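#!/bin/bash
# =============================================================================
# Fail2ban configuration module
#
# Installs fail2ban with apt-get, writes /etc/fail2ban/jail.local and
# enables/restarts the service. Relies on log_message, is_package_installed
# and backup_file, which come from common.sh next to this script.
# =============================================================================

# Absolute directory this script lives in, so sibling files can be located
# regardless of the caller's working directory.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# Source common functions and variables from the script's own directory.
# A relative "./common.sh" only resolved when the script was run from that
# directory; anchoring on SCRIPT_DIR makes it work from anywhere.
# shellcheck source=common.sh
source "$SCRIPT_DIR/common.sh"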
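#######################################
# Print "true" when the given log file exists, otherwise "false".
# fail2ban treats an enabled jail whose logpath has no readable file as a
# configuration error, which can keep the whole service from starting; the
# caller uses this to leave such jails disabled.
# Arguments: $1 - log file path
# Outputs:   "true" or "false" on stdout (no trailing newline)
# Returns:   0
#######################################
_jail_enabled_for_log() {
  if [[ -f "$1" ]]; then
    printf 'true'
  else
    printf 'false'
  fi
}

#######################################
# Install fail2ban (if missing), write /etc/fail2ban/jail.local and
# enable + restart the service.
# Globals:   none written; calls log_message, is_package_installed and
#            backup_file from common.sh
# Arguments: none
# Outputs:   progress and errors via log_message
# Returns:   0 on success; 1 if the install, the config write, the service
#            enable or the service restart fails
#######################################
configure_fail2ban() {
  local -r jail_local="/etc/fail2ban/jail.local"
  local -r apache_log="/var/log/apache2/error.log"
  local -r nginx_log="/var/log/nginx/error.log"
  local apache_enabled nginx_enabled jail_config

  log_message "INFO" "Installing fail2ban"

  # Install fail2ban only when it is not already present.
  if is_package_installed "fail2ban"; then
    log_message "INFO" "fail2ban is already installed"
  elif ! apt-get install -y fail2ban; then
    log_message "ERROR" "Failed to install fail2ban"
    return 1
  fi

  # Enable the web-server jails only when their log file is present, so a
  # host without apache/nginx does not end up with a jail fail2ban cannot
  # start. The decision is made once, at generation time.
  apache_enabled=$(_jail_enabled_for_log "$apache_log")
  nginx_enabled=$(_jail_enabled_for_log "$nginx_log")

  log_message "INFO" "Creating fail2ban configuration"
  backup_file "$jail_local"

  # The heredoc is unquoted only so the ${...} references above expand;
  # everything else is literal fail2ban syntax.
  jail_config=$(cat <<EOF
[DEFAULT]
# Ban hosts for 1 hour
bantime = 3600
# Check for new failed login attempts every 10 minutes
findtime = 600
# Ban after 5 failures
maxretry = 5
# Ban via iptables: multiport blocks only the jail's ports, allports is
# used by actions that ban the host on every port
banaction = iptables-multiport
banaction_allports = iptables-allports

# Email notifications (uncomment and configure to enable)
# mta = mail
# sender = fail2ban@example.com
# destemail = admin@example.com
# action = %(action_mwl)s

# SSH jail (adjust 'port' if sshd listens on a non-default port)
[sshd]
enabled = true
port = 22
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 86400

# HTTP jail (enabled only if ${apache_log} existed when this file was written)
[apache-auth]
enabled = ${apache_enabled}
port = http,https
filter = apache-auth
logpath = ${apache_log}
maxretry = 3

# NGINX jail (enabled only if ${nginx_log} existed when this file was written)
[nginx-http-auth]
enabled = ${nginx_enabled}
port = http,https
filter = nginx-http-auth
logpath = ${nginx_log}
maxretry = 3
EOF
  )

  # A failed write must not be followed by a "SUCCESS" message and a restart
  # against a truncated or stale file.
  if ! printf '%s\n' "$jail_config" > "$jail_local"; then
    log_message "ERROR" "Failed to write $jail_local"
    return 1
  fi

  log_message "SUCCESS" "fail2ban configuration created at $jail_local"

  # Enable so the protection survives reboots, then restart to load the
  # new jail.local. Both statuses are checked explicitly.
  log_message "INFO" "Restarting fail2ban service"
  if ! systemctl enable fail2ban; then
    log_message "ERROR" "Failed to enable fail2ban service"
    return 1
  fi
  if ! systemctl restart fail2ban; then
    log_message "ERROR" "Failed to restart fail2ban service"
    return 1
  fi
  log_message "SUCCESS" "fail2ban service restarted successfully"
}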
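# Main execution for fail2ban.
# Log this module's own file name rather than a hard-coded one.
log_message "SCRIPT" "${BASH_SOURCE[0]##*/}"

# Report the real outcome instead of logging success unconditionally.
if configure_fail2ban; then
  log_message "SUCCESS" "fail2ban configuration completed"
else
  log_message "ERROR" "fail2ban configuration failed"
  # Propagate the failure whether this module is executed or sourced:
  # 'return' works when sourced, 'exit' when run as a script.
  return 1 2>/dev/null || exit 1
fi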