performance - rsyslog and fail2ban removing
parent
5bcbb38638
commit
eb2d0d330d
|
@ -6,6 +6,11 @@ RUN chmod +x /tmp/compile.sh && \
|
|||
/tmp/compile.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY dependencies.sh /tmp/dependencies.sh
|
||||
RUN chmod +x /tmp/dependencies.sh && \
|
||||
/tmp/dependencies.sh && \
|
||||
rm -rf /tmp/dependencies.sh
|
||||
|
||||
COPY entrypoint/ /opt/entrypoint
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
|
@ -14,7 +19,9 @@ COPY logs/ /opt/logs
|
|||
COPY lua/ /opt/lua
|
||||
|
||||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && \
|
||||
/tmp/prepare.sh && \
|
||||
rm -f /tmp/prepare.sh
|
||||
|
||||
# fix CVE-2021-20205
|
||||
RUN apk add "libjpeg-turbo>=2.1.0-r0"
|
||||
|
|
|
@ -6,6 +6,11 @@ RUN chmod +x /tmp/compile.sh && \
|
|||
/tmp/compile.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY dependencies.sh /tmp/dependencies.sh
|
||||
RUN chmod +x /tmp/dependencies.sh && \
|
||||
/tmp/dependencies.sh && \
|
||||
rm -rf /tmp/dependencies.sh
|
||||
|
||||
COPY entrypoint/ /opt/entrypoint
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
|
@ -14,7 +19,9 @@ COPY logs/ /opt/logs
|
|||
COPY lua/ /opt/lua
|
||||
|
||||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && \
|
||||
/tmp/prepare.sh && \
|
||||
rm -f /tmp/prepare.sh
|
||||
|
||||
# fix CVE-2021-20205
|
||||
RUN apk add "libjpeg-turbo>=2.1.0-r0"
|
||||
|
|
|
@ -13,6 +13,11 @@ RUN chmod +x /tmp/compile.sh && \
|
|||
/tmp/compile.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY dependencies.sh /tmp/dependencies.sh
|
||||
RUN chmod +x /tmp/dependencies.sh && \
|
||||
/tmp/dependencies.sh && \
|
||||
rm -rf /tmp/dependencies.sh
|
||||
|
||||
COPY entrypoint/ /opt/entrypoint
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
|
@ -21,7 +26,9 @@ COPY logs/ /opt/logs
|
|||
COPY lua/ /opt/lua
|
||||
|
||||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && \
|
||||
/tmp/prepare.sh && \
|
||||
rm -f /tmp/prepare.sh
|
||||
|
||||
# fix CVE-2021-20205
|
||||
RUN apk add "libjpeg-turbo>=2.1.0-r0"
|
||||
|
|
|
@ -13,6 +13,11 @@ RUN chmod +x /tmp/compile.sh && \
|
|||
/tmp/compile.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY dependencies.sh /tmp/dependencies.sh
|
||||
RUN chmod +x /tmp/dependencies.sh && \
|
||||
/tmp/dependencies.sh && \
|
||||
rm -rf /tmp/dependencies.sh
|
||||
|
||||
COPY entrypoint/ /opt/entrypoint
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
|
@ -21,7 +26,9 @@ COPY logs/ /opt/logs
|
|||
COPY lua/ /opt/lua
|
||||
|
||||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && \
|
||||
/tmp/prepare.sh && \
|
||||
rm -f /tmp/prepare.sh
|
||||
|
||||
# fix CVE-2021-20205
|
||||
RUN apk add "libjpeg-turbo>=2.1.0-r0"
|
||||
|
|
|
@ -6,6 +6,11 @@ RUN chmod +x /tmp/compile.sh && \
|
|||
/tmp/compile.sh && \
|
||||
rm -rf /tmp/*
|
||||
|
||||
COPY dependencies.sh /tmp/dependencies.sh
|
||||
RUN chmod +x /tmp/dependencies.sh && \
|
||||
/tmp/dependencies.sh && \
|
||||
rm -rf /tmp/dependencies.sh
|
||||
|
||||
COPY entrypoint/ /opt/entrypoint
|
||||
COPY confs/ /opt/confs
|
||||
COPY scripts/ /opt/scripts
|
||||
|
@ -14,7 +19,9 @@ COPY logs/ /opt/logs
|
|||
COPY lua/ /opt/lua
|
||||
|
||||
COPY prepare.sh /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
|
||||
RUN chmod +x /tmp/prepare.sh && \
|
||||
/tmp/prepare.sh && \
|
||||
rm -f /tmp/prepare.sh
|
||||
|
||||
# fix CVE-2021-20205
|
||||
RUN apk add "libjpeg-turbo>=2.1.0-r0"
|
||||
|
|
|
@ -10,8 +10,8 @@ load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
|
|||
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
|
||||
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
|
||||
|
||||
# run as daemon
|
||||
daemon on;
|
||||
# run in foreground
|
||||
daemon off;
|
||||
|
||||
# PID file
|
||||
pid /tmp/nginx.pid;
|
||||
|
@ -52,8 +52,8 @@ http {
|
|||
|
||||
# write logs to local syslog
|
||||
log_format logf '%LOG_FORMAT%';
|
||||
access_log syslog:server=unix:/tmp/log,nohostname,facility=local0,severity=notice logf;
|
||||
error_log syslog:server=unix:/tmp/log,nohostname,facility=local0 info;
|
||||
access_log /var/log/access.log logf;
|
||||
error_log /var/log/error.log info;
|
||||
|
||||
# temp paths
|
||||
proxy_temp_path /tmp/proxy_temp;
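Review bot: The heading comment `# write logs to local syslog` that stays above the new `access_log /var/log/access.log logf;` and `error_log /var/log/error.log info;` lines is now wrong, because the syslog targets are exactly what this hunk removes. Suggest `# write logs to plain files (prepare.sh links them to the container's stdout/stderr)`, which is what this commit's prepare.sh change appears to do with its `/proc/1/fd/1` and `/proc/1/fd/2` symlinks. The `# run as daemon` heading in the first hunk was updated together with `daemon off;`, so the two headings would then be consistent.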
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
#!/bin/sh
|
||||
|
||||
# install dependencies
|
||||
apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl clamav apache2-utils openssl lua libgd go jq mariadb-connector-c bash brotli
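Review bot: The `apk --no-cache add` line installs every package unpinned, so two builds of the same Dockerfile can end up with different versions of openssl, certbot, clamav and the rest, and the build recipe alone no longer says which versions an image carries. The Dockerfiles in this commit already use the `"libjpeg-turbo>=2.1.0-r0"` constraint form for one package, and the same `pkg>=version` (or `pkg=version`) syntax would work here for at least the security-sensitive packages. No `set -e` is needed for this one-command script, since the Dockerfiles call it inside a `RUN chmod +x /tmp/dependencies.sh && /tmp/dependencies.sh && ...` chain and apk's exit status already fails the build.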
|
|
@ -92,7 +92,7 @@ $ docker run -p 80:8080 \
|
|||
|
||||
## Bad behaviors detection
|
||||
|
||||
TODO
|
||||
When attackers search for and/or exploit vulnerabilities they might generate some suspicious HTTP status codes that a "regular" user won't generate within a period of time. If we detect that kind of behavior we can ban the offending IP address and force the attacker to come with a new one.
|
||||
|
||||
## Antibot challenge
|
||||
|
||||
|
|
|
@ -91,9 +91,6 @@ AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
|
|||
USE_CUSTOM_HTTPS="${USE_CUSTOM_HTTPS-no}"
|
||||
ROOT_FOLDER="${ROOT_FOLDER-/www}"
|
||||
ROOT_SITE_SUBFOLDER="${ROOT_SITE_SUBFOLDER-}"
|
||||
LOGROTATE_MINSIZE="${LOGROTATE_MINSIZE-10M}"
|
||||
LOGROTATE_MAXAGE="${LOGROTATE_MAXAGE-7}"
|
||||
LOGROTATE_CRON="${LOGROTATE_CRON-0 0 * * *}"
|
||||
DNS_RESOLVERS="${DNS_RESOLVERS-127.0.0.11}"
|
||||
USE_WHITELIST_IP="${USE_WHITELIST_IP-yes}"
|
||||
WHITELIST_IP_LIST="${WHITELIST_IP_LIST-127.0.0.1 23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8}"
|
||||
|
|
|
@ -5,25 +5,13 @@
|
|||
|
||||
echo "[*] Starting bunkerized-nginx ..."
|
||||
|
||||
# execute custom scripts if it's a customized image
|
||||
for file in /entrypoint.d/* ; do
|
||||
[ -f "$file" ] && [ -x "$file" ] && "$file"
|
||||
done
|
||||
|
||||
# trap SIGTERM and SIGINT
|
||||
function trap_exit() {
|
||||
echo "[*] Catched stop operation"
|
||||
echo "[*] Stopping crond ..."
|
||||
pkill -TERM crond
|
||||
if [ "$USE_FAIL2BAN" = "yes" ] ; then
|
||||
echo "[*] Stopping fail2ban"
|
||||
fail2ban-client stop > /dev/null
|
||||
fi
|
||||
echo "[*] Stopping nginx ..."
|
||||
/usr/sbin/nginx -s stop
|
||||
echo "[*] Stopping rsyslogd ..."
|
||||
pkill -TERM rsyslogd
|
||||
pkill -TERM tail
|
||||
}
|
||||
trap "trap_exit" TERM INT QUIT
|
||||
|
||||
|
@ -62,16 +50,10 @@ if [ ! -f "/opt/installed" ] ; then
|
|||
exit 1
|
||||
fi
|
||||
|
||||
# logs config
|
||||
/opt/entrypoint/logs.sh
|
||||
|
||||
# lua config
|
||||
# TODO : move variables from /usr/local/lib/lua + multisite support ?
|
||||
/opt/entrypoint/lua.sh
|
||||
|
||||
# fail2ban config
|
||||
/opt/entrypoint/fail2ban.sh
|
||||
|
||||
# clamav config
|
||||
/opt/entrypoint/clamav.sh
|
||||
|
||||
|
@ -103,9 +85,6 @@ else
|
|||
echo "[*] Skipping configuration process"
|
||||
fi
|
||||
|
||||
# start rsyslogd
|
||||
rsyslogd -i /tmp/rsyslogd.pid
|
||||
|
||||
# start crond
|
||||
crond
|
||||
|
||||
|
@ -124,22 +103,13 @@ fi
|
|||
|
||||
# run nginx
|
||||
echo "[*] Running nginx ..."
|
||||
nginx
|
||||
if [ "$?" -eq 0 ] ; then
|
||||
echo "[*] nginx successfully started !"
|
||||
else
|
||||
echo "[!] nginx failed to start"
|
||||
fi
|
||||
|
||||
# list of log files to display
|
||||
LOGS="/var/log/access.log /var/log/error.log /var/log/jobs.log /var/log/nginx/error.log /var/log/nginx/modsec_audit.log"
|
||||
|
||||
# start fail2ban
|
||||
if [ "$USE_FAIL2BAN" = "yes" ] ; then
|
||||
echo "[*] Running fail2ban ..."
|
||||
fail2ban-server > /dev/null
|
||||
LOGS="$LOGS /var/log/fail2ban.log"
|
||||
fi
|
||||
nginx &
|
||||
pid="$!"
|
||||
#if [ "$?" -eq 0 ] ; then
|
||||
# echo "[*] nginx successfully started !"
|
||||
#else
|
||||
# echo "[!] nginx failed to start"
|
||||
#fi
|
||||
|
||||
# autotest
|
||||
if [ "$1" == "test" ] ; then
|
||||
|
@ -152,9 +122,8 @@ if [ "$1" == "test" ] ; then
|
|||
exit 1
|
||||
fi
|
||||
|
||||
# display logs
|
||||
tail -F $LOGS &
|
||||
pid="$!"
|
||||
# wait for nginx
|
||||
wait "$pid"
|
||||
while [ -f "/tmp/nginx.pid" ] ; do
|
||||
wait "$pid"
|
||||
done
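Review bot: The new `nginx &` / `pid="$!"` launch loses the start-up failure check: the `$?` test that followed the old synchronous `nginx` survives only as commented-out lines, and `$?` right after `&` is always 0 anyway, so if nginx exits on a configuration error the script reaches `while [ -f "/tmp/nginx.pid" ] ; do` with no pid file, skips the loop and ends with status 0 and no message. The same loop looks racy on the success path: it may be evaluated right after the fork, before the master has written `/tmp/nginx.pid`, in which case the entrypoint finishes and the container stops. Suggest an unconditional `wait "$pid"` before the loop (it returns early only when a trapped signal interrupts it, which is what the loop is there for), and replacing the commented-out block with a check before launch, e.g. `nginx -t > /dev/null 2>&1 || { echo "[!] nginx configuration test failed" ; exit 1 ; }`. The autotest block between the two hunks is outside what the page shows.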
|
||||
|
|
|
@ -1,19 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# load default values
|
||||
. /opt/entrypoint/defaults.sh
|
||||
|
||||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
||||
# fail2ban setup
|
||||
if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then
|
||||
cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local
|
||||
cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local
|
||||
cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local
|
||||
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME"
|
||||
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME"
|
||||
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY"
|
||||
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_IGNOREIP%" "$FAIL2BAN_IGNOREIP"
|
||||
replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES"
|
||||
fi
|
|
@ -1,28 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# load default values
|
||||
. /opt/entrypoint/defaults.sh
|
||||
|
||||
# load some functions
|
||||
. /opt/entrypoint/utils.sh
|
||||
|
||||
# copy stub confs
|
||||
cat /opt/logs/rsyslog.conf > /etc/rsyslog.conf
|
||||
cat /opt/logs/logrotate.conf > /etc/logrotate.conf
|
||||
|
||||
# create empty logs
|
||||
touch /var/log/access.log
|
||||
touch /var/log/error.log
|
||||
touch /var/log/jobs.log
|
||||
|
||||
# setup logrotate
|
||||
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
|
||||
replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
|
||||
echo "$LOGROTATE_CRON /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/nginx
|
||||
|
||||
# setup rsyslog
|
||||
if [ "$REMOTE_SYSLOG" != "" ] ; then
|
||||
replace_in_file "/etc/rsyslog.conf" "%REMOTE_SYSLOG%" "local0.* @${REMOTE_SYSLOG};rawFormat"
|
||||
else
|
||||
replace_in_file "/etc/rsyslog.conf" "%REMOTE_SYSLOG%" ""
|
||||
fi
|
45
prepare.sh
45
prepare.sh
|
@ -1,11 +1,5 @@
|
|||
#!/bin/sh
|
||||
|
||||
# install dependencies
|
||||
apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli
|
||||
|
||||
# temp fix ?
|
||||
chmod 644 /usr/lib/python3.8/site-packages/fail2ban-*/*
|
||||
|
||||
# custom entrypoint
|
||||
mkdir /opt/entrypoint.d
|
||||
|
||||
|
@ -28,19 +22,21 @@ chmod -R 770 /etc/nginx
|
|||
# prepare /var/log
|
||||
rm -f /var/log/nginx/*
|
||||
chown root:nginx /var/log/nginx
|
||||
touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log /var/log/jobs.log
|
||||
chown nginx:nginx /var/log/nginx/*
|
||||
chmod -R 770 /var/log/nginx
|
||||
touch /var/log/access.log /var/log/error.log /var/log/jobs.log /var/log/fail2ban.log
|
||||
chown nginx:nginx /var/log/*.log
|
||||
chmod 770 /var/log/*.log
|
||||
ln -s /proc/1/fd/2 /var/log/nginx/error.log
|
||||
ln -s /proc/1/fd/2 /var/log/nginx/modsec_audit.log
|
||||
ln -s /proc/1/fd/1 /var/log/access.log
|
||||
ln -s /proc/1/fd/2 /var/log/error.log
|
||||
ln -s /proc/1/fd/1 /var/log/jobs.log
|
||||
ln -s /proc/1/fd/1 /var/log/fail2ban.log
|
||||
ln -s /proc/1/fd/1 /var/log/clamav.log
|
||||
mkdir /var/log/letsencrypt
|
||||
chown nginx:nginx /var/log/letsencrypt
|
||||
chmod 770 /var/log/letsencrypt
|
||||
touch /var/log/clamav.log
|
||||
chown root:nginx /var/log/clamav.log
|
||||
chmod 770 /var/log/clamav.log
|
||||
find /var/log -type f -exec chmod 0774 {} \;
|
||||
rm -rf /var/log/clamav/*
|
||||
chown root:nginx /var/log/clamav
|
||||
chmod 770 /var/log/clamav
|
||||
ln -s /proc/1/fd/1 /var/log/freshclam.log
|
||||
|
||||
# prepare /acme-challenge
|
||||
mkdir /acme-challenge
|
||||
|
@ -57,16 +53,6 @@ mkdir /var/lib/letsencrypt
|
|||
chown root:nginx /var/lib/letsencrypt
|
||||
chmod 770 /var/lib/letsencrypt
|
||||
|
||||
# prepare /etc/fail2ban
|
||||
rm -rf /etc/fail2ban/jail.d/*.conf
|
||||
chown -R root:nginx /etc/fail2ban
|
||||
find /etc/fail2ban -type f -exec chmod 0760 {} \;
|
||||
find /etc/fail2ban -type d -exec chmod 0770 {} \;
|
||||
|
||||
# prepare /var/run/fail2ban and /var/lib/fail2ban
|
||||
chown -R root:nginx /var/run/fail2ban /var/lib/fail2ban
|
||||
chmod -R 770 /var/run/fail2ban /var/lib/fail2ban
|
||||
|
||||
# prepare /usr/local/lib/lua
|
||||
chown -R root:nginx /usr/local/lib/lua
|
||||
chmod 770 /usr/local/lib/lua
|
||||
|
@ -79,20 +65,11 @@ mkdir /cache
|
|||
chown root:nginx /cache
|
||||
chmod 770 /cache
|
||||
|
||||
# prepare misc files
|
||||
chown root:nginx /etc/rsyslog.conf /etc/logrotate.conf
|
||||
chmod 660 /etc/rsyslog.conf /etc/logrotate.conf
|
||||
chown root:nginx /etc/rsyslog.conf
|
||||
|
||||
# prepare /etc/crontabs/nginx
|
||||
touch /etc/crontabs/nginx
|
||||
chown root:nginx /etc/crontabs/nginx
|
||||
chmod 660 /etc/crontabs/nginx
|
||||
|
||||
# prepare /var/log/clamav
|
||||
chown root:nginx /var/log/clamav
|
||||
chmod 770 /var/log/clamav
|
||||
|
||||
# prepare /var/lib/clamav
|
||||
chown root:nginx /var/lib/clamav
|
||||
chmod 770 /var/lib/clamav
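Review bot: In the `/var/log` hunk the new `find /var/log -type f -exec chmod 0774 {} \;` gives every regular file under /var/log a world-readable bit, whereas the `chmod 770` and `chmod -R 770` lines it appears to replace kept other users out; inside the container that exposes the access and audit logs (client addresses, request paths) to any uid, so if the wider mode is deliberate a comment saying why is needed, otherwise `0770` matches the rest of the script. The same hunk still creates `ln -s /proc/1/fd/1 /var/log/fail2ban.log` although this commit removes fail2ban, which looks like a leftover. Which lines of that hunk are added versus kept is inferred from the hunk counts, so both points should be checked against the real diff.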
|
||||
|
|