From 98106534c6f9450a41fa7519053b06bf2f562065 Mon Sep 17 00:00:00 2001
From: Maniack Crudelis
Date: Mon, 11 Dec 2017 20:37:45 +0100
Subject: [PATCH] Add fail2ban

---
 README.md | 2 +
 README_fr.md | 2 +
 scripts/_common.sh | 271 ++++++++++++++++++++++++++++++++++++++++-----
 scripts/backup | 7 ++
 scripts/install | 6 +
 scripts/remove | 6 +
 scripts/restore | 8 ++
 scripts/upgrade | 6 +
 8 files changed, 279 insertions(+), 29 deletions(-)

diff --git a/README.md b/README.md
index b240d22..3590611 100644
--- a/README.md
+++ b/README.md
@@ -27,6 +27,8 @@ Use the admin panel of your Leed to configure this app.
 ## YunoHost specific features
+* Login secured by fail2ban
+
 #### Multi-users support
 Not supported.
diff --git a/README_fr.md b/README_fr.md
index 8760838..c8b6909 100644
--- a/README_fr.md
+++ b/README_fr.md
@@ -27,6 +27,8 @@ Utiliser le panneau d'administration de votre Jenkins pour configurer cette appl
 ## Fonctionnalités spécifiques à YunoHost
+* Login sécurisé par fail2ban
+
 #### Support multi-utilisateurs
 Non supportée.
diff --git a/scripts/_common.sh b/scripts/_common.sh
index cac8bd1..ae2d907 100755
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -1,31 +1,5 @@
 #!/bin/bash
-#=================================================
-# DISPLAYING
-#=================================================
-
-NO_PRINT () { # Supprime l'affichage dans stdout pour la commande en argument.
- set +x
- $@
- set -x
-}
-
-WARNING () { # Écrit sur le canal d'erreur pour passer en warning.
- $@ >&2
-}
-
-SUPPRESS_WARNING () { # Force l'écriture sur la sortie standard
- $@ 2>&1
-}
-
-QUIET () { # Redirige la sortie standard dans /dev/null
- $@ > /dev/null
-}
-
-ALL_QUIET () { # Redirige la sortie standard et d'erreur dans /dev/null
- $@ > /dev/null 2>&1
-}
-
 #=================================================
 # BACKUP
 #=================================================
@@ -42,8 +16,8 @@ CHECK_SIZE () { # Vérifie avant chaque backup que l'espace est suffisant
 if [ $free_space -le $backup_size ]
 then
- WARNING echo "Espace insuffisant pour sauvegarder $file_to_analyse."
- WARNING echo "Espace disponible: $(HUMAN_SIZE $free_space)"
+ ynh_print_err "Espace insuffisant pour sauvegarder $file_to_analyse."
+ ynh_print_err "Espace disponible: $(HUMAN_SIZE $free_space)"
 ynh_die "Espace nécessaire: $(HUMAN_SIZE $backup_size)"
 fi
 }
@@ -57,7 +31,7 @@ IS_PACKAGE_CHECK () { # Détermine une exécution en conteneur (Non testé)
 }
 #=================================================
-# NODEJS
+# EXPERIMENTAL HELPERS
 #=================================================
 # INFOS
@@ -234,6 +208,245 @@ EOF
 chmod +x "/etc/cron.daily/node_update"
 }
+#=================================================
+
+# Start or restart a service and follow its booting
+#
+# usage: ynh_check_starting "Line to match" [Log file] [Timeout]
+#
+# | arg: Line to match - The line to find in the log to attest the service have finished to boot.
+# | arg: Log file - The log file to watch
+# /var/log/$app/$app.log will be used if no other log is defined.
+# | arg: Timeout - The maximum time to wait before ending the watching. Defaut 300 seconds.
+ynh_check_starting () {
+ local line_to_match="$1"
+ local app_log="${2:-/var/log/$app/$app.log}"
+ local timeout=${3:-300}
+
+ ynh_clean_check_starting () {
+ # Stop the execution of tail.
+ kill -s 15 $pid_tail 2>&1
+ ynh_secure_remove "$templog" 2>&1
+ }
+
+ echo "Starting of $app" >&2
+ systemctl restart $app
+ local templog="$(mktemp)"
+ # Following the starting of the app in its log
+ tail -f -n1 "$app_log" > "$templog" &
+ # Get the PID of the tail command
+ local pid_tail=$!
+
+ local i=0
+ for i in `seq 1 $timeout`
+ do
+ # Read the log until the sentence is found, that means the app finished to start. Or run until the timeout
+ if grep --quiet "$line_to_match" "$templog"
+ then
+ echo "The service $app has correctly started." >&2
+ break
+ fi
+ echo -n "." >&2
+ sleep 1
+ done
+ if [ $i -eq $timeout ]
+ then
+ echo "The service $app didn't fully started before the timeout." >&2
+ fi
+
+ echo ""
+ ynh_clean_check_starting
+}
+
+#=================================================
+
+ynh_print_log () {
+ echo "${1}"
+}
+
+# Print an info on stdout
+#
+# usage: ynh_print_info "Text to print"
+# | arg: text - The text to print
+ynh_print_info () {
+ ynh_print_log "[INFO] ${1}"
+}
+
+# Print a warning on stderr
+#
+# usage: ynh_print_warn "Text to print"
+# | arg: text - The text to print
+ynh_print_warn () {
+ ynh_print_log "[WARN] ${1}" >&2
+}
+
+# Print a error on stderr
+#
+# usage: ynh_print_err "Text to print"
+# | arg: text - The text to print
+ynh_print_err () {
+ ynh_print_log "[ERR] ${1}" >&2
+}
+
+# Execute a command and print the result as an error
+#
+# usage: ynh_exec_err command to execute
+# usage: ynh_exec_err "command to execute | following command"
+# In case of use of pipes, you have to use double quotes. Otherwise, this helper will be executed with the first command, then be send to the next pipe.
+#
+# | arg: command - command to execute
+ynh_exec_err () {
+ ynh_print_err "$(eval $@)"
+}
+
+# Execute a command and print the result as a warning
+#
+# usage: ynh_exec_warn command to execute
+# usage: ynh_exec_warn "command to execute | following command"
+# In case of use of pipes, you have to use double quotes. Otherwise, this helper will be executed with the first command, then be send to the next pipe.
+#
+# | arg: command - command to execute
+ynh_exec_warn () {
+ ynh_print_warn "$(eval $@)"
+}
+
+# Execute a command and force the result to be printed on stdout
+#
+# usage: ynh_exec_warn_less command to execute
+# usage: ynh_exec_warn_less "command to execute | following command"
+# In case of use of pipes, you have to use double quotes. Otherwise, this helper will be executed with the first command, then be send to the next pipe.
+#
+# | arg: command - command to execute
+ynh_exec_warn_less () {
+ eval $@ 2>&1
+}
+
+# Execute a command and redirect stdout in /dev/null
+#
+# usage: ynh_exec_quiet command to execute
+# usage: ynh_exec_quiet "command to execute | following command"
+# In case of use of pipes, you have to use double quotes. Otherwise, this helper will be executed with the first command, then be send to the next pipe.
+#
+# | arg: command - command to execute
+ynh_exec_quiet () {
+ eval $@ > /dev/null
+}
+
+# Execute a command and redirect stdout and stderr in /dev/null
+#
+# usage: ynh_exec_fully_quiet command to execute
+# usage: ynh_exec_fully_quiet "command to execute | following command"
+# In case of use of pipes, you have to use double quotes. Otherwise, this helper will be executed with the first command, then be send to the next pipe.
+#
+# | arg: command - command to execute
+ynh_exec_fully_quiet () {
+ eval $@ > /dev/null 2>&1
+}
+
+#=================================================
+
+# Install or update the main directory yunohost.multimedia
+#
+# usage: ynh_multimedia_build_main_dir
+ynh_multimedia_build_main_dir () {
+ wget -nv https://github.com/YunoHost-Apps/yunohost.multimedia/archive/master.zip 2>&1
+ unzip -q master.zip
+ ./yunohost.multimedia-master/script/ynh_media_build.sh
+}
+
+# Add a directory in yunohost.multimedia
+# This "directory" will be a symbolic link to a existing directory.
+#
+# usage: ynh_multimedia_addfolder "Source directory" "Destination directory"
+#
+# | arg: Source directory - The real directory which contains your medias.
+# | arg: Destination directory - The name and the place of the symbolic link, relative to "/home/yunohost.multimedia"
+ynh_multimedia_addfolder () {
+ local source_dir="$1"
+ local dest_dir="$2"
+ ./yunohost.multimedia-master/script/ynh_media_addfolder.sh --source="$source_dir" --dest="$dest_dir"
+}
+
+# Move a directory in yunohost.multimedia, and replace by a symbolic link
+#
+# usage: ynh_multimedia_movefolder "Source directory" "Destination directory"
+#
+# | arg: Source directory - The real directory which contains your medias.
+# It will be moved to "Destination directory"
+# A symbolic link will replace it.
+# | arg: Destination directory - The new name and place of the directory, relative to "/home/yunohost.multimedia"
+ynh_multimedia_movefolder () {
+ local source_dir="$1"
+ local dest_dir="$2"
+ ./yunohost.multimedia-master/script/ynh_media_addfolder.sh --inv --source="$source_dir" --dest="$dest_dir"
+}
+
+# Allow an user to have an write authorisation in multimedia directories
+#
+# usage: ynh_multimedia_addaccess user_name
+#
+# | arg: user_name - The name of the user which gain this access.
+ynh_multimedia_addaccess () {
+ local user_name=$1
+ groupadd -f multimedia
+ usermod -a -G multimedia $user_name
+}
+
+#=================================================
+
+# Create a dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]]
+# | arg: log_file - Log file to be checked by fail2ban
+# | arg: failregex - Failregex to be looked for by fail2ban
+# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3
+# | arg: ports - Ports blocked for a banned IP address - default: http,https
+ynh_add_fail2ban_config () {
+ # Process parameters
+ logpath=$1
+ failregex=$2
+ max_retry=${3:-3}
+ ports=${4:-http,https}
+
+ test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
+ test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
+
+ finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
+ finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
+ ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
+ ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
+
+ sudo tee $finalfail2banjailconf < db.sql CHECK_SIZE "db.sql"
+#=================================================
+# BACKUP FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_backup "/etc/fail2ban/jail.d/$app.conf"
+ynh_backup "/etc/fail2ban/filter.d/$app.conf"
+
 #=================================================
 # SPECIFIC BACKUP
 #=================================================
diff --git a/scripts/install b/scripts/install
index d6ab867..66377cc 100644
--- a/scripts/install
+++ b/scripts/install
@@ -133,6 +133,12 @@ chown -R root: $final_path
 mkdir $final_path/cache
 chown -R $app $final_path/cache $final_path/plugins $final_path/updates
+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "/var/log/nginx/${domain}-error.log" "PHP message: Leed: wrong login for .* client: " 5
+
 #=================================================
 # SETUP SSOWAT
 #=================================================
diff --git a/scripts/remove b/scripts/remove
index 4ff1011..3df10eb 100644
--- a/scripts/remove
+++ b/scripts/remove
@@ -44,6 +44,12 @@ ynh_remove_nginx_config # Suppression de la configuration nginx
 ynh_remove_fpm_config # Suppression de la configuration du pool php-fpm
+#=================================================
+# REMOVE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_remove_fail2ban_config
+
 #=================================================
 # SPECIFIC REMOVE
 #=================================================
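Review bot: The failregex passed on the added `ynh_add_fail2ban_config` line in scripts/install ends at `client: ` with no `<HOST>` token visible; fail2ban can only ban the address captured by `<HOST>`, so if the literal string in the file is really as shown here (angle-bracketed tokens may have been dropped in this rendering — please confirm against the script) the jail would match lines but never ban anyone. The identical call is repeated in the scripts/upgrade hunk; keeping the regex in one variable in scripts/_common.sh that both scripts pass to the helper would prevent the two copies from drifting. The call also depends on `$domain` being resolved before this point, which is worth a one-line comment such as `# fail2ban watches the per-vhost nginx error log, so $domain must already be set`.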
diff --git a/scripts/restore b/scripts/restore
index 477e042..08b36c3 100644
--- a/scripts/restore
+++ b/scripts/restore
@@ -76,6 +76,14 @@ ynh_system_user_create $app # Recreate the dedicated user, if not exist
 ynh_restore_file "/etc/php5/fpm/pool.d/$app.conf"
 ynh_restore_file "/etc/php5/fpm/conf.d/20-$app.ini"
+#=================================================
+# RESTORE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_restore_file "/etc/fail2ban/jail.d/$app.conf"
+ynh_restore_file "/etc/fail2ban/filter.d/$app.conf"
+systemctl restart fail2ban
+
 #=================================================
 # SPECIFIC RESTORE
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index 3b28a5b..7b05633 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -143,6 +143,12 @@ ynh_local_curl "/"
 #=================================================
 # GENERIC FINALISATION
+#=================================================
+# UPGRADE FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "/var/log/nginx/${domain}-error.log" "PHP message: Leed: wrong login for .* client: " 5
+
 #=================================================
 # SETUP SSOWAT
 #=================================================
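Review bot: `systemctl restart fail2ban` on the last added line of the scripts/restore hunk is a full restart of the host-wide service, which on fail2ban releases without persistent ban storage drops every active ban in every jail, not just this app's; if the installed unit exposes a reload action, `systemctl reload fail2ban` (or `fail2ban-client reload`) re-reads jail.d without that side effect. The restart is also unchecked, and as far as I know fail2ban will not activate a jail whose `logpath` is missing — `/var/log/nginx/${domain}-error.log` may not exist yet at this point of the restore if nginx is only reloaded later in the script (not visible here), so a problem would surface as a silently inactive jail rather than a failed restore. Install and upgrade go through the helper while restore restarts the service by hand; a comment such as `# nginx error log must exist before fail2ban (re)loads this jail` would at least record the ordering constraint.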