Add fail2ban rules

scripts/_common.sh

@@ -106,3 +106,71 @@ $(yunohost tools diagnosis | grep -B 100 "services:" | sed '/services:/d')"
 	echo "$mail_message" | $mail_bin -a "Content-Type: text/plain; charset=UTF-8" -s "$mail_subject" "$recipients"
 }
 
+#=================================================
+# fail2ban helpers
+# taken from https://github.com/YunoHost-Apps/shaarli_ynh
+#=================================================
+
+# Create a dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]]
+# | arg: log_file - Log file to be checked by fail2ban
+# | arg: failregex - Failregex to be looked for by fail2ban
+# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3
+# | arg: ports - Ports blocked for a banned IP address - default: http,https
+ynh_add_fail2ban_config () {
+	local logpath
+	local failregex
+	local max_retry
+	local ports
+
+	logpath=$1
+	failregex=$2
+	max_retry=${3:-3}
+	ports=${4:-http,https}
+
+	test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
+	test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
+
+	finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
+	finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
+	ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
+	ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
+
+	sudo tee "$finalfail2banjailconf" <<EOF
+[$app]
+enabled = true
+port = $ports
+filter = $app
+logpath = $logpath
+maxretry = $max_retry
+EOF
+
+	sudo tee "$finalfail2banfilterconf" <<EOF
+[INCLUDES]
+before = common.conf
+[Definition]
+failregex = $failregex
+ignoreregex =
+EOF
+
+	ynh_store_file_checksum "$finalfail2banjailconf"
+	ynh_store_file_checksum "$finalfail2banfilterconf"
+
+	systemctl restart fail2ban
+	local fail2ban_error="$(journalctl -u fail2ban | tail -n50 | grep "WARNING.*$app.*")"
+	if [ -n "$fail2ban_error" ]
+	then
+		echo "[ERR] Fail2ban failed to load the jail for $app" >&2
+		echo "WARNING${fail2ban_error#*WARNING}" >&2
+	fi
+}
+
+# Remove the dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_remove_fail2ban_config
+ynh_remove_fail2ban_config () {
+	ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
+	ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
+	systemctl reload fail2ban
+}

scripts/install

@@ -222,6 +222,12 @@ systemctl restart "$app".target
 chown -R "$app": "$final_path"
 chmod -R 755 "$final_path/code/front/dist/"
 
+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "/var/log/nginx/$domain-access.log" "<HOST>.* \"POST /api/v1/token/ HTTP/1.1\" 400 68.*$" 5
+
 #=================================================
 # SETUP SSOWAT
 #=================================================

scripts/remove

@@ -91,9 +91,15 @@ fi
 
 #=================================================
 # GENERIC FINALIZATION
+#=================================================
+# REMOVE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_remove_fail2ban_config
+
 #=================================================
 # REMOVE DEDICATED USER
 #=================================================
 
 # Delete a system user
-ynh_system_user_delete "$app"
+ynh_system_user_delete "$app"

scripts/upgrade

@@ -232,6 +232,12 @@ systemctl restart "$app".target
 chown -R "$app": "$final_path"
 chmod -R 755 "$final_path/code/front/dist/"
 
+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "/var/log/nginx/$domain-access.log" "<HOST>.* \"POST /api/v1/token/ HTTP/1.1\" 400 68.*$" 5
+
 #=================================================
 # SETUP SSOWAT
 #=================================================