YunoHost-Apps/nextcloud_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/nextcloud_ynh.git synced 2024-09-03 19:55:57 +02:00
Code Issues Activity Actions

Add new helpers for fail2ban

Browse source
This commit is contained in:
Rafi59 2017-06-18 18:26:14 +02:00
parent 5491800fb9
commit 7ad119d647
5 changed files with 54 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
conf/jail_nextcloud.local
View file

@ -1,7 +0,0 @@
[nextcloud]
enabled = true
port = 80,443
protocol = tcp
filter = nextcloud
maxretry = 3
logpath = /home/yunohost.app/nextcloud/data/nextcloud.log

3
conf/nextcloud_fail2ban.conf
View file

@ -1,3 +0,0 @@
[Definition]
failregex = ^.*Login failed: '.*' \(Remote IP: '<HOST>'.*$
ignoreregex =

47
scripts/_common.sh
View file

@ -191,3 +191,50 @@ ynh_remove_logrotate () {
sudo rm "/etc/logrotate.d/$app" sudo rm "/etc/logrotate.d/$app"
fi fi
} }
ynh_add_fail2ban_config () {
# Process parameters
logpath=$1
failregex=$2
max_retry=${3:-3}
ports=${4:-http,https}
test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
echo | sudo tee $finalfail2banjailconf <<EOF
[$app]
enabled = true
port = $ports
filter = $app
logpath = $logpath
maxretry = $max_retry"
EOF
echo | sudo tee $finalfail2banfilterconf <<EOF
[INCLUDES]
before = common.conf
[Definition]
failregex = $failregex
ignoreregrex ="
EOF
ynh_store_file_checksum "$finalfail2banjailconf"
ynh_store_file_checksum "$finalfail2banfilterconf"
sudo systemctl restart fail2ban
}
# Remove the dedicated fail2ban config (jail and filter conf files)
#
# usage: ynh_remove_fail2ban_config
ynh_remove_fail2ban_config () {
ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
sudo systemctl restart fail2ban
}

7
scripts/install
View file

@ -176,14 +176,13 @@ ynh_app_setting_set "$app" skipped_regex \
"$(sed 's/[\.\-]/\%&/g' <<< $domain)/%.well%-known/.*" "$(sed 's/[\.\-]/\%&/g' <<< $domain)/%.well%-known/.*"
# Set fail2ban rules # Set-up fail2ban
sudo cp ../conf/nextcloud_fail2ban.conf /etc/fail2ban/filter.d/nextcloud.conf ynh_add_fail2ban_config "/var/log/${app}FailedLogins.log" "ip=<HOST>" 4
sudo cp ../conf/jail_nextcloud.local /etc/fail2ban/jail.d/nextcloud.local
# Reload services # Reload services
sudo service php5-fpm restart || true sudo service php5-fpm restart || true
sudo service nginx reload || true sudo service nginx reload || true
sudo fail2ban-client reload
# Add cron job # Add cron job
cron_path="/etc/cron.d/$app" cron_path="/etc/cron.d/$app"

7
scripts/upgrade
View file

@ -210,14 +210,13 @@ ynh_app_setting_set "$real_app" unprotected_uris "/"
ynh_app_setting_set "$real_app" skipped_regex \ ynh_app_setting_set "$real_app" skipped_regex \
"$(sed 's/[\.\-]/\%&/g' <<< $domain)/%.well%-known/.*" "$(sed 's/[\.\-]/\%&/g' <<< $domain)/%.well%-known/.*"
# Add fail2ban rules # Set-up fail2ban
sudo cp ../conf/nextcloud_fail2ban.conf /etc/fail2ban/filter.d/nextcloud.conf ynh_add_fail2ban_config "/var/log/${app}FailedLogins.log" "ip=<HOST>" 6
sudo cp ../conf/jail_nextcloud.local /etc/fail2ban/jail.d/nextcloud.local
# Reload services # Reload services
sudo service php5-fpm restart || true sudo service php5-fpm restart || true
sudo service nginx reload || true sudo service nginx reload || true
sudo fail2ban-client reload
# Add cron job # Add cron job
cron_path="/etc/cron.d/$app" cron_path="/etc/cron.d/$app"