Add fail2ban conf

config/bash_completion.d/wo_auto.rc

@@ -74,7 +74,7 @@ _wo_complete()
             # HANDLE EVERYTHING AFTER THE THIRD LEVEL NAMESPACE
             "install" | "purge" | "remove" )
                 COMPREPLY=( $(compgen \
-                              -W "--web --admin --nginx --php --php73 --mysql --wpcli --phpmyadmin --adminer --utils --all --redis --phpredisadmin --composer --netdata --fail2ban" \
+                              -W "--web --admin --nginx --php --php73 --mysql --wpcli --phpmyadmin --adminer --utils --all --redis --phpredisadmin --composer --netdata --fail2ban --dashboard" \
                               -- $cur) )
                 ;;
             "upgrade" )

docs/wo.8

@@ -5,7 +5,7 @@
 .SH SYNOPSIS
 wo [ --version | --help | info | stack | site | debug | update | clean | import_slow_log | log | secure | sync | maintenance]
 .TP
-wo stack [ install | remove | purge | migrate | upgrade] [ --web | --all | --nginx | --php | --php73 | --mysql | --admin | --adminer | --redis | --phpmyadmin | --phpredisadmin | --wpcli | --utils ]
+wo stack [ install | remove | purge | migrate | upgrade] [ --web | --all | --nginx | --php | --php73 | --mysql | --admin | --adminer | --redis | --phpmyadmin | --phpredisadmin | --wpcli | --utils | --dashboard | --netdata ]
 .TP
 wo stack [ status | start | stop | reload | restart ] [--all | --nginx | --php | --php73 |--mysql | --web | --memcached | --redis]
 .TP

install

@@ -7,7 +7,7 @@
 # Copyright (c) 2019 - WordOps
 # This script is licensed under M.I.T
 # -------------------------------------------------------------------------
-# Version 3.9.5 - 2019-04-25
+# Version 3.9.5 - 2019-04-26
 # -------------------------------------------------------------------------
 readonly wo_version_old="2.2.3"
 readonly wo_version_new="3.9.5"
@@ -216,9 +216,6 @@ wo_sync_db() {
             # Copy the EasyEngine database
             cp /var/lib/ee/ee.db /var/lib/wo/dbase-ee.db
 
-            # Set the migration variable for the closing text
-            migration=1
-
             ###
             # Clean WO installation
             ###
@@ -327,9 +324,9 @@ wo_sync_db() {
 secure_wo_db() {
 
     # The owner is root
-    chown -R root:root /var/lib/wo/
+    chown -R root:root /var/lib/wo
     # Only allow access by root, block others
-    chmod -R 600 /var/lib/wo/
+    chmod -R 600 /var/lib/wo
 
 }
 
@@ -635,6 +632,12 @@ wo_clean_ee() {
     rm -f /usr/local/bin/ee /etc/bash_completion.d/ee_auto.rc /usr/lib/ee/templates /usr/local/lib/python3.6/dist-packages/ee-*.egg /etc/ee /var/lib/ee >> /var/log/wo/install.log 2>&1
 }
 
+# wo_tweak_kernel() {
+#     if [ ! -f /etc/sysctl.d/60-ubuntu-nginx-web-server.conf ]; then
+
+#     fi
+# }
+
 ###
 # 4 - WO MAIN SETUP
 ###

wo/cli/plugins/update.py

@@ -1,9 +1,10 @@
-from cement.core.controller import CementBaseController, expose
+import os
+import time
+
 from cement.core import handler, hook
+from cement.core.controller import CementBaseController, expose
 from wo.core.download import WODownload
 from wo.core.logging import Log
-import time
-import os
 
 
 def wo_update_hook(app):

wo/cli/templates/fail2ban-forbidden.mustache

@@ -0,0 +1,4 @@
+[Definition]
+failregex = ^ \[error\] \d+#\d+: .* forbidden .*, client: <HOST>, .*$
+
+ignoreregex =

wo/cli/templates/fail2ban.mustache

@@ -21,4 +21,4 @@ port = http,https
 logpath = /var/log/nginx/*error*.log
 findtime = 60
 bantime = 6000
-maxretry = 3
+maxretry = 5

wo/cli/templates/fastcgi.mustache

@@ -1,4 +1,4 @@
-# FastCGI cache settings - WO v3.9.5.1
+# FastCGI cache settings - WO v3.9.5
 fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:50m inactive=60m max_size=256M;
 fastcgi_cache_key "$scheme$request_method$host$request_uri";
 fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503;
@@ -17,3 +17,5 @@ fastcgi_buffer_size 32k;
 fastcgi_param SERVER_NAME $http_host;
 fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
 fastcgi_keep_conn on;
+# only available with Nginx 1.15.6 and earlier
+fastcgi_socket_keepalive on;

