Add fail2ban

addons.sh

@@ -45,6 +45,8 @@ sed -i "s@^oneinstack_dir.*@oneinstack_dir=$(pwd)@" ./options.conf
 
 . ./include/redis.sh
 
+. ./include/python.sh
+
 # Check if user is root
 [ $(id -u) != '0' ] && { echo "${CFAILURE}Error: You must be root to run this script${CEND}"; exit 1; }
 
@@ -98,82 +100,8 @@ Uninstall_succ() {
 }
 
 Install_letsencrypt() {
-  if [ "${CentOS_RHEL_version}" == '7' ]; then
-    [ ! -e /etc/yum.repos.d/epel.repo ] && cat > /etc/yum.repos.d/epel.repo << EOF
-[epel]
-name=Extra Packages for Enterprise Linux 7 - \$basearch
-#baseurl=http://download.fedoraproject.org/pub/epel/7/\$basearch
-mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=\$basearch
-failovermethod=priority
-enabled=1
-gpgcheck=0
-EOF
-  elif [ "${CentOS_RHEL_version}" == '6' ]; then
-    [ ! -e /etc/yum.repos.d/epel.repo ] && cat > /etc/yum.repos.d/epel.repo << EOF
-[epel]
-name=Extra Packages for Enterprise Linux 6 - \$basearch
-#baseurl=http://download.fedoraproject.org/pub/epel/6/\$basearch
-mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=\$basearch
-failovermethod=priority
-enabled=1
-gpgcheck=0
-EOF
-  fi
-
-  pushd ${oneinstack_dir}/src
-  if [ "${OS}" == "CentOS" ]; then
-    pkgList="gcc dialog augeas-libs openssl openssl-devel libffi-devel redhat-rpm-config ca-certificates python python-devel python-virtualenv python-tools python-pip"
-    for Package in ${pkgList}; do
-      yum -y install ${Package}
-    done
-  elif [[ "${OS}" =~ ^Ubuntu$|^Debian$ ]]; then
-    pkgList="python python-dev virtualenv python-virtualenv gcc dialog libaugeas0 augeas-lenses libssl-dev libffi-dev ca-certificates"
-    for Package in ${pkgList}; do
-      apt-get -y install $Package
-    done
-  fi
-  # Install Python
-  if [ ! -e "${python_install_dir}/bin/python" -a ! -e "${python_install_dir}/bin/python3" ] ;then
-    src_url=http://mirrors.linuxeye.com/oneinstack/src/Python-${python_version}.tgz && Download_src
-    tar xzf Python-${python_version}.tgz
-    pushd Python-${python_version}
-    ./configure --prefix=${python_install_dir}
-    make && make install
-    [ ! -e "${python_install_dir}/bin/python" -a -e "${python_install_dir}/bin/python3" ] && ln -s ${python_install_dir}/bin/python{3,}
-    popd
-    rm -rf Python-${python_version}
-  fi
-
-  if [ ! -e "${python_install_dir}/bin/easy_install" ] ;then
-    src_url=http://mirrors.linuxeye.com/oneinstack/src/setuptools-${setuptools_version}.zip && Download_src
-    unzip -q setuptools-${setuptools_version}.zip
-    pushd setuptools-${setuptools_version}
-    ${python_install_dir}/bin/python setup.py install
-    popd
-    rm -rf setuptools-${setuptools_version}
-  fi
-
-  if [ ! -e "${python_install_dir}/bin/pip" ] ;then
-    src_url=http://mirrors.linuxeye.com/oneinstack/src/pip-${pip_version}.tar.gz && Download_src
-    tar xzf pip-${pip_version}.tar.gz
-    pushd pip-${pip_version}
-    ${python_install_dir}/bin/python setup.py install
-    popd
-    rm -rf pip-${pip_version}
-  fi
-
-  if [ ! -e "/root/.pip/pip.conf" ] ;then
-    # get the IP information
-    PUBLIC_IPADDR=$(../include/get_public_ipaddr.py)
-    IPADDR_COUNTRY=$(../include/get_ipaddr_state.py $PUBLIC_IPADDR | awk '{print $1}')
-    if [ "$IPADDR_COUNTRY"x != "CN"x ]; then
-      [ ! -d "/root/.pip" ] && mkdir /root/.pip
-      echo -e "[global]\nindex-url = https://pypi.tuna.tsinghua.edu.cn/simple" > /root/.pip/pip.conf
-    fi
-  fi
-
+  [ ! -e "${python_install_dir}/bin/python" ] && Install_Python
   ${python_install_dir}/bin/pip install certbot
-  popd
   if [ -e "${python_install_dir}/bin/certbot" ]; then
     echo; echo "${CSUCCESS}Let's Encrypt client installed successfully! ${CEND}"
   else
@@ -189,6 +117,58 @@ Uninstall_letsencrypt() {
   echo; echo "${CMSG}Let's Encrypt client uninstall completed${CEND}";
 }
 
