Fix fail2ban configuration when nginx not installed
* improve kernel tweaks * remove deprecated kernel tweaks
@@ -944,6 +944,7 @@ def post_pref(self, apt_packages, packages, upgrade=False):
|
|||||||
config_file.write(config)
|
config_file.write(config)
|
||||||
config_file.close()
|
config_file.close()
|
||||||
else:
|
else:
|
||||||
|
# make sure root account have all privileges
|
||||||
if "PASSWORD" not in WOShellExec.cmd_exec_stdout(
|
if "PASSWORD" not in WOShellExec.cmd_exec_stdout(
|
||||||
self, 'mysql -e "use mysql; show grants;"'):
|
self, 'mysql -e "use mysql; show grants;"'):
|
||||||
try:
|
try:
|
||||||
@@ -1017,25 +1018,27 @@ def post_pref(self, apt_packages, packages, upgrade=False):
|
|||||||
# create fail2ban configuration files
|
# create fail2ban configuration files
|
||||||
if "fail2ban" in apt_packages:
|
if "fail2ban" in apt_packages:
|
||||||
WOService.restart_service(self, 'fail2ban')
|
WOService.restart_service(self, 'fail2ban')
|
||||||
WOGit.add(self, ["/etc/fail2ban"],
|
if os.path.exists('/etc/fail2ban:'):
|
||||||
msg="Adding Fail2ban into Git")
|
WOGit.add(self, ["/etc/fail2ban"],
|
||||||
Log.info(self, "Configuring Fail2Ban")
|
msg="Adding Fail2ban into Git")
|
||||||
data = dict(release=WOVar.wo_version)
|
Log.info(self, "Configuring Fail2Ban")
|
||||||
WOTemplate.deploy(
|
data = dict(release=WOVar.wo_version)
|
||||||
self,
|
WOTemplate.deploy(
|
||||||
'/etc/fail2ban/jail.d/custom.conf',
|
self,
|
||||||
'fail2ban.mustache',
|
'/etc/fail2ban/jail.d/custom.conf',
|
||||||
data, overwrite=False)
|
'fail2ban.mustache',
|
||||||
WOTemplate.deploy(
|
data, overwrite=False)
|
||||||
self,
|
if WOAptGet.is_exec(self, 'nginx'):
|
||||||
'/etc/fail2ban/filter.d/wo-wordpress.conf',
|
WOTemplate.deploy(
|
||||||
'fail2ban-wp.mustache',
|
self,
|
||||||
data, overwrite=False)
|
'/etc/fail2ban/filter.d/wo-wordpress.conf',
|
||||||
WOTemplate.deploy(
|
'fail2ban-wp.mustache',
|
||||||
self,
|
data, overwrite=False)
|
||||||
'/etc/fail2ban/filter.d/nginx-forbidden.conf',
|
WOTemplate.deploy(
|
||||||
'fail2ban-forbidden.mustache',
|
self,
|
||||||
data, overwrite=False)
|
'/etc/fail2ban/filter.d/nginx-forbidden.conf',
|
||||||
|
'fail2ban-forbidden.mustache',
|
||||||
|
data, overwrite=False)
|
||||||
|
|
||||||
if not WOService.reload_service(self, 'fail2ban'):
|
if not WOService.reload_service(self, 'fail2ban'):
|
||||||
WOGit.rollback(
|
WOGit.rollback(
|
||||||
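Review bot: The new guard `if os.path.exists('/etc/fail2ban:'):` tests a path with a stray trailing colon, so on any real install it is false and everything nested under it (the git add, jail.d/custom.conf and both filter templates) is silently skipped rather than the fail2ban configuration being applied; it should read `if os.path.exists('/etc/fail2ban'):`. The `WOAptGet.is_exec(self, 'nginx')` check correctly scopes the two nginx filters, but `jail.d/custom.conf` is still deployed unconditionally — if that template enables jails that reference the nginx filters or nginx log paths, the `reload_service` below will fail on nginx-less hosts, so verify the template (not visible here) or scope the jail file the same way. Note also that `restart_service` still runs before the configuration is written, which is pre-existing but worth a comment if intentional. post_pref starts and ends outside this hunk.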
@@ -1092,8 +1095,8 @@ def post_pref(self, apt_packages, packages, upgrade=False):
|
|||||||
Log.debug(self, "{0}".format(e))
|
Log.debug(self, "{0}".format(e))
|
||||||
Log.error(self, "Unable to add UFW rules")
|
Log.error(self, "Unable to add UFW rules")
|
||||||
|
|
||||||
if ((os.path.isfile("/etc/fail2ban/jail.d/custom.conf")) and
|
if ((os.path.exists("/etc/fail2ban/jail.d/custom.conf")) and
|
||||||
(not WOFileUtils.grep(
|
(not WOFileUtils.grepcheck(
|
||||||
self, "/etc/fail2ban/jail.d/custom.conf",
|
self, "/etc/fail2ban/jail.d/custom.conf",
|
||||||
"proftpd"))):
|
"proftpd"))):
|
||||||
with open("/etc/fail2ban/jail.d/custom.conf",
|
with open("/etc/fail2ban/jail.d/custom.conf",
|
||||||
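Review bot: Replacing `os.path.isfile` with `os.path.exists` on the `custom.conf` check loosens it for no visible gain: `exists` is also true for a directory, and the `open("/etc/fail2ban/jail.d/custom.conf", ...)` that follows (its body continues past the hunk) would then raise instead of being skipped. Since the code needs a regular file, keep `os.path.isfile("/etc/fail2ban/jail.d/custom.conf")` unless the rename was deliberate. `WOFileUtils.grepcheck` is presumably the boolean variant of `grep`; confirm it returns a bool, because `not` on a match string/list would invert the old behaviour on empty matches. The enclosing block continues outside the hunk.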
|
|||||||
@@ -64,6 +64,13 @@ fs.suid_dumpable = 0
|
|||||||
# Hide exposed kernel pointers
|
# Hide exposed kernel pointers
|
||||||
kernel.kptr_restrict = 1
|
kernel.kptr_restrict = 1
|
||||||
|
|
||||||
|
# Restrict access to kernel logs
|
||||||
|
kernel.dmesg_restrict = 1
|
||||||
|
|
||||||
|
# Restrict ptrace scope
|
||||||
|
kernel.yama.ptrace_scope = 1
|
||||||
|
|
||||||
|
|
||||||
###
|
###
|
||||||
### IMPROVE SYSTEM MEMORY MANAGEMENT ###
|
### IMPROVE SYSTEM MEMORY MANAGEMENT ###
|
||||||
###
|
###
|
||||||
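Review bot: `kernel.yama.ptrace_scope = 1` only exists on kernels built with the Yama LSM; where the key is absent, `sysctl -p` / `sysctl --system` reports an error for it (and typically a non-zero exit), which may trip whatever applies this file, so the comment should state the dependency. Value 1 also changes observable behaviour: debuggers and `strace` can no longer attach to processes that are not their descendants unless the tracer holds CAP_SYS_PTRACE, which operators troubleshooting a live server should be told. Suggest expanding the comment to `# Restrict ptrace scope: only descendants may be traced (requires the Yama LSM; CAP_SYS_PTRACE bypasses)`.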
@@ -96,6 +103,9 @@ vm.min_free_kbytes = 65535
|
|||||||
### GENERAL NETWORK SECURITY OPTIONS ###
|
### GENERAL NETWORK SECURITY OPTIONS ###
|
||||||
###
|
###
|
||||||
|
|
||||||
|
# Harden BPF JIT compiler
|
||||||
|
net.core.bpf_jit_harden = 1
|
||||||
|
|
||||||
#Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
|
#Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
|
||||||
net.ipv4.tcp_syncookies = 1
|
net.ipv4.tcp_syncookies = 1
|
||||||
net.ipv4.tcp_syn_retries = 2
|
net.ipv4.tcp_syn_retries = 2
|
||||||
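Review bot: The comment `# Harden BPF JIT compiler` overstates what `net.core.bpf_jit_harden = 1` does: value 1 applies constant blinding only to BPF programs loaded by unprivileged users, value 2 also covers privileged (root-loaded) programs, and it has no effect unless `net.core.bpf_jit_enable` is on. The key is also only present on kernels that ship the hardening option (roughly 4.7 and later), so older hosts will see a sysctl error for it. Suggest `# Harden BPF JIT (constant blinding) for unprivileged BPF programs; set to 2 to cover privileged ones too`.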
@@ -206,7 +216,6 @@ net.core.optmem_max = 65535
|
|||||||
net.ipv4.tcp_max_tw_buckets = 1440000
|
net.ipv4.tcp_max_tw_buckets = 1440000
|
||||||
|
|
||||||
# try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT)
|
# try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT)
|
||||||
net.ipv4.tcp_tw_recycle = 0
|
|
||||||
net.ipv4.tcp_tw_reuse = 1
|
net.ipv4.tcp_tw_reuse = 1
|
||||||
|
|
||||||
# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
|
# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
|
||||||
|
|||||||