diff --git a/install/00-update-install.sh b/install/00-update-install.sh
index af80e36..5345e7c 100755
--- a/install/00-update-install.sh
+++ b/install/00-update-install.sh
@@ -35,6 +35,8 @@ filter = sshd
 logpath = /var/log/auth.log
 maxretry = 10
 bantime = 86400
+action = iptables-multiport[name=sshd]
+ nginx-banned-ips
 [nginx-http-auth]
 enabled = true
@@ -43,6 +45,8 @@ port = http,https
 logpath = /var/log/nginx/error.log
 maxretry = 5
 bantime = 3600
+action = iptables-multiport[name=nginx-http-auth]
+ nginx-banned-ips
 EOL
 # SSH hardening
diff --git a/install/fail2ban-nginx.sh b/install/fail2ban-nginx.sh
index fa5cc8d..f0462ef 100755
--- a/install/fail2ban-nginx.sh
+++ b/install/fail2ban-nginx.sh
@@ -37,6 +37,8 @@ logpath = /var/log/nginx/access.log
 maxretry = 10
 findtime = 600
 bantime = 3600
+action = iptables-multiport[name=nginx-strict]
+ nginx-banned-ips
 [nginx-4xx-moderate]
 enabled = true
@@ -46,6 +48,8 @@ logpath = /var/log/nginx/access.log
 maxretry = 10
 findtime = 600
 bantime = 1800
+action = iptables-multiport[name=nginx-moderate]
+ nginx-banned-ips
 [nginx-4xx-lenient]
 enabled = true
@@ -55,6 +59,8 @@ logpath = /var/log/nginx/access.log
 maxretry = 20
 findtime = 600
 bantime = 900
+action = iptables-multiport[name=nginx-lenient]
+ nginx-banned-ips
 EOL
 echo "fail2ban setup for Nginx errors completed with strict, moderate, and lenient jails."
diff --git a/install/mysql.sh b/install/mysql.sh
index 6ee9819..f4a0a7c 100755
--- a/install/mysql.sh
+++ b/install/mysql.sh
@@ -52,6 +52,8 @@ logpath = /var/log/mysql/error.log
 maxretry = 10
 findtime = 600
 bantime = 3600
+action = iptables-multiport[name=mysql]
+ nginx-banned-ips
 EOL
 # Ensure fail2ban can read the MySQL log
diff --git a/install/nginx-cloudflare-fail2ban.sh b/install/nginx-cloudflare-fail2ban.sh
index 7358620..9d39330 100644
--- a/install/nginx-cloudflare-fail2ban.sh
+++ b/install/nginx-cloudflare-fail2ban.sh
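Review bot: Writing `action = iptables-multiport[name=...]` replaces the jail's default action string, which is what normally passes the jail's `port` to the firewall action; in the `[nginx-http-auth]` hunk the action gets only `name=`, so the multiport rule may be built for the action's built-in default port instead of `http,https`, and the same applies to the three fail2ban-nginx.sh hunks and the mysql.sh hunk. Pass the port explicitly, e.g. `action = iptables-multiport[name=nginx-http-auth, port="http,https"]`, and confirm after a test ban by inspecting the generated rule with `iptables -S`. The `nginx-banned-ips` continuation line must be indented under `action` inside the heredoc for fail2ban's INI parser to treat it as part of the same value; the indentation is not visible on this page, so check that it survives the heredoc.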
@@ -6,77 +6,34 @@ if [ "$EUID" -ne 0 ]; then
 exit 1
 fi
-# Add NGINX repository
-echo "Adding NGINX repository..."
-curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
- | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
+# Create banned IPs file
+echo "Creating banned IPs file..."
+touch /etc/nginx/conf.d/banned_ips.conf
+chown www-data:www-data /etc/nginx/conf.d/banned_ips.conf
-echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
-http://nginx.org/packages/ubuntu $(lsb_release -cs) nginx" \
- | sudo tee /etc/apt/sources.list.d/nginx.list
-
-# Update package lists
-apt-get update
-
-# Install requirements
-echo "Installing required packages..."
-apt-get install -y nginx-extras nginx-module-njs
-
-# Add load_module directive to nginx.conf if not present
-echo "Adding load_module directive to nginx.conf if needed..."
-if ! grep -q "^load_module.*ngx_http_js_module.so" /etc/nginx/nginx.conf; then
- # Create temporary file
- sed '/^events {/i load_module /usr/lib/nginx/modules/ngx_http_js_module.so;' /etc/nginx/nginx.conf > /tmp/nginx.conf.tmp
- # Check if the modification was successful
- if nginx -t -c /tmp/nginx.conf.tmp; then
- mv /tmp/nginx.conf.tmp /etc/nginx/nginx.conf
- else
- rm /tmp/nginx.conf.tmp
- echo "Failed to modify nginx.conf safely. Please add 'load_module /usr/lib/nginx/modules/ngx_http_js_module.so;' manually."
- exit 1
- fi
-fi
-
-# Create the fail2ban check script
-echo "Creating fail2ban check script..."
-tee /usr/local/bin/check_fail2ban.sh << 'SCRIPT'
-#!/bin/bash
-IP="$1"
-# Get list of all active jails
-JAILS=$(fail2ban-client status | grep "Jail list:" | sed "s/^[^:]*:[ \t]*//" | sed "s/,//g")
-
-# Check each jail for the IP
-for JAIL in $JAILS; do
- if fail2ban-client status "$JAIL" | grep -q "IP list:\s*.*$IP"; then
- exit 0 # IP is banned in at least one jail
- fi
-done
-exit 1 # IP is not banned in any jail
-SCRIPT
-chmod +x /usr/local/bin/check_fail2ban.sh
-chown www-data:www-data /usr/local/bin/check_fail2ban.sh
-
-# Create the JavaScript module for NGINX
-echo "Creating NGINX JavaScript module..."
-mkdir -p /etc/nginx/modules-available/
-tee /etc/nginx/modules-available/check_ban.js << 'JSMODULE'
-function checkBan(r) {
- var ip = r.variables.http_cf_connecting_ip;
- var s = require('process').spawnSync('/usr/local/bin/check_fail2ban.sh', [ip]);
- return s.status === 0 ? '1' : '0';
+# Create NGINX configuration for fail2ban check
+echo "Creating NGINX configuration..."
+tee /etc/nginx/conf.d/10-fail2ban-check.conf << 'CONFFILE'
+map $http_cf_connecting_ip $is_banned {
+ default 0;
+ include /etc/nginx/conf.d/banned_ips.conf;
 }
+CONFFILE
-export default {checkBan};
-JSMODULE
+# Create fail2ban action
+echo "Creating fail2ban action..."
+tee /etc/fail2ban/action.d/nginx-banned-ips.conf << 'ACTIONFILE'
+[Definition]
+actionstart =
+actionstop =
+actioncheck =
+actionban = echo ' 1;' >> /etc/nginx/conf.d/banned_ips.conf && nginx -s reload
+actionunban = sed -i '//d' /etc/nginx/conf.d/banned_ips.conf && nginx -s reload
+ACTIONFILE
 # Test NGINX configuration
 echo "Testing NGINX configuration..."
 nginx -t
-# Restart services
-echo "Restarting services..."
-systemctl restart fail2ban
-systemctl restart nginx
-
 echo "Installation complete!"
-echo "Please check /var/log/nginx/error.log for any issues."
+echo "Now add 'nginx-banned-ips' to the action line in your existing fail2ban jail configurations"
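Review bot: The ban list is created as `/etc/nginx/conf.d/banned_ips.conf`, and if nginx.conf includes `/etc/nginx/conf.d/*.conf` in its http block (the stock Debian/Ubuntu layout), nginx will also parse that file as top-level directives, so the first `nginx -s reload` after a ban fails on the appended `<ip> 1;` entry and no ban ever takes effect; keep the map data outside the include glob (e.g. a constructed path such as `/etc/nginx/banned_ips.map`) and reference that path from the `include` in the map and from both action lines. The `chown www-data:www-data` on the same file is also unnecessary and widens exposure: fail2ban appends as root and the nginx master reads included config as root, whereas the worker user should not be able to rewrite a file that is spliced into the server configuration, so leave it root-owned and world-readable. In `actionunban` the `<ip>` tag is used as an unanchored sed regex in which dots match any character, so unbanning 10.0.0.1 would also remove 10.0.0.10 or 110.0.0.1 lines; use `actionunban = sed -i '/^<ip> 1;$/d' FILE && nginx -s reload` with `actionban = echo '<ip> 1;' >> FILE && nginx -s reload`. Note that the lines as printed on this page contain no `<ip>` tag at all (`echo ' 1;'`, `sed -i '//d'`), which may be the page losing angle-bracketed text, but if the committed file really lacks it every unban fails on an empty regex, so verify the heredoc contents. Because every jail in the other hunks now shares this action, one IP banned by two jails is appended twice and removed entirely on the first unban; that is worth a comment in the action file.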
diff --git a/install/nginx-conf/10-fail2ban-check.conf b/install/nginx-conf/10-fail2ban-check.conf
deleted file mode 100644
index e2b5e12..0000000
--- a/install/nginx-conf/10-fail2ban-check.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-js_import /etc/nginx/modules-available/check_ban.js;
-js_set $exec_check_ban check_ban.checkBan;
-
-map $http_cf_connecting_ip $is_banned {
- default 0;
- "~.*" "${exec_check_ban $http_cf_connecting_ip}";
-}
\ No newline at end of file