Malin/WPIQ
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix fail2ban configuration when nginx not installed

Browse Source 
* improve kernel tweaks 
* remove deprecated kernel tweaks
This commit is contained in:
VirtuBox
2020-01-30 12:35:38 +01:00
parent dce09ddadb
commit 15f3d49eed
2 changed files with 34 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
wo/cli/plugins/stack_pref.py
View File

@@ -944,6 +944,7 @@ def post_pref(self, apt_packages, packages, upgrade=False):
config_file.write(config) config_file.write(config)
config_file.close() config_file.close()
else: else:
# make sure root account have all privileges
if "PASSWORD" not in WOShellExec.cmd_exec_stdout( if "PASSWORD" not in WOShellExec.cmd_exec_stdout(
self, 'mysql -e "use mysql; show grants;"'): self, 'mysql -e "use mysql; show grants;"'):
try: try:
@@ -1017,6 +1018,7 @@ def post_pref(self, apt_packages, packages, upgrade=False):
# create fail2ban configuration files # create fail2ban configuration files
if "fail2ban" in apt_packages: if "fail2ban" in apt_packages:
WOService.restart_service(self, 'fail2ban') WOService.restart_service(self, 'fail2ban')
if os.path.exists('/etc/fail2ban:'):
WOGit.add(self, ["/etc/fail2ban"], WOGit.add(self, ["/etc/fail2ban"],
msg="Adding Fail2ban into Git") msg="Adding Fail2ban into Git")
Log.info(self, "Configuring Fail2Ban") Log.info(self, "Configuring Fail2Ban")
@@ -1026,6 +1028,7 @@ def post_pref(self, apt_packages, packages, upgrade=False):
'/etc/fail2ban/jail.d/custom.conf', '/etc/fail2ban/jail.d/custom.conf',
'fail2ban.mustache', 'fail2ban.mustache',
data, overwrite=False) data, overwrite=False)
if WOAptGet.is_exec(self, 'nginx'):
WOTemplate.deploy( WOTemplate.deploy(
self, self,
'/etc/fail2ban/filter.d/wo-wordpress.conf', '/etc/fail2ban/filter.d/wo-wordpress.conf',
@@ -1092,8 +1095,8 @@ def post_pref(self, apt_packages, packages, upgrade=False):
Log.debug(self, "{0}".format(e)) Log.debug(self, "{0}".format(e))
Log.error(self, "Unable to add UFW rules") Log.error(self, "Unable to add UFW rules")
if ((os.path.isfile("/etc/fail2ban/jail.d/custom.conf")) and if ((os.path.exists("/etc/fail2ban/jail.d/custom.conf")) and
(not WOFileUtils.grep( (not WOFileUtils.grepcheck(
self, "/etc/fail2ban/jail.d/custom.conf", self, "/etc/fail2ban/jail.d/custom.conf",
"proftpd"))): "proftpd"))):
with open("/etc/fail2ban/jail.d/custom.conf", with open("/etc/fail2ban/jail.d/custom.conf",

11
wo/cli/templates/sysctl.mustache
View File

@@ -64,6 +64,13 @@ fs.suid_dumpable = 0
# Hide exposed kernel pointers # Hide exposed kernel pointers
kernel.kptr_restrict = 1 kernel.kptr_restrict = 1
# Restrict access to kernel logs
kernel.dmesg_restrict = 1
# Restrict ptrace scope
kernel.yama.ptrace_scope = 1
### ###
### IMPROVE SYSTEM MEMORY MANAGEMENT ### ### IMPROVE SYSTEM MEMORY MANAGEMENT ###
### ###
@@ -96,6 +103,9 @@ vm.min_free_kbytes = 65535
### GENERAL NETWORK SECURITY OPTIONS ### ### GENERAL NETWORK SECURITY OPTIONS ###
### ###
# Harden BPF JIT compiler
net.core.bpf_jit_harden = 1
#Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached) #Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2 net.ipv4.tcp_syn_retries = 2
@@ -206,7 +216,6 @@ net.core.optmem_max = 65535
net.ipv4.tcp_max_tw_buckets = 1440000 net.ipv4.tcp_max_tw_buckets = 1440000
# try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT) # try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT)
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1 net.ipv4.tcp_tw_reuse = 1
# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory # Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory