[enh] Add fail2ban helpers #364
Conversation
Has anyone tested those? I have no knowledge of fail2ban.
At the moment, only the (nearly official) Piwigo application implemented it. So maybe we should wait for a couple of other successful implementations to merge it...?
As far as I know, fail2ban's conf format changed in Stretch so that might affect these helpers :s
Any update on that?
It's currently being implemented in Wordpress, and has evolved here.
About this: we should be careful that the fail2ban conf format changed a bit in stretch and is backward-incompatible. I don't know if these helpers are affected... but right now, the step in the stretch migration is to remove all existing fail2ban conf and regenerate it from scratch :s
Bumpitybump, is there any update on this? Are the helpers stable enough to be considered merged in the core? (Do they work on Stretch?)
I've updated the helpers to be on-par with the ones from Experimental_helpers.
Yes indeed :s
This helper currently only works on Stretch...
Not a problem if it only works on Stretch, we could merge it only in stretch...
We are now on stretch, shouldn't we merge this?
data/helpers.d/backend
Outdated
finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf" | ||
finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf" | ||
ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1 | ||
ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1 |
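Review bot: Both `ynh_backup_if_checksum_is_different` calls pass a trailing positional `1` whose meaning is not documented anywhere in these lines; either drop it or add a comment saying what it selects, and check that the helper's argument parsing accepts it. Separately, `finalfail2banjailconf` and `finalfail2banfilterconf` are assigned here without `local`, so if these lines sit inside a helper function the names will leak into the calling script; declaring them `local` would avoid that.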
Does anyone know why there is a '1' as a second argument for this helper? I can't find any version of ynh_backup_if_checksum_is_different with a second argument. This is crashing getopts, which is another problem to fix.
@YunoHost/apps
Bump @YunoHost/apps, it'd be nice to have this for 3.5 :s (in particular, @Josue-T, it was noted "Josue will have a look at integrating fail2ban in his apps, which requires to have several regex instead of just one. He'll iterate on the design." 😅 so if you happen to have time to work on this that'd be great!)
Yes, I might find some time for that in these next 2 weeks.
…tations Using a template file makes it easier to use a custom failregex. It also gives the possibility to use custom settings in the fail2ban config
Now I updated the helper. Tested on synapse
@Josue-T that's a completely different helper! Maybe for synapse you need to use a template, but most of the apps don't need that and work perfectly with the previous version of this helper.
It's just more like the helper nginx. I think it's the last time we change the way this helper works. And I think that probably many apps need more flexibility than what this helper provided.
If you really want to keep the first idea. We can make a helper
nginx doesn't have a standard config, each app has a different config. Anyway, except synapse, no app is using a template for fail2ban. And so far we don't need to add that in apps. So we should keep that helper as simple to use as we can. So, like it was. Again, if you need a template feature for synapse with fail2ban, I agree to ADD this to the helper. But, this shouldn't break the way the helper was working so far. So, add 2 arguments to the helper, one for using a template, another for adding other variables. That's a good thing for those who could need a specific fail2ban config. But do not break the helper because you need a specific way to handle the config.
Now there are the 2 possibilities
LGTM, but not tested.
Bump @YunoHost/apps
Not really reviewed but trusting you guys ... Would merge in a few days if no opposition (still would be nice to have other opinions from @YunoHost/apps)
Let's merge in 3 days
Problems
To enhance application protection against hackers/spammers, etc., we can propose helpers to ease the creation of fail2ban jails.
Solution
Add ynh_add_fail2ban_config and ynh_remove_fail2ban_config helpers. A successful implementation example is the piwigo app.
PR Status
Working, but opinion welcome!
And should be implemented in other applications to validate its principle.
Validation