From 9da9eb03e13a2123f84c85848f7d38e4805d665d Mon Sep 17 00:00:00 2001
From: Toromtomtom
Date: Sat, 13 Jan 2024 14:15:15 +0100
Subject: [PATCH] Add fail2ban (#92)

* fail2ban for LDAP authentication errors
* fix log file path
* fix regex
* cleaning

---------

Co-authored-by: ericgaspar
---
 scripts/backup | 7 +++++++
 scripts/install | 11 +++++++++++
 scripts/remove | 2 ++
 scripts/restore | 6 ++++--
 scripts/upgrade | 8 +++++++-
 5 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/scripts/backup b/scripts/backup
index 214b288..04eed75 100644
--- a/scripts/backup
+++ b/scripts/backup
@@ -33,6 +33,13 @@ ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"
 ynh_backup --src_path="/etc/php/$phpversion/fpm/pool.d/$app.conf"
+#=================================================
+# BACKUP FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_backup --src_path="/etc/fail2ban/jail.d/$app.conf"
+ynh_backup --src_path="/etc/fail2ban/filter.d/$app.conf"
+
 #=================================================
 # BACKUP THE MYSQL DATABASE
 #=================================================
diff --git a/scripts/install b/scripts/install
index 2827025..e4d676d 100644
--- a/scripts/install
+++ b/scripts/install
@@ -55,6 +55,17 @@ ynh_add_fpm_config
 ynh_add_nginx_config
+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+ynh_script_progression --message="Configuring fail2ban..." --weight=1
+
+# Create the logfile, required before configuring fail2ban
+touch "/var/log/${domain}-error.log"
+
+# Create a dedicated fail2ban config
+ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failregex='"PHP message: user \(name stripped-out\) authentication failure for Baikal" while reading response header from upstream, client: '
+
 #=================================================
 # SPECIFIC SETUP
 #=================================================
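Review bot: The failregex handed to ynh_add_fail2ban_config in the install hunk contains no `<HOST>` tag (the pattern stops at `client: `), so fail2ban has no host group from which to read the offending client address and the jail cannot ban anyone; nginx writes that address immediately after `client: `, so the pattern should end `... while reading response header from upstream, client: <HOST>'`. The preceding `touch "/var/log/${domain}-error.log"` creates a file directly under `/var/log/` while the jail's `--logpath` is `/var/log/nginx/${domain}-error.log`, so the comment's stated purpose (having the log exist before fail2ban is configured) is not met; it should read `touch "/var/log/nginx/${domain}-error.log"`. Both lines are repeated verbatim in the upgrade hunk (`@@ -38,6 +38,12 @@`), which needs the identical two fixes.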
diff --git a/scripts/remove b/scripts/remove
index ac762c0..8d28c8c 100644
--- a/scripts/remove
+++ b/scripts/remove
@@ -18,6 +18,8 @@ ynh_remove_nginx_config
 ynh_remove_fpm_config
+ynh_remove_fail2ban_config
+
 #=================================================
 # END OF SCRIPT
 #=================================================
diff --git a/scripts/restore b/scripts/restore
index 8f4c828..77daf9b 100644
--- a/scripts/restore
+++ b/scripts/restore
@@ -45,14 +45,16 @@ ynh_mysql_connect_as --user=$db_user --password=$db_pwd --database=$db_name < ./
 #=================================================
 # RESTORE SYSTEM CONFIGURATIONS
 #=================================================
-# RESTORE THE PHP-FPM CONFIGURATION
-#=================================================
 ynh_script_progression --message="Restoring system configurations related to $app..." --weight=1
 ynh_restore_file --origin_path="/etc/php/$phpversion/fpm/pool.d/$app.conf"
 ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf"
+ynh_restore_file --origin_path="/etc/fail2ban/jail.d/$app.conf"
+ynh_restore_file --origin_path="/etc/fail2ban/filter.d/$app.conf"
+ynh_systemd_action --action=restart --service_name=fail2ban
+
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index e9957e8..8ad1c75 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -30,7 +30,7 @@ chmod -R o-rwx "$install_dir"
 chown -R $app:www-data "$install_dir"
 #=================================================
-# PHP-FPM CONFIGURATION
+# SYSTEM CONFIGURATION
 #=================================================
 ynh_script_progression --message="Upgrading PHP-FPM configuration..." --weight=2
@@ -38,6 +38,12 @@ ynh_add_fpm_config
 ynh_add_nginx_config
+# Create the logfile, required before configuring fail2ban
+touch "/var/log/${domain}-error.log"
+
+# Create a dedicated fail2ban config
+ynh_add_fail2ban_config --logpath="/var/log/nginx/${domain}-error.log" --failregex='"PHP message: user \(name stripped-out\) authentication failure for Baikal" while reading response header from upstream, client: '
+
 #=================================================
 # SPECIFIC UPGRADE
 #=================================================