
Protect with fail2ban (closes #8) (#9)

Create and use ynh_add_fail2ban_config helper
This commit is contained in:
JimboJoe 2017-06-18 18:24:10 +02:00 committed by GitHub
parent e683d22272
commit 829a1f16d9
10 changed files with 114 additions and 8 deletions


@ -14,8 +14,8 @@
setup_public=1 setup_public=1
upgrade=1 upgrade=1
backup_restore=1 backup_restore=1
multi_instance=0 multi_instance=1
incorrect_path=0 incorrect_path=1
port_already_use=0 port_already_use=0
;;; Levels ;;; Levels
Level 1=auto Level 1=auto


@ -0,0 +1,5 @@
[INCLUDES]
before = common.conf
[Definition]
failregex = ip=<HOST>
ignoreregrex =
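Review bot: The `failregex = ip=<HOST>` on L33 is unanchored, so any log line that merely contains `ip=` followed by an address counts as a failed login. If the plugin writes attacker-supplied fields (for example the attempted username) on the same line, a client can craft a login attempt whose username contains `ip=203.0.113.5` and have fail2ban ban an address of their choosing; I can't see the plugin's log format from here, so this needs confirming against it, and if the format is fixed the expression should be anchored to that fixed text rather than to the bare `ip=` token. Separately, `ignoreregrex` on L34 is misspelled — fail2ban's option is `ignoreregex` — so as written it is an unknown key and the empty ignore list only works because that is the default anyway.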

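--- a/conf/fail2ban/jaild.conf
+++ b/conf/fail2ban/jaild.conf
@@ -0,0 +1,6 @@
+[__NAME__]
+enabled = true
+port = http,https
+filter = __NAME__
+logpath = /var/log/__NAME__FailedLogins.log
+maxretry = 6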
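Review bot: None of the scripts changed by this commit appear to read `conf/fail2ban/jaild.conf`: install and upgrade generate the jail through `ynh_add_fail2ban_config`, and restore copies `jaild.conf` out of the backup archive rather than from `conf/`, so the `__NAME__` placeholders on L41, L44 and L45 are never substituted as far as I can see. A second, hand-maintained copy of the jail is a drift risk (ports, maxretry and logpath now live in two places). If the template is indeed unused, drop it together with the filter template; otherwise have the helper render these files so there is a single source of truth.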


@ -0,0 +1,5 @@
SOURCE_URL=http://piwigo.org/ext/download.php?rid=5525
SOURCE_SUM=85b9a06f2c7ca8ae9698e6151c7631f519c945f696b02da72f9ff53243d7e4ca
SOURCE_FORMAT=zip
SOURCE_IN_SUBDIR=false
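Review bot: `SOURCE_URL` on L51 fetches the plugin over plain HTTP, so integrity rests entirely on `SOURCE_SUM` (L52) being enforced by `ynh_setup_source`, which is not visible here. If that check is enforced the pinned sha256 makes tampering detectable, but an https URL would additionally keep the download from being observed or silently redirected, assuming piwigo.org serves the extension over TLS. Consider `SOURCE_URL=https://piwigo.org/ext/download.php?rid=5525` after confirming the checksum still matches the file served there.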


@ -574,3 +574,57 @@ ynh_local_curl () {
# Curl the URL # Curl the URL
curl --silent --show-error -kL -H "Host: $domain" -X POST --resolve $domain:443:127.0.0.1 $POST_data "$full_page_url" curl --silent --show-error -kL -H "Host: $domain" -X POST --resolve $domain:443:127.0.0.1 $POST_data "$full_page_url"
} }
# Create a dedicated fail2ban config (jail and filter conf files)
#
# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]]
# | arg: log_file - Log file to be checked by fail2ban
# | arg: failregex - Failregex to be looked for by fail2ban
# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3
# | arg: ports - Ports blocked for a banned IP address - default: http,https
ynh_add_fail2ban_config () {
# Process parameters
logpath=$1
failregex=$2
max_retry=${3:-3}
ports=${4:-http,https}
test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
echo | sudo tee $finalfail2banjailconf <<EOF
[$app]
enabled = true
port = $ports
filter = $app
logpath = $logpath
maxretry = $max_retry"
EOF
echo | sudo tee $finalfail2banfilterconf <<EOF
[INCLUDES]
before = common.conf
[Definition]
failregex = $failregex
ignoreregrex ="
EOF
ynh_store_file_checksum "$finalfail2banjailconf"
ynh_store_file_checksum "$finalfail2banfilterconf"
sudo systemctl restart fail2ban
}
# Remove the dedicated fail2ban config (jail and filter conf files)
#
# usage: ynh_remove_fail2ban_config
ynh_remove_fail2ban_config () {
ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
sudo systemctl restart fail2ban
}
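Review bot: The here-docs in `ynh_add_fail2ban_config` write stray double quotes into the generated files: L87 emits `maxretry = 6"` and L94 emits `ignoreregrex ="`, so the jail ends up with a non-integer `maxretry` and the filter with a misspelled option (`ignoreregex`); fail2ban is likely to reject this jail, and because L98 restarts the whole service rather than reloading it, a bad app jail can interfere with every other jail on the host (sshd included) on older releases. The two lines should read `maxretry = $max_retry` and `ignoreregex =`. Smaller points: the `echo |` in front of `sudo tee ... <<EOF` on L81 and L89 is redundant since the here-doc replaces tee's stdin; `systemctl restart` discards fail2ban's in-memory state where `systemctl reload fail2ban` (or `fail2ban-client reload`) would not, if the installed version supports it; and the usage line on L64 names the second argument `filter` while L66 and L72 call it `failregex`. Both helpers also rely on the global `$app` without checking it is set, which is worth a `test -n "$app" || ynh_die ...` guard given the paths they write and remove.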


@ -47,6 +47,12 @@ else
echo "Data dir won't be saved, because backup_core_only is set." >&2 echo "Data dir won't be saved, because backup_core_only is set." >&2
fi fi
#=================================================
# BACKUP FAIL2BAN CONFIGURATION
#=================================================
ynh_backup "/etc/fail2ban/jail.d/$app.conf" "jaild.conf"
ynh_backup "/etc/fail2ban/filter.d/$app.conf" "filterd.conf"
#================================================= #=================================================
# BACKUP NGINX CONFIGURATION # BACKUP NGINX CONFIGURATION
#================================================= #=================================================


@ -16,11 +16,6 @@ source /usr/share/yunohost/helpers
ynh_abort_if_errors # Stop script if an error is detected ynh_abort_if_errors # Stop script if an error is detected
ynh_clean_setup () { # <============================================= TODO
log=$(sudo cat /var/log/nginx/$domain-error.log)
echo $log
}
#================================================= #=================================================
# RETRIEVE ARGUMENTS FROM THE MANIFEST # RETRIEVE ARGUMENTS FROM THE MANIFEST
#================================================= #=================================================
@ -82,6 +77,8 @@ ynh_app_setting_set $app final_path "$final_path"
# Create tmp directory and fetch app inside # Create tmp directory and fetch app inside
TMPDIR=$(mktemp -d) TMPDIR=$(mktemp -d)
ynh_setup_source "$TMPDIR" ynh_setup_source "$TMPDIR"
# Fetch needed plugins
ynh_setup_source "$TMPDIR/plugins" log_failed_logins_plugin
#================================================= #=================================================
# CREATE DEDICATED USER # CREATE DEDICATED USER
@ -145,9 +142,18 @@ ynh_replace_string "USERTOCHANGE" "$db_user" ../conf/database.inc.php
ynh_replace_string "PASSTOCHANGE" "$db_pwd" ../conf/database.inc.php ynh_replace_string "PASSTOCHANGE" "$db_pwd" ../conf/database.inc.php
sudo cp ../conf/database.inc.php $final_path/local/config/database.inc.php sudo cp ../conf/database.inc.php $final_path/local/config/database.inc.php
# Activate ldap plugin # Activate LDAP plugin
ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO plugins (id,state,version) VALUES ('Ldap_Login','active','1.1');" ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO plugins (id,state,version) VALUES ('Ldap_Login','active','1.1');"
# Configure and activate log_failed_logins plugin
ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO plugins (id,state,version) VALUES ('log_failed_logins','active','1.2');"
ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO config (param, value) VALUES ('logFailedLoginsFilename','/var/log/${app}FailedLogins.log');"
sudo touch "/var/log/${app}FailedLogins.log"
sudo chown $app: "/var/log/${app}FailedLogins.log"
# Set-up fail2ban
ynh_add_fail2ban_config "/var/log/${app}FailedLogins.log" "ip=<HOST>" 6
# Protect URIs if private # Protect URIs if private
if [ $is_public -eq 0 ]; if [ $is_public -eq 0 ];
then then
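Review bot: The failed-login log created on L150–L151 is left with the umask-default mode (typically 0644), so every local account can read the usernames and client addresses of failed login attempts; add `sudo chmod 640 "/var/log/${app}FailedLogins.log"` after the chown — fail2ban runs as root and can still read it. Note also that the file is writable by the web user and parsed by fail2ban with the loose `ip=<HOST>` expression passed on L153, so whatever the plugin writes per line (presumably including the attempted username) becomes input to the banning decision; worth confirming the plugin escapes or fixes that field before relying on it. No logrotate entry is added for the file, so it will grow without bound on a busy site.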


@ -38,6 +38,12 @@ ynh_mysql_remove_db "$app" "$db_name"
ynh_secure_remove "/var/www/$app" ynh_secure_remove "/var/www/$app"
ynh_secure_remove "/home/yunohost.app/$app" ynh_secure_remove "/home/yunohost.app/$app"
#=================================================
# REMOVE FAIL2BAN CONFIGURATION
#=================================================
ynh_remove_fail2ban_config
#================================================= #=================================================
# REMOVE NGINX AND PHP-FPM CONFIGURATION # REMOVE NGINX AND PHP-FPM CONFIGURATION
#================================================= #=================================================
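Review bot: `ynh_remove_fail2ban_config` on L166 drops the jail and filter, but the log file the install script creates at `/var/log/${app}FailedLogins.log` is not removed, so a record of failed login attempts (usernames and client IPs) outlives the app. Add `ynh_secure_remove "/var/log/${app}FailedLogins.log"` next to the other `ynh_secure_remove` calls above.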


@ -71,6 +71,13 @@ ynh_system_user_create $app # Recreate the dedicated user, if not existing
sudo chown -R $app: $final_path sudo chown -R $app: $final_path
#=================================================
# RESTORE FAIL2BAN CONFIGURATION
#=================================================
sudo cp -a ./jaild.conf "/etc/fail2ban/jail.d/$app.conf"
sudo cp -a ./filterd.conf "/etc/fail2ban/filter.d/$app.conf"
sudo systemctl restart fail2ban
#================================================= #=================================================
# RESTORE PHP-FPM CONFIGURATION # RESTORE PHP-FPM CONFIGURATION
#================================================= #=================================================
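Review bot: L178–L180 restore the jail and filter and restart fail2ban, but the jail's `logpath` points at `/var/log/${app}FailedLogins.log` and nothing in this hunk recreates that file; unless it is created elsewhere in the restore script, fail2ban will refuse to start a jail whose log file is missing, and the restart on L180 then leaves the app unprotected (older releases may fail the whole service start). Recreating the file with the same ownership and mode as install — `touch`, `chown $app:`, and a `chmod 640` — before the restart closes that gap. As in the helper, `systemctl reload fail2ban` would be preferable to a full restart where the installed version supports it.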


@ -92,6 +92,8 @@ fi
# Create tmp directory and fetch app inside # Create tmp directory and fetch app inside
TMPDIR=$(ynh_mkdir_tmp) TMPDIR=$(ynh_mkdir_tmp)
ynh_setup_source "$TMPDIR" ynh_setup_source "$TMPDIR"
# Fetch needed plugins
ynh_setup_source "$TMPDIR/plugins" log_failed_logins_plugin
#================================================= #=================================================
# CREATE DEDICATED USER # CREATE DEDICATED USER
@ -145,6 +147,15 @@ sudo cp ../conf/database.inc.php $final_path/local/config/database.inc.php
# Activate ldap plugin # Activate ldap plugin
ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "UPDATE plugins SET state='active' WHERE id='Ldap_Login';" ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "UPDATE plugins SET state='active' WHERE id='Ldap_Login';"
# Configure and activate log_failed_logins plugin
ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO plugins (id,state,version) VALUES ('log_failed_logins','active','1.2');" 2>&1 > /dev/null ||ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "UPDATE plugins SET state='active' WHERE id='log_failed_logins';"
ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO config (param, value) VALUES ('logFailedLoginsFilename','/var/log/${app}FailedLogins.log');" 2>&1 > /dev/null || ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "UPDATE config SET value='/var/log/${app}FailedLogins.log' WHERE param='logFailedLoginsFilename';"
sudo touch "/var/log/${app}FailedLogins.log"
sudo chown $app: "/var/log/${app}FailedLogins.log"
# Set-up fail2ban
ynh_add_fail2ban_config "/var/log/${app}FailedLogins.log" "ip=<HOST>" 6
# Protect URIs if private # Protect URIs if private
if [ $is_public -eq 0 ]; if [ $is_public -eq 0 ];
then then
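Review bot: The redirections on L199 and L200 are in the wrong order: `2>&1 > /dev/null` points stderr at the original stdout and only then discards stdout, so the duplicate-key error from the first `INSERT` still reaches the log while the statement's own output is hidden; `> /dev/null 2>&1` is what was intended. The `INSERT ... || UPDATE` pattern also treats any failure of the `INSERT`, not just a duplicate key, as "row already exists", so an unrelated database error is masked until the `UPDATE` runs. Since the fallback already assumes `plugins.id` and `config.param` are unique, a single `INSERT ... ON DUPLICATE KEY UPDATE state='active'` (and `... UPDATE value=VALUES(value)` for the config row) would be idempotent and keep errors visible. The log file touched on L201–L202 gets the umask-default mode as in install; a `sudo chmod 640` on it would keep failed-login usernames and addresses from being world-readable.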