fixes for fail2ban (#10)
export the command line variables so sub scripts can use them use sed to update log path is source is used simplify freeswitch rules to use protocol=all general tidy up of spacing in files
This commit is contained in:
Mafoo
FusionPBX
parent
af853ed018
commit
bf5a253f65
|
|
@ -1,21 +1,23 @@
|
|||
#!/bin/sh
|
||||
|
||||
#Process command line options
|
||||
OPTS=`getopt -n 'install.sh' -o h -l help,use-freeswitch-source,use-freeswitch-package-all,use-freeswitch-master -- "$@"`
|
||||
OPTS=`getopt -n 'install.sh' -o h -l help,use-freeswitch-source,use-freeswitch-package-all,use-freeswitch-master,use-freeswitch-package-unofficial-arm -- "$@"`
|
||||
eval set -- "$OPTS"
|
||||
|
||||
if [ $? != 0 ] ; then echo "Failed parsing options." >&2 ; exit 1 ; fi
|
||||
|
||||
USE_FREESWITCH_SOURCE=false
|
||||
USE_FREESWITCH_PACKAGE_ALL=false
|
||||
USE_FREESWITCH_MASTER=false
|
||||
export USE_FREESWITCH_SOURCE=false
|
||||
export USE_FREESWITCH_PACKAGE_ALL=false
|
||||
export USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM=false
|
||||
export USE_FREESWITCH_MASTER=false
|
||||
HELP=false
|
||||
|
||||
while true; do
|
||||
case "$1" in
|
||||
--use-freeswitch-source ) USE_FREESWITCH_SOURCE=true; shift ;;
|
||||
--use-freeswitch-package-all ) USE_FREESWITCH_PACKAGE_ALL=true; shift ;;
|
||||
--use-freeswitch-master ) USE_FREESWITCH_MASTER=true; shift ;;
|
||||
--use-freeswitch-source ) export USE_FREESWITCH_SOURCE=true; shift ;;
|
||||
--use-freeswitch-package-all ) export USE_FREESWITCH_PACKAGE_ALL=true; shift ;;
|
||||
--use-freeswitch-package-unofficial-arm ) export USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM=true; shift ;;
|
||||
--use-freeswitch-master ) export USE_FREESWITCH_MASTER=true; shift ;;
|
||||
-h | --help ) HELP=true; shift ;;
|
||||
-- ) shift; break ;;
|
||||
* ) break ;;
|
||||
|
|
@ -26,6 +28,7 @@ if [ $HELP = true ]; then
|
|||
echo "Debian installer script"
|
||||
echo " --use-freeswitch-source will use freeswitch from source rather than (default:packages)"
|
||||
echo " --use-freeswitch-package-all if using packages use the meta-all package"
|
||||
echo " --use-freeswitch-package-unofficial-arm if your system is arm and you are using packages, use the unofficial arm repo"
|
||||
echo " --use-freeswitch-master will use master branch/packages instead of (default:stable)"
|
||||
exit;
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -1,5 +1,8 @@
|
|||
#!/bin/sh
|
||||
|
||||
#initialize variable encase we are called directly
|
||||
[ -z $USE_FREESWITCH_SOURCE ] && USE_FREESWITCH_SOURCE=false
|
||||
|
||||
#send a message
|
||||
echo "Install Fail2ban"
|
||||
|
||||
|
|
@ -7,16 +10,18 @@ echo "Install Fail2ban"
|
|||
apt-get install -y --force-yes fail2ban
|
||||
|
||||
#move the filters
|
||||
