From 15f3d49eed15db16d39e7bacaaa0ef5f5c2efd9d Mon Sep 17 00:00:00 2001
From: VirtuBox
Date: Thu, 30 Jan 2020 12:35:38 +0100
Subject: [PATCH] Fix fail2ban configuration when nginx not installed
* improve kernel tweaks
* remove deprecated kernel tweaks
---
 wo/cli/plugins/stack_pref.py | 45 +++++++++++++++++---------------
 wo/cli/templates/sysctl.mustache | 11 +++++++-
 2 files changed, 34 insertions(+), 22 deletions(-)
diff --git a/wo/cli/plugins/stack_pref.py b/wo/cli/plugins/stack_pref.py
index 6ad0bcd..4e7aeca 100644
--- a/wo/cli/plugins/stack_pref.py
+++ b/wo/cli/plugins/stack_pref.py
@@ -944,6 +944,7 @@ def post_pref(self, apt_packages, packages, upgrade=False):
 config_file.write(config)
 config_file.close()
 else:
+ # make sure root account have all privileges
 if "PASSWORD" not in WOShellExec.cmd_exec_stdout(
 self, 'mysql -e "use mysql; show grants;"'):
 try:
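Review bot: The added comment `# make sure root account have all privileges` has a grammar slip ("have" → "has") and states an intent rather than what the condition on the next line actually tests, which is whether the literal string "PASSWORD" is absent from the output of `mysql -e "use mysql; show grants;"`. A comment that matches the code would be `# root account should have all privileges; the branch below runs only when the "show grants" output lacks "PASSWORD"`. The `try:` body and the rest of post_pref lie outside the hunk, so what that branch then does cannot be confirmed from here and the comment should not claim more than the check itself.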
@@ -1017,25 +1018,27 @@ def post_pref(self, apt_packages, packages, upgrade=False):
 # create fail2ban configuration files
 if "fail2ban" in apt_packages:
 WOService.restart_service(self, 'fail2ban')
- WOGit.add(self, ["/etc/fail2ban"],
- msg="Adding Fail2ban into Git")
- Log.info(self, "Configuring Fail2Ban")
- data = dict(release=WOVar.wo_version)
- WOTemplate.deploy(
- self,
- '/etc/fail2ban/jail.d/custom.conf',
- 'fail2ban.mustache',
- data, overwrite=False)
- WOTemplate.deploy(
- self,
- '/etc/fail2ban/filter.d/wo-wordpress.conf',
- 'fail2ban-wp.mustache',
- data, overwrite=False)
- WOTemplate.deploy(
- self,
- '/etc/fail2ban/filter.d/nginx-forbidden.conf',
- 'fail2ban-forbidden.mustache',
- data, overwrite=False)
+ if os.path.exists('/etc/fail2ban:'):
+ WOGit.add(self, ["/etc/fail2ban"],
+ msg="Adding Fail2ban into Git")
+ Log.info(self, "Configuring Fail2Ban")
+ data = dict(release=WOVar.wo_version)
+ WOTemplate.deploy(
+ self,
+ '/etc/fail2ban/jail.d/custom.conf',
+ 'fail2ban.mustache',
+ data, overwrite=False)
+ if WOAptGet.is_exec(self, 'nginx'):
+ WOTemplate.deploy(
+ self,
+ '/etc/fail2ban/filter.d/wo-wordpress.conf',
+ 'fail2ban-wp.mustache',
+ data, overwrite=False)
+ WOTemplate.deploy(
+ self,
+ '/etc/fail2ban/filter.d/nginx-forbidden.conf',
+ 'fail2ban-forbidden.mustache',
+ data, overwrite=False)
 if not WOService.reload_service(self, 'fail2ban'):
 WOGit.rollback(
@@ -1092,8 +1095,8 @@ def post_pref(self, apt_packages, packages, upgrade=False):
 Log.debug(self, "{0}".format(e))
 Log.error(self, "Unable to add UFW rules")
- if ((os.path.isfile("/etc/fail2ban/jail.d/custom.conf")) and
- (not WOFileUtils.grep(
+ if ((os.path.exists("/etc/fail2ban/jail.d/custom.conf")) and
+ (not WOFileUtils.grepcheck(
 self, "/etc/fail2ban/jail.d/custom.conf",
 "proftpd"))):
 with open("/etc/fail2ban/jail.d/custom.conf",
diff --git a/wo/cli/templates/sysctl.mustache b/wo/cli/templates/sysctl.mustache
index f4e9440..9caf30b 100644
--- a/wo/cli/templates/sysctl.mustache
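Review bot: `if os.path.exists('/etc/fail2ban:')` tests a path with a trailing colon, which looks like a typo for `/etc/fail2ban` given every other path in the hunk; as written the guard is false on any ordinary host, so the git add, the `Configuring Fail2Ban` log line and all three template deployments are silently skipped, and the `reload_service` check below would presumably still pass because nothing was changed, leaving the host without the jails this code is meant to install and with no error to show for it. The fix is the one line `if os.path.isdir('/etc/fail2ban'):` (or `os.path.exists('/etc/fail2ban')` if a non-directory layout must be tolerated). Separately, the two nginx filters are now deployed only when nginx is executable, but `custom.conf` comes from `fail2ban.mustache`, which is not in this diff; if that jail template still declares jails that reference `wo-wordpress` or `nginx-forbidden`, the reload would fail for a missing filter on nginx-less hosts and trigger the rollback below, so the jail template may need the same condition. post_pref continues on both sides of the hunk.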
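Review bot: Switching the custom.conf check from `os.path.isfile` to `os.path.exists` loosens it: a directory at `/etc/fail2ban/jail.d/custom.conf` now satisfies the condition and the `open(...)` on the following line would raise instead of the block being skipped. Unless a non-regular file is expected here, keeping `os.path.isfile("/etc/fail2ban/jail.d/custom.conf")` is the safer check. `WOFileUtils.grepcheck` is not defined in this diff, so whether it returns the same truth value `grep` did cannot be confirmed from here; a one-line comment naming what it returns would help the next reader.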
+++ b/wo/cli/templates/sysctl.mustache
@@ -64,6 +64,13 @@ fs.suid_dumpable = 0
 # Hide exposed kernel pointers
 kernel.kptr_restrict = 1
+# Restrict access to kernel logs
+kernel.dmesg_restrict = 1
+
+# Restrict ptrace scope
+kernel.yama.ptrace_scope = 1
+
+
 ###
 ### IMPROVE SYSTEM MEMORY MANAGEMENT ###
 ###
@@ -96,6 +103,9 @@ vm.min_free_kbytes = 65535
 ### GENERAL NETWORK SECURITY OPTIONS ###
 ###
+# Harden BPF JIT compiler
+net.core.bpf_jit_harden = 1
+
 #Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
 net.ipv4.tcp_syncookies = 1
 net.ipv4.tcp_syn_retries = 2
@@ -206,7 +216,6 @@ net.core.optmem_max = 65535
 net.ipv4.tcp_max_tw_buckets = 1440000
 # try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT)
-net.ipv4.tcp_tw_recycle = 0
 net.ipv4.tcp_tw_reuse = 1
 # Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
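Review bot: `kernel.yama.ptrace_scope = 1` only exists on kernels built with the Yama LSM; on a kernel without it, applying this file with `sysctl -p` or `sysctl --system` reports the key as missing and (at least with procps' sysctl) exits non-zero even though the other settings are applied, so any caller that checks that exit status will see a failure on such hosts. The comment above the key should say so, e.g. `# Restrict ptrace scope (needs the Yama LSM; sysctl reports this key as missing on kernels without it)`. It is also worth recording what 1 means: only a process's descendants may be traced (Ubuntu's default), which keeps debuggers attached to child processes working while preventing a same-user process from attaching to an arbitrary other one. `kernel.dmesg_restrict = 1` needs no such caveat, but a short note that it makes `dmesg` require CAP_SYSLOG would make the intent explicit.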
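Review bot: `# Harden BPF JIT compiler` does not say what value 1 covers: `net.core.bpf_jit_harden = 1` enables constant blinding only for BPF programs loaded by unprivileged users, while 2 hardens programs from all users at some JIT performance cost. Suggest `# Harden BPF JIT (constant blinding) for unprivileged BPF programs only; 2 would cover privileged loaders too`. Like the Yama key in the earlier hunk, this key is present only when the kernel was built with a BPF JIT, so the same missing-key caveat applies when the file is applied with sysctl. If the goal is to keep unprivileged users away from BPF altogether, `kernel.unprivileged_bpf_disabled` is the complementary knob and would be worth a line here.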