[enh] Update fail2ban conf_regen hook and drop wheezy support

2024-09-03 20:06:10 +02:00 · 2016-04-13 22:35:40 +02:00 · 2016-04-13 22:35:40 +02:00 · 3eacbef144
commit 3eacbef144
parent 93fa6b07da
4 changed files with 36 additions and 374 deletions
--- a/data/hooks/conf_regen-old/52-fail2ban
+++ b/data/hooks/conf_regen-old/52-fail2ban
@ -1,28 +0,0 @@
 set -e 
 force=$1
 function safe_copy () {
    if [[ "$force" == "True" ]]; then
        sudo yunohost service safecopy \
          -s fail2ban $1 $2 --force
    else
        sudo yunohost service safecopy \
          -s fail2ban $1 $2
    fi
 }
 cd /usr/share/yunohost/templates/fail2ban
 sudo mkdir -p /etc/fail2ban/filter.d
 safe_copy yunohost.conf /etc/fail2ban/filter.d/yunohost.conf
 # Compatibility: change from HDB to MDB on Jessie
 version=$(sed 's/\..*//' /etc/debian_version)
 [[ "$version" == '8' ]] \
  && sudo cp jail-jessie.conf jail.conf \
  || sudo cp jail-wheezy.conf jail.conf
 if [[ $(safe_copy jail.conf /etc/fail2ban/jail.conf | tail -n1) == "True" ]]; then
    sudo service fail2ban restart
 fi
--- a/data/hooks/conf_regen/52-fail2ban
+++ b/data/hooks/conf_regen/52-fail2ban
@ -0,0 +1,36 @@
 #!/bin/bash
 set -e 
 do_pre_regen() {
  pending_dir=$1
  cd /usr/share/yunohost/templates/fail2ban
  fail2ban_dir="${pending_dir}/etc/fail2ban"
  mkdir -p "${fail2ban_dir}/filter.d"
  cp yunohost.conf "${fail2ban_dir}/filter.d/yunohost.conf"
  cp jail.conf "${fail2ban_dir}/jail.conf"
 }
 do_post_regen() {
  sudo service fail2ban restart
 }
 FORCE=$2
 case "$1" in
  pre)
    do_pre_regen $3
    ;;
  post)
    do_post_regen
    ;;
  *)
    echo "hook called with unknown argument \`$status'" >&2
    exit 1
    ;;
 esac
 exit 0
--- a/data/templates/fail2ban/jail-wheezy.conf
+++ b/data/templates/fail2ban/jail-wheezy.conf
@ -1,346 +0,0 @@
 # Fail2Ban configuration file.
 #
 # This file was composed for Debian systems from the original one
 #  provided now under /usr/share/doc/fail2ban/examples/jail.conf
 #  for additional examples.
 #
 # To avoid merges during upgrades DO NOT MODIFY THIS FILE
 # and rather provide your changes in /etc/fail2ban/jail.local
 #
 # Author: Yaroslav O. Halchenko <debian@onerussian.com>
 #
 # $Revision$
 #
 # The DEFAULT allows a global definition of the options. They can be overridden
 # in each jail afterwards.
 [DEFAULT]
 # "ignoreip" can be an IP address, a CIDR mask or a DNS host
 ignoreip = 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
 bantime  = 600
 maxretry = 3
 # "backend" specifies the backend used to get files modification. Available
 # options are "gamin", "polling" and "auto".
 # yoh: For some reason Debian shipped python-gamin didn't work as expected
 #      This issue left ToDo, so polling is default backend for now
 backend = auto
 #
 # Destination email address used solely for the interpolations in
 # jail.{conf,local} configuration files.
 destemail = root@localhost
 #
 # ACTIONS
 #
 # Default banning action (e.g. iptables, iptables-new,
 # iptables-multiport, shorewall, etc) It is used to define
 # action_* variables. Can be overridden globally or per
 # section within jail.local file
 banaction = iptables-multiport
 # email action. Since 0.8.1 upstream fail2ban uses sendmail
 # MTA for the mailing. Change mta configuration parameter to mail
 # if you want to revert to conventional 'mail'.
 mta = sendmail
 # Default protocol
 protocol = tcp
 # Specify chain where jumps would need to be added in iptables-* actions
 chain = INPUT
 #
 # Action shortcuts. To be used to define action parameter
 # The simplest action to take: ban only
 action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
 # ban & send an e-mail with whois report to the destemail.
 action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
              %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s"]
 # ban & send an e-mail with whois report and relevant log lines
 # to the destemail.
 action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
               %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s"]
