add fail2ban vhost jail

2026-04-13 08:28:21 +00:00 · 2020-05-04 23:29:43 +07:00
parent 8460685e2d
commit 1eff80c18e
1 changed files with 25 additions and 0 deletions
--- a/lib/lemper-create.sh
+++ b/lib/lemper-create.sh
@@ -150,6 +150,8 @@ Options:
      Enable FastCGI cache module.
  -D, --dryrun
      Dry run mode, only for testing.
+  -F, --enable-fail2ban
+      Enable fail2ban filter. 
  -s, --clone-skeleton
      Clone default skeleton for selected framework.
  -S, --enable-https
@@ -900,6 +902,7 @@ function init_app() {
    ENABLE_PAGESPEED=false
    ENABLE_HTTPS=false
    ENABLE_WILDCARD_DOMAIN=false
+    ENABLE_FAIL2BAN=false
    TMPDIR="/tmp/lemper"

    # Test mode
@@ -950,6 +953,9 @@ function init_app() {
            -D | --dryrun) shift
                DRYRUN=true
            ;;
+            -F | --enable-fail2ban) shift
+                DRYRUN=true
+            ;;
            -h | --help) shift
                show_usage
                exit 0
@@ -1480,6 +1486,25 @@ function init_app() {
                    fi
                fi

+                # Enable fail2ban filter
+                if [[ ${ENABLE_FAIL2BAN} == true ]]; then
+                    echo "Enable fail2ban's ${FRAMEWORK} filter for ${SERVERNAME}..."
+
+                    if [[ -n $(command -v fail2ban-client) && -f "/etc/fail2ban/filter.d/${FRAMEWORK}" ]]; then
+                        cat > "/etc/fail2ban/jail.d/${SERVERNAME}.conf" <<_EOL_
+[${FRAMEWORK}]
+enabled = true
+port = http,https
+filter = ${FRAMEWORK}
+action = iptables-multiport[name=webapps, port="http,https", protocol=tcp]
+logpath = ${WEBROOT}/access_log
+maxretry = 3
+_EOL_
+                    else
+                        info "Fail2ban is not installed. Please install it first."
+                    fi
+                fi
+
                echo "Fix files ownership and permission..."

                # Fix document root ownership.