Fixed Fail2Ban for centos

2020-12-09 21:35:01 +01:00
parent d6cebfefb2
commit 9e9211c475
10 changed files with 38 additions and 12 deletions
--- a/AppendCMS.sh
+++ b/AppendCMS.sh
@@ -8,7 +8,7 @@ if [ ! -f "/etc/ICTM/phpvar.list" ] ; then echo 'Php var list missing,Please run
 source /etc/ICTM/selopts.list
 source /etc/ICTM/mainvar.list
 source /etc/ICTM/phpvar.list
-if [ ! -f "/etc/ICTM/apachevar.list" ] ; then source /etc/ICTM/apachevar.list; fi
+if [ -f "/etc/ICTM/apachevar.list" ] ; then source /etc/ICTM/apachevar.list; fi
 rm /tmp/pkg.list > $OUTPUT 2>&1
 source <(curl --retry 7 --retry-delay 5 -s "$repo"/raw/"$branchtype"/"$branch"/ModulesMenu.list)

--- a/AppendModule.sh
+++ b/AppendModule.sh
@@ -12,6 +12,7 @@ if [ ! -f "/etc/ICTM/phpvar.list" ] ; then echo 'Php var list missing,Please run
 source /etc/ICTM/selopts.list
 source /etc/ICTM/mainvar.list
 source /etc/ICTM/phpvar.list
+if [ -f "/etc/ICTM/apachevar.list" ] ; then source /etc/ICTM/apachevar.list; fi
 rm /tmp/pkg.list
 source <(curl --retry 7 --retry-delay 5 -s "$repo"/raw/"$branchtype"/"$branch"/ModulesMenu.list)

--- a/CMS/nextcloud/conf.sh
+++ b/CMS/nextcloud/conf.sh
@@ -54,13 +54,8 @@ sed -i -e 's/SITEname/'$sitename'/' /etc/update-motd.d/51-nextnotice-"${sitename
 chmod +x /etc/update-motd.d/51-nextnotice-"${sitename//_}"


-#Nextcloud logging location
-mkdir /var/log/nextcloud
-chmod 774 -R /var/log/nextcloud
-ln -s /var/www/"$domain"/html/data/nextcloud.log /var/log/nextcloud/"$sitename"
-
 #fail2ban
 curl --retry 7 --retry-delay 5 -s "$repo"/raw/"$branchtype"/"$branch"/config/fail2ban/Jails/nextcloud_unconfigured -o /etc/fail2ban/jail.d/"$sitename"-nextcloud.local
-sed -i 's/SITEname/'$sitename'/' /etc/fail2ban/jail.d/"$sitename"-nextcloud.local
+sed -i 's/DOMain/'$domain'/' /etc/fail2ban/jail.d/"$sitename"-nextcloud.local

 systemctl reload "$phpFPMService"
--- a/CMS/wordpress/conf.sh
+++ b/CMS/wordpress/conf.sh
@@ -44,7 +44,7 @@ systemctl reload $phpFPMService
 if [ ! -f /etc/fail2ban/jail.d/wordpress-syslog.local ]; then
    curl --retry 7 --retry-delay 5 -s "$repo"/raw/"$branchtype"/"$branch"/config/fail2ban/Jails/wordpress-syslog.jail -o /etc/fail2ban/jail.d/wordpress-syslog.local
    if [ "$shortdist" = "el8" ]; then
-        sed -i '/logpath/c\logpath = /var/log/secure' /etc/fail2ban/jail.d/wordpress-syslog.local
+        sed -i '/logpath/c\logpath = /var/log/messages' /etc/fail2ban/jail.d/wordpress-syslog.local
    fi
 fi

