diff --git a/data/hooks/conf_regen-old/52-fail2ban b/data/hooks/conf_regen-old/52-fail2ban deleted file mode 100644 index 9ff6714ad..000000000 --- a/data/hooks/conf_regen-old/52-fail2ban +++ /dev/null @@ -1,28 +0,0 @@ -set -e - -force=$1 - -function safe_copy () { - if [[ "$force" == "True" ]]; then - sudo yunohost service safecopy \ - -s fail2ban $1 $2 --force - else - sudo yunohost service safecopy \ - -s fail2ban $1 $2 - fi -} - -cd /usr/share/yunohost/templates/fail2ban - -sudo mkdir -p /etc/fail2ban/filter.d -safe_copy yunohost.conf /etc/fail2ban/filter.d/yunohost.conf - -# Compatibility: change from HDB to MDB on Jessie -version=$(sed 's/\..*//' /etc/debian_version) -[[ "$version" == '8' ]] \ - && sudo cp jail-jessie.conf jail.conf \ - || sudo cp jail-wheezy.conf jail.conf - -if [[ $(safe_copy jail.conf /etc/fail2ban/jail.conf | tail -n1) == "True" ]]; then - sudo service fail2ban restart -fi diff --git a/data/hooks/conf_regen/52-fail2ban b/data/hooks/conf_regen/52-fail2ban new file mode 100755 index 000000000..39fd3be21 --- /dev/null +++ b/data/hooks/conf_regen/52-fail2ban @@ -0,0 +1,36 @@ +#!/bin/bash + +set -e + +do_pre_regen() { + pending_dir=$1 + + cd /usr/share/yunohost/templates/fail2ban + + fail2ban_dir="${pending_dir}/etc/fail2ban" + mkdir -p "${fail2ban_dir}/filter.d" + + cp yunohost.conf "${fail2ban_dir}/filter.d/yunohost.conf" + cp jail.conf "${fail2ban_dir}/jail.conf" +} + +do_post_regen() { + sudo service fail2ban restart +} + +FORCE=$2 + +case "$1" in + pre) + do_pre_regen $3 + ;; + post) + do_post_regen + ;; + *) + echo "hook called with unknown argument \`$status'" >&2 + exit 1 + ;; +esac + +exit 0 diff --git a/data/templates/fail2ban/jail-wheezy.conf b/data/templates/fail2ban/jail-wheezy.conf deleted file mode 100644 index 8eb0e7a1e..000000000 --- a/data/templates/fail2ban/jail-wheezy.conf +++ /dev/null @@ -1,346 +0,0 @@ -# Fail2Ban configuration file. -# -# This file was composed for Debian systems from the original one -# provided now under /usr/share/doc/fail2ban/examples/jail.conf -# for additional examples. -# -# To avoid merges during upgrades DO NOT MODIFY THIS FILE -# and rather provide your changes in /etc/fail2ban/jail.local -# -# Author: Yaroslav O. Halchenko -# -# $Revision$ -# - -# The DEFAULT allows a global definition of the options. They can be overridden -# in each jail afterwards. - -[DEFAULT] - -# "ignoreip" can be an IP address, a CIDR mask or a DNS host -ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 -bantime = 600 -maxretry = 3 - -# "backend" specifies the backend used to get files modification. Available -# options are "gamin", "polling" and "auto". -# yoh: For some reason Debian shipped python-gamin didn't work as expected -# This issue left ToDo, so polling is default backend for now -backend = auto - -# -# Destination email address used solely for the interpolations in -# jail.{conf,local} configuration files. -destemail = root@localhost - -# -# ACTIONS -# - -# Default banning action (e.g. iptables, iptables-new, -# iptables-multiport, shorewall, etc) It is used to define -# action_* variables. Can be overridden globally or per -# section within jail.local file -banaction = iptables-multiport - -# email action. Since 0.8.1 upstream fail2ban uses sendmail -# MTA for the mailing. Change mta configuration parameter to mail -# if you want to revert to conventional 'mail'. -mta = sendmail - -# Default protocol -protocol = tcp - -# Specify chain where jumps would need to be added in iptables-* actions -chain = INPUT - -# -# Action shortcuts. To be used to define action parameter - -# The simplest action to take: ban only -action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - -# ban & send an e-mail with whois report to the destemail. -action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"] - -# ban & send an e-mail with whois report and relevant log lines -# to the destemail. -action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] - %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"] - -# Choose default action. To change, just override value of 'action' with the -# interpolation to the chosen action shortcut (e.g. action_mw, action_mwl, etc) in jail.local -# globally (section [DEFAULT]) or per specific section -action = %(action_)s - -# -# JAILS -# - -# Next jails corresponds to the standard configuration in Fail2ban 0.6 which -# was shipped in Debian. Enable any defined here jail by including -# -# [SECTION_NAME] -# enabled = true - -# -# in /etc/fail2ban/jail.local. -# -# Optionally you may override any other parameter (e.g. banaction, -# action, port, logpath, etc) in that section within jail.local - -[ssh] - -enabled = true -port = ssh -filter = sshd -logpath = /var/log/auth.log -maxretry = 6 - -[dropbear] - -enabled = false -port = ssh -filter = sshd -logpath = /var/log/dropbear -maxretry = 6 - -# Generic