performance - rsyslog and fail2ban removing

2021-05-13 11:14:39 +02:00 · 2021-05-13 11:14:39 +02:00 · eb2d0d330d
parent 5bcbb38638
commit eb2d0d330d
13 changed files with 69 additions and 134 deletions
--- a/9
+++ b/9
@ -6,6 +6,11 @@ RUN chmod +x /tmp/compile.sh && \
    /tmp/compile.sh && \
    rm -rf /tmp/*

+COPY dependencies.sh /tmp/dependencies.sh
+RUN chmod +x /tmp/dependencies.sh && \
+    /tmp/dependencies.sh && \
+    rm -rf /tmp/dependencies.sh
+
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
@ -14,7 +19,9 @@ COPY logs/ /opt/logs
 COPY lua/ /opt/lua

 COPY prepare.sh /tmp/prepare.sh
-RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
+RUN chmod +x /tmp/prepare.sh && \
+    /tmp/prepare.sh && \
+    rm -f /tmp/prepare.sh

 # fix CVE-2021-20205
 RUN apk add "libjpeg-turbo>=2.1.0-r0"
--- a/9
+++ b/9
@ -6,6 +6,11 @@ RUN chmod +x /tmp/compile.sh && \
    /tmp/compile.sh && \
    rm -rf /tmp/*

+COPY dependencies.sh /tmp/dependencies.sh
+RUN chmod +x /tmp/dependencies.sh && \
+    /tmp/dependencies.sh && \
+    rm -rf /tmp/dependencies.sh
+
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
@ -14,7 +19,9 @@ COPY logs/ /opt/logs
 COPY lua/ /opt/lua

 COPY prepare.sh /tmp/prepare.sh
-RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
+RUN chmod +x /tmp/prepare.sh && \
+    /tmp/prepare.sh && \
+    rm -f /tmp/prepare.sh

 # fix CVE-2021-20205
 RUN apk add "libjpeg-turbo>=2.1.0-r0"
--- a/9
+++ b/9
@ -13,6 +13,11 @@ RUN chmod +x /tmp/compile.sh && \
    /tmp/compile.sh && \
    rm -rf /tmp/*

+COPY dependencies.sh /tmp/dependencies.sh
+RUN chmod +x /tmp/dependencies.sh && \
+    /tmp/dependencies.sh && \
+    rm -rf /tmp/dependencies.sh
+
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
@ -21,7 +26,9 @@ COPY logs/ /opt/logs
 COPY lua/ /opt/lua

 COPY prepare.sh /tmp/prepare.sh
-RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
+RUN chmod +x /tmp/prepare.sh && \
+    /tmp/prepare.sh && \
+    rm -f /tmp/prepare.sh

 # fix CVE-2021-20205
 RUN apk add "libjpeg-turbo>=2.1.0-r0"
--- a/9
+++ b/9
@ -13,6 +13,11 @@ RUN chmod +x /tmp/compile.sh && \
    /tmp/compile.sh && \
    rm -rf /tmp/*

+COPY dependencies.sh /tmp/dependencies.sh
+RUN chmod +x /tmp/dependencies.sh && \
+    /tmp/dependencies.sh && \
+    rm -rf /tmp/dependencies.sh
+
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
@ -21,7 +26,9 @@ COPY logs/ /opt/logs
 COPY lua/ /opt/lua

 COPY prepare.sh /tmp/prepare.sh
-RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
+RUN chmod +x /tmp/prepare.sh && \
+    /tmp/prepare.sh && \
+    rm -f /tmp/prepare.sh

 # fix CVE-2021-20205
 RUN apk add "libjpeg-turbo>=2.1.0-r0"
--- a/9
+++ b/9
@ -6,6 +6,11 @@ RUN chmod +x /tmp/compile.sh && \
    /tmp/compile.sh && \
    rm -rf /tmp/*

