fixes for fail2ban

export the command line variables so sub scripts can use them use sed to update log path is source is used simplify freeswitch rules to use protocol=all general tidy up of spacing in files
2016-05-27 10:30:06 +01:00 · 2016-05-27 10:30:06 +01:00 · 1a63bbe541
parent 55c5812050
commit 1a63bbe541
6 changed files with 61 additions and 134 deletions
--- a/debian/install.sh
+++ b/debian/install.sh
@ -1,21 +1,23 @@
 #!/bin/sh

 #Process command line options
-OPTS=`getopt -n 'install.sh' -o h -l help,use-freeswitch-source,use-freeswitch-package-all,use-freeswitch-master -- "$@"`
+OPTS=`getopt -n 'install.sh' -o h -l help,use-freeswitch-source,use-freeswitch-package-all,use-freeswitch-master,use-freeswitch-package-unofficial-arm -- "$@"`
 eval set -- "$OPTS"

 if [ $? != 0 ] ; then echo "Failed parsing options." >&2 ; exit 1 ; fi

-USE_FREESWITCH_SOURCE=false
-USE_FREESWITCH_PACKAGE_ALL=false
-USE_FREESWITCH_MASTER=false
+export USE_FREESWITCH_SOURCE=false
+export USE_FREESWITCH_PACKAGE_ALL=false
+export USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM=false
+export USE_FREESWITCH_MASTER=false
 HELP=false

 while true; do
  case "$1" in
-    --use-freeswitch-source ) USE_FREESWITCH_SOURCE=true; shift ;;
-    --use-freeswitch-package-all ) USE_FREESWITCH_PACKAGE_ALL=true; shift ;;
-    --use-freeswitch-master ) USE_FREESWITCH_MASTER=true; shift ;;
+    --use-freeswitch-source ) export USE_FREESWITCH_SOURCE=true; shift ;;
+    --use-freeswitch-package-all ) export USE_FREESWITCH_PACKAGE_ALL=true; shift ;;
+    --use-freeswitch-package-unofficial-arm ) export USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM=true; shift ;;
+    --use-freeswitch-master ) export USE_FREESWITCH_MASTER=true; shift ;;
    -h | --help ) HELP=true; shift ;;
    -- ) shift; break ;;
    * ) break ;;
@ -26,6 +28,7 @@ if [ $HELP = true ]; then
 	echo "Debian installer script"
 	echo "	--use-freeswitch-source will use freeswitch from source rather than (default:packages)"
 	echo "	--use-freeswitch-package-all if using packages use the meta-all package"
+	echo "	--use-freeswitch-package-unofficial-arm if your system is arm and you are using packages, use the unofficial arm repo"
 	echo "	--use-freeswitch-master will use master branch/packages instead of (default:stable)"
 	exit;
 fi
--- a/debian/resources/fail2ban.sh
+++ b/debian/resources/fail2ban.sh
@ -1,22 +1,27 @@
 #!/bin/sh

+#initialize variable encase we are called directly
+[ -z $USE_FREESWITCH_SOURCE ] && USE_FREESWITCH_SOURCE=false
+
 #send a message
 echo "Install Fail2ban"

 #add the dependencies
-apt-get install -y --force-yes  fail2ban
+apt-get install -y --force-yes fail2ban

 #move the filters
-cp resources/fail2ban/fusionpbx.conf /etc/fail2ban/filter.d/fusionpbx.conf
 cp resources/fail2ban/freeswitch-dos.conf /etc/fail2ban/filter.d/freeswitch-dos.conf
+cp resources/fail2ban/freeswitch-ip.conf /etc/fail2ban/filter.d/freeswitch-ip.conf
 cp resources/fail2ban/freeswitch.conf /etc/fail2ban/filter.d/freeswitch.conf
+cp resources/fail2ban/fusionpbx.conf /etc/fail2ban/filter.d/fusionpbx.conf
+cp resources/fail2ban/nginx-404.conf /etc/fail2ban/filter.d/nginx-404.conf
+cp resources/fail2ban/nginx-dos.conf /etc/fail2ban/filter.d/nginx-dos.conf
+cp resources/fail2ban/jail.local /etc/fail2ban/jail.local

