diff --git a/scripts/_common.sh b/scripts/_common.sh index 0177d37..165efa2 100755 --- a/scripts/_common.sh +++ b/scripts/_common.sh @@ -49,3 +49,64 @@ ynh_delete_file_checksum () { local checksum_setting_name=checksum_${1//[\/ ]/_} # Replace all '/' and ' ' by '_' ynh_app_setting_delete $app $checksum_setting_name } + + +#================================================= +# EXPERIMENTAL HELPERS +#================================================= + +# Create a dedicated fail2ban config (jail and filter conf files) +# +# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]] +# | arg: log_file - Log file to be checked by fail2ban +# | arg: failregex - Failregex to be looked for by fail2ban +# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3 +# | arg: ports - Ports blocked for a banned IP address - default: http,https +ynh_add_fail2ban_config () { + # Process parameters + logpath=$1 + failregex=$2 + max_retry=${3:-3} + ports=${4:-http,https} + + test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing." + test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing." + + finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf" + finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf" + ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1 + ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1 + + sudo tee $finalfail2banjailconf < db.sql CHECK_SIZE "db.sql" + +#================================================= +# BACKUP FAIL2BAN CONFIGURATION +#================================================= + +ynh_backup "/etc/fail2ban/jail.d/$app.conf" +ynh_backup "/etc/fail2ban/filter.d/$app.conf" diff --git a/scripts/install b/scripts/install index c10a556..7567d65 100644 --- a/scripts/install +++ b/scripts/install 
@@ -165,6 +165,7 @@ wpcli_alias="php $final_path/wp-cli.phar --allow-root --path=$final_path"
 $wpcli_alias plugin install simple-ldap-login
 $wpcli_alias plugin install http-authentication
 $wpcli_alias plugin install companion-auto-update
+$wpcli_alias plugin install wp-fail2ban
 #=================================================
 # SET LANGUAGE
@@ -203,6 +204,7 @@ fi
 $wpcli_alias plugin activate simple-ldap-login $plugin_network
 # Do not activate http-authentication, this plugin is sometimes unstable
 $wpcli_alias plugin activate companion-auto-update $plugin_network
+$wpcli_alias plugin activate wp-fail2ban $plugin_network
 #=================================================
 # STORE THE CHECKSUM OF THE CONFIG FILE
@@ -222,6 +224,12 @@ chown -R $app: $final_path
 # Sauf le fichier de config wp-config.php qui appartient à root
 chown root: $final_path/wp-config.php
+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "/var/log/auth.log" "Authentication (attempt for unknown user|failure for) .* from " 5
+
 #=================================================
 # SETUP SSOWAT
 #=================================================
diff --git a/scripts/remove b/scripts/remove
index 2126460..b4fdb89 100755
--- a/scripts/remove
+++ b/scripts/remove
@@ -55,6 +55,12 @@ ynh_remove_nginx_config
 # Remove the dedicated php-fpm config
 ynh_remove_fpm_config
+#=================================================
+# REMOVE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_remove_fail2ban_config
+
 #=================================================
 # GENERIC FINALISATION
 #=================================================
diff --git a/scripts/restore b/scripts/restore
index 2d6cdea..a750d6d 100644
--- a/scripts/restore
+++ b/scripts/restore
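Review bot: In scripts/install (hunk at line 165), `plugin install wp-fail2ban` takes whichever release the plugin directory serves at install time, although this plugin runs in the login path and emits the log lines the new jail bans on. Pinning a reviewed release would make installs reproducible: `$wpcli_alias plugin install wp-fail2ban --version=<REVIEWED_VERSION>` (placeholder value). Whether a failed download aborts the script is not visible in this hunk; if it does not, the activate line and the jail setup further down run with no plugin behind them.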
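Review bot: In scripts/install (hunk at line 222), the failregex handed to `ynh_add_fail2ban_config` is unanchored and its `.*` spans the attempted username, which the client chooses, while the jail reads the shared `/var/log/auth.log`. Any other service that writes a line containing `Authentication failure for … from` into that file would count toward this jail, so I would prefix the pattern with the plugin's syslog tag and anchor the end, i.e. finish it with `.* from <HOST>$`. As rendered on this page the pattern stops at `from ` with no `<HOST>` tag, which fail2ban needs in order to extract an address; that may be an artefact of the page, so confirm the committed string. The identical call is added in scripts/upgrade (hunk at line 176); holding the pattern in one variable in `_common.sh` would keep the two from drifting apart.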
@@ -86,6 +86,14 @@ chown root: $final_path/wp-config.php
 ynh_restore_file "/etc/php5/fpm/pool.d/$app.conf"
 ynh_restore_file "/etc/php5/fpm/conf.d/20-$app.ini"
+#=================================================
+# RESTORE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_restore_file "/etc/fail2ban/jail.d/$app.conf"
+ynh_restore_file "/etc/fail2ban/filter.d/$app.conf"
+systemctl restart fail2ban
+
 #=================================================
 # GENERIC FINALISATION
 #=================================================
diff --git a/scripts/upgrade b/scripts/upgrade
index 7a02faa..170dbe8 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -45,18 +45,18 @@ if [ -z "$language" ]; then
 ynh_app_setting_set $app language $language
 fi
-if [ "$is_public" = "Yes" ]; then
+if [ "${is_public,,}" = "yes" ]; then
 ynh_app_setting_set $app is_public 1 # Fixe is_public en booléen
 is_public=1
-elif [ "$is_public" = "No" ]; then
+elif [ "${is_public,,}" = "no" ]; then
 ynh_app_setting_set $app is_public 0
 is_public=0
 fi
-if [ "$multisite" = "Yes" ]; then
+if [ "${multisite,,}" = "yes" ]; then
 ynh_app_setting_set $app multisite 1 # Fixe multisite en booléen
 multisite=1
-elif [ "$multisite" = "No" ]; then
+elif [ "${multisite,,}" = "no" ]; then
 ynh_app_setting_set $app multisite 0
 multisite=0
 fi
@@ -154,6 +154,8 @@ update_plugin () {
 update_plugin simple-ldap-login
 update_plugin companion-auto-update
 $wpcli_alias plugin activate companion-auto-update $plugin_network
+update_plugin wp-fail2ban
+$wpcli_alias plugin activate wp-fail2ban $plugin_network
 # Disable broken plugin http-authentication
 $wpcli_alias plugin is-installed http-authentication && $wpcli_alias plugin deactivate http-authentication
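Review bot: In scripts/restore, `systemctl restart fail2ban` restarts the whole service to load one jail, and its exit status is not checked anywhere in this hunk. A restart stops every jail on the host before bringing them back, and if the restored jail or filter file is rejected the service can stay down, leaving all other services without banning. A reload is enough to pick up the two restored files, and a failure should be surfaced: `systemctl reload fail2ban || ynh_die "fail2ban did not accept the restored $app jail"`.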
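Review bot: In scripts/upgrade (hunk at line 154), instances installed before this commit do not have wp-fail2ban yet, so `plugin activate wp-fail2ban` only works if `update_plugin` installs a missing plugin; only its name appears in the hunk header and its body is not shown. If it merely updates plugins that are already present, add an explicit guard before the activate: `$wpcli_alias plugin is-installed wp-fail2ban || $wpcli_alias plugin install wp-fail2ban`. Otherwise the jail written later in this script would watch for log lines that nothing produces.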
@@ -176,6 +178,12 @@ chown -R $app: $final_path
 # Sauf le fichier de config wp-config.php qui appartient à root
 chown root: $final_path/wp-config.php
+#=================================================
+# UPGRADE FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "/var/log/auth.log" "Authentication (attempt for unknown user|failure for) .* from " 5
+
 #=================================================
 # SETUP SSOWAT
 #=================================================