2017-01-28 10:59:40 +01:00
#!/bin/bash
2019-02-17 19:30:40 +01:00
#=================================================
# COMMON VARIABLES
#=================================================
2017-01-03 18:32:00 +01:00
2017-12-14 17:26:51 +01:00
pkg_dependencies = "php5-gd php5-imagick imagemagick"
2017-09-23 10:25:23 +02:00
2019-02-17 19:30:40 +01:00
#=================================================
# FUTURE OFFICIAL HELPERS
#=================================================
2017-09-10 09:25:22 +02:00
2017-06-18 18:24:10 +02:00
# Create a dedicated fail2ban config (jail and filter conf files)
#
2019-02-17 19:30:40 +01:00
# usage 1: ynh_add_fail2ban_config --logpath=log_file --failregex=filter [--max_retry=max_retry] [--ports=ports]
# | arg: -l, --logpath= - Log file to be checked by fail2ban
# | arg: -r, --failregex= - Failregex to be looked for by fail2ban
# | arg: -m, --max_retry= - Maximum number of retries allowed before banning IP address - default: 3
# | arg: -p, --ports= - Ports blocked for a banned IP address - default: http,https
#
# -----------------------------------------------------------------------------
#
# usage 2: ynh_add_fail2ban_config --use_template [--others_var="list of others variables to replace"]
# | arg: -t, --use_template - Use this helper in template mode
# | arg: -v, --others_var= - List of others variables to replace separeted by a space
# | for example : 'var_1 var_2 ...'
#
# This will use a template in ../conf/f2b_jail.conf and ../conf/f2b_filter.conf
# __APP__ by $app
#
# You can dynamically replace others variables by example :
# __VAR_1__ by $var_1
# __VAR_2__ by $var_2
#
# Generally your template will look like that by example (for synapse):
#
# f2b_jail.conf:
# [__APP__]
# enabled = true
# port = http,https
# filter = __APP__
# logpath = /var/log/__APP__/logfile.log
# maxretry = 3
#
# f2b_filter.conf:
# [INCLUDES]
# before = common.conf
# [Definition]
#
# # Part of regex definition (just used to make more easy to make the global regex)
# __synapse_start_line = .? \- synapse\..+ \-
#
# # Regex definition.
# failregex = ^%(__synapse_start_line)s INFO \- POST\-(\d+)\- <HOST> \- \d+ \- Received request\: POST /_matrix/client/r0/login\??<SKIPLINES>%(__synapse_start_line)s INFO \- POST\-\1\- Got login request with identifier: \{u'type': u'm.id.user', u'user'\: u'(.+?)'\}, medium\: None, address: None, user\: u'\5'<SKIPLINES>%(__synapse_start_line)s WARNING \- \- (Attempted to login as @\5\:.+ but they do not exist|Failed password login for user @\5\:.+)$
#
# ignoreregex =
#
# -----------------------------------------------------------------------------
#
# Note about the "failregex" option:
# regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
#
# You can find some more explainations about how to make a regex here :
# https://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Filters
#
# Note that the logfile need to exist before to call this helper !!
#
# To validate your regex you can test with this command:
# fail2ban-regex /var/log/YOUR_LOG_FILE_PATH /etc/fail2ban/filter.d/YOUR_APP.conf
#
2017-06-18 18:24:10 +02:00
ynh_add_fail2ban_config ( ) {
2019-02-17 19:30:40 +01:00
# Declare an array to define the options of this helper.
declare -Ar args_array = ( [ l] = logpath = [ r] = failregex = [ m] = max_retry = [ p] = ports = [ t] = use_template [ v] = others_var = )
local logpath
local failregex
local max_retry
local ports
local others_var
local use_template
# Manage arguments with getopts
ynh_handle_getopts_args " $@ "
use_template = " ${ use_template :- 0 } "
max_retry = ${ max_retry :- 3 }
ports = ${ ports :- http ,https }
2018-03-08 19:08:15 +01:00
finalfail2banjailconf = " /etc/fail2ban/jail.d/ $app .conf "
finalfail2banfilterconf = " /etc/fail2ban/filter.d/ $app .conf "
2019-02-17 19:30:40 +01:00
ynh_backup_if_checksum_is_different " $finalfail2banjailconf "
ynh_backup_if_checksum_is_different " $finalfail2banfilterconf "
if [ $use_template -eq 1 ]
then
# Usage 2, templates
cp ../conf/f2b_jail.conf $finalfail2banjailconf
cp ../conf/f2b_filter.conf $finalfail2banfilterconf
if [ -n " ${ app :- } " ]
then
ynh_replace_string "__APP__" " $app " " $finalfail2banjailconf "
ynh_replace_string "__APP__" " $app " " $finalfail2banfilterconf "
fi
# Replace all other variable given as arguments
for var_to_replace in ${ others_var :- } ; do
# ${var_to_replace^^} make the content of the variable on upper-cases
# ${!var_to_replace} get the content of the variable named $var_to_replace
ynh_replace_string " __ ${ var_to_replace ^^ } __ " " ${ !var_to_replace } " " $finalfail2banjailconf "
ynh_replace_string " __ ${ var_to_replace ^^ } __ " " ${ !var_to_replace } " " $finalfail2banfilterconf "
