
Add Fail2ban support #65

Merged
merged 22 commits into from May 8, 2019

@lapineige (Member) commented Apr 24, 2019

Problem

  • Wallabag is not protected by fail2ban against brute force
    See #37

Solution

  • Add fail2ban config.

The number of retries is set to 5; I think it allows users to make a reasonable number of errors while restricting brute force possibilities.

Warning: this PR will drop support for versions older than 3.5, in particular Yunohost 2.7 (Debian 8).

PR Status

  • Code finished.
  • Tested with Package_check.
  • Fix or enhancement tested.
  • Upgrade from last version tested.
  • Can be reviewed and tested.

Validation

Minor decision

  • Upgrade previous version :
  • Code review : Maniack C
  • Approval (LGTM) : Maniack C
  • Approval (LGTM) : JimboJoe
  • CI succeeded :
    When the PR is marked as ready to merge, you have to wait for 3 days before really merging it.

maniackcrudelis and others added some commits Jul 7, 2018

Readme: Add welcome UI screenshot
It's always nice to have a quick look at the UI of the software you're going to install :)
Testing (#56)
* Fix 413 request entity too large (#55)

* [fix] 413 Request Entity Too Large

* Remove ini file for php (#57)

Have a look at YunoHost-Apps/nextcloud_ynh#138 for more information
Add fail2ban config during upgrade
To make sure any older version will get fail2ban support
Update minimum version to 3.5
This is needed for fail2ban helpers

@lapineige lapineige requested review from JimboJoe and maniackcrudelis and removed request for JimboJoe Apr 24, 2019

@lapineige lapineige changed the base branch from testing to master Apr 24, 2019

@lapineige (Member Author) commented Apr 24, 2019

Changed the base branch to master, as it is a high priority issue; we can't wait for testing to be merged.

lapineige added some commits Apr 24, 2019

@lapineige (Member Author) commented Apr 24, 2019

I fixed the regex conf, at first I did not understand how to configure it correctly.

I tried a fresh install + removal, it works. Fail2ban seems to be active: after 5 failed login attempts, the login page doesn't load.

It's ready for review.

@maniackcrudelis maniackcrudelis changed the base branch from master to testing Apr 27, 2019

@maniackcrudelis (Contributor) commented Apr 27, 2019

Adding fail2ban is a good improvement, not a security issue that needs to be fixed quickly.

@lapineige (Member Author) commented May 1, 2019

Ok, only upgrade from this version fails…

I found the issue: I fixed the regex syntax in the install script, but not in the upgrade one.
Should be fixed now.

@lapineige lapineige requested a review from maniackcrudelis May 1, 2019

lapineige added some commits May 1, 2019

Improve regex - install
This allows an empty username (not possible, but may still block some extra brute force spammers) and usernames with spaces
Improve regex - upgrade
This allows an empty username (not possible, but may still block some extra brute force spammers) and usernames with spaces
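An added example, not code from this PR or from the wallabag_ynh package, illustrating the two points above: the maxretry of 5 from the PR description, and why the "Improve regex" commits relax the username part of the failregex. It expands fail2ban's <HOST> tag the way fail2ban does, runs a failregex over constructed log lines (the log line format is assumed for illustration, not wallabag's real one) and applies maxretry/findtime counting; the two regexes and all sample data are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban replaces the <HOST> tag with a capture group for the client address before compiling.
HOST_TAG = r"(?P<host>[0-9A-Fa-f:.]+)"
TIMESTAMP_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")


def compile_failregex(failregex):
    """Expand fail2ban's <HOST> placeholder and compile the filter."""
    return re.compile(failregex.replace("<HOST>", HOST_TAG))


def hosts_to_ban(lines, failregex, maxretry=5, findtime=timedelta(minutes=10)):
    """Return the hosts with at least `maxretry` failregex matches inside any `findtime` window."""
    pattern = compile_failregex(failregex)
    hits = defaultdict(list)
    for line in lines:
        match = pattern.search(line)
        stamp = TIMESTAMP_RE.match(line)
        if not match or not stamp:
            continue  # not a failed login, or no parsable timestamp
        hits[match.group("host")].append(datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S"))
    banned = set()
    for host, times in hits.items():
        times.sort()
        # sliding window: the maxretry-th hit must fall within findtime of the first one
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.add(host)
                break
    return banned


# Constructed sample log; the format is assumed, not wallabag's actual prod.log format.
SAMPLE_LOG = """\
[2019-05-04 10:00:01] security.INFO: Authentication request failed for user "alice" from 203.0.113.7
[2019-05-04 10:00:05] security.INFO: Authentication request failed for user "bob" from 203.0.113.7
[2019-05-04 10:00:09] security.INFO: Authentication request failed for user "" from 203.0.113.7
[2019-05-04 10:00:14] security.INFO: Authentication request failed for user "john doe" from 203.0.113.7
[2019-05-04 10:00:20] security.INFO: Authentication request failed for user "alice" from 203.0.113.7
[2019-05-04 10:00:25] security.INFO: Authentication request failed for user "alice" from 198.51.100.3
[2019-05-04 10:00:30] security.INFO: User "alice" has been authenticated successfully from 198.51.100.3
[2019-05-04 10:30:00] security.INFO: Authentication request failed for user "alice" from 198.51.100.3
""".splitlines()

# Requires a non-empty, space-free username: the empty and "john doe" attempts above are not counted.
NARROW_FAILREGEX = r'^\[.*?\] security\.INFO: Authentication request failed for user "\S+" from <HOST>$'
# Accepts an empty username or one containing spaces, as the "Improve regex" commits do.
BROAD_FAILREGEX = r'^\[.*?\] security\.INFO: Authentication request failed for user ".*" from <HOST>$'
```

With the narrow regex 203.0.113.7 only reaches 3 counted failures and is never banned; with the broad one it reaches 5 within the window and is banned, while 198.51.100.3 stays below maxretry either way.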
@JimboJoe (Contributor) commented May 4, 2019

Upgrade is still failing on the CI.

Warning: yunohost.hook <lambda> - [3344.1] Job for fail2ban.service failed because the control process exited with error code.
Warning: yunohost.hook <lambda> - [3344.1] See "systemctl status fail2ban.service" and "journalctl -xe" for details.
Warning: yunohost.hook <lambda> - [3344.1] !!
Warning: yunohost.hook <lambda> - [3344.1]   wallabag2's script has encountered an error. Its execution was cancelled.
Warning: yunohost.hook <lambda> - [3344.1] !!
Warning: yunohost.hook <lambda> - [3344.1] ./upgrade: line 61: ynh_backup_after_failed_upgrade: command not found
@lapineige (Member Author) commented May 4, 2019

But we don't have the log for fail2ban… :(

@JimboJoe (Contributor) commented May 4, 2019

Isn't the problem reproducible with package_check in your environment?

@lapineige (Member Author) commented May 4, 2019

How do I use it?

@JimboJoe (Contributor) commented May 4, 2019

As an app maintainer, you will love package_check! Have a look at the README, you can install it on your test server/VM. It's been developed mainly by @maniackcrudelis, and it's what produces the results of the CI.

@lapineige (Member Author) commented May 4, 2019

I don't have any VM or test server for that :/

@JimboJoe (Contributor) commented May 4, 2019

Then you'll be interested in this forum post 😉

@lapineige (Member Author) commented May 4, 2019

Ok, I tried again on my main server (backup + remove old wallabag + install master + upgrade to this branch), the error is:

No file(s) found for glob /var/www/wallabag2/var/logs/prod.log

I fixed that in the install script, but not in the upgrade script 😅
I'll do it.

@JimboJoe (Contributor) commented May 5, 2019

By the way, more relevant link here to use the CI available for app packagers 😉

@lapineige (Member Author) commented May 5, 2019

CI is succeeding right now.

Let's merge?

@JimboJoe (Contributor) left a review comment

LGTM 👍

@JimboJoe (Contributor) commented May 5, 2019

Can be merged in 3 days (if @maniackcrudelis confirms his code review after late changes)

@JimboJoe referenced this pull request May 5, 2019: Update to 2.3.7 #61 (Merged, 7 of 8 tasks complete)
@JimboJoe (Contributor) commented May 5, 2019

Can be merged in 3 days.

@lapineige (Member Author) commented May 5, 2019

Thanks @maniackcrudelis for the improvements :)

@lapineige lapineige merged commit ae76c98 into testing May 8, 2019

@lapineige lapineige deleted the fail2ban branch May 8, 2019

@maniackcrudelis referenced this pull request May 13, 2019: Testing #70 (Merged, 7 of 8 tasks complete)