
#!/bin/bash

# Banner probe: when called with -T, print the copyright string (no trailing
# newline) and leave before anything on the system is read or changed.
case "$1" in
	-T)
		printf '%s' "(c) Ispmanager.com"
		exit 0
		;;
esac

. /usr/local/mgr5/lib/pkgsh/core_pkg_funcs.sh

# Marker text that brackets the section this script appends to jail.local.
macro_isp="# ispmanager"
# Optional "banaction = ..." line added to every generated jail. When it stays
# empty the jails carry no banaction line of their own, so fail2ban's default
# ban action applies.
action_addon=""

# Pick the SSH jail name and, on CentOS 7 only, the ban action.
# NOTE(review): OSTYPE is presumably set to REDHAT (or another family name) by
# the sourced core_pkg_funcs.sh; bash's built-in OSTYPE is a platform string
# such as "linux-gnu" and never equals REDHAT by itself. Confirm.
if [ "${OSTYPE}" != "REDHAT" ]; then
	codename=$(lsb_release -c -s)
	case "${codename}" in
		wheezy | jessie | trusty)
			# These releases get the jail named "ssh"; everything else,
			# including an empty codename, gets "sshd".
			fail2ban_ssh="ssh"
			;;
		*)
			fail2ban_ssh="sshd"
			;;
	esac
else
	fail2ban_ssh="sshd"
	# for centos-7
	OSVER=$(rpm -q --qf "%{version}" -f /etc/redhat-release)
	if [ "${OSVER%%\.*}" = "7" ]; then
		# Use the ban action that matches the firewall front end in use:
		# firewalld when its service reports a status, plain iptables otherwise.
		if Service firewalld status >/dev/null 2>&1; then
			action_addon="banaction = firewallcmd-ipset"
		else
			action_addon="banaction = iptables-multiport"
		fi
	fi
fi

#######################################
# Write the ispmanager Exim filter for fail2ban, replacing any existing
# /etc/fail2ban/filter.d/exim-isp.conf.
# The patterns match these Exim log events: failed SMTP authentication
# ("535 Incorrect authentication data"), SMTP protocol synchronization
# errors, calls dropped for too many nonmail commands or syntax/protocol
# errors, AUTH used when not advertised, connections that sent no MAIL
# command, and connections closed by DROP in an ACL.
# NOTE(review): %(pid)s and %(host_info)s are presumably defined by the
# included exim-common.conf; confirm against the installed fail2ban.
# Returns: exit status of the write.
#######################################
make_filter_exim_isp() {
    local -r filter_file=/etc/fail2ban/filter.d/exim-isp.conf
    # Quoted 'EOF': the body is copied verbatim, with no shell expansion of
    # the backslashes and "$" anchors in the regular expressions.
    cat << 'EOF' > "${filter_file}"
# Fail2Ban filter for exim isp
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# exim-common.local
before = exim-common.conf

[Definition]

failregex = ^%(pid)s \w+ authenticator failed for (?:[^\[\( ]* )?(?:\(\S*\) )?\[<HOST>\](?::\d+)?(?: I=\[\S+\](:\d+)?)?: 535 Incorrect authentication data( \(set_id=.*\)|: \d+ Time\(s\))?\s*$
            ^%(pid)s SMTP protocol synchronization error \([^)]*\): rejected (?:connection from|"\S+") %(host_info)s(?:next )?input=".*"\s*$
            ^%(pid)s SMTP call from (?:[^\[\( ]* )?%(host_info)sdropped: too many (?:nonmail commands|syntax or protocol errors) \(last (?:command )?was "[^"]*"\)\s*$
            ^%(pid)s SMTP protocol error in "[^"]+(?:"+[^"]*(?="))*?" %(host_info)sAUTH command used when not advertised\s*$
            ^%(pid)s no MAIL in SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sD=\d\S*s(?: C=\S*)?\s*$
            ^%(pid)s (?:[\w\-]+ )?SMTP connection from (?:[^\[\( ]* )?(?:\(\S*\) )?%(host_info)sclosed by DROP in ACL\s*$

ignoreregex =
EOF
}

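#######################################
# Append the SSH jail section to /etc/fail2ban/jail.local.
# Globals:
#   fail2ban_ssh (read) - jail name, "ssh" or "sshd"
#   action_addon (read) - optional "banaction = ..." line; when empty a blank
#                         line is written in its place
#   OSTYPE (read)
# Returns: exit status of the write to jail.local.
#######################################
make_jail_local_ssh() {
	local jail_data
	# The globals are passed as printf arguments, never as the format string,
	# so a "%" or backslash in them cannot change what lands in the jail file.
	printf -v jail_data '[%s]\nmaxretry = 5\nenabled = true\n%s\n' \
		"${fail2ban_ssh}" "${action_addon}"
	# NOTE(review): presumably these releases need the systemd journal backend
	# for the SSH jail; confirm against the target distributions.
	if [ "${OSTYPE}" != "REDHAT" ] && [[ $(lsb_release -c -s) =~ bookworm|jammy|noble ]]; then
		jail_data+=$'backend = systemd\n'
	fi
	# One write, so the section is appended as a unit.
	printf '%s' "${jail_data}" >> /etc/fail2ban/jail.local
}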

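#######################################
# Install the exim-isp filter and append the matching jail section to
# /etc/fail2ban/jail.local.
# Globals:
#   action_addon (read) - optional "banaction = ..." line; may be empty
# Outputs: a diagnostic on stderr when the filter cannot be written.
# Returns: non-zero if the filter file or the jail section cannot be written.
#######################################
make_jail_local_exim() {
    local enabled_jail=false

    # Write the filter first and stop if that fails: a jail section without
    # its filter file would presumably be rejected when fail2ban loads its
    # configuration, which would also take the SSH jail down.
    if ! make_filter_exim_isp; then
        echo "fail2ban.sh: cannot write exim-isp filter; exim-isp jail not added" >&2
        return 1
    fi

    # The jail is always written, but enabled only where exim actually runs.
    if exim --version >/dev/null 2>&1; then
        enabled_jail=true
    fi

    # Unquoted delimiter on purpose: ${enabled_jail} and ${action_addon} are
    # expanded by the shell, while %(exim_main_log)s is left for fail2ban.
    cat >> /etc/fail2ban/jail.local << EOF
[exim-isp]
port   = smtp,465,submission
logpath = %(exim_main_log)s
maxretry = 5
enabled = ${enabled_jail}
${action_addon}
EOF
}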

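#######################################
# Add the ispmanager-managed jails to /etc/fail2ban/jail.local, bracketed by
# "# ispmanager start" / "# ispmanager end" markers, unless an SSH jail section
# is already present in that file.
# Globals:
#   fail2ban_ssh (read) - SSH jail name looked for in jail.local
#   macro_isp (read)    - marker text
# Outputs: "Fail2ban already configured" on stdout when nothing is added.
# Returns: exit status of the last command run (the echo or the final write).
#######################################
make_jail_local() {
	local -r jail_file=/etc/fail2ban/jail.local

	# Only the SSH section header is tested, not the ispmanager markers, so a
	# hand-written SSH section also means the exim-isp jail is never added.
	if [ -f "${jail_file}" ] && grep -Eq "^\s*\[${fail2ban_ssh}\]" "${jail_file}"; then
		echo "Fail2ban already configured"
	else
		# ">>" creates jail.local when it is missing, so no separate touch.
		# The marker is a printf argument, not part of the format string.
		printf '%s start\n' "${macro_isp}" >> "${jail_file}"
		make_jail_local_ssh
		make_jail_local_exim
		printf '\n%s end\n' "${macro_isp}" >> "${jail_file}"
	fi
}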

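# Write the jails, then restart and enable fail2ban. Each step runs only if
# the one before it succeeded.
if make_jail_local &&
	Service fail2ban restart &&
	Service fail2ban enable; then
	echo "Fail2ban configured"
else
	# Keep the failing step's exit status, but do not fail silently: a host
	# left without a running fail2ban has no brute-force protection on SSH/SMTP.
	rc=$?
	echo "fail2ban.sh: configuration failed (exit status ${rc}); fail2ban may not be running" >&2
	exit "${rc}"
fi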