done
else
# Usage 1, no template. Build a config file from scratch.
test -n " $logpath " || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
test -n " $failregex " || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
tee $finalfail2banjailconf <<EOF
2017-06-18 18:24:10 +02:00
[ $app ]
enabled = true
port = $ports
filter = $app
logpath = $logpath
2018-03-08 19:08:15 +01:00
maxretry = $max_retry
2017-06-18 18:24:10 +02:00
EOF
2019-02-17 19:30:40 +01:00
tee $finalfail2banfilterconf <<EOF
2017-06-18 18:24:10 +02:00
[ INCLUDES]
before = common.conf
[ Definition]
failregex = $failregex
2018-03-08 19:08:15 +01:00
ignoreregex =
2017-06-18 18:24:10 +02:00
EOF
2019-02-17 19:30:40 +01:00
fi
2017-06-18 18:24:10 +02:00
2019-02-17 19:30:40 +01:00
# Common to usage 1 and 2.
2018-03-08 19:08:15 +01:00
ynh_store_file_checksum " $finalfail2banjailconf "
ynh_store_file_checksum " $finalfail2banfilterconf "
2019-02-17 19:30:40 +01:00
systemctl try-reload-or-restart fail2ban
2018-03-08 19:08:15 +01:00
local fail2ban_error = " $( journalctl -u fail2ban | tail -n50 | grep " WARNING.* $app .* " ) "
2019-02-17 19:30:40 +01:00
if [ [ -n " $fail2ban_error " ] ] ; then
ynh_print_err " Fail2ban failed to load the jail for $app "
ynh_print_warn " ${ fail2ban_error #*WARNING } "
2018-03-08 19:08:15 +01:00
fi
2017-06-18 18:24:10 +02:00
}
# Remove the dedicated fail2ban config (jail and filter conf files)
#
# usage: ynh_remove_fail2ban_config
ynh_remove_fail2ban_config ( ) {
2018-03-08 19:08:15 +01:00
ynh_secure_remove " /etc/fail2ban/jail.d/ $app .conf "
2017-06-18 18:24:10 +02:00
ynh_secure_remove " /etc/fail2ban/filter.d/ $app .conf "
2019-02-17 19:30:40 +01:00
systemctl try-reload-or-restart fail2ban
2017-09-10 09:25:22 +02:00
}
2019-02-17 19:28:37 +01:00
#=================================================
# Check available space before creating a temp directory.
2017-09-10 09:25:22 +02:00
#
2019-02-17 19:28:37 +01:00
# usage: ynh_smart_mktemp --min_size="Min size"
2017-09-10 09:25:22 +02:00
#
2019-02-17 19:28:37 +01:00
# | arg: -s, --min_size= - Minimal size needed for the temporary directory, in Mb
ynh_smart_mktemp ( ) {
# Declare an array to define the options of this helper.
declare -Ar args_array = ( [ s] = min_size = )
local min_size
# Manage arguments with getopts
ynh_handle_getopts_args " $@ "
min_size = " ${ min_size :- 300 } "
# Transform the minimum size from megabytes to kilobytes
min_size = $(( $min_size * 1024 ))
# Check if there's enough free space in a directory
is_there_enough_space ( ) {
local free_space = $( df --output= avail " $1 " | sed 1d)
test $free_space -ge $min_size
}
if is_there_enough_space /tmp; then
local tmpdir = /tmp
elif is_there_enough_space /var; then
local tmpdir = /var
elif is_there_enough_space /; then
local tmpdir = /
elif is_there_enough_space /home; then
local tmpdir = /home
else
ynh_die "Insufficient free space to continue..."
fi
echo " $( sudo mktemp --directory --tmpdir= " $tmpdir " ) "
2017-09-10 09:25:22 +02:00
}