "$GITHUBRAW" | awk -F'"' '/^VERSION/ {print $2}')
+
+	# Compare the installed and the GitHub stored version - Only internal, not available by any argument
+	if [[ "$1" == "ONLYCHECK" ]] && [[ "$NEW" != "$VERSION" ]]; then
+		[ "$1" != '--cron' ] && printf "New version ${YL}available!${NC}\n"
+	else
+		[[ "$1" == "ONLYCHECK" ]] && [ "$1" != '--cron' ] && printf "The downloaded $SCRIPTNAME is ${GR}up to date.${NC}\n\n"
+	fi
+
+	# Check the current installation
+	if [[ "$1" != "ONLYCHECK" ]] && [ -f "$CRONLOCATION" ] && [ -x "$SCRIPTLOCATION" ]; then
+
+		# Check the GitHub - Is it available? - Exit if not
+  		if [[ ! "$NEW" ]]; then
+			[ "$1" != '--cron' ] && printf "GitHub is ${RED}not available now.${NC} Try again later.\n"
+   			exit 8
+   		fi
+
+		# Compare the installed and the GitHub stored version
+		if [[ "$NEW" != "$VERSION" ]]; then
+			curl -s -o "$SCRIPTLOCATION" "$GITHUBRAW"
+			SETCRONTAB
+			[ "$1" != '--cron' ] && printf "Script has been ${GR}updated.${NC}\n"
+		else
+			[ "$1" != '--cron' ] && printf "The installed $SCRIPTNAME is ${GR}up to date.${NC}\n\n"
+		fi
+	else
+		[[ "$1" != "ONLYCHECK" ]] && [ "$1" != '--cron' ] && printf "Script ${RED}not installed.${NC} Install first then you can update it.\n"
+	fi
+}
+
+
+if [ "$1" != '--cron' ]; then
+	# Coloring
+	RED='\033[0;31m' # Red Color
+	GR='\033[0;32m' # Green Color
+	YL='\033[0;33m' # Yellow Color
+	NC='\033[0m' # No Color
+
+	printf "\n$SCRIPTNAME\n"
+	echo "Author: Feriman"
+	echo "URL: https://github.com/Feriman22/portscan-protection"
+	echo "Open GitHub page to read the manual and check new releases"
+	echo "Current version: $VERSION"
+	UPDATE ONLYCHECK # Check new version
+	printf "${GR}If you found it useful${NC}, please donate via PayPal: https://paypal.me/BajzaFerenc\n\n"
+fi
+
+# Check the root permission
+[ ! "$(id -u)" = 0 ] && printf "${RED}Run as root!${NC}\n" && exit 5
+
+# Check curl, ipset, iptables commands
+for i in curl ipset iptables; do ! command -v ipset > /dev/null && echo "$i command ${RED}not found${NC}" && NOT_FOUND="1"; done
+[ "$NOT_FOUND" == "1" ] && exit 10
+
+# Define ipset and iptable rules - Used at magic and uninstall part
+IPSET1='port_scanners hash:ip family inet hashsize 32768 maxelem 65536 timeout 600'
+IPSET2='scanned_ports hash:ip,port family inet hashsize 32768 maxelem 65536 timeout 60'
+IPTABLE1='INPUT -m state --state INVALID -j DROP'
+IPTABLE2='INPUT -m state --state NEW -m set ! --match-set scanned_ports src,dst -m hashlimit --hashlimit-above 1/hour --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name portscan --hashlimit-htable-expire 10000 -j SET --add-set port_scanners src --exist'
+IPTABLE3='INPUT -m state --state NEW -m set --match-set port_scanners src -j DROP'
+IPTABLE4='INPUT -m state --state NEW -j SET --add-set scanned_ports src,dst'
+
+# Enter in this section only if run by cron - It will do the magic
+if [ "$1" == '--cron' ]; then
+
+	# Add Whitelist IPs if any
+	if [ -f $WHITELISTLOCATION ]; then
+		while read WHILELISTIP; do
+			# Validate IP address
+			if [[ "$WHILELISTIP" =~ ^(([1-9]?[0-9]|1[0-9][0-9]|2([0-4][0-9]|5[0-5]))\.){3}([1-9]?[0-9]|1[0-9][0-9]|2([0-4][0-9]|5[0-5]))$ ]] && [ $(iptables -S | grep -cF -- "-A INPUT -s $WHILELISTIP/32 -j ACCEPT") -lt 1 ]; then
+				iptables -I INPUT -s $WHILELISTIP -j ACCEPT