cp resources/fail2ban/fusionpbx.conf /etc/fail2ban/filter.d/fusionpbx.conf
|
||||
cp resources/fail2ban/freeswitch-dos.conf /etc/fail2ban/filter.d/freeswitch-dos.conf
|
||||
cp resources/fail2ban/freeswitch-ip.conf /etc/fail2ban/filter.d/freeswitch-ip.conf
|
||||
cp resources/fail2ban/freeswitch.conf /etc/fail2ban/filter.d/freeswitch.conf
|
||||
cp resources/fail2ban/fusionpbx.conf /etc/fail2ban/filter.d/fusionpbx.conf
|
||||
cp resources/fail2ban/nginx-404.conf /etc/fail2ban/filter.d/nginx-404.conf
|
||||
cp resources/fail2ban/nginx-dos.conf /etc/fail2ban/filter.d/nginx-dos.conf
|
||||
cp resources/fail2ban/jail.local /etc/fail2ban/jail.local
|
||||
|
||||
#move the template
|
||||
cp resources/fail2ban/jail.package /etc/fail2ban/jail.package
|
||||
cp resources/fail2ban/jail.source /etc/fail2ban/jail.source
|
||||
|
||||
#active the filters
|
||||
cp resources/fail2ban/jail.package /etc/fail2ban/jail.local
|
||||
#update config if source is being used
|
||||
if [ $USE_FREESWITCH_SOURCE = true ]; then
|
||||
sed 's#var/log/freeswitch#usr/local/freeswitch/log#g' -i /etc/fail2ban/jail.local
|
||||
fi
|
||||
|
||||
#restart fail2ban
|
||||
#systemd
|
||||
|
|
|
|||
|
|
@ -1,22 +1,10 @@
|
|||
[freeswitch-tcp]
|
||||
[freeswitch]
|
||||
enabled = true
|
||||
port = 5060,5061,5080,5081,5070
|
||||
protocol = tcp
|
||||
port = 5060,5061,5080,5081
|
||||
protocol = all
|
||||
filter = freeswitch
|
||||
logpath = /var/log/freeswitch/freeswitch.log
|
||||
action = iptables-allports[name=freeswitch-tcp, protocol=all]
|
||||
maxretry = 5
|
||||
findtime = 600
|
||||
bantime = 600
|
||||
# sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed
|
||||
|
||||
[freeswitch-udp]
|
||||
enabled = true
|
||||
port = 5060,5061,5080,5081,5070
|
||||
protocol = udp
|
||||
filter = freeswitch
|
||||
logpath = /var/log/freeswitch/freeswitch.log
|
||||
action = iptables-allports[name=freeswitch-udp, protocol=all]
|
||||
action = iptables-allports[name=freeswitch, protocol=all]
|
||||
maxretry = 5
|
||||
findtime = 600
|
||||
bantime = 600
|
||||
|
|
@ -25,7 +13,7 @@ bantime = 600
|
|||
[freeswitch-ip]
|
||||
enabled = true
|
||||
port = 5060,5061,5080,5081
|
||||
protocol = udp
|
||||
protocol = all
|
||||
filter = freeswitch-ip
|
||||
logpath = /var/log/freeswitch/freeswitch.log
|
||||
action = iptables-allports[name=freeswitch-ip, protocol=all]
|
||||
|
|
@ -35,8 +23,8 @@ bantime = 86400
|
|||
|
||||
[freeswitch-dos]
|
||||
enabled = true
|
||||
port = 5060,5061,5080,5081,5070
|
||||
protocol = udp
|
||||
port = 5060,5061,5080,5081
|
||||
protocol = all
|
||||
filter = freeswitch-dos
|
||||
logpath = /var/log/freeswitch/freeswitch.log
|
||||
action = iptables-allports[name=freeswitch-dos, protocol=all]
|
||||
|
|
@ -58,7 +46,8 @@ bantime = 600
|
|||
|
||||
[nginx-404]
