Added Fail2ban

2024-09-03 19:36:17 +02:00 · 2018-11-21 03:13:27 +05:30 · 2018-11-21 03:13:27 +05:30 · ca7324a1b4
commit ca7324a1b4
parent 8de78fbd53
6 changed files with 97 additions and 0 deletions
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@ -8,3 +8,67 @@ if [ "$(lsb_release --codename --short)" == "jessie" ]; then
 else
 	pkg_dependencies="php-gd php-zip php-dom php-mbstring"
 fi
+
+#=================================================
+# EXPERIMENTAL HELPERS
+#=================================================
+
+# Create a dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]]
+# | arg: log_file - Log file to be checked by fail2ban
+# | arg: failregex - Failregex to be looked for by fail2ban
+# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3
+# | arg: ports - Ports blocked for a banned IP address - default: http,https
+ynh_add_fail2ban_config () {
+   # Process parameters
+   logpath=$1
+   failregex=$2
+   max_retry=${3:-3}
+   ports=${4:-http,https}
+   
+  test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
+  test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
+  
+  finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
+  finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
+  ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
+  ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
+  
+  sudo tee $finalfail2banjailconf <<EOF
+[$app]
+enabled = true
+port = $ports
+filter = $app
+logpath = $logpath
+maxretry = $max_retry
+EOF
+
+  sudo tee $finalfail2banfilterconf <<EOF
+[INCLUDES]
+before = common.conf
+[Definition]
+failregex = $failregex
+ignoreregex =
+EOF
+
+  ynh_store_file_checksum "$finalfail2banjailconf"
+  ynh_store_file_checksum "$finalfail2banfilterconf"
+  
+  systemctl restart fail2ban
+  local fail2ban_error="$(journalctl -u fail2ban | tail -n50 | grep "WARNING.*$app.*")"
+  if [ -n "$fail2ban_error" ]
+  then
+    echo "[ERR] Fail2ban failed to load the jail for $app" >&2
+    echo "WARNING${fail2ban_error#*WARNING}" >&2
+  fi
+}
+
+# Remove the dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_remove_fail2ban_config
+ynh_remove_fail2ban_config () {
+  ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
+  ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
+  sudo systemctl restart fail2ban
+}
--- a/scripts/backup
+++ b/scripts/backup
@ -55,6 +55,13 @@ ynh_backup "/etc/nginx/conf.d/${domain}.d/${app}.conf"

 ynh_backup "/etc/php5/fpm/pool.d/${app}.conf"

+#=================================================
+# BACKUP FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_backup "/etc/fail2ban/jail.d/$app.conf"
+ynh_backup "/etc/fail2ban/filter.d/$app.conf"
+
 #=================================================
 # BACKUP THE MYSQL DATABASE
 #=================================================
--- a/scripts/install
+++ b/scripts/install
@ -141,6 +141,12 @@ chown -R root:root "$final_path"
 chown -R "$app" "$final_path"/{data,plugins,sessions}
 chmod -R 700 "$final_path"/sessions

+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "/var/log/nginx/$domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: <HOST>,.*$" 5
+
 #=================================================
 # SETUP SSOWAT
 #=================================================
--- a/scripts/remove
+++ b/scripts/remove
@ -53,3 +53,9 @@ ynh_remove_nginx_config
 #=================================================

 ynh_remove_fpm_config
+
+#=================================================
+# REMOVE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_remove_fail2ban_config
--- a/scripts/restore
+++ b/scripts/restore
@ -98,6 +98,14 @@ chmod -R 700 "$final_path"/sessions

 ynh_restore_file "/etc/php5/fpm/pool.d/${app}.conf"

+#=================================================
+# RESTORE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_restore_file "/etc/fail2ban/jail.d/$app.conf"
+ynh_restore_file "/etc/fail2ban/filter.d/$app.conf"
+systemctl restart fail2ban
+
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -188,6 +188,12 @@ else
 	ynh_app_setting_set "$app" unprotected_uris "/jsonrpc.php"
 fi

+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "/var/log/nginx/$domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: <HOST>,.*$" 5
+
 #=================================================
 # RELOAD NGINX
 #=================================================