-#move the template
-cp resources/fail2ban/jail.package /etc/fail2ban/jail.package
-cp resources/fail2ban/jail.source /etc/fail2ban/jail.source
-
-#active the filters
-cp resources/fail2ban/jail.package /etc/fail2ban/jail.local
+#update config if source is being used
+if [ $USE_FREESWITCH_SOURCE = true ]; then
+	sed 's#var/log/freeswitch#usr/local/freeswitch/log#g' -i /etc/fail2ban/jail.local
+fi

 #restart fail2ban
 #systemd
--- a/debian/resources/fail2ban/jail.package
+++ b/debian/resources/fail2ban/jail.package
@ -1,45 +1,33 @@
-[freeswitch-tcp]
+[freeswitch]
 enabled  = true
-port     = 5060,5061,5080,5081,5070
-protocol = tcp
+port     = 5060,5061,5080,5081
+protocol = all
 filter   = freeswitch
 logpath  = /var/log/freeswitch/freeswitch.log
-action   = iptables-allports[name=freeswitch-tcp, protocol=all]
-maxretry = 5
-findtime = 600
-bantime  = 600
-#          sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed
-
-[freeswitch-udp]
-enabled  = true
-port     = 5060,5061,5080,5081,5070
-protocol = udp
-filter   = freeswitch
-logpath  = /var/log/freeswitch/freeswitch.log
-action   = iptables-allports[name=freeswitch-udp, protocol=all]
+action   = iptables-allports[name=freeswitch, protocol=all]
 maxretry = 5
 findtime = 600
 bantime  = 600
 #          sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed

 [freeswitch-ip]
-enabled = true
-port = 5060,5061,5080,5081
-protocol = udp
-filter = freeswitch-ip
-logpath = /var/log/freeswitch/freeswitch.log
-action = iptables-allports[name=freeswitch-ip, protocol=all]
+enabled	 = true
+port     = 5060,5061,5080,5081
+protocol = all
+filter   = freeswitch-ip
+logpath  = /var/log/freeswitch/freeswitch.log
+action   = iptables-allports[name=freeswitch-ip, protocol=all]
 maxretry = 1
 findtime = 30
 bantime  = 86400

 [freeswitch-dos]
-enabled = true
-port = 5060,5061,5080,5081,5070
-protocol = udp
-filter = freeswitch-dos
-logpath = /var/log/freeswitch/freeswitch.log
-action = iptables-allports[name=freeswitch-dos, protocol=all]
+enabled  = true
+port     = 5060,5061,5080,5081
+protocol = all
+filter   = freeswitch-dos
+logpath  = /var/log/freeswitch/freeswitch.log
+action   = iptables-allports[name=freeswitch-dos, protocol=all]
 maxretry = 50
 findtime = 30
 bantime  = 6000
@ -57,11 +45,12 @@ findtime = 600
 bantime  = 600	

 [nginx-404]
-enabled = true
-port = http,https
-filter = nginx-404
-logpath = /var/log/nginx/access*.log
-bantime = 600
+enabled  = true
+port     = 80,443
+protocol = tcp
+filter   = nginx-404
+logpath  = /var/log/nginx/access*.log
+bantime  = 600
 findtime = 600
 maxretry = 10

