mirror of
https://github.com/YunoHost-Apps/synapse_ynh.git
synced 2024-09-03 20:26:38 +02:00
Add fail2ban
This commit is contained in:
parent
b05127cbaf
commit
b9faec521c
8 changed files with 153 additions and 1 deletions
14
conf/f2b_filter.conf
Normal file
14
conf/f2b_filter.conf
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
[INCLUDES]
|
||||||
|
before = common.conf
|
||||||
|
[Definition]
|
||||||
|
|
||||||
|
# Part of regex definition (just used to make more easy to make the global regex)
|
||||||
|
__synapse_start_line = .? \- synapse\..+ \-
|
||||||
|
|
||||||
|
# Regex definition.
|
||||||
|
failregex = ^%(__synapse_start_line)s INFO \- POST\-(\d+)\- <HOST> \- \d+ \- Received request\: POST /_matrix/client/r0/login\??<SKIPLINES>%(__synapse_start_line)s INFO \- POST\-\1\- Got login request with identifier: \{('type': 'm.id.user'(, )?|'user'\: '(.+?)'(, )?){2}\}, medium\: None, address: None, user\: '\7'<SKIPLINES>%(__synapse_start_line)s WARNING \- \- (Attempted to login as @\7\:.+ but they do not exist|Failed password login for user @\7\:.+)$
|
||||||
|
ignoreregex =
|
||||||
|
|
||||||
|
[Init]
|
||||||
|
|
||||||
|
maxlines = 20
|
6
conf/f2b_jail.conf
Normal file
6
conf/f2b_jail.conf
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
[__APP__]
|
||||||
|
enabled = true
|
||||||
|
port = http,https
|
||||||
|
filter = __APP__
|
||||||
|
logpath = /var/log/matrix-__APP__/homeserver.log
|
||||||
|
maxretry = 3
|
|
@ -79,3 +79,10 @@ ynh_psql_dump_db "$synapse_db_name" > ${YNH_CWD}/dump.sql
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
ynh_backup "/var/log/matrix-$app"
|
ynh_backup "/var/log/matrix-$app"
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# BACKUP FAIL2BAN CONFIG
|
||||||
|
#=================================================
|
||||||
|
|
||||||
|
ynh_backup "/etc/fail2ban/jail.d/$app.conf"
|
||||||
|
ynh_backup "/etc/fail2ban/filter.d/$app.conf"
|
||||||
|
|
|
@ -145,3 +145,98 @@ $(yunohost tools diagnosis | grep -B 100 "services:" | sed '/services:/d')"
|
||||||
# Send the email to the recipients
|
# Send the email to the recipients
|
||||||
echo "$mail_message" | $mail_bin -a "Content-Type: text/plain; charset=UTF-8" -s "$mail_subject" "$recipients"
|
echo "$mail_message" | $mail_bin -a "Content-Type: text/plain; charset=UTF-8" -s "$mail_subject" "$recipients"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Create a dedicated fail2ban config (jail and filter conf files)
