1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/synapse_ynh.git synced 2024-09-03 20:26:38 +02:00

Add fail2ban

This commit is contained in:
Josué Tille 2019-02-12 21:24:25 +01:00 committed by Josue-T
parent b05127cbaf
commit b9faec521c
8 changed files with 153 additions and 1 deletions

14
conf/f2b_filter.conf Normal file
View file

@ -0,0 +1,14 @@
[INCLUDES]
before = common.conf
[Definition]
# Part of regex definition (just used to make more easy to make the global regex)
__synapse_start_line = .? \- synapse\..+ \-
# Regex definition.
failregex = ^%(__synapse_start_line)s INFO \- POST\-(\d+)\- <HOST> \- \d+ \- Received request\: POST /_matrix/client/r0/login\??<SKIPLINES>%(__synapse_start_line)s INFO \- POST\-\1\- Got login request with identifier: \{('type': 'm.id.user'(, )?|'user'\: '(.+?)'(, )?){2}\}, medium\: None, address: None, user\: '\7'<SKIPLINES>%(__synapse_start_line)s WARNING \- \- (Attempted to login as @\7\:.+ but they do not exist|Failed password login for user @\7\:.+)$
ignoreregex =
[Init]
maxlines = 20

6
conf/f2b_jail.conf Normal file
View file

@ -0,0 +1,6 @@
[__APP__]
enabled = true
port = http,https
filter = __APP__
logpath = /var/log/matrix-__APP__/homeserver.log
maxretry = 3

View file

@ -79,3 +79,10 @@ ynh_psql_dump_db "$synapse_db_name" > ${YNH_CWD}/dump.sql
#================================================= #=================================================
ynh_backup "/var/log/matrix-$app" ynh_backup "/var/log/matrix-$app"
#=================================================
# BACKUP FAIL2BAN CONFIG
#=================================================
ynh_backup "/etc/fail2ban/jail.d/$app.conf"
ynh_backup "/etc/fail2ban/filter.d/$app.conf"

View file

@ -145,3 +145,98 @@ $(yunohost tools diagnosis | grep -B 100 "services:" | sed '/services:/d')"
# Send the email to the recipients # Send the email to the recipients
echo "$mail_message" | $mail_bin -a "Content-Type: text/plain; charset=UTF-8" -s "$mail_subject" "$recipients" echo "$mail_message" | $mail_bin -a "Content-Type: text/plain; charset=UTF-8" -s "$mail_subject" "$recipients"
} }
# Create a dedicated fail2ban config (jail and filter conf files)
#
# usage: ynh_add_fail2ban_config "list of others variables to replace"
#
# | arg: list of others variables to replace separeted by a space
# | for example : 'var_1 var_2 ...'
#
# This will use a template in ../conf/f2b_jail.conf and ../conf/f2b_filter.conf
# __APP__ by $app
#
# You can dynamically replace others variables by example :
# __VAR_1__ by $var_1
# __VAR_2__ by $var_2
#
# Note about the "failregex" option:
# regex to match the password failure messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
#
# You can find some more explainations about how to make a regex here :
# https://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Filters
#
# Note that the logfile need to exist before to call this helper !!
#
# Generally your template will look like that by example (for synapse):
#
# f2b_jail.conf:
# [__APP__]
# enabled = true
# port = http,https
# filter = __APP__
# logpath = /var/log/__APP__/logfile.log
# maxretry = 3
#
# f2b_filter.conf:
# [INCLUDES]
# before = common.conf
# [Definition]
#
# # Part of regex definition (just used to make more easy to make the global regex)
# __synapse_start_line = .? \- synapse\..+ \-
#
# # Regex definition.
# failregex = ^%(__synapse_start_line)s INFO \- POST\-(\d+)\- <HOST> \- \d+ \- Received request\: POST /_matrix/client/r0/login\??<SKIPLINES>%(__synapse_start_line)s INFO \- POST\-\1\- Got login request with identifier: \{u'type': u'm.id.user', u'user'\: u'(.+?)'\}, medium\: None, address: None, user\: u'\5'<SKIPLINES>%(__synapse_start_line)s WARNING \- \- (Attempted to login as @\5\:.+ but they do not exist|Failed password login for user @\5\:.+)$
#
# ignoreregex =
#
# To validate your regex you can test with this command:
# fail2ban-regex /var/log/YOUR_LOG_FILE_PATH /etc/fail2ban/filter.d/YOUR_APP.conf
ynh_add_fail2ban_config () {
local others_var=${1:-}
finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
ynh_backup_if_checksum_is_different "$finalfail2banjailconf"
ynh_backup_if_checksum_is_different "$finalfail2banfilterconf"
cp ../conf/f2b_jail.conf $finalfail2banjailconf
cp ../conf/f2b_filter.conf $finalfail2banfilterconf
if test -n "${app:-}"; then
ynh_replace_string "__APP__" "$app" "$finalfail2banjailconf"
ynh_replace_string "__APP__" "$app" "$finalfail2banfilterconf"
fi
# Replace all other variable given as arguments
for var_to_replace in $others_var; do
# ${var_to_replace^^} make the content of the variable on upper-cases
# ${!var_to_replace} get the content of the variable named $var_to_replace
ynh_replace_string --match_string="__${var_to_replace^^}__" --replace_string="${!var_to_replace}" --target_file="$finalfail2banjailconf"
ynh_replace_string --match_string="__${var_to_replace^^}__" --replace_string="${!var_to_replace}" --target_file="$finalfail2banfilterconf"
done
ynh_store_file_checksum "$finalfail2banjailconf"
ynh_store_file_checksum "$finalfail2banfilterconf"
systemctl try-reload-or-restart fail2ban
local fail2ban_error="$(journalctl -u fail2ban | tail -n50 | grep "WARNING.*$app.*")"
if [[ -n "$fail2ban_error" ]]; then
echo "[ERR] Fail2ban failed to load the jail for $app" >&2
echo "WARNING${fail2ban_error#*WARNING}" >&2
fi
}
# Remove the dedicated fail2ban config (jail and filter conf files)
#
# usage: ynh_remove_fail2ban_config
ynh_remove_fail2ban_config () {
ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
systemctl try-reload-or-restart fail2ban
}

