External-Mirrors/nextcloudpi
2
0
Fork 0
mirror of https://github.com/nextcloud/nextcloudpi.git synced 2026-01-10 15:12:01 -03:30
Code Issues Packages Projects Releases Wiki Activity
nextcloudpi/fail2ban.sh

135 lines
3.5 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Fail2ban installation script for Raspbian
# Tested with 2017-01-11-raspbian-jessie.img (and lite)
#
# Copyleft 2017 by Ignacio Nunez Hernanz <nacho _a_t_ ownyourbits _d_o_t_ com>
# GPL licensed (see end of file) * Use at your own risk!
#
# Usage:
# cat install-fail2ban.sh | ssh pi@$IP
#
# , or scp this file to a Raspberry Pi and run it from Raspbian
#
# ./fail2ban.sh
#
# See the variables on the top of the script for tweaking
set -xe
sudo su
NCLOG_=/var/www/nextcloud/data/nextcloud.log # location of Nextcloud logs
BANTIME_=600 # time to ban an IP that exceeded attempts
FINDTIME_=600 # cooldown time for incorrect passwords
MAXRETRY_=6 # bad attempts before banning an IP
set -xe
# INSTALLATION
##########################################
apt-get update
apt-get install fail2ban -y
touch /var/www/nextcloud/data/nextcloud.log
chown -R www-data /var/www/nextcloud/data
cd /var/www/nextcloud
sudo -u www-data php occ config:system:set loglevel --value=2
sudo -u www-data php occ config:system:set log_type --value=file
sudo -u www-data php occ config:system:set logfile --value=$NCLOG_
cat > /etc/fail2ban/filter.d/nextcloud.conf <<'EOF'
[INCLUDES]
before = common.conf
[Definition]
failregex = Login failed.*Remote IP.*'<HOST>'
ignoreregex =
EOF
cat > /etc/fail2ban/jail.conf <<EOF
# The DEFAULT allows a global definition of the options. They can be overridden
# in each jail afterwards.
[DEFAULT]
# "ignoreip" can be an IP address, a CIDR mask or a DNS host. Fail2ban will not
# ban a host which matches an address in this list. Several addresses can be
# defined using space separator.
ignoreip = 127.0.0.1/8
# "bantime" is the number of seconds that a host is banned.
bantime = $BANTIME_
# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime = $FINDTIME_
maxretry = $MAXRETRY_
#
# ACTIONS
#
banaction = iptables-multiport
protocol = tcp
chain = INPUT
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action = %(action_)s
#
# SSH
#
[ssh]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = $MAXRETRY_
#
# HTTP servers
#
[nextcloud]
enabled = true
port = http,https
filter = nextcloud
logpath = $NCLOG_
maxretry = $MAXRETRY_
EOF
# CLEANUP
##########################################
apt-get autoremove -y
apt-get clean
rm /var/lib/apt/lists/* -r
rm -f /home/pi/.bash_history
systemctl disable ssh
halt
# License
#
# This script is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This script is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this script; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330,
# Boston, MA 02111-1307 USA
Reference in New Issue View Git Blame Copy Permalink