+Install_fail2ban() {
+  [ ! -e "${python_install_dir}/bin/python" ] && Install_Python
+  pushd ${oneinstack_dir}/src
+  src_url=http://mirrors.linuxeye.com/oneinstack/src/fail2ban-${fail2ban_version}.tar.gz && Download_src
+  tar xzf fail2ban-${fail2ban_version}.tar.gz
+  pushd fail2ban-${fail2ban_version}
+  ${python_install_dir}/bin/python setup.py install
+  /bin/cp /etc/fail2ban/jail.{conf,local}
+  sed -i 's@^# \[sshd\]@[sshd]@' /etc/fail2ban/jail.local
+  sed -i 's@^# enabled = true@enabled = true@' /etc/fail2ban/jail.local
+  if [ "${OS}" == "CentOS" ]; then
+    sed -i 's@%(sshd_log)s@/var/log/secure@' /etc/fail2ban/jail.local
+    /bin/cp files/redhat-initd /etc/init.d/fail2ban 
+    sed -i "s@^FAIL2BAN=.*@FAIL2BAN=${python_install_dir}/bin/fail2ban-client@" /etc/init.d/fail2ban
+    chmod +x /etc/init.d/fail2ban
+    chkconfig --add fail2ban
+    chkconfig fail2ban on
+  fi
+  if [[ "${OS}" =~ ^Ubuntu$|^Debian$ ]]; then
+    /bin/cp files/debian-initd /etc/init.d/fail2ban 
+    sed -i 's@2 3 4 5@3 4 5@' /etc/init.d/fail2ban
+    sed -i "s@^DAEMON=.*@DAEMON=${python_install_dir}/bin/\$NAME-client@" /etc/init.d/fail2ban
+    chmod +x /etc/init.d/fail2ban
+    update-rc.d fail2ban defaults
+  fi
+  cat > /etc/logrotate.d/fail2ban << EOF 
+/var/log/fail2ban.log {
+    missingok
+    notifempty
+    postrotate
+      ${python_install_dir}/bin/fail2ban-client flushlogs >/dev/null || true
+    endscript
+}
+EOF
+  kill -9 `ps -ef | grep fail2ban | grep -v grep | awk '{print $2}'`
+  /etc/init.d/fail2ban start
+  popd
+  if [ -e "${python_install_dir}/bin/fail2ban-python" ]; then
+    echo; echo "${CSUCCESS}fail2ban installed successfully! ${CEND}"
+  else
+    echo; echo "${CFAILURE}fail2ban install failed, Please try again! ${CEND}"
+  fi
+  popd
+}
+
+Uninstall_fail2ban() {
+  /etc/init.d/fail2ban stop
+  ${python_install_dir}/bin/pip uninstall -y fail2ban > /dev/null 2>&1
+  rm -rf /etc/init.d/fail2ban /etc/fail2ban /etc/logrotate.d/fail2ban /var/log/fail2ban.* /var/run/fail2ban 
+  echo; echo "${CMSG}fail2ban uninstall completed${CEND}";
+}
+
 ACTION_FUN() {
   while :; do
     echo
@@ -215,11 +195,12 @@ What Are You Doing?
 \t${CMSG}5${CEND}. Install/Uninstall memcached/memcache
 \t${CMSG}6${CEND}. Install/Uninstall Redis
 \t${CMSG}7${CEND}. Install/Uninstall Let's Encrypt client
+\t${CMSG}8${CEND}. Install/Uninstall fail2ban 
 \t${CMSG}q${CEND}. Exit
 "
   read -p "Please input the correct option: " Number
-  if [[ ! "${Number}" =~ ^[1-7,q]$ ]]; then
-    echo "${CFAILURE}input error! Please only input 1 ~ 7 and q${CEND}"
+  if [[ ! "${Number}" =~ ^[1-8,q]$ ]]; then
+    echo "${CFAILURE}input error! Please only input 1 ~ 8 and q${CEND}"
   else
     case "${Number}" in
       1)
@@ -472,6 +453,14 @@ What Are You Doing?
           Uninstall_letsencrypt
         fi
         ;;
+      8)
+        ACTION_FUN
+        if [ "${ACTION}" = '1' ]; then
+          Install_fail2ban
+        else
+          Uninstall_fail2ban
+        fi
+        ;;
       q)
       exit
       ;;

