From 7457341424549feb22356b0cf48e2101fb7f6ba7 Mon Sep 17 00:00:00 2001
From: Jimmy Monin
Date: Sun, 11 Jun 2017 16:39:51 +0200
Subject: [PATCH] Protect with fail2ban (closes #8)
---
check_process | 4 ++--
conf/fail2ban/filterd.conf | 5 +++++
conf/fail2ban/jaild.conf | 6 ++++++
conf/log_failed_logins_plugin.src | 5 +++++
scripts/backup | 6 ++++++
scripts/install | 21 +++++++++++++++------
scripts/remove | 8 ++++++++
scripts/restore | 7 +++++++
scripts/upgrade | 14 ++++++++++++++
9 files changed, 68 insertions(+), 8 deletions(-)
create mode 100644 conf/fail2ban/filterd.conf
create mode 100644 conf/fail2ban/jaild.conf
create mode 100644 conf/log_failed_logins_plugin.src
diff --git a/check_process b/check_process
index 3b77ea6..1f63101 100644
--- a/check_process
+++ b/check_process
@@ -14,8 +14,8 @@
 setup_public=1
 upgrade=1
 backup_restore=1
- multi_instance=0
- incorrect_path=0
+ multi_instance=1
+ incorrect_path=1
 port_already_use=0
 ;;; Levels
 Level 1=auto
diff --git a/conf/fail2ban/filterd.conf b/conf/fail2ban/filterd.conf
new file mode 100644
index 0000000..7e519a8
--- /dev/null
+++ b/conf/fail2ban/filterd.conf
@@ -0,0 +1,5 @@
+[INCLUDES]
+before = common.conf
+[Definition]
+failregex = ip=
+ignoreregrex =
\ No newline at end of file
diff --git a/conf/fail2ban/jaild.conf b/conf/fail2ban/jaild.conf
new file mode 100644
index 0000000..bbeb1d6
--- /dev/null
+++ b/conf/fail2ban/jaild.conf
@@ -0,0 +1,6 @@
+[__NAME__]
+enabled = true
+port = http,https
+filter = __NAME__
+logpath = /var/log/__NAME__FailedLogins.log
+maxretry = 6
\ No newline at end of file
diff --git a/conf/log_failed_logins_plugin.src b/conf/log_failed_logins_plugin.src
new file mode 100644
index 0000000..2b83baa
--- /dev/null
+++ b/conf/log_failed_logins_plugin.src
@@ -0,0 +1,5 @@
+SOURCE_URL=http://piwigo.org/ext/download.php?rid=5525
+SOURCE_SUM=85b9a06f2c7ca8ae9698e6151c7631f519c945f696b02da72f9ff53243d7e4ca
+SOURCE_FORMAT=zip
+SOURCE_IN_SUBDIR=false
+
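Review bot: The option on the last added line of filterd.conf is misspelled: fail2ban reads `ignoreregex`, so `ignoreregrex =` is, as far as I know, just stored as an unrelated key and never used as the ignore pattern; change it to `ignoreregex =`. On the line above, `failregex = ip=` as shown here carries no `<HOST>` capture; if that token was lost in rendering this is moot, but if the file really ends at `ip=`, fail2ban cannot extract an address from a match and will reject the filter. The pattern should be checked against the plugin's actual log line format, for example `failregex = ip=<HOST>` followed by whatever fixed text the plugin emits, so that an unrelated line containing `ip=` cannot trigger a ban.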
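Review bot: `SOURCE_URL` fetches the plugin archive over plain http in log_failed_logins_plugin.src. The `SOURCE_SUM` pin gives integrity checking on what is downloaded (assuming the setup helper enforces it), but it does not stop an on-path party from observing or blocking the fetch, and a tampered download becomes an install failure rather than a recovery; if piwigo.org serves the same file over https, prefer `SOURCE_URL=https://piwigo.org/ext/download.php?rid=5525`. A trailing comment naming the plugin version this checksum corresponds to would also help, since the install script records a version string for the plugin in the database independently of this file.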
diff --git a/scripts/backup b/scripts/backup
index 2df53ce..b8918ad 100644
--- a/scripts/backup
+++ b/scripts/backup
@@ -47,6 +47,12 @@ else
 echo "Data dir won't be saved, because backup_core_only is set." >&2
 fi
+#=================================================
+# BACKUP FAIL2BAN CONFIGURATION
+#=================================================
+ynh_backup "/etc/fail2ban/jail.d/$app.conf" "jaild.conf"
+ynh_backup "/etc/fail2ban/filter.d/$app.conf" "filterd.conf"
+
 #=================================================
 # BACKUP NGINX CONFIGURATION
 #=================================================
diff --git a/scripts/install b/scripts/install
index 5023329..33c3c79 100644
--- a/scripts/install
+++ b/scripts/install
@@ -16,11 +16,6 @@ source /usr/share/yunohost/helpers
 ynh_abort_if_errors # Stop script if an error is detected
-ynh_clean_setup () { # <============================================= TODO
- log=$(sudo cat /var/log/nginx/$domain-error.log)
- echo $log
-}
-
 #=================================================
 # RETRIEVE ARGUMENTS FROM THE MANIFEST
 #=================================================
@@ -82,6 +77,8 @@ ynh_app_setting_set $app final_path "$final_path"
 # Create tmp directory and fetch app inside
 TMPDIR=$(mktemp -d)
 ynh_setup_source "$TMPDIR"
+# Fetch needed plugins
+ynh_setup_source "$TMPDIR/plugins" log_failed_logins_plugin
 #=================================================
 # CREATE DEDICATED USER
@@ -145,9 +142,21 @@ ynh_replace_string "USERTOCHANGE" "$db_user" ../conf/database.inc.php
 ynh_replace_string "PASSTOCHANGE" "$db_pwd" ../conf/database.inc.php
 sudo cp ../conf/database.inc.php $final_path/local/config/database.inc.php
-# Activate ldap plugin
+# Activate LDAP plugin
 ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO plugins (id,state,version) VALUES ('Ldap_Login','active','1.1');"
+# Configure and activate log_failed_logins plugin
+ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO plugins (id,state,version) VALUES ('log_failed_logins','active','1.2');"
+ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO config (param, value) VALUES ('logFailedLoginsFilename','/var/log/${app}FailedLogins.log');"
+sudo touch "/var/log/${app}FailedLogins.log"
+sudo chown $app: "/var/log/${app}FailedLogins.log"
+
+# Set-up fail2ban
+ynh_replace_string "__NAME__" "$app" ../conf/fail2ban/jaild.conf
+sudo cp ../conf/fail2ban/jaild.conf /etc/fail2ban/jail.d/$app.conf
+sudo cp ../conf/fail2ban/filterd.conf /etc/fail2ban/filter.d/$app.conf
+sudo systemctl restart fail2ban
+
 # Protect URIs if private
 if [ $is_public -eq 0 ]; then
diff --git a/scripts/remove b/scripts/remove
index af84138..371038c 100644
--- a/scripts/remove
+++ b/scripts/remove
@@ -38,6 +38,14 @@ ynh_mysql_remove_db "$app" "$db_name"
 ynh_secure_remove "/var/www/$app"
 ynh_secure_remove "/home/yunohost.app/$app"
+#=================================================
+# REMOVE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
+ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
+sudo systemctl restart fail2ban
+
 #=================================================
 # REMOVE NGINX AND PHP-FPM CONFIGURATION
 #=================================================
diff --git a/scripts/restore b/scripts/restore
index a812318..97bb703 100644
--- a/scripts/restore
+++ b/scripts/restore
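Review bot: `sudo touch "/var/log/${app}FailedLogins.log"` creates the log with root's default umask (normally mode 0644) and the following `chown` keeps that mode, so a file that records attempted usernames and client addresses of failed logins ends up world-readable; add `sudo chmod 640 "/var/log/${app}FailedLogins.log"` after the chown, since fail2ban reads it as root by default and the plugin presumably writes it as `$app` (the owner set here), so neither needs the world bit. The same `touch`/`chown` pair appears in the second upgrade hunk and needs the same chmod. A smaller point: `sudo systemctl restart fail2ban` stops and restarts the whole daemon to pick up one drop-in, where a `reload` would add the new jail without interrupting the others; whether the platform's fail2ban version keeps existing bans across a full restart is something I have not verified.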
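Review bot: The remove hunk leaves `/var/log/${app}FailedLogins.log` behind: the install script creates and chowns that file and the jail drop-in deleted here is the only consumer, so after removal the failed-login log (usernames and addresses) stays on disk, owned by a user that is presumably deleted later in this script. Add `ynh_secure_remove "/var/log/${app}FailedLogins.log"` next to the two `ynh_secure_remove` lines. The remove script continues outside the hunk, so confirm the file is not already handled further down before adding it.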
@@ -71,6 +71,13 @@ ynh_system_user_create $app # Recreate the dedicated user, if not existing
 sudo chown -R $app: $final_path
+#=================================================
+# RESTORE FAIL2BAN CONFIGURATION
+#=================================================
+sudo cp -a ./jaild.conf "/etc/fail2ban/jail.d/$app.conf"
+sudo cp -a ./filterd.conf "/etc/fail2ban/filter.d/$app.conf"
+sudo systemctl restart fail2ban
+
 #=================================================
 # RESTORE PHP-FPM CONFIGURATION
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index 47dae18..e6ea865 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -92,6 +92,8 @@ fi
 # Create tmp directory and fetch app inside
 TMPDIR=$(ynh_mkdir_tmp)
 ynh_setup_source "$TMPDIR"
+# Fetch needed plugins
+ynh_setup_source "$TMPDIR/plugins" log_failed_logins_plugin
 #=================================================
 # CREATE DEDICATED USER
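Review bot: The restored jail points `logpath` at `/var/log/${app}FailedLogins.log` (per jaild.conf), but this hunk only copies the two fail2ban files and never recreates that log, which the backup script does not save either; on a fresh host fail2ban is then restarted against a missing logpath, which it treats as a configuration error for the jail (depending on the fail2ban version it may refuse to start that jail or the whole service), and the restart's failure aborts the restore under `ynh_abort_if_errors`. Mirror the install script before the restart: `sudo touch "/var/log/${app}FailedLogins.log"`, `sudo chown $app: "/var/log/${app}FailedLogins.log"` and `sudo chmod 640 "/var/log/${app}FailedLogins.log"` so the file is not world-readable. The restore script continues outside the hunk; if the user and log are recreated further down, the restart should move after that point instead.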
@@ -145,6 +147,18 @@ sudo cp ../conf/database.inc.php $final_path/local/config/database.inc.php
 # Activate ldap plugin
 ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "UPDATE plugins SET state='active' WHERE id='Ldap_Login';"
+# Configure and activate log_failed_logins plugin
+ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO plugins (id,state,version) VALUES ('log_failed_logins','active','1.2');" 2>&1 > /dev/null ||ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "UPDATE plugins SET state='active' WHERE id='log_failed_logins';"
+ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO config (param, value) VALUES ('logFailedLoginsFilename','/var/log/${app}FailedLogins.log');" 2>&1 > /dev/null || ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "UPDATE config SET value='/var/log/${app}FailedLogins.log' WHERE param='logFailedLoginsFilename';"
+sudo touch "/var/log/${app}FailedLogins.log"
+sudo chown $app: "/var/log/${app}FailedLogins.log"
+
+# Set-up fail2ban
+ynh_replace_string "__NAME__" "$app" ../conf/fail2ban/jaild.conf
+sudo cp ../conf/fail2ban/jaild.conf /etc/fail2ban/jail.d/$app.conf
+sudo cp ../conf/fail2ban/filterd.conf /etc/fail2ban/filter.d/$app.conf
+sudo systemctl restart fail2ban
+
 # Protect URIs if private
 if [ $is_public -eq 0 ]; then
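Review bot: On the two `INSERT ... ||` lines the redirection order `2>&1 > /dev/null` duplicates stderr onto the original stdout first and only then discards stdout, so the duplicate-key error from the first attempt is still printed while the query output is silenced; the intended form is `> /dev/null 2>&1` (and a space after `||` on the first line would match the second). The fallback also assumes the INSERT can only fail because the row already exists, which holds if `plugins.id` and `config.param` are unique keys in the Piwigo schema, but any other failure (connection refused, wrong credentials) is masked the same way and silently turned into an UPDATE; `INSERT ... ON DUPLICATE KEY UPDATE` or a preceding `SELECT` would make the intent explicit and keep genuine errors visible. The enclosing upgrade script continues outside the hunk.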