From 2a6de08f75fb0058bda1e3e4d58f3db13d50337f Mon Sep 17 00:00:00 2001 From: Bram Prieshof Date: Wed, 9 Dec 2020 13:29:25 +0100 Subject: [PATCH] Fixed fail2ban and replaced cent8 with el8 --- CMS/nextcloud/conf.sh | 2 +- CMS/none/conf.sh | 2 +- CMS/wordpress/conf.sh | 2 +- CoreModules/generic/conf.sh | 13 ++++++++-- CoreModules/generic/preconf.sh | 2 +- Scripts/GeneratePhplist.sh | 2 +- Scripts/SMI.sh | 2 +- SubModules/php-fpm/conf.sh | 2 +- SubModules/php-fpm/preconf.sh | 2 +- SubModules/redis/preconf.sh | 2 +- config/fail2ban/action.d/ufw.conf | 42 +++++++++++++++++++++++++++++++ installer.sh | 2 +- 12 files changed, 63 insertions(+), 12 deletions(-) create mode 100644 config/fail2ban/action.d/ufw.conf diff --git a/CMS/nextcloud/conf.sh b/CMS/nextcloud/conf.sh index 73e6b14..d6e78d5 100644 --- a/CMS/nextcloud/conf.sh +++ b/CMS/nextcloud/conf.sh @@ -39,7 +39,7 @@ EOF #Setting Permsissions chown "$sitename":"$sitename" -R /var/www/"$domain"/html -if [ "$shortdist" = "cent8" ]; then +if [ "$shortdist" = "el8" ]; then #Setting SeLiux perms for centos semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/$domain/html(/.*)?" > $OUTPUT 2>&1 restorecon -vr /var/www/ > $OUTPUT 2>&1 diff --git a/CMS/none/conf.sh b/CMS/none/conf.sh index cf3e561..4a424cf 100644 --- a/CMS/none/conf.sh +++ b/CMS/none/conf.sh @@ -18,7 +18,7 @@ echo "$webserv has been succsefully installed by the Wi #Setting Permsissions chown "$sitename":"$sitename" -R /var/www/"$domain"/html -if [ "$shortdist" = "cent8" ]; then +if [ "$shortdist" = "el8" ]; then #Setting SeLiux perms for centos semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/$domain/html(/.*)?" > $OUTPUT 2>&1 restorecon -vr /var/www/ > $OUTPUT 2>&1 diff --git a/CMS/wordpress/conf.sh b/CMS/wordpress/conf.sh index 15b5d91..4e49c1b 100644 --- a/CMS/wordpress/conf.sh +++ b/CMS/wordpress/conf.sh 
@@ -48,7 +48,7 @@ fi #Setting Permsissions chown "$sitename":"$sitename" -R /var/www/"$domain"/html -if [ "$shortdist" = "cent8" ]; then +if [ "$shortdist" = "el8" ]; then #Setting SeLiux perms for centos semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/$domain/html(/.*)?" > $OUTPUT 2>&1 restorecon -vr /var/www/ > $OUTPUT 2>&1 diff --git a/CoreModules/generic/conf.sh b/CoreModules/generic/conf.sh index edd1117..a29d275 100644 --- a/CoreModules/generic/conf.sh +++ b/CoreModules/generic/conf.sh @@ -1,7 +1,7 @@ ##----------## # Centos # ##----------## -if [ "$shortdist" = "cent8" ]; then +if [ "$shortdist" = "el8" ]; then #SeLinux semanage port -a -t ssh_port_t -p tcp 4242 systemctl enable ufw > $OUTPUT 2>&1 @@ -14,7 +14,7 @@ fi # UFW # ##-------## -if [ "$shortdist" = "cent8" ]; then +if [ "$shortdist" = "el8" ]; then sed -i -e '/tuple/d' -e '/dapp/d' /usr/share/ufw/iptables/user.rules sed -i -e '/tuple/d' -e '/dapp/d' /usr/share/ufw/iptables/user6.rules echo "y" | ufw reset > $OUTPUT 2>&1 @@ -42,6 +42,15 @@ curl --retry 7 --retry-delay 5 -s "$repo"/raw/"$branchtype"/"$branch"/config/fai curl --retry 7 --retry-delay 5 -s https://plugins.svn.wordpress.org/wp-fail2ban/trunk/filters.d/wordpress-hard.conf -o /etc/fail2ban/filter.d/wordpress-hard.local curl --retry 7 --retry-delay 5 -s https://plugins.svn.wordpress.org/wp-fail2ban/trunk/filters.d/wordpress-soft.conf -o /etc/fail2ban/filter.d/wordpress-soft.local +if [ "$shortdist" = "el8" ]; then + curl --retry 7 --retry-delay 5 -s "$repo"/raw/"$branchtype"/"$branch"/config/fail2ban/Filters/action.d/ufw.conf -o /etc/fail2ban/action.d/ufw.conf + ln -s /var/log/secure /var/log/auth.log +fi + +#Start fail2ban service +systemctl start fail2ban +systemctl enable fail2ban + #General jails rm /etc/fail2ban/jail.d/* curl --retry 7 --retry-delay 5 -s "$repo"/raw/"$branchtype"/"$branch"/config/fail2ban/Jails/sshd.jail -o /etc/fail2ban/jail.d/sshd.local 
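Review bot: The new el8 branch in CoreModules/generic/conf.sh downloads the action from `config/fail2ban/Filters/action.d/ufw.conf`, but this commit creates the file at `config/fail2ban/action.d/ufw.conf`, so unless the repository also serves it under `Filters/` the request will not find it. Because curl runs with `-s` and without `--fail`, an HTTP error page would then be written to `/etc/fail2ban/action.d/ufw.conf` and the ban action would be broken with no visible error; I would use `curl --retry 7 --retry-delay 5 -fsS "$repo"/raw/"$branchtype"/"$branch"/config/fail2ban/action.d/ufw.conf -o /etc/fail2ban/action.d/ufw.conf` and abort the install when it fails. `systemctl start fail2ban` also runs before the jails below are removed and re-downloaded, so the service presumably needs a restart or reload after that step (not visible in this hunk) before the new jails are enforced. `ln -s /var/log/secure /var/log/auth.log` fails on a second run; `ln -sfn` keeps the script re-runnable.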
diff --git a/CoreModules/generic/preconf.sh b/CoreModules/generic/preconf.sh index e7379ee..1f2e951 100644 --- a/CoreModules/generic/preconf.sh +++ b/CoreModules/generic/preconf.sh @@ -31,7 +31,7 @@ if [ "$shortdist" = "ubu1804" ] || [ "$osrel" = "ubu2004" ] || [ "$osrel" = "deb if dpkg-query -Wf'${db:Status-abbrev}' postfix 2>/dev/null | grep -q '^i'; then apt purge -y postfix > $OUTPUT 2>&1; fi -elif [ "$shortdist" = "cent8" ]; then +elif [ "$shortdist" = "el8" ]; then ################ # Centos # ################ diff --git a/Scripts/GeneratePhplist.sh b/Scripts/GeneratePhplist.sh index a814e45..b31f088 100644 --- a/Scripts/GeneratePhplist.sh +++ b/Scripts/GeneratePhplist.sh @@ -7,7 +7,7 @@ if [ "$shortdist" = "ubu1804" ] || [ "$osrel" = "ubu2004" ] || [ "$osrel" = "deb phpMainConf=/etc/php/${phpver}/fpm/php.ini phpFPMService=php${phpver}-fpm -elif [ "$shortdist" = "cent8" ]; then +elif [ "$shortdist" = "el8" ]; then # Centos Php variable phpPoolDir=/etc/opt/remi/php${phpver//.}/php-fpm.d/ phpPkgName=php${phpver//.}-php diff --git a/Scripts/SMI.sh b/Scripts/SMI.sh index ce79f09..06ac178 100644 --- a/Scripts/SMI.sh +++ b/Scripts/SMI.sh @@ -50,7 +50,7 @@ elif [[ "${dist}" == *"centos"* ]] && [[ "${dist_ver}" == *"8"* ]]; then PKGM="dnf" PKGI="${PKGM} install --setopt=install_weak_deps=False --best -y" PKGLIST="dnf" - shortdist=cent8 + shortdist=el8 echo "This OS is not supported" exit else diff --git a/SubModules/php-fpm/conf.sh b/SubModules/php-fpm/conf.sh index c0820fc..204ab22 100644 --- a/SubModules/php-fpm/conf.sh +++ b/SubModules/php-fpm/conf.sh 
@@ -15,7 +15,7 @@ sed -i 's/upload_max_filesize = 2/upload_max_filesize = 128/g' "$phpMainConf" sed -i 's/post_max_size = 8/post_max_size = 64/g' "$phpMainConf" -if [ "$shortdist" = "cent8" ]; then +if [ "$shortdist" = "el8" ]; then # Centos Mysql config echo "pdo_mysql.default_socket = '/var/run/mysqld/mysqld.sock'" >> /etc/opt/remi/php${phpver//.}/php.d/60-mysql_sock.ini echo "mysql.default_socket = '/var/run/mysqld/mysqld.sock'" >> /etc/opt/remi/php${phpver//.}/php.d/60-mysql_sock.ini diff --git a/SubModules/php-fpm/preconf.sh b/SubModules/php-fpm/preconf.sh index 6ab7b7f..db90f43 100644 --- a/SubModules/php-fpm/preconf.sh +++ b/SubModules/php-fpm/preconf.sh @@ -5,7 +5,7 @@ if [ "$shortdist" = "ubu1804" ] || [ "$osrel" = "ubu2004" ] || [ "$osrel" = "deb phpMainConf=/etc/php/${phpver}/fpm/php.ini phpFPMService=php${phpver}-fpm -elif [ "$shortdist" = "cent8" ]; then +elif [ "$shortdist" = "el8" ]; then # Centos Php variable phpPoolDir=/etc/opt/remi/php${phpver//.}/php-fpm.d/ phpPkgName=php${phpver//.}-php diff --git a/SubModules/redis/preconf.sh b/SubModules/redis/preconf.sh index f868b2d..a94f95a 100644 --- a/SubModules/redis/preconf.sh +++ b/SubModules/redis/preconf.sh @@ -4,7 +4,7 @@ if [ "$shortdist" = "ubu1804" ] || [ "$osrel" = "ubu2004" ] || [ "$osrel" = "deb # Debian/Ubunbtu redis variables redisService=redis-server -elif [ "$shortdist" = "cent8" ]; then +elif [ "$shortdist" = "el8" ]; then # Centos redis variable redisService=redis fi diff --git a/config/fail2ban/action.d/ufw.conf b/config/fail2ban/action.d/ufw.conf new file mode 100644 index 0000000..d2f731f --- /dev/null +++ b/config/fail2ban/action.d/ufw.conf 
@@ -0,0 +1,42 @@ +# Fail2Ban action configuration file for ufw +# +# You are required to run "ufw enable" before this will have any effect. +# +# The insert position should be appropriate to block the required traffic. +# A number after an allow rule to the application won't be of much use. + +[Definition] + +actionstart = + +actionstop = + +actioncheck = + +actionban = [ -n "" ] && app="app " + ufw insert from to $app + +actionunban = [ -n "" ] && app="app " + ufw delete from to $app + +[Init] +# Option: insertpos +# Notes.: The position number in the firewall list to insert the block rule +insertpos = 1 + +# Option: blocktype +# Notes.: reject or deny +blocktype = reject + +# Option: destination +# Notes.: The destination address to block in the ufw rule +destination = any + +# Option: application +# Notes.: application from sudo ufw app list +application = + +# DEV NOTES: +# +# Author: Guilhem Lettron +# Enhancements: Daniel Black diff --git a/installer.sh b/installer.sh index 4d84c74..70efcfe 100644 --- a/installer.sh +++ b/installer.sh @@ -63,7 +63,7 @@ elif [[ "${dist}" == *"centos"* ]] && [[ "${dist_ver}" == *"8"* ]]; then PKGUP="$PKGM update -y" PKGI="${PKGM} install --setopt=install_weak_deps=False --best -y" PKGLIST="dnf" - shortdist=cent8 + shortdist=el8 echo "The support for this os is being worked on" else echo "This os in not supported"
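Review bot: The vendored config/fail2ban/action.d/ufw.conf does not record which fail2ban release it was copied from, which makes it hard to tell later whether upstream fixes to the ufw action have been picked up; a header line such as `# Source: fail2ban upstream action.d/ufw.conf, version UPSTREAM_VERSION_PLACEHOLDER` would cover that. As displayed here, `actionban` and `actionunban` read `[ -n "" ]` and `ufw insert from to $app`, with no angle-bracket tags for the banned address or the Init options (insertpos, blocktype, destination, application); that is probably lost in rendering, but the committed file should be checked, since without those tags no usable ufw rule is produced. `actionstart` and `actioncheck` are empty, so fail2ban will not notice when ufw is inactive, which matters because the file's own header says bans have no effect until `ufw enable` has run.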