Added Fail2ban

2024-09-03 18:16:11 +02:00 · 2018-11-21 03:59:22 +05:30 · 2018-11-21 03:59:22 +05:30 · 5567db5431
commit 5567db5431
parent c7eefc2013
6 changed files with 118 additions and 20 deletions
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@ -0,0 +1,65 @@
+#!/bin/bash
+
+#=================================================
+# EXPERIMENTAL HELPERS
+#=================================================
+
+# Create a dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]]
+# | arg: log_file - Log file to be checked by fail2ban
+# | arg: failregex - Failregex to be looked for by fail2ban
+# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3
+# | arg: ports - Ports blocked for a banned IP address - default: http,https
+ynh_add_fail2ban_config () {
+   # Process parameters
+   logpath=$1
+   failregex=$2
+   max_retry=${3:-3}
+   ports=${4:-http,https}
+   
+  test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
+  test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
+  
+  finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
+  finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
+  ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
+  ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
+  
+  sudo tee $finalfail2banjailconf <<EOF
+[$app]
+enabled = true
+port = $ports
+filter = $app
+logpath = $logpath
+maxretry = $max_retry
+EOF
+
+  sudo tee $finalfail2banfilterconf <<EOF
+[INCLUDES]
+before = common.conf
+[Definition]
+failregex = $failregex
+ignoreregex =
+EOF
+
+  ynh_store_file_checksum "$finalfail2banjailconf"
+  ynh_store_file_checksum "$finalfail2banfilterconf"
+  
+  systemctl restart fail2ban
+  local fail2ban_error="$(journalctl -u fail2ban | tail -n50 | grep "WARNING.*$app.*")"
+  if [ -n "$fail2ban_error" ]
+  then
+    echo "[ERR] Fail2ban failed to load the jail for $app" >&2
+    echo "WARNING${fail2ban_error#*WARNING}" >&2
+  fi
+}
+
+# Remove the dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_remove_fail2ban_config
+ynh_remove_fail2ban_config () {
+  ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
+  ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
+  sudo systemctl restart fail2ban
+}
--- a/scripts/backup
+++ b/scripts/backup
@ -13,12 +13,12 @@ set -eu
 # IMPORT GENERIC HELPERS
 #=================================================

-#if [ ! -e _common.sh ]; then
-#	# Get the _common.sh file if it's not in the current directory
-#	cp ../settings/scripts/_common.sh ./_common.sh
-#	chmod a+rx _common.sh
-#fi
-#source _common.sh
+if [ ! -e _common.sh ]; then
+	# Get the _common.sh file if it's not in the current directory
+	cp ../settings/scripts/_common.sh ./_common.sh
+	chmod a+rx _common.sh
+fi
+source _common.sh
 source /usr/share/yunohost/helpers

 #=================================================
@ -52,6 +52,13 @@ ynh_backup "/etc/nginx/conf.d/$domain.d/$app.conf"

 ynh_backup "/etc/php5/fpm/pool.d/$app.conf"

+#=================================================
+# BACKUP FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_backup "/etc/fail2ban/jail.d/$app.conf"
+ynh_backup "/etc/fail2ban/filter.d/$app.conf"
+
 #=================================================
 # BACKUP THE MYSQL DATABASE
 #=================================================
--- a/scripts/install
+++ b/scripts/install
@ -6,7 +6,7 @@
 # IMPORT GENERIC HELPERS
 #=================================================

-#source ./_common.sh
+source ./_common.sh
 source /usr/share/yunohost/helpers

 #=================================================
@ -140,6 +140,12 @@ chown -R root: "$final_path"
 chown $app "$final_path/Specific/"{config.php,config.system.php}
 chmod 640 "$final_path/Specific/"{config.php,config.system.php}

+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "/var/log/nginx/$domain-access.log" "<HOST>.*PROPFIND /baikal.*401 295.*$" 5
+
 #=================================================
 # SETUP SSOWAT
 #=================================================
--- a/scripts/remove
+++ b/scripts/remove
@ -6,13 +6,13 @@
 # IMPORT GENERIC HELPERS
 #=================================================

-#if [ ! -e _common.sh ]; then
-#	# Get file fonction if not been to the current directory
-#	sudo cp ../settings/scripts/_common.sh ./_common.sh
-#	sudo chmod a+rx _common.sh
-#fi
+if [ ! -e _common.sh ]; then
+	# Get file fonction if not been to the current directory
+	sudo cp ../settings/scripts/_common.sh ./_common.sh
+	sudo chmod a+rx _common.sh
+fi
 # Source app helpers
-#source _common.sh
+source _common.sh
 source /usr/share/yunohost/helpers

 #=================================================
@ -55,6 +55,12 @@ ynh_remove_nginx_config
 # Remove the dedicated php-fpm config
 ynh_remove_fpm_config

+#=================================================
+# REMOVE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_remove_fail2ban_config
+
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
--- a/scripts/restore
+++ b/scripts/restore
@ -13,12 +13,12 @@ set -eu
 # IMPORT GENERIC HELPERS
 #=================================================

-#if [ ! -e _common.sh ]; then
-#	# Get the _common.sh file if it's not in the current directory
-#	cp ../settings/scripts/_common.sh ./_common.sh
-#	chmod a+rx _common.sh
-#fi
-#source _common.sh
+if [ ! -e _common.sh ]; then
+	# Get the _common.sh file if it's not in the current directory
+	cp ../settings/scripts/_common.sh ./_common.sh
+	chmod a+rx _common.sh
+fi
+source _common.sh
 source /usr/share/yunohost/helpers

 #=================================================
@ -84,6 +84,14 @@ chown $app "$final_path/Specific/"{config.php,config.system.php}

 ynh_restore_file "/etc/php5/fpm/pool.d/$app.conf"

+#=================================================
+# RESTORE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_restore_file "/etc/fail2ban/jail.d/$app.conf"
+ynh_restore_file "/etc/fail2ban/filter.d/$app.conf"
+systemctl restart fail2ban
+
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -6,7 +6,7 @@
 # IMPORT GENERIC HELPERS
 #=================================================

-#source _common.sh
+source _common.sh
 source /usr/share/yunohost/helpers

 #=================================================
@ -145,6 +145,12 @@ chown -R root: "$final_path"
 chown $app "$final_path/Specific/"{config.php,config.system.php}
 chmod 640 "$final_path/Specific/"{config.php,config.system.php}

+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "/var/log/nginx/$domain-access.log" "<HOST>.*PROPFIND /baikal.*401 295.*$" 5
+
 #=================================================
 # SETUP SSOWAT
 #=================================================