From d4aeefafb98083251b9b53f63c7a4b44010d1a38 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Wed, 12 Jun 2019 22:56:50 +0200 Subject: [PATCH] Add fail2ban --- conf/f2b_filter.conf | 21 +++++++++++++++++++++ conf/f2b_jail.conf | 18 ++++++++++++++++++ scripts/backup | 2 ++ scripts/install | 5 +++++ scripts/restore | 19 ++++++++++++------- scripts/upgrade | 9 +++++++++ 6 files changed, 67 insertions(+), 7 deletions(-) create mode 100644 conf/f2b_filter.conf create mode 100644 conf/f2b_jail.conf
diff --git a/conf/f2b_filter.conf b/conf/f2b_filter.conf
new file mode 100644
index 0000000..1226460
--- /dev/null
+++ b/conf/f2b_filter.conf
@@ -0,0 +1,21 @@
+# Fail2Ban filter for seafile
+#
+
+[INCLUDES]
+
+# Read common prefixes. If any customizations available -- read them from
+# common.local
+before = common.conf
+
+[Definition]
+
+_daemon = seaf-server
+
+failregex = Login attempt limit reached.*, ip:
+
+ignoreregex =
+
+# DEV Notes:
+#
+# pattern : 2015-10-20 15:20:32,402 [WARNING] seahub.auth.views:155 login Login attempt limit reached, username: , ip: 1.2.3.4, attemps: 3
+# 2015-10-20 17:04:32,235 [WARNING] seahub.auth.views:163 login Login attempt limit reached, ip: 1.2.3.4, attempts: 3
diff --git a/conf/f2b_jail.conf b/conf/f2b_jail.conf
new file mode 100644
index 0000000..dc85fe9
--- /dev/null
+++ b/conf/f2b_jail.conf
@@ -0,0 +1,18 @@
+# All standard jails are in the file configuration located
+# /etc/fail2ban/jail.conf
+
+# Warning you may override any other parameter (e.g. banaction,
+# action, port, logpath, etc) in that section within jail.local
+
+# Change logpath with your file log used by seafile (e.g. seahub.log)
+# Also you can change the max retry var (3 attemps = 1 line written in the
+# seafile log)
+# So with this maxrety to 1, the user can try 3 times before his IP is banned
+
+[seafile]
+
+enabled = true
+port = http,https
+filter = seafile-auth
+logpath = __FINAL_PATH__/logs/seahub.log
+maxretry = 3
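Review bot: The `failregex` in conf/f2b_filter.conf is not anchored to the end of the log line, and as shown on this page it stops at `ip: ` with no `<HOST>` tag (the tag may have been lost in rendering; without it fail2ban has no address to act on). The first sample in the DEV Notes shows the client-supplied username logged before the `ip:` field, so the leading `.*` lets request-controlled text sit inside the match. Pinning the tail to what Seahub itself writes narrows that, e.g. `failregex = Login attempt limit reached.*, ip: <HOST>, attemp\w*: \d+\s*$`, where `attemp\w*` covers both spellings in the samples. `_daemon = seaf-server` is defined but never referenced by the regex.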
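Review bot: `filter = seafile-auth` in conf/f2b_jail.conf does not match the file this package ships: scripts/backup in the same commit saves the filter as `/etc/fail2ban/filter.d/$app.conf`, so the jail would look for a `seafile-auth` filter that this commit does not install, unless one already exists on the host. If the template helper substitutes `__APP__` the same way it does `__FINAL_PATH__`, then `[__APP__]` and `filter = __APP__` would keep the section, the filter and the file names in step. The header comment also describes `maxretry` set to 1 as allowing three tries, while the value set is `maxretry = 3`; one of the two should change so the ban threshold is the one the comment promises.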
diff --git a/scripts/backup b/scripts/backup index 2a24928..b6d195d 100644 --- a/scripts/backup +++ b/scripts/backup @@ -38,6 +38,8 @@ ynh_script_progression --message="Backing configuration..." ynh_backup --src_path /etc/nginx/conf.d/$domain.d/${app}.conf ynh_backup --src_path /etc/systemd/system/seafile.service ynh_backup --src_path /etc/systemd/system/seahub.service +ynh_backup --src_path /etc/fail2ban/jail.d/$app.conf +ynh_backup --src_path /etc/fail2ban/filter.d/$app.conf # Backup mysql ynh_script_progression --message="Backing database" diff --git a/scripts/install b/scripts/install index ee1623f..0117d7c 100644 --- a/scripts/install +++ b/scripts/install @@ -125,6 +125,7 @@ echo 'EMAIL_PORT = "25"' | tee -a $final_path/conf/seahub_settings.py echo 'DEFAULT_FROM_EMAIL = "seafile@'$domain'"' | tee -a $final_path/conf/seahub_settings.py echo 'SERVER_EMAIL = "seafile@'$domain'"' | tee -a $final_path/conf/seahub_settings.py echo 'EMAIL_HOST_PASSWORD = ""' | tee -a $final_path/conf/seahub_settings.py +echo "TIME_ZONE = \"$(cat /etc/timezone)\"" | tee -a $final_path/conf/seahub_settings.py # LDAP configuration echo '[LDAP]' | tee -a $final_path/conf/ccnet.conf @@ -198,6 +199,10 @@ ynh_script_progression --message="Configuring log rotation..." ynh_use_logrotate $final_path/logs ln -s $final_path/logs /var/log/seafile +# Add fail2ban +ynh_script_progression --message="Configuring fail2ban..." --weight=10 +ynh_add_fail2ban_config --use_template --others_var 'final_path' + # register yunohost service yunohost service add seafile yunohost service add seahub diff --git a/scripts/restore b/scripts/restore index ae5ad15..c6e56ce 100644 --- a/scripts/restore +++ b/scripts/restore 
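Review bot: The added `TIME_ZONE` line in scripts/install writes whatever `cat /etc/timezone` prints, so a missing or empty file yields `TIME_ZONE = ""` in seahub_settings.py; a failing command substitution inside the `echo` argument does not stop the script. The setting matters for the new jail, because fail2ban compares the timestamps in seahub.log with system time when counting failures. Read the value first and stop on an empty result, e.g. `timezone="$(cat /etc/timezone)"` followed by `[ -n "$timezone" ] || ynh_die --message="Cannot determine the system time zone"`, then echo `$timezone`. The same line is added in scripts/upgrade.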
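Review bot: The `ynh_add_fail2ban_config` call added to scripts/install has no counterpart on removal: the diffstat lists no change to scripts/remove, so after an uninstall `/etc/fail2ban/jail.d/$app.conf` would still point at a `logpath` under the deleted install directory. fail2ban generally refuses to start when a jail's log file is missing, which would affect every jail on the host. Unless the remove script already does it, add `ynh_remove_fail2ban_config` there. For the same reason `__FINAL_PATH__/logs/seahub.log` should exist before the helper runs here and in scripts/upgrade; whether Seahub has already created it at this point is not visible in the hunk.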
@@ -73,19 +73,24 @@ ln -s $final_path/logs /var/log/seafile ynh_script_progression --message="Protecting directory..." set_permission -# Add Seafile to YunoHost's monitored services -yunohost service add seafile -yunohost service add seahub - -# Reload nginx -systemctl reload nginx.service - # Enable service and start seafile ynh_script_progression --message="Reconfiguring application..." systemctl daemon-reload systemctl enable seafile systemctl enable seahub +# Add Seafile to YunoHost's monitored services +yunohost service add seafile +yunohost service add seahub + +ynh_script_progression --message="Reloading services..." + +# Reload nginx +systemctl reload nginx.service + +# Reload fail2ban +ynh_systemd_action --service_name=fail2ban --action=reload + # Avoid the current effect sleep 5 diff --git a/scripts/upgrade b/scripts/upgrade index 3d395a3..cb9b113 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -176,6 +176,11 @@ then echo "LOGIN_URL = '$path_url/accounts/login/'" | tee -a $final_path/conf/seahub_settings.py fi +if [ $(grep -c "TIME_ZONE" $final_path/conf/seahub_settings.py) == 0 ] +then + echo "TIME_ZONE = \"$(cat /etc/timezone)\"" | tee -a $final_path/conf/seahub_settings.py +fi + # Fix local warning ynh_replace_string --match_string en_US.UTF-8 --replace_string ${LANG:-'en_US.UTF-8'} --target_file $final_path/seafile-server-$seafile_version/seahub.sh @@ -217,6 +222,10 @@ set_permission ynh_script_progression --message="Configuring log rotation..." ynh_use_logrotate $final_path/logs --nonappend +# Add fail2ban +ynh_script_progression --message="Configuring fail2ban..." --weight=10 +ynh_add_fail2ban_config --use_template --others_var 'final_path' + # register yunohost service ynh_script_progression --message="Register seafile service..." yunohost service add seafile
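Review bot: The new `ynh_systemd_action --service_name=fail2ban --action=reload` in scripts/restore runs without the hunk restoring the two files that scripts/backup now saves, `/etc/fail2ban/jail.d/$app.conf` and `/etc/fail2ban/filter.d/$app.conf`. Per the diffstat this hunk is the whole change to scripts/restore, so unless an earlier part of the script restores every archived file, a restored instance comes back without its login jail and the reload changes nothing. Add `ynh_restore_file --origin_path="/etc/fail2ban/jail.d/$app.conf"` and the same for `filter.d` before the reload.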
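Review bot: The guard `[ $(grep -c "TIME_ZONE" $final_path/conf/seahub_settings.py) == 0 ]` in scripts/upgrade matches the string anywhere in the file, including inside a comment, and relies on an unquoted substitution with `==` inside `[`, which is a bash extension. `if ! grep -q '^TIME_ZONE' "$final_path/conf/seahub_settings.py"` tests for a real assignment only and needs no count. The `if`/`fi` pair is complete inside the hunk.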