From 70d8aea655dc578370b16f21ecd41bd7b4d31cd1 Mon Sep 17 00:00:00 2001 From: anmol Date: Wed, 21 Nov 2018 02:33:53 +0530 Subject: [PATCH 1/5] Added Fail2ban --- scripts/_common.sh | 66 +++++++++++++++++++++++++++++++++++++++++++++- scripts/backup | 7 +++++ scripts/change_url | 5 +++- scripts/install | 6 +++++ scripts/remove | 3 +++ scripts/restore | 6 +++++ scripts/upgrade | 6 +++++ 7 files changed, 97 insertions(+), 2 deletions(-) diff --git a/scripts/_common.sh b/scripts/_common.sh index bb04a03..217a16a 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
@@ -10,4 +10,68 @@ ynh_delete_file_checksum () { local checksum_setting_name=checksum_${1//[\/ ]/_} # Replace all '/' and ' ' by '_' ynh_app_setting_delete $app $checksum_setting_name -} \ No newline at end of file +} + +#================================================= +# EXPERIMENTAL HELPERS +#================================================= + +# Create a dedicated fail2ban config (jail and filter conf files) +# +# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]] +# | arg: log_file - Log file to be checked by fail2ban +# | arg: failregex - Failregex to be looked for by fail2ban +# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3 +# | arg: ports - Ports blocked for a banned IP address - default: http,https +ynh_add_fail2ban_config () { + # Process parameters + logpath=$1 + failregex=$2 + max_retry=${3:-3} + ports=${4:-http,https} + + test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing." + test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing." + + finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf" + finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf" + ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1 + ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1 + + sudo tee $finalfail2banjailconf <&2 + echo "WARNING${fail2ban_error#*WARNING}" >&2 + fi +} + +# Remove the dedicated fail2ban config (jail and filter conf files) +# +# usage: ynh_remove_fail2ban_config +ynh_remove_fail2ban_config () { + ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf" + ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf" + sudo systemctl restart fail2ban +} diff --git a/scripts/backup b/scripts/backup index 9c63df7..e24e312 100755 --- a/scripts/backup +++ b/scripts/backup 
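Review bot: The variables assigned at the top of ynh_add_fail2ban_config (`logpath`, `failregex`, `max_retry`, `ports`, `finalfail2banjailconf`, `finalfail2banfilterconf`, and `fail2ban_error` further down) are not declared `local`, so every call overwrites the caller's globals of the same name, and `ports` and `logpath` are generic enough to collide with variables in the calling script. Prefix each assignment with `local`, e.g. `local logpath=$1`, and quote the target in `sudo tee "$finalfail2banjailconf"` so a path containing spaces is not word-split. The bodies of the two heredocs written through `tee` are not visible on this page, so their contents were not reviewed.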
@@ -50,3 +50,10 @@ ynh_backup "/etc/php5/fpm/conf.d/20-$app.ini" # SPECIFIC BACKUP #================================================= +#================================================= +# BACKUP FAIL2BAN CONFIGURATION +#================================================= + +ynh_backup "/etc/fail2ban/jail.d/$app.conf" +ynh_backup "/etc/fail2ban/filter.d/$app.conf" + diff --git a/scripts/change_url b/scripts/change_url index 2af51af..8f11601 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -75,7 +75,7 @@ then ynh_add_nginx_config fi -# Change the domain for nginx +# Change the domain for nginx and impliment Fail2ban if [ $change_domain -eq 1 ] then # Delete file checksum for the old conf file location @@ -83,6 +83,9 @@ then mv $nginx_conf_path /etc/nginx/conf.d/$new_domain.d/$app.conf # Store file checksum for the new config file location ynh_store_file_checksum "/etc/nginx/conf.d/$new_domain.d/$app.conf" + # Fail2ban configuration + ynh_add_fail2ban_config "/var/log/nginx/$new_domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: ,.*$" 5 + fi #================================================= diff --git a/scripts/install b/scripts/install index 046c816..d0102b8 100755 --- a/scripts/install +++ b/scripts/install @@ -211,6 +211,12 @@ find $final_path/lib -type d -print0 | xargs -0 chmod 0755 # chmod : -rwxr-xr-x 1 root root 241 May 3 08:36 index.html => BAD # find : -rw-r--r-- 1 1001 1002 241 May 3 08:36 index.html => GOOD +#================================================= +# SETUP FAIL2BAN +#================================================= + +ynh_add_fail2ban_config "/var/log/nginx/$domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: ,.*$" 5 + #================================================= # SETUP SSOWAT #================================================= diff --git a/scripts/remove b/scripts/remove index f453065..96dfb72 100755 --- a/scripts/remove 
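Review bot: The two new `ynh_backup` calls in scripts/backup assume `/etc/fail2ban/jail.d/$app.conf` and `/etc/fail2ban/filter.d/$app.conf` already exist, but an instance installed before this commit has neither until its upgrade script has run, and the backup script can be run before that point. If `ynh_backup` treats a missing source path as fatal on the target helper version (confirm), the pre-upgrade backup of such instances fails outright. Guard each call with an existence test such as `[ -e "/etc/fail2ban/jail.d/$app.conf" ] && ynh_backup "/etc/fail2ban/jail.d/$app.conf"`, or use the helper's not-mandatory option where the target YunoHost version provides it.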
+++ b/scripts/remove @@ -46,7 +46,10 @@ ynh_remove_fpm_config #================================================= # SPECIFIC REMOVE #================================================= +# REMOVE FAIL2BAN CONFIGURATION +#================================================= +ynh_remove_fail2ban_config #================================================= # GENERIC FINALIZATION diff --git a/scripts/restore b/scripts/restore index f8363c7..23153b2 100755 --- a/scripts/restore +++ b/scripts/restore @@ -108,7 +108,13 @@ ynh_restore_file "/etc/php5/fpm/conf.d/20-$app.ini" # SPECIFIC RESTORATION #================================================= +#================================================= +# RESTORE FAIL2BAN CONFIGURATION +#================================================= +ynh_restore_file "/etc/fail2ban/jail.d/$app.conf" +ynh_restore_file "/etc/fail2ban/filter.d/$app.conf" +systemctl restart fail2ban #================================================= # GENERIC FINALIZATION diff --git a/scripts/upgrade b/scripts/upgrade index 75be9a7..25b70b0 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -287,6 +287,12 @@ find $final_path/lib -type d -print0 | xargs -0 chmod 0755 # chmod : -rwxr-xr-x 1 root root 241 May 3 08:36 index.html => BAD # find : -rw-r--r-- 1 1001 1002 241 May 3 08:36 index.html => GOOD +#================================================= +# SETUP FAIL2BAN +#================================================= + +ynh_add_fail2ban_config "/var/log/nginx/$domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: ,.*$" 5 + #================================================= # SETUP SSOWAT #================================================= From 5951478de2dd1c8037d8ae0295b973e0dedb559f Mon Sep 17 00:00:00 2001 
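Review bot: `systemctl restart fail2ban` in the scripts/restore hunk is invoked directly, whereas the helper added to scripts/_common.sh in this same commit uses `sudo systemctl restart fail2ban` and reports a warning when the service does not come back cleanly; restore therefore drives the service differently from install and remove and gets no diagnostic if the restart fails. Use the same invocation as the helper, or check the restart result explicitly, e.g. `systemctl restart fail2ban || ynh_print_warn "fail2ban failed to restart after restoring its configuration"`.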
From: Maniack Crudelis Date: Sun, 12 May 2019 17:06:51 +0200 Subject: [PATCH 2/5] Fix fail2ban and add logautherror plugin --- conf/logautherror.src | 6 ++++ scripts/_common.sh | 64 ------------------------------------------- scripts/change_url | 2 +- scripts/install | 7 ++++- scripts/upgrade | 8 +++++- 5 files changed, 20 insertions(+), 67 deletions(-) create mode 100644 conf/logautherror.src diff --git a/conf/logautherror.src b/conf/logautherror.src new file mode 100644 index 0000000..56bab0d --- /dev/null +++ b/conf/logautherror.src @@ -0,0 +1,6 @@ +SOURCE_URL=https://github.com/mallchin/dokuwiki_plugin_logautherror/archive/master.zip +SOURCE_SUM=ac36038a710d8f4823a006416ef28c46 +SOURCE_SUM_PRG=md5sum +SOURCE_FORMAT=zip +SOURCE_IN_SUBDIR=true +SOURCE_FILENAME= diff --git a/scripts/_common.sh b/scripts/_common.sh index 217a16a..24bd7ba 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh 
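Review bot: `SOURCE_URL` in conf/logautherror.src points at `archive/master.zip`, a moving branch, so the `SOURCE_SUM` recorded here stops matching as soon as upstream pushes to master, and `ynh_setup_source` will then fail at install and upgrade until the checksum is regenerated. Pin the URL to a release tag or a specific commit archive so the checksum stays stable and the installed plugin is reproducible. `SOURCE_SUM_PRG=md5sum` is also a weak integrity check for code that runs inside the wiki's PHP process; prefer `SOURCE_SUM_PRG=sha256sum` when regenerating the sum.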
@@ -11,67 +11,3 @@ ynh_delete_file_checksum () { local checksum_setting_name=checksum_${1//[\/ ]/_} # Replace all '/' and ' ' by '_' ynh_app_setting_delete $app $checksum_setting_name } - -#================================================= -# EXPERIMENTAL HELPERS -#================================================= - -# Create a dedicated fail2ban config (jail and filter conf files) -# -# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]] -# | arg: log_file - Log file to be checked by fail2ban -# | arg: failregex - Failregex to be looked for by fail2ban -# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3 -# | arg: ports - Ports blocked for a banned IP address - default: http,https -ynh_add_fail2ban_config () { - # Process parameters - logpath=$1 - failregex=$2 - max_retry=${3:-3} - ports=${4:-http,https} - - test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing." - test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing." - - finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf" - finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf" - ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1 - ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1 - - sudo tee $finalfail2banjailconf <&2 - echo "WARNING${fail2ban_error#*WARNING}" >&2 - fi -} - -# Remove the dedicated fail2ban config (jail and filter conf files) -# -# usage: ynh_remove_fail2ban_config -ynh_remove_fail2ban_config () { - ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf" - ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf" - sudo systemctl restart fail2ban -} diff --git a/scripts/change_url b/scripts/change_url index 8f11601..c3eb541 100644 --- a/scripts/change_url +++ b/scripts/change_url 
@@ -84,7 +84,7 @@ then # Store file checksum for the new config file location ynh_store_file_checksum "/etc/nginx/conf.d/$new_domain.d/$app.conf" # Fail2ban configuration - ynh_add_fail2ban_config "/var/log/nginx/$new_domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: ,.*$" 5 + ynh_add_fail2ban_config --logpath="/var/log/nginx/$new_domain-error.log" --failregex="^.*authentication failure. while reading response header from upstream, client: ,.*POST $path_url.*$" --max_retry=5 fi diff --git a/scripts/install b/scripts/install index d0102b8..690bc16 100755 --- a/scripts/install +++ b/scripts/install @@ -166,7 +166,12 @@ ynh_store_file_checksum "$final_path/conf/local.protected.php" ### Files can be modified by user, no need to store checksum as they cannot be overwritten safely by package #ynh_store_file_checksum "$final_path/conf/local.php" #ynh_store_file_checksum "$final_path/conf/acl.auth.php" + #================================================= +# INSTALL LOGAUTHERROR PLUGIN FOR FAIL2BAN +#================================================= + +ynh_setup_source --dest_dir="$final_path/lib/plugins/logautherror" --source_id=logautherror #================================================= # GENERIC FINALIZATION @@ -215,7 +220,7 @@ find $final_path/lib -type d -print0 | xargs -0 chmod 0755 # SETUP FAIL2BAN #================================================= -ynh_add_fail2ban_config "/var/log/nginx/$domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: ,.*$" 5 +ynh_add_fail2ban_config --logpath="/var/log/nginx/$domain-error.log" --failregex="^.*authentication failure. while reading response header from upstream, client: ,.*POST $path_url.*$" --max_retry=5 #================================================= # SETUP SSOWAT diff --git a/scripts/upgrade b/scripts/upgrade index 25b70b0..0be6262 100755 --- a/scripts/upgrade +++ b/scripts/upgrade 
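Review bot: `$path_url` is interpolated unescaped into the `--failregex` value passed to ynh_add_fail2ban_config in the scripts/change_url hunk and in the second scripts/install hunk here, and again in scripts/upgrade in the next hunk; fail2ban evaluates failregex as a Python regex, so any metacharacter in the path (`.`, `+`, `(`) changes the pattern instead of matching literally. Escape the path before building the pattern, or add a comment next to each call stating that `path_url` is guaranteed to be a plain `/`-separated path. Note also that with a path of `/` the `POST $path_url.*` fragment matches every POST on the domain that produces the upstream message, which may be intended for a root-installed wiki but deserves a comment.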
@@ -244,6 +244,12 @@ ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "$final_path/conf/local.protec # Recalculate and store the checksum of the file for the next upgrade. ynh_store_file_checksum "$final_path/conf/local.protected.php" +#================================================= +# INSTALL LOGAUTHERROR PLUGIN FOR FAIL2BAN +#================================================= + +ynh_setup_source --dest_dir="$final_path/lib/plugins/logautherror" --source_id=logautherror + #================================================= # GENERIC FINALIZATION #================================================= @@ -291,7 +297,7 @@ find $final_path/lib -type d -print0 | xargs -0 chmod 0755 # SETUP FAIL2BAN #================================================= -ynh_add_fail2ban_config "/var/log/nginx/$domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: ,.*$" 5 +ynh_add_fail2ban_config --logpath="/var/log/nginx/$domain-error.log" --failregex="^.*authentication failure. while reading response header from upstream, client: ,.*POST $path_url.*$" --max_retry=5 #================================================= # SETUP SSOWAT From d058c86a478471a014ed60424ae567687f8dcaa6 Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Sun, 12 May 2019 17:09:42 +0200 Subject: [PATCH 3/5] Typo fix --- scripts/change_url | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/scripts/change_url b/scripts/change_url index c3eb541..a91a6fd 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -75,7 +75,7 @@ then ynh_add_nginx_config fi -# Change the domain for nginx and impliment Fail2ban +# Change the domain for nginx and update Fail2ban if [ $change_domain -eq 1 ] then # Delete file checksum for the old conf file location 
@@ -83,9 +83,9 @@ then mv $nginx_conf_path /etc/nginx/conf.d/$new_domain.d/$app.conf # Store file checksum for the new config file location ynh_store_file_checksum "/etc/nginx/conf.d/$new_domain.d/$app.conf" - # Fail2ban configuration - ynh_add_fail2ban_config --logpath="/var/log/nginx/$new_domain-error.log" --failregex="^.*authentication failure. while reading response header from upstream, client: ,.*POST $path_url.*$" --max_retry=5 + # Update Fail2ban configuration + ynh_add_fail2ban_config --logpath="/var/log/nginx/$new_domain-error.log" --failregex="^.*authentication failure. while reading response header from upstream, client: ,.*POST $path_url.*$" --max_retry=5 fi #================================================= From 71b270ab186ca96782877db03a13c2a94d184508 Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Sun, 12 May 2019 17:22:25 +0200 Subject: [PATCH 4/5] Normalization... --- scripts/backup | 5 +++-- scripts/install | 2 ++ scripts/remove | 1 + scripts/restore | 7 ++++--- scripts/upgrade | 2 ++ 5 files changed, 12 insertions(+), 5 deletions(-) diff --git a/scripts/backup b/scripts/backup index 36a90b8..bb1439a 100755 --- a/scripts/backup +++ b/scripts/backup @@ -52,9 +52,10 @@ ynh_backup "/etc/php/7.0/fpm/pool.d/$app.conf" #================================================= # BACKUP FAIL2BAN CONFIGURATION #================================================= +ynh_script_progression --message="Backing up fail2ban configuration..." -ynh_backup "/etc/fail2ban/jail.d/$app.conf" -ynh_backup "/etc/fail2ban/filter.d/$app.conf" +ynh_backup --src_path="/etc/fail2ban/jail.d/$app.conf" +ynh_backup --src_path="/etc/fail2ban/filter.d/$app.conf" #================================================= # END OF SCRIPT diff --git a/scripts/install b/scripts/install index 5262e1a..ef4f3e7 100755 --- a/scripts/install +++ b/scripts/install 
@@ -161,6 +161,7 @@ ynh_store_file_checksum "$final_path/conf/local.protected.php" #================================================= # INSTALL LOGAUTHERROR PLUGIN FOR FAIL2BAN #================================================= +ynh_script_progression --message="Installing logautherror plugin for fail2ban..." --weight=2 ynh_setup_source --dest_dir="$final_path/lib/plugins/logautherror" --source_id=logautherror @@ -210,6 +211,7 @@ find $final_path/lib -type d -print0 | xargs -0 chmod 0755 #================================================= # SETUP FAIL2BAN #================================================= +ynh_script_progression --message="Configuring fail2ban..." --weight=7 ynh_add_fail2ban_config --logpath="/var/log/nginx/$domain-error.log" --failregex="^.*authentication failure. while reading response header from upstream, client: ,.*POST $path_url.*$" --max_retry=5 diff --git a/scripts/remove b/scripts/remove index f1d9798..5797d12 100755 --- a/scripts/remove +++ b/scripts/remove @@ -48,6 +48,7 @@ ynh_remove_fpm_config #================================================= # REMOVE FAIL2BAN CONFIGURATION #================================================= +ynh_script_progression --message="Removing fail2ban configuration..." --weight=7 ynh_remove_fail2ban_config diff --git a/scripts/restore b/scripts/restore index ac6fec6..2e7c1cd 100755 --- a/scripts/restore +++ b/scripts/restore 
@@ -94,10 +94,11 @@ ynh_restore_file "/etc/php/7.0/fpm/pool.d/$app.conf" #================================================= # RESTORE FAIL2BAN CONFIGURATION #================================================= +ynh_script_progression --message="Restoring the fail2ban configuration..." --weight=7 -ynh_restore_file "/etc/fail2ban/jail.d/$app.conf" -ynh_restore_file "/etc/fail2ban/filter.d/$app.conf" -systemctl restart fail2ban +ynh_restore_file --origin_path="/etc/fail2ban/jail.d/$app.conf" +ynh_restore_file --origin_path="/etc/fail2ban/filter.d/$app.conf" +ynh_systemd_action --action=restart --service_name=fail2ban #================================================= # GENERIC FINALIZATION diff --git a/scripts/upgrade b/scripts/upgrade index 5fc992e..1f07a9c 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -242,6 +242,7 @@ ynh_store_file_checksum "$final_path/conf/local.protected.php" #================================================= # INSTALL LOGAUTHERROR PLUGIN FOR FAIL2BAN #================================================= +ynh_script_progression --message="Upgrading logautherror plugin for fail2ban..." --weight=2 ynh_setup_source --dest_dir="$final_path/lib/plugins/logautherror" --source_id=logautherror @@ -291,6 +292,7 @@ find $final_path/lib -type d -print0 | xargs -0 chmod 0755 #================================================= # SETUP FAIL2BAN #================================================= +ynh_script_progression --message="Reconfiguring fail2ban..." --weight=7 ynh_add_fail2ban_config --logpath="/var/log/nginx/$domain-error.log" --failregex="^.*authentication failure. while reading response header from upstream, client: ,.*POST $path_url.*$" --max_retry=5 From eb4f85bd841211de9bf8bede9f2b20d38352a420 Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Thu, 30 May 2019 00:14:48 +0200 Subject: [PATCH 5/5] Upgrade fail2ban for new_path and new_domain --- scripts/change_url | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) 
diff --git a/scripts/change_url b/scripts/change_url index d705d5e..249d73b 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -75,7 +75,7 @@ then ynh_add_nginx_config fi -# Change the domain for nginx and update Fail2ban +# Change the domain for nginx if [ $change_domain -eq 1 ] then # Delete file checksum for the old conf file location @@ -83,11 +83,17 @@ then mv $nginx_conf_path /etc/nginx/conf.d/$new_domain.d/$app.conf # Store file checksum for the new config file location ynh_store_file_checksum "/etc/nginx/conf.d/$new_domain.d/$app.conf" - - # Update Fail2ban configuration - ynh_add_fail2ban_config --logpath="/var/log/nginx/$new_domain-error.log" --failregex="^.*authentication failure. while reading response header from upstream, client: ,.*POST $path_url.*$" --max_retry=5 fi +#================================================= +# SPECIFIC MODIFICATIONS +#================================================= +# UPGRADE FAIL2BAN +#================================================= +ynh_script_progression --message="Reconfiguring fail2ban..." --weight=6 + +ynh_add_fail2ban_config --logpath="/var/log/nginx/$new_domain-error.log" --failregex="^.*authentication failure. while reading response header from upstream, client: ,.*POST $new_path.*$" --max_retry=5 + #================================================= # GENERIC FINALISATION #=================================================
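Review bot: The new UPGRADE FAIL2BAN block points the jail at `/var/log/nginx/$new_domain-error.log` and ynh_add_fail2ban_config restarts fail2ban, but nothing in this hunk creates that log or reloads nginx for the new domain first; if the file does not exist yet when fail2ban restarts, the jail may fail to start, with only the helper's warning as a trace. Consider placing the block after the nginx reload (presumably in the GENERIC FINALISATION section that follows, not visible here), or creating the log before calling the helper, e.g. `touch "/var/log/nginx/$new_domain-error.log"`. `$new_path` is also interpolated unescaped into the regex, the same concern as `$path_url` in scripts/install.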