fail2ban installer and refactoring for batch processing of scripts

README.md

@@ -23,9 +23,21 @@ Use QEMU to automatically generate Raspbian Images with Nextcloud
 ```
 git clone https://github.com/nachoparker/nextcloud-raspbian-generator.git
 cd nextcloud-raspbian-generator
-./install-image.sh 192.168.0.145 # change to your QEMU raspbian IP
+./install-nextcloud.sh 192.168.0.145 # change to your QEMU raspbian IP
 ```
 
+If we also want fail2ban in our image
+
+```
+./install-fail2ban.sh NextCloudPi_02-18-17.img 192.168.0.145 # change to your QEMU raspbian IP
+```
+
+Adjust for the image name generated in the first step.
+
 Get the image or find details and instructions at
 
 https://ownyourbits.com/2017/02/13/nextcloud-ready-raspberry-pi-image/
+
+More on the fail2ban installation
+
+https://ownyourbits.com/2017/02/24/nextcloudpi-fail2ban-installer/

fail2ban.sh

@@ -0,0 +1,133 @@
+#!/bin/bash
+
+# Fail2ban installation script for Raspbian 
+# Tested with 2017-01-11-raspbian-jessie.img (and lite)
+#
+# Copyleft 2017 by Ignacio Nunez Hernanz <nacho _a_t_ ownyourbits _d_o_t_ com>
+# GPL licensed (see end of file) * Use at your own risk!
+#
+# Usage:
+#   cat install-fail2ban.sh | sshpass -praspberry ssh pi@$IP
+#
+#   , or scp this file to a Raspberry Pi and run it from Raspbian
+#
+#   ./fail2ban.sh
+#
+# See the variables on the top of the script for tweaking
+
+sudo su
+
+NCLOG=/var/www/nextcloud/data/nextcloud.log     # location of Nextcloud logs
+BANTIME=600                                     # time to ban an IP that exceeded attempts
+FINDTIME=600                                    # cooldown time for incorrect passwords
+MAXRETRY=6                                      # bad attempts before banning an IP
+
+set -x
+set -e
+
+
+# INSTALLATION
+##########################################
+
+apt-get update
+apt-get install fail2ban -y
+
+touch /var/www/nextcloud/data/nextcloud.log
+chown -R www-data /var/www/nextcloud/data
+
+cd /var/www/nextcloud
+sudo -u www-data php occ config:system:set loglevel --value=2
+sudo -u www-data php occ config:system:set log_type --value=file
+sudo -u www-data php occ config:system:set logfile  --value=$NCLOG
+
+cat > /etc/fail2ban/filter.d/nextcloud.conf <<'EOF'
+[INCLUDES]
+before = common.conf
+
+[Definition]
+failregex = Login failed.*Remote IP.*'<HOST>'
+ignoreregex =
+EOF
+
+
+cat > /etc/fail2ban/jail.conf <<EOF
+# The DEFAULT allows a global definition of the options. They can be overridden
+# in each jail afterwards.
+[DEFAULT]
+
+# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
+# ban a host which matches an address in this list. Several addresses can be
+# defined using space separator.
+ignoreip = 127.0.0.1/8
+
+# "bantime" is the number of seconds that a host is banned.
+bantime  = $BANTIME
+
+# A host is banned if it has generated "maxretry" during the last "findtime"
+# seconds.
+findtime = $FINDTIME
+maxretry = $MAXRETRY
+
+#
+# ACTIONS
+#
+banaction = iptables-multiport
+protocol = tcp
+chain = INPUT
+action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
+action = %(action_)s
+
+#
+# SSH
+#
+
+[ssh]
+
+enabled  = true
+port     = ssh
+filter   = sshd
+logpath  = /var/log/auth.log
+maxretry = $MAXRETRY
+
+#
+# HTTP servers
+#
+
+[nextcloud]
+
+enabled  = true
+port     = http,https
+filter   = nextcloud
+logpath  = $NCLOG
+maxretry = $MAXRETRY
+EOF
+
+# CLEANUP
+##########################################
+
+apt-get autoremove -y
+apt-get clean
+rm /var/lib/apt/lists/* -r
+rm -f /home/pi/.bash_history
+systemctl disable ssh
+halt
+
+# License
+#
+# This script is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This script is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this script; if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place, Suite 330,
+# Boston, MA  02111-1307  USA
+