+			fi
+		done < <(grep -v "^#\|^$" $WHITELISTLOCATION)
+	fi
+
+	ipset list | grep -q port_scanners || ipset create $IPSET1
+	ipset list | grep -q scanned_ports || ipset create $IPSET2
+	iptables -S | grep -qF -- "-A $IPTABLE1" || iptables -A $IPTABLE1
+	iptables -S | grep -qF -- "-A $IPTABLE2" || iptables -A $IPTABLE2
+	iptables -S | grep -qF -- "-A $IPTABLE3" || iptables -A $IPTABLE3
+	iptables -S | grep -qF -- "-A $IPTABLE4" || iptables -A $IPTABLE4
+
+	# Auto update if not disabled
+	[ "$AUTOUPDATE" == "YES" ] && UPDATE --cron
+
+	# Exit, because it run by cron
+	exit 0
+fi
+
+# Call the menu
+if [ "$1" == "-i" ] || [ "$1" == "-u" ] || [ "$1" == "-v" ] || [ "$1" == "--install" ] || [ "$1" == "--uninstall" ] || [ "$1" == "--verify" ] || [ "$1" == "-up" ] || [ "$1" == "--update" ]; then
+	OPT="$1" && OPTL="$1" && ARG="YES"
+else
+	PS3='Please enter your choice: '
+	[ -f "$SCRIPTLOCATION" ] && options=("Verify" "Edit Whitelist" "Update from GitHub" "Uninstall" "Quit")
+	[ ! -f "$SCRIPTLOCATION" ] && options=("Install" "Verify" "Quit")
+	select opt in "${options[@]}"
+	do
+		case $opt in
+			"Install")
+				OPT='-i' && OPTL='--install' && break
+				;;
+			"Uninstall")
+				OPT='-u' && OPTL='--uninstall' && break
+				;;
+			"Edit Whitelist")
+				WHITELIST ; break
+				;;
+			"Verify")
+				OPT='-v' && OPTL='--verify' && break
+				;;
+			"Update from GitHub")
+				UPDATE && break
+				;;
+			"Quit")
+				break
+				;;
+			*) echo "Invalid option $REPLY";;
+		esac
+	done
+fi
+
+##
+########### Menu: Install ###########
+##
+
+if [ "$OPT" == '-i' ] || [ "$OPTL" == '--install' ]; then
+
+	#
+	### Start Installation ###
+	#
+
+	# Start count the time of install process
+	SECONDS=0
+
+	IPSETCOMMANDCHECK
+
+	IPTABLECOMMANDCHECK
+
+	# Set crontab rule if it does not already exist
+	SETCRONTAB
+
+	# Copy the script to $SCRIPTLOCATION and add execute permission
+	INSTALLERLOCATION=$(realpath $0)
+	if [ "$INSTALLERLOCATION" != "$SCRIPTLOCATION" ]; then
+		curl -s -o "$SCRIPTLOCATION" "$GITHUBRAW" && chmod +x "$SCRIPTLOCATION" && printf "$SCRIPTNAME has been copied in $SCRIPTLOCATION ${GR}OK.${NC}\n"
+	else
+		printf "$SCRIPTNAME already copied to destination. Nothing to do. ${GR}OK.${NC}\n"
+	fi
+
+	# First "cron like" run to activate the iptable rules
+	"$SCRIPTLOCATION" --cron && printf "iptable rules have been activated. You are protected! ${GR}OK.${NC}\n"
+
+	# Finish
+	printf "\n${GR}Note:${NC} If you want to Edit Whitelist, or Verify the install, just run the below command:\nsudo $SCRIPTLOCATION\n\n"
+	printf "${GR}Done.${NC} The install was $(($SECONDS / 3600))hrs $((($SECONDS / 60) % 60))min $(($SECONDS % 60))sec. That was so quick, wasn't?\n"
+fi
+
+
+##
+########### Menu: Uninstall ###########
+##
+
+if [ "$OPT" == '-u' ] || [ "$OPTL" == '--uninstall' ]; then
+	if [ "$ARG" != 'YES' ]; then
+		loop=true;
+		while $loop; do
+			printf "${RED}UNINSTALL${NC} $SCRIPTNAME on $(hostname).\n"
+			read -p "Are you sure? [Y/n]: " var1
+			loop=false;
+			if [ "$var1" == 'Y' ] || [ "$var1" == 'y' ]; then
+				printf "Okay! You have 5 sec until starting the ${RED}UNINSTALL${NC} process on $(hostname). Press Ctrl + C to exit.\n"
+				for i in {5..1}; do echo $i && sleep 1; done
+			elif [ "$var1" == 'N' ] || [ "$var1" == 'n' ]; then
+				echo "Okay, exit."