|
||||||
|
#
|
||||||
|
# usage: ynh_add_fail2ban_config "list of others variables to replace"
|
||||||
|
#
|
||||||
|
# | arg: list of others variables to replace separeted by a space
|
||||||
|
# | for example : 'var_1 var_2 ...'
|
||||||
|
#
|
||||||
|
# This will use a template in ../conf/f2b_jail.conf and ../conf/f2b_filter.conf
|
||||||
|
# __APP__ by $app
|
||||||
|
#
|
||||||
|
# You can dynamically replace others variables by example :
|
||||||
|
# __VAR_1__ by $var_1
|
||||||
|
# __VAR_2__ by $var_2
|
||||||
|
#
|
||||||
|
# Note about the "failregex" option:
|
||||||
|
# regex to match the password failure messages in the logfile. The
|
||||||
|
# host must be matched by a group named "host". The tag "<HOST>" can
|
||||||
|
# be used for standard IP/hostname matching and is only an alias for
|
||||||
|
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
|
||||||
|
#
|
||||||
|
# You can find some more explainations about how to make a regex here :
|
||||||
|
# https://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Filters
|
||||||
|
#
|
||||||
|
# Note that the logfile need to exist before to call this helper !!
|
||||||
|
#
|
||||||
|
# Generally your template will look like that by example (for synapse):
|
||||||
|
#
|
||||||
|
# f2b_jail.conf:
|
||||||
|
# [__APP__]
|
||||||
|
# enabled = true
|
||||||
|
# port = http,https
|
||||||
|
# filter = __APP__
|
||||||
|
# logpath = /var/log/__APP__/logfile.log
|
||||||
|
# maxretry = 3
|
||||||
|
#
|
||||||
|
# f2b_filter.conf:
|
||||||
|
# [INCLUDES]
|
||||||
|
# before = common.conf
|
||||||
|
# [Definition]
|
||||||
|
#
|
||||||
|
# # Part of regex definition (just used to make more easy to make the global regex)
|
||||||
|
# __synapse_start_line = .? \- synapse\..+ \-
|
||||||
|
#
|
||||||
|
# # Regex definition.
|
||||||
|
# failregex = ^%(__synapse_start_line)s INFO \- POST\-(\d+)\- <HOST> \- \d+ \- Received request\: POST /_matrix/client/r0/login\??<SKIPLINES>%(__synapse_start_line)s INFO \- POST\-\1\- Got login request with identifier: \{u'type': u'm.id.user', u'user'\: u'(.+?)'\}, medium\: None, address: None, user\: u'\5'<SKIPLINES>%(__synapse_start_line)s WARNING \- \- (Attempted to login as @\5\:.+ but they do not exist|Failed password login for user @\5\:.+)$
|
||||||
|
#
|
||||||
|
# ignoreregex =
|
||||||
|
#
|
||||||
|
# To validate your regex you can test with this command:
|
||||||
|
# fail2ban-regex /var/log/YOUR_LOG_FILE_PATH /etc/fail2ban/filter.d/YOUR_APP.conf
|
||||||
|
ynh_add_fail2ban_config () {
|
||||||
|
local others_var=${1:-}
|
||||||
|
|
||||||
|
finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
|
||||||
|
finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
|
||||||
|
ynh_backup_if_checksum_is_different "$finalfail2banjailconf"
|
||||||
|
ynh_backup_if_checksum_is_different "$finalfail2banfilterconf"
|
||||||
|
|
||||||
|
cp ../conf/f2b_jail.conf $finalfail2banjailconf
|
||||||
|
cp ../conf/f2b_filter.conf $finalfail2banfilterconf
|
||||||
|
|
||||||
|
if test -n "${app:-}"; then
|
||||||
|
ynh_replace_string "__APP__" "$app" "$finalfail2banjailconf"
|
||||||
|
ynh_replace_string "__APP__" "$app" "$finalfail2banfilterconf"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Replace all other variable given as arguments
|
||||||
|
for var_to_replace in $others_var; do
|
||||||
|
# ${var_to_replace^^} make the content of the variable on upper-cases
|
||||||
|
# ${!var_to_replace} get the content of the variable named $var_to_replace
|
||||||
|
ynh_replace_string --match_string="__${var_to_replace^^}__" --replace_string="${!var_to_replace}" --target_file="$finalfail2banjailconf"
|
||||||
|
ynh_replace_string --match_string="__${var_to_replace^^}__" --replace_string="${!var_to_replace}" --target_file="$finalfail2banfilterconf"
|
||||||
|
done
|
||||||
|
|
||||||
|
ynh_store_file_checksum "$finalfail2banjailconf"
