fix: create ssh jail file to fix and configure fail2ban (#67)

Author: jchiarulli

cmd/install.go

@@ -91,7 +91,10 @@ var installCmd = &cobra.Command{
 		// Step 2: Configure the firewall
 		network.ConfigureFirewall()
 
-		// Setp 3: Create relay user
+		// Step 3: Configure the intrusion detection system
+		network.ConfigureIntrusionDetection()
+
+		// Setp 4: Create relay user
 		spinner, _ := pterm.DefaultSpinner.Start(fmt.Sprintf("Checking if '%s' user exists...", relays.User))
 		if !users.UserExists(relays.User) {
 			spinner.UpdateText(fmt.Sprintf("Creating '%s' user...", relays.User))
@@ -102,118 +105,118 @@ var installCmd = &cobra.Command{
 		}
 
 		if selectedRelayOption == khatru_pyramid.RelayName {
-			// Step 4: Configure Nginx for HTTP
+			// Step 5: Configure Nginx for HTTP
 			khatru_pyramid.ConfigureNginxHttp(relayDomain)
 
-			// Step 5: Get SSL/TLS certificates
+			// Step 6: Get SSL/TLS certificates
 			httpsEnabled := network.GetCertificates(relayDomain)
 			if httpsEnabled {
-				// Step 6: Configure Nginx for HTTPS
+				// Step 7: Configure Nginx for HTTPS
 				khatru_pyramid.ConfigureNginxHttps(relayDomain)
 			}
 
-			// Step 7: Download and install the relay binary
+			// Step 8: Download and install the relay binary
 			khatru_pyramid.InstallRelayBinary(pubKey)
 
-			// Step 8: Set up the relay service
+			// Step 9: Set up the relay service
 			khatru_pyramid.SetupRelayService(relayDomain, pubKey, relayContact)
 
-			// Step 9: Show success messages
+			// Step 10: Show success messages
 			khatru_pyramid.SuccessMessages(relayDomain, httpsEnabled)
 		} else if selectedRelayOption == nostr_rs_relay.RelayName {
-			// Step 4: Configure Nginx for HTTP
+			// Step 5: Configure Nginx for HTTP
 			nostr_rs_relay.ConfigureNginxHttp(relayDomain)
 
-			// Step 5: Get SSL/TLS certificates
+			// Step 6: Get SSL/TLS certificates
 			httpsEnabled := network.GetCertificates(relayDomain)
 			if httpsEnabled {
-				// Step 6: Configure Nginx for HTTPS
+				// Step 7: Configure Nginx for HTTPS
 				nostr_rs_relay.ConfigureNginxHttps(relayDomain)
 			}
 
-			// Step 7: Download and install the relay binary
+			// Step 8: Download and install the relay binary
 			nostr_rs_relay.InstallRelayBinary()
 
-			// Step 8: Set up the relay service
+			// Step 9: Set up the relay service
 			nostr_rs_relay.SetupRelayService(relayDomain, pubKey, relayContact, httpsEnabled)
 
-			// Step 9: Show success messages
+			// Step 10: Show success messages
 			nostr_rs_relay.SuccessMessages(relayDomain, httpsEnabled)
 		} else if selectedRelayOption == strfry.RelayName {
-			// Step 4: Configure Nginx for HTTP
+			// Step 5: Configure Nginx for HTTP
 			strfry.ConfigureNginxHttp(relayDomain)
 
-			// Step 5: Get SSL/TLS certificates
+			// Step 6: Get SSL/TLS certificates
 			httpsEnabled := network.GetCertificates(relayDomain)
 			if httpsEnabled {
-				// Step 6: Configure Nginx for HTTPS
+				// Step 7: Configure Nginx for HTTPS
 				strfry.ConfigureNginxHttps(relayDomain)
 			}
 
-			// Step 7: Download and install the relay binary
+			// Step 8: Download and install the relay binary
 			strfry.InstallRelayBinary()
 
-			// Step 8: Set up the relay service
+			// Step 9: Set up the relay service
 			strfry.SetupRelayService(relayDomain, relayContact)
 
-			// Step 9: Show success messages
+			// Step 10: Show success messages
 			strfry.SuccessMessages(relayDomain, httpsEnabled)
 		} else if selectedRelayOption == wot_relay.RelayName {
-			// Step 4: Configure Nginx for HTTP
+			// Step 5: Configure Nginx for HTTP
 			wot_relay.ConfigureNginxHttp(relayDomain)
 
-			// Step 5: Get SSL/TLS certificates
+			// Step 6: Get SSL/TLS certificates
 			httpsEnabled := network.GetCertificates(relayDomain)
 			if httpsEnabled {
-				// Step 6: Configure Nginx for HTTPS
+				// Step 7: Configure Nginx for HTTPS
 				wot_relay.ConfigureNginxHttps(relayDomain)
 			}
 
-			// Step 7: Download and install the relay binary
+			// Step 8: Download and install the relay binary
 			wot_relay.InstallRelayBinary()
 
-			// Step 8: Set up the relay service
+			// Step 9: Set up the relay service
 			wot_relay.SetupRelayService(relayDomain, pubKey, relayContact, httpsEnabled)
 
