mirror of https://github.com/YunoHost-Apps/wallabag2_ynh.git synced 2024-10-01 13:35:06 +02:00

Add Fail2ban support (#65)

* Readme: Add welcome UI screenshot

It's always nice to have a quick look at the UI of the software you're going to install :)

* Testing (#56)

* Fix 413 request entity too large (#55)

* [fix] 413 Request Entity Too Large

* Remove ini file for php (#57)

Have a look at YunoHost-Apps/nextcloud_ynh#138 for more information

* Add fail2ban config

* Add Fail2ban config removal helper

* Enhance fail2ban config look

* Add fail2ban backup

* Restore fail2ban config

* Add fail2ban config during upgrade

To make sure any older version will get fail2ban support

* Update minimum version to 3.5

This is needed for fail2ban helpers

* Add fail2ban info

* Fail2ban: Fix missing log file during install

* Fix fail2ban regex

* Fix fail2ban regex - 2

* Use ynh_systemd_action

* Use long getopts arguments

* Fix duplicated comment and remove blank space

* Fix fail2ban regex in upgrade script

* Improve regex - install

This allows an empty username (not possible, but may still block some extra brute force spammers) and usernames with spaces

* Improve regex - upgrade

This allows an empty username (not possible, but may still block some extra brute force spammers) and usernames with spaces

* Fix missing log file for fail2ban

* Indentation and variable usage
lapineige 2019-05-08 17:01:54 +02:00 committed by GitHub
parent afadf3c74c
commit ae76c98612
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 52 additions and 4 deletions

View file

@ -3,6 +3,9 @@
This is a Wallabag v2 package for YunoHost.
![wallabag start screen](https://www.linuxbabe.com/wp-content/uploads/2016/10/wallabag-quick-start-page.png)
---
**NB: Since @jeromelebleu is no longer maintaining this package, I (@lapineige) take over this repository. But I have limited time and experience, so feel free to help !**
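Review bot: The screenshot added at the top of the README is loaded from a third-party site (`www.linuxbabe.com/wp-content/uploads/...`), so the README depends on that host keeping the file in place, and every view of the page makes a request to it. Committing the image to this repository and linking it with a relative path would avoid both.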
@ -26,6 +29,7 @@ this package:
* Integrate with YunoHost users and SSO - i.e. logout button
* Allow one user to be the administrator (set at the installation)
* Asynchronous import using Redis (need to be enabled in the *Internal Settings*). RabbitMQ import not supported (yet ?)
* Supports fail2ban - protects you from password brute force attacks.
## Known issue(s)
- Removing a Yunohost's user won't delete the related wallabag user, but only desactivate it. You need to manualy remove it from wallabag before. See: https://github.com/YunoHost-Apps/wallabag2_ynh/issues/39
@ -45,7 +49,7 @@ For the migration process, please refer to the
* YunoHost website: https://yunohost.org/
* [Video demo](https://player.vimeo.com/video/167435064)
---
---
Wallabag pour Yunohost - [Version Française]
---

View file

@ -15,7 +15,7 @@
},
"multi_instance": true,
"requirements": {
"yunohost": ">= 2.7.12"
"yunohost": ">= 3.5.0"
},
"services": [
"nginx",

View file

@ -52,3 +52,10 @@ ynh_backup "/etc/php5/fpm/pool.d/$app.conf"
ynh_mysql_dump_db "$db_name" > db.sql
CHECK_SIZE "db.sql"
#=================================================
# BACKUP FAIL2BAN CONFIGURATION
#=================================================
ynh_backup "/etc/fail2ban/jail.d/$app.conf"
ynh_backup "/etc/fail2ban/filter.d/$app.conf"
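Review bot: The two new `ynh_backup` calls assume `/etc/fail2ban/jail.d/$app.conf` and `/etc/fail2ban/filter.d/$app.conf` exist, but an instance installed before this change only gets them once the upgrade script has run. It is worth confirming that a backup of such an instance still completes when the files are absent, or guarding the two calls with an existence test.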

View file

@ -130,6 +130,18 @@ exec_console $app "$final_path" fos:user:promote --super "$admin"
# Configure Wallabag instance URL
ynh_mysql_connect_as "$db_name" "$db_pwd" "$db_user" <<< "UPDATE craue_config_setting SET value = 'https://$domain$path_url' WHERE name = 'wallabag_url'"
#=================================================
# CONFIGURE FAIL2BAN
#=================================================
# Create the log file is not already existing during install
mkdir -p "/var/www/$app/var/logs/"
touch "/var/www/$app/var/logs/prod.log"
chown $app: "/var/www/$app/var/logs/prod.log"
# Add fail2ban config
ynh_add_fail2ban_config --logpath="/var/www/$app/var/logs/prod.log" --failregex='app.ERROR: Authentication failure for user "([\w]+)?", from IP "<HOST>"' --max_retry=5
#=================================================
# NGINX CONFIGURATION
#=================================================
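Review bot: In the `--failregex` on the `ynh_add_fail2ban_config` line, the username group `([\w]+)?` matches only an empty name or word characters, so a failed login for a name containing a space (which the commit message says should be covered), a dot, a hyphen or an `@` is never counted towards `--max_retry=5`. If those are meant to be covered, a quoted-string match such as `"[^"]*"` for the username would do it while still stopping at the closing quote. On the same line, the `.` in `app.ERROR` is unescaped and the expression is not anchored, so it can match anywhere in a log line; because the username is supplied by the client, anchoring the expression to the fixed start of the message keeps other log text that merely contains this phrase from being counted as a failure for the quoted IP.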

View file

@ -55,8 +55,14 @@ ynh_remove_nginx_config
systemctl restart php5-fpm
systemctl reload nginx
#=================================================
# REMOVE FAIL2BAN CONFIGURATION
#=================================================
ynh_remove_fail2ban_config
#=================================================
# REMOVE DEDICATED USER
#=================================================
ynh_system_user_delete $app
ynh_system_user_delete $app

View file

@ -76,6 +76,14 @@ ynh_system_user_create $app # Recreate the dedicated user, if not existing
chown -R $app: $final_path
#=================================================
# RESTORE FAIL2BAN CONFIGURATION
#=================================================
ynh_restore_file "/etc/fail2ban/jail.d/$app.conf"
ynh_restore_file "/etc/fail2ban/filter.d/$app.conf"
ynh_systemd_action --action=reload --service_name=fail2ban # Reload instead of restart for better performance
#=================================================
# RESTORE PHP-FPM CONFIGURATION
#=================================================
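Review bot: `fail2ban` is reloaded right after the jail and filter are restored, but unlike the install and upgrade scripts nothing here makes sure the log file the jail points at exists. If the restored tree has no `var/logs/prod.log`, the reload runs with a jail whose log path is missing; adding the same create-if-missing step before the `ynh_systemd_action` line would keep the three scripts consistent. Also worth checking: a backup taken before this change contains neither of the two fail2ban files, so the `ynh_restore_file` calls need to tolerate their absence.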

View file

@ -113,6 +113,17 @@ exec_console $app "${final_path}" cache:clear
# Configure Wallabag instance URL
ynh_mysql_connect_as "$db_name" "$db_pwd" "$db_user" <<< "UPDATE craue_config_setting SET value = 'https://$domain$path_url' WHERE name = 'wallabag_url'"
# Set-up fail2ban
# Create the log file is not already existing
if [ ! -f "$final_path/var/logs/prod.log" ]
then
mkdir -p "$final_path/var/logs/"
touch "$final_path/var/logs/prod.log"
chown $app: "$final_path/var/logs/prod.log"
fi
# Add fail2ban config
ynh_add_fail2ban_config --logpath="$final_path/var/logs/prod.log" --failregex='app.ERROR: Authentication failure for user "([\w]+)?", from IP "<HOST>"' --max_retry=5 # same as install config
#=================================================
# NGINX CONFIGURATION
#=================================================
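Review bot: The `--failregex` string and `--max_retry=5` are copied by hand from the install script (the trailing comment says so), and the log path is built from `$final_path` here while install hard-codes `/var/www/$app/var/logs/prod.log`. The commit history above already shows the regex being fixed separately for install and upgrade, so defining the log path and the regex once in a shared variable used by both scripts would stop them drifting apart. The comment `Create the log file is not already existing` should also read "if not already existing".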
@ -139,4 +150,4 @@ ynh_app_setting_set "$app" unprotected_uris "/"
# RELOAD NGINX
#=================================================
systemctl restart php5-fpm
systemctl reload nginx
systemctl reload nginx