mirror of
https://github.com/YunoHost-Apps/wordpress_ynh.git
synced 2024-09-03 20:36:10 +02:00
Add fail2ban
This commit is contained in:
Maniack Crudelis
parent
b3870bcfbc
commit
8cf157217e
6 changed files with 102 additions and 4 deletions
|
|
@ -49,3 +49,64 @@ ynh_delete_file_checksum () {
|
|||
local checksum_setting_name=checksum_${1//[\/ ]/_} # Replace all '/' and ' ' by '_'
|
||||
ynh_app_setting_delete $app $checksum_setting_name
|
||||
}
|
||||
|
||||
|
||||
#=================================================
|
||||
# EXPERIMENTAL HELPERS
|
||||
#=================================================
|
||||
|
||||
# Create a dedicated fail2ban config (jail and filter conf files)
|
||||
#
|
||||
# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]]
|
||||
# | arg: log_file - Log file to be checked by fail2ban
|
||||
# | arg: failregex - Failregex to be looked for by fail2ban
|
||||
# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3
|
||||
# | arg: ports - Ports blocked for a banned IP address - default: http,https
|
||||
ynh_add_fail2ban_config () {
|
||||
# Process parameters
|
||||
logpath=$1
|
||||
failregex=$2
|
||||
max_retry=${3:-3}
|
||||
ports=${4:-http,https}
|
||||
|
||||
test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
|
||||
test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
|
||||
|
||||
finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
|
||||
finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
|
||||
ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
|
||||
ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
|
||||
|
||||
sudo tee $finalfail2banjailconf <<EOF
|
||||
[$app]
|
||||
enabled = true
|
||||
port = $ports
|
||||
filter = $app
|
||||
logpath = $logpath
|
||||
maxretry = $max_retry"
|
||||
EOF
|
||||
|
||||
sudo tee $finalfail2banfilterconf <<EOF
|
||||
[INCLUDES]
|
||||
before = common.conf
|
||||
[Definition]
|
||||
failregex = $failregex
|
||||
ignoreregrex ="
|
||||
EOF
|
||||
|
||||
ynh_store_file_checksum "$finalfail2banjailconf"
|
||||
ynh_store_file_checksum "$finalfail2banfilterconf"
|
||||
|
||||
sudo systemctl restart fail2ban
|
||||
local fail2ban_error=$(tail -n50 /var/log/fail2ban.log | grep "ERROR.*$app")
|
||||
echo "restart=$?"
|
||||
}
|
||||
|
||||
# Remove the dedicated fail2ban config (jail and filter conf files)
|
||||
#
|
||||
# usage: ynh_remove_fail2ban_config
|
||||
ynh_remove_fail2ban_config () {
|
||||
ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
|
||||
ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
|
||||
sudo systemctl restart fail2ban
|
||||
}
|
||||
|
|
|
|||
|
|
@ -60,3 +60,10 @@ ynh_backup "/etc/php5/fpm/conf.d/20-$app.ini"
|
|||
|
||||
ynh_mysql_dump_db "$db_name" > db.sql
|
||||
CHECK_SIZE "db.sql"
|
||||
|
||||
#=================================================
|
||||
# BACKUP FAIL2BAN CONFIGURATION
|
||||
#=================================================
|
||||
|
||||
ynh_backup "/etc/fail2ban/jail.d/$app.conf"
|
||||
ynh_backup "/etc/fail2ban/filter.d/$app.conf"
|
||||
|
|
|
|||
|
|
@ -165,6 +165,7 @@ wpcli_alias="php $final_path/wp-cli.phar --allow-root --path=$final_path"
|
|||
$wpcli_alias plugin install simple-ldap-login
|
||||
$wpcli_alias plugin install http-authentication
|
||||
$wpcli_alias plugin install companion-auto-update
|
||||
$wpcli_alias plugin install wp-fail2ban
|
||||
|
||||
#=================================================
|
||||
# SET LANGUAGE
|
||||
|
|
@ -203,6 +204,7 @@ fi
|
|||
$wpcli_alias plugin activate simple-ldap-login $plugin_network
|
||||
# Do not activate http-authentication, this plugin is sometimes unstable
|
||||
$wpcli_alias plugin activate companion-auto-update $plugin_network
|
||||
$wpcli_alias plugin activate wp-fail2ban $plugin_network
|
||||
|
||||