wo/cli/templates/sysctl.mustache

@@ -0,0 +1,266 @@
+# Kernel sysctl configuration file for Linux
+#
+# Version 1.16 - 2019-10-25
+# Michiel Klaver - IT Professional
+# Modified by VirtuBox
+#
+#  Instructions available on https://github.com/VirtuBox/ubuntu-nginx-web-server
+#
+# Sources :
+# https://klaver.it/linux/sysctl.conf
+# https://easyengine.io/tutorials/linux/sysctl-conf/
+#
+#
+# Credits:
+#
+# http://www.enigma.id.au/linux_tuning.txt
+# http://www.securityfocus.com/infocus/1729
+# http://fasterdata.es.net/TCP-tuning/linux.html
+# http://fedorahosted.org/ktune/browser/sysctl.ktune
+# http://www.cymru.com/Documents/ip-stack-tuning.html
+# http://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
+# http://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/index.html
+# http://knol.google.com/k/linux-performance-tuning-and-measurement
+# http://www.cyberciti.biz/faq/linux-kernel-tuning-virtual-memory-subsystem/
+# http://www.redbooks.ibm.com/abstracts/REDP4285.html
+# http://www.speedguide.net/read_articles.php?id=121
+# http://lartc.org/howto/lartc.kernel.obscure.html
+# http://en.wikipedia.org/wiki/Sysctl
+#
+# Usage
+# wget -O /etc/sysctl.d/60-ubuntu-nginx-web-server.conf https://virtubox.github.io/ubuntu-nginx-web-server/files/etc/sysctl.d/60-ubuntu-nginx-web-server.conf
+#
+# sysctl -e -p /etc/sysctl.d/60-ubuntu-nginx-web-server.conf
+# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and sysctl.conf(5) for more details.
+#
+
+###
+### GENERAL SYSTEM SECURITY OPTIONS ###
+###
+
+# Controls the System Request debugging functionality of the kernel
+kernel.sysrq = 0
+
+# Controls whether core dumps will append the PID to the core filename.
+# Useful for debugging multi-threaded applications.
+kernel.core_uses_pid = 1
+
+#Allow for more PIDs
+kernel.pid_max = 65535
+
+# The contents of /proc/<pid>/maps and smaps files are only visible to
+# readers that are allowed to ptrace() the process
+kernel.maps_protect = 1
+
+#Enable ExecShield protection
+kernel.exec-shield = 1
+kernel.randomize_va_space = 2
+
+# Controls the maximum size of a message, in bytes
+kernel.msgmnb = 65535
+
+# Controls the default maxmimum size of a mesage queue
+kernel.msgmax = 65535
+
+# Restrict core dumps
+fs.suid_dumpable = 0
+
+# Hide exposed kernel pointers
+kernel.kptr_restrict = 1
+
+###
+### IMPROVE SYSTEM MEMORY MANAGEMENT ###
+###
+
+# Increase size of file handles and inode cache
+fs.file-max = 209708
+
+# Do less swapping
+vm.swappiness = 10
+vm.dirty_ratio = 30
+vm.dirty_background_ratio = 5
+
+# specifies the minimum virtual address that a process is allowed to mmap
+vm.mmap_min_addr = 4096
+
+# 50% overcommitment of available memory
+vm.overcommit_ratio = 50
+
+# allow memory overcommit required for redis
+vm.overcommit_memory = 1
+
+# Set maximum amount of memory allocated to shm to 256MB
+kernel.shmmax = 268435456
+kernel.shmall = 268435456
+
+# Keep at least 64MB of free RAM space available
+vm.min_free_kbytes = 65535
+
+###
+### GENERAL NETWORK SECURITY OPTIONS ###
+###
+
+#Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_syn_retries = 2
+net.ipv4.tcp_synack_retries = 2
+net.ipv4.tcp_max_syn_backlog = 4096
+
+# Disables IP source routing
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv6.conf.all.accept_source_route = 0
+net.ipv6.conf.default.accept_source_route = 0
+
+# Enable IP spoofing protection, turn on source route verification
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# Disable ICMP Redirect Acceptance
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+
+# Decrease the time default value for tcp_fin_timeout connection
+net.ipv4.tcp_fin_timeout = 7
+
+# Decrease the time default value for connections to keep alive
+net.ipv4.tcp_keepalive_time = 300
+net.ipv4.tcp_keepalive_probes = 5
+net.ipv4.tcp_keepalive_intvl = 15
