From 8627d65ac19e7de82db76a5db13a12f8652e0603 Mon Sep 17 00:00:00 2001
From: Tommy
Date: Fri, 16 Dec 2022 15:47:10 -0500
Subject: [PATCH] Add Fail2ban rules for wings
Signed-off-by: Tommy
---
 README.md | 7 +++----
 install.sh | 29 +++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 1289ddd..8be6c06 100644
--- a/README.md
+++ b/README.md
@@ -15,6 +15,7 @@ Visit my Matrix group: https://matrix.to/#/#tommy:arcticfoxes.net
 - Daemon installation
 - Daemon upgrade
 - Basic firewall configuration
+- Fail2ban for SSH and Wings
 - Automatic LetsEncrypt certificate generation
 - MariaDB SSL
 - HSTS enabled
@@ -26,9 +27,7 @@ Visit my Matrix group: https://matrix.to/#/#tommy:arcticfoxes.net
 Currently, PHP, Composer, and Redis are installed from Remi's modular repository. As such, they will only get minor version updates with `dnf upgrade` (PHP 8.1.0 -> PHP 8.1.x for example). For updates between major versions of these dependencies, use `dnf module` to change the appstream for these dependencies.
```bash
-dnf module reset php:remi-8.0
-dnf module install php:remi-8.1
-dnf distro-sync
+dnf module switch-to php:remi-8.1
 ```
 NGINX, MariaDB, and Docker-CE uses upstream repositories and will get the latest version available on there automatically.
@@ -41,4 +40,4 @@ Ideally, we would want everything to be reproducible from the OS to the Pterodac
 # Supported Distributions
 Only RHEL 9 and its derivatives (CentOS Stream 9, Rocky Linux 9 , AlmaLinux 9) are supported at the moment. Fedora may get supported in the future if there are interest in it.
-Ubuntu, Debian, and openSUSE are unlikely to get supported, due to them not supporting modular repositories which makes dependency updates cumbersome.
\ No newline at end of file
+Ubuntu, Debian, and openSUSE are unlikely to get supported, due to them not supporting modular repositories which makes dependency updates cumbersome.
diff --git a/install.sh b/install.sh
index ff0a870..967d993 100644
--- a/install.sh
+++ b/install.sh
@@ -449,6 +449,35 @@ WantedBy=multi-user.target
 EOF
 systemctl enable wings
+
+ output "Adding Fail2ban rules for Wings SFTP"
+ echo '[wings]
+enabled = true
+port = 2022
+logpath = /var/log/pterodactyl/wings.log
+maxretry = 5
+findtime = 3600
+bantime = -1
+backend = systemd' | tee -a /etc/fail2ban/jail.local
+
+ bash -c 'cat > /etc/fail2ban/conf.d/wings.conf' <<-'EOF'
+# Fail2Ban filter for wings (Pterodactyl daemon)
+#
+#
+#
+# "WARN: [Sep 8 18:51:00.414] failed to validate user credentials (invalid format) ip=:51782 subsystem=sftp username=logout"
+#
+[INCLUDES]
+before = common.conf
+[Definition]
+_daemon = wings
+failregex = failed to validate user credentials \([^\)]+\) ip=:.* subsystem=sftp username=.*$
+ignoreregex =
+[Init]
+datepattern = \[%%b %%d %%H:%%M:%%S.%%f\]
+EOF
+ systemctl restart fail2ban
+ output "Wings ${WINGS} has now been installed on your system."
 output "You should go to your panel and configure the node now."
 output "If you get `bash: wings: command not found` when running the auto deployment command, replace `wings` with `/usr/local/bin/wings` and it will work."
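Review bot: The filter is written to `/etc/fail2ban/conf.d/wings.conf`, but the `[wings]` jail sets no `filter =` and fail2ban by default looks up a jail's filter by name under `filter.d/`, so the jail most likely fails to load when `systemctl restart fail2ban` runs; write the file to `/etc/fail2ban/filter.d/wings.conf` and check the restart's exit status. The jail also pairs `logpath = /var/log/pterodactyl/wings.log` with `backend = systemd`, and with the systemd backend the journal is read instead of `logpath`. Because the filter has no `journalmatch`, the regex is then applied to journal entries from every unit, so a matching line logged by any other process can trigger a permanent ban (`bantime = -1`). Either drop `backend = systemd` so the log file is read, or keep it and add `journalmatch = _SYSTEMD_UNIT=wings.service` under the filter's `[Init]`. Separately, `tee -a /etc/fail2ban/jail.local` appends another `[wings]` section on every re-run of the installer; writing a drop-in under `/etc/fail2ban/jail.d/` with `>` would make the step idempotent.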