Fix fail2ban and add logautherror plugin

2024-09-03 18:26:20 +02:00 · 2019-05-12 17:06:51 +02:00 · 2019-05-12 17:06:51 +02:00 · 5951478de2
commit 5951478de2
parent 70d8aea655
5 changed files with 20 additions and 67 deletions
--- a/conf/logautherror.src
+++ b/conf/logautherror.src
@ -0,0 +1,6 @@
 SOURCE_URL=https://github.com/mallchin/dokuwiki_plugin_logautherror/archive/master.zip
 SOURCE_SUM=ac36038a710d8f4823a006416ef28c46
 SOURCE_SUM_PRG=md5sum
 SOURCE_FORMAT=zip
 SOURCE_IN_SUBDIR=true
 SOURCE_FILENAME=
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@ -11,67 +11,3 @@ ynh_delete_file_checksum () {
 	local checksum_setting_name=checksum_${1//[\/ ]/_}	# Replace all '/' and ' ' by '_'
 	ynh_app_setting_delete $app $checksum_setting_name
 }
 #=================================================
 # EXPERIMENTAL HELPERS
 #=================================================
 # Create a dedicated fail2ban config (jail and filter conf files)
 #
 # usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]]
 # | arg: log_file - Log file to be checked by fail2ban
 # | arg: failregex - Failregex to be looked for by fail2ban
 # | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3
 # | arg: ports - Ports blocked for a banned IP address - default: http,https
 ynh_add_fail2ban_config () {
   # Process parameters
   logpath=$1
   failregex=$2
   max_retry=${3:-3}
   ports=${4:-http,https}
  test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
  test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
  finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
  finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
  ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
  ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
  sudo tee $finalfail2banjailconf <<EOF
 [$app]
 enabled = true
 port = $ports
 filter = $app
 logpath = $logpath
 maxretry = $max_retry
 EOF
  sudo tee $finalfail2banfilterconf <<EOF
 [INCLUDES]
 before = common.conf
 [Definition]
 failregex = $failregex
 ignoreregex =
 EOF
  ynh_store_file_checksum "$finalfail2banjailconf"
  ynh_store_file_checksum "$finalfail2banfilterconf"
  systemctl restart fail2ban
  local fail2ban_error="$(journalctl -u fail2ban | tail -n50 | grep "WARNING.*$app.*")"
  if [ -n "$fail2ban_error" ]
  then
    echo "[ERR] Fail2ban failed to load the jail for $app" >&2
    echo "WARNING${fail2ban_error#*WARNING}" >&2
  fi
 }
 # Remove the dedicated fail2ban config (jail and filter conf files)
 #
 # usage: ynh_remove_fail2ban_config
 ynh_remove_fail2ban_config () {
  ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
  ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
  sudo systemctl restart fail2ban
 }
--- a/scripts/change_url
+++ b/scripts/change_url
@ -84,7 +84,7 @@ then
 	# Store file checksum for the new config file location
 	ynh_store_file_checksum "/etc/nginx/conf.d/$new_domain.d/$app.conf"
 	# Fail2ban configuration
-	ynh_add_fail2ban_config "/var/log/nginx/$new_domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: <HOST>,.*$" 5
+	ynh_add_fail2ban_config --logpath="/var/log/nginx/$new_domain-error.log" --failregex="^.*authentication failure. while reading response header from upstream, client: <HOST>,.*POST $path_url.*$" --max_retry=5
 fi
--- a/scripts/install
+++ b/scripts/install
@ -166,7 +166,12 @@ ynh_store_file_checksum "$final_path/conf/local.protected.php"
 ### Files can be modified by user, no need to store checksum as they cannot be overwritten safely by package
 #ynh_store_file_checksum "$final_path/conf/local.php"
 #ynh_store_file_checksum "$final_path/conf/acl.auth.php"
 #=================================================
 # INSTALL LOGAUTHERROR PLUGIN FOR FAIL2BAN
 #=================================================
 ynh_setup_source --dest_dir="$final_path/lib/plugins/logautherror" --source_id=logautherror
 #=================================================
 # GENERIC FINALIZATION
@ -215,7 +220,7 @@ find $final_path/lib -type d -print0 | xargs -0 chmod 0755
 # SETUP FAIL2BAN
 #=================================================
-ynh_add_fail2ban_config "/var/log/nginx/$domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: <HOST>,.*$" 5
+ynh_add_fail2ban_config --logpath="/var/log/nginx/$domain-error.log" --failregex="^.*authentication failure. while reading response header from upstream, client: <HOST>,.*POST $path_url.*$" --max_retry=5
 #=================================================
 # SETUP SSOWAT
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -244,6 +244,12 @@ ynh_replace_string "__YNH_ADMIN_USER__" "$admin"  "$final_path/conf/local.protec
 # Recalculate and store the checksum of the file for the next upgrade.
 ynh_store_file_checksum "$final_path/conf/local.protected.php"
 #=================================================
 # INSTALL LOGAUTHERROR PLUGIN FOR FAIL2BAN
 #=================================================
 ynh_setup_source --dest_dir="$final_path/lib/plugins/logautherror" --source_id=logautherror
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
@ -291,7 +297,7 @@ find $final_path/lib -type d -print0 | xargs -0 chmod 0755
 # SETUP FAIL2BAN
 #=================================================
-ynh_add_fail2ban_config "/var/log/nginx/$domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: <HOST>,.*$" 5
+ynh_add_fail2ban_config --logpath="/var/log/nginx/$domain-error.log" --failregex="^.*authentication failure. while reading response header from upstream, client: <HOST>,.*POST $path_url.*$" --max_retry=5
 #=================================================
 # SETUP SSOWAT