|
||||
enabled = true
|
||||
port = http,https
|
||||
port = 80,443
|
||||
protocol = tcp
|
||||
filter = nginx-404
|
||||
logpath = /var/log/nginx/access*.log
|
||||
bantime = 600
|
||||
|
|
@ -70,7 +59,8 @@ maxretry = 10
|
|||
# 240 pages in 60 seconds, or 4p/s average, is suspicious)
|
||||
# Block for two full days.
|
||||
enabled = true
|
||||
port = http
|
||||
port = 80
|
||||
protocol = tcp
|
||||
filter = nginx-dos
|
||||
logpath = /var/log/nginx/access*.log
|
||||
findtime = 60
|
||||
|
|
@ -1,76 +0,0 @@
|
|||
[freeswitch-tcp]
|
||||
enabled = true
|
||||
port = 5060,5061,5080,5081,5070
|
||||
protocol = tcp
|
||||
filter = freeswitch
|
||||
logpath = /usr/local/freeswitch/log/freeswitch.log
|
||||
action = iptables-allports[name=freeswitch-tcp, protocol=all]
|
||||
maxretry = 5
|
||||
findtime = 600
|
||||
bantime = 600
|
||||
# sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed
|
||||
|
||||
[freeswitch-udp]
|
||||
enabled = true
|
||||
port = 5060,5061,5080,5081,5070
|
||||
protocol = udp
|
||||
filter = freeswitch
|
||||
logpath = /usr/local/freeswitch/log/freeswitch.log
|
||||
action = iptables-allports[name=freeswitch-udp, protocol=all]
|
||||
maxretry = 5
|
||||
findtime = 600
|
||||
bantime = 600
|
||||
# sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed
|
||||
|
||||
[freeswitch-ip]
|
||||
enabled = true
|
||||
port = 5060,5061,5080,5081
|
||||
protocol = udp
|
||||
filter = freeswitch-ip
|
||||
logpath = /usr/local/freeswitch/log/freeswitch.log
|
||||
action = iptables-allports[name=freeswitch-ip, protocol=all]
|
||||
maxretry = 1
|
||||
findtime = 30
|
||||
bantime = 86400
|
||||
|
||||
[freeswitch-dos]
|
||||
enabled = true
|
||||
port = 5060,5061,5080,5081,5070
|
||||
protocol = udp
|
||||
filter = freeswitch-dos
|
||||
logpath = /usr/local/freeswitch/log/freeswitch.log
|
||||
action = iptables-allports[name=freeswitch-dos, protocol=all]
|
||||
maxretry = 50
|
||||
findtime = 30
|
||||
bantime = 6000
|
||||
|
||||
[fusionpbx]
|
||||
enabled = true
|
||||
port = 80,443
|
||||
protocol = tcp
|
||||
filter = fusionpbx
|
||||
logpath = /var/log/auth.log
|
||||
action = iptables-allports[name=fusionpbx, protocol=all]
|
||||
# sendmail-whois[name=fusionpbx, dest=root, sender=fail2ban@example.org] #no smtp server installed
|
||||
maxretry = 5
|
||||
findtime = 600
|
||||
bantime = 600
|
||||
|
||||
[nginx-404]
|
||||
enabled = true
|
||||
port = http,https
|
||||
filter = nginx-404
|
||||
logpath = /var/log/nginx/access*.log
|
||||
bantime = 600
|
||||
findtime = 600
|
||||
maxretry = 10
|
||||
|
||||
[nginx-dos]
|
||||
# Based on apache-badbots
|
||||
enabled = true
|
||||
port = http
|
||||
filter = nginx-dos
|
||||
logpath = /var/log/nginx/access*.log
|
||||
findtime = 60
|
||||
bantime = 172800
|
||||
maxretry = 240
|
||||
|
|
@ -1,8 +1,11 @@
|
|||
#!/bin/sh
|
||||
|
||||
#initialize variable encase we are called directly
|
||||
[ -z $USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM ] && USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM=false
|
||||
|
||||
apt-get update && apt-get install -y --force-yes curl memcached haveged
|
||||
USE_UNOFFICIAL_ARM_REPO=0
|
||||
arch=$(uname -m)
|
||||
if [ $arch = 'armv7l' ] && [ $USE_UNOFFICIAL_ARM_REPO -eq 1 ]; then
|
||||
if [ $arch = 'armv7l' ] && [ $USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM = true ]; then
|
||||
echo "deb http://repo.sip247.com/debian/freeswitch-stable-armhf/ jessie main" > /etc/apt/sources.list.d/freeswitch.list
|
||||
curl http://repo.sip247.com/debian/sip247.com.gpg.key | apt-key add -
|
||||
else
|
||||
|
|
|
|||
|
|
@ -1,8 +1,10 @@
|
|||
#!/bin/sh
|
||||
#initialize variable encase we are called directly
|
||||
[ -z $USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM ] && USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM=false
|
||||
|
||||
apt-get update && apt-get install -y --force-yes curl memcached haveged
|
||||
USE_UNOFFICIAL_ARM_REPO=0
|
||||
arch=$(uname -m)
|
||||
if [ $arch = 'armv7l' ] && [ $USE_UNOFFICIAL_ARM_REPO -eq 1 ]; then
|
||||
if [ $arch = 'armv7l' ] && [ $USE_FREESWITCH_PACKAGE_UNOFFICIAL_ARM = true ]; then
|
||||
echo "deb http://repo.sip247.com/debian/freeswitch-stable-armhf/ jessie main" > /etc/apt/sources.list.d/freeswitch.list
|
||||
curl http://repo.sip247.com/debian/sip247.com.gpg.key | apt-key add -
|
||||
else
|
||||
|
|
|
|||
Loading…
Reference in New Issue