mirror of
https://github.com/YunoHost-Apps/kanboard_ynh.git
synced 2024-09-03 19:36:17 +02:00
157 lines
5.9 KiB
Bash
157 lines
5.9 KiB
Bash
#!/bin/bash
|
|
|
|
#=================================================
|
|
# COMMON VARIABLES
|
|
#=================================================
|
|
|
|
pkg_dependencies="php-gd php-zip php-dom php-mbstring"
|
|
|
|
#=================================================
|
|
# FUTURE OFFICIAL HELPERS
|
|
#=================================================
|
|
|
|
# Create a dedicated fail2ban config (jail and filter conf files)
|
|
#
|
|
# usage 1: ynh_add_fail2ban_config --logpath=log_file --failregex=filter [--max_retry=max_retry] [--ports=ports]
|
|
# | arg: -l, --logpath= - Log file to be checked by fail2ban
|
|
# | arg: -r, --failregex= - Failregex to be looked for by fail2ban
|
|
# | arg: -m, --max_retry= - Maximum number of retries allowed before banning IP address - default: 3
|
|
# | arg: -p, --ports= - Ports blocked for a banned IP address - default: http,https
|
|
#
|
|
# -----------------------------------------------------------------------------
|
|
#
|
|
# usage 2: ynh_add_fail2ban_config --use_template [--others_var="list of others variables to replace"]
|
|
# | arg: -t, --use_template - Use this helper in template mode
|
|
# | arg: -v, --others_var= - List of others variables to replace separeted by a space
|
|
# | for example : 'var_1 var_2 ...'
|
|
#
|
|
# This will use a template in ../conf/f2b_jail.conf and ../conf/f2b_filter.conf
|
|
# __APP__ by $app
|
|
#
|
|
# You can dynamically replace others variables by example :
|
|
# __VAR_1__ by $var_1
|
|
# __VAR_2__ by $var_2
|
|
#
|
|
# Generally your template will look like that by example (for synapse):
|
|
#
|
|
# f2b_jail.conf:
|
|
# [__APP__]
|
|
# enabled = true
|
|
# port = http,https
|
|
# filter = __APP__
|
|
# logpath = /var/log/__APP__/logfile.log
|
|
# maxretry = 3
|
|
#
|
|
# f2b_filter.conf:
|
|
# [INCLUDES]
|
|
# before = common.conf
|
|
# [Definition]
|
|
#
|
|
# # Part of regex definition (just used to make more easy to make the global regex)
|
|
# __synapse_start_line = .? \- synapse\..+ \-
|
|
#
|
|
# # Regex definition.
|
|
# failregex = ^%(__synapse_start_line)s INFO \- POST\-(\d+)\- <HOST> \- \d+ \- Received request\: POST /_matrix/client/r0/login\??<SKIPLINES>%(__synapse_start_line)s INFO \- POST\-\1\- Got login request with identifier: \{u'type': u'm.id.user', u'user'\: u'(.+?)'\}, medium\: None, address: None, user\: u'\5'<SKIPLINES>%(__synapse_start_line)s WARNING \- \- (Attempted to login as @\5\:.+ but they do not exist|Failed password login for user @\5\:.+)$
|
|
#
|
|
# ignoreregex =
|
|
#
|
|
# -----------------------------------------------------------------------------
|
|
#
|
|
# Note about the "failregex" option:
|
|
# regex to match the password failure messages in the logfile. The
|
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
|
# be used for standard IP/hostname matching and is only an alias for
|
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
|
#
|
|
# You can find some more explainations about how to make a regex here :
|
|
# https://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Filters
|
|
#
|
|
# Note that the logfile need to exist before to call this helper !!
|
|
#
|
|
# To validate your regex you can test with this command:
|
|
# fail2ban-regex /var/log/YOUR_LOG_FILE_PATH /etc/fail2ban/filter.d/YOUR_APP.conf
|
|
#
|
|
ynh_add_fail2ban_config () {
|
|
# Declare an array to define the options of this helper.
|
|
declare -Ar args_array=( [l]=logpath= [r]=failregex= [m]=max_retry= [p]=ports= [t]=use_template [v]=others_var=)
|
|
local logpath
|
|
local failregex
|
|
local max_retry
|
|
local ports
|
|
local others_var
|
|
local use_template
|
|
# Manage arguments with getopts
|
|
ynh_handle_getopts_args "$@"
|
|
use_template="${use_template:-0}"
|
|
max_retry=${max_retry:-3}
|
|
ports=${ports:-http,https}
|
|
|
|
finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
|
|
finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
|
|
ynh_backup_if_checksum_is_different "$finalfail2banjailconf"
|
|
ynh_backup_if_checksum_is_different "$finalfail2banfilterconf"
|
|
|
|
if [ $use_template -eq 1 ]
|
|
then
|
|
# Usage 2, templates
|
|
cp ../conf/f2b_jail.conf $finalfail2banjailconf
|
|
cp ../conf/f2b_filter.conf $finalfail2banfilterconf
|
|
|
|
if [ -n "${app:-}" ]
|
|
then
|
|
ynh_replace_string "__APP__" "$app" "$finalfail2banjailconf"
|
|
ynh_replace_string "__APP__" "$app" "$finalfail2banfilterconf"
|
|
fi
|
|
|
|
# Replace all other variable given as arguments
|
|
for var_to_replace in ${others_var:-}; do
|
|
# ${var_to_replace^^} make the content of the variable on upper-cases
|
|
# ${!var_to_replace} get the content of the variable named $var_to_replace
|
|
ynh_replace_string --match_string="__${var_to_replace^^}__" --replace_string="${!var_to_replace}" --target_file="$finalfail2banjailconf"
|
|
ynh_replace_string --match_string="__${var_to_replace^^}__" --replace_string="${!var_to_replace}" --target_file="$finalfail2banfilterconf"
|
|
done
|
|
|
|
else
|
|
# Usage 1, no template. Build a config file from scratch.
|
|
test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
|
|
test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
|
|
|
|
tee $finalfail2banjailconf <<EOF
|
|
[$app]
|
|
enabled = true
|
|
port = $ports
|
|
filter = $app
|
|
logpath = $logpath
|
|
maxretry = $max_retry
|
|
EOF
|
|
|
|
tee $finalfail2banfilterconf <<EOF
|
|
[INCLUDES]
|
|
before = common.conf
|
|
[Definition]
|
|
failregex = $failregex
|
|
ignoreregex =
|
|
EOF
|
|
fi
|
|
|
|
# Common to usage 1 and 2.
|
|
ynh_store_file_checksum "$finalfail2banjailconf"
|
|
ynh_store_file_checksum "$finalfail2banfilterconf"
|
|
|
|
systemctl try-reload-or-restart fail2ban
|
|
|
|
local fail2ban_error="$(journalctl -u fail2ban | tail -n50 | grep "WARNING.*$app.*")"
|
|
if [[ -n "$fail2ban_error" ]]; then
|
|
ynh_print_err "Fail2ban failed to load the jail for $app"
|
|
ynh_print_warn "${fail2ban_error#*WARNING}"
|
|
fi
|
|
}
|
|
|
|
# Remove the dedicated fail2ban config (jail and filter conf files)
|
|
#
|
|
# usage: ynh_remove_fail2ban_config
|
|
ynh_remove_fail2ban_config () {
|
|
ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
|
|
ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
|
|
systemctl try-reload-or-restart fail2ban
|
|
}
|