Add fail2ban

scripts/_common.sh

@@ -49,3 +49,64 @@ ynh_delete_file_checksum () {
 	local checksum_setting_name=checksum_${1//[\/ ]/_}	# Replace all '/' and ' ' by '_'
 	ynh_app_setting_delete $app $checksum_setting_name
 }
+
+
+#=================================================
+# EXPERIMENTAL HELPERS
+#=================================================
+
+# Create a dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_add_fail2ban_config log_file filter [max_retry [ports]]
+# | arg: log_file - Log file to be checked by fail2ban
+# | arg: failregex - Failregex to be looked for by fail2ban
+# | arg: max_retry - Maximum number of retries allowed before banning IP address - default: 3
+# | arg: ports - Ports blocked for a banned IP address - default: http,https
+ynh_add_fail2ban_config () {
+	# Process parameters
+	logpath=$1
+	failregex=$2
+	max_retry=${3:-3}
+	ports=${4:-http,https}
+
+	test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
+	test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
+
+	finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
+	finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
+	ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
+	ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
+
+	sudo tee $finalfail2banjailconf <<EOF
+[$app]
+enabled = true
+port = $ports
+filter = $app
+logpath = $logpath
+maxretry = $max_retry" 
+EOF
+
+	sudo tee $finalfail2banfilterconf <<EOF
+[INCLUDES]
+before = common.conf
+[Definition]
+failregex = $failregex
+ignoreregrex =" 
+EOF
+
+	ynh_store_file_checksum "$finalfail2banjailconf"
+	ynh_store_file_checksum "$finalfail2banfilterconf"
+
+	sudo systemctl restart fail2ban
+	local fail2ban_error=$(tail -n50 /var/log/fail2ban.log | grep "ERROR.*$app")
+	echo "restart=$?"
+}
+
+# Remove the dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_remove_fail2ban_config
+ynh_remove_fail2ban_config () {
+	ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
+	ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
+	sudo systemctl restart fail2ban
+}

scripts/backup

@@ -60,3 +60,10 @@ ynh_backup "/etc/php5/fpm/conf.d/20-$app.ini"
 
 ynh_mysql_dump_db "$db_name" > db.sql
 CHECK_SIZE "db.sql"
+
+#=================================================
+# BACKUP FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_backup "/etc/fail2ban/jail.d/$app.conf"
+ynh_backup "/etc/fail2ban/filter.d/$app.conf"

scripts/install

@@ -165,6 +165,7 @@ wpcli_alias="php $final_path/wp-cli.phar --allow-root --path=$final_path"
 $wpcli_alias plugin install simple-ldap-login
 $wpcli_alias plugin install http-authentication
 $wpcli_alias plugin install companion-auto-update
+$wpcli_alias plugin install wp-fail2ban
 
 #=================================================
 # SET LANGUAGE
@@ -203,6 +204,7 @@ fi
 $wpcli_alias plugin activate simple-ldap-login $plugin_network
 # Do not activate http-authentication, this plugin is sometimes unstable
 $wpcli_alias plugin activate companion-auto-update $plugin_network
+$wpcli_alias plugin activate wp-fail2ban $plugin_network
 
 #=================================================
 # STORE THE CHECKSUM OF THE CONFIG FILE
@@ -222,6 +224,12 @@ chown -R $app: $final_path
 # Sauf le fichier de config wp-config.php qui appartient à root
 chown root: $final_path/wp-config.php
 
+#=================================================
+# SETUP FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "/var/log/auth.log" "Authentication (attempt for unknown user|failure for) .* from <HOST>" 5
+
 #=================================================
 # SETUP SSOWAT
 #=================================================

scripts/remove

@@ -55,6 +55,12 @@ ynh_remove_nginx_config
 # Remove the dedicated php-fpm config
 ynh_remove_fpm_config
 
+#=================================================
+# REMOVE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_remove_fail2ban_config
+
 #=================================================
 # GENERIC FINALISATION
 #=================================================

scripts/restore

@@ -86,6 +86,14 @@ chown root: $final_path/wp-config.php
 ynh_restore_file "/etc/php5/fpm/pool.d/$app.conf"
 ynh_restore_file "/etc/php5/fpm/conf.d/20-$app.ini"
 
+#=================================================
+# RESTORE FAIL2BAN CONFIGURATION
+#=================================================
+
+ynh_restore_file "/etc/fail2ban/jail.d/$app.conf"
+ynh_restore_file "/etc/fail2ban/filter.d/$app.conf"
+systemctl restart fail2ban
+
 #=================================================
 # GENERIC FINALISATION
 #=================================================

scripts/upgrade

@@ -45,18 +45,18 @@ if [ -z "$language" ]; then
 	ynh_app_setting_set $app language $language
 fi
 
-if [ "$is_public" = "Yes" ]; then
+if [ "${is_public,,}" = "yes" ]; then
 	ynh_app_setting_set $app is_public 1	# Fixe is_public en booléen
 	is_public=1
-elif [ "$is_public" = "No" ]; then
+elif [ "${is_public,,}" = "no" ]; then
 	ynh_app_setting_set $app is_public 0
 	is_public=0
 fi
 
-if [ "$multisite" = "Yes" ]; then
+if [ "${multisite,,}" = "yes" ]; then
 	ynh_app_setting_set $app multisite 1	# Fixe multisite en booléen
 	multisite=1
-elif [ "$multisite" = "No" ]; then
+elif [ "${multisite,,}" = "no" ]; then
 	ynh_app_setting_set $app multisite 0
 	multisite=0
 fi
@@ -154,6 +154,8 @@ update_plugin () {
 update_plugin simple-ldap-login
 update_plugin companion-auto-update
 $wpcli_alias plugin activate companion-auto-update $plugin_network
+update_plugin wp-fail2ban
+$wpcli_alias plugin activate wp-fail2ban $plugin_network
 
 # Disable broken plugin http-authentication
 $wpcli_alias plugin is-installed http-authentication && $wpcli_alias plugin deactivate http-authentication
@@ -176,6 +178,12 @@ chown -R $app: $final_path
 # Sauf le fichier de config wp-config.php qui appartient à root
 chown root: $final_path/wp-config.php
 
+#=================================================
+# UPGRADE FAIL2BAN
+#=================================================
+
+ynh_add_fail2ban_config "/var/log/auth.log" "Authentication (attempt for unknown user|failure for) .* from <HOST>" 5
+
 #=================================================
 # SETUP SSOWAT
 #=================================================