install-fail2ban.sh

@@ -0,0 +1,40 @@
+#!/bin/bash
+
+# fail2ban installation on QEMU emulated Raspbian image
+# Tested with 2017-01-11-raspbian-jessie.img (and lite)
+#
+# Copyleft 2017 by Ignacio Nunez Hernanz <nacho _a_t_ ownyourbits _d_o_t_ com>
+# GPL licensed (see end of file) * Use at your own risk!
+#
+# Usage:
+#   ./install-fail2ban.sh <img> <IP> # Use the IP of your running QEMU Raspbian image
+
+
+IMGFILE=$1     # First argument is the image file to start from
+IP=$2          # Second argument is the QEMU Raspbian IP address
+INSTALL_SCRIPT=fail2ban.sh
+IMGOUT=$( basename $IMGFILE .img )_fail2ban.img
+
+source library.sh
+
+launch_install_qemu $INSTALL_SCRIPT $IMGFILE $IP || exit
+pack_image $IMGFILE $IMGOUT
+
+
+# License
+#
+# This script is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This script is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this script; if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place, Suite 330,
+# Boston, MA  02111-1307  USA
+

install-nextcloud.sh

@@ -18,9 +18,8 @@ EXTRACT=1      # Extract the image from zip, so start from 0
 #IMG=raspbian_latest
 IMG=raspbian_lite_latest
 INSTALL_SCRIPT=nextcloud.sh
-IMGFILE="NextCloudPi_$( date  "+%m-%d-%y" ).img"
-
-[[ "$IP" == "" ]] && { echo "usage: ./$0 <IP>"; exit; }
+IMGFILE="NextCloudPi_$( date  "+%m-%d-%y" ).img-stage0"
+IMGOUT="NextCloudPi_$( date  "+%m-%d-%y" ).img"
 
 source library.sh
 
@@ -31,7 +30,8 @@ source library.sh
   qemu-img resize $IMGFILE +1G || exit 
 }
 
-launch_install_qemu $INSTALL_SCRIPT $IMGFILE $IP
+launch_install_qemu $INSTALL_SCRIPT $IMGFILE $IP || exit
+pack_image $IMGFILE $IMGOUT
 
 
 # License

library.sh

@@ -5,40 +5,74 @@
 # Copyleft 2017 by Ignacio Nunez Hernanz <nacho _a_t_ ownyourbits _d_o_t_ com>
 # GPL licensed (see end of file) * Use at your own risk!
 