+COPY dependencies.sh /tmp/dependencies.sh
+RUN chmod +x /tmp/dependencies.sh && \
+    /tmp/dependencies.sh && \
+    rm -rf /tmp/dependencies.sh
+
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
@ -14,7 +19,9 @@ COPY logs/ /opt/logs
 COPY lua/ /opt/lua

 COPY prepare.sh /tmp/prepare.sh
-RUN chmod +x /tmp/prepare.sh && /tmp/prepare.sh && rm -f /tmp/prepare.sh
+RUN chmod +x /tmp/prepare.sh && \
+    /tmp/prepare.sh && \
+    rm -f /tmp/prepare.sh

 # fix CVE-2021-20205
 RUN apk add "libjpeg-turbo>=2.1.0-r0"
--- a/confs/global/nginx.conf
+++ b/confs/global/nginx.conf
@ -10,8 +10,8 @@ load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
 load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;

-# run as daemon
-daemon on;
+# run in foreground
+daemon off;

 # PID file
 pid /tmp/nginx.pid;
@ -52,8 +52,8 @@ http {

 	# write logs to local syslog
 	log_format logf '%LOG_FORMAT%';
-	access_log syslog:server=unix:/tmp/log,nohostname,facility=local0,severity=notice logf;
-	error_log syslog:server=unix:/tmp/log,nohostname,facility=local0 info;
+	access_log /var/log/access.log logf;
+	error_log /var/log/error.log info;

 	# temp paths
 	proxy_temp_path /tmp/proxy_temp;
--- a/dependencies.sh
+++ b/dependencies.sh
@ -0,0 +1,4 @@
+#!/bin/sh
+
+# install dependencies
+apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl clamav apache2-utils openssl lua libgd go jq mariadb-connector-c bash brotli
--- a/docs/security_tuning.md
+++ b/docs/security_tuning.md
@ -92,7 +92,7 @@ $ docker run -p 80:8080 \

 ## Bad behaviors detection

-TODO
+When attackers search for and/or exploit vulnerabilities they might generate some suspicious HTTP status codes that a "regular" user won't generate within a period of time. If we detect that kind of behavior we can ban the offending IP address and force the attacker to come with a new one.

 ## Antibot challenge

--- a/entrypoint/defaults.sh
+++ b/entrypoint/defaults.sh
@ -91,9 +91,6 @@ AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
 USE_CUSTOM_HTTPS="${USE_CUSTOM_HTTPS-no}"
 ROOT_FOLDER="${ROOT_FOLDER-/www}"
 ROOT_SITE_SUBFOLDER="${ROOT_SITE_SUBFOLDER-}"
-LOGROTATE_MINSIZE="${LOGROTATE_MINSIZE-10M}"
-LOGROTATE_MAXAGE="${LOGROTATE_MAXAGE-7}"
-LOGROTATE_CRON="${LOGROTATE_CRON-0 0 * * *}"
 DNS_RESOLVERS="${DNS_RESOLVERS-127.0.0.11}"
 USE_WHITELIST_IP="${USE_WHITELIST_IP-yes}"
 WHITELIST_IP_LIST="${WHITELIST_IP_LIST-127.0.0.1 23.21.227.69 40.88.21.235 50.16.241.113 50.16.241.114 50.16.241.117 50.16.247.234 52.204.97.54 52.5.190.19 54.197.234.188 54.208.100.253 54.208.102.37 107.21.1.8}"
--- a/entrypoint/entrypoint.sh
+++ b/entrypoint/entrypoint.sh
@ -5,25 +5,13 @@

 echo "[*] Starting bunkerized-nginx ..."

