1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/piwigo_ynh.git synced 2024-09-03 20:06:03 +02:00

Protect with fail2ban (closes #8) (#9)

Create and use ynh_add_fail2ban_config helper
This commit is contained in:
JimboJoe 2017-06-18 18:24:10 +02:00 committed by GitHub
parent e683d22272
commit 829a1f16d9
10 changed files with 114 additions and 8 deletions

View file

@ -14,8 +14,8 @@
setup_public=1
upgrade=1
backup_restore=1
multi_instance=0
incorrect_path=0
multi_instance=1
incorrect_path=1
port_already_use=0
;;; Levels
Level 1=auto

View file

@ -0,0 +1,5 @@
[INCLUDES]
before = common.conf
[Definition]
failregex = ip=<HOST>
ignoreregrex =

6
conf/fail2ban/jaild.conf Normal file
View file

@ -0,0 +1,6 @@
[__NAME__]
enabled = true
port = http,https
filter = __NAME__
logpath = /var/log/__NAME__FailedLogins.log
maxretry = 6

View file

@ -0,0 +1,5 @@
SOURCE_URL=http://piwigo.org/ext/download.php?rid=5525
SOURCE_SUM=85b9a06f2c7ca8ae9698e6151c7631f519c945f696b02da72f9ff53243d7e4ca
SOURCE_FORMAT=zip
SOURCE_IN_SUBDIR=false

View file

@ -574,3 +574,57 @@ ynh_local_curl () {
# Curl the URL
curl --silent --show-error -kL -H "Host: $domain" -X POST --resolve $domain:443:127.0.0.1 $POST_data "$full_page_url"
}
# Create a dedicated fail2ban config (jail and filter conf files)
#
# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]]
# | arg: log_file - Log file to be checked by fail2ban
# | arg: failregex - Failregex to be looked for by fail2ban
# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3
# | arg: ports - Ports blocked for a banned IP address - default: http,https
ynh_add_fail2ban_config () {
# Process parameters
logpath=$1
failregex=$2
max_retry=${3:-3}
ports=${4:-http,https}
test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
echo | sudo tee $finalfail2banjailconf <<EOF
[$app]
enabled = true
port = $ports
filter = $app
logpath = $logpath
maxretry = $max_retry"
EOF
echo | sudo tee $finalfail2banfilterconf <<EOF
[INCLUDES]
before = common.conf
[Definition]
failregex = $failregex
ignoreregrex ="
EOF
ynh_store_file_checksum "$finalfail2banjailconf"
ynh_store_file_checksum "$finalfail2banfilterconf"
sudo systemctl restart fail2ban
}
# Remove the dedicated fail2ban config (jail and filter conf files)
#
# usage: ynh_remove_fail2ban_config
ynh_remove_fail2ban_config () {
ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
sudo systemctl restart fail2ban
}

View file

@ -47,6 +47,12 @@ else
echo "Data dir won't be saved, because backup_core_only is set." >&2
fi
#=================================================
# BACKUP FAIL2BAN CONFIGURATION
#=================================================
ynh_backup "/etc/fail2ban/jail.d/$app.conf" "jaild.conf"
ynh_backup "/etc/fail2ban/filter.d/$app.conf" "filterd.conf"
#=================================================
# BACKUP NGINX CONFIGURATION
#=================================================

View file

@ -16,11 +16,6 @@ source /usr/share/yunohost/helpers
ynh_abort_if_errors # Stop script if an error is detected
ynh_clean_setup () { # <============================================= TODO
log=$(sudo cat /var/log/nginx/$domain-error.log)
echo $log
}
#=================================================
# RETRIEVE ARGUMENTS FROM THE MANIFEST
#=================================================
@ -82,6 +77,8 @@ ynh_app_setting_set $app final_path "$final_path"
# Create tmp directory and fetch app inside
TMPDIR=$(mktemp -d)
ynh_setup_source "$TMPDIR"
# Fetch needed plugins
ynh_setup_source "$TMPDIR/plugins" log_failed_logins_plugin
#=================================================
# CREATE DEDICATED USER
@ -145,9 +142,18 @@ ynh_replace_string "USERTOCHANGE" "$db_user" ../conf/database.inc.php
ynh_replace_string "PASSTOCHANGE" "$db_pwd" ../conf/database.inc.php
sudo cp ../conf/database.inc.php $final_path/local/config/database.inc.php
# Activate ldap plugin
# Activate LDAP plugin
ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO plugins (id,state,version) VALUES ('Ldap_Login','active','1.1');"
# Configure and activate log_failed_logins plugin
ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO plugins (id,state,version) VALUES ('log_failed_logins','active','1.2');"
ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO config (param, value) VALUES ('logFailedLoginsFilename','/var/log/${app}FailedLogins.log');"
sudo touch "/var/log/${app}FailedLogins.log"
sudo chown $app: "/var/log/${app}FailedLogins.log"
# Set-up fail2ban
ynh_add_fail2ban_config "/var/log/${app}FailedLogins.log" "ip=<HOST>" 6
# Protect URIs if private
if [ $is_public -eq 0 ];
then

View file

@ -38,6 +38,12 @@ ynh_mysql_remove_db "$app" "$db_name"
ynh_secure_remove "/var/www/$app"
ynh_secure_remove "/home/yunohost.app/$app"
#=================================================
# REMOVE FAIL2BAN CONFIGURATION
#=================================================
ynh_remove_fail2ban_config
#=================================================
# REMOVE NGINX AND PHP-FPM CONFIGURATION
#=================================================

View file

@ -71,6 +71,13 @@ ynh_system_user_create $app # Recreate the dedicated user, if not existing
sudo chown -R $app: $final_path
#=================================================
# RESTORE FAIL2BAN CONFIGURATION
#=================================================
sudo cp -a ./jaild.conf "/etc/fail2ban/jail.d/$app.conf"
sudo cp -a ./filterd.conf "/etc/fail2ban/filter.d/$app.conf"
sudo systemctl restart fail2ban
#=================================================
# RESTORE PHP-FPM CONFIGURATION
#=================================================

View file

@ -92,6 +92,8 @@ fi
# Create tmp directory and fetch app inside
TMPDIR=$(ynh_mkdir_tmp)
ynh_setup_source "$TMPDIR"
# Fetch needed plugins
ynh_setup_source "$TMPDIR/plugins" log_failed_logins_plugin
#=================================================
# CREATE DEDICATED USER
@ -145,6 +147,15 @@ sudo cp ../conf/database.inc.php $final_path/local/config/database.inc.php
# Activate ldap plugin
ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "UPDATE plugins SET state='active' WHERE id='Ldap_Login';"
# Configure and activate log_failed_logins plugin
ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO plugins (id,state,version) VALUES ('log_failed_logins','active','1.2');" 2>&1 > /dev/null ||ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "UPDATE plugins SET state='active' WHERE id='log_failed_logins';"
ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "INSERT INTO config (param, value) VALUES ('logFailedLoginsFilename','/var/log/${app}FailedLogins.log');" 2>&1 > /dev/null || ynh_mysql_connect_as $db_name $db_pwd $db_user <<< "UPDATE config SET value='/var/log/${app}FailedLogins.log' WHERE param='logFailedLoginsFilename';"
sudo touch "/var/log/${app}FailedLogins.log"
sudo chown $app: "/var/log/${app}FailedLogins.log"
# Set-up fail2ban
ynh_add_fail2ban_config "/var/log/${app}FailedLogins.log" "ip=<HOST>" 6
# Protect URIs if private
if [ $is_public -eq 0 ];
then