include/check_sw.sh

@@ -26,10 +26,10 @@ installDepsDebian() {
   # Install needed packages
   case "${Debian_version}" in
     [6,7])
-      pkgList="gcc g++ make cmake autoconf libjpeg8 libjpeg8-dev libjpeg-dev libpng12-0 libpng12-dev libpng3 libfreetype6 libfreetype6-dev libxml2 libxml2-dev zlib1g zlib1g-dev libc6 libc6-dev libglib2.0-0 libglib2.0-dev bzip2 libzip-dev libbz2-1.0 libncurses5 libncurses5-dev libaio1 libaio-dev numactl libreadline-dev curl libcurl3 libcurl4-openssl-dev libcurl4-gnutls-dev e2fsprogs libkrb5-3 libkrb5-dev libltdl-dev libidn11 libidn11-dev openssl libssl-dev libtool libevent-dev bison re2c libsasl2-dev libxslt1-dev libicu-dev locales libcloog-ppl0 patch vim zip unzip tmux htop bc expect rsync git lsof lrzsz cron logrotate ntpdate libsqlite3-dev psmisc wget"
+      pkgList="gcc g++ make cmake autoconf libjpeg8 libjpeg8-dev libjpeg-dev libpng12-0 libpng12-dev libpng3 libfreetype6 libfreetype6-dev libxml2 libxml2-dev zlib1g zlib1g-dev libc6 libc6-dev libglib2.0-0 libglib2.0-dev bzip2 libzip-dev libbz2-1.0 libncurses5 libncurses5-dev libaio1 libaio-dev numactl libreadline-dev curl libcurl3 libcurl4-openssl-dev libcurl4-gnutls-dev e2fsprogs libkrb5-3 libkrb5-dev libltdl-dev libidn11 libidn11-dev openssl libssl-dev libtool libevent-dev bison re2c libsasl2-dev libxslt1-dev libicu-dev locales libcloog-ppl0 patch vim zip unzip tmux htop bc dc expect rsync git lsof lrzsz iptables rsyslog cron logrotate ntpdate libsqlite3-dev psmisc wget"
       ;;
     8)
-      pkgList="gcc g++ make cmake autoconf libjpeg8 libjpeg62-turbo-dev libjpeg-dev libpng12-0 libpng12-dev libpng3 libfreetype6 libfreetype6-dev libxml2 libxml2-dev zlib1g zlib1g-dev libc6 libc6-dev libglib2.0-0 libglib2.0-dev bzip2 libzip-dev libbz2-1.0 libncurses5 libncurses5-dev libaio1 libaio-dev numactl libreadline-dev curl libcurl3 libcurl4-openssl-dev libcurl4-gnutls-dev e2fsprogs libkrb5-3 libkrb5-dev libltdl-dev libidn11 libidn11-dev openssl libssl-dev libtool libevent-dev bison re2c libsasl2-dev libxslt1-dev libicu-dev locales libcloog-ppl0 patch vim zip unzip tmux htop bc expect rsync git lsof lrzsz cron logrotate ntpdate libsqlite3-dev psmisc wget"
+      pkgList="gcc g++ make cmake autoconf libjpeg8 libjpeg62-turbo-dev libjpeg-dev libpng12-0 libpng12-dev libpng3 libfreetype6 libfreetype6-dev libxml2 libxml2-dev zlib1g zlib1g-dev libc6 libc6-dev libglib2.0-0 libglib2.0-dev bzip2 libzip-dev libbz2-1.0 libncurses5 libncurses5-dev libaio1 libaio-dev numactl libreadline-dev curl libcurl3 libcurl4-openssl-dev libcurl4-gnutls-dev e2fsprogs libkrb5-3 libkrb5-dev libltdl-dev libidn11 libidn11-dev openssl libssl-dev libtool libevent-dev bison re2c libsasl2-dev libxslt1-dev libicu-dev locales libcloog-ppl0 patch vim zip unzip tmux htop bc dc expect rsync git lsof lrzsz iptables rsyslog cron logrotate ntpdate libsqlite3-dev psmisc wget"
       ;;
     *)
       echo "${CFAILURE}Your system Debian ${Debian_version} are not supported!${CEND}"
@@ -63,7 +63,7 @@ installDepsCentOS() {
   echo "${CMSG}Installing dependencies packages...${CEND}"
   yum check-update
   # Install needed packages
-  pkgList="deltarpm gcc gcc-c++ make cmake autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel libaio numactl-libs readline-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5-devel libidn libidn-devel openssl openssl-devel libxslt-devel libicu-devel libevent-devel libtool libtool-ltdl bison gd-devel vim-enhanced pcre-devel zip unzip ntpdate sqlite-devel sysstat patch bc expect rsync git lsof lrzsz wget"
+  pkgList="deltarpm gcc gcc-c++ make cmake autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel bzip2 bzip2-devel ncurses ncurses-devel libaio numactl-libs readline-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5-devel libidn libidn-devel openssl openssl-devel libxslt-devel libicu-devel libevent-devel libtool libtool-ltdl bison gd-devel vim-enhanced pcre-devel zip unzip ntpdate sqlite-devel sysstat patch bc expect rsync rsyslog git lsof lrzsz wget"
   for Package in ${pkgList}; do
     yum -y install ${Package}
   done
@@ -95,7 +95,7 @@ installDepsUbuntu() {
   apt-get -y upgrade -o Dir::Etc::SourceList=/tmp/security.sources.list
 
