Devuan: update all install scripts from debian (#390)

* devuan: pull fail2ban updates from debian installer * devuan: merge updates to postgresql.sh from debian * devuan: pull updated resources/backup scripts from debian * devuan: merge and update php installer scripts * devuan: merged changes to reset_admin_password.sh from debian * devuan: fix release name typo for chimaera * devuan: merge iptables changes from debian * devuan: merge nginx changes from debian * devuan: merge letsencrypt.sh from debian * devuan: merge main install scripts and config from debian * devuan: simplify sngrep install, its in all maintained releases * devuan: merge main install script updates from debian * devuan: finish.sh: use /usr/sbin/service for restart * devuan: postgresql.sh: fix syntax error * devuan: update and unify sysvinit setup there is no sysvinit package available from freeswitch, usethe same init and defaults file for package and source install * devuan: add equvalent debian releasesto environment.sh * devuan: merge changes to switch* from debian * devuan: switch: use os_codenam_debian to add repos * devuan: olny stop ufw if it was installed * devuan: update config.sh defaults * devuan: remove systemd-specifics from switch package installation * devuan: install postgres before freeswitch * devuan: removed libyuv-dev installation, embedded in freeswitch * devuan: fix failing move of freeswitch music * devuan: removed another libyuv-dev installation, embedded in freeswitch * devuan: revert freeswitch script dir setting in /etc/default * devuan: Enable mod_av for the install. (#389) * devuan: merge improved nginx ssl settings (#388)
2022-04-19 03:37:02 +02:00
parent d3974e1584
commit 9f550a3c42
37 changed files with 1188 additions and 712 deletions
--- a/devuan/resources/fail2ban/auth-challenge-ip.conf
+++ b/devuan/resources/fail2ban/auth-challenge-ip.conf
@@ -0,0 +1,21 @@
+# Fail2Ban configuration file
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+#[WARNING] sofia_reg.c:1792 SIP auth challenge (INVITE) on sofia profile 'internal' for [+972592277524@xxx.xxx.xxx.xxx] from ip 209.160.120.12 
+failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth challenge \((INVITE|REGISTER)\) on sofia profile \'.*\' for \[.*@\d+.\d+.\d+.\d+\] from ip <HOST>
+
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
--- a/devuan/resources/fail2ban/freeswitch-acl.conf
+++ b/devuan/resources/fail2ban/freeswitch-acl.conf
@@ -0,0 +1,20 @@
+# Fail2Ban configuration file
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+#2021-02-03 16:27:57.292697 [WARNING] sofia_reg.c:2353 IP 62.210.78.91 Rejected by register acl "domains"
+failregex = \[WARNING\] sofia_reg.c:\d+ IP <HOST> Rejected by register acl
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
--- a/devuan/resources/fail2ban/freeswitch-404.conf
+++ b/devuan/resources/fail2ban/freeswitch-404.conf
--- a/devuan/resources/fail2ban/fusionpbx-mac.conf
+++ b/devuan/resources/fail2ban/fusionpbx-mac.conf
@@ -0,0 +1,20 @@
+# Fail2Ban configuration file
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+#Oct  9 02:56:16 m1 fusionpbx-provision[28628]: [10.0.0.1] invalid mac address 000000000000
+failregex = \[<HOST>\] invalid mac address 
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =
--- a/devuan/resources/fail2ban/jail.local
+++ b/devuan/resources/fail2ban/jail.local
@@ -1,80 +1,97 @@
-[freeswitch-udp]
+[ssh]
 enabled  = true
-port     = 5060,5061,5080,5081
+port     = 22
+protocol = ssh
+filter   = sshd
+logpath  = /var/log/auth.log
+action   = iptables-allports[name=sshd, protocol=all]
+maxretry = 6
+findtime = 60
+bantime  = 86400
+
+[freeswitch]
+enabled  = true
+port     = 5060:5091
 protocol = all
 filter   = freeswitch
 logpath  = /var/log/freeswitch/freeswitch.log
-action   = iptables-multiport[name=freeswitch-udp, port="5060,5061,5080,5081", protocol=udp]
-maxretry = 5
-findtime = 600
-bantime  = 600
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = iptables-allports[name=freeswitch, protocol=all]
+maxretry = 10
+findtime = 60
+bantime  = 3600
 #          sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed

-[freeswitch-tcp]
+[freeswitch-acl]
 enabled  = true
-port     = 5060,5061,5080,5081
+port     = 5060:5091
 protocol = all
-filter   = freeswitch
+filter   = freeswitch-acl
 logpath  = /var/log/freeswitch/freeswitch.log
-action   = iptables-multiport[name=freeswitch-tcp, port="5060,5061,5080,5081", protocol=tcp]
-maxretry = 5
-findtime = 600
-bantime  = 600
-#          sendmail-whois[name=FreeSwitch, dest=root, sender=fail2ban@example.org] #no smtp server installed
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = iptables-allports[name=freeswitch-acl, protocol=all]
+maxretry = 900
+findtime = 60
+bantime  = 86400

-[freeswitch-ip-tcp]
+[freeswitch-ip]
 enabled  = false
-port     = 5060,5061,5080,5081
+port     = 5060:5091
 protocol = all
 filter   = freeswitch-ip
 logpath  = /var/log/freeswitch/freeswitch.log
-action   = iptables-multiport[name=freeswitch-ip-tcp, port="5060,5061,5080,5081", protocol=tcp]
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = iptables-allports[name=freeswitch-ip, protocol=all]
 maxretry = 1
-findtime = 30
+findtime = 60
 bantime  = 86400

