From 5951478de2dd1c8037d8ae0295b973e0dedb559f Mon Sep 17 00:00:00 2001
From: Maniack Crudelis
Date: Sun, 12 May 2019 17:06:51 +0200
Subject: [PATCH] Fix fail2ban and add logautherror plugin
---
conf/logautherror.src | 6 ++++
scripts/_common.sh | 64 -------------------------------------------
scripts/change_url | 2 +-
scripts/install | 7 ++++-
scripts/upgrade | 8 +++++-
5 files changed, 20 insertions(+), 67 deletions(-)
create mode 100644 conf/logautherror.src
diff --git a/conf/logautherror.src b/conf/logautherror.src
new file mode 100644
index 0000000..56bab0d
--- /dev/null
+++ b/conf/logautherror.src
@@ -0,0 +1,6 @@
+SOURCE_URL=https://github.com/mallchin/dokuwiki_plugin_logautherror/archive/master.zip
+SOURCE_SUM=ac36038a710d8f4823a006416ef28c46
+SOURCE_SUM_PRG=md5sum
+SOURCE_FORMAT=zip
+SOURCE_IN_SUBDIR=true
+SOURCE_FILENAME=
diff --git a/scripts/_common.sh b/scripts/_common.sh
index 217a16a..24bd7ba 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
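Review bot: `SOURCE_URL` in conf/logautherror.src points at `archive/master.zip`, a moving branch, and the download is verified with `md5sum`. Once upstream pushes to master the pinned `SOURCE_SUM` should stop matching, so the `ynh_setup_source --source_id=logautherror` calls added in scripts/install and scripts/upgrade would fail partway through an install or upgrade. MD5 is also not collision-resistant, which makes it a weak integrity check for code unpacked into the wiki's plugin directory. Pin the URL to a fixed commit or tag archive, e.g. `SOURCE_URL=https://github.com/mallchin/dokuwiki_plugin_logautherror/archive/<COMMIT_SHA_PLACEHOLDER>.zip`, and switch to `SOURCE_SUM_PRG=sha256sum` with the matching `SOURCE_SUM`.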
@@ -11,67 +11,3 @@ ynh_delete_file_checksum () { local checksum_setting_name=checksum_${1//[\/ ]/_} # Replace all '/' and ' ' by '_' ynh_app_setting_delete $app $checksum_setting_name } - -#================================================= -# EXPERIMENTAL HELPERS -#================================================= - -# Create a dedicated fail2ban config (jail and filter conf files) -# -# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]] -# | arg: log_file - Log file to be checked by fail2ban -# | arg: failregex - Failregex to be looked for by fail2ban -# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3 -# | arg: ports - Ports blocked for a banned IP address - default: http,https -ynh_add_fail2ban_config () { - # Process parameters - logpath=$1 - failregex=$2 - max_retry=${3:-3} - ports=${4:-http,https} - - test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing." - test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing." - - finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf" - finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf" - ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1 - ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1 - - sudo tee $finalfail2banjailconf <&2 - echo "WARNING${fail2ban_error#*WARNING}" >&2 - fi -} - -# Remove the dedicated fail2ban config (jail and filter conf files) -# -# usage: ynh_remove_fail2ban_config -ynh_remove_fail2ban_config () { - ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf" - ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf" - sudo systemctl restart fail2ban -} diff --git a/scripts/change_url b/scripts/change_url index 8f11601..c3eb541 100644 --- a/scripts/change_url +++ b/scripts/change_url 
@@ -84,7 +84,7 @@ then # Store file checksum for the new config file location ynh_store_file_checksum "/etc/nginx/conf.d/$new_domain.d/$app.conf" # Fail2ban configuration - ynh_add_fail2ban_config "/var/log/nginx/$new_domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: ,.*$" 5 + ynh_add_fail2ban_config --logpath="/var/log/nginx/$new_domain-error.log" --failregex="^.*authentication failure. while reading response header from upstream, client: ,.*POST $path_url.*$" --max_retry=5 fi diff --git a/scripts/install b/scripts/install index d0102b8..690bc16 100755 --- a/scripts/install +++ b/scripts/install @@ -166,7 +166,12 @@ ynh_store_file_checksum "$final_path/conf/local.protected.php" ### Files can be modified by user, no need to store checksum as they cannot be overwritten safely by package #ynh_store_file_checksum "$final_path/conf/local.php" #ynh_store_file_checksum "$final_path/conf/acl.auth.php" + #================================================= +# INSTALL LOGAUTHERROR PLUGIN FOR FAIL2BAN +#================================================= + +ynh_setup_source --dest_dir="$final_path/lib/plugins/logautherror" --source_id=logautherror #================================================= # GENERIC FINALIZATION @@ -215,7 +220,7 @@ find $final_path/lib -type d -print0 | xargs -0 chmod 0755 # SETUP FAIL2BAN #================================================= -ynh_add_fail2ban_config "/var/log/nginx/$domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: ,.*$" 5 +ynh_add_fail2ban_config --logpath="/var/log/nginx/$domain-error.log" --failregex="^.*authentication failure. while reading response header from upstream, client: ,.*POST $path_url.*$" --max_retry=5 #================================================= # SETUP SSOWAT diff --git a/scripts/upgrade b/scripts/upgrade index 25b70b0..0be6262 100755 --- a/scripts/upgrade +++ b/scripts/upgrade 
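Review bot: `$path_url` is expanded by the shell straight into `--failregex` in the scripts/change_url hunk (and identically in the `SETUP FAIL2BAN` hunks of scripts/install and scripts/upgrade), so any regex metacharacter in the install path, such as `.`, becomes part of the fail2ban pattern. A pattern that is broader or narrower than intended means either bans for requests that were not failed logins or no bans at all, so escape the path before interpolating it and note in a comment that the value is used as a regex. The change_url line also reads the log of `$new_domain` but takes the path from `$path_url`; the hunk does not show where `path_url` is assigned, so confirm it holds the new path at this point. As rendered on this page the pattern has nothing between `client:` and `,` where fail2ban expects its `<HOST>` tag; that is likely lost in rendering, but it is worth checking in the file. The enclosing `if` block starts outside the hunk.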
@@ -244,6 +244,12 @@ ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "$final_path/conf/local.protec # Recalculate and store the checksum of the file for the next upgrade. ynh_store_file_checksum "$final_path/conf/local.protected.php" +#================================================= +# INSTALL LOGAUTHERROR PLUGIN FOR FAIL2BAN +#================================================= + +ynh_setup_source --dest_dir="$final_path/lib/plugins/logautherror" --source_id=logautherror + #================================================= # GENERIC FINALIZATION #================================================= @@ -291,7 +297,7 @@ find $final_path/lib -type d -print0 | xargs -0 chmod 0755 # SETUP FAIL2BAN #================================================= -ynh_add_fail2ban_config "/var/log/nginx/$domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: ,.*$" 5 +ynh_add_fail2ban_config --logpath="/var/log/nginx/$domain-error.log" --failregex="^.*authentication failure. while reading response header from upstream, client: ,.*POST $path_url.*$" --max_retry=5 #================================================= # SETUP SSOWAT