+SSH=( ssh -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ServerAliveInterval=5 -o ConnectTimeout=1 -o LogLevel=quiet )
+
 function launch_install_qemu()
 {
   local INSTALL_SCRIPT=$1
-  local IMGFILE=$2
+  local IMG=$2
   local IP=$3
-  [[ "$IP" == "" ]] && { echo "usage: launch_install_qemu <script> <img> <IP>"; exit; }
-  local SSH="ssh -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o ServerAliveInterval=5 -o ConnectTimeout=1 -o LogLevel=quiet"
+  [[ "$IP" == "" ]] && { echo "usage: launch_install_qemu <script> <img> <IP>"; return 1; }
+  test -f $IMG            || { echo "input file $IMG            not found"; return 1; }
+  test -f $INSTALL_SCRIPT || { echo "input file $INSTALL_SCRIPT not found"; return 1; }
+
+  # take a copy of the input image for processing ( append "-stage1" )
+  local BASE=$( sed 's=-stage[[:digit:]]=='         <<< $IMG )
+  local NUM=$(  sed 's=.*-stage\([[:digit:]]\)=\1=' <<< $IMG )
+  [[ "$BASE" == "$IMG" ]] && NUM=0
+  local IMGFILE="$BASE-stage$(( NUM+1 ))"
+  cp -v $IMG $IMGFILE || return 1
+
   local NUM_REBOOTS=$( grep -c reboot $INSTALL_SCRIPT )
-
-  test -d qemu-raspbian-network || git clone https://github.com/nachoparker/qemu-raspbian-network.git
-  sed -i '30s/NO_NETWORK=1/NO_NETWORK=0/' qemu-raspbian-network/qemu-pi.sh
-
   while [[ $NUM_REBOOTS != -1 ]]; do
-    echo "Starting QEMU"
-    cd qemu-raspbian-network
-    sudo ./qemu-pi.sh ../$IMGFILE &
-    cd -
-
+    launch_qemu $IMGFILE &
     sleep 10
-    echo "Waiting for SSH to be up"
-    while true; do
-      sshpass -praspberry $SSH pi@$IP ls &>/dev/null && break
-      sleep 1
-    done
-
-    sleep 120
-    echo "Launching installation"
-    cat $INSTALL_SCRIPT | sshpass -praspberry $SSH pi@$IP
+    wait_SSH $IP
+    sleep 120                               # FIXME for some reason, SSH is ready but blocks for PIXEL image
+    launch_installation $INSTALL_SCRIPT 
     wait 
     NUM_REBOOTS=$(( NUM_REBOOTS-1 ))
   done
-  echo "$IMGFILE generated successfully. Compressing"
-  local TARNAME=$( basename $IMGFILE ).tar.bz2
-  test -f $TARNAME || tar -I pbzip2 -cvf $TARNAME  $IMGFILE
+  echo "$IMGFILE generated successfully"
+}
+
+function launch_qemu()
+{
+  local IMG=$1
+  test -f $1 || { echo "Image $IMG not found"; return 1; }
+  test -d qemu-raspbian-network || git clone https://github.com/nachoparker/qemu-raspbian-network.git
+  sed -i '30s/NO_NETWORK=1/NO_NETWORK=0/' qemu-raspbian-network/qemu-pi.sh
+  echo "Starting QEMU image $IMG"
+  ( cd qemu-raspbian-network && sudo ./qemu-pi.sh ../$IMG )
+}
+
+function wait_SSH()
+{
+  local IP=$1
+  echo "Waiting for SSH to be up on $IP..."
+  while true; do
+    sshpass -praspberry ${SSH[@]} pi@$IP ls &>/dev/null && break
+    sleep 1
+  done
+  echo "SSH is up"
+}
+
+function launch_installation()
+{
+  local INSTALL_SCRIPT=$1
+  test -f $1 || { echo "File $INSTALL_SCRIPT not found"; return 1; }
+  echo "Launching installation"
+  cat $INSTALL_SCRIPT | sshpass -praspberry ${SSH[@]} pi@$IP
+}
+
+function pack_image()
+{
+  local IMGFILE="$1"
+  local IMGOUT="$2"
+  local TARNAME=$( basename $IMGOUT .img ).tar.bz2
+  cp -v $( ls -1t $IMGFILE-stage* | head -1 ) $IMGOUT
+  tar -I pbzip2 -cvf $TARNAME $IMGOUT &>/dev/null && \
+    echo -e "$TARNAME packed successfully"
 }
 
 # License

nextcloud.sh

@@ -7,7 +7,11 @@
 # GPL licensed (see end of file) * Use at your own risk!
 #
 # Usage:
-#   cat install-nextcloud.sh | sshpass -praspberry ssh pi@$IP
+#   cat nextcloud.sh | sshpass -praspberry ssh pi@$IP
+#
+#   , or scp this file to a Raspberry Pi and run it from Raspbian
+#
+#   ./nextcloud.sh
 #
 # Notes:
 #   Upon each necessary restart, the system will cut the SSH session, therefore
@@ -136,7 +140,6 @@ EOF
   wget https://download.nextcloud.com/server/releases/nextcloud-$VER.tar.bz2 -O nextcloud.tar.bz2
   tar -xvf nextcloud.tar.bz2
   rm nextcloud.tar.bz2
-  mkdir /var/log/nextcloud
   mkdir /var/www/nextcloud/.opcache
 
   ocpath='/var/www/nextcloud'
@@ -190,8 +193,8 @@ cat > /etc/apache2/sites-available/nextcloud.conf <<'EOF'
 <IfModule mod_ssl.c>
   <VirtualHost _default_:443>
     DocumentRoot /var/www/nextcloud
-    CustomLog /var/log/nextcloud/access.log combined
-    ErrorLog /var/log/nextcloud/error.log
+    CustomLog /var/www/nextcloud/data/access.log combined
+    ErrorLog /var/www/nextcloud/data/error.log
     SSLEngine on
     SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
     SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
@@ -264,6 +267,7 @@ EOF
   apt-get autoremove -y
   apt-get clean
   rm /var/lib/apt/lists/* -r
+  rm -f /home/pi/.bash_history
 
   systemctl disable ssh
   rm $STATE_FILE