Add Fail2ban support (#65)

* Readme: Add welcome UI screenshoot It's always nice to have a quick look at the UI of the software you're going to install :) * Testing (#56) * Fix 413 request entity too large (#55) * [fix] 413 Request Entity Too Large * Remove ini file for php (#57) Have a look to YunoHost-Apps/nextcloud_ynh#138 for more information * Add fail2ban config * Add Fail2ban config removal helper * Enhance fail2ban config look * Add fail2ban backup * Restore fail2ban config * Add fail2ban config during upgrade To make sure any older version will get fail2ban support * Update minimum version to 3.5 This is needed for fail2ban helpers * Add fail2ban info * Fail2ban: Fix missing log file during install * Fix feil2ban regex * Fix fail2ban regex - 2 * Use ynh_systemd_action * Use long getopts arguments * Fix duplicated comment and remove blank space * Fix fail2ban regex in upgrade script * Improve regex - install This allow empty username (not possible, but may still block some extra brute force spammers) and username with spaces * Improve regex - upgrade This allow empty username (not possible, but may still block some extra brute force spammers) and username with spaces * Fix missing log file for fail2ban * Indentation and variable usage
2024-10-01 13:35:06 +02:00 · 2019-05-08 17:01:54 +02:00 · 2019-05-08 17:01:54 +02:00 · ae76c98612
commit ae76c98612
parent afadf3c74c
7 changed files with 52 additions and 4 deletions
--- a/README.md
+++ b/README.md
@ -3,6 +3,9 @@

 This is a Wallabag v2 package for YunoHost.

+![wallabag start screen](https://www.linuxbabe.com/wp-content/uploads/2016/10/wallabag-quick-start-page.png)
+
+
 ---

 **NB: Since @jeromelebleu is no longer maintaining this package, I (@lapineige) take over this repository. But I have limited time and experience, so feel free to help !**
@ -26,6 +29,7 @@ this package:
 * Integrate with YunoHost users and SSO - i.e. logout button
 * Allow one user to be the administrator (set at the installation)
 * Asynchronous import using Redis (need to be enabled in the *Internal Settings*). RabbitMQ import not supported (yet ?)
+ * Supports fail2ban - protects you from password brute force attacks.

 ## Known issue(s)
 - Removing a Yunohost's user won't delete the related wallabag user, but only desactivate it. You need to manualy remove it from wallabag before. See: https://github.com/YunoHost-Apps/wallabag2_ynh/issues/39
@ -45,7 +49,7 @@ For the migration process, please refer to the
 * YunoHost website: https://yunohost.org/
 * [Video demo](https://player.vimeo.com/video/167435064)
 
- 
+--- 
 ---
 Wallabag pour Yunohost - [Version Française]
 ---
--- a/manifest.json
+++ b/manifest.json
@ -15,7 +15,7 @@
    },
    "multi_instance": true,
    "requirements": {
-        "yunohost": ">= 2.7.12"
+        "yunohost": ">= 3.5.0"
    },
    "services": [
        "nginx",
--- a/scripts/backup
+++ b/scripts/backup
@ -52,3 +52,10 @@ ynh_backup "/etc/php5/fpm/pool.d/$app.conf"

 ynh_mysql_dump_db "$db_name" > db.sql
 CHECK_SIZE "db.sql"
+
+#=================================================
+# BACKUP FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_backup "/etc/fail2ban/jail.d/$app.conf"
+ynh_backup "/etc/fail2ban/filter.d/$app.conf"
--- a/scripts/install
+++ b/scripts/install
@ -130,6 +130,18 @@ exec_console $app "$final_path" fos:user:promote --super "$admin"
 # Configure Wallabag instance URL
 ynh_mysql_connect_as "$db_name" "$db_pwd" "$db_user"  <<< "UPDATE craue_config_setting SET value = 'https://$domain$path_url' WHERE name = 'wallabag_url'"

+#=================================================
+# CONFIGURE FAIL2BAN
+#=================================================
+
+# Create the log file is not already existing during install
+mkdir -p "/var/www/$app/var/logs/"
+touch "/var/www/$app/var/logs/prod.log"
+chown $app: "/var/www/$app/var/logs/prod.log"
+# Add fail2ban config
+ynh_add_fail2ban_config --logpath="/var/www/$app/var/logs/prod.log" --failregex='app.ERROR: Authentication failure for user "([\w]+)?", from IP "<HOST>"' --max_retry=5
+
+
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
--- a/scripts/remove
+++ b/scripts/remove
@ -55,8 +55,14 @@ ynh_remove_nginx_config
 systemctl restart php5-fpm
 systemctl reload nginx

+#=================================================
+# REMOVE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_remove_fail2ban_config
+
 #=================================================
 # REMOVE DEDICATED USER
 #=================================================

-ynh_system_user_delete $app
+ynh_system_user_delete $app
--- a/scripts/restore
+++ b/scripts/restore
@ -76,6 +76,14 @@ ynh_system_user_create $app	# Recreate the dedicated user, if not existing

 chown -R $app: $final_path

+#=================================================
+# RESTORE FAIL2BAN CONFIGURATION
+#=================================================
+ynh_restore_file "/etc/fail2ban/jail.d/$app.conf"
+ynh_restore_file "/etc/fail2ban/filter.d/$app.conf"
+
+ynh_systemd_action --action=reload --service_name=fail2ban # Reload instead of restart for better performance
+
 #=================================================
 # RESTORE PHP-FPM CONFIGURATION
 #=================================================
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -113,6 +113,17 @@ exec_console $app "${final_path}" cache:clear
 # Configure Wallabag instance URL
 ynh_mysql_connect_as "$db_name" "$db_pwd" "$db_user"  <<< "UPDATE craue_config_setting SET value = 'https://$domain$path_url' WHERE name = 'wallabag_url'"

+# Set-up fail2ban
+# Create the log file is not already existing
+if [ ! -f "$final_path/var/logs/prod.log" ]
+then
+  mkdir -p "$final_path/var/logs/"
+  touch "$final_path/var/logs/prod.log"
+  chown $app: "$final_path/var/logs/prod.log"
+fi
+# Add fail2ban config
+ynh_add_fail2ban_config --logpath="$final_path/var/logs/prod.log" --failregex='app.ERROR: Authentication failure for user "([\w]+)?", from IP "<HOST>"' --max_retry=5 # same as install config
+
 #=================================================
 # NGINX CONFIGURATION
 #=================================================
@ -139,4 +150,4 @@ ynh_app_setting_set "$app" unprotected_uris "/"
 # RELOAD NGINX
 #=================================================
 systemctl restart php5-fpm
-systemctl reload nginx
+systemctl reload nginx