Added Fail2ban

scripts/_common.sh

@@ -10,4 +10,68 @@
 ynh_delete_file_checksum () {
 	local checksum_setting_name=checksum_${1//[\/ ]/_}	# Replace all '/' and ' ' by '_'
 	ynh_app_setting_delete $app $checksum_setting_name
-}
+}
+
+#=================================================
+# EXPERIMENTAL HELPERS
+#=================================================
+
+# Create a dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]]
+# | arg: log_file - Log file to be checked by fail2ban
+# | arg: failregex - Failregex to be looked for by fail2ban
+# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3
+# | arg: ports - Ports blocked for a banned IP address - default: http,https
+ynh_add_fail2ban_config () {
+   # Process parameters
+   logpath=$1
+   failregex=$2
+   max_retry=${3:-3}
+   ports=${4:-http,https}
+   
+  test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
+  test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
+  
+  finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
+  finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
+  ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
+  ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
+  
+  sudo tee $finalfail2banjailconf <<EOF
+[$app]
+enabled = true
+port = $ports
+filter = $app
+logpath = $logpath
+maxretry = $max_retry
+EOF
+
+  sudo tee $finalfail2banfilterconf <<EOF
+[INCLUDES]
+before = common.conf
+[Definition]
+failregex = $failregex
+ignoreregex =
+EOF
+
+  ynh_store_file_checksum "$finalfail2banjailconf"
+  ynh_store_file_checksum "$finalfail2banfilterconf"
+  
+  systemctl restart fail2ban
+  local fail2ban_error="$(journalctl -u fail2ban | tail -n50 | grep "WARNING.*$app.*")"
+  if [ -n "$fail2ban_error" ]
+  then
+    echo "[ERR] Fail2ban failed to load the jail for $app" >&2
+    echo "WARNING${fail2ban_error#*WARNING}" >&2
+  fi
+}
+
+# Remove the dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_remove_fail2ban_config
+ynh_remove_fail2ban_config () {
+  ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
+  ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
+  sudo systemctl restart fail2ban
+}

scripts/backup

@@ -50,3 +50,10 @@ ynh_backup "/etc/php5/fpm/conf.d/20-$app.ini"
 # SPECIFIC BACKUP
 #=================================================
 
+#=================================================
+# BACKUP FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_backup "/etc/fail2ban/jail.d/$app.conf"
+ynh_backup "/etc/fail2ban/filter.d/$app.conf"
+

scripts/change_url

@@ -75,7 +75,7 @@ then
 	ynh_add_nginx_config
 fi
 
-# Change the domain for nginx
+# Change the domain for nginx and impliment Fail2ban
 if [ $change_domain -eq 1 ]
 then
 	# Delete file checksum for the old conf file location
@@ -83,6 +83,9 @@ then
 	mv $nginx_conf_path /etc/nginx/conf.d/$new_domain.d/$app.conf
 	# Store file checksum for the new config file location
 	ynh_store_file_checksum "/etc/nginx/conf.d/$new_domain.d/$app.conf"
+	# Fail2ban configuration
+	ynh_add_fail2ban_config "/var/log/nginx/$new_domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: <HOST>,.*$" 5
+
 fi
 
 #=================================================

scripts/install

@@ -211,6 +211,12 @@ find $final_path/lib -type d -print0 | xargs -0 chmod 0755
 # chmod :   -rwxr-xr-x  1 root root  241 May  3 08:36 index.html   => BAD
 # find  :   -rw-r--r--  1 1001 1002  241 May  3 08:36 index.html   => GOOD
 
+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "/var/log/nginx/$domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: <HOST>,.*$" 5
+
 #=================================================
 # SETUP SSOWAT
 #=================================================

scripts/remove

@@ -46,7 +46,10 @@ ynh_remove_fpm_config
 #=================================================
 # SPECIFIC REMOVE
 #=================================================
+# REMOVE FAIL2BAN CONFIGURATION
+#=================================================
 
+ynh_remove_fail2ban_config
 
 #=================================================
 # GENERIC FINALIZATION

scripts/restore

@@ -108,7 +108,13 @@ ynh_restore_file "/etc/php5/fpm/conf.d/20-$app.ini"
 # SPECIFIC RESTORATION
 #=================================================
 
+#=================================================
+# RESTORE FAIL2BAN CONFIGURATION
+#=================================================
 
+ynh_restore_file "/etc/fail2ban/jail.d/$app.conf"
+ynh_restore_file "/etc/fail2ban/filter.d/$app.conf"
+systemctl restart fail2ban
 
 #=================================================
 # GENERIC FINALIZATION

scripts/upgrade

@@ -287,6 +287,12 @@ find $final_path/lib -type d -print0 | xargs -0 chmod 0755
 # chmod :   -rwxr-xr-x  1 root root  241 May  3 08:36 index.html   => BAD
 # find  :   -rw-r--r--  1 1001 1002  241 May  3 08:36 index.html   => GOOD
 
+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "/var/log/nginx/$domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: <HOST>,.*$" 5
+
 #=================================================
 # SETUP SSOWAT
 #=================================================