From ca7324a1b4588fa549421ed39eb123fbb6d5c133 Mon Sep 17 00:00:00 2001
From: anmol
Date: Wed, 21 Nov 2018 03:13:27 +0530
Subject: [PATCH] Added Fail2ban
---
 scripts/_common.sh | 64 ++++++++++++++++++++++++++++++++++++++++++++++
 scripts/backup | 7 +++++
 scripts/install | 6 +++++
 scripts/remove | 6 +++++
 scripts/restore | 8 ++++++
 scripts/upgrade | 6 +++++
 6 files changed, 97 insertions(+)
diff --git a/scripts/_common.sh b/scripts/_common.sh
index 4169852..fc2b2ac 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -8,3 +8,67 @@ if [ "$(lsb_release --codename --short)" == "jessie" ]; then
 else
 pkg_dependencies="php-gd php-zip php-dom php-mbstring"
 fi
+
+#=================================================
+# EXPERIMENTAL HELPERS
+#=================================================
+
+# Create a dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]]
+# | arg: log_file - Log file to be checked by fail2ban
+# | arg: failregex - Failregex to be looked for by fail2ban
+# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3
+# | arg: ports - Ports blocked for a banned IP address - default: http,https
+ynh_add_fail2ban_config () {
+ # Process parameters
+ logpath=$1
+ failregex=$2
+ max_retry=${3:-3}
+ ports=${4:-http,https}
+
+ test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
+ test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
+
+ finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
+ finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
+ ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
+ ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
+
+ sudo tee $finalfail2banjailconf <&2 + echo "WARNING${fail2ban_error#*WARNING}" >&2
+ fi
+}
+
+# Remove the dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_remove_fail2ban_config
+ynh_remove_fail2ban_config () {
+ ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
+ ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
+ sudo systemctl restart fail2ban
+}
diff --git a/scripts/backup b/scripts/backup
index 4ff3af0..d7f361a 100644
--- a/scripts/backup
+++ b/scripts/backup
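Review bot: The helper's working variables in `ynh_add_fail2ban_config` — `logpath`, `failregex`, `max_retry`, `ports`, `finalfail2banjailconf` and `finalfail2banfilterconf` — are assigned without `local`, so they remain set in the calling script after the function returns and can collide with same-named variables in install or upgrade; `local logpath=$1`, `local failregex=$2` and likewise for the rest keeps the helper self-contained. The jail is written with `sudo tee $finalfail2banjailconf` unquoted while the two `ynh_backup_if_checksum_is_different` calls just above quote the same variable; `sudo tee "$finalfail2banjailconf"` is the consistent form. `max_retry` is taken from `$3` with no check that it is a positive integer, and `$failregex` goes into the filter verbatim, so anything fail2ban cannot parse (including a regex without a `<HOST>` group) makes the jail fail to load — and since the journal check at the end only prints a WARNING to stderr, the install still succeeds with the app unprotected; consider turning that branch into a `ynh_die` or at least documenting in the header comment that a rejected jail is non-fatal. In this rendering the text between `tee $finalfail2banjailconf <` and `&2` (the here-documents, checksum storage and the restart/journal check) is missing, so the exact jail and filter contents could not be reviewed here.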
@@ -55,6 +55,13 @@ ynh_backup "/etc/nginx/conf.d/${domain}.d/${app}.conf"
 ynh_backup "/etc/php5/fpm/pool.d/${app}.conf"
+#=================================================
+# BACKUP FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_backup "/etc/fail2ban/jail.d/$app.conf"
+ynh_backup "/etc/fail2ban/filter.d/$app.conf"
+
 #=================================================
 # BACKUP THE MYSQL DATABASE
 #=================================================
diff --git a/scripts/install b/scripts/install
index c6be758..0ab5275 100644
--- a/scripts/install
+++ b/scripts/install
@@ -141,6 +141,12 @@ chown -R root:root "$final_path"
 chown -R "$app" "$final_path"/{data,plugins,sessions}
 chmod -R 700 "$final_path"/sessions
+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "/var/log/nginx/$domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: ,.*$" 5
+
 #=================================================
 # SETUP SSOWAT
 #=================================================
diff --git a/scripts/remove b/scripts/remove
index 06959c0..75929f6 100644
--- a/scripts/remove
+++ b/scripts/remove
@@ -53,3 +53,9 @@ ynh_remove_nginx_config
 #=================================================
 ynh_remove_fpm_config
+
+#=================================================
+# REMOVE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_remove_fail2ban_config
diff --git a/scripts/restore b/scripts/restore
index b37c685..dcefb62 100644
--- a/scripts/restore
+++ b/scripts/restore
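Review bot: The failregex passed to `ynh_add_fail2ban_config` in the scripts/install hunk ends in `client: ,.*$` — as rendered here there is no `<HOST>` token between `client: ` and the comma, and fail2ban refuses to load a filter whose failregex has no host group, which would leave the jail inactive with only a warning in the journal. The identical literal is repeated in the scripts/upgrade hunk; if the token was merely lost in this rendering (the `_common.sh` hunk shows the same kind of loss around `<` and `>`), the pattern still deserves a `fail2ban-regex` run against a real line from `/var/log/nginx/$domain-error.log` before merging, and the string should be defined once (for example in `_common.sh`) rather than duplicated in install and upgrade. The pattern also matches on the literal text `authentication failure" while reading response header from upstream`, which depends on the PHP application writing exactly that message to stderr; a wording change in a future release would silently disable the ban with no install-time error, so a comment above the call naming where that message originates would help the next maintainer.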
@@ -98,6 +98,14 @@ chmod -R 700 "$final_path"/sessions
 ynh_restore_file "/etc/php5/fpm/pool.d/${app}.conf"
+#=================================================
+# RESTORE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_restore_file "/etc/fail2ban/jail.d/$app.conf"
+ynh_restore_file "/etc/fail2ban/filter.d/$app.conf"
+systemctl restart fail2ban
+
 #=================================================
 # GENERIC FINALIZATION
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index 992d464..d02369e 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -188,6 +188,12 @@ else
 ynh_app_setting_set "$app" unprotected_uris "/jsonrpc.php"
 fi
+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "/var/log/nginx/$domain-error.log" "^.*authentication failure\" while reading response header from upstream, client: ,.*$" 5
+
 #=================================================
 # RELOAD NGINX
 #=================================================
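Review bot: `systemctl restart fail2ban` in the scripts/restore hunk restarts the service unconditionally right after the restored jail and filter are put back, with no check that fail2ban accepted them; the helper in `_common.sh` appears to inspect the journal for a WARNING mentioning `$app` after its own restart, and the restore path should apply the same check so a filter that fails to load is reported rather than silently ignored. The restore hunk also calls `systemctl` directly whereas `ynh_remove_fail2ban_config` uses `sudo systemctl restart fail2ban`; pick one convention (if these scripts run as root, as the unprefixed `chmod`/`ynh_restore_file` calls suggest, the `sudo` is redundant). A short comment such as `# fail2ban must re-read jail.d/ and filter.d/ to pick up the restored jail` above the restart would explain why a service restart is needed in a restore script.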