   # Install needed packages
-  pkgList="gcc g++ make cmake autoconf libjpeg8 libjpeg8-dev libpng12-0 libpng12-dev libpng3 libfreetype6 libfreetype6-dev libxml2 libxml2-dev zlib1g zlib1g-dev libc6 libc6-dev libglib2.0-0 libglib2.0-dev bzip2 libzip-dev libbz2-1.0 libncurses5 libncurses5-dev libaio1 libaio-dev numactl libreadline-dev curl libcurl3 libcurl4-openssl-dev e2fsprogs libkrb5-3 libkrb5-dev libltdl-dev libidn11 libidn11-dev openssl libssl-dev libtool libevent-dev re2c libsasl2-dev libxslt1-dev libicu-dev libsqlite3-dev patch vim zip unzip tmux htop bc expect rsync git lsof lrzsz ntpdate wget"
+  pkgList="gcc g++ make cmake autoconf libjpeg8 libjpeg8-dev libpng12-0 libpng12-dev libpng3 libfreetype6 libfreetype6-dev libxml2 libxml2-dev zlib1g zlib1g-dev libc6 libc6-dev libglib2.0-0 libglib2.0-dev bzip2 libzip-dev libbz2-1.0 libncurses5 libncurses5-dev libaio1 libaio-dev numactl libreadline-dev curl libcurl3 libcurl4-openssl-dev e2fsprogs libkrb5-3 libkrb5-dev libltdl-dev libidn11 libidn11-dev openssl libssl-dev libtool libevent-dev re2c libsasl2-dev libxslt1-dev libicu-dev libsqlite3-dev patch vim zip unzip tmux htop bc dc expect iptables rsyslog rsync git lsof lrzsz ntpdate wget"
   for Package in ${pkgList}; do
     apt-get -y install ${Package} --force-yes
   done