+				exit 9
+			else
+				echo "Enter a valid response Y or n";
+				loop=true;
+			fi
+		done
+	fi
+
+	#
+	### Starting Uninstall ###
+	#
+
+	# Remove crontab file
+	if [ -f "$CRONLOCATION" ]; then
+		rm -r "$CRONLOCATION"
+		printf "\nCrontab file has been removed. ${GR}OK.${NC}\n"
+	else
+		printf "\nCrontab file not found. ${GR}OK.${NC}\n"
+	fi
+
+	# Remove the script
+	[ -f "$SCRIPTLOCATION" ] && rm -f "$SCRIPTLOCATION" && printf "$SCRIPTNAME has been removed. ${GR}OK.${NC}\n" || printf "Script not found. ${GR}OK.${NC}\n"
+
+	# Remove iptable rules
+	N=1
+	for IPTABLERULE in "$IPTABLE1" "$IPTABLE2" "$IPTABLE3" "$IPTABLE4"; do
+		if iptables -S | grep -qF -- "-A $IPTABLERULE"; then
+			iptables -D $IPTABLERULE
+			printf "#$N iptable rule has been removed. ${GR}OK.${NC}\n"
+		else
+			printf "#$N iptable rule not found. ${GR}OK.${NC}"
+		fi
+  		((N++))
+	done
+
+	# Remove Whitelist rules
+	if [ -f $WHITELISTLOCATION ]; then
+		while read WHILELISTIP; do
+			# Validate IP address
+			if [[ "$WHILELISTIP" =~ ^(([1-9]?[0-9]|1[0-9][0-9]|2([0-4][0-9]|5[0-5]))\.){3}([1-9]?[0-9]|1[0-9][0-9]|2([0-4][0-9]|5[0-5]))$ ]]; then
+				iptables -D INPUT -s $WHILELISTIP -j ACCEPT
+			fi
+		done < <(grep -v "^#\|^$" $WHITELISTLOCATION)
+		printf "Whitelist removed from iptables if any. ${GR}OK.${NC}"
+	fi
+
+	# Remove Whitelist
+	[ -f "$WHITELISTLOCATION" ] && rm -f "$WHITELISTLOCATION" && printf "Whitelist has been removed. ${GR}OK.${NC}\n" || printf "Whitelist not found. ${GR}OK.${NC}\n"
+
+	# Remove ipset rules
+	for IPSETRULE in scanned_ports port_scanners; do
+		if ipset list | grep -q "$IPSETRULE"; then
+			sleep 1
+			ipset destroy $IPSETRULE
+			printf "$IPSETRULE ipset rule has been removed. ${GR}OK.${NC}\n"
+		else
+			printf "$IPSETRULE ipset rule not found. ${GR}OK.${NC}\n"
+		fi
+	done
+
+	printf "\nIf the $SCRIPTNAME removed accidently, run this below command to install it again:\n"
+	printf "curl -s $GITHUBRAW | sudo bash /dev/stdin -i\n"
+fi
+
+##
+########### Menu: Verify ###########
+##
+
+if [ "$OPT" == '-v' ] || [ "$OPTL" == '--verify' ]; then
+
+	# Crontab verify
+	[ ! -f "$CRONLOCATION" ] && printf "\nCrontab entry ${RED}not found.${NC}\n" || printf "\nCrontab entry found. ${GR}OK.${NC}\n"
+
+	# Verify script location
+	if [ -f "$SCRIPTLOCATION" ]; then
+		printf "Script found. ${GR}OK.${NC}\n"
+
+		# Verify execute permission
+		[ -x "$SCRIPTLOCATION" ] && printf "The script is executable. ${GR}OK.${NC}\n" || printf "The execute permission is ${RED}missing.${NC} Fix it by run: chmod +x $SCRIPTLOCATION\n"
+
+	else
+		printf "Script ${RED}not found.${NC}\n"
+	fi
+
+	IPSETCOMMANDCHECK
+
+	IPTABLECOMMANDCHECK
+
+	iptables -S | grep -q port_scanners && iptables -S | grep -q scanned_ports && printf "iptables rules have been configured. You are protected! ${GR}OK.${NC}\n" || printf "iptables rules are ${RED}not configured!${NC}\n"
+
+	if [ -f $WHITELISTLOCATION ]; then
+		while read WHILELISTIP; do
+			# Validate IP address
+			if [[ ! "$WHILELISTIP" =~ ^(([1-9]?[0-9]|1[0-9][0-9]|2([0-4][0-9]|5[0-5]))\.){3}([1-9]?[0-9]|1[0-9][0-9]|2([0-4][0-9]|5[0-5]))$ ]]; then
+				printf "$WHILELISTIP is ${RED}not valid${NC} IPv4 address in the Whitelist and it will be ignored. May you have to fix it by choose Edit Whitelist from the menu.\n"
+			fi
+		done < <(grep -v "^#\|^$" $WHITELISTLOCATION)
+	fi
+fi
+
+
+##
+########### Menu: Update ###########
+##
+
+[ "$OPT" == '-up' ] || [ "$OPTL" == '--update' ] && UPDATE