A free, open, self-hosted app platform (GNU AGPLv3): one-click app deploys, Traefik reverse proxy with automatic SSL, rootless Docker support, gluetun VPN routing, and a web dashboard to manage it all. Free & open forever to self-host; optional paid hosted services fund it. See PROMISE.md. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
#!/bin/bash
# Category : Security
# Description : Fail2Ban - Intrusion Prevention (c/u/s/r/i):
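#######################################
# Fail2Ban app handler. Dispatches on the single-letter action flags held in
# the global $fail2ban: c = edit config, u = uninstall, s = stop (compose down),
# r = restart, i = install. Several flags may be combined in one value.
# Globals:   fail2ban (read; reset to "n" on exit), menu_number (written),
#            CFG_FAIL2BAN_APP_NAME, CFG_FAIL2BAN_ABUSEIPDB_APIKEY,
#            containers_dir, docker_install_user, logs_dir, docker_log_file (read)
# Arguments: $1 - config variables handed to dockerConfigSetupToContainer
# Outputs:   progress headings on stdout
# Returns:   1 when dockerCheckAllowedInstall rejects the install, otherwise
#            the status of the last command run
#######################################
installFail2ban()
{
    local config_variables="$1"
    local app_name=""
    # Scratch variable for captured helper output. Declared once here so the
    # later `result=$(...)` assignments keep the command's exit status for the
    # checkSuccess call that follows; `local result=$(...)` always returns 0.
    local result=""

    if [[ "$fail2ban" == *[cCtTuUsSrRiI]* ]]; then
        dockerConfigSetupToContainer silent fail2ban;
        app_name=$CFG_FAIL2BAN_APP_NAME
        initializeAppVariables "$app_name";
    fi

    if [[ "$fail2ban" == *[cC]* ]]; then
        editAppConfig "$app_name";
    fi

    if [[ "$fail2ban" == *[uU]* ]]; then
        dockerUninstallApp "$app_name";
    fi

    if [[ "$fail2ban" == *[sS]* ]]; then
        dockerComposeDown "$app_name";
    fi

    if [[ "$fail2ban" == *[rR]* ]]; then
        dockerComposeRestart "$app_name";
    fi

    if [[ "$fail2ban" == *[iI]* ]]; then
        local app_dir="$containers_dir$app_name"
        local config_dir="$app_dir/config/$app_name"

        isHeader "Install $app_name"

        # Plain arithmetic assignment rather than ((menu_number++)): the latter
        # returns status 1 when the counter is 0 and would trip errexit.
        menu_number=$((menu_number + 1))
        echo ""
        echo "---- $menu_number. Checking if $app_name can be installed."
        echo ""

        dockerCheckAllowedInstall "$app_name" || return 1

        menu_number=$((menu_number + 1))
        echo ""
        echo "---- $menu_number. Setting up install folder and config file for $app_name."
        echo ""

        dockerConfigSetupToContainer "loud" "$app_name" "install" "$config_variables";
        isSuccessful "Install folders and Config files have been setup for $app_name."

        menu_number=$((menu_number + 1))
        echo ""
        echo "---- $menu_number. Setting up the $app_name docker-compose.yml file."
        echo ""

        dockerComposeSetupFile "$app_name";

        menu_number=$((menu_number + 1))
        echo ""
        echo "---- $menu_number. Setting up AbuseIPDB for fail2ban if api key is provided"
        echo ""

        if [[ -n "$CFG_FAIL2BAN_ABUSEIPDB_APIKEY" ]]; then
            checkSuccess "API key found, setting up the config file."

            result=$(createFolders "loud" "$docker_install_user" "$app_dir/logs")
            checkSuccess "Creating logs folder"

            result=$(cd "$app_dir" && createTouch "$app_dir/logs/auth.log" "$docker_install_user")
            checkSuccess "Creating Auth.log file"

            result=$(createFolders "loud" "$docker_install_user" "$config_dir" "$config_dir/action.d")
            checkSuccess "Creating config and action.d folders"

            # AbuseIPDB
            # -f makes curl fail on an HTTP error instead of writing the error
            # page to abuseipdb.conf; -sS silences the progress meter but keeps
            # error output.
            result=$(cd "$config_dir/action.d/" && sudo curl -fsS -o abuseipdb.conf https://raw.githubusercontent.com/fail2ban/fail2ban/0.11/config/action.d/abuseipdb.conf)
            checkSuccess "Downloading abuseipdb.conf from GitHub"

            # The key is interpolated into a sed replacement, so escape the
            # characters sed treats specially there (/, & and \) first.
            local sed_safe_key
            sed_safe_key=$(printf '%s' "$CFG_FAIL2BAN_ABUSEIPDB_APIKEY" | sed 's/[\/&\\]/\\&/g')
            result=$(sudo sed -i "s/abuseipdb_apikey =/abuseipdb_apikey =$sed_safe_key/g" "$config_dir/action.d/abuseipdb.conf")
            checkSuccess "Setting up abuseipdb_apikey"

            # Jail.local
            result=$(createFolders "loud" "$docker_install_user" "$config_dir/")
            checkSuccess "Creating $app_name folder"

            result=$(copyResource "$app_name" "jail.local" "config/$app_name" | sudo tee -a "$logs_dir/$docker_log_file" 2>&1)
            checkSuccess "Coping over jail.local from Resources folder"

            # Append abuseipdb action only when a key is set. The second action
            # line is indented so fail2ban's ini parser reads it as a
            # continuation of `action`.
            # NOTE(review): jail.local and abuseipdb.conf now hold the API key in
            # clear text; confirm fixPermissionsBeforeStart limits who can read them.
            sudo tee -a "$config_dir/jail.local" >/dev/null <<EOF

[sshd]
action = %(action_)s
         %(action_abuseipdb)s[abuseipdb_apikey="$CFG_FAIL2BAN_ABUSEIPDB_APIKEY", abuseipdb_category="5,14,15,18,19,21,22"]
EOF
            checkSuccess "Appended AbuseIPDB action to jail.local"
        else
            isNotice "No API key found, please provide one if you want to use AbuseIPDB"
        fi

        menu_number=$((menu_number + 1))
        echo ""
        echo "---- $menu_number. Updating file permissions before starting."
        echo ""

        fixPermissionsBeforeStart "$app_name";

        menu_number=$((menu_number + 1))
        echo ""
        echo "---- $menu_number. Running the docker-compose.yml to install and start $app_name"
        echo ""

        dockerComposeUpdateAndStartApp "$app_name" install;

        menu_number=$((menu_number + 1))
        echo ""
        echo "---- $menu_number. Running Application specific updates (if required)"
        echo ""

        appUpdateSpecifics "$app_name";

        menu_number=$((menu_number + 1))
        echo ""
        echo "---- $menu_number. Adding $app_name to the Apps Database table."
        echo ""

        databaseInstallApp "$app_name";

        menu_number=$((menu_number + 1))
        echo ""
        echo "---- $menu_number. Running Headscale setup (if required)"
        echo ""

        setupHeadscale "$app_name";

        menu_number=$((menu_number + 1))
        echo ""
        echo "---- $menu_number. Updating WebUI config file."
        echo ""

        webuiContainerSetup "$app_name" install;

        menu_number=$((menu_number + 1))
        echo ""
        echo "---- $menu_number. You can find $app_name files at $app_dir"
        echo ""
        echo " Your $app_name service is now online!"
        echo ""

        # Reset the step counter for the next app and return to $HOME.
        menu_number=0
        #sleep 3s
        cd
    fi

    fail2ban=n
}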