 # Choose default action.  To change, just override value of 'action' with the
 # interpolation to the chosen action shortcut (e.g.  action_mw, action_mwl, etc) in jail.local
 # globally (section [DEFAULT]) or per specific section
 action = %(action_)s
 #
 # JAILS
 #
 # Next jails corresponds to the standard configuration in Fail2ban 0.6 which
 # was shipped in Debian. Enable any defined here jail by including
 #
 # [SECTION_NAME]
 # enabled = true
 #
 # in /etc/fail2ban/jail.local.
 #
 # Optionally you may override any other parameter (e.g. banaction,
 # action, port, logpath, etc) in that section within jail.local
 [ssh]
 enabled  = true
 port     = ssh
 filter   = sshd
 logpath  = /var/log/auth.log
 maxretry = 6
 [dropbear]
 enabled  = false
 port     = ssh
 filter   = sshd
 logpath  = /var/log/dropbear
 maxretry = 6
 # Generic filter for pam. Has to be used with action which bans all ports
 # such as iptables-allports, shorewall
 [pam-generic]
 enabled  = false
 # pam-generic filter can be customized to monitor specific subset of 'tty's
 filter   = pam-generic
 # port actually must be irrelevant but lets leave it all for some possible uses
 port     = all
 banaction = iptables-allports
 port     = anyport
 logpath  = /var/log/auth.log
 maxretry = 6
 [xinetd-fail]
 enabled   = false
 filter    = xinetd-fail
 port      = all
 banaction = iptables-multiport-log
 logpath   = /var/log/daemon.log
 maxretry  = 2
 [ssh-ddos]
 enabled  = false
 port     = ssh
 filter   = sshd-ddos
 logpath  = /var/log/auth.log
 maxretry = 6
 #
 # HTTP servers
 #
 [apache]
 enabled  = false
 port     = http,https
 filter   = apache-auth
 logpath  = /var/log/apache*/*error.log
 maxretry = 6
 # default action is now multiport, so apache-multiport jail was left
 # for compatibility with previous (<0.7.6-2) releases
 [apache-multiport]
 enabled   = false
 port      = http,https
 filter    = apache-auth
 logpath   = /var/log/apache*/*error.log
 maxretry  = 6
 [apache-noscript]
 enabled  = false
 port     = http,https
 filter   = apache-noscript
 logpath  = /var/log/apache*/*error.log
 maxretry = 6
 [apache-overflows]
 enabled  = false
 port     = http,https
 filter   = apache-overflows
 logpath  = /var/log/apache*/*error.log
 maxretry = 2
 #
 # FTP servers
 #
 [vsftpd]
 enabled  = false
 port     = ftp,ftp-data,ftps,ftps-data
 filter   = vsftpd
 logpath  = /var/log/vsftpd.log
 # or overwrite it in jails.local to be
 # logpath = /var/log/auth.log
 # if you want to rely on PAM failed login attempts
 # vsftpd's failregex should match both of those formats
 maxretry = 6
 [proftpd]
 enabled  = false
 port     = ftp,ftp-data,ftps,ftps-data
 filter   = proftpd
 logpath  = /var/log/proftpd/proftpd.log
 maxretry = 6
 [pure-ftpd]
 enabled  = false
 port     = ftp,ftp-data,ftps,ftps-data
 filter   = pure-ftpd
 logpath  = /var/log/auth.log
 maxretry = 6
 [wuftpd]
 enabled  = false
 port     = ftp,ftp-data,ftps,ftps-data
 filter   = wuftpd
 logpath  = /var/log/auth.log
 maxretry = 6
 #
 # Mail servers
 #
 [postfix]
 enabled  = true
 port     = smtp,ssmtp
 filter   = postfix
 logpath  = /var/log/mail.log
 [couriersmtp]
 enabled  = false
 port     = smtp,ssmtp
 filter   = couriersmtp
 logpath  = /var/log/mail.log
 #
 # Mail servers authenticators: might be used for smtp,ftp,imap servers, so
 # all relevant ports get banned
 #
 [courierauth]
 enabled  = false
 port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
 filter   = courierlogin
 logpath  = /var/log/mail.log
 [sasl]
 enabled  = true
 port     = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
 filter   = sasl
 # You might consider monitoring /var/log/mail.warn instead if you are
 # running postfix since it would provide the same log lines at the
 # "warn" level but overall at the smaller filesize.
 logpath  = /var/log/mail.log
 [dovecot]
 enabled = true
 port    = smtp,ssmtp,imap2,imap3,imaps,pop3,pop3s
 filter  = dovecot
 logpath = /var/log/mail.log
 # DNS Servers
 # These jails block attacks against named (bind9). By default, logging is off
 # with bind9 installation. You will need something like this:
 #
 # logging {
 #     channel security_file {
 #         file "/var/log/named/security.log" versions 3 size 30m;
 #         severity dynamic;
 #         print-time yes;
 #     };
 #     category security {
 #         security_file;
 #     };
 # };
 #
 # in your named.conf to provide proper logging
 # !!! WARNING !!!
 #   Since UDP is connection-less protocol, spoofing of IP and imitation
 #   of illegal actions is way too simple.  Thus enabling of this filter
 #   might provide an easy way for implementing a DoS against a chosen
 #   victim. See
 #    http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html
 #   Please DO NOT USE this jail unless you know what you are doing.
 #[named-refused-udp]
 #
 #enabled  = false
 #port     = domain,953
 #protocol = udp
 #filter   = named-refused
 #logpath  = /var/log/named/security.log
 [named-refused-tcp]
 enabled  = false
 port     = domain,953
 protocol = tcp
 filter   = named-refused
 logpath  = /var/log/named/security.log
 [nginx]
 enabled = true
 port    = http,https
 filter  = apache-auth
 logpath = /var/log/nginx*/*error.log
 maxretry = 6
 [nginx-noscript]
 enabled = false
 port    = http,https
 filter  = apache-noscript
 logpath = /var/log/nginx*/*error.log
 maxretry = 6
 [nginx-overflows]
 enabled = false
 port    = http,https
 filter  = apache-overflows
 logpath = /var/log/nginx*/*error.log
 maxretry = 4
 [yunohost]
 enabled  = true
 port     = http,https
 protocol = tcp
 filter   = yunohost
 logpath  = /var/log/nginx/*.log
 maxretry = 6
--- a/data/templates/fail2ban/jail-jessie.conf
+++ b/data/templates/fail2ban/jail-jessie.conf