From ad4ce6a371d45c8ac90772074263e1a3cdc8ac29 Mon Sep 17 00:00:00 2001
From: Konano
Date: Sat, 22 Jul 2023 16:07:08 +0800
Subject: [PATCH] add configure_fail2ban
---
 files/jail.local | 24 ++++++++++++++++++++++++
 init_root.sh | 14 ++++++++++++++
 init_sudo.sh | 14 ++++++++++++++
 3 files changed, 52 insertions(+)
 create mode 100644 files/jail.local
diff --git a/files/jail.local b/files/jail.local
new file mode 100644
index 0000000..7c1b6f6
--- /dev/null
+++ b/files/jail.local
@@ -0,0 +1,24 @@
+[DEFAULT]
+# Ban hosts for one hour:
+ignoreip = 127.0.0.1/8
+bantime = 86400
+findtime = 600
+maxretry = 10
+# Override /etc/fail2ban/jail.d/00-firewalld.conf:
+# if you use iptables firewall use this one
+# banaction = iptables-multiport
+# if you use firewalld firewall use this one
+# banaction = firewallcmd-ipset
+# action = %(action_mwl)s
+
+[sshd-22]
+enabled = true
+filter = sshd
+port = 22
+# action = %(action_mwl)s
+# logpath = /var/log/secure
+
+[sshd-2263]
+enabled = true
+filter = sshd
+port = 2263
diff --git a/init_root.sh b/init_root.sh
index 4f9c32c..dc96771 100755
--- a/init_root.sh
+++ b/init_root.sh
@@ -175,6 +175,19 @@ configure_timedate() {
 fi
 }
 
+configure_fail2ban() {
+ read -p "要配置 fail2ban 吗?[Y]: " response
+
+ if [[ $response =~ ^[Yy]$ ]]; then
+ apt install fail2ban
+ mkdir -p /etc/fail2ban
+ cp $scriptdir/files/jail.local /etc/fail2ban/jail.local
+ systemctl start fail2ban
+ systemctl enable fail2ban
+ fail2ban-client status sshd
+ fi
+}
+
 if [[ $EUID -ne 0 ]]; then
 echo "This script must be run as root."
 exit 1
@@ -192,3 +205,4 @@ configure_tmux
 configure_iptables
 # configure_hostname
 configure_timedate
+configure_fail2ban
diff --git a/init_sudo.sh b/init_sudo.sh
index a20878c..1a15283 100755
--- a/init_sudo.sh
+++ b/init_sudo.sh
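Review bot: In files/jail.local the `[DEFAULT]` comment `# Ban hosts for one hour:` does not match `bantime = 86400`, which is 24 hours in seconds, and it sits above `ignoreip` rather than the ban settings; I would move it down and reword it to `# Ban hosts for 24 hours after 10 failures within 10 minutes:`. The two jails hard-code `port = 22` and `port = 2263`; with a port-scoped ban action such as the commented-out `iptables-multiport`, a banned host is only blocked on the listed ports, so a comment stating that these must match the `Port` lines in sshd_config would help whoever reuses the file. Neither jail sets `backend` or `logpath`, so both inherit the distribution defaults; that is probably fine, but it is worth confirming on hosts where sshd logs only to the journal.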
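Review bot: In `configure_fail2ban` in init_root.sh, `systemctl start fail2ban` will not load the freshly copied jail.local if the package already started the service during `apt install` (the usual behaviour on Debian/Ubuntu), so the host can keep running the default jails while the operator believes the new ones are active; `systemctl restart fail2ban` after the copy avoids that. The final check `fail2ban-client status sshd` asks for a jail named `sshd`, but files/jail.local in this commit defines `sshd-22` and `sshd-2263`; plain `fail2ban-client status` lists whatever actually loaded. `$scriptdir` is unquoted in the copy (`cp "$scriptdir/files/jail.local" /etc/fail2ban/jail.local`), the copy silently replaces any existing jail.local, and no step's exit status is checked, so a failed install falls through to the later commands unless `set -e` is in effect outside this hunk. The `[Y]` in the prompt reads as a default, yet an empty reply does not match `^[Yy]$` and skips the setup. The same points apply to the `sudo` variant added to init_sudo.sh.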
@@ -175,6 +175,19 @@ configure_timedate() {
 fi
 }
 
+configure_fail2ban() {
+ read -p "要配置 fail2ban 吗?[Y]: " response
+
+ if [[ $response =~ ^[Yy]$ ]]; then
+ sudo apt install fail2ban
+ sudo mkdir -p /etc/fail2ban
+ sudo cp $scriptdir/files/jail.local /etc/fail2ban/jail.local
+ sudo systemctl start fail2ban
+ sudo systemctl enable fail2ban
+ sudo fail2ban-client status sshd
+ fi
+}
+
 if [[ $EUID -eq 0 ]]; then
 echo "This script should not be run as root."
 exit 1
@@ -192,3 +205,4 @@ configure_tmux
 configure_iptables
 # configure_hostname
 configure_timedate
+configure_fail2ban