update

2025-06-28 04:06:54 +00:00 · 2025-03-02 18:30:30 +01:00 · 2025-03-02 18:30:30 +01:00 · 55dd04ccdf
commit 55dd04ccdf
parent de90a631f5
1 changed files with 98 additions and 60 deletions
--- a/scripts/customizable_post_install.sh
+++ b/scripts/customizable_post_install.sh
@ -1244,65 +1244,63 @@ EOF
 install_fail2ban() {
-    msg_info2 "$(translate "Installing and configuring fail2ban to protect the web interface...")"
+    msg_info2 "$(translate "Installing and configuring Fail2Ban to protect the web interface...")"
-    # Install fail2ban
+#    
-    if ! dpkg -s fail2ban >/dev/null 2>&1; then
+#    if dpkg -l | grep -qw fail2ban; then
-        msg_info "$(translate "Installing fail2ban...")"
+#        msg_info "$(translate "Removing existing Fail2Ban installation...")"
-        if /usr/bin/env DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::='--force-confdef' install fail2ban > /dev/null 2>&1; then
+#        apt-get remove --purge -y fail2ban >/dev/null 2>&1
-            msg_ok "$(translate "fail2ban installed successfully")"
+#        rm -rf /etc/fail2ban /var/lib/fail2ban /var/run/fail2ban
-        else
+#        msg_ok "$(translate "Fail2Ban removed successfully")"
-            msg_error "$(translate "Failed to install fail2ban")"
+#    else
-            return 1
+#        msg_ok "$(translate "Fail2Ban was not installed")"
-        fi
+#    fi
    msg_info "$(translate "Installing Fail2Ban...")"
    apt-get update >/dev/null 2>&1 && apt-get install -y fail2ban >/dev/null 2>&1
    if [[ $? -eq 0 ]]; then
        msg_ok "$(translate "Fail2Ban installed successfully")"
    else
-        msg_ok "$(translate "fail2ban installed successfully")"
+        msg_error "$(translate "Failed to install Fail2Ban")"
        return 1
    fi
-    # Configure Proxmox filter
+   
-    msg_info "$(translate "Configuring Proxmox filter for fail2ban...")"
+    mkdir -p /etc/fail2ban/jail.d /etc/fail2ban/filter.d
-    local proxmox_filter="/etc/fail2ban/filter.d/proxmox.conf"
+
-    if [ ! -f "$proxmox_filter" ] || ! grep -q "pvedaemon\[.*authentication failure" "$proxmox_filter"; then
+   
-        cat <<EOF > "$proxmox_filter"
+    msg_info "$(translate "Configuring Proxmox filter...")"
    cat > /etc/fail2ban/filter.d/proxmox.conf << EOF
 [Definition]
 failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.*
 ignoreregex =
 EOF
-        msg_ok "$(translate "Proxmox filter configured")"
+    msg_ok "$(translate "Proxmox filter configured")"
    else
        msg_ok "$(translate "Proxmox filter configured")"
    fi
-    # Configure Proxmox jail
+  
-    msg_info "$(translate "Configuring Proxmox jail for fail2ban...")"
+    msg_info "$(translate "Configuring Proxmox jail...")"
-    local proxmox_jail="/etc/fail2ban/jail.d/proxmox.conf"
+    cat > /etc/fail2ban/jail.d/proxmox.conf << EOF
    if [ ! -f "$proxmox_jail" ] || ! grep -q "\[proxmox\]" "$proxmox_jail"; then
        cat <<EOF > "$proxmox_jail"
 [proxmox]
 enabled = true
 port = https,http,8006,8007
 filter = proxmox
 logpath = /var/log/daemon.log
 maxretry = 3
 # 1 hour
 bantime = 3600
 findtime = 600
 EOF
-        msg_ok "$(translate "Proxmox jail configured")"
+    msg_ok "$(translate "Proxmox jail configured")"
    else
        msg_ok "$(translate "Proxmox jail configured")"
    fi
-    # Configure general fail2ban settings
+  
-    msg_info "$(translate "Configuring general fail2ban settings...")"
+    msg_info "$(translate "Configuring general Fail2Ban settings...")"
