diff --git a/Dockerfile b/Dockerfile
index 142c3b4..5402106 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,14 +6,20 @@ RUN chmod +x /tmp/compile.sh && \
 /tmp/compile.sh && \
 rm -rf /tmp/*
+COPY crowdsec/install.sh /tmp/install.sh
+RUN chmod +x /tmp/install.sh && \
+ /tmp/install.sh && \
+ rm -rf /tmp/*
+
 COPY entrypoint.sh /opt/entrypoint.sh
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
+COPY crowdsec/ /opt/crowdsec
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
 chmod +x /opt/entrypoint.sh /opt/scripts/* && \
 mkdir /opt/entrypoint.d && \
 rm -f /var/log/nginx/* && \
diff --git a/Dockerfile-amd64 b/Dockerfile-amd64
index 7c6c405..988ef74 100644
--- a/Dockerfile-amd64
+++ b/Dockerfile-amd64
@@ -6,14 +6,20 @@ RUN chmod +x /tmp/compile.sh && \
 /tmp/compile.sh && \
 rm -rf /tmp/*
+COPY crowdsec/install.sh /tmp/install.sh
+RUN chmod +x /tmp/install.sh && \
+ /tmp/install.sh && \
+ rm -rf /tmp/*
+
 COPY entrypoint.sh /opt/entrypoint.sh
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
+COPY crowdsec/ /opt/crowdsec
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
 chmod +x /opt/entrypoint.sh /opt/scripts/* && \
 mkdir /opt/entrypoint.d && \
 rm -f /var/log/nginx/* && \
diff --git a/Dockerfile-arm32v7 b/Dockerfile-arm32v7
index 384e370..0c4a531 100644
--- a/Dockerfile-arm32v7
+++ b/Dockerfile-arm32v7
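Review bot: The runtime `apk add` line now installs `go` permanently, even though install.sh already pulls `go` in under the `build` virtual package and removes it again with `apk del build`; unless something compiles Go at container start, the toolchain only enlarges the final image and the software surface it ships, so the line should read `... openssl lua libgd jq mariadb-connector-c && \`. If `jq` is only needed by install.sh's build-time steps, the same applies to it. The identical line appears in Dockerfile-amd64, Dockerfile-arm32v7, Dockerfile-arm64v8 and Dockerfile-i386. The RUN instruction continues past the hunk in every one of these files.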
@@ -13,14 +13,20 @@ RUN chmod +x /tmp/compile.sh && \
 /tmp/compile.sh && \
 rm -rf /tmp/*
+COPY crowdsec/install.sh /tmp/install.sh
+RUN chmod +x /tmp/install.sh && \
+ /tmp/install.sh && \
+ rm -rf /tmp/*
+
 COPY entrypoint.sh /opt/entrypoint.sh
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
+COPY crowdsec/ /opt/crowdsec
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
 chmod +x /opt/entrypoint.sh /opt/scripts/* && \
 mkdir /opt/entrypoint.d && \
 rm -f /var/log/nginx/* && \
diff --git a/Dockerfile-arm64v8 b/Dockerfile-arm64v8
index d4d3200..0386ea4 100644
--- a/Dockerfile-arm64v8
+++ b/Dockerfile-arm64v8
@@ -13,14 +13,20 @@ RUN chmod +x /tmp/compile.sh && \
 /tmp/compile.sh && \
 rm -rf /tmp/*
+COPY crowdsec/install.sh /tmp/install.sh
+RUN chmod +x /tmp/install.sh && \
+ /tmp/install.sh && \
+ rm -rf /tmp/*
+
 COPY entrypoint.sh /opt/entrypoint.sh
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
+COPY crowdsec/ /opt/crowdsec
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
 chmod +x /opt/entrypoint.sh /opt/scripts/* && \
 mkdir /opt/entrypoint.d && \
 rm -f /var/log/nginx/* && \
diff --git a/Dockerfile-i386 b/Dockerfile-i386
index 28a1a11..c37c024 100644
--- a/Dockerfile-i386
+++ b/Dockerfile-i386
@@ -6,14 +6,20 @@ RUN chmod +x /tmp/compile.sh && \
 /tmp/compile.sh && \
 rm -rf /tmp/*
+COPY crowdsec/install.sh /tmp/install.sh
+RUN chmod +x /tmp/install.sh && \
+ /tmp/install.sh && \
+ rm -rf /tmp/*
+
 COPY entrypoint.sh /opt/entrypoint.sh
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
 COPY fail2ban/ /opt/fail2ban
 COPY logs/ /opt/logs
 COPY lua/ /opt/lua
+COPY crowdsec/ /opt/crowdsec
-RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd && \
+RUN apk --no-cache add certbot libstdc++ libmaxminddb geoip pcre yajl fail2ban clamav apache2-utils rsyslog openssl lua libgd go jq mariadb-connector-c && \
 chmod +x /opt/entrypoint.sh /opt/scripts/* && \
 mkdir /opt/entrypoint.d && \
 rm -f /var/log/nginx/* && \
diff --git a/confs/crowdsec.conf b/confs/crowdsec.conf
new file mode 100644
index 0000000..9551e2e
--- /dev/null
+++ b/confs/crowdsec.conf
@@ -0,0 +1,9 @@
+init_by_lua_block {
+ local cs = require "crowdsec.CrowdSec"
+ local ok, err = cs.init("/usr/local/lib/lua/crowdsec/crowdsec.conf")
+ if ok == nil then
+ ngx.log(ngx.ERR, "[Crowdsec] " .. err)
+ error()
+ end
+ ngx.log(ngx.ERR, "[Crowdsec] Initialisation done")
+}
diff --git a/confs/main-lua.conf b/confs/main-lua.conf
index 77c4343..78bd5ec 100644
--- a/confs/main-lua.conf
+++ b/confs/main-lua.conf
@@ -8,6 +8,7 @@ local use_whitelist_reverse = %USE_WHITELIST_REVERSE%
 local use_blacklist_ip = %USE_BLACKLIST_IP%
 local use_blacklist_reverse = %USE_BLACKLIST_REVERSE%
 local use_dnsbl = %USE_DNSBL%
+local use_crowdsec = %USE_CROWDSEC%
 local use_antibot_cookie = %USE_ANTIBOT_COOKIE%
 local use_antibot_javascript = %USE_ANTIBOT_JAVASCRIPT%
 local use_antibot_captcha = %USE_ANTIBOT_CAPTCHA%
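Review bot: In confs/crowdsec.conf the success message `ngx.log(ngx.ERR, "[Crowdsec] Initialisation done")` is written at error severity, so a healthy start is indistinguishable in the error log from the failure line a few lines above it; `ngx.log(ngx.NOTICE, "[Crowdsec] Initialisation done")` keeps the error log meaningful for the failure case. The bare `error()` on the failure path raises with no message, so the abort nginx reports carries no reason even though `err` is available on the line before; `error("[Crowdsec] init failed: " .. err)` attaches it. Refusing to start when the filter cannot initialise is the right fail-closed behaviour for a request-filtering module, so that part should stay as it is.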
@@ -81,6 +82,18 @@ if use_dnsbl and not dnsbl.cached() then
 end
 end
+-- check if IP is in CrowdSec DB
+if use_crowdsec then
+ local ok, err = require "crowdsec.CrowdSec".allowIp(ngx.var.remote_addr)
+ if ok == nil then
+ ngx.log(ngx.ERR, "[Crowdsec] " .. err)
+ end
+ if not ok then
+ ngx.log(ngx.ERR, "[Crowdsec] denied '" .. ngx.var.remote_addr .. "'")
+ ngx.exit(ngx.HTTP_FORBIDDEN)
+ end
+end
+
 -- cookie check
 if use_antibot_cookie then
 if not cookie.is_set("uri") then
diff --git a/confs/nginx.conf b/confs/nginx.conf
index e642d0b..4ad0e59 100644
--- a/confs/nginx.conf
+++ b/confs/nginx.conf
@@ -90,6 +90,9 @@ http {
 %BLACKLIST_IP_CACHE%
 %BLACKLIST_REVERSE_CACHE%
 %DNSBL_CACHE%
+
+ # crowdsec init
+ %USE_CROWDSEC%
 # shared memory zone for limit_req
 %LIMIT_REQ_ZONE%
diff --git a/crowdsec/acquis.yaml b/crowdsec/acquis.yaml
new file mode 100644
index 0000000..1238e66
--- /dev/null
+++ b/crowdsec/acquis.yaml
@@ -0,0 +1,6 @@
+filenames:
+ - /var/log/access.log
+ - /var/log/error.log
+labels:
+ type: nginx
+---
diff --git a/crowdsec/install.sh b/crowdsec/install.sh
new file mode 100644
index 0000000..6de9886
--- /dev/null
+++ b/crowdsec/install.sh
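Review bot: A lookup error from `allowIp` (the `ok == nil` branch) is logged and then falls straight into `if not ok then`, so while the CrowdSec database is unreachable every request gets a 403 and the log claims the address was "denied" as if a decision had matched it. Failing closed is a defensible default for a blocking filter, but it is a deliberate availability trade-off and should be explicit rather than a side effect of nil being falsy: end the error branch on its own, e.g. `ngx.log(ngx.ERR, "[Crowdsec] " .. err)` followed by `return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)`, so operators can tell an outage from a real block in the logs and metrics. The `.. err` concatenation assumes `allowIp` always pairs a nil result with an error string; if it can return a bare nil, `tostring(err)` avoids a second error inside the error handler. The decision is taken on `ngx.var.remote_addr`, which is the TCP peer, so behind a reverse proxy this blocks on the proxy's address unless the real client address is restored elsewhere in this file.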
@@ -0,0 +1,63 @@
+#!/bin/sh
+
+function git_secure_clone() {
+ repo="$1"
+ commit="$2"
+ folder=$(echo "$repo" | sed -E "s@https://github.com/.*/(.*)\.git@\1@")
+ git clone "$repo"
+ cd "$folder"
+ git checkout "${commit}^{commit}"
+ if [ $? -ne 0 ] ; then
+ echo "[!] Commit hash $commit is absent from repository $repo !"
+ exit 1
+ fi
+ cd ..
+}
+
+NTASK=$(nproc)
+
+# install build dependencies
+apk add --no-cache --virtual build git bash lua-dev mariadb-dev sqlite-dev gettext make go jq
+
+# build and install crowdsec
+cd /tmp
+git_secure_clone https://github.com/crowdsecurity/crowdsec.git 2fdf7624da381af605baa46f319f2ed3015807e4
+cd crowdsec
+make -j $NTASK build
+./wizard.sh --bininstall
+sed -i 's/^machine_id:.*//' /etc/crowdsec/config/api.yaml
+sed -i 's/^password:.*//' /etc/crowdsec/config/api.yaml
+
+# install nginx collection
+cscli update
+cscli install collection crowdsecurity/nginx
+sed -i "s/^filter:.*$/filter: \"evt.Line.Labels.type == 'nginx'\"/" /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
+sed -i 's/apply_on: message/apply_on: Line.Raw/g' /etc/crowdsec/config/parsers/s01-parse/nginx-logs.yaml
+
+# build and install luasql
+cd /tmp
+git_secure_clone https://github.com/keplerproject/luasql.git 22d4a911f35cf851af9db71124e3998d96fb3fa1
+cd luasql
+make -j $NTASK sqlite3 mysql
+mkdir /usr/local/lib/lua/5.1/luasql
+cp src/*.so /usr/local/lib/lua/5.1/luasql
+
+# install lualogging
+cd /tmp
+git_secure_clone https://github.com/Neopallium/lualogging.git cadc4e8fd652be07a65b121a3e024838db330c15
+cd lualogging
+cp -r src/* /usr/local/lib/lua
+
+# install cs-lua-lib
+cd /tmp
+git_secure_clone https://github.com/crowdsecurity/cs-lua-lib.git 97e55a555a8f6d46c1c2032825a4578090283301
+cd cs-lua-lib
+mkdir /usr/local/lib/lua/crowdsec
+cp lib/*.lua /usr/local/lib/lua/crowdsec
+cp template.conf /usr/local/lib/lua/crowdsec/crowdsec.conf
+rm /usr/local/lib/lua/crowdsec/lrucache.lua
+sed -i 's/require "lrucache"/require "resty.lrucache"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
+sed -i 's/require "config"/require "crowdsec.config"/' /usr/local/lib/lua/crowdsec/CrowdSec.lua
+
+# remove build dependencies
+apk del build
diff --git a/entrypoint.sh b/entrypoint.sh
index efd134e..73dc81e 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -143,6 +143,7 @@ ANTIBOT_URI="${ANTIBOT_URI-/challenge}"
 USE_ANTIBOT="${USE_ANTIBOT-no}"
 ANTIBOT_RECAPTCHA_SCORE="${ANTIBOT_RECAPTCHA_SCORE-0.7}"
 ANTIBOT_SESSION_SECRET="${ANTIBOT_SESSION_SECRET-random}"
+USE_CROWDSEC="${USE_CROWDSEC-no}"
 # install additional modules if needed
 if [ "$ADDITIONAL_MODULES" != "" ] ; then
@@ -567,6 +568,19 @@ if [ "$USE_CLAMAV_SCAN" = "yes" ] ; then
 fi
 fi
+# CrowdSec setup
+if [ "$USE_CROWDSEC" = "yes" ] ; then
+ replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" "include /etc/nginx/crowdsec.conf;"
+ replace_in_file "/etc/nginx/main-lua.conf" "%USE_CROWDSEC%" "true"
+ cp /opt/crowdsec/acquis.yaml /etc/crowdsec/config/acquis.yaml
+ cscli api register >> /etc/crowdsec/config/api.yaml
+ cscli api pull
+ echo "0 0 * * * /usr/local/bin/cscli api pull > /dev/null 2>&1" >> /etc/crontabs/root
+else
+ replace_in_file "/etc/nginx/nginx.conf" "%USE_CROWDSEC%" ""
+ replace_in_file "/etc/nginx/main-lua.conf" "%USE_CROWDSEC%" "false"
+fi
+
 # edit access if needed
 if [ "$WRITE_ACCESS" = "yes" ] ; then
 chown -R root:nginx /www
@@ -604,6 +618,11 @@ if [ "$USE_FAIL2BAN" = "yes" ] ; then
 fail2ban-server > /dev/null
 fi
+# start crowdsec
+if [ "$USE_CROWDSEC" = "yes" ] ; then
+ crowdsec
+fi
+
 # setup logrotate
 replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MAXAGE%" "$LOGROTATE_MAXAGE"
 replace_in_file "/etc/logrotate.conf" "%LOGROTATE_MINSIZE%" "$LOGROTATE_MINSIZE"
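Review bot: crowdsec/install.sh never sets `set -e`, and the only status that is checked is `git checkout`'s, so a failed `git clone`, `cd`, `make`, `cp` or `cscli install` lets the script run on and the image build succeed without the component (or with a half-installed one). Add `set -e` after the shebang and fold the manual test into the checkout itself, `git checkout "${commit}^{commit}" || { echo "[!] Commit hash $commit is absent from repository $repo !"; exit 1; }`, so the commit-pin message survives. `function git_secure_clone() {` is a bash-ism under `#!/bin/sh`; `git_secure_clone() {` is the portable form and works in the same shells. Pinning the four clones to full commit hashes is the right supply-chain choice, but `cscli update` and `cscli install collection crowdsecurity/nginx` fetch the hub index and parsers unpinned at build time, so the resulting image is not reproducible and that content is trusted implicitly; if the hub tooling cannot pin, at least print the installed hub item versions into the build log so what shipped can be audited.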
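Review bot: In entrypoint.sh the line `cscli api register >> /etc/crowdsec/config/api.yaml` runs unconditionally on every start, so a container whose /etc/crowdsec survives a restart registers a fresh machine with the central API each time and appends another credential block to api.yaml, which then carries duplicate keys; since install.sh strips `^machine_id:` and `^password:` from that file, presumably register emits those same keys, and a guard such as `if ! grep -q '^machine_id:' /etc/crowdsec/config/api.yaml ; then cscli api register >> /etc/crowdsec/config/api.yaml ; fi` registers once (hedged on what register writes). The cron entry sends `cscli api pull` output to `/dev/null 2>&1`, so an expired registration or a network failure silently stops decisions from being refreshed while the filter keeps enforcing a stale set; redirecting to a log file under /var/log keeps that visible. The `echo ... >> /etc/crontabs/root` is likewise appended on every start, so the same job accumulates in the crontab; the same grep-guard pattern applies. In the third hunk `crowdsec` is started without `&`, matching the `fail2ban-server` line above it, so this assumes it daemonizes itself; if it does not, nothing after it in the entrypoint runs.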