include/init_CentOS.sh

@@ -153,6 +153,7 @@ fi
 
 FW_PORT_FLAG=$(grep -ow "dport ${SSH_PORT}" /etc/sysconfig/iptables)
 [ -z "${FW_PORT_FLAG}" -a "${SSH_PORT}" != "22" ] && sed -i "s@dport 22 -j ACCEPT@&\n-A INPUT -p tcp -m state --state NEW -m tcp --dport ${SSH_PORT} -j ACCEPT@" /etc/sysconfig/iptables
+service rsyslog restart
 service iptables restart
 service sshd restart
 

include/init_Debian.sh

@@ -128,6 +128,7 @@ cat > /etc/network/if-pre-up.d/iptables << EOF
 /sbin/iptables-restore < /etc/iptables.up.rules
 EOF
 chmod +x /etc/network/if-pre-up.d/iptables
+service rsyslog restart
 service ssh restart
 
 . /etc/profile

include/init_Ubuntu.sh

@@ -131,6 +131,7 @@ cat > /etc/network/if-pre-up.d/iptables << EOF
 /sbin/iptables-restore < /etc/iptables.up.rules
 EOF
 chmod +x /etc/network/if-pre-up.d/iptables
+service rsyslog restart
 service ssh restart
 
 . /etc/profile

include/openssl.sh

@@ -16,7 +16,7 @@ Install_openSSL102() {
     pushd openssl-${openssl_version}
     ./config --prefix=${openssl_install_dir} -fPIC shared zlib-dynamic
     make -j ${THREAD} && make install
-    popd;popd
+    popd
     if [ -f "${openssl_install_dir}/lib/libcrypto.a" ]; then
       echo "${CSUCCESS}openssl-1.0.2 module installed successfully! ${CEND}"
       rm -rf openssl-${openssl_version}
@@ -24,6 +24,7 @@ Install_openSSL102() {
       echo "${CFAILURE}openssl-1.0.2 install failed, Please contact the author! ${CEND}"
       kill -9 $$
     fi
+    popd
   fi
 }
 
@@ -34,7 +35,7 @@ Install_openSSL100() {
     pushd openssl-1.0.0s
     ./config --prefix=/usr/local/openssl100s -fPIC shared zlib-dynamic
     make -j ${THREAD} && make install
-    popd;popd
+    popd
     if [ -f "/usr/local/openssl100s/lib/libcrypto.a" ]; then
       echo "${CSUCCESS}openssl-1.0.0s module installed successfully! ${CEND}"
       rm -rf openssl-1.0.0s
@@ -42,5 +43,6 @@ Install_openSSL100() {
       echo "${CFAILURE}openssl-1.0.0s install failed, Please contact the author! ${CEND}"
       kill -9 $$
     fi
+    popd
   fi
 }

