syslog integration and fail2ban improvement
This commit is contained in:
parent
cd19841ec3
commit
f30a06d943
|
@ -419,10 +419,11 @@ docker run ... -v /path/to/http/confs:/http-confs ... bunkerity/bunkerized-nginx
|
|||
```
|
||||
|
||||
# TODO
|
||||
- docker tags
|
||||
- Tutorials
|
||||
- Full documentation
|
||||
- logrotate
|
||||
- readme : custom errors
|
||||
- remove nginx on default error pages
|
||||
- nginx compile flags
|
||||
- Antibot with recaptcha v3
|
||||
- HSTS preload, HPKP
|
||||
- Web UI
|
||||
- Full documentation
|
||||
|
|
|
@ -61,8 +61,9 @@ http {
|
|||
# enable/disable sending nginx version
|
||||
server_tokens %SERVER_TOKENS%;
|
||||
|
||||
# where to write logs
|
||||
access_log /var/log/access.log;
|
||||
# write logs to local syslogd
|
||||
access_log syslog:server=unix:/dev/log,nohostname,facility=local0 combined;
|
||||
error_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=warn;
|
||||
|
||||
# server config
|
||||
include /etc/nginx/server.conf;
|
||||
|
|
|
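Review bot: With the file target `access_log /var/log/access.log;` replaced by the `syslog:server=unix:/dev/log` target, the unix socket becomes the only sink for access lines, and nginx does not stop serving when the socket is unavailable, so a syslogd that has not started or has died leaves no request trail on disk and starves the fail2ban jail that now reads `/var/log/nginx.log`. Keeping a second file sink alongside the syslog one, `access_log /var/log/access.log combined;`, preserves an on-disk record independent of the daemon (nginx accepts several `access_log` directives in the same context). The same consideration applies to `error_log`, which after this change only goes to syslog at `severity=warn` and above; whether the dropped `notice` level carries anything the operators rely on is something to confirm against the existing error logs.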
@ -585,15 +585,15 @@ html_errors = On
|
|||
; Example:
|
||||
;error_log = php_errors.log
|
||||
; Log errors to syslog (Event Log on Windows).
|
||||
;error_log = syslog
|
||||
error_log = syslog
|
||||
|
||||
; The syslog ident is a string which is prepended to every message logged
|
||||
; to syslog. Only used when error_log is set to syslog.
|
||||
;syslog.ident = php
|
||||
syslog.ident = php
|
||||
|
||||
; The syslog facility is used to specify what type of program is logging
|
||||
; the message. Only used when error_log is set to syslog.
|
||||
;syslog.facility = user
|
||||
syslog.facility = local1
|
||||
|
||||
; Set this to disable filtering control characters (the default).
|
||||
; Some loggers only accept NVT-ASCII, others accept anything that's not
|
||||
|
@ -605,7 +605,7 @@ html_errors = On
|
|||
; all (all characters)
|
||||
; raw (like "all", but messages are not split at newlines)
|
||||
; http://php.net/syslog.filter
|
||||
;syslog.filter = ascii
|
||||
syslog.filter = ascii
|
||||
|
||||
;windows.show_crt_warning
|
||||
; Default value: 0
|
||||
|
|
|
@ -0,0 +1,2 @@
|
|||
local0.* /var/log/nginx.log
|
||||
local1.* /var/log/php.log
|
|
@ -38,6 +38,7 @@ function replace_in_file() {
|
|||
cp /opt/confs/*.conf /etc/nginx
|
||||
cp -r /opt/confs/owasp-crs /etc/nginx
|
||||
cp /opt/confs/php.ini /etc/php7/php.ini
|
||||
cp /opt/confs/syslog.conf /etc/syslog.conf
|
||||
|
||||
# remove cron jobs
|
||||
echo "" > /etc/crontabs/root
|
||||
|
@ -104,6 +105,8 @@ AUTH_BASIC_USER="${AUTH_BASIC_USER-changeme}"
|
|||
AUTH_BASIC_PASSWORD="${AUTH_BASIC_PASSWORD-changeme}"
|
||||
USE_HTTPS_CUSTOM="${USE_HTTPS_CUSTOM-no}"
|
||||
ROOT_FOLDER="${ROOT_FOLDER-/www}"
|
||||
SYSLOG_MAXSIZE="${SYSLOG_MAXSIZE-1000}"
|
||||
SYSLOG_KEEP="${SYSLOG_KEEP-10}"
|
||||
|
||||
# install additional modules if needed
|
||||
if [ "$ADDITIONAL_MODULES" != "" ] ; then
|
||||
|
@ -352,14 +355,14 @@ fi
|
|||
# fail2ban setup
|
||||
if [ "$USE_FAIL2BAN" = "yes" ] ; then
|
||||
echo "" > /etc/nginx/fail2ban-ip.conf
|
||||
rm -rf /etc/fail2ban/jail.d/*
|
||||
rm -rf /etc/fail2ban/jail.d/*.conf
|
||||
replace_in_file "/etc/nginx/server.conf" "%USE_FAIL2BAN%" "include /etc/nginx/fail2ban-ip.conf;"
|
||||
cp /opt/fail2ban/nginx-action.local /etc/fail2ban/action.d/nginx-action.local
|
||||
cp /opt/fail2ban/nginx-filter.local /etc/fail2ban/filter.d/nginx-filter.local
|
||||
cp /opt/fail2ban/jail.local /etc/fail2ban/jail.local
|
||||
replace_in_file "/etc/fail2ban/jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME"
|
||||
replace_in_file "/etc/fail2ban/jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME"
|
||||
replace_in_file "/etc/fail2ban/jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY"
|
||||
cp /opt/fail2ban/nginx-jail.local /etc/fail2ban/jail.d/nginx-jail.local
|
||||
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_BANTIME%" "$FAIL2BAN_BANTIME"
|
||||
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_FINDTIME%" "$FAIL2BAN_FINDTIME"
|
||||
replace_in_file "/etc/fail2ban/jail.d/nginx-jail.local" "%FAIL2BAN_MAXRETRY%" "$FAIL2BAN_MAXRETRY"
|
||||
replace_in_file "/etc/fail2ban/filter.d/nginx-filter.local" "%FAIL2BAN_STATUS_CODES%" "$FAIL2BAN_STATUS_CODES"
|
||||
else
|
||||
replace_in_file "/etc/nginx/server.conf" "%USE_FAIL2BAN%" ""
|
||||
|
@ -367,8 +370,8 @@ fi
|
|||
|
||||
# clamav setup
|
||||
if [ "$USE_CLAMAV_UPLOAD" = "yes" ] || [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
|
||||
echo "[*] Updating clamav ..."
|
||||
freshclam > /dev/null 2>&1
|
||||
echo "[*] Updating clamav (in background) ..."
|
||||
freshclam > /dev/null 2>&1 &
|
||||
echo "0 0 * * * /usr/bin/freshclam > /dev/null 2>&1" >> /etc/crontabs/root
|
||||
fi
|
||||
if [ "$USE_CLAMAV_UPLOAD" = "yes" ] ; then
|
||||
|
@ -390,6 +393,9 @@ if [ "$WRITE_ACCESS" = "yes" ] ; then
|
|||
chmod g+w -R /www
|
||||
fi
|
||||
|
||||
# start syslogd
|
||||
syslogd -S -s "$SYSLOG_MAXSIZE" -b "$SYSLOG_KEEP"
|
||||
|
||||
# start PHP
|
||||
if [ "$USE_PHP" = "yes" ] ; then
|
||||
replace_in_file "/etc/php7/php-fpm.d/www.conf" "user = nobody" "user = nginx"
|
||||
|
@ -403,6 +409,12 @@ crond
|
|||
# start nginx
|
||||
echo "[*] Running nginx ..."
|
||||
/usr/sbin/nginx
|
||||
if [ ! -f "/var/log/nginx.log" ] ; then
|
||||
touch /var/log/nginx.log
|
||||
fi
|
||||
if [ ! -f "/var/log/php.log" ] && [ "$USE_PHP" = "yes" ] ; then
|
||||
touch /var/log/php.log
|
||||
fi
|
||||
|
||||
# start fail2ban
|
||||
if [ "$USE_FAIL2BAN" = "yes" ] ; then
|
||||
|
@ -410,7 +422,11 @@ if [ "$USE_FAIL2BAN" = "yes" ] ; then
|
|||
fi
|
||||
|
||||
# display logs
|
||||
tail -f /var/log/access.log &
|
||||
if [ "$USE_PHP" = "yes" ] ; then
|
||||
tail -f /var/log/nginx.log /var/log/php.log &
|
||||
else
|
||||
tail -f /var/log/nginx.log &
|
||||
fi
|
||||
wait $!
|
||||
|
||||
# sigterm trapped
|
||||
|
|
|
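Review bot: `syslogd -S -s "$SYSLOG_MAXSIZE" -b "$SYSLOG_KEEP"` interpolates two environment values that are never validated, and its exit status is not checked; since the nginx config in this commit now writes access and error lines only to `/dev/log`, a daemon that fails to start (for instance on a non-numeric `SYSLOG_MAXSIZE`) silently removes the whole request log and blinds the fail2ban jail. Guarding the values and the start, `case "$SYSLOG_MAXSIZE$SYSLOG_KEEP" in *[!0-9]*) echo "[!] SYSLOG_MAXSIZE and SYSLOG_KEEP must be integers" >&2; exit 1 ;; esac` before the call and `syslogd -S -s "$SYSLOG_MAXSIZE" -b "$SYSLOG_KEEP" || { echo "[!] syslogd failed to start" >&2; exit 1; }` in place of it, makes the failure visible (whether busybox syslogd returns non-zero for a bad `-s` argument before daemonizing should be confirmed). In the "display logs" hunk, `tail -f /var/log/nginx.log /var/log/php.log &` follows the open descriptors, so once syslogd rotates the files under `-b` the console output presumably stops; `tail -F` would follow the names if this busybox build supports it. The enclosing script continues outside these hunks.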
@ -2,6 +2,6 @@
|
|||
before = common.conf
|
||||
|
||||
[Definition]
|
||||
failregex = <HOST> - .* \[.*\] ".*" (%FAIL2BAN_STATUS_CODES%) .* ".*" ".*"
|
||||
failregex = .* nginx: <HOST> - .* \[.*\] ".*" (%FAIL2BAN_STATUS_CODES%) .* ".*" ".*"
|
||||
ignoreregex =
|
||||
datepattern = %%d/%%b/%%Y:%%H:%%M:%%S
|
||||
|
|
|
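Review bot: The new `failregex = .* nginx: <HOST> - .* \[.*\] ".*" (%FAIL2BAN_STATUS_CODES%) .* ".*" ".*"` is unanchored and uses greedy `.*` for the quoted request, referer and user-agent fields, so which token ends up as `<HOST>` depends on backtracking across attacker-supplied strings rather than on the line's fixed structure. This stays safe only as long as nginx keeps escaping `"` in logged variables (the default for the `combined` format); anchoring the syslog prefix and using negated classes for the quoted fields removes that dependency, e.g. `failregex = ^.*? nginx: <HOST> - \S+ \[[^\]]*\] "[^"]*" (%FAIL2BAN_STATUS_CODES%) \d+ "[^"]*" "[^"]*"$`. The `datepattern` still points at the bracketed nginx timestamp rather than the syslog one that now precedes it, which looks intentional but is worth a comment in the file.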
@ -1,9 +1,7 @@
|
|||
[DEFAULTS]
|
||||
[nginx-filter]
|
||||
bantime = %FAIL2BAN_BANTIME%
|
||||
findtime = %FAIL2BAN_FINDTIME%
|
||||
maxretry = %FAIL2BAN_MAXRETRY%
|
||||
|
||||
[nginx-filter]
|
||||
enabled = true
|
||||
action = nginx-action
|
||||
logpath = /var/log/access.log
|
||||
logpath = /var/log/nginx.log
|
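Review bot: The jail is now named `[nginx-filter]` and relies on fail2ban's default of using the jail name as the filter name; stating `filter = nginx-filter` explicitly next to `action = nginx-action` makes that dependency visible and survives a later rename of the section. The `bantime`, `findtime` and `maxretry` templates also appear in `/etc/fail2ban/jail.local`, which the entrypoint hunk in this commit fills from the same variables, so the same values are now set in two files; keeping them in one place avoids the two drifting apart.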