Protect with fail2ban (closes #8) (#9)

Create and use ynh_add_fail2ban_config helper

check_process

@@ -14,8 +14,8 @@
 		setup_public=1
 		upgrade=1
 		backup_restore=1
-		multi_instance=0
-		incorrect_path=0
+		multi_instance=1
+		incorrect_path=1
 		port_already_use=0
 ;;; Levels
 	Level 1=auto

conf/fail2ban/filterd.conf

@@ -0,0 +1,5 @@
+[INCLUDES]
+before = common.conf
+[Definition]
+failregex = ip=<HOST>
+ignoreregrex =

conf/fail2ban/jaild.conf

@@ -0,0 +1,6 @@
+[__NAME__]
+enabled = true
+port = http,https
+filter = __NAME__
+logpath = /var/log/__NAME__FailedLogins.log
+maxretry = 6

conf/log_failed_logins_plugin.src

@@ -0,0 +1,5 @@
+SOURCE_URL=http://piwigo.org/ext/download.php?rid=5525
+SOURCE_SUM=85b9a06f2c7ca8ae9698e6151c7631f519c945f696b02da72f9ff53243d7e4ca
+SOURCE_FORMAT=zip
+SOURCE_IN_SUBDIR=false
+

scripts/_common.sh

@@ -573,4 +573,58 @@ ynh_local_curl () {
 
 	# Curl the URL
 	curl --silent --show-error -kL -H "Host: $domain" -X POST --resolve $domain:443:127.0.0.1 $POST_data "$full_page_url"
+}
+
+# Create a dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]]
+# | arg: log_file - Log file to be checked by fail2ban
+# | arg: failregex - Failregex to be looked for by fail2ban
+# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3
+# | arg: ports - Ports blocked for a banned IP address - default: http,https
+ynh_add_fail2ban_config () {
+   # Process parameters
+   logpath=$1
+   failregex=$2
+   max_retry=${3:-3}
+   ports=${4:-http,https}
+   
+  test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
+  test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
+  
+	finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
+	finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
+	ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
+	ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
+  
+  echo | sudo tee $finalfail2banjailconf <<EOF
+[$app]
+enabled = true
+port = $ports
+filter = $app
+logpath = $logpath
+maxretry = $max_retry" 
+EOF
+
+  echo | sudo tee $finalfail2banfilterconf <<EOF
+[INCLUDES]
+before = common.conf
+[Definition]
+failregex = $failregex
+ignoreregrex =" 
+EOF
+
+	ynh_store_file_checksum "$finalfail2banjailconf"
+	ynh_store_file_checksum "$finalfail2banfilterconf"
+  
+	sudo systemctl restart fail2ban
+}
+
+# Remove the dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_remove_fail2ban_config
+ynh_remove_fail2ban_config () {
+	ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
+  ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
+	sudo systemctl restart fail2ban
 }

scripts/backup

@@ -47,6 +47,12 @@ else
 	echo "Data dir won't be saved, because backup_core_only is set." >&2
 fi
 
+#=================================================
+# BACKUP FAIL2BAN CONFIGURATION
+#=================================================
+ynh_backup "/etc/fail2ban/jail.d/$app.conf" "jaild.conf"
+ynh_backup "/etc/fail2ban/filter.d/$app.conf" "filterd.conf"
+
 #=================================================
 # BACKUP NGINX CONFIGURATION
 #=================================================

scripts/install

@@ -16,11 +16,6 @@ source /usr/share/yunohost/helpers
 
 ynh_abort_if_errors	# Stop script if an error is detected
 
-ynh_clean_setup () {                      # <============================================= TODO
-    log=$(sudo cat /var/log/nginx/$domain-error.log)
-    echo $log
-}
-
 #=================================================
 # RETRIEVE ARGUMENTS FROM THE MANIFEST
 #=================================================
@@ -82,6 +77,8 @@ ynh_app_setting_set $app final_path "$final_path"
 # Create tmp directory and fetch app inside
 TMPDIR=$(mktemp -d)
 ynh_setup_source "$TMPDIR"
+# Fetch needed plugins
+ynh_setup_source "$TMPDIR/plugins" log_failed_logins_plugin
 