filter for pam. Has to be used with action which bans all ports -# such as iptables-allports, shorewall -[pam-generic] - -enabled = false -# pam-generic filter can be customized to monitor specific subset of 'tty's -filter = pam-generic -# port actually must be irrelevant but lets leave it all for some possible uses -port = all -banaction = iptables-allports -port = anyport -logpath = /var/log/auth.log -maxretry = 6 - -[xinetd-fail] - -enabled = false -filter = xinetd-fail -port = all -banaction = iptables-multiport-log -logpath = /var/log/daemon.log -maxretry = 2 - - -[ssh-ddos] - -enabled = false -port = ssh -filter = sshd-ddos -logpath = /var/log/auth.log -maxretry = 6 - -# -# HTTP servers -# - -[apache] - -enabled = false -port = http,https -filter = apache-auth -logpath = /var/log/apache*/*error.log -maxretry = 6 - -# default action is now multiport, so apache-multiport jail was left -# for compatibility with previous (<0.7.6-2) releases -[apache-multiport] - -enabled = false -port = http,https -filter = apache-auth -logpath = /var/log/apache*/*error.log -maxretry = 6 - -[apache-noscript] - -enabled = false -port = http,https -filter = apache-noscript -logpath = /var/log/apache*/*error.log -maxretry = 6 - -[apache-overflows] - -enabled = false -port = http,https -filter = apache-overflows -logpath = /var/log/apache*/*error.log -maxretry = 2 - -# -# FTP servers -# - -[vsftpd] - -enabled = false -port = ftp,ftp-data,ftps,ftps-data -filter = vsftpd -logpath = /var/log/vsftpd.log -# or overwrite it in jails.local to be -# logpath = /var/log/auth.log -# if you want to rely on PAM failed login attempts -# vsftpd's failregex should match both of those formats -maxretry = 6 - - -[proftpd] - -enabled = false -port = ftp,ftp-data,ftps,ftps-data -filter = proftpd -logpath = /var/log/proftpd/proftpd.log -maxretry = 6 - - -[pure-ftpd] - -enabled = false -port = ftp,ftp-data,ftps,ftps-data -filter = pure-ftpd -logpath = /var/log/auth.log -maxretry = 6 - - -[wuftpd] - -enabled = false -port = ftp,ftp-data,ftps,ftps-data -filter = wuftpd -logpath = /var/log/auth.log -maxretry = 6 - - -# -# Mail servers -# - -[postfix] - -enabled = true -port = smtp,ssmtp -filter = postfix -logpath = /var/log/mail.log - -[couriersmtp] - -enabled = false -port = smtp,ssmtp -filter = couriersmtp -logpath = /var/log/mail.log - - -# -# Mail servers authenticators: might be used for smtp,ftp,imap servers, so -# all relevant ports get banned -# - -[courierauth] - -enabled = false -port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s -filter = courierlogin -logpath = /var/log/mail.log - - -[sasl] - -enabled = true -port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s -filter = sasl -# You might consider monitoring /var/log/mail.warn instead if you are -# running postfix since it would provide the same log lines at the -# "warn" level but overall at the smaller filesize. -logpath = /var/log/mail.log - -[dovecot] - -enabled = true -port = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s -filter = dovecot -logpath = /var/log/mail.log - - -# DNS Servers - - -# These jails block attacks against named (bind9). By default, logging is off -# with bind9 installation. You will need something like this: -# -# logging { -# channel security_file { -# file "/var/log/named/security.log" versions 3 size 30m; -# severity dynamic; -# print-time yes; -# }; -# category security { -# security_file; -# }; -# }; -# -# in your named.conf to provide proper logging - -# !!! WARNING !!! -# Since UDP is connection-less protocol, spoofing of IP and imitation -# of illegal actions is way too simple. Thus enabling of this filter -# might provide an easy way for implementing a DoS against a chosen -# victim. See -# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html -# Please DO NOT USE this jail unless you know what you are doing. -#[named-refused-udp] -# -#enabled = false -#port = domain,953 -#protocol = udp -#filter = named-refused -#logpath = /var/log/named/security.log - -[named-refused-tcp] - -enabled = false -port = domain,953 -protocol = tcp -filter = named-refused -logpath = /var/log/named/security.log - -[nginx] - -enabled = true -port = http,https -filter = apache-auth -logpath = /var/log/nginx*/*error.log -maxretry = 6 - -[nginx-noscript] - -enabled = false -port = http,https -filter = apache-noscript -logpath = /var/log/nginx*/*error.log -maxretry = 6 - -[nginx-overflows] - -enabled = false -port = http,https -filter = apache-overflows -logpath = /var/log/nginx*/*error.log -maxretry = 4 - -[yunohost] - -enabled = true -port = http,https -protocol = tcp -filter = yunohost -logpath = /var/log/nginx/*.log -maxretry = 6 diff --git a/data/templates/fail2ban/jail-jessie.conf b/data/templates/fail2ban/jail.conf similarity index 100% rename from data/templates/fail2ban/jail-jessie.conf rename to data/templates/fail2ban/jail.conf