[enh] Add fail2ban helpers #364
Conversation
|
As anyone tested those? I have no knowledge of fail2ban. |
|
At the moment, only the (nearly official) Piwigo application implemented it. So maybe should we wait for a couple of other successful implementations to merge it...? |
|
As far as I know, fail2ban's conf format changed in Stretch so that might affect these helpers :s |
Any update on that? |
|
It's currently being implemented in Wordpress, and has evolved here. |
|
About this : we should be careful that the fail2ban conf format changed a bit in stretch and is backward-incompatible. I don't know if these helpers are affected... but right now, the step in the stretch migration is to remove all existing fail2ban conf and regenerate it from scratch :s |
|
Bumpitybump, is there any update on this ? Are the helpers stable enough to be considered merged in the core ? (Do they work on Stretch ?) |
|
I've updated the helpers to be on-par with the ones from Experimental_helpers. |
Yes indeed :s |
|
This helper currently only works on Stretch... |
|
Not a problem if it only works on Stretch, we could merged it only in stretch... |
|
We are now on stretch, shouldn't we merge this? |
data/helpers.d/backend
Outdated
| finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf" | ||
| finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf" | ||
| ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1 | ||
| ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1 |
There was a problem hiding this comment.
Is anyone know why is there a '1' as a second argument for this helper ?
I can't find any version of ynh_backup_if_checksum_is_different with a second argument.
This is crashing getopts, which is another problem to fix
|
@YunoHost/apps |
|
Bump @YunoHost/apps , it'd be nice to have this for 3.5 :s (in particular, @Josue-T , it was noted "Josue will have a look at integrating fail2ban in his apps, which requires to have several regex instead of just one. He'll iterate on the design." 😅 so if you happen to have time to work on this that'd be great !) |
|
Yes, I might find some time for that in theses next 2 weeks. |
…tations Using a template file make more easy to use a custom failregex. It also give the possiblitity to use custom settings in the fail2ban config
|
Now I updated the helper. Tested on synapse |
|
@Josue-T that's a completely different helper ! Maybe for synapse you need to use a template, but most of the apps don't need that and works perfectly with the previous version of this helper. |
|
It's just more like the helper nginx. I think it's the last time change the way how this helper work. And I think that probably many apps need more flexibility than what this helper provided. |
|
If you really want to keep first idea. We can make a helper |
|
nginx doesn't have a standard config, each app has a different config. Anyway, except synapse, no app is using a template for fail2ban. And so far we don't need to add that in apps. So we should keep that helper as simple to use as we can. So, like it was. Again, if you need a template feature for synapse with fail2ban, I agree to ADD this to the helper. But, this shouldn't break the way the helper was working so far. So, add 2 arguments to the helper, one for using a template, another for adding other variables. That's a good thing for those who could need a specific fail2ban config. But do not break the helper because you need a specific way to handle the config. |
|
Now there are the 2 possibility |
|
LGTM, but not tested. |
|
Bump @YunoHost/apps |
|
Let's merge in 3 days |
|
Thanks for the review folks, finally sounds like we gonna merge this \o/
|
Problems
To enhance applications protection against hackers/spammers, etc., we can propose helpers to ease the creating of fail2ban jails.
Solution
Add
ynh_add_fail2ban_configandynh_remove_fail2ban_confighelpers.A successful implementation example is the piwigo app.
PR Status
Working, but opinion welcome!
And should be implemented in other applications to validate its principle.
Validation