fixes for fail2ban

export the command line variables so sub scripts can use them
use sed to update log path if source is used
simplify freeswitch rules to use protocol=all
general tidy up of spacing in files
This commit is contained in:
mafoo 2016-05-27 10:30:06 +01:00
parent 55c5812050
commit 1a63bbe541
6 changed files with 61 additions and 134 deletions

debian/install.sh vendored

@ -1,21 +1,23 @@
#!/bin/sh #!/bin/sh
#Process command line options #Process command line options
OPTS=`getopt -n 'install.sh' -o h -l help,use-freeswitch-source,use-freeswitch-package-all,use-freeswitch-master -- "$@"` OPTS=`getopt -n 'install.sh' -o h -l help,use-freeswitch-source,use-freeswitch-package-all,use-freeswitch-master,use-freeswitch-package-unofficial-arm -- "$@"`
eval set -- "$OPTS" eval set -- "$OPTS"
if [ $? != 0 ] ; then echo "Failed parsing options." >&2 ; exit 1 ; fi if [ $? != 0 ] ; then echo "Failed parsing options." >&2 ; exit 1 ; fi
USE_FREESWITCH_SOURCE=false export USE_FREESWITCH_SOURCE=false
USE_FREESWITCH_PACKAGE_ALL=false export USE_FREESWITCH_PACKAGE_ALL=false
USE_FREESWITCH_MASTER=false export USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM=false
export USE_FREESWITCH_MASTER=false
HELP=false HELP=false
while true; do while true; do
case "$1" in case "$1" in
--use-freeswitch-source ) USE_FREESWITCH_SOURCE=true; shift ;; --use-freeswitch-source ) export USE_FREESWITCH_SOURCE=true; shift ;;
--use-freeswitch-package-all ) USE_FREESWITCH_PACKAGE_ALL=true; shift ;; --use-freeswitch-package-all ) export USE_FREESWITCH_PACKAGE_ALL=true; shift ;;
--use-freeswitch-master ) USE_FREESWITCH_MASTER=true; shift ;; --use-freeswitch-package-unofficial-arm ) export USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM=true; shift ;;
--use-freeswitch-master ) export USE_FREESWITCH_MASTER=true; shift ;;
-h | --help ) HELP=true; shift ;; -h | --help ) HELP=true; shift ;;
-- ) shift; break ;; -- ) shift; break ;;
* ) break ;; * ) break ;;
@ -26,6 +28,7 @@ if [ $HELP = true ]; then
echo "Debian installer script" echo "Debian installer script"
echo " --use-freeswitch-source will use freeswitch from source rather than (default:packages)" echo " --use-freeswitch-source will use freeswitch from source rather than (default:packages)"
echo " --use-freeswitch-package-all if using packages use the meta-all package" echo " --use-freeswitch-package-all if using packages use the meta-all package"
echo " --use-freeswitch-package-unofficial-arm if your system is arm and you are using packages, use the unofficial arm repo"
echo " --use-freeswitch-master will use master branch/packages instead of (default:stable)" echo " --use-freeswitch-master will use master branch/packages instead of (default:stable)"
exit; exit;
fi fi
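Review bot: The status check on the line after the extended getopt call still tests `eval set -- "$OPTS"`, not getopt itself, so an unknown option makes getopt report the error on stderr while the script carries on with whatever partial list it produced; this line is being edited anyway, so fold the check into the assignment: `OPTS=$(getopt -n 'install.sh' -o h -l help,use-freeswitch-source,use-freeswitch-package-all,use-freeswitch-master,use-freeswitch-package-unofficial-arm -- "$@") || { echo "Failed parsing options." >&2; exit 1; }`. The per-option `export VAR=true; shift` arms and the exported defaults are valid under `/bin/sh`, but a one-line comment above the defaults such as `# exported so install-*.sh sub-scripts see the same flags when run from here` would explain why these four are exported and HELP is not. The option loop and the help block continue outside this hunk.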


@ -1,22 +1,27 @@
#!/bin/sh #!/bin/sh
#initialize variable encase we are called directly
[ -z $USE_FREESWITCH_SOURCE ] && USE_FREESWITCH_SOURCE=false
#send a message #send a message
echo "Install Fail2ban" echo "Install Fail2ban"
#add the dependencies #add the dependencies
apt-get install -y --force-yes fail2ban apt-get install -y --force-yes fail2ban
#move the filters #move the filters
cp resources/fail2ban/fusionpbx.conf /etc/fail2ban/filter.d/fusionpbx.conf
cp resources/fail2ban/freeswitch-dos.conf /etc/fail2ban/filter.d/freeswitch-dos.conf cp resources/fail2ban/freeswitch-dos.conf /etc/fail2ban/filter.d/freeswitch-dos.conf
cp resources/fail2ban/freeswitch-ip.conf /etc/fail2ban/filter.d/freeswitch-ip.conf
cp resources/fail2ban/freeswitch.conf /etc/fail2ban/filter.d/freeswitch.conf cp resources/fail2ban/freeswitch.conf /etc/fail2ban/filter.d/freeswitch.conf
cp resources/fail2ban/fusionpbx.conf /etc/fail2ban/filter.d/fusionpbx.conf
cp resources/fail2ban/nginx-404.conf /etc/fail2ban/filter.d/nginx-404.conf
cp resources/fail2ban/nginx-dos.conf /etc/fail2ban/filter.d/nginx-dos.conf
cp resources/fail2ban/jail.local /etc/fail2ban/jail.local
#move the template #update config if source is being used
cp resources/fail2ban/jail.package /etc/fail2ban/jail.package if [ $USE_FREESWITCH_SOURCE = true ]; then
cp resources/fail2ban/jail.source /etc/fail2ban/jail.source sed 's#var/log/freeswitch#usr/local/freeswitch/log#g' -i /etc/fail2ban/jail.local
fi
#active the filters
cp resources/fail2ban/jail.package /etc/fail2ban/jail.local
#restart fail2ban #restart fail2ban
#systemd #systemd
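Review bot: `[ -z $USE_FREESWITCH_SOURCE ] && USE_FREESWITCH_SOURCE=false` only works by accident: with the variable unset the test collapses to `[ -z ]`, which is true merely because a one-argument test checks for a non-empty string, and the later `if [ $USE_FREESWITCH_SOURCE = true ]` degrades to `[ = true ]` and prints a test error instead of choosing a branch if the value is ever empty. Quote both expansions, or use the POSIX default-assignment form: `: "${USE_FREESWITCH_SOURCE:=false}"` and `if [ "$USE_FREESWITCH_SOURCE" = true ]; then`. The same unquoted default line appears for USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM in both install-freeswitch scripts further down this commit. The `sed '...' -i file` form relies on GNU sed accepting options after the script; `sed -i 's#var/log/freeswitch#usr/local/freeswitch/log#g' /etc/fail2ban/jail.local` is the conventional order. The script continues past this hunk.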


@ -1,45 +1,33 @@
[freeswitch-tcp] [freeswitch]
enabled = true enabled = true
port = 5060,5061,5080,5081,5070 port = 5060,5061,5080,5081
protocol = tcp protocol = all
filter = freeswitch filter = freeswitch
logpath = /var/log/freeswitch/freeswitch.log logpath = /var/log/freeswitch/freeswitch.log
action = iptables-allports[name=freeswitch-tcp, protocol=all] action = iptables-allports[name=freeswitch, protocol=all]
maxretry = 5
findtime = 600
bantime = 600
# sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed
[freeswitch-udp]
enabled = true
port = 5060,5061,5080,5081,5070
protocol = udp
filter = freeswitch
logpath = /var/log/freeswitch/freeswitch.log
action = iptables-allports[name=freeswitch-udp, protocol=all]
maxretry = 5 maxretry = 5
findtime = 600 findtime = 600
bantime = 600 bantime = 600
# sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed # sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed
[freeswitch-ip] [freeswitch-ip]
enabled = true enabled = true
port = 5060,5061,5080,5081 port = 5060,5061,5080,5081
protocol = udp protocol = all
filter = freeswitch-ip filter = freeswitch-ip
logpath = /var/log/freeswitch/freeswitch.log logpath = /var/log/freeswitch/freeswitch.log
action = iptables-allports[name=freeswitch-ip, protocol=all] action = iptables-allports[name=freeswitch-ip, protocol=all]
maxretry = 1 maxretry = 1
findtime = 30 findtime = 30
bantime = 86400 bantime = 86400
[freeswitch-dos] [freeswitch-dos]
enabled = true enabled = true
port = 5060,5061,5080,5081,5070 port = 5060,5061,5080,5081
protocol = udp protocol = all
filter = freeswitch-dos filter = freeswitch-dos
logpath = /var/log/freeswitch/freeswitch.log logpath = /var/log/freeswitch/freeswitch.log
action = iptables-allports[name=freeswitch-dos, protocol=all] action = iptables-allports[name=freeswitch-dos, protocol=all]
maxretry = 50 maxretry = 50
findtime = 30 findtime = 30
bantime = 6000 bantime = 6000
@ -57,11 +45,12 @@ findtime = 600
bantime = 600 bantime = 600
[nginx-404] [nginx-404]
enabled = true enabled = true
port = http,https port = 80,443
filter = nginx-404 protocol = tcp
logpath = /var/log/nginx/access*.log filter = nginx-404
bantime = 600 logpath = /var/log/nginx/access*.log
bantime = 600
findtime = 600 findtime = 600
maxretry = 10 maxretry = 10
@ -69,10 +58,11 @@ maxretry = 10
# Based on apache-badbots but a simple IP check (any IP requesting more than # Based on apache-badbots but a simple IP check (any IP requesting more than
# 240 pages in 60 seconds, or 4p/s average, is suspicious) # 240 pages in 60 seconds, or 4p/s average, is suspicious)
# Block for two full days. # Block for two full days.
enabled = true enabled = true
port = http port = 80
filter = nginx-dos protocol = tcp
logpath = /var/log/nginx/access*.log filter = nginx-dos
logpath = /var/log/nginx/access*.log
findtime = 60 findtime = 60
bantime = 172800 bantime = 172800
maxretry = 240 maxretry = 240
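Review bot: In the `[nginx-dos]` jail the new `port = 80` with `protocol = tcp` covers only plain HTTP, while the sibling `[nginx-404]` jail just above was given `port = 80,443`; both jails read the same `/var/log/nginx/access*.log`, so a flood arriving over HTTPS would be matched but, unless this jail's action (not shown in the hunk) is an allports variant, the resulting ban would leave 443 open. Use `port = 80,443` here for consistency with `[nginx-404]`. Separately, the `[freeswitch]` and `[freeswitch-dos]` port lists silently drop 5070 from the old `5060,5061,5080,5081,5070`; with `iptables-allports` the list does not affect the ban, but if the removal is intentional a short comment such as `# port list is informational: iptables-allports bans the whole address` would stop the next reader from re-adding it.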


@ -1,76 +0,0 @@
[freeswitch-tcp]
enabled = true
port = 5060,5061,5080,5081,5070
protocol = tcp
filter = freeswitch
logpath = /usr/local/freeswitch/log/freeswitch.log
action = iptables-allports[name=freeswitch-tcp, protocol=all]
maxretry = 5
findtime = 600
bantime = 600
# sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed
[freeswitch-udp]
enabled = true
port = 5060,5061,5080,5081,5070
protocol = udp
filter = freeswitch
logpath = /usr/local/freeswitch/log/freeswitch.log
action = iptables-allports[name=freeswitch-udp, protocol=all]
maxretry = 5
findtime = 600
bantime = 600
# sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed
[freeswitch-ip]
enabled = true
port = 5060,5061,5080,5081
protocol = udp
filter = freeswitch-ip
logpath = /usr/local/freeswitch/log/freeswitch.log
action = iptables-allports[name=freeswitch-ip, protocol=all]
maxretry = 1
findtime = 30
bantime = 86400
[freeswitch-dos]
enabled = true
port = 5060,5061,5080,5081,5070
protocol = udp
filter = freeswitch-dos
logpath = /usr/local/freeswitch/log/freeswitch.log
action = iptables-allports[name=freeswitch-dos, protocol=all]
maxretry = 50
findtime = 30
bantime = 6000
[fusionpbx]
enabled = true
port = 80,443
protocol = tcp
filter = fusionpbx
logpath = /var/log/auth.log
action = iptables-allports[name=fusionpbx, protocol=all]
# sendmail-whois[name=fusionpbx, dest=root, sender=fail2ban@example.org] #no smtp server installed
maxretry = 5
findtime = 600
bantime = 600
[nginx-404]
enabled = true
port = http,https
filter = nginx-404
logpath = /var/log/nginx/access*.log
bantime = 600
findtime = 600
maxretry = 10
[nginx-dos]
# Based on apache-badbots
enabled = true
port = http
filter = nginx-dos
logpath = /var/log/nginx/access*.log
findtime = 60
bantime = 172800
maxretry = 240


@ -1,8 +1,11 @@
#!/bin/sh #!/bin/sh
#initialize variable encase we are called directly
[ -z $USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM ] && USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM=false
apt-get update && apt-get install -y --force-yes curl memcached haveged apt-get update && apt-get install -y --force-yes curl memcached haveged
USE_UNOFFICIAL_ARM_REPO=0
arch=$(uname -m) arch=$(uname -m)
if [ $arch = 'armv7l' ] && [ $USE_UNOFFICIAL_ARM_REPO -eq 1 ]; then if [ $arch = 'armv7l' ] && [ $USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM = true ]; then
echo "deb http://repo.sip247.com/debian/freeswitch-stable-armhf/ jessie main" > /etc/apt/sources.list.d/freeswitch.list echo "deb http://repo.sip247.com/debian/freeswitch-stable-armhf/ jessie main" > /etc/apt/sources.list.d/freeswitch.list
curl http://repo.sip247.com/debian/sip247.com.gpg.key | apt-key add - curl http://repo.sip247.com/debian/sip247.com.gpg.key | apt-key add -
else else
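Review bot: The new `--use-freeswitch-package-unofficial-arm` flag now makes the branch reachable that fetches the repository signing key with `curl http://repo.sip247.com/debian/sip247.com.gpg.key | apt-key add -`, i.e. over plain HTTP with no fingerprint check, so whatever a network intermediary returns becomes a trusted apt key for the whole system. Without `-f`, curl also pipes an HTTP error page into `apt-key add` on a failed fetch, and the pipeline's status is not checked. If the repository is served over TLS, change it to `curl -fsS https://repo.sip247.com/debian/sip247.com.gpg.key | apt-key add -` and compare the key's fingerprint against a value recorded in this repo before adding it; otherwise at least document the trust assumption in a comment above the line. The identical lines appear in the second install-freeswitch script below this one, and the `else` branch continues outside this hunk.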


@ -1,8 +1,10 @@
#!/bin/sh #!/bin/sh
#initialize variable encase we are called directly
[ -z $USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM ] && USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM=false
apt-get update && apt-get install -y --force-yes curl memcached haveged apt-get update && apt-get install -y --force-yes curl memcached haveged
USE_UNOFFICIAL_ARM_REPO=0
arch=$(uname -m) arch=$(uname -m)
if [ $arch = 'armv7l' ] && [ $USE_UNOFFICIAL_ARM_REPO -eq 1 ]; then if [ $arch = 'armv7l' ] && [ $USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM = true ]; then
echo "deb http://repo.sip247.com/debian/freeswitch-stable-armhf/ jessie main" > /etc/apt/sources.list.d/freeswitch.list echo "deb http://repo.sip247.com/debian/freeswitch-stable-armhf/ jessie main" > /etc/apt/sources.list.d/freeswitch.list
curl http://repo.sip247.com/debian/sip247.com.gpg.key | apt-key add - curl http://repo.sip247.com/debian/sip247.com.gpg.key | apt-key add -
else else