Create and use ynh_add_fail2ban_config helper
This commit is contained in:
parent
e683d22272
commit
829a1f16d9
10 changed files with 114 additions and 8 deletions
|
@ -14,8 +14,8 @@
|
|||
setup_public=1
|
||||
upgrade=1
|
||||
backup_restore=1
|
||||
multi_instance=0
|
||||
incorrect_path=0
|
||||
multi_instance=1
|
||||
incorrect_path=1
|
||||
port_already_use=0
|
||||
;;; Levels
|
||||
Level 1=auto
|
||||
|
|
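--- a/conf/fail2ban/filterd.conf
+++ b/conf/fail2ban/filterd.conf
@@ -0,0 +1,5 @@
+[INCLUDES]
+before = common.conf
+[Definition]
+failregex = ip=<HOST>
+ignoreregrex =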
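Review bot: `ignoreregrex =` on the last line is not an option fail2ban reads; the filter key is `ignoreregex`, so this line is either silently ignored or reported as an unknown option depending on the fail2ban version, and the same misspelling appears in `ynh_add_fail2ban_config` in `_common.sh`. Change it to `ignoreregex =`. `failregex = ip=<HOST>` is also unanchored; once the plugin's line format is known it is worth anchoring the pattern to that layout so that only the IP field of a failed-login line can satisfy `<HOST>`, which keeps the ban decision tied to the field the logger itself writes.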
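--- a/conf/fail2ban/jaild.conf
+++ b/conf/fail2ban/jaild.conf
@@ -0,0 +1,6 @@
+[__NAME__]
+enabled = true
+port = http,https
+filter = __NAME__
+logpath = /var/log/__NAME__FailedLogins.log
+maxretry = 6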
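Review bot: Nothing in this commit consumes `conf/fail2ban/jaild.conf` or `conf/fail2ban/filterd.conf`: the install script builds the jail through `ynh_add_fail2ban_config`, and the restore script copies `./jaild.conf` out of the backup archive rather than out of `conf/`. If these files are meant as templates, the `__NAME__` placeholders need a `ynh_replace_string "__NAME__" "$app" …` step before they are installed; if not, they should be dropped so the jail is defined in one place (the template's `maxretry = 6` already differs from the helper's default of 3). Keeping both risks the two definitions drifting apart.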
5
conf/log_failed_logins_plugin.src
Normal file
5
conf/log_failed_logins_plugin.src
Normal file
|
@ -0,0 +1,5 @@
|
|||
SOURCE_URL=http://piwigo.org/ext/download.php?rid=5525
|
||||
SOURCE_SUM=85b9a06f2c7ca8ae9698e6151c7631f519c945f696b02da72f9ff53243d7e4ca
|
||||
SOURCE_FORMAT=zip
|
||||
SOURCE_IN_SUBDIR=false
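Review bot: `SOURCE_URL` fetches the plugin over plain http, so the integrity of the download rests entirely on `SOURCE_SUM` being checked by `ynh_setup_source`, which is how that helper is expected to behave but lies outside this commit. If piwigo.org serves the extension over TLS, prefer `SOURCE_URL=https://piwigo.org/ext/download.php?rid=5525` so a tampered download is rejected at the transport level as well as by the checksum. The hunk header announces 5 lines but only four are visible here, so the fifth could not be reviewed.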
|
||||
|
|
@ -574,3 +574,57 @@ ynh_local_curl () {
|
|||
# Curl the URL
|
||||
curl --silent --show-error -kL -H "Host: $domain" -X POST --resolve $domain:443:127.0.0.1 $POST_data "$full_page_url"
|
||||
}
|
||||
|
||||
# Create a dedicated fail2ban config (jail and filter conf files)
|
||||
#
|
||||
# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]]
|
||||
# | arg: log_file - Log file to be checked by fail2ban
|
||||
# | arg: failregex - Failregex to be looked for by fail2ban
|
||||
# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3
|
||||
# | arg: ports - Ports blocked for a banned IP address - default: http,https
|
||||
ynh_add_fail2ban_config () {
|
||||
# Process parameters
|
||||
logpath=$1
|
||||
failregex=$2
|
||||
max_retry=${3:-3}
|
||||
ports=${4:-http,https}
|
||||
|
||||
test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
|
||||
test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
|
||||
|
||||
finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
|
||||
finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
|
||||
ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
|
||||
ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
|
||||
|
||||
echo | sudo tee $finalfail2banjailconf <<EOF
|
||||
[$app]
|
||||
enabled = true
|
||||
port = $ports
|
||||
filter = $app
|
||||
logpath = $logpath
|
||||
maxretry = $max_retry"
|
||||
EOF
|
||||
|
||||
echo | sudo tee $finalfail2banfilterconf <<EOF
|
||||
[INCLUDES]
|
||||
before = common.conf
|
||||
[Definition]
|
||||
failregex = $failregex
|
||||
ignoreregrex ="
|
||||
EOF
|
||||
|
||||
ynh_store_file_checksum "$finalfail2banjailconf"
|
||||
ynh_store_file_checksum "$finalfail2banfilterconf"
|
||||
|
||||
sudo systemctl restart fail2ban
|
||||
}
|
||||
|
||||
# Remove the dedicated fail2ban config (jail and filter conf files)
|
||||
#
|
||||
# usage: ynh_remove_fail2ban_config
|
||||
ynh_remove_fail2ban_config () {
|
||||
ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
|
||||
ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
|
||||
sudo systemctl restart fail2ban
|
||||
}
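Review bot: Both heredocs in `ynh_add_fail2ban_config` write a stray double quote into the generated files: `maxretry = $max_retry"` and `ignoreregrex ="` end with a literal `"`, so the jail's maxretry becomes e.g. `6"` and fail2ban will most likely refuse to load the jail (the filter option is also spelled `ignoreregex`, as in the rewrite below). The `echo |` in front of both `sudo tee` calls is dead, since the `<<EOF` redirection replaces the piped stdin; tee additionally copies the whole config to stdout and the target path is unquoted, so the rewrite drops the pipe, quotes the paths and silences tee. The usage line reads `log_file filter` while the second argument is documented and used as `failregex`; change it to `# usage: ynh_add_fail2ban_config log_file failregex [max_retry [ports]]`. The four parameters are also left as globals after the call; declaring them `local` keeps them out of the caller's scope.
```shell
ynh_add_fail2ban_config () {
  # … unchanged: parameter processing, argument checks and checksum backup …

  sudo tee "$finalfail2banjailconf" >/dev/null <<EOF
[$app]
enabled = true
port = $ports
filter = $app
logpath = $logpath
maxretry = $max_retry
EOF

  sudo tee "$finalfail2banfilterconf" >/dev/null <<EOF
[INCLUDES]
before = common.conf
[Definition]
failregex = $failregex
ignoreregex =
EOF

  # … unchanged: checksum storage and fail2ban restart …
```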
|
|
@ -47,6 +47,12 @@ else
|
|||
echo "Data dir won't be saved, because backup_core_only is set." >&2
|
||||
fi
|
||||
|
||||
#=================================================
|
||||
# BACKUP FAIL2BAN CONFIGURATION
|
||||
#=================================================
|
||||
ynh_backup "/etc/fail2ban/jail.d/$app.conf" "jaild.conf"
|
||||
ynh_backup "/etc/fail2ban/filter.d/$app.conf" "filterd.conf"
|
||||
|
||||
#=================================================
|
||||
# BACKUP NGINX CONFIGURATION
|
||||
#=================================================
|
||||
|
|
|
@ -16,11 +16,6 @@ source /usr/share/yunohost/helpers
|
|||
|
||||
ynh_abort_if_errors # Stop script if an error is detected
|
||||
|
||||
ynh_clean_setup () { # <============================================= TODO
|
||||
log=$(sudo cat /var/log/nginx/$domain-error.log)
|
||||
echo $log
|
||||
}
|
||||
|
||||
#=================================================
|
||||
# RETRIEVE ARGUMENTS FROM THE MANIFEST
|
||||
#=================================================
|
||||
|
@ -82,6 +77,8 @@ ynh_app_setting_set $app final_path "$final_path"
|
|||
# Create tmp directory and fetch app inside
|
||||
TMPDIR=$(mktemp -d)
|
||||
ynh_setup_source "$TMPDIR"
|
||||
# Fetch needed plugins
|
||||
ynh_setup_source "$TMPDIR/plugins" log_failed_logins_plugin
|
||||
|
||||
#=================================================
|
||||
# CREATE DEDICATED USER
|
||||
|
@ -145,9 +142,18 @@ ynh_replace_string "USERTOCHANGE" "$db_user" ../conf/database.inc.php
|
|||
ynh_replace_string "PASSTOCHANGE" "$db_pwd" ../conf/database.inc.php
|
||||
sudo cp ../conf/database.inc.php $final_path/local/config/database.inc.php
|
||||
|
||||
# Activate ldap plugin
|
||||
# Activate LDAP plugin
|
||||
ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO plugins (id,state,version) VALUES ('Ldap_Login','active','1.1');"
|
||||
|
||||
# Configure and activate log_failed_logins plugin
|
||||
ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO plugins (id,state,version) VALUES ('log_failed_logins','active','1.2');"
|
||||
ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO config (param, value) VALUES ('logFailedLoginsFilename','/var/log/${app}FailedLogins.log');"
|
||||
sudo touch "/var/log/${app}FailedLogins.log"
|
||||
sudo chown $app: "/var/log/${app}FailedLogins.log"
|
||||
|
||||
# Set-up fail2ban
|
||||
ynh_add_fail2ban_config "/var/log/${app}FailedLogins.log" "ip=<HOST>" 6
|
||||
|
||||
# Protect URIs if private
|
||||
if [ $is_public -eq 0 ];
|
||||
then
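Review bot: `/var/log/${app}FailedLogins.log` is created with `sudo touch` and chowned to `$app:` but no mode is set, so it gets the default umask (commonly 0644) and is readable by every local account; failed-login records (the client IP plus, presumably, the attempted login name) are not something all users on the host should be able to read. Add `sudo chmod 640 "/var/log/${app}FailedLogins.log"` after the chown — fail2ban reads the file as root, so the jail is unaffected. The same path literal is spelled out four times in this hunk (the SQL `config` insert, touch, chown and the `ynh_add_fail2ban_config` call); hoisting it into one variable such as `failed_logins_log="/var/log/${app}FailedLogins.log"` avoids the copies drifting apart. The `if [ $is_public -eq 0 ]` block at the end of the hunk continues outside it.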
|
||||
|
|
|
@ -38,6 +38,12 @@ ynh_mysql_remove_db "$app" "$db_name"
|
|||
ynh_secure_remove "/var/www/$app"
|
||||
ynh_secure_remove "/home/yunohost.app/$app"
|
||||
|
||||
#=================================================
|
||||
# REMOVE FAIL2BAN CONFIGURATION
|
||||
#=================================================
|
||||
|
||||
ynh_remove_fail2ban_config
|
||||
|
||||
#=================================================
|
||||
# REMOVE NGINX AND PHP-FPM CONFIGURATION
|
||||
#=================================================
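Review bot: The fail2ban jail and filter are removed, but the log file the install script creates for them, `/var/log/${app}FailedLogins.log`, is not, so it is left behind after removal. Add `ynh_secure_remove "/var/log/${app}FailedLogins.log"` next to the `ynh_remove_fail2ban_config` call. Since the helper already restarts fail2ban after deleting its config, removing the log afterwards does not leave an active jail pointing at a missing file.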
|
||||
|
|
|
@ -71,6 +71,13 @@ ynh_system_user_create $app # Recreate the dedicated user, if not existing
|
|||
|
||||
sudo chown -R $app: $final_path
|
||||
|
||||
#=================================================
|
||||
# RESTORE FAIL2BAN CONFIGURATION
|
||||
#=================================================
|
||||
sudo cp -a ./jaild.conf "/etc/fail2ban/jail.d/$app.conf"
|
||||
sudo cp -a ./filterd.conf "/etc/fail2ban/filter.d/$app.conf"
|
||||
sudo systemctl restart fail2ban
|
||||
|
||||
#=================================================
|
||||
# RESTORE PHP-FPM CONFIGURATION
|
||||
#=================================================
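Review bot: The two fail2ban files are copied back with `sudo cp -a`, but unlike `ynh_add_fail2ban_config` in `_common.sh` this path never calls `ynh_store_file_checksum` on them, so a restored instance has no stored checksum for either file while a freshly installed one does. Add `ynh_store_file_checksum "/etc/fail2ban/jail.d/$app.conf"` and `ynh_store_file_checksum "/etc/fail2ban/filter.d/$app.conf"` after the copies so the next upgrade's `ynh_backup_if_checksum_is_different` sees the same state in both cases. `cp -a` also carries whatever ownership and mode the archive holds into `/etc/fail2ban`; confirming the files end up root-owned, as the ones written via `sudo tee` are, is worth a check.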
|
||||
|
|
|
@ -92,6 +92,8 @@ fi
|
|||
# Create tmp directory and fetch app inside
|
||||
TMPDIR=$(ynh_mkdir_tmp)
|
||||
ynh_setup_source "$TMPDIR"
|
||||
# Fetch needed plugins
|
||||
ynh_setup_source "$TMPDIR/plugins" log_failed_logins_plugin
|
||||
|
||||
#=================================================
|
||||
# CREATE DEDICATED USER
|
||||
|
@ -145,6 +147,15 @@ sudo cp ../conf/database.inc.php $final_path/local/config/database.inc.php
|
|||
# Activate ldap plugin
|
||||
ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "UPDATE plugins SET state='active' WHERE id='Ldap_Login';"
|
||||
|
||||
# Configure and activate log_failed_logins plugin
|
||||
ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO plugins (id,state,version) VALUES ('log_failed_logins','active','1.2');" 2>&1 > /dev/null ||ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "UPDATE plugins SET state='active' WHERE id='log_failed_logins';"
|
||||
ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO config (param, value) VALUES ('logFailedLoginsFilename','/var/log/${app}FailedLogins.log');" 2>&1 > /dev/null || ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "UPDATE config SET value='/var/log/${app}FailedLogins.log' WHERE param='logFailedLoginsFilename';"
|
||||
sudo touch "/var/log/${app}FailedLogins.log"
|
||||
sudo chown $app: "/var/log/${app}FailedLogins.log"
|
||||
|
||||
# Set-up fail2ban
|
||||
ynh_add_fail2ban_config "/var/log/${app}FailedLogins.log" "ip=<HOST>" 6
|
||||
|
||||
# Protect URIs if private
|
||||
if [ $is_public -eq 0 ];
|
||||
then
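Review bot: The redirections on the two `INSERT` lines are in the wrong order: `2>&1 > /dev/null` points stderr at the original stdout and only then discards stdout, so MySQL's duplicate-row error is printed while the normal output is hidden, the opposite of what the `||` fallback suggests was intended. Use `> /dev/null 2>&1` on both lines (and a space after `||` on the first, where `||ynh_mysql_connect_as` is hard to read). Since the fallback already assumes the `INSERT` fails on an existing row, a single `INSERT … ON DUPLICATE KEY UPDATE state='active'` would express the upsert without relying on the error path, provided `plugins.id` and `config.param` carry a unique key, which this hunk does not show. The `if [ $is_public -eq 0 ]` at the end of the hunk continues outside it.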
|
||||
|
|