Merge changes from kiekerjan special

2026-03-15 17:37:22 +01:00 · 2021-04-11 20:45:24 +02:00
parent 12d0aee27a
commit daf5a62e83
11 changed files with 213 additions and 4 deletions
--- a/setup/geoipfilter.sh
+++ b/setup/geoipfilter.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+CONFIG_FILE=/etc/geoiplookup.conf
+GEOIPLOOKUP=/usr/local/bin/goiplookup
+
+# Check existence of configuration
+if [ -f "$CONFIG_FILE" ]; then
+    source $CONFIG_FILE
+    
+    # Check required variable exists and is non-empty
+    if [ -z "$ALLOW_COUNTRIES" ]; then
+    	echo "variable ALLOW_COUNTRIES is not set or empty. No countries are blocked."
+    	exit 0
+    fi
+else 
+    echo "Configuration $CONFIG_FILE does not exist. No countries are blocked."
+    exit 0
+fi
+
+# Check existence of binary 
+if [ ! -x "$GEOIPLOOKUP" ]; then
+    echo "Geoip lookup binary $GEOIPLOOKUP does not exist. No countries are blocked."
+    exit 0
+fi
+
+if [ $# -ne 1 -a $# -ne 2 ]; then
+  echo "Usage:  `basename $0` <ip>" 1>&2
+  exit 0 # return true in case of config issue
+fi
+
+COUNTRY=`$GEOIPLOOKUP $1 | awk -F ": " '{ print $2 }' | awk -F "," '{ print $1 }' | head -n 1`
+
+[[ $COUNTRY = "IP Address not found" || $ALLOW_COUNTRIES =~ $COUNTRY ]] && RESPONSE="ALLOW" || RESPONSE="DENY"
+
+logger "$RESPONSE geoipblocked connection from $1 ($COUNTRY) $2"
+
+if [ $RESPONSE = "ALLOW" ]
+then
+  exit 0
+else
+  exit 1
+fi
--- a/setup/geoiptoolssetup.sh
+++ b/setup/geoiptoolssetup.sh
@@ -0,0 +1,76 @@
+source setup/functions.sh
+
+echo Installing geoip packages...
+
+# Install some packages
+apt_install geoip-database-extra libgeoip1 libnginx-mod-http-geoip
+
+# geo ip filtering of ssh entries, based on https://www.axllent.org/docs/ssh-geoip/#disqus_thread
+
+# Install geo ip lookup tool
+gunzip -c tools/goiplookup.gz > /usr/local/bin/goiplookup
+chmod +x /usr/local/bin/goiplookup
+
+# check that geoipdb is older then 2 months, to not hit the server too often 
+if [[ ! -d /usr/share/GeoIP || ! -f /usr/share/GeoIP/GeoIP.dat || $(find "/usr/share/GeoIP/GeoIP.dat" -mtime +60 -print) ]]; then
+  echo updating goiplookup database
+  goiplookup db-update
+else
+  echo skipping goiplookup database update
+fi
+
+# Install geo ip filter script
+cp -f setup/geoipfilter.sh /usr/local/bin/
+
+# Install only if not yet exists, to keep user config
+if [ ! -f /etc/geoiplookup.conf ]; then
+    cp -f conf/geoiplookup.conf /etc/
+fi
+
+# Add sshd entries for hosts.deny and hosts.allow
+if grep -Fxq "sshd: ALL" /etc/hosts.deny
+then
+    echo hosts.deny already configured
+else
+    sed -i '/sshd: /d' /etc/hosts.deny
+    echo "sshd: ALL" >> /etc/hosts.deny
+fi
+
+if grep -Fxq "sshd: ALL: aclexec /usr/local/bin/geoipfilter.sh %a %s" /etc/hosts.allow
+then
+    echo hosts.allow already configured
+else
+    # Make sure all sshd lines are removed
+    sed -i '/sshd: /d' /etc/hosts.allow
+    echo "sshd: ALL: aclexec /usr/local/bin/geoipfilter.sh %a %s" >> /etc/hosts.allow
+fi
+
+# geo ip filtering of nginx access log, based on 
+# https://guides.wp-bullet.com/blocking-country-and-continent-with-nginx-geoip-on-ubuntu-18-04/
+
+## Install geo ip lookup files
+
+# Move old file away if it exists
+if [ -f "/usr/share/GeoIP/GeoIP.dat" ]; then
+    mv -f /usr/share/GeoIP/GeoIP.dat /usr/share/GeoIP/GeoIP.dat.bak
+fi
+
+hide_output wget -P /usr/share/GeoIP/ https://dl.miyuru.lk/geoip/maxmind/country/maxmind.dat.gz
+
+if [ -f "/usr/share/GeoIP/maxmind.dat.gz" ]; then
+    gunzip -c /usr/share/GeoIP/maxmind.dat.gz > /usr/share/GeoIP/GeoIP.dat
+else
+    echo Did not correctly download maxmind geoip database
+fi
+
+# If new file is not created, move the old file back
+if [ ! -f "/usr/share/GeoIP/GeoIP.dat" ]; then
+    echo GeoIP.dat was not created
+    
+    if [ -f "/usr/share/GeoIP/GeoIP.dat.bak" ]; then
+        mv /usr/share/GeoIP/GeoIP.dat.bak /usr/share/GeoIP/GeoIP.dat
+    fi
+fi
+
+# Restart nginx
+restart_service nginx
--- a/setup/start.sh
+++ b/setup/start.sh
@@ -118,6 +118,7 @@ source setup/nextcloud.sh
 #source setup/zpush.sh
 source setup/management.sh
 source setup/munin.sh
+source setup/geoiptoolssetup.sh
 source setup/additionals.sh

 # Wait for the management daemon to start...
--- a/setup/system.sh
+++ b/setup/system.sh
@@ -239,9 +239,6 @@ if [ -z "${DISABLE_FIREWALL:-}" ]; then
 	# Install `ufw` which provides a simple firewall configuration.
 	apt_install ufw

-	# Allow incoming connections to SSH.
-	ufw_limit ssh;
-
 	# ssh might be running on an alternate port. Use sshd -T to dump sshd's #NODOC
 	# settings, find the port it is supposedly running on, and open that port #NODOC
 	# too. #NODOC
@@ -251,8 +248,13 @@ if [ -z "${DISABLE_FIREWALL:-}" ]; then

 	echo Opening alternate SSH port $SSH_PORT. #NODOC
 	ufw_limit $SSH_PORT #NODOC
-
+		else
+			# Allow incoming connections to SSH.
+			ufw_limit ssh;
 	fi
+	else
+		# Allow incoming connections to SSH.
+		ufw_limit ssh;
 	fi

 	ufw --force enable;
--- a/setup/web.sh
+++ b/setup/web.sh
@@ -145,6 +145,15 @@ if [ ! -f $STORAGE_ROOT/www/default/index.html ]; then
 fi
 chown -R $STORAGE_USER $STORAGE_ROOT/www

+# Copy geoblock config file, but only if it does not exist to keep user config
+if [ ! -f /etc/nginx/conf.d/10-geoblock.conf ]; then
+    cp -f conf/nginx/conf.d/10-geoblock.conf /etc/nginx/conf.d/
+fi
+
+# touch logfiles that might not exist
+touch /var/log/nginx/geoipblock.log
+chown www-data /var/log/nginx/geoipblock.log
+
 # Start services.
 restart_service nginx
 restart_service php$(php_version)-fpm