From b9faec521c7e048f47c2b62fdf905c7ef216dec2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Tue, 12 Feb 2019 21:24:25 +0100 Subject: [PATCH] Add fail2ban --- conf/f2b_filter.conf | 14 +++++ conf/f2b_jail.conf | 6 +++ scripts/backup | 9 +++- scripts/experimental_helper.sh | 95 ++++++++++++++++++++++++++++++++++ scripts/install | 9 ++++ scripts/remove | 6 +++ scripts/restore | 6 +++ scripts/upgrade | 9 ++++ 8 files changed, 153 insertions(+), 1 deletion(-) create mode 100644 conf/f2b_filter.conf create mode 100644 conf/f2b_jail.conf diff --git a/conf/f2b_filter.conf b/conf/f2b_filter.conf new file mode 100644 index 0000000..c3205ab --- /dev/null +++ b/conf/f2b_filter.conf @@ -0,0 +1,14 @@ +[INCLUDES] +before = common.conf +[Definition] + +# Part of regex definition (just used to make more easy to make the global regex) +__synapse_start_line = .? \- synapse\..+ \- + +# Regex definition. +failregex = ^%(__synapse_start_line)s INFO \- POST\-(\d+)\- \- \d+ \- Received request\: POST /_matrix/client/r0/login\??%(__synapse_start_line)s INFO \- POST\-\1\- Got login request with identifier: \{('type': 'm.id.user'(, )?|'user'\: '(.+?)'(, )?){2}\}, medium\: None, address: None, user\: '\7'%(__synapse_start_line)s WARNING \- \- (Attempted to login as @\7\:.+ but they do not exist|Failed password login for user @\7\:.+)$ +ignoreregex = + +[Init] + +maxlines = 20 diff --git a/conf/f2b_jail.conf b/conf/f2b_jail.conf new file mode 100644 index 0000000..3680686 --- /dev/null +++ b/conf/f2b_jail.conf @@ -0,0 +1,6 @@ +[__APP__] +enabled = true +port = http,https +filter = __APP__ +logpath = /var/log/matrix-__APP__/homeserver.log +maxretry = 3 diff --git a/scripts/backup b/scripts/backup index d817ae5..15161d4 100644 --- a/scripts/backup +++ b/scripts/backup @@ -78,4 +78,11 @@ ynh_psql_dump_db "$synapse_db_name" > ${YNH_CWD}/dump.sql # BACKUP SYNAPSE LOG #================================================= -ynh_backup "/var/log/matrix-$app" \ No newline at end of file +ynh_backup "/var/log/matrix-$app" + +#================================================= +# BACKUP FAIL2BAN CONFIG +#================================================= + +ynh_backup "/etc/fail2ban/jail.d/$app.conf" +ynh_backup "/etc/fail2ban/filter.d/$app.conf" diff --git a/scripts/experimental_helper.sh b/scripts/experimental_helper.sh index 660007b..d640a40 100644 --- a/scripts/experimental_helper.sh +++ b/scripts/experimental_helper.sh @@ -145,3 +145,98 @@ $(yunohost tools diagnosis | grep -B 100 "services:" | sed '/services:/d')" # Send the email to the recipients echo "$mail_message" | $mail_bin -a "Content-Type: text/plain; charset=UTF-8" -s "$mail_subject" "$recipients" } + +# Create a dedicated fail2ban config (jail and filter conf files) +# +# usage: ynh_add_fail2ban_config "list of others variables to replace" +# +# | arg: list of others variables to replace separeted by a space +# | for example : 'var_1 var_2 ...' +# +# This will use a template in ../conf/f2b_jail.conf and ../conf/f2b_filter.conf +# __APP__ by $app +# +# You can dynamically replace others variables by example : +# __VAR_1__ by $var_1 +# __VAR_2__ by $var_2 +# +# Note about the "failregex" option: +# regex to match the password failure messages in the logfile. The +# host must be matched by a group named "host". The tag "" can +# be used for standard IP/hostname matching and is only an alias for +# (?:::f{4,6}:)?(?P[\w\-.^_]+) +# +# You can find some more explainations about how to make a regex here : +# https://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Filters +# +# Note that the logfile need to exist before to call this helper !! +# +# Generally your template will look like that by example (for synapse): +# +# f2b_jail.conf: +# [__APP__] +# enabled = true +# port = http,https +# filter = __APP__ +# logpath = /var/log/__APP__/logfile.log +# maxretry = 3 +# +# f2b_filter.conf: +# [INCLUDES] +# before = common.conf +# [Definition] +# +# # Part of regex definition (just used to make more easy to make the global regex) +# __synapse_start_line = .? \- synapse\..+ \- +# +# # Regex definition. +# failregex = ^%(__synapse_start_line)s INFO \- POST\-(\d+)\- \- \d+ \- Received request\: POST /_matrix/client/r0/login\??%(__synapse_start_line)s INFO \- POST\-\1\- Got login request with identifier: \{u'type': u'm.id.user', u'user'\: u'(.+?)'\}, medium\: None, address: None, user\: u'\5'%(__synapse_start_line)s WARNING \- \- (Attempted to login as @\5\:.+ but they do not exist|Failed password login for user @\5\:.