Protect with fail2ban (closes #8)

check_process

@@ -14,8 +14,8 @@
 		setup_public=1
 		upgrade=1
 		backup_restore=1
-		multi_instance=0
-		incorrect_path=0
+		multi_instance=1
+		incorrect_path=1
 		port_already_use=0
 ;;; Levels
 	Level 1=auto

conf/fail2ban/filterd.conf

@@ -0,0 +1,5 @@
+[INCLUDES]
+before = common.conf
+[Definition]
+failregex = ip=<HOST>
+ignoreregrex =

conf/fail2ban/jaild.conf

@@ -0,0 +1,6 @@
+[__NAME__]
+enabled = true
+port = http,https
+filter = __NAME__
+logpath = /var/log/__NAME__FailedLogins.log
+maxretry = 6

conf/log_failed_logins_plugin.src

@@ -0,0 +1,5 @@
+SOURCE_URL=http://piwigo.org/ext/download.php?rid=5525
+SOURCE_SUM=85b9a06f2c7ca8ae9698e6151c7631f519c945f696b02da72f9ff53243d7e4ca
+SOURCE_FORMAT=zip
+SOURCE_IN_SUBDIR=false
+

scripts/backup

@@ -47,6 +47,12 @@ else
 	echo "Data dir won't be saved, because backup_core_only is set." >&2
 fi
 
+#=================================================
+# BACKUP FAIL2BAN CONFIGURATION
+#=================================================
+ynh_backup "/etc/fail2ban/jail.d/$app.conf" "jaild.conf"
+ynh_backup "/etc/fail2ban/filter.d/$app.conf" "filterd.conf"
+
 #=================================================
 # BACKUP NGINX CONFIGURATION
 #=================================================

scripts/install

@@ -16,11 +16,6 @@ source /usr/share/yunohost/helpers
 
 ynh_abort_if_errors	# Stop script if an error is detected
 
-ynh_clean_setup () {                      # <============================================= TODO
-    log=$(sudo cat /var/log/nginx/$domain-error.log)
-    echo $log
-}
-
 #=================================================
 # RETRIEVE ARGUMENTS FROM THE MANIFEST
 #=================================================
@@ -82,6 +77,8 @@ ynh_app_setting_set $app final_path "$final_path"
 # Create tmp directory and fetch app inside
 TMPDIR=$(mktemp -d)
 ynh_setup_source "$TMPDIR"
+# Fetch needed plugins
+ynh_setup_source "$TMPDIR/plugins" log_failed_logins_plugin
 
 #=================================================
 # CREATE DEDICATED USER
@@ -145,9 +142,21 @@ ynh_replace_string "USERTOCHANGE" "$db_user" ../conf/database.inc.php
 ynh_replace_string "PASSTOCHANGE" "$db_pwd" ../conf/database.inc.php
 sudo cp ../conf/database.inc.php $final_path/local/config/database.inc.php
 
-# Activate ldap plugin
+# Activate LDAP plugin
 ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO plugins (id,state,version) VALUES ('Ldap_Login','active','1.1');"
 
+# Configure and activate log_failed_logins plugin
+ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO plugins (id,state,version) VALUES ('log_failed_logins','active','1.2');"
+ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO config (param, value) VALUES ('logFailedLoginsFilename','/var/log/${app}FailedLogins.log');"
+sudo touch "/var/log/${app}FailedLogins.log"
+sudo chown $app: "/var/log/${app}FailedLogins.log"
+
+# Set-up fail2ban
+ynh_replace_string "__NAME__" "$app" ../conf/fail2ban/jaild.conf
+sudo cp ../conf/fail2ban/jaild.conf /etc/fail2ban/jail.d/$app.conf
+sudo cp ../conf/fail2ban/filterd.conf /etc/fail2ban/filter.d/$app.conf
+sudo systemctl restart fail2ban
+
 # Protect URIs if private
 if [ $is_public -eq 0 ];
 then

scripts/remove

@@ -38,6 +38,14 @@ ynh_mysql_remove_db "$app" "$db_name"
 ynh_secure_remove "/var/www/$app"
 ynh_secure_remove "/home/yunohost.app/$app"
 
+#=================================================
+# REMOVE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
+ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
+sudo systemctl restart fail2ban
+
 #=================================================
 # REMOVE NGINX AND PHP-FPM CONFIGURATION
 #=================================================

scripts/restore

@@ -71,6 +71,13 @@ ynh_system_user_create $app	# Recreate the dedicated user, if not existing
 
 sudo chown -R $app: $final_path
 
+#=================================================
+# RESTORE FAIL2BAN CONFIGURATION
+#=================================================
+sudo cp -a ./jaild.conf "/etc/fail2ban/jail.d/$app.conf"
+sudo cp -a ./filterd.conf "/etc/fail2ban/filter.d/$app.conf"
+sudo systemctl restart fail2ban
+
 #=================================================
 # RESTORE PHP-FPM CONFIGURATION
 #=================================================

scripts/upgrade

@@ -92,6 +92,8 @@ fi
 # Create tmp directory and fetch app inside
 TMPDIR=$(ynh_mkdir_tmp)
 ynh_setup_source "$TMPDIR"
+# Fetch needed plugins
+ynh_setup_source "$TMPDIR/plugins" log_failed_logins_plugin
 
 #=================================================
 # CREATE DEDICATED USER
@@ -145,6 +147,18 @@ sudo cp ../conf/database.inc.php $final_path/local/config/database.inc.php
 # Activate ldap plugin
 ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "UPDATE plugins SET state='active' WHERE id='Ldap_Login';"
 
+# Configure and activate log_failed_logins plugin
+ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO plugins (id,state,version) VALUES ('log_failed_logins','active','1.2');" 2>&1 > /dev/null ||ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "UPDATE plugins SET state='active' WHERE id='log_failed_logins';"
+ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO config (param, value) VALUES ('logFailedLoginsFilename','/var/log/${app}FailedLogins.log');" 2>&1 > /dev/null || ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "UPDATE config SET value='/var/log/${app}FailedLogins.log' WHERE param='logFailedLoginsFilename';"
+sudo touch "/var/log/${app}FailedLogins.log"
+sudo chown $app: "/var/log/${app}FailedLogins.log"
+
+# Set-up fail2ban
+ynh_replace_string "__NAME__" "$app" ../conf/fail2ban/jaild.conf
+sudo cp ../conf/fail2ban/jaild.conf /etc/fail2ban/jail.d/$app.conf
+sudo cp ../conf/fail2ban/filterd.conf /etc/fail2ban/filter.d/$app.conf
+sudo systemctl restart fail2ban
+
 # Protect URIs if private
 if [ $is_public -eq 0 ];
 then