Added logrotate,fail2ban

2024-09-03 20:26:10 +02:00 · 2018-09-28 02:14:34 +05:30 · 2018-09-28 02:14:34 +05:30 · 01cce20693
commit 01cce20693
parent d861b1d6c1
7 changed files with 165 additions and 29 deletions
--- a/README.md
+++ b/README.md
@ -26,6 +26,7 @@ Maintainer: @Lapineige
 - [X] Backup/restore scripts
 - [X] Upgrade Script
 - [X] Change url
+- [X] Integrate fail2ban for the app

 ## Installation information

@ -36,7 +37,7 @@ After the installation go to the domain and create your account. After the creat
 ## TODO
    
 - [ ] Integrate the LDAP/SSOWAT authentication (currently the authentication is done by Shaarli)
- [ ] Integrate fail2ban for the app
+

 ## Changelog

--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@ -1,29 +1,78 @@
+#!/bin/bash
+
+# ============= FUTURE YUNOHOST HELPER =============
+# Delete a file checksum from the app settings
 #
-# Common helpers
+# $app should be defined when calling this helper
 #
-
-
-# Download and extract Shaarli sources to the given directory
-# usage: extract_shaarli DESTDIR [AS_USER]
-extract_shaarli() {
-    local AS_USER=${6:-$USER}
-
-    # Retrieve and extract Shaarli tarball
-    sh_tarball="/tmp/shaarli.tar.gz"
-    rm -f "$sh_tarball"
-    wget -q -O "$sh_tarball" "$SHAARLI_SOURCE_URL" \
-        || ynh_die "Unable to download Shaarli tarball"
-    echo "$SHAARLI_SOURCE_SHA256 $sh_tarball" | sha256sum -c >/dev/null \
-        || ynh_die "Invalid checksum of downloaded tarball"
-    sudo tar xf "$sh_tarball" -C "$final_path" --strip-components 1 \
-        || ynh_die "Unable to extract Shaarli tarball"
-    rm -f "$sh_tarball"
-
-    wget -q -O "$sh_tarball" "$SHAARLI_SOURCE_URL" \
-        || ynh_die "Unable to download Shaarli tarball"
-    echo "$SHAARLI_SOURCE_SHA256 $sh_tarball" | sha256sum -c >/dev/null \
-        || ynh_die "Invalid checksum of downloaded tarball"
-    sudo tar xf "$sh_tarball" -C "$final_path" --strip-components 1 \
-        || ynh_die "Unable to extract Shaarli tarball"
-    sudo chown -R www-data: $final_path
+# usage: ynh_remove_file_checksum file
+# | arg: file - The file for which the checksum will be deleted
+ynh_delete_file_checksum () {
+	local checksum_setting_name=checksum_${1//[\/ ]/_}	# Replace all '/' and ' ' by '_'
+	ynh_app_setting_delete $app $checksum_setting_name
+}
+
+
+#=================================================
+# EXPERIMENTAL HELPERS
+#=================================================
+
+# Create a dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]]
+# | arg: log_file - Log file to be checked by fail2ban
+# | arg: failregex - Failregex to be looked for by fail2ban
+# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3
+# | arg: ports - Ports blocked for a banned IP address - default: http,https
+ynh_add_fail2ban_config () {
+   # Process parameters
+   logpath=$1
+   failregex=$2
+   max_retry=${3:-3}
+   ports=${4:-http,https}
+   
+  test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
+  test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
+  
+  finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
+  finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
+  ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
+  ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
+  
+  sudo tee $finalfail2banjailconf <<EOF
+[$app]
+enabled = true
+port = $ports
+filter = $app
+logpath = $logpath
+maxretry = $max_retry
+EOF
+
+  sudo tee $finalfail2banfilterconf <<EOF
+[INCLUDES]
+before = common.conf
+[Definition]
+failregex = $failregex
+ignoreregex =
+EOF
+
+  ynh_store_file_checksum "$finalfail2banjailconf"
+  ynh_store_file_checksum "$finalfail2banfilterconf"
+  
+  systemctl restart fail2ban
+  local fail2ban_error="$(journalctl -u fail2ban | tail -n50 | grep "WARNING.*$app.*")"
+  if [ -n "$fail2ban_error" ]
+  then
+    echo "[ERR] Fail2ban failed to load the jail for $app" >&2
+    echo "WARNING${fail2ban_error#*WARNING}" >&2
+  fi
+}
+
+# Remove the dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_remove_fail2ban_config
+ynh_remove_fail2ban_config () {
+  ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
+  ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
+  sudo systemctl restart fail2ban
 }
--- a/scripts/backup
+++ b/scripts/backup
@ -50,3 +50,16 @@ ynh_backup "/etc/nginx/conf.d/$domain.d/$app.conf"