@ -69,10 +58,11 @@ maxretry = 10
 # Based on apache-badbots but a simple IP check (any IP requesting more than
 # 240 pages in 60 seconds, or 4p/s average, is suspicious)
 # Block for two full days.
-enabled = true
-port = http
-filter = nginx-dos
-logpath = /var/log/nginx/access*.log
+enabled  = true
+port     = 80
+protocol = tcp
+filter   = nginx-dos
+logpath  = /var/log/nginx/access*.log
 findtime = 60
-bantime = 172800
-maxretry = 240
+bantime  = 172800
+maxretry = 240
--- a/debian/resources/fail2ban/jail.source
+++ b/debian/resources/fail2ban/jail.source
@ -1,76 +0,0 @@
-[freeswitch-tcp]
-enabled  = true
-port     = 5060,5061,5080,5081,5070
-protocol = tcp
-filter   = freeswitch
-logpath  = /usr/local/freeswitch/log/freeswitch.log
-action   = iptables-allports[name=freeswitch-tcp, protocol=all]
-maxretry = 5
-findtime = 600
-bantime  = 600
-#          sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed
-
-[freeswitch-udp]
-enabled  = true
-port     = 5060,5061,5080,5081,5070
-protocol = udp
-filter   = freeswitch
-logpath  = /usr/local/freeswitch/log/freeswitch.log
-action   = iptables-allports[name=freeswitch-udp, protocol=all]
-maxretry = 5
-findtime = 600
-bantime  = 600
-#          sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed
-
-[freeswitch-ip]
-enabled = true
-port = 5060,5061,5080,5081
-protocol = udp
-filter = freeswitch-ip
-logpath = /usr/local/freeswitch/log/freeswitch.log
-action = iptables-allports[name=freeswitch-ip, protocol=all]
-maxretry = 1
-findtime = 30
-bantime  = 86400
-
-[freeswitch-dos]
-enabled = true
-port = 5060,5061,5080,5081,5070
-protocol = udp
-filter = freeswitch-dos
-logpath = /usr/local/freeswitch/log/freeswitch.log
-action = iptables-allports[name=freeswitch-dos, protocol=all]
-maxretry = 50
-findtime = 30
-bantime  = 6000
-
-[fusionpbx]
-enabled  = true
-port     = 80,443
-protocol = tcp
-filter   = fusionpbx
-logpath  = /var/log/auth.log
-action   = iptables-allports[name=fusionpbx, protocol=all]
-#          sendmail-whois[name=fusionpbx, dest=root, sender=fail2ban@example.org] #no smtp server installed
-maxretry = 5
-findtime = 600
-bantime  = 600	
-
-[nginx-404]
-enabled = true
-port = http,https
-filter = nginx-404
-logpath = /var/log/nginx/access*.log
-bantime = 600
-findtime = 600
-maxretry = 10
-
-[nginx-dos]
-# Based on apache-badbots
-enabled = true
-port = http
-filter = nginx-dos
-logpath = /var/log/nginx/access*.log
-findtime = 60
-bantime = 172800
-maxretry = 240
--- a/debian/resources/switch/package-all.sh
+++ b/debian/resources/switch/package-all.sh
@ -1,8 +1,11 @@
 #!/bin/sh
+
+#initialize variable encase we are called directly
+[ -z $USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM ] && USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM=false
+
 apt-get update && apt-get install -y --force-yes curl memcached haveged
-USE_UNOFFICIAL_ARM_REPO=0
 arch=$(uname -m)
-if [ $arch = 'armv7l' ] && [ $USE_UNOFFICIAL_ARM_REPO -eq 1 ]; then
+if [ $arch = 'armv7l' ] && [ $USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM = true ]; then
        echo "deb http://repo.sip247.com/debian/freeswitch-stable-armhf/ jessie main" > /etc/apt/sources.list.d/freeswitch.list
        curl http://repo.sip247.com/debian/sip247.com.gpg.key | apt-key add -
 else
--- a/debian/resources/switch/package-release.sh
+++ b/debian/resources/switch/package-release.sh
@ -1,8 +1,10 @@
 #!/bin/sh
+#initialize variable encase we are called directly
+[ -z $USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM ] && USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM=false
+
 apt-get update && apt-get install -y --force-yes curl memcached haveged
-USE_UNOFFICIAL_ARM_REPO=0
 arch=$(uname -m)
-if [ $arch = 'armv7l' ] && [ $USE_UNOFFICIAL_ARM_REPO -eq 1 ]; then
+if [ $arch = 'armv7l' ] && [ $USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM = true ]; then
        echo "deb http://repo.sip247.com/debian/freeswitch-stable-armhf/ jessie main" > /etc/apt/sources.list.d/freeswitch.list
        curl http://repo.sip247.com/debian/sip247.com.gpg.key | apt-key add -
 else