From 5567db543111c9119c790782e8c414bfb55e3568 Mon Sep 17 00:00:00 2001 From: anmol Date: Wed, 21 Nov 2018 03:59:22 +0530 Subject: [PATCH] Added Fail2ban --- scripts/_common.sh | 65 ++++++++++++++++++++++++++++++++++++++++++++++ scripts/backup | 19 +++++++++----- scripts/install | 8 +++++- scripts/remove | 18 ++++++++----- scripts/restore | 20 +++++++++----- scripts/upgrade | 8 +++++- 6 files changed, 118 insertions(+), 20 deletions(-) create mode 100644 scripts/_common.sh diff --git a/scripts/_common.sh b/scripts/_common.sh new file mode 100644 index 0000000..80ff3a8 --- /dev/null +++ b/scripts/_common.sh 
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+#=================================================
+# EXPERIMENTAL HELPERS
+#=================================================
+
+# Create a dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]]
+# | arg: log_file - Log file to be checked by fail2ban
+# | arg: failregex - Failregex to be looked for by fail2ban
+# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3
+# | arg: ports - Ports blocked for a banned IP address - default: http,https
+ynh_add_fail2ban_config () {
+ # Process parameters
+ logpath=$1
+ failregex=$2
+ max_retry=${3:-3}
+ ports=${4:-http,https}
+
+ test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
+ test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
+
+ finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
+ finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
+ ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
+ ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
+
+ sudo tee $finalfail2banjailconf <&2
+ echo "WARNING${fail2ban_error#*WARNING}" >&2
+ fi
+}
+
+# Remove the dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_remove_fail2ban_config
+ynh_remove_fail2ban_config () {
+ ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
+ ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
+ sudo systemctl restart fail2ban
+}
diff --git a/scripts/backup b/scripts/backup
index c32acc2..10047a6 100644
--- a/scripts/backup
+++ b/scripts/backup
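Review bot: `ynh_add_fail2ban_config` assigns `logpath`, `failregex`, `max_retry`, `ports` and both `finalfail2ban*conf` paths without `local`, so once this file is sourced a call overwrites any same-named variable in the install or upgrade script. Declare them at the top of the function, e.g. `local logpath=$1 failregex=$2 max_retry=${3:-3} ports=${4:-http,https}`, and quote the target in `sudo tee "$finalfail2banjailconf"`. The usage line also calls the second argument `filter` while the argument list and the code call it `failregex`; one name should be used in both. The text between the `tee` call and the WARNING echo is not readable on this page, so the generated jail and filter bodies could not be checked here.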
@@ -13,12 +13,12 @@ set -eu # IMPORT GENERIC HELPERS #================================================= -#if [ ! -e _common.sh ]; then -# # Get the _common.sh file if it's not in the current directory -# cp ../settings/scripts/_common.sh ./_common.sh -# chmod a+rx _common.sh -#fi -#source _common.sh +if [ ! -e _common.sh ]; then + # Get the _common.sh file if it's not in the current directory + cp ../settings/scripts/_common.sh ./_common.sh + chmod a+rx _common.sh +fi +source _common.sh source /usr/share/yunohost/helpers #================================================= @@ -52,6 +52,13 @@ ynh_backup "/etc/nginx/conf.d/$domain.d/$app.conf" ynh_backup "/etc/php5/fpm/pool.d/$app.conf" +#================================================= +# BACKUP FAIL2BAN CONFIGURATION +#================================================= + +ynh_backup "/etc/fail2ban/jail.d/$app.conf" +ynh_backup "/etc/fail2ban/filter.d/$app.conf" + #================================================= # BACKUP THE MYSQL DATABASE #================================================= diff --git a/scripts/install b/scripts/install index 5bc8f3b..b699956 100644 --- a/scripts/install +++ b/scripts/install @@ -6,7 +6,7 @@ # IMPORT GENERIC HELPERS #================================================= -#source ./_common.sh +source ./_common.sh source /usr/share/yunohost/helpers #================================================= @@ -140,6 +140,12 @@ chown -R root: "$final_path" chown $app "$final_path/Specific/"{config.php,config.system.php} chmod 640 "$final_path/Specific/"{config.php,config.system.php} +#================================================= +# SETUP FAIL2BAN +#================================================= + +ynh_add_fail2ban_config "/var/log/nginx/$domain-access.log" ".*PROPFIND /baikal.*401 295.*$" 5 + #================================================= # SETUP SSOWAT #================================================= diff --git a/scripts/remove b/scripts/remove index 48e5bcf..b6f23af 100644 
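Review bot: The re-enabled `source _common.sh` in the first backup hunk has no slash in the file name, so bash looks the name up in `PATH` before it falls back to the current directory; install uses `source ./_common.sh`, and the same form here would make backup load only the copy placed next to it. The first hunks of remove, restore and upgrade carry the same bare `source _common.sh`. `chmod a+rx _common.sh` is also wider than needed, since a sourced file only has to be readable by the user running the script.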
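Review bot: The failregex passed in the SETUP FAIL2BAN block of install, `".*PROPFIND /baikal.*401 295.*$"`, contains no `<HOST>` tag, and fail2ban needs one in every failregex to know which address to count and ban; unless the helper adds it (its filter body is not readable on this page), the jail will fail to load or never ban anyone. The pattern also hard-codes the `/baikal` path and the `295` response size, so an install under another path or any change in the 401 body length silently disables detection. An anchored form such as `^<HOST> .*"PROPFIND <install path>[^"]*" 401 ` would be more robust, with the install path taken from the script's own path setting. DAV clients commonly receive one 401 before they send credentials, so it is worth confirming that a limit of 5 does not ban legitimate sync clients. The same call is repeated in the second upgrade hunk.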
--- a/scripts/remove +++ b/scripts/remove @@ -6,13 +6,13 @@ # IMPORT GENERIC HELPERS #================================================= -#if [ ! -e _common.sh ]; then -# # Get file fonction if not been to the current directory -# sudo cp ../settings/scripts/_common.sh ./_common.sh -# sudo chmod a+rx _common.sh -#fi +if [ ! -e _common.sh ]; then + # Get file fonction if not been to the current directory + sudo cp ../settings/scripts/_common.sh ./_common.sh + sudo chmod a+rx _common.sh +fi # Source app helpers -#source _common.sh +source _common.sh source /usr/share/yunohost/helpers #================================================= @@ -55,6 +55,12 @@ ynh_remove_nginx_config # Remove the dedicated php-fpm config ynh_remove_fpm_config +#================================================= +# REMOVE FAIL2BAN CONFIGURATION +#================================================= + +ynh_remove_fail2ban_config + #================================================= # GENERIC FINALIZATION #================================================= diff --git a/scripts/restore b/scripts/restore index 884e1e8..eb096a0 100644 --- a/scripts/restore +++ b/scripts/restore @@ -13,12 +13,12 @@ set -eu # IMPORT GENERIC HELPERS #================================================= -#if [ ! -e _common.sh ]; then -# # Get the _common.sh file if it's not in the current directory -# cp ../settings/scripts/_common.sh ./_common.sh -# chmod a+rx _common.sh -#fi -#source _common.sh +if [ ! -e _common.sh ]; then + # Get the _common.sh file if it's not in the current directory + cp ../settings/scripts/_common.sh ./_common.sh + chmod a+rx _common.sh +fi +source _common.sh source /usr/share/yunohost/helpers #================================================= 
@@ -84,6 +84,14 @@ chown $app "$final_path/Specific/"{config.php,config.system.php} ynh_restore_file "/etc/php5/fpm/pool.d/$app.conf" +#================================================= +# RESTORE FAIL2BAN CONFIGURATION +#================================================= + +ynh_restore_file "/etc/fail2ban/jail.d/$app.conf" +ynh_restore_file "/etc/fail2ban/filter.d/$app.conf" +systemctl restart fail2ban + #================================================= # GENERIC FINALIZATION #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index f787e44..621161a 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -6,7 +6,7 @@ # IMPORT GENERIC HELPERS #================================================= -#source _common.sh +source _common.sh source /usr/share/yunohost/helpers #================================================= @@ -145,6 +145,12 @@ chown -R root: "$final_path" chown $app "$final_path/Specific/"{config.php,config.system.php} chmod 640 "$final_path/Specific/"{config.php,config.system.php} +#================================================= +# SETUP FAIL2BAN +#================================================= + +ynh_add_fail2ban_config "/var/log/nginx/$domain-access.log" ".*PROPFIND /baikal.*401 295.*$" 5 + #================================================= # SETUP SSOWAT #=================================================
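Review bot: `systemctl restart fail2ban` in the RESTORE FAIL2BAN CONFIGURATION block runs without the warning check that `ynh_add_fail2ban_config` appears to make after writing the same two files, so a restored jail that fail2ban rejects goes unreported. fail2ban typically refuses a jail whose log file does not exist, and at restore time the nginx access log passed at install may not have been created yet. With `set -eu` active in this script a failed restart aborts the restore, and a service left stopped means no jail on the host is enforcing bans. Consider creating the log file first when it is absent and confirming the service state, e.g. `systemctl is-active --quiet fail2ban || ynh_die "fail2ban did not come back up after restoring the $app jail"`.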