 ynh_backup "/etc/php5/fpm/pool.d/$app.conf"
 ynh_backup "/etc/php5/fpm/conf.d/20-$app.ini"
+
+#=================================================
+# BACKUP LOGROTATE
+#=================================================
+
+ynh_backup "/etc/logrotate.d/$app"
+
+#=================================================
+# BACKUP FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_backup "/etc/fail2ban/jail.d/$app.conf"
+ynh_backup "/etc/fail2ban/filter.d/$app.conf"
--- a/scripts/install
+++ b/scripts/install
@ -75,7 +75,7 @@ ynh_app_setting_set $app is_public $is_public


 # Install dependencies
-ynh_install_app_dependencies php5-cli 
+ynh_install_app_dependencies php-cli 


 #=================================================
@ -114,6 +114,28 @@ sudo find $final_path -type d | xargs sudo chmod 755
 # Set right permissions for curl install
 chown -R $app: $final_path

+#=================================================
+# SETUP LOGROTATE
+#=================================================
+
+### `ynh_use_logrotate` is used to configure a logrotate configuration for the logs of this app.
+### Use this helper only if there is effectively a log file for this app.
+### If you're not using this helper:
+###		- Remove the section "BACKUP LOGROTATE" in the backup script
+###		- Remove also the section "REMOVE LOGROTATE CONFIGURATION" in the remove script
+###		- As well as the section "RESTORE THE LOGROTATE CONFIGURATION" in the restore script
+###		- And the section "SETUP LOGROTATE" in the upgrade script
+
+# Use logrotate to manage application logfile(s)
+ynh_use_logrotate "$final_path/data/log.txt"
+
+
+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "$final_path/data/log.txt" "\s-\s<HOST>\s-\sLogin failed for user.*$" 5
+
 #=================================================
 # SETUP SSOWAT
 #=================================================
--- a/scripts/remove
+++ b/scripts/remove
@ -19,6 +19,14 @@ app=$YNH_APP_INSTANCE_NAME
 domain=$(ynh_app_setting_get $app domain)
 final_path=$(ynh_app_setting_get $app final_path)

+
+#=================================================
+# REMOVE DEPENDENCIES
+#=================================================
+
+# Remove metapackage and its dependencies
+ynh_remove_app_dependencies
+
 #=================================================
 # REMOVE APP MAIN DIR
 #=================================================
@ -40,6 +48,19 @@ ynh_remove_nginx_config
 # Remove the dedicated php-fpm config
 ynh_remove_fpm_config

+#=================================================
+# REMOVE LOGROTATE CONFIGURATION
+#=================================================
+
+# Remove the app-specific logrotate config
+ynh_remove_logrotate
+
+#=================================================
+# REMOVE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_remove_fail2ban_config
+
 #=================================================
 # REMOVE DEDICATED USER
 #=================================================
--- a/scripts/restore
+++ b/scripts/restore
@ -83,7 +83,21 @@ ynh_restore_file "/etc/php5/fpm/conf.d/20-$app.ini"
 #=================================================

 # Define and install dependencies
-ynh_install_app_dependencies php5-cli 
+ynh_install_app_dependencies php-cli 
+
+#=================================================
+# RESTORE THE LOGROTATE CONFIGURATION
+#=================================================
+
+ynh_restore_file "/etc/logrotate.d/$app"
+
+#=================================================
+# RESTORE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_restore_file "/etc/fail2ban/jail.d/$app.conf"
+ynh_restore_file "/etc/fail2ban/filter.d/$app.conf"
+systemctl restart fail2ban

 #=================================================
 # GENERIC FINALIZATION
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -87,6 +87,9 @@ sudo rm -Rf "$tmpdir"
 # Create a dedicated nginx config
 ynh_add_nginx_config

+# Install dependencies
+ynh_install_app_dependencies php-cli 
+
 #=================================================
 # CREATE DEDICATED USER
 #=================================================
@ -101,6 +104,19 @@ ynh_system_user_create $app
 # Create a dedicated php-fpm config
 ynh_add_fpm_config

+#=================================================
+# SETUP LOGROTATE
+#=================================================
+
+# Use logrotate to manage app-specific logfile(s)
+ynh_use_logrotate --non-append
+
+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "$final_path/data/log.txt" "\s-\s<HOST>\s-\sLogin failed for user.*$" 5
+
 # Set right permissions 
 chown -R $app: $final_path