From 70d8aea655dc578370b16f21ecd41bd7b4d31cd1 Mon Sep 17 00:00:00 2001
From: anmol
Date: Wed, 21 Nov 2018 02:33:53 +0530
Subject: [PATCH] Added Fail2ban
---
scripts/_common.sh | 66 +++++++++++++++++++++++++++++++++++++++++++++-
scripts/backup | 7 +++++
scripts/change_url | 5 +++-
scripts/install | 6 +++++
scripts/remove | 3 +++
scripts/restore | 6 +++++
scripts/upgrade | 6 +++++
7 files changed, 97 insertions(+), 2 deletions(-)
diff --git a/scripts/_common.sh b/scripts/_common.sh
index bb04a03..217a16a 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -10,4 +10,68 @@ ynh_delete_file_checksum () { local checksum_setting_name=checksum_${1//[\/ ]/_} # Replace all '/' and ' ' by '_' ynh_app_setting_delete $app $checksum_setting_name -} \ No newline at end of file +} + +#================================================= +# EXPERIMENTAL HELPERS +#================================================= + +# Create a dedicated fail2ban config (jail and filter conf files) +# +# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]] +# | arg: log_file - Log file to be checked by fail2ban +# | arg: failregex - Failregex to be looked for by fail2ban +# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3 +# | arg: ports - Ports blocked for a banned IP address - default: http,https +ynh_add_fail2ban_config () { + # Process parameters + logpath=$1 + failregex=$2 + max_retry=${3:-3} + ports=${4:-http,https} + + test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing." + test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing." + + finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf" + finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf" + ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1 + ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1 + + sudo tee $finalfail2banjailconf <&2 + echo "WARNING${fail2ban_error#*WARNING}" >&2 + fi +} + +# Remove the dedicated fail2ban config (jail and filter conf files) +# +# usage: ynh_remove_fail2ban_config +ynh_remove_fail2ban_config () { + ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf" + ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf" + sudo systemctl restart fail2ban +} diff --git a/scripts/backup b/scripts/backup index 9c63df7..e24e312 100755 --- a/scripts/backup +++ b/scripts/backup 
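Review bot: In `ynh_add_fail2ban_config` the assignments `logpath=$1`, `failregex=$2`, `max_retry=${3:-3}`, `ports=${4:-http,https}` and the two `finalfail2ban...conf` paths are not declared `local`, so every call overwrites same-named variables in whichever script invokes the helper; `ynh_delete_file_checksum` just above does use `local`. I would write `local logpath=$1` (and likewise for the others) and quote the target in `sudo tee "$finalfail2banjailconf"`, since the path is built from `$app`. The usage line names the second argument `filter` while the arg list calls it `failregex`; one of the two should be renamed. The text between `sudo tee` and the final warning `echo` is not legible on this page, so the jail and filter templates themselves are not covered by this note.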
@@ -50,3 +50,10 @@ ynh_backup "/etc/php5/fpm/conf.d/20-$app.ini" # SPECIFIC BACKUP #================================================= +#================================================= +# BACKUP FAIL2BAN CONFIGURATION +#================================================= + +ynh_backup "/etc/fail2ban/jail.d/$app.conf" +ynh_backup "/etc/fail2ban/filter.d/$app.conf" + diff --git a/scripts/change_url b/scripts/change_url index 2af51af..8f11601 100644 --- a/scripts/change_url +++ b/scripts/change_url @@ -75,7 +75,7 @@ then ynh_add_nginx_config fi -# Change the domain for nginx +# Change the domain for nginx and impliment Fail2ban if [ $change_domain -eq 1 ] then # Delete file checksum for the old conf file location @@ -83,6 +83,9 @@ then mv $nginx_conf_path /etc/nginx/conf.d/$new_domain.d/$app.conf # Store file checksum for the new config file location ynh_store_file_checksum "/etc/nginx/conf.d/$new_domain.d/$app.conf" + # Fail2ban configuration + ynh_add_fail2ban_config "/var/log/nginx/$new_domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: ,.*$" 5 + fi #================================================= diff --git a/scripts/install b/scripts/install index 046c816..d0102b8 100755 --- a/scripts/install +++ b/scripts/install @@ -211,6 +211,12 @@ find $final_path/lib -type d -print0 | xargs -0 chmod 0755 # chmod : -rwxr-xr-x 1 root root 241 May 3 08:36 index.html => BAD # find : -rw-r--r-- 1 1001 1002 241 May 3 08:36 index.html => GOOD +#================================================= +# SETUP FAIL2BAN +#================================================= + +ynh_add_fail2ban_config "/var/log/nginx/$domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: ,.*$" 5 + #================================================= # SETUP SSOWAT #================================================= diff --git a/scripts/remove b/scripts/remove index f453065..96dfb72 100755 --- a/scripts/remove 
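Review bot: The failregex passed to `ynh_add_fail2ban_config` in the second change_url hunk starts with `^.*`, so the `authentication failure" while reading response header from upstream, client:` text can match at any position in the nginx error line, including inside the message the application wrote to stderr. If any of that message is client-influenced, the address fail2ban extracts may not be the real peer, so anchoring the pattern to the fixed nginx error-line prefix instead of `^.*` would be safer. As rendered on this page there is nothing between `client: ` and the comma; fail2ban needs its `<HOST>` tag there, so confirm it is present in the actual patch. The same literal is repeated in the install and upgrade hunks, and defining it once in `_common.sh` would keep the three call sites from drifting. The enclosing `if [ $change_domain -eq 1 ]` block starts outside this hunk.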
+++ b/scripts/remove @@ -46,7 +46,10 @@ ynh_remove_fpm_config #================================================= # SPECIFIC REMOVE #================================================= +# REMOVE FAIL2BAN CONFIGURATION +#================================================= +ynh_remove_fail2ban_config #================================================= # GENERIC FINALIZATION diff --git a/scripts/restore b/scripts/restore index f8363c7..23153b2 100755 --- a/scripts/restore +++ b/scripts/restore @@ -108,7 +108,13 @@ ynh_restore_file "/etc/php5/fpm/conf.d/20-$app.ini" # SPECIFIC RESTORATION #================================================= +#================================================= +# RESTORE FAIL2BAN CONFIGURATION +#================================================= +ynh_restore_file "/etc/fail2ban/jail.d/$app.conf" +ynh_restore_file "/etc/fail2ban/filter.d/$app.conf" +systemctl restart fail2ban #================================================= # GENERIC FINALIZATION diff --git a/scripts/upgrade b/scripts/upgrade index 75be9a7..25b70b0 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -287,6 +287,12 @@ find $final_path/lib -type d -print0 | xargs -0 chmod 0755 # chmod : -rwxr-xr-x 1 root root 241 May 3 08:36 index.html => BAD # find : -rw-r--r-- 1 1001 1002 241 May 3 08:36 index.html => GOOD +#================================================= +# SETUP FAIL2BAN +#================================================= + +ynh_add_fail2ban_config "/var/log/nginx/$domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: ,.*$" 5 + #================================================= # SETUP SSOWAT #=================================================
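Review bot: The new section banner in the remove hunk has no opening rule line: `# REMOVE FAIL2BAN CONFIGURATION` sits directly under the closing rule of `# SPECIFIC REMOVE`, whereas the backup, restore, install and upgrade hunks open their banner with a `#=====` line. Adding that rule line, preceded by a blank line, before `# REMOVE FAIL2BAN CONFIGURATION` keeps the headers uniform across the scripts.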