-# execute custom scripts if it's a customized image
-for file in /entrypoint.d/* ; do
-    [ -f "$file" ] && [ -x "$file" ] && "$file"
-done
-
 # trap SIGTERM and SIGINT
 function trap_exit() {
 	echo "[*] Catched stop operation"
 	echo "[*] Stopping crond ..."
 	pkill -TERM crond
-	if [ "$USE_FAIL2BAN" = "yes" ] ; then
-		echo "[*] Stopping fail2ban"
-		fail2ban-client stop > /dev/null
-	fi
 	echo "[*] Stopping nginx ..."
 	/usr/sbin/nginx -s stop
-	echo "[*] Stopping rsyslogd ..."
-	pkill -TERM rsyslogd
-	pkill -TERM tail
 }
 trap "trap_exit" TERM INT QUIT

@ -62,16 +50,10 @@ if [ ! -f "/opt/installed" ] ; then
 		exit 1
 	fi

-	# logs config
-	/opt/entrypoint/logs.sh
-
 	# lua config
 	# TODO : move variables from /usr/local/lib/lua + multisite support ?
 	/opt/entrypoint/lua.sh

-	# fail2ban config
-	/opt/entrypoint/fail2ban.sh
-
 	# clamav config
 	/opt/entrypoint/clamav.sh

@ -103,9 +85,6 @@ else
 	echo "[*] Skipping configuration process"
 fi

-# start rsyslogd
-rsyslogd -i /tmp/rsyslogd.pid
-
 # start crond
 crond

@ -124,22 +103,13 @@ fi

 # run nginx
 echo "[*] Running nginx ..."
-nginx
-if [ "$?" -eq 0 ] ; then
-	echo "[*] nginx successfully started !"
-else
-	echo "[!] nginx failed to start"
-fi
-
-# list of log files to display
-LOGS="/var/log/access.log /var/log/error.log /var/log/jobs.log /var/log/nginx/error.log /var/log/nginx/modsec_audit.log"
-
-# start fail2ban
-if [ "$USE_FAIL2BAN" = "yes" ] ; then
-	echo "[*] Running fail2ban ..."
-	fail2ban-server > /dev/null
-	LOGS="$LOGS /var/log/fail2ban.log"
-fi
+nginx &
+pid="$!"
+#if [ "$?" -eq 0 ] ; then
+#	echo "[*] nginx successfully started !"
+#else
+#	echo "[!] nginx failed to start"
+#fi

 # autotest
 if [ "$1" == "test" ] ; then
@ -152,9 +122,8 @@ if [ "$1" == "test" ] ; then
 	exit 1
 fi

-# display logs
-tail -F $LOGS &
-pid="$!"
+# wait for nginx
+wait "$pid"
 while [ -f "/tmp/nginx.pid" ] ; do
 	wait "$pid"
 done
--- a/entrypoint/fail2ban.sh
+++ b/entrypoint/fail2ban.sh
@ -1,19 +0,0 @@
-#!/bin/bash
-
-# load default values
-. /opt/entrypoint/defaults.sh
-
-# load some functions
-. /opt/entrypoint/utils.sh
-
-# fail2ban setup
-if [ "$(has_value USE_FAIL2BAN yes)" != "" ] ; then
-	cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local
-	cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local
-	cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local
-	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME"
-	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME"
-	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY"
-	replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_IGNOREIP%" "$FAIL2BAN_IGNOREIP"
-	replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES"
-fi
--- a/entrypoint/logs.sh
+++ b/entrypoint/logs.sh
@ -1,28 +0,0 @@
-#!/bin/bash
-
-# load default values
-. /opt/entrypoint/defaults.sh
-
-# load some functions
-. /opt/entrypoint/utils.sh
-
-# copy stub confs
-cat /opt/logs/rsyslog.conf > /etc/rsyslog.conf
-cat /opt/logs/logrotate.conf > /etc/logrotate.conf
-
-# create empty logs
-touch /var/log/access.log
-touch /var/log/error.log
-touch /var/log/jobs.log
-
-# setup logrotate
-replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
-replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
-echo "$LOGROTATE_CRON /opt/scripts/logrotate.sh > /dev/null 2>&1" >> /etc/crontabs/nginx
-
-# setup rsyslog
-if [ "$REMOTE_SYSLOG" != "" ] ; then
-	replace_in_file "/etc/rsyslog.conf" "%REMOTE_SYSLOG%" "local0.* @${REMOTE_SYSLOG};rawFormat"
-else
-	replace_in_file "/etc/rsyslog.conf" "%REMOTE_SYSLOG%" ""
-fi
--- a/prepare.sh
+++ b/prepare.sh
@ -1,11 +1,5 @@
 #!/bin/sh