-[freeswitch-ip-udp]
+[auth-challenge-ip]
 enabled  = false
-port     = 5060,5061,5080,5081
+port     = 5060:5091
 protocol = all
-filter   = freeswitch-ip
+filter   = auth-challenge-ip
 logpath  = /var/log/freeswitch/freeswitch.log
-action   = iptables-multiport[name=freeswitch-ip-udp, port="5060,5061,5080,5081", protocol=udp]
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = iptables-allports[name=auth-challenge-ip, protocol=all]
 maxretry = 1
-findtime = 30
+findtime = 60
 bantime  = 86400

-[freeswitch-dos-udp]
-enabled  = true
-port     = 5060,5061,5080,5081
-protocol = all
-filter   = freeswitch-dos
-logpath  = /var/log/freeswitch/freeswitch.log
-action   = iptables-multiport[name=freeswitch-dos-udp, port="5060,5061,5080,5081", protocol=udp]
-maxretry = 50
-findtime = 30
-bantime  = 6000
-
-[freeswitch-dos-tcp]
-enabled  = true
-port     = 5060,5061,5080,5081
-protocol = all
-filter   = freeswitch-dos
-logpath  = /var/log/freeswitch/freeswitch.log
-action   = iptables-multiport[name=freeswitch-dos-tcp, port="5060,5061,5080,5081", protocol=tcp]
-maxretry = 50
-findtime = 30
-bantime  = 6000
-
-[freeswitch-404]
+[sip-auth-challenge]
 enabled  = false
-port     = 5060,5061,5080,5081
+port     = 5060:5091
 protocol = all
-filter   = freeswitch-404
+filter   = sip-auth-challenge
 logpath  = /var/log/freeswitch/freeswitch.log
-action   = iptables-allports[name=freeswitch-404, protocol=all]
-maxretry = 3
-findtime = 300
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = iptables-allports[name=sip-auth-challenge, protocol=all]
+maxretry = 100
+findtime = 60
+bantime  = 7200
+
+[sip-auth-failure]
+enabled  = true
+port     = 5060:5091
+protocol = all
+filter   = sip-auth-failure
+logpath  = /var/log/freeswitch/freeswitch.log
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = iptables-allports[name=sip-auth-failure, protocol=all]
+maxretry = 6
+findtime = 60
+bantime  = 7200
+
+[fusionpbx-404]
+enabled  = false
+port     = 5060:5091
+protocol = all
+filter   = fusionpbx-404
+logpath  = /var/log/freeswitch/freeswitch.log
+#logpath  = /usr/local/freeswitch/log/freeswitch.log
+action   = iptables-allports[name=fusionpbx-404, protocol=all]
+maxretry = 6
+findtime = 60
 bantime  = 86400

 [fusionpbx]
@@ -83,11 +100,23 @@ port     = 80,443
 protocol = tcp
 filter   = fusionpbx
 logpath  = /var/log/auth.log
-action   = iptables-multiport[name=fusionpbx, port="http,https", protocol=tcp]
+action   = iptables-allports[name=fusionpbx, protocol=all]
 #          sendmail-whois[name=fusionpbx, dest=root, sender=fail2ban@example.org] #no smtp server installed
+maxretry = 20
+findtime = 60
+bantime  = 3600
+
+[fusionpbx-mac]
+enabled  = true
+port     = 80,443
+protocol = tcp
+filter   = fusionpbx-mac
+logpath  = /var/log/syslog
+action   = iptables-allports[name=fusionpbx-mac, protocol=all]
+#          sendmail-whois[name=fusionpbx-mac, dest=root, sender=fail2ban@example.org] #no smtp server installed
 maxretry = 10
-findtime = 600
-bantime  = 600
+findtime = 60
+bantime  = 86400

 [nginx-404]
 enabled  = true
@@ -95,19 +124,20 @@ port     = 80,443
 protocol = tcp
 filter   = nginx-404
 logpath  = /var/log/nginx/access*.log
+action   = iptables-allports[name=nginx-404, protocol=all]
 bantime  = 3600
 findtime = 60
-maxretry = 120
+maxretry = 300

 [nginx-dos]
 # Based on apache-badbots but a simple IP check (any IP requesting more than
 # 300 pages in 60 seconds, or 5p/s average, is suspicious)
-# Block for two full days.
 enabled  = true
 port     = 80,443
 protocol = tcp
 filter   = nginx-dos
 logpath  = /var/log/nginx/access*.log
+action   = iptables-allports[name=nginx-dos, protocol=all]
 findtime = 60
 bantime  = 86400
-maxretry = 300
+maxretry = 800
--- a/devuan/resources/fail2ban/sip-auth-challenge.conf
+++ b/devuan/resources/fail2ban/sip-auth-challenge.conf
--- a/devuan/resources/fail2ban/sip-auth-failure.conf
+++ b/devuan/resources/fail2ban/sip-auth-failure.conf
@@ -0,0 +1,21 @@
+# Fail2Ban configuration file
+#
+# Author: soapee01
+#
+
+[Definition]
+
+# Option:  failregex
+# Notes.:  regex to match the password failures messages in the logfile. The
+#          host must be matched by a group named "host". The tag "<HOST>" can
+#          be used for standard IP/hostname matching and is only an alias for
+#          (?:::f{4,6}:)?(?P<host>[\w\-.^_]+)
+# Values:  TEXT
+#
+failregex = \[WARNING\] sofia_reg.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'.*\' for \[.*\] from ip <HOST>
+
+# Option:  ignoreregex
+# Notes.:  regex to ignore. If this regex matches, the line is ignored.
+# Values:  TEXT
+#
+ignoreregex =