 #=================================================
 # CREATE DEDICATED USER
@@ -145,9 +142,18 @@ ynh_replace_string "USERTOCHANGE" "$db_user" ../conf/database.inc.php
 ynh_replace_string "PASSTOCHANGE" "$db_pwd" ../conf/database.inc.php
 sudo cp ../conf/database.inc.php $final_path/local/config/database.inc.php
 
-# Activate ldap plugin
+# Activate LDAP plugin
 ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO plugins (id,state,version) VALUES ('Ldap_Login','active','1.1');"
 
+# Configure and activate log_failed_logins plugin
+ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO plugins (id,state,version) VALUES ('log_failed_logins','active','1.2');"
+ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO config (param, value) VALUES ('logFailedLoginsFilename','/var/log/${app}FailedLogins.log');"
+sudo touch "/var/log/${app}FailedLogins.log"
+sudo chown $app: "/var/log/${app}FailedLogins.log"
+
+# Set-up fail2ban
+ynh_add_fail2ban_config "/var/log/${app}FailedLogins.log" "ip=<HOST>" 6
+
 # Protect URIs if private
 if [ $is_public -eq 0 ];
 then

scripts/remove

@@ -38,6 +38,12 @@ ynh_mysql_remove_db "$app" "$db_name"
 ynh_secure_remove "/var/www/$app"
 ynh_secure_remove "/home/yunohost.app/$app"
 
+#=================================================
+# REMOVE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_remove_fail2ban_config
+
 #=================================================
 # REMOVE NGINX AND PHP-FPM CONFIGURATION
 #=================================================

scripts/restore

@@ -71,6 +71,13 @@ ynh_system_user_create $app	# Recreate the dedicated user, if not existing
 
 sudo chown -R $app: $final_path
 
+#=================================================
+# RESTORE FAIL2BAN CONFIGURATION
+#=================================================
+sudo cp -a ./jaild.conf "/etc/fail2ban/jail.d/$app.conf"
+sudo cp -a ./filterd.conf "/etc/fail2ban/filter.d/$app.conf"
+sudo systemctl restart fail2ban
+
 #=================================================
 # RESTORE PHP-FPM CONFIGURATION
 #=================================================

scripts/upgrade

@@ -92,6 +92,8 @@ fi
 # Create tmp directory and fetch app inside
 TMPDIR=$(ynh_mkdir_tmp)
 ynh_setup_source "$TMPDIR"
+# Fetch needed plugins
+ynh_setup_source "$TMPDIR/plugins" log_failed_logins_plugin
 
 #=================================================
 # CREATE DEDICATED USER
@@ -145,6 +147,15 @@ sudo cp ../conf/database.inc.php $final_path/local/config/database.inc.php
 # Activate ldap plugin
 ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "UPDATE plugins SET state='active' WHERE id='Ldap_Login';"
 
+# Configure and activate log_failed_logins plugin
+ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO plugins (id,state,version) VALUES ('log_failed_logins','active','1.2');" 2>&1 > /dev/null ||ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "UPDATE plugins SET state='active' WHERE id='log_failed_logins';"
+ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO config (param, value) VALUES ('logFailedLoginsFilename','/var/log/${app}FailedLogins.log');" 2>&1 > /dev/null || ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "UPDATE config SET value='/var/log/${app}FailedLogins.log' WHERE param='logFailedLoginsFilename';"
+sudo touch "/var/log/${app}FailedLogins.log"
+sudo chown $app: "/var/log/${app}FailedLogins.log"
+
+# Set-up fail2ban
+ynh_add_fail2ban_config "/var/log/${app}FailedLogins.log" "ip=<HOST>" 6
+
 # Protect URIs if private
 if [ $is_public -eq 0 ];
 then