|
||||||
|
ynh_store_file_checksum "$finalfail2banfilterconf"
|
||||||
|
|
||||||
|
systemctl try-reload-or-restart fail2ban
|
||||||
|
|
||||||
|
local fail2ban_error="$(journalctl -u fail2ban | tail -n50 | grep "WARNING.*$app.*")"
|
||||||
|
if [[ -n "$fail2ban_error" ]]; then
|
||||||
|
echo "[ERR] Fail2ban failed to load the jail for $app" >&2
|
||||||
|
echo "WARNING${fail2ban_error#*WARNING}" >&2
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Remove the dedicated fail2ban config (jail and filter conf files)
|
||||||
|
#
|
||||||
|
# usage: ynh_remove_fail2ban_config
|
||||||
|
ynh_remove_fail2ban_config () {
|
||||||
|
ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
|
||||||
|
ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
|
||||||
|
systemctl try-reload-or-restart fail2ban
|
||||||
|
}
|
||||||
|
|
|
@ -347,6 +347,15 @@ yunohost service add coturn-$app
|
||||||
systemctl restart coturn-$app.service
|
systemctl restart coturn-$app.service
|
||||||
ynh_check_starting "Synapse now listening on TCP port $synapse_tls_port" "/var/log/matrix-$app/homeserver.log" 300 "matrix-$app"
|
ynh_check_starting "Synapse now listening on TCP port $synapse_tls_port" "/var/log/matrix-$app/homeserver.log" 300 "matrix-$app"
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# SETUP FAIL2BAN
|
||||||
|
#=================================================
|
||||||
|
|
||||||
|
# WARNING : theses command are used in INSTALL, UPGRADE
|
||||||
|
# For any update do it in all files
|
||||||
|
|
||||||
|
ynh_add_fail2ban_config
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# SEND A README FOR THE ADMIN
|
# SEND A README FOR THE ADMIN
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
|
@ -101,6 +101,12 @@ ynh_psql_remove_db $synapse_db_name $synapse_db_user
|
||||||
|
|
||||||
ynh_system_user_delete $synapse_user
|
ynh_system_user_delete $synapse_user
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# REMOVE FAIL2BAN CONFIG
|
||||||
|
#=================================================
|
||||||
|
|
||||||
|
ynh_remove_fail2ban_config $synapse_user
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# REMOVE LOGROTATE CONFIGURATION
|
# REMOVE LOGROTATE CONFIGURATION
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
|
@ -211,6 +211,12 @@ systemctl reload nginx.service
|
||||||
systemctl restart coturn-$app.service
|
systemctl restart coturn-$app.service
|
||||||
ynh_check_starting "Synapse now listening on TCP port $synapse_tls_port" "/var/log/matrix-$app/homeserver.log" 300 "matrix-$app"
|
ynh_check_starting "Synapse now listening on TCP port $synapse_tls_port" "/var/log/matrix-$app/homeserver.log" 300 "matrix-$app"
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# SETUP FAIL2BAN
|
||||||
|
#=================================================
|
||||||
|
|
||||||
|
systemctl try-reload-or-restart fail2ban
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# SEND A README FOR THE ADMIN
|
# SEND A README FOR THE ADMIN
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
|
@ -304,6 +304,15 @@ ynh_add_systemd_config matrix-$app matrix-synapse.service
|
||||||
cp ../conf/default_coturn /etc/default/coturn-$app
|
cp ../conf/default_coturn /etc/default/coturn-$app
|
||||||
ynh_add_systemd_config coturn-$app coturn-synapse.service
|
ynh_add_systemd_config coturn-$app coturn-synapse.service
|
||||||
|
|
||||||
|
#=================================================
|
||||||
|
# SETUP FAIL2BAN
|
||||||
|
#=================================================
|
||||||
|
|
||||||
|
# WARNING : theses command are used in INSTALL, UPGRADE
|
||||||
|
# For any update do it in all files
|
||||||
|
|
||||||
|
ynh_add_fail2ban_config
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# GENERIC FINALIZATION
|
# GENERIC FINALIZATION
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
Loading…
Reference in a new issue