+
+# Don't relay bootp
+net.ipv4.conf.all.bootp_relay = 0
+
+# Don't proxy arp for anyone
+net.ipv4.conf.all.proxy_arp = 0
+
+# Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better
+net.ipv4.tcp_timestamps = 1
+
+# Don't ignore directed pings
+net.ipv4.icmp_echo_ignore_all = 0
+
+# Enable ignoring broadcasts request
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# Enable bad error message Protection
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Allowed local port range
+net.ipv4.ip_local_port_range = 16384 65535
+
+# Enable a fix for RFC1337 - time-wait assassination hazards in TCP
+net.ipv4.tcp_rfc1337 = 1
+
+# Do not auto-configure IPv6
+net.ipv6.conf.all.autoconf=0
+net.ipv6.conf.all.accept_ra=0
+net.ipv6.conf.default.autoconf=0
+net.ipv6.conf.default.accept_ra=0
+net.ipv6.conf.all.accept_ra_defrtr = 0
+net.ipv6.conf.default.accept_ra_defrtr = 0
+net.ipv6.conf.all.accept_ra_pinfo = 0
+net.ipv6.conf.default.accept_ra_pinfo = 0
+
+###
+### TUNING NETWORK PERFORMANCE ###
+###
+
+# For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
+net.core.default_qdisc = fq
+
+# Turn on the tcp_window_scaling
+net.ipv4.tcp_window_scaling = 1
+
+# Increase the read-buffer space allocatable
+net.ipv4.tcp_rmem = 8192 87380 16777216
+net.ipv4.udp_rmem_min = 16384
+net.core.rmem_default = 262144
+net.core.rmem_max = 16777216
+
+# Increase the write-buffer-space allocatable
+net.ipv4.tcp_wmem = 8192 65536 16777216
+net.ipv4.udp_wmem_min = 16384
+net.core.wmem_default = 262144
+net.core.wmem_max = 16777216
+
+# Increase number of incoming connections
+net.core.somaxconn = 32768
+
+# Increase number of incoming connections backlog
+net.core.netdev_max_backlog = 16384
+net.core.dev_weight = 64
+
+# Increase the maximum amount of option memory buffers
+net.core.optmem_max = 65535
+
+# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
+net.ipv4.tcp_max_tw_buckets = 1440000
+
+# try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT)
+net.ipv4.tcp_tw_recycle = 0
+net.ipv4.tcp_tw_reuse = 1
+
+# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
+net.ipv4.tcp_max_orphans = 16384
+net.ipv4.tcp_orphan_retries = 0
+
+# Limit the maximum memory used to reassemble IP fragments (CVE-2018-5391)
+net.ipv4.ipfrag_low_thresh = 196608
+net.ipv6.ip6frag_low_thresh = 196608
+net.ipv4.ipfrag_high_thresh = 262144
+net.ipv6.ip6frag_high_thresh = 262144
+
+
+# don't cache ssthresh from previous connection
+net.ipv4.tcp_no_metrics_save = 1
+net.ipv4.tcp_moderate_rcvbuf = 1
+
+# Increase size of RPC datagram queue length
+net.unix.max_dgram_qlen = 50
+
+# Don't allow the arp table to become bigger than this
+net.ipv4.neigh.default.gc_thresh3 = 2048
+
+# Tell the gc when to become aggressive with arp table cleaning.
+# Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
+net.ipv4.neigh.default.gc_thresh2 = 1024
+
+# Adjust where the gc will leave arp table alone - set to 32.
+net.ipv4.neigh.default.gc_thresh1 = 32
+
+# Adjust to arp table gc to clean-up more often
+net.ipv4.neigh.default.gc_interval = 30
+
+# Increase TCP queue length
+net.ipv4.neigh.default.proxy_qlen = 96
+net.ipv4.neigh.default.unres_qlen = 6
+
+# Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you
+net.ipv4.tcp_ecn = 1
+net.ipv4.tcp_reordering = 3
+
+# How many times to retry killing an alive TCP connection
+net.ipv4.tcp_retries2 = 15
+net.ipv4.tcp_retries1 = 3
+
+# Avoid falling back to slow start after a connection goes idle
+# keeps our cwnd large with the keep alive connections (kernel > 3.6)
+net.ipv4.tcp_slow_start_after_idle = 0
+
+# Allow the TCP fastopen flag to be used, beware some firewalls do not like TFO! (kernel > 3.7)
+net.ipv4.tcp_fastopen = 3
+
+# This will enusre that immediatly subsequent connections use the new values
+net.ipv4.route.flush = 1
+net.ipv6.route.flush = 1