From 938bc2791725128ca8935faf2ef5c632bbf93920 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Tue, 18 Oct 2022 12:59:15 +0200 Subject: [PATCH] Update sample for fail2ban --- dev/setup/fail2ban/filter.d/web-dolibarr-limitpublic.conf | 7 +++---- .../fail2ban/filter.d/web-dolibarr-rulesbruteforce.conf | 7 +++---- .../fail2ban/filter.d/web-dolibarr-rulespassforgotten.conf | 7 +++---- htdocs/admin/system/security.php | 7 ++++--- htdocs/langs/en_US/admin.lang | 4 +++- 5 files changed, 16 insertions(+), 16 deletions(-) diff --git a/dev/setup/fail2ban/filter.d/web-dolibarr-limitpublic.conf b/dev/setup/fail2ban/filter.d/web-dolibarr-limitpublic.conf index 45b4a9b8084..2eedad18821 100644 --- a/dev/setup/fail2ban/filter.d/web-dolibarr-limitpublic.conf +++ b/dev/setup/fail2ban/filter.d/web-dolibarr-limitpublic.conf @@ -1,8 +1,7 @@ # Fail2Ban configuration file # -# Regexp to catch known spambots and software alike. Please verify -# that it is your intent to block IPs which were driven by -# above mentioned bots. +# Regexp to detect access on public pages so we can add mitigation on IP making too much +# access to your a Dolibarr instance. [Definition] @@ -11,7 +10,7 @@ # echo `date +'%Y-%m-%d %H:%M:%S'`" INFO 1.2.3.4 --- Access to GET /public/clicktodial/cidlookup.php" >> /mypath/documents/dolibarr.log # # then -# fail2ban-client status web-dol-passforgotten +# fail2ban-client status web-dolibarr-limitpublic # # To test rule file on a existing log file # fail2ban-regex /mypath/documents/dolibarr.log /etc/fail2ban/filter.d/web-dolibarr-limitpublic.conf diff --git a/dev/setup/fail2ban/filter.d/web-dolibarr-rulesbruteforce.conf b/dev/setup/fail2ban/filter.d/web-dolibarr-rulesbruteforce.conf index d5922909ba9..1e126c17693 100644 --- a/dev/setup/fail2ban/filter.d/web-dolibarr-rulesbruteforce.conf +++ b/dev/setup/fail2ban/filter.d/web-dolibarr-rulesbruteforce.conf @@ -1,8 +1,7 @@ # Fail2Ban configuration file # -# Regexp to catch known spambots and software alike. Please verify -# that it is your intent to block IPs which were driven by -# above mentioned bots. +# Regexp to detect try to check a couple login/password so we can add mitigation +# on IP making too much tries. [Definition] @@ -11,7 +10,7 @@ # echo `date +'%Y-%m-%d %H:%M:%S'`" INFO 1.2.3.4 functions_dolibarr::check_user_password_abcd Authentication KO" >> /mypath/documents/dolibarr.log # # then -# fail2ban-client status web-dol-bruteforce +# fail2ban-client status web-dolibarr-rulesbruteforce # # To test rule file on a existing log file # fail2ban-regex /mypath/documents/dolibarr.log /etc/fail2ban/filter.d/web-dolibarr-rulesbruteforce.conf diff --git a/dev/setup/fail2ban/filter.d/web-dolibarr-rulespassforgotten.conf b/dev/setup/fail2ban/filter.d/web-dolibarr-rulespassforgotten.conf index edc2ca68092..8cc20dd4be4 100644 --- a/dev/setup/fail2ban/filter.d/web-dolibarr-rulespassforgotten.conf +++ b/dev/setup/fail2ban/filter.d/web-dolibarr-rulespassforgotten.conf @@ -1,8 +1,7 @@ # Fail2Ban configuration file # -# Regexp to catch known spambots and software alike. Please verify -# that it is your intent to block IPs which were driven by -# above mentioned bots. +# Regexp to detect access on passwordforgotten.php page so we can add mitigation on IP making too much +# access to this Dolibarr page. [Definition] @@ -11,7 +10,7 @@ # echo `date +'%Y-%m-%d %H:%M:%S'`" INFO 1.2.3.4 --- Access to GET /passwordforgotten.php - action=buildnewpassword, massaction=" >> /mypath/documents/dolibarr.log # # then -# fail2ban-client status web-dol-passforgotten +# fail2ban-client status web-dolibarr-rulespassforgotten # # To test rule file on a existing log file # fail2ban-regex /mypath/documents/dolibarr.log /etc/fail2ban/filter.d/web-dolibarr-rulespassforgotten.conf diff --git a/htdocs/admin/system/security.php b/htdocs/admin/system/security.php index b0ea7571a2d..1ea81cd5dd3 100644 --- a/htdocs/admin/system/security.php +++ b/htdocs/admin/system/security.php @@ -570,9 +570,10 @@ print 'For a higher security, we also recommend to implement limits and mitigati print ''; print '
'; -print 'Login process -> This can be done using a fail2ban rule (see example into dev/setup)'."
"; -print DOL_URL_ROOT.'/passwordforgotten.php (see example into dev/setup)'."
"; -print DOL_URL_ROOT.'/public/* (see example into dev/setup)'."
"; +$urlexamplebase = 'https://github.com/Dolibarr/dolibarr/blob/develop/dev/setup/fail2ban/filter.d/'; +print '- Login process (see fail2ban example on GitHub)
'; +print '- '.DOL_URL_ROOT.'/passwordforgotten.php (see fail2ban example on GitHub)
'; +print '- '.DOL_URL_ROOT.'/public/* (see fail2ban example on GitHub)
'; diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang index b26761b3a49..ba92fc4f8a1 100644 --- a/htdocs/langs/en_US/admin.lang +++ b/htdocs/langs/en_US/admin.lang @@ -2329,4 +2329,6 @@ HelpCssOnViewDesc=The Css used when viewing the field. HelpCssOnListDesc=The Css used when field is inside a list table.
Example: "tdoverflowmax200" RECEPTION_PDF_HIDE_ORDERED=Hide the quantity ordered on the generated documents for receptions MAIN_PDF_RECEPTION_DISPLAY_AMOUNT_HT=Show the price on the generated documents for receptions -WarningDisabled=Warning disabled \ No newline at end of file +WarningDisabled=Warning disabled +LimitsAndMitigation=Access limits and mitigation + \ No newline at end of file