From 7ad119d6478fda2c2c80884c2942a1be2ed6df18 Mon Sep 17 00:00:00 2001
From: Rafi59
Date: Sun, 18 Jun 2017 18:26:14 +0200
Subject: [PATCH] Add new helpers for fail2ban
---
conf/jail_nextcloud.local | 7 ------
conf/nextcloud_fail2ban.conf | 3 ---
scripts/_common.sh | 49 +++++++++++++++++++++++++++++++++++-
scripts/install | 7 +++---
scripts/upgrade | 7 +++---
5 files changed, 54 insertions(+), 19 deletions(-)
delete mode 100644 conf/jail_nextcloud.local
delete mode 100644 conf/nextcloud_fail2ban.conf
diff --git a/conf/jail_nextcloud.local b/conf/jail_nextcloud.local
deleted file mode 100644
index 560d195..0000000
--- a/conf/jail_nextcloud.local
+++ /dev/null
@@ -1,7 +0,0 @@
-[nextcloud]
-enabled = true
-port = 80,443
-protocol = tcp
-filter = nextcloud
-maxretry = 3
-logpath = /home/yunohost.app/nextcloud/data/nextcloud.log
diff --git a/conf/nextcloud_fail2ban.conf b/conf/nextcloud_fail2ban.conf
deleted file mode 100644
index aa67aac..0000000
--- a/conf/nextcloud_fail2ban.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-[Definition]
-failregex = ^.*Login failed: '.*' \(Remote IP: ''.*$
-ignoreregex =
diff --git a/scripts/_common.sh b/scripts/_common.sh
index 5f85ebc..0891d6e 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -190,4 +190,51 @@ ynh_remove_logrotate () { if [ -e "/etc/logrotate.d/$app" ]; then sudo rm "/etc/logrotate.d/$app" fi -} \ No newline at end of file +} + +ynh_add_fail2ban_config () { + # Process parameters + logpath=$1 + failregex=$2 + max_retry=${3:-3} + ports=${4:-http,https} + + test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing." + test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing." + + finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf" + finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf" + ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1 + ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1 + + echo | sudo tee $finalfail2banjailconf <" 4 # Reload services sudo service php5-fpm restart || true sudo service nginx reload || true -sudo fail2ban-client reload + # Add cron job cron_path="/etc/cron.d/$app" diff --git a/scripts/upgrade b/scripts/upgrade index 2f93ab9..b60cb98 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -210,14 +210,13 @@ ynh_app_setting_set "$real_app" unprotected_uris "/" ynh_app_setting_set "$real_app" skipped_regex \ "$(sed 's/[\.\-]/\%&/g' <<< $domain)/%.well%-known/.*" -# Add fail2ban rules -sudo cp ../conf/nextcloud_fail2ban.conf /etc/fail2ban/filter.d/nextcloud.conf -sudo cp ../conf/jail_nextcloud.local /etc/fail2ban/jail.d/nextcloud.local +# Set-up fail2ban +ynh_add_fail2ban_config "/var/log/${app}FailedLogins.log" "ip=" 6 # Reload services sudo service php5-fpm restart || true sudo service nginx reload || true -sudo fail2ban-client reload + # Add cron job cron_path="/etc/cron.d/$app"
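Review bot: In `ynh_add_fail2ban_config` the working variables (`logpath`, `failregex`, `max_retry`, `ports`, `finalfail2banjailconf`, `finalfail2banfilterconf`) are assigned without `local`, so they leak into every install/upgrade script that sources `_common.sh` and can clobber a caller's own variables; declare them as `local logpath=$1`, `local failregex=$2`, and so on. The target path is also unquoted in `sudo tee $finalfail2banjailconf`; since `$app` is interpolated into it, write `sudo tee "$finalfail2banjailconf"`. `max_retry` is written into a root-owned jail file without any check, so a guard such as `[[ "$max_retry" =~ ^[0-9]+$ ]] || ynh_die "max_retry must be an integer"` would stop a typo from producing a jail that fail2ban rejects. The here-document bodies and the end of the function are not visible on this page, so how `failregex` is expanded into the filter file could not be reviewed.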
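Review bot: The upgrade hunk in `scripts/upgrade` stops copying `/etc/fail2ban/jail.d/nextcloud.local`, but nothing visible removes the copy that earlier versions installed. fail2ban reads `jail.d/*.local` after `jail.d/*.conf`, so a leftover `nextcloud.local` can override the new `$app.conf` jail and keep it pointed at the old log path; add `sudo rm -f /etc/fail2ban/jail.d/nextcloud.local` before the `ynh_add_fail2ban_config` call. The jail now watches `/var/log/${app}FailedLogins.log`, and this hunk does not show what creates that file. If it is missing at reload the jail typically fails to start and brute-force protection is lost without any visible error in the upgrade, so ensure it exists first, for example `sudo touch "/var/log/${app}FailedLogins.log"`. The threshold here is `6` against the old `maxretry = 3`, and the install call (only partly visible on this page) appears to end in `4`; a comment explaining the chosen value, and one shared value for both scripts, would keep the lockout policy consistent.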