From d1ab68a08f20f9bca434d8a764b9cea1db27a4d4 Mon Sep 17 00:00:00 2001
From: Jimmy Monin
Date: Sun, 18 Jun 2017 14:33:19 +0200
Subject: [PATCH] Create and use ynh_add_fail2ban_config helper
---
 scripts/_common.sh | 74 ++++++++++++++++++++++++++++++++++++++++++++++
 scripts/install | 5 +---
 scripts/remove | 4 +--
 scripts/upgrade | 5 +---
 4 files changed, 77 insertions(+), 11 deletions(-)
diff --git a/scripts/_common.sh b/scripts/_common.sh
index 9e9cbbe..ed59ec9 100644
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -573,4 +573,78 @@ ynh_local_curl () {
 # Curl the URL
 curl --silent --show-error -kL -H "Host: $domain" -X POST --resolve $domain:443:127.0.0.1 $POST_data "$full_page_url"
+}
+
+# Create a dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]]
+# | arg: log_file - Log file to be checked by fail2ban
+# | arg: failregex - Failregex to be looked for by fail2ban
+# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3
+# | arg: ports - Ports blocked for a banned IP address - default: http,https
+ynh_add_fail2ban_config () {
+ # Process parameters
+ logpath=$1
+ failregex=$2
+ max_retry=${3:-3}
+ ports=${4:-http,https}
+
+ test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
+ test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
+
+ finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
+ finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
+ ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
+ ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
+
+ cat > ./jaild.conf << EOF
+[__NAME__]
+enabled = true
+port = __PORTS__
+filter = __NAME__
+logpath = __LOGPATH__
+maxretry = __MAXRETRY__
+EOF
+
+ cat > ./filterd.conf << EOF
+[INCLUDES]
+before = common.conf
+[Definition]
+failregex = __FAILREGEX__
+ignoreregrex =
+EOF
+ sudo mv ./jaild.conf $finalfail2banjailconf
+ sudo mv ./filterd.conf $finalfail2banfilterconf
+
+ # To avoid a break by set -u, use a void substitution ${var:-}. If the variable is not set, it's simply set with an empty variable.
+ # Substitute in config file only if the variable is not empty
+
+ # jail configuration file
+ if test -n "${app:-}"; then
+ ynh_replace_string "__NAME__" "$app" "$finalfail2banjailconf"
+ fi
+ if test -n "${logpath:-}"; then
+ ynh_replace_string "__LOGPATH__" "$logpath" "$finalfail2banjailconf"
+ fi
+ ynh_replace_string "__PORTS__" "$ports" "$finalfail2banjailconf"
+ ynh_replace_string "__MAXRETRY__" "$max_retry" "$finalfail2banjailconf"
+
+ # filter configuration file
+ if test -n "${failregex:-}"; then
+ ynh_replace_string "__FAILREGEX__" "$failregex" "$finalfail2banfilterconf"
+ fi
+
+ ynh_store_file_checksum "$finalfail2banjailconf"
+ ynh_store_file_checksum "$finalfail2banfilterconf"
+
+ sudo systemctl restart fail2ban
+}
+
+# Remove the dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_remove_fail2ban_config
+ynh_remove_fail2ban_config () {
+ ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
+ ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
+ sudo systemctl restart fail2ban
 }
\ No newline at end of file
diff --git a/scripts/install b/scripts/install
index 33c3c79..c4fc9cb 100644
--- a/scripts/install
+++ b/scripts/install
@@ -152,10 +152,7 @@ sudo touch "/var/log/${app}FailedLogins.log"
 sudo chown $app: "/var/log/${app}FailedLogins.log"
 # Set-up fail2ban
-ynh_replace_string "__NAME__" "$app" ../conf/fail2ban/jaild.conf
-sudo cp ../conf/fail2ban/jaild.conf /etc/fail2ban/jail.d/$app.conf
-sudo cp ../conf/fail2ban/filterd.conf /etc/fail2ban/filter.d/$app.conf
-sudo systemctl restart fail2ban
+ynh_add_fail2ban_config "/var/log/${app}FailedLogins.log" "ip=" 6
 # Protect URIs if private
 if [ $is_public -eq 0 ];
diff --git a/scripts/remove b/scripts/remove
index 371038c..bdccf72 100644
--- a/scripts/remove
+++ b/scripts/remove
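Review bot: The filter template written by the second heredoc spells the key `ignoreregrex =`; fail2ban's option is `ignoreregex`, so the misspelt line is at best ignored and the empty ignore list the template means to declare never is — change it to `ignoreregex =`, and while touching the header comment, the usage line's `filter` should read `failregex` to match the arg list and the code. `logpath`, `failregex`, `max_retry`, `ports` and the two `finalfail2ban*conf` variables are assigned without `local`, so they persist in the calling script after the helper returns. The `test -n "${app:-}"` guard around the `__NAME__` substitution silently leaves a jail named `__NAME__` in a file written to `/etc/fail2ban/jail.d/.conf` when `app` is unset; an upfront `test -n "${app:-}" || ynh_die "ynh_add_fail2ban_config requires \$app to be set."` would fail loudly like the checks for the first two arguments do. `ynh_replace_string` is not shown here, but if it is sed-based, a failregex containing `&` or backslash sequences will be rewritten on its way into the filter file and the jail will match something other than what the caller passed; writing `$failregex` directly into the heredoc, or escaping it before substitution, avoids that.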
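Review bot: The failregex passed as the second argument, `"ip="`, contains no `<HOST>` capture, and fail2ban refuses a failregex without a host group when it loads the filter, so the jail created by this call would never be able to ban an address; the filter previously copied from `../conf/fail2ban/filterd.conf` is not visible in this diff, so the intended host pattern cannot be confirmed here, but it has to be passed in whole — for example `"ip=<HOST>"` (constructed; verify against the actual lines written to `/var/log/${app}FailedLogins.log`). The same call is made in the scripts/upgrade hunk. Since install and upgrade now share this literal, a short comment above the call stating the log line format the regex was written for would keep the two in step.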
@@ -42,9 +42,7 @@ ynh_secure_remove "/home/yunohost.app/$app"
 # REMOVE FAIL2BAN CONFIGURATION
 #=================================================
-ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
-ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
-sudo systemctl restart fail2ban
+ynh_remove_fail2ban_config
 #=================================================
 # REMOVE NGINX AND PHP-FPM CONFIGURATION
diff --git a/scripts/upgrade b/scripts/upgrade
index e6ea865..cdf42d7 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -154,10 +154,7 @@ sudo touch "/var/log/${app}FailedLogins.log"
 sudo chown $app: "/var/log/${app}FailedLogins.log"
 # Set-up fail2ban
-ynh_replace_string "__NAME__" "$app" ../conf/fail2ban/jaild.conf
-sudo cp ../conf/fail2ban/jaild.conf /etc/fail2ban/jail.d/$app.conf
-sudo cp ../conf/fail2ban/filterd.conf /etc/fail2ban/filter.d/$app.conf
-sudo systemctl restart fail2ban
+ynh_add_fail2ban_config "/var/log/${app}FailedLogins.log" "ip=" 6
 # Protect URIs if private
 if [ $is_public -eq 0 ];