include/python.sh

@@ -0,0 +1,87 @@
+#!/bin/bash
+# Author:  yeho <lj2007331 AT gmail.com>
+# BLOG:  https://blog.linuxeye.com
+#
+# Notes: OneinStack for CentOS/RadHat 5+ Debian 6+ and Ubuntu 12+
+#
+# Project home page:
+#       https://oneinstack.com
+#       https://github.com/lj2007331/oneinstack
+
+Install_Python() {
+  pushd ${oneinstack_dir}/src
+  if [ "${CentOS_RHEL_version}" == '7' ]; then
+    [ ! -e /etc/yum.repos.d/epel.repo ] && cat > /etc/yum.repos.d/epel.repo << EOF
+[epel]
+name=Extra Packages for Enterprise Linux 7 - \$basearch
+#baseurl=http://download.fedoraproject.org/pub/epel/7/\$basearch
+mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=\$basearch
+failovermethod=priority
+enabled=1
+gpgcheck=0
+EOF
+  elif [ "${CentOS_RHEL_version}" == '6' ]; then
+    [ ! -e /etc/yum.repos.d/epel.repo ] && cat > /etc/yum.repos.d/epel.repo << EOF
+[epel]
+name=Extra Packages for Enterprise Linux 6 - \$basearch
+#baseurl=http://download.fedoraproject.org/pub/epel/6/\$basearch
+mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=\$basearch
+failovermethod=priority
+enabled=1
+gpgcheck=0
+EOF
+  fi
+
+  if [ "${OS}" == "CentOS" ]; then
+    pkgList="gcc dialog augeas-libs openssl openssl-devel libffi-devel redhat-rpm-config ca-certificates"
+    for Package in ${pkgList}; do
+      yum -y install ${Package}
+    done
+  elif [[ "${OS}" =~ ^Ubuntu$|^Debian$ ]]; then
+    pkgList="gcc dialog libaugeas0 augeas-lenses libssl-dev libffi-dev ca-certificates"
+    for Package in ${pkgList}; do
+      apt-get -y install $Package
+    done
+  fi
+
+  # Install Python
+  if [ ! -e "${python_install_dir}/bin/python" -a ! -e "${python_install_dir}/bin/python3" ] ;then
+    src_url=http://mirrors.linuxeye.com/oneinstack/src/Python-${python_version}.tgz && Download_src
+    tar xzf Python-${python_version}.tgz
+    pushd Python-${python_version}
+    ./configure --prefix=${python_install_dir}
+    make && make install
+    [ ! -e "${python_install_dir}/bin/python" -a -e "${python_install_dir}/bin/python3" ] && ln -s ${python_install_dir}/bin/python{3,}
+    popd
+    rm -rf Python-${python_version}
+  fi
+
+  if [ ! -e "${python_install_dir}/bin/easy_install" ] ;then
+    src_url=http://mirrors.linuxeye.com/oneinstack/src/setuptools-${setuptools_version}.zip && Download_src
+    unzip -q setuptools-${setuptools_version}.zip
+    pushd setuptools-${setuptools_version}
+    ${python_install_dir}/bin/python setup.py install
+    popd
+    rm -rf setuptools-${setuptools_version}
+  fi
+
+  if [ ! -e "${python_install_dir}/bin/pip" ] ;then
+    src_url=http://mirrors.linuxeye.com/oneinstack/src/pip-${pip_version}.tar.gz && Download_src
+    tar xzf pip-${pip_version}.tar.gz
+    pushd pip-${pip_version}
+    ${python_install_dir}/bin/python setup.py install
+    popd
+    rm -rf pip-${pip_version}
+  fi
+
+  if [ ! -e "/root/.pip/pip.conf" ] ;then
+    # get the IP information
+    PUBLIC_IPADDR=$(../include/get_public_ipaddr.py)
+    IPADDR_COUNTRY=$(../include/get_ipaddr_state.py $PUBLIC_IPADDR | awk '{print $1}')
+    if [ "$IPADDR_COUNTRY"x != "CN"x ]; then
+      [ ! -d "/root/.pip" ] && mkdir /root/.pip
+      echo -e "[global]\nindex-url = https://pypi.tuna.tsinghua.edu.cn/simple" > /root/.pip/pip.conf
+    fi
+  fi
+  popd
+}

versions.txt

@@ -29,7 +29,7 @@ percona57_version=5.7.17-11
 percona56_version=5.6.35-80.0
 percona55_version=5.5.54-38.6
 
-alisql56_version=5.6.32-3
+alisql56_version=5.6.32-4
 
 # JDK
 jdk18_version=1.8.0_121
@@ -48,7 +48,7 @@ zendopcache_version=7.0.5
 xcache_version=3.2.0
 apcu_version=4.0.11
 apcu_for_php7_version=5.1.8
-ImageMagick_version=6.9.7-6
+ImageMagick_version=6.9.7-9
 imagick_version=3.4.3
 imagick_for_php53_version=3.3.0
 GraphicsMagick_version=1.3.25
@@ -92,3 +92,4 @@ bison_version=2.7.1
 python_version=2.7.13
 setuptools_version=32.0.0
 pip_version=9.0.1
+fail2ban_version=0.9.6