Added fail2ban and updated readme

README.md

@@ -14,17 +14,11 @@ Current snapshot in *sources*:
 * https://framagit.org/hubzilla/core: 3.8.3 (commit a9fd3608ea50ec4522075b3315a35c8eed9581d7)
 * https://framagit.org/hubzilla/addons: 3.8.3 (commit fc752b052c57e4ad209eb44dc0fc821e22f40772)
 
-## To-Do's
-- [X] Installation and remove script.
-- [X] Ldap integration.
-- [X] Upgrade script.
-- [X] Backup and restore script(Need to be tested,but hopefully will work).
-- [X] Remove the admin email,path and is_public form installation form.
-- [X] Stop modification of php.ini : exec().
-- [X] Make changes to nginx configuration accouding to Hubzilla official guide.
-- [X] Force redirection to https by default.
-- [X] Multi-instance.
-- [X] Adeed php.log in the root folder for debugging php, with logrotate applied on it.(can be accesssed by admin->logs and entering the php.log).
+## This app claims following features:
+- [X] Ldap integration
+- [X] Multi-instance
+- [X] Adeed php.log in the root folder for debugging php, with logrotate applied on it (can be accesssed by **admin->logs** and entering the **php.log**).
+- [X] Fail2ban 
 
 ## Important Notes
 
@@ -49,10 +43,10 @@ Use the YunoHost admin panel to install Hubzilla by entering the GitHub repo add
 
 Make sure to select your domain from the previous section as the application domain.
 
-When installation is complete, you will need to visit your new hub's page and login with the admin account which was entered at the time of installation process. You should then be able to create your first channel and have the admin rights for the hub.
+**For admin rights**: When installation is complete, you will need to visit your new hub's page and login with the **admin account username** which was entered at the time of installation process. You should then be able to create your first channel and have the admin rights for the hub.
 
 **For normal YunoHost users:** Normal LDAP users can login through Ldap authentication and create there channels.
 
-**If the admin cannot access the admin settings:** If you cannot access the admin settings at `https://hub.example.com/admin` when you log in as the administrator, or you want to grant admin rights to any other user(s) on the hub, then you have to manually add 4096 to the account_roles under accounts for that user in the database through phpMYAdmin.
+**If the admin cannot access the admin settings:** If the admin cannot access the admin settings at `https://hubzilla.example.com/admin` or you want to grant admin rights to any other user(s) on the hub, then you have to **manually add 4096** to the **account_roles** under **accounts** for that user in the **database through phpMYAdmin**.
 
-**For logs:**: Go to admin->logs and enter the file name **php.log**. 
+**For logs:**: Go to **admin->logs** and enter the file name **php.log**. 

scripts/_common.sh

@@ -11,3 +11,67 @@ ynh_delete_file_checksum () {
 	local checksum_setting_name=checksum_${1//[\/ ]/_}	# Replace all '/' and ' ' by '_'
 	ynh_app_setting_delete $app $checksum_setting_name
 }
+
+#=================================================
+# EXPERIMENTAL HELPERS
+#=================================================
+
+# Create a dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]]
+# | arg: log_file - Log file to be checked by fail2ban
+# | arg: failregex - Failregex to be looked for by fail2ban
+# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3
+# | arg: ports - Ports blocked for a banned IP address - default: http,https
+ynh_add_fail2ban_config () {
+   # Process parameters
+   logpath=$1
+   failregex=$2
+   max_retry=${3:-3}
+   ports=${4:-http,https}
+   
+  test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
+  test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
+  
+  finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
+  finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
+  ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
+  ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
+  
+  sudo tee $finalfail2banjailconf <<EOF
+[$app]
+enabled = true
+port = $ports
+filter = $app
+logpath = $logpath
+maxretry = $max_retry
+EOF
+
+  sudo tee $finalfail2banfilterconf <<EOF
+[INCLUDES]
+before = common.conf
+[Definition]
+failregex = $failregex
+ignoreregex =
+EOF
+
+  ynh_store_file_checksum "$finalfail2banjailconf"
+  ynh_store_file_checksum "$finalfail2banfilterconf"
+  
+  systemctl restart fail2ban
+  local fail2ban_error="$(journalctl -u fail2ban | tail -n50 | grep "WARNING.*$app.*")"
+  if [ -n "$fail2ban_error" ]
+  then
+    echo "[ERR] Fail2ban failed to load the jail for $app" >&2
+    echo "WARNING${fail2ban_error#*WARNING}" >&2
+  fi
+}
+
+# Remove the dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_remove_fail2ban_config
+ynh_remove_fail2ban_config () {
+  ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
+  ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
+  sudo systemctl restart fail2ban
+}

scripts/backup

@@ -68,3 +68,10 @@ ynh_backup "/etc/logrotate.d/$app"
 #=================================================
 
 ynh_backup "/etc/cron.d/$app"
+
+#=================================================
+# BACKUP FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_backup "/etc/fail2ban/jail.d/$app.conf"
+ynh_backup "/etc/fail2ban/filter.d/$app.conf"

scripts/install

@@ -161,6 +161,12 @@ ynh_store_file_checksum "$final_path/.htconfig.php"
 # Use logrotate to manage application logfile(s)
 ynh_use_logrotate "$final_path/php.log"
 
+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "$final_path/php.log" "^.*auth\.php.*failed login attempt.*from IP <HOST>.*$" 5
+
 # Reload services
 systemctl reload nginx
 sudo yunohost app ssowatconf

scripts/remove

@@ -64,6 +64,12 @@ ynh_remove_logrotate "$final_path/php.log"
 # Remove a cron file
 ynh_secure_remove "/etc/cron.d/$app"
 
+#=================================================
+# REMOVE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_remove_fail2ban_config
+
 #=================================================
 # GENERIC FINALIZATION
 #=================================================

scripts/restore

@@ -96,6 +96,14 @@ ynh_restore_file "/etc/cron.d/$app"
 
 ynh_restore_file "/etc/logrotate.d/$app"
 
+#=================================================
+# RESTORE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_restore_file "/etc/fail2ban/jail.d/$app.conf"
+ynh_restore_file "/etc/fail2ban/filter.d/$app.conf"
+systemctl restart fail2ban
+
 # Make app public
 ynh_app_setting_set $app skipped_uris "/"
 

scripts/upgrade

@@ -120,6 +120,12 @@ ynh_store_file_checksum "$final_path/.htconfig.php"
 # Use logrotate to manage app-specific logfile(s)
 ynh_use_logrotate  "$final_path/php.log" --non-append
 
+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "$final_path/php.log" "^.*auth\.php.*failed login attempt.*from IP <HOST>.*$" 5
+
 # Set up poller
 ynh_replace_string  "YNH_WWW_PATH" "$final_path" ../conf/poller-cron
 ynh_replace_string "__USER__" "$app"  ../conf/poller-cron