-    local jail_local="/etc/fail2ban/jail.local"
+    cat > /etc/fail2ban/jail.local << EOF
    if [ ! -f "$jail_local" ] || ! grep -q "\[DEFAULT\]" "$jail_local"; then
        cat <<EOF > "$jail_local"
 [DEFAULT]
 ignoreip = 127.0.0.1
 bantime = 86400
 maxretry = 2
 findtime = 1800
 [ssh-iptables]
 enabled = true
 filter = sshd
@ -1312,42 +1310,82 @@ maxretry = 2
 findtime = 3600
 bantime = 32400
 EOF
-        msg_ok "$(translate "General fail2ban settings configured")"
+    msg_ok "$(translate "General Fail2Ban settings configured")"
-    else
+
-        msg_ok "$(translate "General fail2ban settings configured")"
+    
    msg_info "$(translate "Stopping Fail2Ban service...")"
    systemctl stop fail2ban >/dev/null 2>&1
    msg_ok "$(translate "Fail2Ban service stopped")"
    msg_info "$(translate "Ensuring authentication logs exist...")"
    touch /var/log/auth.log /var/log/daemon.log
    chown root:adm /var/log/auth.log /var/log/daemon.log
    chmod 640 /var/log/auth.log /var/log/daemon.log
    msg_ok "$(translate "Authentication logs verified")"
    if [[ ! -f /var/log/auth.log && -f /var/log/secure ]]; then
        msg_warn "$(translate "Using /var/log/secure instead of /var/log/auth.log")"
        sed -i 's|logpath = /var/log/auth.log|logpath = /var/log/secure|' /etc/fail2ban/jail.local
    fi
-    # Enable fail2ban service
+   
-    msg_info "$(translate "Enabling fail2ban service...")"
+    msg_info "$(translate "Ensuring Fail2Ban runtime directory exists...")"
-    if systemctl is-enabled fail2ban >/dev/null 2>&1; then
+    mkdir -p /var/run/fail2ban
-        msg_ok "$(translate "fail2ban service enabled")"
+    chown root:root /var/run/fail2ban
    chmod 755 /var/run/fail2ban
    msg_ok "$(translate "Fail2Ban runtime directory verified")"
    msg_info "$(translate "Removing old Fail2Ban database (if exists)...")"
    rm -f /var/lib/fail2ban/fail2ban.sqlite3
    msg_ok "$(translate "Fail2Ban database reset")"
    msg_info "$(translate "Reloading systemd and restarting Fail2Ban...")"
    systemctl daemon-reload
    systemctl enable fail2ban >/dev/null 2>&1
    systemctl restart fail2ban >/dev/null 2>&1
    msg_ok "$(translate "Fail2Ban service restarted")"
    sleep 3
    msg_info "$(translate "Checking Fail2Ban service status...")"
    if systemctl is-active --quiet fail2ban; then
        msg_ok "$(translate "Fail2Ban is running correctly")"
    else
-        if systemctl enable fail2ban > /dev/null 2>&1; then
+        msg_error "$(translate "Fail2Ban is NOT running! Checking logs...")"
-            msg_ok "$(translate "fail2ban service enabled")"
+        journalctl -u fail2ban --no-pager -n 20
-        else
+       
            msg_error "$(translate "Failed to enable fail2ban service")"
            return 1
        fi
    fi
-    # Test fail2ban configuration
+ 
-    msg_info "$(translate "Testing fail2ban configuration...")"
+    msg_info "$(translate "Checking Fail2Ban socket...")"
-    if fail2ban-regex /var/log/daemon.log /etc/fail2ban/filter.d/proxmox.conf > /dev/null 2>&1; then
+    if [ -S /var/run/fail2ban/fail2ban.sock ]; then
-        msg_ok "$(translate "fail2ban configuration test passed")"
+        msg_ok "$(translate "Fail2Ban socket exists!")"
    else
-        msg_warn "$(translate "fail2ban configuration test failed. Please check the configuration manually.")"
+        msg_warn "$(translate "Warning: Fail2Ban socket does not exist!")"
    fi
-    # Restart fail2ban to apply changes
+    
-    msg_info "$(translate "Restarting fail2ban service...")"
+    msg_info "$(translate "Testing fail2ban-client...")"
-    if systemctl restart fail2ban > /dev/null 2>&1; then
+    if fail2ban-client ping >/dev/null 2>&1; then
-        msg_ok "$(translate "fail2ban service restarted successfully")"
+        msg_ok "$(translate "fail2ban-client successfully communicated with the server")"
    else
-        msg_error "$(translate "Failed to restart fail2ban service")"
+        msg_error "$(translate "fail2ban-client could not communicate with the server")"
-        return 1
+       
    fi
-    msg_success "$(translate "fail2ban installation and configuration completed")"
+    
    msg_info "$(translate "Displaying Fail2Ban status...")"
    fail2ban-client status >/dev/null 2>&1
    msg_ok "$(translate "Fail2Ban status displayed")"
    msg_success "$(translate "Fail2Ban installation and configuration completed successfully!")"
 }