joby/webserver-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

large fail2ban and other security improvements

Browse source
This commit is contained in:
Joby 2024-10-23 17:02:32 -06:00
parent 04be6be893
commit 11c6f69c35
5 changed files with 88 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
install/01-nginx-default-root.sh
View file

@ -39,6 +39,14 @@ server {
server_name _; server_name _;
# Apply general rate limit
limit_req zone=general burst=100 nodelay;
# Check for banned IPs
if (\$is_banned) {
return 403 "Forbidden";
}
location / { location / {
try_files \$uri \$uri/ =404; try_files \$uri \$uri/ =404;
} }

21
install/mysql.sh
View file

@ -43,14 +43,15 @@ EOL
systemctl restart mysql systemctl restart mysql
# Create MySQL fail2ban configuration # Create MySQL fail2ban configuration
cat > /etc/fail2ban/jail.d/mysql.conf << EOL tee /etc/fail2ban/jail.d/mysql.conf << 'EOL'
[mysqld-auth] [mysql]
enabled = true enabled = true
filter = mysqld-auth filter = mysql
port = 3306 port = 3306
logpath = /var/log/mysql/error.log logpath = /var/log/mysql/error.log
maxretry = 5 maxretry = 10
bantime = 3600 findtime = 600
bantime = 3600
EOL EOL
# Ensure fail2ban can read the MySQL log # Ensure fail2ban can read the MySQL log
@ -58,9 +59,9 @@ EOL
# usermod -a -G adm fail2ban # usermod -a -G adm fail2ban
# Create MySQL auth filter for fail2ban # Create MySQL auth filter for fail2ban
cat > /etc/fail2ban/filter.d/mysqld-auth.conf << EOL tee /etc/fail2ban/filter.d/mysql.conf << 'EOL'
[Definition] [Definition]
failregex = ^%(__prefix_line)s[0-9]+ \[Warning\] Access denied for user '\w+'@'<HOST>' failregex = ^\s*\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z\s+\d+\s+\[Warning\].*IP address '<HOST>'.*$
ignoreregex = ignoreregex =
EOL EOL

55
install/nginx-cloudflare-fail2ban.sh Normal file
View file

@ -0,0 +1,55 @@
#!/bin/bash
# Check if script is run as root
if [ "$EUID" -ne 0 ]; then
echo "Please run as root or with sudo"
exit 1
fi
# Install requirements
echo "Installing required packages..."
apt-get install -y nginx-extras
# Create the fail2ban check script
echo "Creating fail2ban check script..."
tee /usr/local/bin/check_fail2ban.sh << 'SCRIPT'
#!/bin/bash
IP="$1"
# Get list of all active jails
JAILS=$(fail2ban-client status | grep "Jail list:" | sed "s/^[^:]*:[ \t]*//" | sed "s/,//g")
# Check each jail for the IP
for JAIL in $JAILS; do
if fail2ban-client status "$JAIL" | grep -q "IP list:\s*.*$IP"; then
exit 0 # IP is banned in at least one jail
fi
done
exit 1 # IP is not banned in any jail
SCRIPT
chmod +x /usr/local/bin/check_fail2ban.sh
chown www-data:www-data /usr/local/bin/check_fail2ban.sh
# Create the JavaScript module for NGINX
echo "Creating NGINX JavaScript module..."
mkdir -p /etc/nginx/modules-available/
tee /etc/nginx/modules-available/check_ban.js << 'JSMODULE'
function checkBan(r) {
var ip = r.variables.http_cf_connecting_ip;
var s = require('process').spawnSync('/usr/local/bin/check_fail2ban.sh', [ip]);
return s.status === 0 ? '1' : '0';
}
export default {checkBan};
JSMODULE
# Test NGINX configuration
echo "Testing NGINX configuration..."
nginx -t
# Restart services
echo "Restarting services..."
systemctl restart fail2ban
systemctl restart nginx
echo "Installation complete!"
echo "Please check /var/log/nginx/error.log for any issues."

9
install/nginx-conf/10-fail2ban-check.conf Normal file
View file

@ -0,0 +1,9 @@
load_module modules/ngx_http_js_module.so;
js_import /etc/nginx/modules-available/check_ban.js;
js_set $exec_check_ban check_ban.checkBan;
map $http_cf_connecting_ip $is_banned {
default 0;
"~.*" "${exec_check_ban $http_cf_connecting_ip}";
}

6
site-config.conf
View file

@ -17,13 +17,17 @@ server {
ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem;
include snippets/ssl.conf; include snippets/ssl.conf;
# Check for banned IPs
if ($is_banned) {
return 403 "Forbidden";
}
# Apply general rate limit # Apply general rate limit
limit_req zone=general burst=100 nodelay; limit_req zone=general burst=100 nodelay;
# Content Security Policy (needs to be per-domain) # Content Security Policy (needs to be per-domain)
add_header Content-Security-Policy "default-src 'self' *.$DOMAIN; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.$DOMAIN; style-src 'self' 'unsafe-inline' *.$DOMAIN; img-src 'self' data: *.$DOMAIN; font-src 'self' data: *.$DOMAIN; connect-src 'self' *.$DOMAIN; frame-src 'self' *.$DOMAIN; media-src 'self' *.$DOMAIN; object-src 'none'; base-uri 'self'; form-action 'self' *.$DOMAIN" always; add_header Content-Security-Policy "default-src 'self' *.$DOMAIN; script-src 'self' 'unsafe-inline' 'unsafe-eval' *.$DOMAIN; style-src 'self' 'unsafe-inline' *.$DOMAIN; img-src 'self' data: *.$DOMAIN; font-src 'self' data: *.$DOMAIN; connect-src 'self' *.$DOMAIN; frame-src 'self' *.$DOMAIN; media-src 'self' *.$DOMAIN; object-src 'none'; base-uri 'self'; form-action 'self' *.$DOMAIN" always;
# Subdomain handling # Subdomain handling
set $subdomain ''; set $subdomain '';
set $full_root "/var/www/$DOMAIN/_main/www"; set $full_root "/var/www/$DOMAIN/_main/www";