#=================================================
|
||||
# STORE THE CHECKSUM OF THE CONFIG FILE
|
||||
|
|
@ -222,6 +224,12 @@ chown -R $app: $final_path
|
|||
# Sauf le fichier de config wp-config.php qui appartient à root
|
||||
chown root: $final_path/wp-config.php
|
||||
|
||||
#=================================================
|
||||
# SETUP FAIL2BAN
|
||||
#=================================================
|
||||
|
||||
ynh_add_fail2ban_config "/var/log/auth.log" "Authentication (attempt for unknown user|failure for) .* from <HOST>" 5
|
||||
|
||||
#=================================================
|
||||
# SETUP SSOWAT
|
||||
#=================================================
|
||||
|
|
|
|||
|
|
@ -55,6 +55,12 @@ ynh_remove_nginx_config
|
|||
# Remove the dedicated php-fpm config
|
||||
ynh_remove_fpm_config
|
||||
|
||||
#=================================================
|
||||
# REMOVE FAIL2BAN CONFIGURATION
|
||||
#=================================================
|
||||
|
||||
ynh_remove_fail2ban_config
|
||||
|
||||
#=================================================
|
||||
# GENERIC FINALISATION
|
||||
#=================================================
|
||||
|
|
|
|||
|
|
@ -86,6 +86,14 @@ chown root: $final_path/wp-config.php
|
|||
ynh_restore_file "/etc/php5/fpm/pool.d/$app.conf"
|
||||
ynh_restore_file "/etc/php5/fpm/conf.d/20-$app.ini"
|
||||
|
||||
#=================================================
|
||||
# RESTORE FAIL2BAN CONFIGURATION
|
||||
#=================================================
|
||||
|
||||
ynh_restore_file "/etc/fail2ban/jail.d/$app.conf"
|
||||
ynh_restore_file "/etc/fail2ban/filter.d/$app.conf"
|
||||
systemctl restart fail2ban
|
||||
|
||||
#=================================================
|
||||
# GENERIC FINALISATION
|
||||
#=================================================
|
||||
|
|
|
|||
|
|
@ -45,18 +45,18 @@ if [ -z "$language" ]; then
|
|||
ynh_app_setting_set $app language $language
|
||||
fi
|
||||
|
||||
if [ "$is_public" = "Yes" ]; then
|
||||
if [ "${is_public,,}" = "yes" ]; then
|
||||
ynh_app_setting_set $app is_public 1 # Fixe is_public en booléen
|
||||
is_public=1
|
||||
elif [ "$is_public" = "No" ]; then
|
||||
elif [ "${is_public,,}" = "no" ]; then
|
||||
ynh_app_setting_set $app is_public 0
|
||||
is_public=0
|
||||
fi
|
||||
|
||||
if [ "$multisite" = "Yes" ]; then
|
||||
if [ "${multisite,,}" = "yes" ]; then
|
||||
ynh_app_setting_set $app multisite 1 # Fixe multisite en booléen
|
||||
multisite=1
|
||||
elif [ "$multisite" = "No" ]; then
|
||||
elif [ "${multisite,,}" = "no" ]; then
|
||||
ynh_app_setting_set $app multisite 0
|
||||
multisite=0
|
||||
fi
|
||||
|
|
@ -154,6 +154,8 @@ update_plugin () {
|
|||
update_plugin simple-ldap-login
|
||||
update_plugin companion-auto-update
|
||||
$wpcli_alias plugin activate companion-auto-update $plugin_network
|
||||
update_plugin wp-fail2ban
|
||||
$wpcli_alias plugin activate wp-fail2ban $plugin_network
|
||||
|
||||
# Disable broken plugin http-authentication
|
||||
$wpcli_alias plugin is-installed http-authentication && $wpcli_alias plugin deactivate http-authentication
|
||||
|
|
@ -176,6 +178,12 @@ chown -R $app: $final_path
|
|||
# Sauf le fichier de config wp-config.php qui appartient à root
|
||||
chown root: $final_path/wp-config.php
|
||||
|
||||
#=================================================
|
||||
# UPGRADE FAIL2BAN
|
||||
#=================================================
|
||||
|
||||
ynh_add_fail2ban_config "/var/log/auth.log" "Authentication (attempt for unknown user|failure for) .* from <HOST>" 5
|
||||
|
||||
#=================================================
|
||||
# SETUP SSOWAT
|
||||
#=================================================
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue