diff --git a/scripts/_common.sh b/scripts/_common.sh index 4169852..fc2b2ac 100644 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -8,3 +8,67 @@ if [ "$(lsb_release --codename --short)" == "jessie" ]; then else pkg_dependencies="php-gd php-zip php-dom php-mbstring" fi + +#================================================= +# EXPERIMENTAL HELPERS +#================================================= + +# Create a dedicated fail2ban config (jail and filter conf files) +# +# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]] +# | arg: log_file - Log file to be checked by fail2ban +# | arg: failregex - Failregex to be looked for by fail2ban +# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3 +# | arg: ports - Ports blocked for a banned IP address - default: http,https +ynh_add_fail2ban_config () { + # Process parameters + logpath=$1 + failregex=$2 + max_retry=${3:-3} + ports=${4:-http,https} + + test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing." + test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing." + + finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf" + finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf" + ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1 + ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1 + + sudo tee $finalfail2banjailconf <&2 + echo "WARNING${fail2ban_error#*WARNING}" >&2 + fi +} + +# Remove the dedicated fail2ban config (jail and filter conf files) +# +# usage: ynh_remove_fail2ban_config +ynh_remove_fail2ban_config () { + ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf" + ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf" + sudo systemctl restart fail2ban +} diff --git a/scripts/backup b/scripts/backup index 4ff3af0..d7f361a 100644 --- a/scripts/backup +++ b/scripts/backup @@ -55,6 +55,13 @@ ynh_backup "/etc/nginx/conf.d/${domain}.d/${app}.conf" ynh_backup "/etc/php5/fpm/pool.d/${app}.conf" +#================================================= +# BACKUP FAIL2BAN CONFIGURATION +#================================================= + +ynh_backup "/etc/fail2ban/jail.d/$app.conf" +ynh_backup "/etc/fail2ban/filter.d/$app.conf" + #================================================= # BACKUP THE MYSQL DATABASE #================================================= diff --git a/scripts/install b/scripts/install index c6be758..0ab5275 100644 --- a/scripts/install +++ b/scripts/install @@ -141,6 +141,12 @@ chown -R root:root "$final_path" chown -R "$app" "$final_path"/{data,plugins,sessions} chmod -R 700 "$final_path"/sessions +#================================================= +# SETUP FAIL2BAN +#================================================= + +ynh_add_fail2ban_config "/var/log/nginx/$domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: ,.*$" 5 + #================================================= # SETUP SSOWAT #================================================= diff --git a/scripts/remove b/scripts/remove index 06959c0..75929f6 100644 --- a/scripts/remove +++ b/scripts/remove @@ -53,3 +53,9 @@ ynh_remove_nginx_config #================================================= ynh_remove_fpm_config + +#================================================= +# REMOVE FAIL2BAN CONFIGURATION +#================================================= + +ynh_remove_fail2ban_config diff --git a/scripts/restore b/scripts/restore index b37c685..dcefb62 100644 --- a/scripts/restore +++ b/scripts/restore @@ -98,6 +98,14 @@ chmod -R 700 "$final_path"/sessions ynh_restore_file "/etc/php5/fpm/pool.d/${app}.conf" +#================================================= +# RESTORE FAIL2BAN CONFIGURATION +#================================================= + +ynh_restore_file "/etc/fail2ban/jail.d/$app.conf" +ynh_restore_file "/etc/fail2ban/filter.d/$app.conf" +systemctl restart fail2ban + #================================================= # GENERIC FINALIZATION #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 992d464..d02369e 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -188,6 +188,12 @@ else ynh_app_setting_set "$app" unprotected_uris "/jsonrpc.php" fi +#================================================= +# SETUP FAIL2BAN +#================================================= + +ynh_add_fail2ban_config "/var/log/nginx/$domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: ,.*$" 5 + #================================================= # RELOAD NGINX #=================================================