diff --git a/lib/lemper-create.sh b/lib/lemper-create.sh
index b2aeaa6..4ccd72e 100755
--- a/lib/lemper-create.sh
+++ b/lib/lemper-create.sh
@@ -1488,11 +1488,11 @@ function init_app() {
 # Enable fail2ban filter
 if [[ ${ENABLE_FAIL2BAN} == true ]]; then
- echo "Enable fail2ban's ${FRAMEWORK} filter for ${SERVERNAME}..."
+ echo "Enable Fail2ban ${FRAMEWORK^} filter for ${SERVERNAME}..."
 if [[ $(command -v fail2ban-client) && -f "/etc/fail2ban/filter.d/${FRAMEWORK}.conf" ]]; then
 cat > "/etc/fail2ban/jail.d/${SERVERNAME}.conf" <<_EOL_
-[${FRAMEWORK}]
+[${SERVERNAME}]
 enabled = true
 port = http,https
 filter = ${FRAMEWORK}
@@ -1500,6 +1500,9 @@ action = iptables-multiport[name=webapps, port="http,https", protocol=tcp]
 logpath = ${WEBROOT}/access_log
 maxretry = 3
 _EOL_
+
+ # Reload fail2ban
+ run service fail2ban reload
 else
 info "Fail2ban or filter is not installed. Please install it first."
 fi
diff --git a/lib/lemper-manage.sh b/lib/lemper-manage.sh
index 310fed0..b7b126a 100755
--- a/lib/lemper-manage.sh
+++ b/lib/lemper-manage.sh
@@ -134,6 +134,10 @@ Options:
 Disable virtual host.
 -e, --enable
 Enable virtual host.
+ -F, --enable-fail2ban
+ Enable fail2ban jail.
+ --disable-fail2ban
+ Disable fail2ban jail.
 -g, --enable-gzip
 Enable Gzip compression.
 -p, --enable-pagespeed
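Review bot: Every vhost jail this hunk now names `[${SERVERNAME}]` still drives the same iptables chain, because the action line (visible here only as the header context of the next hunk) fixes `name=webapps`, so all vhost jails share `f2b-webapps`. fail2ban's iptables actions create that chain when a jail starts and flush and delete it when a jail stops, so stopping or reloading one vhost's jail can clear the bans another vhost's jail holds, and the second jail to start finds the chain already present. The `name` parameter defaults to the jail's own name when omitted, so dropping `name=webapps, ` or writing `name=${SERVERNAME}` gives each jail its own chain. The heredoc in the `enable_fail2ban` hunk of lib/lemper-manage.sh carries the same action line. init_app begins before and continues after this hunk.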
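Review bot: The reload on the last added line runs without checking that `${WEBROOT}/access_log` exists, and fail2ban refuses to start a jail whose `logpath` matches no file, so a wrong WEBROOT only shows up as an error in fail2ban's own log while this script continues; whether `run` surfaces a non-zero status from `service fail2ban reload` cannot be seen in this diff. Adding `-f "${WEBROOT}/access_log"` to the `if [[ $(command -v fail2ban-client) && -f ... ]]` test that precedes the heredoc (outside this hunk) keeps a jail file that can never start from being written in the first place. The `enable_fail2ban` hunk in lib/lemper-manage.sh has the same gap. init_app continues past this hunk.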
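Review bot: The usage text now advertises `-F, --enable-fail2ban` and `--disable-fail2ban`, but nothing in this diff parses either option or defines a disable counterpart to the `enable_fail2ban` function added later in this file; unless the option handling lives in a part of lib/lemper-manage.sh or another file not shown here, the help describes two switches the script does not accept. Either add the case arms that dispatch to `enable_fail2ban` (and a function that removes `/etc/fail2ban/jail.d/<vhost>.conf` and reloads) or leave the `--disable-fail2ban` entry out until that function exists.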
@@ -295,6 +299,40 @@ function remove_vhost() {
 reload_nginx
 }
+
+function enable_fail2ban() {
+ # Verify user input hostname (domain name)
+ verify_vhost "${1}"
+
+ echo "Enabling Fail2ban ${FRAMEWORK^} filter for ${1}..."
+
+ # Get web root path from vhost config, first.
+ #shellcheck disable=SC2154
+ local WEBROOT && \
+ WEBROOT=$(grep -wE "set\ \\\$root_path" "/etc/nginx/sites-available/${1}.conf" | awk '{print $3}' | cut -d'"' -f2)
+
+ if [[ ! -d ${WEBROOT} ]]; then
+ read -rp "Enter real path to website root directory containing your access_log file: " -i "${WEBROOT}" -e WEBROOT
+ fi
+
+ if [[ $(command -v fail2ban-client) && -f "/etc/fail2ban/filter.d/${FRAMEWORK}.conf" ]]; then
+ cat > "/etc/fail2ban/jail.d/${1}.conf" <<_EOL_
+[${1}]
+enabled = true
+port = http,https
+filter = ${FRAMEWORK}
+action = iptables-multiport[name=webapps, port="http,https", protocol=tcp]
+logpath = ${WEBROOT}/access_log
+maxretry = 3
+_EOL_
+
+ # Reload fail2ban
+ run service fail2ban reload
+ else
+ info "Fail2ban or filter is not installed. Please install it first."
+ fi
+}
+
 ##
 # Enable Nginx's fastcgi cache.
 #
diff --git a/scripts/install_fail2ban.sh b/scripts/install_fail2ban.sh
index 68038d2..e7b733d 100755
--- a/scripts/install_fail2ban.sh
+++ b/scripts/install_fail2ban.sh
@@ -87,11 +87,17 @@ function init_fail2ban_install() {
 else
 SSH_PORT=${SSH_PORT:-22}
+ # Add Wordpress custom filter.
+ run cp -f etc/fail2ban/filter.d/wordpress.conf /etc/fail2ban/filter.d/
+
 # Enable jail
 cat > /etc/fail2ban/jail.local <<_EOL_
 [DEFAULT]
 # banned for 30 days
-bantime = 2592000
+bantime = 30d
+
+# ignored ip (googlebot) - https://ipinfo.io/AS15169
+ignoreip = 66.249.64.0/19 66.249.64.0/20 66.249.80.0/22 66.249.84.0/23 66.249.88.0/24
 [sshd]
 enabled = true
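Review bot: `${FRAMEWORK}` is read on the echo line, in the filter-existence test and on the `filter =` line of the heredoc, but nothing in `enable_fail2ban` assigns it and the `#shellcheck disable=SC2154` only hides the warning; unless the caller sets it, the test becomes `-f "/etc/fail2ban/filter.d/.conf"`, which is false, and the user is told the filter is not installed when the real problem is a missing framework name. A guard such as `: "${FRAMEWORK:?framework name is not set}"` right after `verify_vhost`, or taking the framework as a second argument, makes the failure explicit. The `read -rp` fallback also accepts the typed path without repeating the `-d` check, so an empty or mistyped answer still ends up in `logpath`, and the `local WEBROOT && \` continuation reads more naturally as `local WEBROOT` on its own line followed by the assignment.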
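Review bot: `ignoreip` is added under `[DEFAULT]`, so the Googlebot ranges are exempt from every jail in this file, including `[sshd]` just below, although the comment only justifies the exemption for web crawling; placing the line in the per-vhost web jails (the ones lib/lemper-create.sh writes) instead keeps SSH brute-force bans applying to those networks. Four of the five prefixes are already inside `66.249.64.0/19` (`66.249.64.0/20`, `66.249.80.0/22`, `66.249.84.0/23` and `66.249.88.0/24` all fall in 66.249.64.0–66.249.95.255), so the list reduces to the single /19, and the source URL in the comment is the right place to note that these ranges change over time. `bantime = 30d` uses the time-unit syntax that, as far as I recall, fail2ban accepts only from 0.10 onward, so an older packaged fail2ban would reject the value; worth confirming against the oldest supported distribution. `run cp -f etc/fail2ban/filter.d/wordpress.conf ...` is a path relative to the current directory, which presumably is the repository root when the installer runs. init_fail2ban_install begins before and continues after this hunk.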