-# install dependencies
-apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c bash brotli
-
-# temp fix ?
-chmod 644 /usr/lib/python3.8/site-packages/fail2ban-*/*
-
 # custom entrypoint
 mkdir /opt/entrypoint.d

@ -28,19 +22,21 @@ chmod -R 770 /etc/nginx
 # prepare /var/log
 rm -f /var/log/nginx/*
 chown root:nginx /var/log/nginx
-touch /var/log/nginx/error.log /var/log/nginx/modsec_audit.log /var/log/jobs.log
-chown nginx:nginx /var/log/nginx/*
 chmod -R 770 /var/log/nginx
-touch /var/log/access.log /var/log/error.log /var/log/jobs.log /var/log/fail2ban.log
-chown nginx:nginx /var/log/*.log
-chmod 770 /var/log/*.log
+ln -s /proc/1/fd/2 /var/log/nginx/error.log
+ln -s /proc/1/fd/2 /var/log/nginx/modsec_audit.log
+ln -s /proc/1/fd/1 /var/log/access.log
+ln -s /proc/1/fd/2 /var/log/error.log
+ln -s /proc/1/fd/1 /var/log/jobs.log
+ln -s /proc/1/fd/1 /var/log/fail2ban.log
+ln -s /proc/1/fd/1 /var/log/clamav.log
 mkdir /var/log/letsencrypt
 chown nginx:nginx /var/log/letsencrypt
 chmod 770 /var/log/letsencrypt
-touch /var/log/clamav.log
-chown root:nginx /var/log/clamav.log
-chmod 770 /var/log/clamav.log
-find /var/log -type f -exec chmod 0774 {} \;
+rm -rf /var/log/clamav/*
+chown root:nginx /var/log/clamav
+chmod 770 /var/log/clamav
+ln -s /proc/1/fd/1 /var/log/freshclam.log

 # prepare /acme-challenge
 mkdir /acme-challenge
@ -57,16 +53,6 @@ mkdir /var/lib/letsencrypt
 chown root:nginx /var/lib/letsencrypt
 chmod 770 /var/lib/letsencrypt

-# prepare /etc/fail2ban
-rm -rf /etc/fail2ban/jail.d/*.conf
-chown -R root:nginx /etc/fail2ban
-find /etc/fail2ban -type f -exec chmod 0760 {} \;
-find /etc/fail2ban -type d -exec chmod 0770 {} \;
-
-# prepare /var/run/fail2ban and /var/lib/fail2ban
-chown -R root:nginx /var/run/fail2ban /var/lib/fail2ban
-chmod -R 770 /var/run/fail2ban /var/lib/fail2ban
-
 # prepare /usr/local/lib/lua
 chown -R root:nginx /usr/local/lib/lua
 chmod 770 /usr/local/lib/lua
@ -79,20 +65,11 @@ mkdir /cache
 chown root:nginx /cache
 chmod 770 /cache

-# prepare misc files
-chown root:nginx /etc/rsyslog.conf /etc/logrotate.conf
-chmod 660 /etc/rsyslog.conf /etc/logrotate.conf
-chown root:nginx /etc/rsyslog.conf
-
 # prepare /etc/crontabs/nginx
 touch /etc/crontabs/nginx
 chown root:nginx /etc/crontabs/nginx
 chmod 660 /etc/crontabs/nginx

-# prepare /var/log/clamav
-chown root:nginx /var/log/clamav
-chmod 770 /var/log/clamav
-
 # prepare /var/lib/clamav
 chown root:nginx /var/lib/clamav
 chmod 770 /var/lib/clamav