Add fail2ban

This commit is contained in:
Josué Tille 2019-06-12 22:56:50 +02:00
parent ff97d28f63
commit d4aeefafb9
No known key found for this signature in database
GPG key ID: 716A6C99B04194EF
6 changed files with 67 additions and 7 deletions

21
conf/f2b_filter.conf Normal file
View file

@ -0,0 +1,21 @@
# Fail2Ban filter for seafile
#
[INCLUDES]
# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf
[Definition]
_daemon = seaf-server
failregex = Login attempt limit reached.*, ip: <HOST>
ignoreregex =
# DEV Notes:
#
# pattern : 2015-10-20 15:20:32,402 [WARNING] seahub.auth.views:155 login Login attempt limit reached, username: <user>, ip: 1.2.3.4, attemps: 3
# 2015-10-20 17:04:32,235 [WARNING] seahub.auth.views:163 login Login attempt limit reached, ip: 1.2.3.4, attempts: 3

18
conf/f2b_jail.conf Normal file
View file

@ -0,0 +1,18 @@
# All standard jails are in the file configuration located
# /etc/fail2ban/jail.conf
# Warning you may override any other parameter (e.g. banaction,
# action, port, logpath, etc) in that section within jail.local
# Change logpath with your file log used by seafile (e.g. seahub.log)
# Also you can change the max retry var (3 attemps = 1 line written in the
# seafile log)
# So with this maxrety to 1, the user can try 3 times before his IP is banned
[seafile]
enabled = true
port = http,https
filter = seafile-auth
logpath = __FINAL_PATH__/logs/seahub.log
maxretry = 3

View file

@ -38,6 +38,8 @@ ynh_script_progression --message="Backing configuration..."
ynh_backup --src_path /etc/nginx/conf.d/$domain.d/${app}.conf
ynh_backup --src_path /etc/systemd/system/seafile.service
ynh_backup --src_path /etc/systemd/system/seahub.service
ynh_backup --src_path /etc/fail2ban/jail.d/$app.conf
ynh_backup --src_path /etc/fail2ban/filter.d/$app.conf
# Backup mysql
ynh_script_progression --message="Backing database"

View file

@ -125,6 +125,7 @@ echo 'EMAIL_PORT = "25"' | tee -a $final_path/conf/seahub_settings.py
echo 'DEFAULT_FROM_EMAIL = "seafile@'$domain'"' | tee -a $final_path/conf/seahub_settings.py
echo 'SERVER_EMAIL = "seafile@'$domain'"' | tee -a $final_path/conf/seahub_settings.py
echo 'EMAIL_HOST_PASSWORD = ""' | tee -a $final_path/conf/seahub_settings.py
echo "TIME_ZONE = \"$(cat /etc/timezone)\"" | tee -a $final_path/conf/seahub_settings.py
# LDAP configuration
echo '[LDAP]' | tee -a $final_path/conf/ccnet.conf
@ -198,6 +199,10 @@ ynh_script_progression --message="Configuring log rotation..."
ynh_use_logrotate $final_path/logs
ln -s $final_path/logs /var/log/seafile
# Add fail2ban
ynh_script_progression --message="Configuring fail2ban..." --weight=10
ynh_add_fail2ban_config --use_template --others_var 'final_path'
# register yunohost service
yunohost service add seafile
yunohost service add seahub

View file

@ -73,19 +73,24 @@ ln -s $final_path/logs /var/log/seafile
ynh_script_progression --message="Protecting directory..."
set_permission
# Add Seafile to YunoHost's monitored services
yunohost service add seafile
yunohost service add seahub
# Reload nginx
systemctl reload nginx.service
# Enable service and start seafile
ynh_script_progression --message="Reconfiguring application..."
systemctl daemon-reload
systemctl enable seafile
systemctl enable seahub
# Add Seafile to YunoHost's monitored services
yunohost service add seafile
yunohost service add seahub
ynh_script_progression --message="Reloading services..."
# Reload nginx
systemctl reload nginx.service
# Reload fail2ban
ynh_systemd_action --service_name=fail2ban --action=reload
# Avoid the current effect
sleep 5

View file

@ -176,6 +176,11 @@ then
echo "LOGIN_URL = '$path_url/accounts/login/'" | tee -a $final_path/conf/seahub_settings.py
fi
if [ $(grep -c "TIME_ZONE" $final_path/conf/seahub_settings.py) == 0 ]
then
echo "TIME_ZONE = \"$(cat /etc/timezone)\"" | tee -a $final_path/conf/seahub_settings.py
fi
# Fix local warning
ynh_replace_string --match_string en_US.UTF-8 --replace_string ${LANG:-'en_US.UTF-8'} --target_file $final_path/seafile-server-$seafile_version/seahub.sh
@ -217,6 +222,10 @@ set_permission
ynh_script_progression --message="Configuring log rotation..."
ynh_use_logrotate $final_path/logs --nonappend
# Add fail2ban
ynh_script_progression --message="Configuring fail2ban..." --weight=10
ynh_add_fail2ban_config --use_template --others_var 'final_path'
# register yunohost service
ynh_script_progression --message="Register seafile service..."
yunohost service add seafile