View file

@ -347,6 +347,15 @@ yunohost service add coturn-$app
systemctl restart coturn-$app.service systemctl restart coturn-$app.service
ynh_check_starting "Synapse now listening on TCP port $synapse_tls_port" "/var/log/matrix-$app/homeserver.log" 300 "matrix-$app" ynh_check_starting "Synapse now listening on TCP port $synapse_tls_port" "/var/log/matrix-$app/homeserver.log" 300 "matrix-$app"
#=================================================
# SETUP FAIL2BAN
#=================================================
# WARNING : theses command are used in INSTALL, UPGRADE
# For any update do it in all files
ynh_add_fail2ban_config
#================================================= #=================================================
# SEND A README FOR THE ADMIN # SEND A README FOR THE ADMIN
#================================================= #=================================================

View file

@ -101,6 +101,12 @@ ynh_psql_remove_db $synapse_db_name $synapse_db_user
ynh_system_user_delete $synapse_user ynh_system_user_delete $synapse_user
#=================================================
# REMOVE FAIL2BAN CONFIG
#=================================================
ynh_remove_fail2ban_config $synapse_user
#================================================= #=================================================
# REMOVE LOGROTATE CONFIGURATION # REMOVE LOGROTATE CONFIGURATION
#================================================= #=================================================

View file

@ -211,6 +211,12 @@ systemctl reload nginx.service
systemctl restart coturn-$app.service systemctl restart coturn-$app.service
ynh_check_starting "Synapse now listening on TCP port $synapse_tls_port" "/var/log/matrix-$app/homeserver.log" 300 "matrix-$app" ynh_check_starting "Synapse now listening on TCP port $synapse_tls_port" "/var/log/matrix-$app/homeserver.log" 300 "matrix-$app"
#=================================================
# SETUP FAIL2BAN
#=================================================
systemctl try-reload-or-restart fail2ban
#================================================= #=================================================
# SEND A README FOR THE ADMIN # SEND A README FOR THE ADMIN
#================================================= #=================================================

View file

@ -304,6 +304,15 @@ ynh_add_systemd_config matrix-$app matrix-synapse.service
cp ../conf/default_coturn /etc/default/coturn-$app cp ../conf/default_coturn /etc/default/coturn-$app
ynh_add_systemd_config coturn-$app coturn-synapse.service ynh_add_systemd_config coturn-$app coturn-synapse.service
#=================================================
# SETUP FAIL2BAN
#=================================================
# WARNING : theses command are used in INSTALL, UPGRADE
# For any update do it in all files
ynh_add_fail2ban_config
#================================================= #=================================================
# GENERIC FINALIZATION # GENERIC FINALIZATION
#================================================= #=================================================