ajout choix ssh only ou nginx filters + debug

1 year ago · f55af5829e
parent b36d73173b
commit f55af5829e
4 changed files with 66 additions and 24 deletions
--- a/README.md
+++ b/README.md
@ -45,7 +45,7 @@ bantime = 259200
 maxretry = 100
 ```
-Note:
+> Note:
 - Filter renvoie à la configuration de la prison quant aux lois qui la provoque (sous la forme de REGEX)
 - Action est les processus mis en place pour bannir l'IP, les configurations se trouvent dans /etc/fail2ban/action.d/
 - Logpath correspond au chemin des logs à surveiller.
@ -71,10 +71,10 @@ sudo fail2ban-client status ssh
 - Bannir une IP manuellement:
 ```bash
-fail2ban-client set [nom de la prison] banip [IP concerné]
+sudo fail2ban-client set [nom de la prison] banip [IP concerné]
 ```
 - Débannir une IP manuellement:
 ```bash
-fail2ban-client set [nom de la prison] unbanip [IP concerné]
+sudo fail2ban-client unban [IP concerné] [nom de la prison]
 ```
--- a/fail2ban-conf/jail.local-nginx
+++ b/fail2ban-conf/jail.local-nginx
@ -16,14 +16,6 @@ port     = http,https
 logpath  = /var/log/nginx/*error.log
 bantime = 259200
 #[nginx-badbots]
 #enabled  = true
 #port     = http,https
 #filter   = nginx-badbots
 #logpath  = /var/log/nginx/access.log
 #maxretry = 2
 [nginx-badbots]
 enabled = true
--- a/fail2ban-conf/jail.local-ssh-only
+++ b/fail2ban-conf/jail.local-ssh-only
@ -0,0 +1,18 @@
 [DEFAULT]
 ignoreip = 127.0.0.1/8 IP
 bantime = 3600
 findtime = 3600
 #mta = mail
 #destemail = 
 #sendername = Fail2BanAlerts
 #action = %(action_mwl)s
 [ssh]
 enabled = true
 port = SSH_PORT
 filter = sshd
 logpath = /var/log/auth.log
 maxretry = 3
 bantime = -1
--- a/install.sh
+++ b/install.sh
@ -6,26 +6,58 @@ if [ "$EUID" -ne 0 ]
  exit
 fi
-# update et install fail2ban
+# choix SSH only ou avec Nginx filters
-apt update -y && apt install fail2ban -y
+choice=$(whiptail --title "Fail2ban" --menu "Choisissez une option:" 15 60 4 \
-
+"1" "Installer le filtre SSH seulement" \
-# copie des confs
+"2" "Installer le filtre SSH et Nginx" \
-cp fail2ban-nginx-filters/* /etc/fail2ban/filter.d/
+"3" "Quitter" 3>&1 1>&2 2>&3)
-cp fail2ban-conf/* /etc/fail2ban/
+exitstatus=$?
-rm -rf /etc/fail2ban/jail.d/*
+if [ $exitstatus = 0 ]; then
    case $choice in
        1)
            echo "Vous avez choisi l'option SSH seulement."
            # update et install fail2ban
            apt update -y && apt install fail2ban -y
            # copie des fichiers
            cp fail2ban-conf/jail.local-ssh-only /etc/fail2ban/jail.local
            cp fail2ban-conf/jail.conf /etc/fail2ban/jail.conf
            ;;
        2)
            echo "Vous avez choisi l'option SSH avec Nginx."
            # update et install fail2ban
            apt update -y && apt install fail2ban -y
            # copie des fichiers
            cp fail2ban-nginx-filters/* /etc/fail2ban/filter.d/
            cp fail2ban-conf/jail.local-nginx /etc/fail2ban/jail.local
            cp fail2ban-conf/jail.conf /etc/fail2ban/jail.conf
            ;;
        3)
            echo "Vous avez choisi de quitter, fail2ban ne serat pas installé"
            exit
            ;;
    esac
 else
    echo "Vous avez annulé."
 fi
 # recup de l'ip pour la conf
 IP=$(ip route get 1.2.3.4 | awk '{print $7}')
-sed -i "s/IP/$IP/" /etc/fail2ban/jail.local
+# recup du port SSH (TODO: ajouter check si port SSH renseigné)
 SSH=$(grep "^Port" /etc/ssh/sshd_config | awk '{print $2}')
-# recup du port ssh
+# change IP et SSH port
-SSH=$(grep Port /etc/ssh/sshd_config); SSH=${SSH##*(Port)}; SSH=${SSH%%*(#GatewayPorts no)}
+sed -i "s/IP/"$IP"/" /etc/fail2ban/jail.local
-sed -i "s/SSH_PORT/$SSH/" /etc/fail2ban/jail.local
+sed -i "s/SSH_PORT/"$SSH"/" /etc/fail2ban/jail.local
-# changement dbpurge
+# changement dbpurge tout les ans
 sed -i "s/1d/365d/" /etc/fail2ban/fail2ban.conf
 systemctl restart fail2ban
-fail2ban-client status
+systemctl status fail2ban
 echo "la configuration pour les autres prisons que le SSH sont de 72h (bannissement à vie pour le SSH)"