+)$ +# +# ignoreregex = +# +# To validate your regex you can test with this command: +# fail2ban-regex /var/log/YOUR_LOG_FILE_PATH /etc/fail2ban/filter.d/YOUR_APP.conf +ynh_add_fail2ban_config () { + local others_var=${1:-} + + finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf" + finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf" + ynh_backup_if_checksum_is_different "$finalfail2banjailconf" + ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" + + cp ../conf/f2b_jail.conf $finalfail2banjailconf + cp ../conf/f2b_filter.conf $finalfail2banfilterconf + + if test -n "${app:-}"; then + ynh_replace_string "__APP__" "$app" "$finalfail2banjailconf" + ynh_replace_string "__APP__" "$app" "$finalfail2banfilterconf" + fi + + # Replace all other variable given as arguments + for var_to_replace in $others_var; do + # ${var_to_replace^^} make the content of the variable on upper-cases + # ${!var_to_replace} get the content of the variable named $var_to_replace + ynh_replace_string --match_string="__${var_to_replace^^}__" --replace_string="${!var_to_replace}" --target_file="$finalfail2banjailconf" + ynh_replace_string --match_string="__${var_to_replace^^}__" --replace_string="${!var_to_replace}" --target_file="$finalfail2banfilterconf" + done + + ynh_store_file_checksum "$finalfail2banjailconf" + ynh_store_file_checksum "$finalfail2banfilterconf" + + systemctl try-reload-or-restart fail2ban + + local fail2ban_error="$(journalctl -u fail2ban | tail -n50 | grep "WARNING.*$app.*")" + if [[ -n "$fail2ban_error" ]]; then + echo "[ERR] Fail2ban failed to load the jail for $app" >&2 + echo "WARNING${fail2ban_error#*WARNING}" >&2 + fi +} + +# Remove the dedicated fail2ban config (jail and filter conf files) +# +# usage: ynh_remove_fail2ban_config +ynh_remove_fail2ban_config () { + ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf" + ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf" + systemctl try-reload-or-restart fail2ban +} diff --git a/scripts/install b/scripts/install index b2ced0e..3ece083 100644 --- a/scripts/install +++ b/scripts/install @@ -347,6 +347,15 @@ yunohost service add coturn-$app systemctl restart coturn-$app.service ynh_check_starting "Synapse now listening on TCP port $synapse_tls_port" "/var/log/matrix-$app/homeserver.log" 300 "matrix-$app" +#================================================= +# SETUP FAIL2BAN +#================================================= + +# WARNING : theses command are used in INSTALL, UPGRADE +# For any update do it in all files + +ynh_add_fail2ban_config + #================================================= # SEND A README FOR THE ADMIN #================================================= diff --git a/scripts/remove b/scripts/remove index e3cbf9a..01dcc21 100755 --- a/scripts/remove +++ b/scripts/remove @@ -101,6 +101,12 @@ ynh_psql_remove_db $synapse_db_name $synapse_db_user ynh_system_user_delete $synapse_user +#================================================= +# REMOVE FAIL2BAN CONFIG +#================================================= + +ynh_remove_fail2ban_config $synapse_user + #================================================= # REMOVE LOGROTATE CONFIGURATION #================================================= diff --git a/scripts/restore b/scripts/restore index 46da1bd..8b940dc 100644 --- a/scripts/restore +++ b/scripts/restore @@ -211,6 +211,12 @@ systemctl reload nginx.service systemctl restart coturn-$app.service ynh_check_starting "Synapse now listening on TCP port $synapse_tls_port" "/var/log/matrix-$app/homeserver.log" 300 "matrix-$app" +#================================================= +# SETUP FAIL2BAN +#================================================= + +systemctl try-reload-or-restart fail2ban + #================================================= # SEND A README FOR THE ADMIN #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 503b310..269976c 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -304,6 +304,15 @@ ynh_add_systemd_config matrix-$app matrix-synapse.service cp ../conf/default_coturn /etc/default/coturn-$app ynh_add_systemd_config coturn-$app coturn-synapse.service +#================================================= +# SETUP FAIL2BAN +#================================================= + +# WARNING : theses command are used in INSTALL, UPGRADE +# For any update do it in all files + +ynh_add_fail2ban_config + #================================================= # GENERIC FINALIZATION #=================================================