#!/bin/bash
# Clear whatever a previous run left under /run/fail2ban (original note:
# "Fix socket"), presumably so the server started at the end of this script
# is not blocked by a stale socket or pid file.
rm -f /run/fail2ban/*

# The Nextcloud volume has to be a real mount point; otherwise stop right away.
mountpoint -q /nextcloud || {
  echo "/nextcloud is not a mountpoint which it must be!"
  exit 1
}

# Block until Nextcloud has created its log file, which the nextcloud jail
# uses as logpath. Polls every 5 seconds with no upper bound.
until [[ -f /nextcloud/data/nextcloud.log ]]; do
  echo "Waiting for /nextcloud/data/nextcloud.log to become available"
  sleep 5
done
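# Nextcloud filter: matches "Login failed:" and "Trusted domain error." entries
# in Nextcloud's JSON log and takes the offending address from "remoteAddr".
# The second failregex line is indented on purpose: the INI format fail2ban
# reads only treats an indented line as a continuation of the previous option,
# so at column 0 the "Trusted domain error." pattern would not be part of
# failregex. The heredoc delimiter is quoted so the shell copies the regexes
# verbatim instead of scanning them for $ and backslash expansions.
# NOTE(review): behind a reverse proxy, "remoteAddr" is only the real client
# address when Nextcloud's trusted_proxies is configured; otherwise a ban
# would land on the proxy itself. Confirm for this deployment.
cat > /etc/fail2ban/filter.d/nextcloud.conf << 'FILTER'
[INCLUDES]
before = common.conf
[Definition]
_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
FILTER

# Nextcloud jail: maxretry = 3 matches within findtime (14400 s) ban the
# address for bantime (14400 s), using the all-ports ban action.
# chain=DOCKER-USER asks the ban action to put its rules in the DOCKER-USER
# chain, presumably because the protected service runs as a Docker container;
# verify that this chain exists on the host.
cat > /etc/fail2ban/jail.d/nextcloud.local << 'JAIL'
[nextcloud]
enabled = true
port = 80,443,8080,8443,3478
protocol = tcp,udp
filter = nextcloud
banaction = %(banaction_allports)s
maxretry = 3
bantime = 14400
findtime = 14400
logpath = /nextcloud/data/nextcloud.log
chain=DOCKER-USER
JAIL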
# Vaultwarden is optional: its filters and jails are written only when the log
# file already exists at the moment this script runs. The check happens once,
# so a log that appears later is not picked up until the next start.
if [[ -f /vaultwarden/vaultwarden.log ]]; then
  printf '%s\n' "Configuring vaultwarden for logs"

  # Filter for failed user logins; the address follows "IP:" in the log line.
  cat > /etc/fail2ban/filter.d/vaultwarden.conf << 'VW_FILTER'
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =
VW_FILTER

  # Jail for failed user logins: 3 matches within 14400 s ban for 14400 s.
  cat > /etc/fail2ban/jail.d/vaultwarden.local << 'VW_JAIL'
[vaultwarden]
enabled = true
port = 80,443,8812
protocol = tcp,udp
filter = vaultwarden
banaction = %(banaction_allports)s
logpath = /vaultwarden/vaultwarden.log
maxretry = 3
bantime = 14400
findtime = 14400
chain=DOCKER-USER
VW_JAIL

  # Filter for rejected admin tokens, read from the same log file.
  cat > /etc/fail2ban/filter.d/vaultwarden-admin.conf << 'VW_ADMIN_FILTER'
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
ignoreregex =
VW_ADMIN_FILTER

  # Jail for rejected admin tokens, with the same thresholds as the login jail.
  cat > /etc/fail2ban/jail.d/vaultwarden-admin.local << 'VW_ADMIN_JAIL'
[vaultwarden-admin]
enabled = true
port = 80,443,8812
protocol = tcp,udp
filter = vaultwarden-admin
banaction = %(banaction_allports)s
logpath = /vaultwarden/vaultwarden.log
maxretry = 3
bantime = 14400
findtime = 14400
chain=DOCKER-USER
VW_ADMIN_JAIL
fi
# Jellyfin is optional: configured only when its log directory exists when this
# script runs.
# NOTE(review): only the directory is tested, while logpath below is a glob;
# confirm how fail2ban behaves if no *.log file exists there yet.
if [[ -d /jellyfin/log ]]; then
  printf '%s\n' "Configuring jellyfin for logs"

  # Filter for denied authentication requests; the address is the quoted value
  # after "IP:".
  # NOTE(review): the ".*" before the address spans text that appears to come
  # from the request (the account name); confirm Jellyfin's log format keeps
  # that field from influencing which address is matched.
  cat > /etc/fail2ban/filter.d/jellyfin.conf << 'JF_FILTER'
[INCLUDES]
before = common.conf
[Definition]
failregex = ^.*Authentication request for .* has been denied \(IP: "<ADDR>"\)\.
JF_FILTER

  # Jail: 3 matches within findtime (43200 s) ban for bantime (86400 s).
  cat > /etc/fail2ban/jail.d/jellyfin.local << 'JF_JAIL'
[jellyfin]
enabled = true
port = 80,443,8096,8920,1900,7359
protocol = tcp,udp
filter = jellyfin
banaction = %(banaction_allports)s
maxretry = 3
bantime = 86400
findtime = 43200
logpath = /jellyfin/log/*.log
chain=DOCKER-USER
JF_JAIL
fi
# Jellyseerr is optional: configured only when its log directory exists when
# this script runs.
# NOTE(review): only the directory is tested, while logpath below is a glob;
# confirm how fail2ban behaves if no *.log file exists there yet.
if [[ -d /jellyseerr/logs ]]; then
  printf '%s\n' "Configuring jellyseerr for logs"

  # Filter for failed sign-in warnings; the address comes from the "ip" field.
  # NOTE(review): the pattern is unanchored and the line may carry
  # user-supplied fields; confirm the application escapes them so the matched
  # address cannot be influenced by request content.
  cat > /etc/fail2ban/filter.d/jellyseerr.conf << 'JS_FILTER'
[INCLUDES]
before = common.conf
[Definition]
failregex = .*\[warn\]\[API\]\: Failed sign-in attempt.*"ip":"<HOST>"
JS_FILTER

  # Jail: 3 matches within findtime (43200 s) ban for bantime (86400 s).
  cat > /etc/fail2ban/jail.d/jellyseerr.local << 'JS_JAIL'
[jellyseerr]
enabled = true
port = 80,443,5055
protocol = tcp,udp
filter = jellyseerr
banaction = %(banaction_allports)s
maxretry = 3
bantime = 86400
findtime = 43200
logpath = /jellyseerr/logs/*.log
chain=DOCKER-USER
JS_JAIL
fi
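# Run fail2ban in the foreground (-f), logging to stderr at info level.
# exec replaces this shell with the server instead of leaving it as a child
# process. If this script is the container entrypoint (presumably; verify),
# stop signals then reach fail2ban directly and it can shut down cleanly
# rather than being killed together with the shell.
exec fail2ban-server -f --logtarget stderr --loglevel info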