I am going to close this issue soon, as almost all has been done:

• Now the Debian default configuration is used where possible
• An attacker is now blocked on all ports by default, instead of only the affected one. This can be reverted back via config/fail2ban-jail.cf.
• The packets are now dropped by default, however reject can also be configured via $FAIL2BAN_BLOCKTYPE=drop|reject.
• FAIL2BAN_BLOCK_PERMANENT was not implemented. This can be easily done, by setting a pretty long bantime in config/fail2ban-jail.cf.

The changes are now merged into the master branch, but have not been released yet.

@BlockI0tChain @aendeavor @wernerfred

If available, I’d gladly test any tag/configuration on my env.

That would be great. Please test and let me know, if you encounter any problems. I use this setup now for about a week and had no issues so far.

I am not sure I understand what you asking for exactly - sorry.

Some things may not be as easy to test locally as they might be against a deployed instance. If you want to test fail2ban rules, that might also apply? (I’m not familiar with f2b much, just regarding IP or domain names)

My concern is pretty simple: I am not familiar with bats at the moment. So this part should be done by someone else with more knowledge.

I had the same problem at the start of the year with my PRs. They’re reasonably well documented I think with comments (the bats tests), although mine differs a bit, I reworked this one too which is more like most tests.

I should be able to assist/guide you with any questions about putting a test together. As the docs are being reworked, this is also a contributing section that needs to be covered, so it’s best to utilize your inexperience with writing the bats tests to get the questions and feedback to help knowing what needs to be covered 😃

I’m not sure if tests can be run via Docker (since they start containers themselves), and I opted to run my tests in a temporary $5/month VPS. You need to be on Linux otherwise I think to run the tests, or use a VM (Ubuntu 20.04) that matches what Github uses.

I recall needing to run a command for cloning over the submodules (bats being one of them) to run, and another for initializing docker-mailserver for testing (dummy accounts) that make runs, as per the Github CI workflow we have does.

Other than that, it was just making a test-name.bats file like I linked to, that describes the docker-mailserver image configuration followed by some @test sections that run commands and assert the result is what you expect for success or failure conditions.

As you’re testing new PR, you’d need to additionally build a new Docker image to test against (the tests use ${NAME}) which defaults to mailserver-testing:ci.

I can help you with any of that, or any other questions you have 👍

Currently this is defined:

# "ignoreip" can be a list of IP addresses, CIDR masks or DNS hosts. Fail2ban
# will not ban a host which matches an address in this list. Several addresses
# can be defined using space (and/or comma) separator.
ignoreip = 127.0.0.1/8

This can be overwritten/extended via config/fail2ban-jail.cf.

Does this site from the docs answer your question?

If available, I’d gladly test any tag/configuration on my env.

The following tasks have to be done (let me know if something is missing):

• Create a new branch for testing
• Remove target/fail2ban/jail.conf and go with the default debian config
• Implement things as discussed here
• Update Docu
• Testing if fail2ban works as expected
• Review/Enhance bat tests

For the bat tests, I need support from someone else. Also testing should be ideally done by more people. The other stuff I should be able to take care of within the next weeks.

Edit: “Update Docu” added.

I’ve added possible configuration options to my first post, including BLOCK_PERMANENT.

I am not too knowledgeable about F2B myself, but any bans should not be permanent

The default ban time is 3 hours and wasn’t subject to change?