From ae76c986122d4f65b83ef102395eda64dea5e4f3 Mon Sep 17 00:00:00 2001 From: lapineige Date: Wed, 8 May 2019 17:01:54 +0200 Subject: [PATCH] Add Fail2ban support (#65) * Readme: Add welcome UI screenshoot It's always nice to have a quick look at the UI of the software you're going to install :) * Testing (#56) * Fix 413 request entity too large (#55) * [fix] 413 Request Entity Too Large * Remove ini file for php (#57) Have a look to YunoHost-Apps/nextcloud_ynh#138 for more information * Add fail2ban config * Add Fail2ban config removal helper * Enhance fail2ban config look * Add fail2ban backup * Restore fail2ban config * Add fail2ban config during upgrade To make sure any older version will get fail2ban support * Update minimum version to 3.5 This is needed for fail2ban helpers * Add fail2ban info * Fail2ban: Fix missing log file during install * Fix feil2ban regex * Fix fail2ban regex - 2 * Use ynh_systemd_action * Use long getopts arguments * Fix duplicated comment and remove blank space * Fix fail2ban regex in upgrade script * Improve regex - install This allow empty username (not possible, but may still block some extra brute force spammers) and username with spaces * Improve regex - upgrade This allow empty username (not possible, but may still block some extra brute force spammers) and username with spaces * Fix missing log file for fail2ban * Indentation and variable usage --- README.md | 6 +++++- manifest.json | 2 +- scripts/backup | 7 +++++++ scripts/install | 12 ++++++++++++ scripts/remove | 8 +++++++- scripts/restore | 8 ++++++++ scripts/upgrade | 13 ++++++++++++- 7 files changed, 52 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 38cf006..9df955c 100644 --- a/README.md +++ b/README.md 
@@ -3,6 +3,9 @@ This is a Wallabag v2 package for YunoHost. +![wallabag start screen](https://www.linuxbabe.com/wp-content/uploads/2016/10/wallabag-quick-start-page.png) + + --- **NB: Since @jeromelebleu is no longer maintaining this package, I (@lapineige) take over this repository. But I have limited time and experience, so feel free to help !** @@ -26,6 +29,7 @@ this package: * Integrate with YunoHost users and SSO - i.e. logout button * Allow one user to be the administrator (set at the installation) * Asynchronous import using Redis (need to be enabled in the *Internal Settings*). RabbitMQ import not supported (yet ?) + * Supports fail2ban - protects you from password brute force attacks. ## Known issue(s) - Removing a Yunohost's user won't delete the related wallabag user, but only desactivate it. You need to manualy remove it from wallabag before. See: https://github.com/YunoHost-Apps/wallabag2_ynh/issues/39 @@ -45,7 +49,7 @@ For the migration process, please refer to the * YunoHost website: https://yunohost.org/ * [Video demo](https://player.vimeo.com/video/167435064) - +--- --- Wallabag pour Yunohost - [Version Française] --- diff --git a/manifest.json b/manifest.json index f51b0de..30bcb9e 100644 --- a/manifest.json +++ b/manifest.json @@ -15,7 +15,7 @@ }, "multi_instance": true, "requirements": { - "yunohost": ">= 2.7.12" + "yunohost": ">= 3.5.0" }, "services": [ "nginx", diff --git a/scripts/backup b/scripts/backup index 0d42f42..a607aa6 100644 --- a/scripts/backup +++ b/scripts/backup @@ -52,3 +52,10 @@ ynh_backup "/etc/php5/fpm/pool.d/$app.conf" ynh_mysql_dump_db "$db_name" > db.sql CHECK_SIZE "db.sql" + +#================================================= +# BACKUP FAIL2BAN CONFIGURATION +#================================================= + +ynh_backup "/etc/fail2ban/jail.d/$app.conf" +ynh_backup "/etc/fail2ban/filter.d/$app.conf" diff --git a/scripts/install b/scripts/install index 93fc374..af7c450 100644 --- a/scripts/install +++ b/scripts/install 
@@ -130,6 +130,18 @@ exec_console $app "$final_path" fos:user:promote --super "$admin" # Configure Wallabag instance URL ynh_mysql_connect_as "$db_name" "$db_pwd" "$db_user" <<< "UPDATE craue_config_setting SET value = 'https://$domain$path_url' WHERE name = 'wallabag_url'" +#================================================= +# CONFIGURE FAIL2BAN +#================================================= + +# Create the log file is not already existing during install +mkdir -p "/var/www/$app/var/logs/" +touch "/var/www/$app/var/logs/prod.log" +chown $app: "/var/www/$app/var/logs/prod.log" +# Add fail2ban config +ynh_add_fail2ban_config --logpath="/var/www/$app/var/logs/prod.log" --failregex='app.ERROR: Authentication failure for user "([\w]+)?", from IP ""' --max_retry=5 + + #================================================= # NGINX CONFIGURATION #================================================= diff --git a/scripts/remove b/scripts/remove index 4a4ae81..174210a 100644 --- a/scripts/remove +++ b/scripts/remove @@ -55,8 +55,14 @@ ynh_remove_nginx_config systemctl restart php5-fpm systemctl reload nginx +#================================================= +# REMOVE FAIL2BAN CONFIGURATION +#================================================= + +ynh_remove_fail2ban_config + #================================================= # REMOVE DEDICATED USER #================================================= -ynh_system_user_delete $app \ No newline at end of file +ynh_system_user_delete $app diff --git a/scripts/restore b/scripts/restore index 3e82943..44bc1c8 100644 --- a/scripts/restore +++ b/scripts/restore 
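Review bot: As rendered here, the `--failregex` passed to `ynh_add_fail2ban_config` ends in `from IP ""` with nothing between the quotes. fail2ban takes the address to ban from a `<HOST>` tag (or a named host group) in the pattern, so unless the tag was only lost when this page was rendered, the filter cannot identify an offender. The user-name group `([\w]+)?` also matches word characters only, so failed logins for names containing a space, `@`, `.` or `-` are never counted, which contradicts the commit message's "username with spaces". I would write the option as `--failregex='app.ERROR: Authentication failure for user "[^"]*", from IP "<HOST>"'`; because the user name is client-supplied text that precedes the address, check it against the exact line the application logs and anchor it to the end of that line if possible. The same option is repeated in the scripts/upgrade hunk and needs the same change.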
@@ -76,6 +76,14 @@ ynh_system_user_create $app # Recreate the dedicated user, if not existing chown -R $app: $final_path +#================================================= +# RESTORE FAIL2BAN CONFIGURATION +#================================================= +ynh_restore_file "/etc/fail2ban/jail.d/$app.conf" +ynh_restore_file "/etc/fail2ban/filter.d/$app.conf" + +ynh_systemd_action --action=reload --service_name=fail2ban # Reload instead of restart for better performance + #================================================= # RESTORE PHP-FPM CONFIGURATION #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index 6810d90..e66cb6e 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -113,6 +113,17 @@ exec_console $app "${final_path}" cache:clear # Configure Wallabag instance URL ynh_mysql_connect_as "$db_name" "$db_pwd" "$db_user" <<< "UPDATE craue_config_setting SET value = 'https://$domain$path_url' WHERE name = 'wallabag_url'" +# Set-up fail2ban +# Create the log file is not already existing +if [ ! -f "$final_path/var/logs/prod.log" ] +then + mkdir -p "$final_path/var/logs/" + touch "$final_path/var/logs/prod.log" + chown $app: "$final_path/var/logs/prod.log" +fi +# Add fail2ban config +ynh_add_fail2ban_config --logpath="$final_path/var/logs/prod.log" --failregex='app.ERROR: Authentication failure for user "([\w]+)?", from IP ""' --max_retry=5 # same as install config + #================================================= # NGINX CONFIGURATION #================================================= @@ -139,4 +150,4 @@ ynh_app_setting_set "$app" unprotected_uris "/" # RELOAD NGINX #================================================= systemctl restart php5-fpm -systemctl reload nginx \ No newline at end of file +systemctl reload nginx
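Review bot: The fail2ban reload in this hunk runs without first making sure the jail's log file exists, which the install and upgrade hunks both do before adding the config. The restored `jail.d/$app.conf` presumably points at `$final_path/var/logs/prod.log`, and whether the backup contains that file is not visible here. If it is absent, fail2ban may reject the jail or the reload for a missing logpath, and the commit message's "Fix missing log file during install" suggests this was already hit once. Before the `ynh_systemd_action` line I would add `mkdir -p "$final_path/var/logs"`, `touch "$final_path/var/logs/prod.log"` and `chown $app: "$final_path/var/logs/prod.log"`; the chown is needed because the recursive chown of `$final_path` has already run above.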
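Review bot: `mkdir -p` and `touch` in the scripts/upgrade hunk run with the script's own user and umask, and only `prod.log` is handed to `$app` afterwards. A `var/logs/` directory created here may therefore stay owned by the user running the script, and the log, which records user names and client addresses of failed logins, may be left world-readable. I would chown the directory as well and set the mode explicitly, e.g. `chown $app: "$final_path/var/logs"` and `chmod 640 "$final_path/var/logs/prod.log"`, unless a later recursive chown outside this hunk already covers it. The install hunk repeats the same three commands with `/var/www/$app` hard-coded instead of `$final_path`, so it should use `$final_path` too to keep the two copies from drifting.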