-			// Step 9: Show success messages
+			// Step 10: Show success messages
 			wot_relay.SuccessMessages(relayDomain, httpsEnabled)
 		} else if selectedRelayOption == khatru29.RelayName {
-			// Step 4: Configure Nginx for HTTP
+			// Step 5: Configure Nginx for HTTP
 			khatru29.ConfigureNginxHttp(relayDomain)
 
-			// Step 5: Get SSL/TLS certificates
+			// Step 6: Get SSL/TLS certificates
 			httpsEnabled := network.GetCertificates(relayDomain)
 			if httpsEnabled {
-				// Step 6: Configure Nginx for HTTPS
+				// Step 7: Configure Nginx for HTTPS
 				khatru29.ConfigureNginxHttps(relayDomain)
 			}
 
-			// Step 7: Download and install the relay binary
+			// Step 8: Download and install the relay binary
 			khatru29.InstallRelayBinary()
 
-			// Step 8: Set up the relay service
+			// Step 9: Set up the relay service
 			khatru29.SetupRelayService(relayDomain, privKey, relayContact)
 
-			// Step 9: Show success messages
+			// Step 10: Show success messages
 			khatru29.SuccessMessages(relayDomain, httpsEnabled)
 		} else if selectedRelayOption == strfry29.RelayName {
-			// Step 4: Configure Nginx for HTTP
+			// Step 5: Configure Nginx for HTTP
 			strfry29.ConfigureNginxHttp(relayDomain)
 
-			// Step 5: Get SSL/TLS certificates
+			// Step 6: Get SSL/TLS certificates
 			httpsEnabled := network.GetCertificates(relayDomain)
 			if httpsEnabled {
-				// Step 6: Configure Nginx for HTTPS
+				// Step 7: Configure Nginx for HTTPS
 				strfry29.ConfigureNginxHttps(relayDomain)
 			}
 
-			// Step 7: Download and install the relay binary
+			// Step 8: Download and install the relay binary
 			strfry29.InstallRelayBinary()
 
-			// Step 8: Set up the relay service
+			// Step 9: Set up the relay service
 			strfry29.SetupRelayService(relayDomain, privKey, relayContact)
 
-			// Step 9: Show success messages
+			// Step 10: Show success messages
 			strfry29.SuccessMessages(relayDomain, httpsEnabled)
 		}
 

pkg/network/constants.go

@@ -1,5 +1,15 @@
 package network
 
+const SSHJailFilePath = "/etc/fail2ban/jail.d/sshd.local"
+const SSHJailFileTemplate = `[sshd]
+enabled = true
+port = 22
+findtime = 5m
+bantime = 2h
+maxentry = 3
+ignoreip = 127.0.0.1/8 ::1
+backend = systemd
+`
 const CertificateDirPath = "/etc/letsencrypt/live"
 const FullchainFile = "fullchain.pem"
 const PrivkeyFile = "privkey.pem"

pkg/network/intrusion_detection.go

@@ -0,0 +1,32 @@
+package network
+
+import (
+	"fmt"
+	"github.com/nodetec/rwz/pkg/utils/files"
+	"github.com/nodetec/rwz/pkg/utils/network"
+	"github.com/pterm/pterm"
+	"os"
+	"os/exec"
+)
+
+// Function to configure the intrusion detection system
+func ConfigureIntrusionDetection() {
+	spinner, _ := pterm.DefaultSpinner.Start("Configuring intrusion detection system...")
+
+	// Check if the SSH jail file exists and remove it if it does
+	files.RemoveFile(SSHJailFilePath)
+
+	// Create the SSH jail file
+	spinner.UpdateText("Creating SSH jail file...")
+	network.CreateJailFile(SSHJailFilePath, SSHJailFileTemplate)
+
+	// Restart the intrusion detection system to apply the changes
+	err := exec.Command("systemctl", "restart", "fail2ban").Run()
+	if err != nil {
+		pterm.Println()
+		pterm.Error.Println(fmt.Sprintf("Failed to restart intrusion detection system: %v", err))
+		os.Exit(1)
+	}
+
+	spinner.Success("Intrusion detection system configured successfully.")
+}

pkg/utils/network/utils.go

@@ -1,5 +1,12 @@
 package network
 
+import (
+	"fmt"
+	"github.com/pterm/pterm"
+	"os"
+	"text/template"
+)
+
 // Function to determine http scheme being used
 func HTTPEnabled(httpsEnabled bool) string {
 	if httpsEnabled {
@@ -15,3 +22,28 @@ func WSEnabled(httpsEnabled bool) string {
 	}
 	return "ws"
 }
+
+// Function to create jail files for the intrusion detection system
+func CreateJailFile(jailFilePath, jailTemplate string) {
+	jailFile, err := os.Create(jailFilePath)
+	if err != nil {
+		pterm.Println()
+		pterm.Error.Println(fmt.Sprintf("Failed to create jail file: %v", err))
+		os.Exit(1)
+	}
+	defer jailFile.Close()
+
+	jailTmpl, err := template.New("jail").Parse(jailTemplate)
+	if err != nil {
+		pterm.Println()
+		pterm.Error.Println(fmt.Sprintf("Failed to parse jail template: %v", err))
+		os.Exit(1)
+	}
+
+	err = jailTmpl.Execute(jailFile, struct{}{})
+	if err != nil {
+		pterm.Println()
+		pterm.Error.Println(fmt.Sprintf("Failed to execute jail template: %v", err))
+		os.Exit(1)
+	}
+}