further fail2ban config

2024-10-23 17:27:59 -06:00 · 2024-10-23 17:27:59 -06:00 · 467405d95a
commit 467405d95a
parent 2eaa45bff3
5 changed files with 34 additions and 72 deletions
--- a/install/00-update-install.sh
+++ b/install/00-update-install.sh
@ -35,6 +35,8 @@ filter = sshd
 logpath = /var/log/auth.log
 maxretry = 10
 bantime = 86400
+action = iptables-multiport[name=sshd]
+         nginx-banned-ips

 [nginx-http-auth]
 enabled = true
@ -43,6 +45,8 @@ port = http,https
 logpath = /var/log/nginx/error.log
 maxretry = 5
 bantime = 3600
+action = iptables-multiport[name=nginx-http-auth]
+         nginx-banned-ips
 EOL

 # SSH hardening
--- a/install/fail2ban-nginx.sh
+++ b/install/fail2ban-nginx.sh
@ -37,6 +37,8 @@ logpath = /var/log/nginx/access.log
 maxretry = 10
 findtime = 600
 bantime = 3600
+action = iptables-multiport[name=nginx-strict]
+         nginx-banned-ips

 [nginx-4xx-moderate]
 enabled = true
@ -46,6 +48,8 @@ logpath = /var/log/nginx/access.log
 maxretry = 10
 findtime = 600
 bantime = 1800
+action = iptables-multiport[name=nginx-moderate]
+         nginx-banned-ips

 [nginx-4xx-lenient]
 enabled = true
@ -55,6 +59,8 @@ logpath = /var/log/nginx/access.log
 maxretry = 20
 findtime = 600
 bantime = 900
+action = iptables-multiport[name=nginx-lenient]
+         nginx-banned-ips
 EOL

 echo "fail2ban setup for Nginx errors completed with strict, moderate, and lenient jails."
--- a/install/mysql.sh
+++ b/install/mysql.sh
@ -52,6 +52,8 @@ logpath = /var/log/mysql/error.log
 maxretry = 10
 findtime = 600
 bantime = 3600
+action = iptables-multiport[name=mysql]
+         nginx-banned-ips
 EOL

 # Ensure fail2ban can read the MySQL log
--- a/install/nginx-cloudflare-fail2ban.sh
+++ b/install/nginx-cloudflare-fail2ban.sh
@ -6,77 +6,34 @@ if [ "$EUID" -ne 0 ]; then
    exit 1
 fi

-# Add NGINX repository
-echo "Adding NGINX repository..."
-curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
-    | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
+# Create banned IPs file
+echo "Creating banned IPs file..."
+touch /etc/nginx/conf.d/banned_ips.conf
+chown www-data:www-data /etc/nginx/conf.d/banned_ips.conf

-echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
-http://nginx.org/packages/ubuntu $(lsb_release -cs) nginx" \
-    | sudo tee /etc/apt/sources.list.d/nginx.list
-
-# Update package lists
-apt-get update
-
-# Install requirements
-echo "Installing required packages..."
-apt-get install -y nginx-extras nginx-module-njs
-
-# Add load_module directive to nginx.conf if not present
-echo "Adding load_module directive to nginx.conf if needed..."
-if ! grep -q "^load_module.*ngx_http_js_module.so" /etc/nginx/nginx.conf; then
-    # Create temporary file
-    sed '/^events {/i load_module /usr/lib/nginx/modules/ngx_http_js_module.so;' /etc/nginx/nginx.conf > /tmp/nginx.conf.tmp
-    # Check if the modification was successful
-    if nginx -t -c /tmp/nginx.conf.tmp; then
-        mv /tmp/nginx.conf.tmp /etc/nginx/nginx.conf
-    else
-        rm /tmp/nginx.conf.tmp
-        echo "Failed to modify nginx.conf safely. Please add 'load_module /usr/lib/nginx/modules/ngx_http_js_module.so;' manually."
-        exit 1
-    fi
-fi
-
-# Create the fail2ban check script
-echo "Creating fail2ban check script..."
-tee /usr/local/bin/check_fail2ban.sh << 'SCRIPT'
-#!/bin/bash
-IP="$1"
-# Get list of all active jails
-JAILS=$(fail2ban-client status | grep "Jail list:" | sed "s/^[^:]*:[ \t]*//" | sed "s/,//g")
-
-# Check each jail for the IP
-for JAIL in $JAILS; do
-    if fail2ban-client status "$JAIL" | grep -q "IP list:\s*.*$IP"; then
-        exit 0  # IP is banned in at least one jail
-    fi
-done
-exit 1  # IP is not banned in any jail
-SCRIPT
-chmod +x /usr/local/bin/check_fail2ban.sh
-chown www-data:www-data /usr/local/bin/check_fail2ban.sh
-
-# Create the JavaScript module for NGINX
-echo "Creating NGINX JavaScript module..."
-mkdir -p /etc/nginx/modules-available/
-tee /etc/nginx/modules-available/check_ban.js << 'JSMODULE'
-function checkBan(r) {
-    var ip = r.variables.http_cf_connecting_ip;
-    var s = require('process').spawnSync('/usr/local/bin/check_fail2ban.sh', [ip]);
-    return s.status === 0 ? '1' : '0';
+# Create NGINX configuration for fail2ban check
+echo "Creating NGINX configuration..."
+tee /etc/nginx/conf.d/10-fail2ban-check.conf << 'CONFFILE'
+map $http_cf_connecting_ip $is_banned {
+    default 0;
+    include /etc/nginx/conf.d/banned_ips.conf;
 }
+CONFFILE

-export default {checkBan};
-JSMODULE
+# Create fail2ban action
+echo "Creating fail2ban action..."
+tee /etc/fail2ban/action.d/nginx-banned-ips.conf << 'ACTIONFILE'
+[Definition]
+actionstart = 
+actionstop = 
+actioncheck = 
+actionban = echo '<ip> 1;' >> /etc/nginx/conf.d/banned_ips.conf && nginx -s reload
+actionunban = sed -i '/<ip>/d' /etc/nginx/conf.d/banned_ips.conf && nginx -s reload
+ACTIONFILE

 # Test NGINX configuration
 echo "Testing NGINX configuration..."
 nginx -t

-# Restart services
-echo "Restarting services..."
-systemctl restart fail2ban
-systemctl restart nginx
-
 echo "Installation complete!"
-echo "Please check /var/log/nginx/error.log for any issues."
+echo "Now add 'nginx-banned-ips' to the action line in your existing fail2ban jail configurations"
--- a/install/nginx-conf/10-fail2ban-check.conf
+++ b/install/nginx-conf/10-fail2ban-check.conf
@ -1,7 +0,0 @@
-js_import /etc/nginx/modules-available/check_ban.js;
-js_set $exec_check_ban check_ban.checkBan;
-
-map $http_cf_connecting_ip $is_banned {
-    default 0;
-    "~.*" "${exec_check_ban $http_cf_connecting_ip}";
-}