6 Commits

Author SHA1 Message Date
Sunil Mohan Adapa
253540fb3d
security: Remove restricted access setting and configuration
Closes: #2276.

Functionality all over the system keeps failing due to this approach. The latest is
changing hostname in ejabberd Mnesia database fails (#2276). Further, users
connecting FreedomBox to a monitor can't use a GUI.

Tests:

- Without patches, enable restricted access. Apply patches and setup.py install.
Security app is updated. Restricted access is disabled and
/etc/security/access.d/{50freedombox.conf, 10freedombox-security.conf,
10freedombox-performance.conf} are removed. It is possible to log in to a
non-admin account via SSH.

- On a fresh install, the configuration files are not found.

- Security page does not show 'restrict console logins' option.

- Updating security app setting works. Message 'Configuration updated.' is
shown.

- First boot succeeds. Restrict console login is not enabled.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2022-12-05 20:47:13 -05:00
Sunil Mohan Adapa
387874ecfd
fail2ban: Make fail2ban log to journald
- Recommendation to use 'sysout' as log target in order to log to systemd
journal comes from the fail2ban.service file.

Tests:

- Install the changes and restart fail2ban. Notice that journalctl shows new
log lines.

- Logging to /var/log/fail2ban.log has stopped.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2022-10-09 08:54:02 -04:00
Sunil Mohan Adapa
252d69f465
security: Move fail2ban default configuration to this app
Since security app manages fail2ban, it makes sense to set the default
configuration in this app.

Tests performed:

- `./setup.py install` installs the file in the correct place.

- Only 10 incorrect SSH login attempts as noticed in the fail2ban log will
result in a ban.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
2021-03-05 18:06:04 -08:00
Veiko Aasa
6665052fe8
security: Fix access denied for user daemon from cron
When 'restrict console logins' is activated, debsecan hourly cron jobs fail
because the 'daemon' user is not allowed to run cron jobs. Add rule to the
login access control file to allow 'daemon' user to run cron jobs.

Fixes #1770

Tested that after I copied the file to /etc/security/access.d/10freedombox-security.conf,
there are no more debsecan cron job errors in the journalctl logs.

Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: Fioddor Superconcentrado <fioddor@gmail.com>
2020-12-28 15:46:37 +01:00
Sunil Mohan Adapa
ff247fa5aa
setup: Move app data files into respective apps
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-03-17 16:20:57 -04:00
Sunil Mohan Adapa
fdcbd46513
setup: Move app enabling files to respective apps
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
2019-03-17 16:20:54 -04:00