From 0dd70db539b5bb800aff93f48cded0c90bb7d7be Mon Sep 17 00:00:00 2001
From: einhorn_b
Date: Wed, 24 Jan 2024 18:15:33 +0100
Subject: [PATCH 1/2] fix not working fail2ban, add jails for nginx
---
 deployment/bare_metal/nginx/common/limit_requests.conf | 3 ++-
 deployment/hetzner_cloud/cloudConfig.yaml | 1 +
 deployment/hetzner_cloud/install.sh | 8 ++++++++
 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/deployment/bare_metal/nginx/common/limit_requests.conf b/deployment/bare_metal/nginx/common/limit_requests.conf
index e9026ee81..c9501fd64 100644
--- a/deployment/bare_metal/nginx/common/limit_requests.conf
+++ b/deployment/bare_metal/nginx/common/limit_requests.conf
@@ -1,3 +1,4 @@
 limit_req_zone $binary_remote_addr zone=frontend:20m rate=5r/s;
 limit_req_zone $binary_remote_addr zone=backend:25m rate=15r/s;
-limit_req_zone $binary_remote_addr zone=api:5m rate=30r/s;
\ No newline at end of file
+limit_req_zone $binary_remote_addr zone=api:5m rate=30r/s;
+limit_conn_zone $binary_remote_addr zone=addr:10m;
\ No newline at end of file
diff --git a/deployment/hetzner_cloud/cloudConfig.yaml b/deployment/hetzner_cloud/cloudConfig.yaml
index 86e7d5724..84658705f 100644
--- a/deployment/hetzner_cloud/cloudConfig.yaml
+++ b/deployment/hetzner_cloud/cloudConfig.yaml
@@ -9,6 +9,7 @@ users:
 packages:
 - fail2ban
+ - python3-systemd
 - ufw
 - git
 - mariadb-server
diff --git a/deployment/hetzner_cloud/install.sh b/deployment/hetzner_cloud/install.sh
index ee539370c..e9ed69e76 100755
--- a/deployment/hetzner_cloud/install.sh
+++ b/deployment/hetzner_cloud/install.sh
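Review bot: The added `limit_conn_zone $binary_remote_addr zone=addr:10m;` only allocates a shared-memory zone; nothing in this series adds a matching `limit_conn addr N;` directive, so by itself the line enforces no per-client connection cap. Either add `limit_conn addr 10;` (constructed example value, tune to real traffic) in the server or location blocks that should be protected, or leave the zone out until it is used. The file still ends without a trailing newline on the new side (`\ No newline at end of file`), which is worth fixing while the last line is being touched.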
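Review bot: The reason for `python3-systemd` is not visible from the package list itself; it is only implied by the `backend = systemd` jail setting written later in install.sh. A trailing comment such as `- python3-systemd  # systemd bindings needed by fail2ban's systemd backend` would keep the dependency from being dropped as unused in a future cleanup.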
@@ -80,6 +80,14 @@ expect eof
 ")
 echo "$SECURE_MYSQL"
+# Configure fail2ban, seems to not run out of the box on Debian 12
+echo -e "[sshd]\nbackend = systemd" | tee /etc/fail2ban/jail.d/sshd.conf
+# enable nginx-limit-req filter to block also user which exceed nginx request limiter
+echo -e "[nginx-limit-req]\nenabled = true\nlogpath = $SCRIPT_PATH/log/nginx-error.*.log" | tee /etc/fail2ban/jail.d/nginx-limit-req.conf
+# enable nginx bad request filter
+echo -e "[nginx-bad-request]\nenabled = true\nlogpath = $SCRIPT_PATH/log/nginx-error.*.log" | tee /etc/fail2ban/jail.d/nginx-bad-request.conf
+systemctl restart fail2ban
+
 # Configure nginx
 rm /etc/nginx/sites-enabled/default
 envsubst "$(env | sed -e 's/=.*//' -e 's/^/\$/g')" < $SCRIPT_PATH/nginx/sites-available/gradido.conf.template > $SCRIPT_PATH/nginx/sites-available/gradido.conf
From 491c09f835c8cd700b97c9556adfba060128c6c5 Mon Sep 17 00:00:00 2001
From: einhorn_b
Date: Wed, 24 Jan 2024 18:28:28 +0100
Subject: [PATCH 2/2] move definition of zones
---
 .../bare_metal/nginx/sites-available/gradido.conf.ssl.template | 3 ++-
 .../bare_metal/nginx/sites-available/gradido.conf.template | 3 ++-
 .../nginx/sites-available/update-page.conf.ssl.template | 2 +-
 .../bare_metal/nginx/sites-available/update-page.conf.template | 2 +-
 4 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template b/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template
index 822c326d0..d8ed50ba4 100644
--- a/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template
+++ b/deployment/bare_metal/nginx/sites-available/gradido.conf.ssl.template
@@ -1,3 +1,5 @@
+include /etc/nginx/common/limit_requests.conf;
+
 server {
 if ($host = $COMMUNITY_HOST) {
 return 301 https://$host$request_uri;
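Review bot: The `nginx-bad-request` jail is pointed at `$SCRIPT_PATH/log/nginx-error.*.log`, but fail2ban's stock `nginx-bad-request` filter matches access-log lines (requests answered with HTTP 400), so with the error log as `logpath` it should never match and the jail is effectively inert; it should read the access log instead, e.g. `logpath = $SCRIPT_PATH/log/nginx-access.*.log`, after confirming what the nginx templates actually name that file, since only the error-log name is visible in this patch. The `nginx-limit-req` jail does read the error log, so every client that trips the 5r/s `frontend` zone from limit_requests.conf (depending on the burst configured where that zone is applied) becomes a ban candidate, and a browser loading a page with many assets can be banned outright — worth checking that jail's `maxretry`/`findtime` against real page loads before relying on it. As a style point, `echo -e` with embedded `\n` piped into `tee` depends on echo's `-e` handling; `printf '[sshd]\nbackend = systemd\n' > /etc/fail2ban/jail.d/sshd.conf` (and likewise for the two nginx jails) writes the same files without that dependency.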
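Review bot: Placing `include /etc/nginx/common/limit_requests.conf;` at the top of every site template — this file, gradido.conf.template, update-page.conf.ssl.template and update-page.conf.template — means that whenever two of these are enabled at the same time nginx sees each `limit_req_zone`/`limit_conn_zone` declared twice and rejects the configuration (an error of the form `limit_req_zone "frontend" is already bound to key "$binary_remote_addr"`), taking the site down on reload. Whether two of the templates are ever active concurrently is not visible here, but declaring the zones once from the `http` block in nginx.conf (or a file under /etc/nginx/conf.d/) would avoid the risk and let the site files keep only the `limit_req`/`limit_conn` directives that use them. The `server` block this hunk opens continues outside the hunk.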
@@ -21,7 +23,6 @@ server {
 include /etc/nginx/common/protect.conf;
 include /etc/nginx/common/protect_add_header.conf;
- include /etc/nginx/common/limit_requests.conf;
 # protect from slow loris
 client_body_timeout 10s;
diff --git a/deployment/bare_metal/nginx/sites-available/gradido.conf.template b/deployment/bare_metal/nginx/sites-available/gradido.conf.template
index 1f673ee41..e0f382467 100644
--- a/deployment/bare_metal/nginx/sites-available/gradido.conf.template
+++ b/deployment/bare_metal/nginx/sites-available/gradido.conf.template
@@ -1,3 +1,5 @@
+include /etc/nginx/common/limit_requests.conf;
+
 server {
 server_name $COMMUNITY_HOST;
@@ -6,7 +8,6 @@ server {
 include /etc/nginx/common/protect.conf;
 include /etc/nginx/common/protect_add_header.conf;
- include /etc/nginx/common/limit_requests.conf;
 # protect from slow loris
 client_body_timeout 10s;
diff --git a/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template b/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template
index ee7732230..fd41c333d 100644
--- a/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template
+++ b/deployment/bare_metal/nginx/sites-available/update-page.conf.ssl.template
@@ -1,3 +1,4 @@
+include /etc/nginx/common/limit_requests.conf;
 server {
 if ($host = $COMMUNITY_HOST) {
@@ -21,7 +22,6 @@ server {
 include /etc/nginx/common/protect.conf;
 include /etc/nginx/common/protect_add_header.conf;
- include /etc/nginx/common/limit_requests.conf;
 # protect from slow loris
 client_body_timeout 10s;
diff --git a/deployment/bare_metal/nginx/sites-available/update-page.conf.template b/deployment/bare_metal/nginx/sites-available/update-page.conf.template
index 38dfb2d02..be91abc88 100644
--- a/deployment/bare_metal/nginx/sites-available/update-page.conf.template
+++ b/deployment/bare_metal/nginx/sites-available/update-page.conf.template
@@ -1,3 +1,4 @@
+include /etc/nginx/common/limit_requests.conf;
 server {
 server_name $COMMUNITY_HOST;
@@ -6,7 +7,6 @@ server {
 include /etc/nginx/common/protect.conf;
 include /etc/nginx/common/protect_add_header.conf;
- include /etc/nginx/common/limit_requests.conf;
 # protect from slow loris
 client_body_timeout 10s;