further fail2ban config

This commit is contained in:
Joby 2024-10-23 17:27:59 -06:00
parent 2eaa45bff3
commit 467405d95a
5 changed files with 34 additions and 72 deletions


@ -35,6 +35,8 @@ filter = sshd
logpath = /var/log/auth.log logpath = /var/log/auth.log
maxretry = 10 maxretry = 10
bantime = 86400 bantime = 86400
action = iptables-multiport[name=sshd]
nginx-banned-ips
[nginx-http-auth] [nginx-http-auth]
enabled = true enabled = true
@ -43,6 +45,8 @@ port = http,https
logpath = /var/log/nginx/error.log logpath = /var/log/nginx/error.log
maxretry = 5 maxretry = 5
bantime = 3600 bantime = 3600
action = iptables-multiport[name=nginx-http-auth]
nginx-banned-ips
EOL EOL
# SSH hardening # SSH hardening
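Review bot: The new `nginx-banned-ips` continuation line under `action = iptables-multiport[name=sshd]` (and the matching one under `[nginx-http-auth]`) has to be indented inside the heredoc, because fail2ban's INI parser treats an unindented line as a new key rather than a second action; the rendered page drops leading whitespace, so this cannot be confirmed here and is worth checking in the raw file. The same applies to the three nginx-4xx jails in the next file section and to the mysql jail after that. These jails now also depend on `/etc/fail2ban/action.d/nginx-banned-ips.conf` existing before fail2ban is restarted, which this commit creates in a separate script; if a jail script runs first, fail2ban will not start that jail, so a comment above each heredoc naming the prerequisite would help, e.g. `# requires action.d/nginx-banned-ips.conf (created by the nginx fail2ban setup script)`. The heredoc itself starts above this hunk.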


@ -37,6 +37,8 @@ logpath = /var/log/nginx/access.log
maxretry = 10 maxretry = 10
findtime = 600 findtime = 600
bantime = 3600 bantime = 3600
action = iptables-multiport[name=nginx-strict]
nginx-banned-ips
[nginx-4xx-moderate] [nginx-4xx-moderate]
enabled = true enabled = true
@ -46,6 +48,8 @@ logpath = /var/log/nginx/access.log
maxretry = 10 maxretry = 10
findtime = 600 findtime = 600
bantime = 1800 bantime = 1800
action = iptables-multiport[name=nginx-moderate]
nginx-banned-ips
[nginx-4xx-lenient] [nginx-4xx-lenient]
enabled = true enabled = true
@ -55,6 +59,8 @@ logpath = /var/log/nginx/access.log
maxretry = 20 maxretry = 20
findtime = 600 findtime = 600
bantime = 900 bantime = 900
action = iptables-multiport[name=nginx-lenient]
nginx-banned-ips
EOL EOL
echo "fail2ban setup for Nginx errors completed with strict, moderate, and lenient jails." echo "fail2ban setup for Nginx errors completed with strict, moderate, and lenient jails."


@ -52,6 +52,8 @@ logpath = /var/log/mysql/error.log
maxretry = 10 maxretry = 10
findtime = 600 findtime = 600
bantime = 3600 bantime = 3600
action = iptables-multiport[name=mysql]
nginx-banned-ips
EOL EOL
# Ensure fail2ban can read the MySQL log # Ensure fail2ban can read the MySQL log


@ -6,77 +6,34 @@ if [ "$EUID" -ne 0 ]; then
exit 1 exit 1
fi fi
# Add NGINX repository # Create banned IPs file
echo "Adding NGINX repository..." echo "Creating banned IPs file..."
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \ touch /etc/nginx/conf.d/banned_ips.conf
| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null chown www-data:www-data /etc/nginx/conf.d/banned_ips.conf
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ # Create NGINX configuration for fail2ban check
http://nginx.org/packages/ubuntu $(lsb_release -cs) nginx" \ echo "Creating NGINX configuration..."
| sudo tee /etc/apt/sources.list.d/nginx.list tee /etc/nginx/conf.d/10-fail2ban-check.conf << 'CONFFILE'
map $http_cf_connecting_ip $is_banned {
# Update package lists default 0;
apt-get update include /etc/nginx/conf.d/banned_ips.conf;
# Install requirements
echo "Installing required packages..."
apt-get install -y nginx-extras nginx-module-njs
# Add load_module directive to nginx.conf if not present
echo "Adding load_module directive to nginx.conf if needed..."
if ! grep -q "^load_module.*ngx_http_js_module.so" /etc/nginx/nginx.conf; then
# Create temporary file
sed '/^events {/i load_module /usr/lib/nginx/modules/ngx_http_js_module.so;' /etc/nginx/nginx.conf > /tmp/nginx.conf.tmp
# Check if the modification was successful
if nginx -t -c /tmp/nginx.conf.tmp; then
mv /tmp/nginx.conf.tmp /etc/nginx/nginx.conf
else
rm /tmp/nginx.conf.tmp
echo "Failed to modify nginx.conf safely. Please add 'load_module /usr/lib/nginx/modules/ngx_http_js_module.so;' manually."
exit 1
fi
fi
# Create the fail2ban check script
echo "Creating fail2ban check script..."
tee /usr/local/bin/check_fail2ban.sh << 'SCRIPT'
#!/bin/bash
IP="$1"
# Get list of all active jails
JAILS=$(fail2ban-client status | grep "Jail list:" | sed "s/^[^:]*:[ \t]*//" | sed "s/,//g")
# Check each jail for the IP
for JAIL in $JAILS; do
if fail2ban-client status "$JAIL" | grep -q "IP list:\s*.*$IP"; then
exit 0 # IP is banned in at least one jail
fi
done
exit 1 # IP is not banned in any jail
SCRIPT
chmod +x /usr/local/bin/check_fail2ban.sh
chown www-data:www-data /usr/local/bin/check_fail2ban.sh
# Create the JavaScript module for NGINX
echo "Creating NGINX JavaScript module..."
mkdir -p /etc/nginx/modules-available/
tee /etc/nginx/modules-available/check_ban.js << 'JSMODULE'
function checkBan(r) {
var ip = r.variables.http_cf_connecting_ip;
var s = require('process').spawnSync('/usr/local/bin/check_fail2ban.sh', [ip]);
return s.status === 0 ? '1' : '0';
} }
CONFFILE
export default {checkBan}; # Create fail2ban action
JSMODULE echo "Creating fail2ban action..."
tee /etc/fail2ban/action.d/nginx-banned-ips.conf << 'ACTIONFILE'
[Definition]
actionstart =
actionstop =
actioncheck =
actionban = echo '<ip> 1;' >> /etc/nginx/conf.d/banned_ips.conf && nginx -s reload
actionunban = sed -i '/<ip>/d' /etc/nginx/conf.d/banned_ips.conf && nginx -s reload
ACTIONFILE
# Test NGINX configuration # Test NGINX configuration
echo "Testing NGINX configuration..." echo "Testing NGINX configuration..."
nginx -t nginx -t
# Restart services
echo "Restarting services..."
systemctl restart fail2ban
systemctl restart nginx
echo "Installation complete!" echo "Installation complete!"
echo "Please check /var/log/nginx/error.log for any issues." echo "Now add 'nginx-banned-ips' to the action line in your existing fail2ban jail configurations"
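Review bot: The `actionunban` at the end of the new ACTIONFILE heredoc uses the banned address as an unanchored `sed` regex, `sed -i '/<ip>/d'`, so the dots match any character and the pattern matches as a substring; unbanning 10.0.0.1 would also delete the lines for 10.0.0.11 or 110.0.0.1 and silently unban them. Anchor it to the exact line `actionban` writes, `actionunban = sed -i '/^<ip> 1;$/d' /etc/nginx/conf.d/banned_ips.conf && nginx -s reload`, and make the ban idempotent so bans re-applied after a fail2ban restart do not append duplicate map keys: `actionban = grep -qxF '<ip> 1;' /etc/nginx/conf.d/banned_ips.conf || { echo '<ip> 1;' >> /etc/nginx/conf.d/banned_ips.conf && nginx -s reload; }`. The `chown www-data:www-data /etc/nginx/conf.d/banned_ips.conf` near the top of the hunk is unnecessary and widens privilege: fail2ban appends to the file as root and the nginx master reads it as root, so giving the worker user write access to a fragment that is `include`d into the server configuration lets a compromised worker alter that map on the next reload — leave it root-owned and world-readable. The map keys on `$http_cf_connecting_ip`, a request header, so the ban only holds if nginx is reachable solely through Cloudflare or otherwise validates that header; the page does not show what prevents a directly connecting client from supplying its own value, which is worth confirming in the server configuration. `nginx -t` at the end of the hunk only validates the new configuration; with the restart lines removed nothing reloads nginx, so the map is not live until a reload, and the script's header lies above this hunk.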


@ -1,7 +0,0 @@
js_import /etc/nginx/modules-available/check_ban.js;
js_set $exec_check_ban check_ban.checkBan;
map $http_cf_connecting_ip $is_banned {
default 0;
"~.*" "${exec_check_ban $http_cf_connecting_ip}";
}