1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/kanboard_ynh.git synced 2024-09-03 19:36:17 +02:00

Merge pull request #75 from anmol26s/master

Added Fail2ban
This commit is contained in:
JimboJoe 2018-12-31 09:24:00 +01:00 committed by GitHub
commit bbe84a1fc0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 97 additions and 0 deletions

View file

@ -8,3 +8,67 @@ if [ "$(lsb_release --codename --short)" == "jessie" ]; then
else
pkg_dependencies="php-gd php-zip php-dom php-mbstring"
fi
#=================================================
# EXPERIMENTAL HELPERS
#=================================================
# Create a dedicated fail2ban config (jail and filter conf files)
#
# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]]
# | arg: log_file - Log file to be checked by fail2ban
# | arg: failregex - Failregex to be looked for by fail2ban
# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3
# | arg: ports - Ports blocked for a banned IP address - default: http,https
ynh_add_fail2ban_config () {
# Process parameters
logpath=$1
failregex=$2
max_retry=${3:-3}
ports=${4:-http,https}
test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
sudo tee $finalfail2banjailconf <<EOF
[$app]
enabled = true
port = $ports
filter = $app
logpath = $logpath
maxretry = $max_retry
EOF
sudo tee $finalfail2banfilterconf <<EOF
[INCLUDES]
before = common.conf
[Definition]
failregex = $failregex
ignoreregex =
EOF
ynh_store_file_checksum "$finalfail2banjailconf"
ynh_store_file_checksum "$finalfail2banfilterconf"
systemctl restart fail2ban
local fail2ban_error="$(journalctl -u fail2ban | tail -n50 | grep "WARNING.*$app.*")"
if [ -n "$fail2ban_error" ]
then
echo "[ERR] Fail2ban failed to load the jail for $app" >&2
echo "WARNING${fail2ban_error#*WARNING}" >&2
fi
}
# Remove the dedicated fail2ban config (jail and filter conf files)
#
# usage: ynh_remove_fail2ban_config
ynh_remove_fail2ban_config () {
ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
sudo systemctl restart fail2ban
}

View file

@ -55,6 +55,13 @@ ynh_backup "/etc/nginx/conf.d/${domain}.d/${app}.conf"
ynh_backup "/etc/php5/fpm/pool.d/${app}.conf"
#=================================================
# BACKUP FAIL2BAN CONFIGURATION
#=================================================
ynh_backup "/etc/fail2ban/jail.d/$app.conf"
ynh_backup "/etc/fail2ban/filter.d/$app.conf"
#=================================================
# BACKUP THE MYSQL DATABASE
#=================================================

View file

@ -141,6 +141,12 @@ chown -R root:root "$final_path"
chown -R "$app" "$final_path"/{data,plugins,sessions}
chmod -R 700 "$final_path"/sessions
#=================================================
# SETUP FAIL2BAN
#=================================================
ynh_add_fail2ban_config "/var/log/nginx/$domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: <HOST>,.*$" 5
#=================================================
# SETUP SSOWAT
#=================================================

View file

@ -53,3 +53,9 @@ ynh_remove_nginx_config
#=================================================
ynh_remove_fpm_config
#=================================================
# REMOVE FAIL2BAN CONFIGURATION
#=================================================
ynh_remove_fail2ban_config

View file

@ -98,6 +98,14 @@ chmod -R 700 "$final_path"/sessions
ynh_restore_file "/etc/php5/fpm/pool.d/${app}.conf"
#=================================================
# RESTORE FAIL2BAN CONFIGURATION
#=================================================
ynh_restore_file "/etc/fail2ban/jail.d/$app.conf"
ynh_restore_file "/etc/fail2ban/filter.d/$app.conf"
systemctl restart fail2ban
#=================================================
# GENERIC FINALIZATION
#=================================================

View file

@ -188,6 +188,12 @@ else
ynh_app_setting_set "$app" unprotected_uris "/jsonrpc.php"
fi
#=================================================
# SETUP FAIL2BAN
#=================================================
ynh_add_fail2ban_config "/var/log/nginx/$domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: <HOST>,.*$" 5
#=================================================
# RELOAD NGINX
#=================================================