Merge pull request #99 from YunoHost-Apps/fail2ban

Add fail2ban to improve security
2024-09-03 19:16:06 +02:00 · 2023-09-10 23:04:44 +02:00 · 2023-09-10 23:04:44 +02:00 · 2d9913f9fb
commit 2d9913f9fb
parent 8d030bdd79 ed9fc6c961
5 changed files with 39 additions and 0 deletions
--- a/scripts/backup
+++ b/scripts/backup
@ -72,6 +72,13 @@ ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"

 ynh_backup --src_path="/etc/logrotate.d/$app"

+#=================================================
+# BACKUP FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_backup --src_path="/etc/fail2ban/jail.d/$app.conf"
+ynh_backup --src_path="/etc/fail2ban/filter.d/$app.conf"
+
 #=================================================
 # BACKUP SYSTEMD
 #=================================================
--- a/scripts/install
+++ b/scripts/install
@ -284,6 +284,14 @@ ynh_script_progression --message="Configuring log rotation..." --weight=1
 # Use logrotate to manage application logfile(s)
 ynh_use_logrotate

+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+ynh_script_progression --message="Configuring fail2ban..." --weight=1
+
+# Create a dedicated Fail2Ban config
+ynh_add_fail2ban_config --logpath="/var/log/${app}/${app}.log" --failregex="statusCode=401 path=/auth/sign_in clientIP=<HOST> .* msg=\"Unauthorized:" --max_retry=5
+
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
 #=================================================
--- a/scripts/remove
+++ b/scripts/remove
@ -92,6 +92,14 @@ ynh_script_progression --message="Removing logrotate configuration..." --weight=
 # Remove the app-specific logrotate config
 ynh_remove_logrotate

+#=================================================
+# REMOVE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_script_progression --message="Removing fail2ban configuration..." --weight=1
+
+ynh_remove_fail2ban_config
+
 #=================================================
 # CLOSE A PORT
 #=================================================
--- a/scripts/restore
+++ b/scripts/restore
@ -241,6 +241,14 @@ ynh_script_progression --message="Restoring the logrotate configuration..." --we

 ynh_restore_file --origin_path="/etc/logrotate.d/$app"

+#=================================================
+# RESTORE THE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_restore_file --origin_path="/etc/fail2ban/jail.d/$app.conf"
+ynh_restore_file --origin_path="/etc/fail2ban/filter.d/$app.conf"
+ynh_systemd_action --action=restart --service_name=fail2ban
+
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -410,6 +410,14 @@ ynh_script_progression --message="Upgrading logrotate configuration..."
 # Use logrotate to manage app-specific logfile(s)
 ynh_use_logrotate --non-append

+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+ynh_script_progression --message="Upgrading fail2ban configuration..."
+
+# Create a dedicated Fail2Ban config
+ynh_add_fail2ban_config --logpath="/var/log/${app}/${app}.log" --failregex="statusCode=401 path=/auth/sign_in clientIP=<HOST> .* msg=\"Unauthorized:" --max_retry=5
+
 #=================================================
 # INTEGRATE SERVICE IN YUNOHOST
 #=================================================