--- a/CoreModules/generic/conf.sh
+++ b/CoreModules/generic/conf.sh
@@ -44,6 +44,10 @@ curl --retry 7 --retry-delay 5 -s https://plugins.svn.wordpress.org/wp-fail2ban/

 if [ "$shortdist" = "el8" ]; then
    curl --retry 7 --retry-delay 5 -s "$repo"/raw/"$branchtype"/"$branch"/config/fail2ban/action.d/ufw.conf -o /etc/fail2ban/action.d/ufw.conf
+    curl --retry 7 --retry-delay 5 -s "$repo"/raw/"$branchtype"/"$branch"/config/selinux/policies/fail2ban-allowhttpd.te -o /tmp/fail2ban-allowhttpd.te
+    checkmodule -M -m -o /tmp/fail2ban-allowhttpd.mod /tmp/fail2ban-allowhttpd.te
+    semodule_package -o /tmp/fail2ban-allowhttpd.pp -m /tmp/fail2ban-allowhttpd.mod
+    semodule -i /tmp/fail2ban-allowhttpd.pp
 fi

 #Start fail2ban service
--- a/SubModules/php-fpm/conf.sh
+++ b/SubModules/php-fpm/conf.sh
@@ -20,6 +20,7 @@ if [ "$shortdist" = "el8" ]; then
 echo "pdo_mysql.default_socket = '/var/run/mysqld/mysqld.sock'" >> /etc/opt/remi/php${phpver//.}/php.d/60-mysql_sock.ini
 echo "mysql.default_socket = '/var/run/mysqld/mysqld.sock'" >> /etc/opt/remi/php${phpver//.}/php.d/60-mysql_sock.ini
 echo "mysqli.default_socket = '/var/run/mysqld/mysqld.sock'" >> /etc/opt/remi/php${phpver//.}/php.d/60-mysql_sock.ini
+echo "d /run/php              0755 www-data www-data -   -" > /usr/lib/tmpfiles.d/php-custom.conf
 #Centos php Bin 
 sudo ln -s /usr/bin/php${phpver//.} /usr/bin/php
 #Centos SeLinux
--- a/SubModules/postfix/conf.sh
+++ b/SubModules/postfix/conf.sh
@@ -13,4 +13,6 @@ root:          $email
 EOF
 newaliases

-systemctl reload postfix postfix@- 
+systemctl start postfix 
+systemctl enable postfix
+systemctl reload postfix
--- a/SubModules/postfix/preconf.sh
+++ b/SubModules/postfix/preconf.sh
@@ -7,5 +7,7 @@ if [ -z "${domain}" ]; then
    fi
 fi

-debconf-set-selections <<< "postfix postfix/mailname string $domain"
-debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Internet Site'"
+if [ "$shortdist" = "ubu1804" ] || [ "$osrel" = "ubu2004" ] || [ "$osrel" = "deb10" ] ; then
+    debconf-set-selections <<< "postfix postfix/mailname string $domain"
+    debconf-set-selections <<< "postfix postfix/main_mailer_type string 'Internet Site'"
+fi
--- a/config/fail2ban/Jails/nextcloud_unconfigured
+++ b/config/fail2ban/Jails/nextcloud_unconfigured
@@ -6,4 +6,4 @@ filter = nextcloud
 maxretry = 15
 bantime = 900
 findtime = 900
-logpath = /var/log/nextcloud/SITEname
+logpath = /var/www/DOMain/html/data/nextcloud.log
--- a/config/selinux/policies/fail2ban-allowhttpd.te
+++ b/config/selinux/policies/fail2ban-allowhttpd.te
@@ -0,0 +1,21 @@
+module fail2ban-allowhttpd 1.1;
+
+require {
+	type httpd_sys_rw_content_t;
+        type fail2ban_t;
+        type syslogd_var_run_t;
+        type fail2ban_client_t;
+        class capability dac_override;
+        class dir { read getattr search ioctl };
+        class file { getattr read open search ioctl };
+}
+
+#============= fail2ban_client_t ==============
+allow fail2ban_client_t httpd_sys_rw_content_t:file getattr;
+allow fail2ban_client_t self:capability dac_override;
+
+#============= fail2ban_t ==============
+allow fail2ban_t httpd_sys_rw_content_t:dir { read getattr search ioctl };
+allow fail2ban_t httpd_sys_rw_content_t:file { read getattr open search ioctl };
+allow fail2ban_t syslogd_var_run_t:dir read;
+allow fail2ban_t syslogd_var_run_t:file { read getattr open };