diff --git a/scripts/_common.sh b/scripts/_common.sh
index 3d0883e..b5d7203 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -106,3 +106,71 @@ $(yunohost tools diagnosis | grep -B 100 "services:" | sed '/services:/d')"
 echo "$mail_message" | $mail_bin -a "Content-Type: text/plain; charset=UTF-8" -s "$mail_subject" "$recipients"
 }
+#=================================================
+# fail2ban helpers
+# taken from https://github.com/YunoHost-Apps/shaarli_ynh
+#=================================================
+
+# Create a dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]]
+# | arg: log_file - Log file to be checked by fail2ban
+# | arg: failregex - Failregex to be looked for by fail2ban
+# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3
+# | arg: ports - Ports blocked for a banned IP address - default: http,https
+ynh_add_fail2ban_config () {
+ local logpath
+ local failregex
+ local max_retry
+ local ports
+
+ logpath=$1
+ failregex=$2
+ max_retry=${3:-3}
+ ports=${4:-http,https}
+
+ test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
+ test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
+
+ finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
+ finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
+ ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
+ ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
+
+ sudo tee "$finalfail2banjailconf" <&2 + echo "WARNING${fail2ban_error#*WARNING}" >&2
+ fi
+}
+
+# Remove the dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_remove_fail2ban_config
+ynh_remove_fail2ban_config () {
+ ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
+ ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
+ systemctl reload fail2ban
+}
\ No newline at end of file
diff --git a/scripts/install b/scripts/install
index 0d6e6f7..767341f 100644
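Review bot: `finalfail2banjailconf` and `finalfail2banfilterconf` are assigned in ynh_add_fail2ban_config without `local`, unlike the four variables declared just above them, so they leak into the calling script's scope; add `local finalfail2banjailconf finalfail2banfilterconf` next to the other declarations. Both helpers build their targets from the global `$app` without checking it, so an unset value would point them at `/etc/fail2ban/jail.d/.conf`; a `: "${app:?ynh_add_fail2ban_config needs \$app}"` guard at the top of each would make that fail loudly. The usage line names the second argument `filter` while the argument list and the code call it `failregex`; use one name. In this rendering the text between `sudo tee "$finalfail2banjailconf" <` and `>&2` is missing (the hunk header counts 68 added lines, far more than are visible), so the jail and filter contents written by tee, including how `$failregex` and `$ports` are interpolated, could not be reviewed here.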
--- a/scripts/install
+++ b/scripts/install
@@ -222,6 +222,12 @@ systemctl restart "$app".target
 chown -R "$app": "$final_path"
 chmod -R 755 "$final_path/code/front/dist/"
+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "/var/log/nginx/$domain-access.log" ".* \"POST /api/v1/token/ HTTP/1.1\" 400 68.*$" 5
+
 #=================================================
 # SETUP SSOWAT
 #=================================================
diff --git a/scripts/remove b/scripts/remove
index c379bb5..c033696 100644
--- a/scripts/remove
+++ b/scripts/remove
@@ -91,9 +91,15 @@ fi
 #=================================================
 # GENERIC FINALIZATION
+#=================================================
+# REMOVE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_remove_fail2ban_config
+
 #=================================================
 # REMOVE DEDICATED USER
 #=================================================
 # Delete a system user
-ynh_system_user_delete "$app"
+ynh_system_user_delete "$app"
\ No newline at end of file
diff --git a/scripts/upgrade b/scripts/upgrade
index 586aff7..5c92527 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -232,6 +232,12 @@ systemctl restart "$app".target
 chown -R "$app": "$final_path"
 chmod -R 755 "$final_path/code/front/dist/"
+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "/var/log/nginx/$domain-access.log" ".* \"POST /api/v1/token/ HTTP/1.1\" 400 68.*$" 5
+
 #=================================================
 # SETUP SSOWAT
 #=================================================
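Review bot: The failregex passed on the `ynh_add_fail2ban_config` line contains no `<HOST>` tag, and fail2ban rejects a filter whose failregex has no host group, so the jail would fail to load and no address would ever be banned; the same call appears in the scripts/upgrade hunk. Assuming the default nginx access-log format, where the client address is the first field, anchor the pattern on it: `ynh_add_fail2ban_config "/var/log/nginx/$domain-access.log" "^<HOST> .*\"POST /api/v1/token/ HTTP/1.1\" 400 [0-9]+.*$" 5`. Matching the literal response size `68` and the literal `HTTP/1.1` also narrows detection: a change in the error body length, or clients logged as `HTTP/2.0`, produce lines the rule never sees, so `400 [0-9]+` and `HTTP/[0-9.]+` keep the jail effective across those variations.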
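Review bot: The only change to `ynh_system_user_delete "$app"` at the end of scripts/remove is that it now lacks a trailing newline (`\ No newline at end of file`); restore the final newline so the file stays POSIX-clean and the next edit does not produce a spurious diff on that line. The `ynh_remove_fail2ban_config` call ends with `systemctl reload fail2ban` inside the helper, which fails when the fail2ban unit is not active; if removal should succeed on a host where the service is stopped, that call needs a guard, but the helper's body is outside this hunk.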