From 1a63bbe541760609c255cca27fe7e52eda7212d2 Mon Sep 17 00:00:00 2001
From: mafoo
Date: Fri, 27 May 2016 10:30:06 +0100
Subject: [PATCH] fixes for fail2ban
export the command line variables so sub scripts can use them
use sed to update log path is source is used
simplify freeswitch rules to use protocol=all
general tidy up of spacing in files
---
 debian/install.sh | 17 +++--
 debian/resources/fail2ban.sh | 21 +++-
 .../fail2ban/{jail.package => jail.local} | 68 +++++++----
 debian/resources/fail2ban/jail.source | 76 -------------------
 debian/resources/switch/package-all.sh | 7 +-
 debian/resources/switch/package-release.sh | 6 +-
 6 files changed, 61 insertions(+), 134 deletions(-)
 rename debian/resources/fail2ban/{jail.package => jail.local} (50%)
 delete mode 100644 debian/resources/fail2ban/jail.source
diff --git a/debian/install.sh b/debian/install.sh
index 50568f2..d64dbe9 100755
--- a/debian/install.sh
+++ b/debian/install.sh
@@ -1,21 +1,23 @@
 #!/bin/sh
 #Process command line options
-OPTS=`getopt -n 'install.sh' -o h -l help,use-freeswitch-source,use-freeswitch-package-all,use-freeswitch-master -- "$@"`
+OPTS=`getopt -n 'install.sh' -o h -l help,use-freeswitch-source,use-freeswitch-package-all,use-freeswitch-master,use-freeswitch-package-unofficial-arm -- "$@"`
 eval set -- "$OPTS"
 if [ $? != 0 ] ; then echo "Failed parsing options." >&2 ; exit 1 ; fi
-USE_FREESWITCH_SOURCE=false
-USE_FREESWITCH_PACKAGE_ALL=false
-USE_FREESWITCH_MASTER=false
+export USE_FREESWITCH_SOURCE=false
+export USE_FREESWITCH_PACKAGE_ALL=false
+export USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM=false
+export USE_FREESWITCH_MASTER=false
 HELP=false
 while true; do
 case "$1" in
- --use-freeswitch-source ) USE_FREESWITCH_SOURCE=true; shift ;;
- --use-freeswitch-package-all ) USE_FREESWITCH_PACKAGE_ALL=true; shift ;;
- --use-freeswitch-master ) USE_FREESWITCH_MASTER=true; shift ;;
+ --use-freeswitch-source ) export USE_FREESWITCH_SOURCE=true; shift ;;
+ --use-freeswitch-package-all ) export USE_FREESWITCH_PACKAGE_ALL=true; shift ;;
+ --use-freeswitch-package-unofficial-arm ) export USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM=true; shift ;;
+ --use-freeswitch-master ) export USE_FREESWITCH_MASTER=true; shift ;;
 -h | --help ) HELP=true; shift ;;
 -- ) shift; break ;;
 * ) break ;;
@@ -26,6 +28,7 @@ if [ $HELP = true ]; then
 echo "Debian installer script"
 echo " --use-freeswitch-source will use freeswitch from source rather than (default:packages)"
 echo " --use-freeswitch-package-all if using packages use the meta-all package"
+ echo " --use-freeswitch-package-unofficial-arm if your system is arm and you are using packages, use the unofficial arm repo"
 echo " --use-freeswitch-master will use master branch/packages instead of (default:stable)"
 exit;
 fi
diff --git a/debian/resources/fail2ban.sh b/debian/resources/fail2ban.sh
index bab0619..e2fa22f 100755
--- a/debian/resources/fail2ban.sh
+++ b/debian/resources/fail2ban.sh
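Review bot: The `if [ $? != 0 ]` test that follows the rewritten `OPTS=` line checks the status of `eval set -- "$OPTS"`, not of getopt, so an unrecognised option (the list this commit extends) prints getopt's complaint but the script carries on with whatever partial parse it got. Capturing the status at the assignment fixes that and drops the backticks: `OPTS=$(getopt -n 'install.sh' -o h -l help,use-freeswitch-source,use-freeswitch-package-all,use-freeswitch-master,use-freeswitch-package-unofficial-arm -- "$@") || { echo "Failed parsing options." >&2; exit 1; }`. The `export` on each flag is what lets the sub-scripts see the values, so a comment such as `# exported: read by resources/*.sh when run from this installer` above the defaults would make that dependency explicit. The `while`/`case` loop and the help block both continue past the hunk boundaries.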
@@ -1,22 +1,27 @@
 #!/bin/sh
+#initialize variable encase we are called directly
+[ -z $USE_FREESWITCH_SOURCE ] && USE_FREESWITCH_SOURCE=false
+
 #send a message
 echo "Install Fail2ban"
 #add the dependencies
-apt-get install -y --force-yes fail2ban
+apt-get install -y --force-yes fail2ban
 #move the filters
-cp resources/fail2ban/fusionpbx.conf /etc/fail2ban/filter.d/fusionpbx.conf
 cp resources/fail2ban/freeswitch-dos.conf /etc/fail2ban/filter.d/freeswitch-dos.conf
+cp resources/fail2ban/freeswitch-ip.conf /etc/fail2ban/filter.d/freeswitch-ip.conf
 cp resources/fail2ban/freeswitch.conf /etc/fail2ban/filter.d/freeswitch.conf
+cp resources/fail2ban/fusionpbx.conf /etc/fail2ban/filter.d/fusionpbx.conf
+cp resources/fail2ban/nginx-404.conf /etc/fail2ban/filter.d/nginx-404.conf
+cp resources/fail2ban/nginx-dos.conf /etc/fail2ban/filter.d/nginx-dos.conf
+cp resources/fail2ban/jail.local /etc/fail2ban/jail.local
-#move the template
-cp resources/fail2ban/jail.package /etc/fail2ban/jail.package
-cp resources/fail2ban/jail.source /etc/fail2ban/jail.source
-
-#active the filters
-cp resources/fail2ban/jail.package /etc/fail2ban/jail.local
+#update config if source is being used
+if [ $USE_FREESWITCH_SOURCE = true ]; then
+ sed 's#var/log/freeswitch#usr/local/freeswitch/log#g' -i /etc/fail2ban/jail.local
+fi
 #restart fail2ban
 #systemd
diff --git a/debian/resources/fail2ban/jail.package b/debian/resources/fail2ban/jail.local
similarity index 50%
rename from debian/resources/fail2ban/jail.package
rename to debian/resources/fail2ban/jail.local
index f3425b1..0677859 100644
--- a/debian/resources/fail2ban/jail.package
+++ b/debian/resources/fail2ban/jail.local
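Review bot: Both new tests in this hunk expand the flag unquoted: `[ -z $USE_FREESWITCH_SOURCE ]` only works for an unset or empty value because `[ -z ]` with no operand happens to be true, and `if [ $USE_FREESWITCH_SOURCE = true ]` turns into the malformed `[ = true ]` if the variable is ever empty at that point. The POSIX idiom for the default is `: "${USE_FREESWITCH_SOURCE:=false}"`, and the test should read `if [ "$USE_FREESWITCH_SOURCE" = true ]; then`. The re-indented `apt-get install -y --force-yes fail2ban` line keeps `--force-yes`, which makes apt continue past its package-authentication warning and so lets an unsigned package install; `-y` alone is sufficient here. The sed rewrite of `jail.local` is safe to rerun only because the file is re-copied a few lines above, which deserves a comment now that the script is meant to be called directly.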
@@ -1,45 +1,33 @@
-[freeswitch-tcp]
+[freeswitch]
 enabled = true
-port = 5060,5061,5080,5081,5070
-protocol = tcp
+port = 5060,5061,5080,5081
+protocol = all
 filter = freeswitch
 logpath = /var/log/freeswitch/freeswitch.log
-action = iptables-allports[name=freeswitch-tcp, protocol=all]
-maxretry = 5
-findtime = 600
-bantime = 600
-# sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed
-
-[freeswitch-udp]
-enabled = true
-port = 5060,5061,5080,5081,5070
-protocol = udp
-filter = freeswitch
-logpath = /var/log/freeswitch/freeswitch.log
-action = iptables-allports[name=freeswitch-udp, protocol=all]
+action = iptables-allports[name=freeswitch, protocol=all]
 maxretry = 5
 findtime = 600
 bantime = 600
 # sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed
 [freeswitch-ip]
-enabled = true
-port = 5060,5061,5080,5081
-protocol = udp
-filter = freeswitch-ip
-logpath = /var/log/freeswitch/freeswitch.log
-action = iptables-allports[name=freeswitch-ip, protocol=all]
+enabled = true
+port = 5060,5061,5080,5081
+protocol = all
+filter = freeswitch-ip
+logpath = /var/log/freeswitch/freeswitch.log
+action = iptables-allports[name=freeswitch-ip, protocol=all]
 maxretry = 1
 findtime = 30
 bantime = 86400
 [freeswitch-dos]
-enabled = true
-port = 5060,5061,5080,5081,5070
-protocol = udp
-filter = freeswitch-dos
-logpath = /var/log/freeswitch/freeswitch.log
-action = iptables-allports[name=freeswitch-dos, protocol=all]
+enabled = true
+port = 5060,5061,5080,5081
+protocol = all
+filter = freeswitch-dos
+logpath = /var/log/freeswitch/freeswitch.log
+action = iptables-allports[name=freeswitch-dos, protocol=all]
 maxretry = 50
 findtime = 30
 bantime = 6000
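Review bot: Every jail in this hunk bans with `iptables-allports[... protocol=all]`, and `[freeswitch-ip]` does so after a single match (`maxretry = 1`) for a full day (`bantime = 86400`), yet no `[DEFAULT]`/`ignoreip` entry is visible, so one false positive from the `freeswitch-ip` filter blocks the operator's own address on every port, SSH and the web UI included. A `[DEFAULT]` section at the top of the file with `ignoreip = 127.0.0.1/8 <management-network-cidr>` (placeholder) is the usual guard and applies to all jails below it. With allports actions the `port` and `protocol` lines are descriptive only, which is presumably why moving to `protocol = all` and dropping 5070 from the lists is harmless, but the commit message does not mention the 5070 removal; a comment such as `# port/protocol are descriptive here; iptables-allports bans every port` would keep the next reader from treating them as the ban scope.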
@@ -57,11 +45,12 @@ findtime = 600
 bantime = 600
 [nginx-404]
-enabled = true
-port = http,https
-filter = nginx-404
-logpath = /var/log/nginx/access*.log
-bantime = 600
+enabled = true
+port = 80,443
+protocol = tcp
+filter = nginx-404
+logpath = /var/log/nginx/access*.log
+bantime = 600
 findtime = 600
 maxretry = 10
@@ -69,10 +58,11 @@ maxretry = 10
 # Based on apache-badbots but a simple IP check (any IP requesting more than
 # 240 pages in 60 seconds, or 4p/s average, is suspicious)
 # Block for two full days.
-enabled = true
-port = http
-filter = nginx-dos
-logpath = /var/log/nginx/access*.log
+enabled = true
+port = 80
+protocol = tcp
+filter = nginx-dos
+logpath = /var/log/nginx/access*.log
 findtime = 60
-bantime = 172800
-maxretry = 240
\ No newline at end of file
+bantime = 172800
+maxretry = 240
diff --git a/debian/resources/fail2ban/jail.source b/debian/resources/fail2ban/jail.source
deleted file mode 100644
index d307eb3..0000000
--- a/debian/resources/fail2ban/jail.source
+++ /dev/null
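Review bot: `[nginx-dos]` now lists `port = 80` while `[nginx-404]` lists `port = 80,443`, and neither jail sets an `action`, so with fail2ban's default banaction (presumably a multiport rule on the listed ports) a client that trips the DoS threshold is blocked on 80 but can keep sending the same requests over 443, which the shared `access*.log` path suggests is logged by the same server. Unless the omission is deliberate, `port = 80,443` keeps the two jails consistent; otherwise a comment should state why HTTPS is excluded from the ban. The switch to numeric ports with `protocol = tcp` is fine, and the missing trailing newline at the end of the file is fixed by the last hunk.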
@@ -1,76 +0,0 @@
-[freeswitch-tcp]
-enabled = true
-port = 5060,5061,5080,5081,5070
-protocol = tcp
-filter = freeswitch
-logpath = /usr/local/freeswitch/log/freeswitch.log
-action = iptables-allports[name=freeswitch-tcp, protocol=all]
-maxretry = 5
-findtime = 600
-bantime = 600
-# sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed
-
-[freeswitch-udp]
-enabled = true
-port = 5060,5061,5080,5081,5070
-protocol = udp
-filter = freeswitch
-logpath = /usr/local/freeswitch/log/freeswitch.log
-action = iptables-allports[name=freeswitch-udp, protocol=all]
-maxretry = 5
-findtime = 600
-bantime = 600
-# sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed
-
-[freeswitch-ip]
-enabled = true
-port = 5060,5061,5080,5081
-protocol = udp
-filter = freeswitch-ip
-logpath = /usr/local/freeswitch/log/freeswitch.log
-action = iptables-allports[name=freeswitch-ip, protocol=all]
-maxretry = 1
-findtime = 30
-bantime = 86400
-
-[freeswitch-dos]
-enabled = true
-port = 5060,5061,5080,5081,5070
-protocol = udp
-filter = freeswitch-dos
-logpath = /usr/local/freeswitch/log/freeswitch.log
-action = iptables-allports[name=freeswitch-dos, protocol=all]
-maxretry = 50
-findtime = 30
-bantime = 6000
-
-[fusionpbx]
-enabled = true
-port = 80,443
-protocol = tcp
-filter = fusionpbx
-logpath = /var/log/auth.log
-action = iptables-allports[name=fusionpbx, protocol=all]
-# sendmail-whois[name=fusionpbx, dest=root, sender=fail2ban@example.org] #no smtp server installed
-maxretry = 5
-findtime = 600
-bantime = 600
-
-[nginx-404]
-enabled = true
-port = http,https
-filter = nginx-404
-logpath = /var/log/nginx/access*.log
-bantime = 600
-findtime = 600
-maxretry = 10
-
-[nginx-dos]
-# Based on apache-badbots
-enabled = true
-port = http
-filter = nginx-dos
-logpath = /var/log/nginx/access*.log
-findtime = 60
-bantime = 172800
-maxretry = 240
diff --git a/debian/resources/switch/package-all.sh b/debian/resources/switch/package-all.sh
index 790af2a..5604c1c 100755
--- a/debian/resources/switch/package-all.sh
+++ b/debian/resources/switch/package-all.sh
@@ -1,8 +1,11 @@
 #!/bin/sh
+
+#initialize variable encase we are called directly
+[ -z $USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM ] && USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM=false
+
 apt-get update && apt-get install -y --force-yes curl memcached haveged
-USE_UNOFFICIAL_ARM_REPO=0
 arch=$(uname -m)
-if [ $arch = 'armv7l' ] && [ $USE_UNOFFICIAL_ARM_REPO -eq 1 ]; then
+if [ $arch = 'armv7l' ] && [ $USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM = true ]; then
 echo "deb http://repo.sip247.com/debian/freeswitch-stable-armhf/ jessie main" > /etc/apt/sources.list.d/freeswitch.list
 curl http://repo.sip247.com/debian/sip247.com.gpg.key | apt-key add -
 else
diff --git a/debian/resources/switch/package-release.sh b/debian/resources/switch/package-release.sh
index d70e3b1..f0c3260 100755
--- a/debian/resources/switch/package-release.sh
+++ b/debian/resources/switch/package-release.sh
@@ -1,8 +1,10 @@
 #!/bin/sh
+#initialize variable encase we are called directly
+[ -z $USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM ] && USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM=false
+
 apt-get update && apt-get install -y --force-yes curl memcached haveged
-USE_UNOFFICIAL_ARM_REPO=0
 arch=$(uname -m)
-if [ $arch = 'armv7l' ] && [ $USE_UNOFFICIAL_ARM_REPO -eq 1 ]; then
+if [ $arch = 'armv7l' ] && [ $USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM = true ]; then
 echo "deb http://repo.sip247.com/debian/freeswitch-stable-armhf/ jessie main" > /etc/apt/sources.list.d/freeswitch.list
 curl http://repo.sip247.com/debian/sip247.com.gpg.key | apt-key add -
 else
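Review bot: The rewritten `if` in both package-all.sh and package-release.sh expands `$arch` and `$USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM` unquoted, and the `[ -z $USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM ]` initialiser above it only works because `[ -z ]` with no operand is true; `: "${USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM:=false}"` and `if [ "$arch" = 'armv7l' ] && [ "$USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM" = true ]; then` express the intent without relying on that quirk. The branch this flag now enables from the installer's command line fetches the unofficial repository's signing key with plain `curl http://... | apt-key add -` (unchanged context in both hunks), so anyone able to tamper with that connection can substitute the key and thereby every package later installed from the repo; fetching it over https and verifying the key's fingerprint before `apt-key add`, or shipping the key file in this repository, would close that gap, and the `--force-yes` on the `apt-get install` line above it additionally waives apt's own authentication prompt. The `if`/`else` block continues past the end of both hunks.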