Add new helpers for fail2ban

conf/jail_nextcloud.local

@@ -1,7 +0,0 @@
-[nextcloud]
-enabled = true
-port = 80,443
-protocol = tcp
-filter = nextcloud
-maxretry = 3
-logpath = /home/yunohost.app/nextcloud/data/nextcloud.log

conf/nextcloud_fail2ban.conf

@@ -1,3 +0,0 @@
-[Definition]
-failregex = ^.*Login failed: '.*' \(Remote IP: '<HOST>'.*$
-ignoreregex =

scripts/_common.sh

@@ -190,4 +190,51 @@ ynh_remove_logrotate () {
 	if [ -e "/etc/logrotate.d/$app" ]; then
 		sudo rm "/etc/logrotate.d/$app"
 	fi
-}
+}
+
+ynh_add_fail2ban_config () {
+   # Process parameters
+   logpath=$1
+   failregex=$2
+   max_retry=${3:-3}
+   ports=${4:-http,https}
+   
+  test -n "$logpath" || ynh_die "ynh_add_fail2ban_config expects a logfile path as first argument and received nothing."
+  test -n "$failregex" || ynh_die "ynh_add_fail2ban_config expects a failure regex as second argument and received nothing."
+  
+	finalfail2banjailconf="/etc/fail2ban/jail.d/$app.conf"
+	finalfail2banfilterconf="/etc/fail2ban/filter.d/$app.conf"
+	ynh_backup_if_checksum_is_different "$finalfail2banjailconf" 1
+	ynh_backup_if_checksum_is_different "$finalfail2banfilterconf" 1
+  
+  echo | sudo tee $finalfail2banjailconf <<EOF
+[$app]
+enabled = true
+port = $ports
+filter = $app
+logpath = $logpath
+maxretry = $max_retry" 
+EOF
+
+  echo | sudo tee $finalfail2banfilterconf <<EOF
+[INCLUDES]
+before = common.conf
+[Definition]
+failregex = $failregex
+ignoreregrex =" 
+EOF
+
+	ynh_store_file_checksum "$finalfail2banjailconf"
+	ynh_store_file_checksum "$finalfail2banfilterconf"
+  
+	sudo systemctl restart fail2ban
+}
+
+# Remove the dedicated fail2ban config (jail and filter conf files)
+#
+# usage: ynh_remove_fail2ban_config
+ynh_remove_fail2ban_config () {
+	ynh_secure_remove "/etc/fail2ban/jail.d/$app.conf"
+  ynh_secure_remove "/etc/fail2ban/filter.d/$app.conf"
+	sudo systemctl restart fail2ban
+}

scripts/install

@@ -176,14 +176,13 @@ ynh_app_setting_set "$app" skipped_regex \
     "$(sed 's/[\.\-]/\%&/g' <<< $domain)/%.well%-known/.*"
 
 
-# Set fail2ban rules
-sudo cp ../conf/nextcloud_fail2ban.conf /etc/fail2ban/filter.d/nextcloud.conf
-sudo cp ../conf/jail_nextcloud.local /etc/fail2ban/jail.d/nextcloud.local
+# Set-up fail2ban
+ynh_add_fail2ban_config "/var/log/${app}FailedLogins.log" "ip=<HOST>" 4
 
 # Reload services
 sudo service php5-fpm restart || true
 sudo service nginx reload || true
-sudo fail2ban-client reload
+
 
 # Add cron job
 cron_path="/etc/cron.d/$app"

scripts/upgrade

@@ -210,14 +210,13 @@ ynh_app_setting_set "$real_app" unprotected_uris "/"
 ynh_app_setting_set "$real_app" skipped_regex \
     "$(sed 's/[\.\-]/\%&/g' <<< $domain)/%.well%-known/.*"
     
-# Add fail2ban rules
-sudo cp ../conf/nextcloud_fail2ban.conf /etc/fail2ban/filter.d/nextcloud.conf
-sudo cp ../conf/jail_nextcloud.local /etc/fail2ban/jail.d/nextcloud.local
+# Set-up fail2ban
+ynh_add_fail2ban_config "/var/log/${app}FailedLogins.log" "ip=<HOST>" 6
 
 # Reload services
 sudo service php5-fpm restart || true
 sudo service nginx reload || true
-sudo fail2ban-client reload
+
 
 # Add cron job
 cron_path="/etc/cron.d/$app"