Add Fail2ban support

[lapineige]

Problem

• Wallabag is not protected by fail2ban against brute force See #37

Solution

• Add fail2ban config.

The number of retry is set to 5, I think it allows users to make a reasonable number of errors while restricting brute force possibilities.

Warning : this PR will drop support for version older than 3.5, in particular Yunohost 2.7 (Debian 8).

PR Status

• [x] Code finished.
• [ ] Tested with Package_check.
• [x] Fix or enhancement tested.
• [ ] Upgrade from last version tested.
• [x] Can be reviewed and tested.

Validation

---

Minor decision

• Upgrade previous version :
• [x] Code review : Maniack C
• [x] Approval (LGTM) : Maniack C
• [x] Approval (LGTM) : JimboJoe
• CI succeeded :
  When the PR is marked as ready to merge, you have to wait for 3 days before really merging it.

[lapineige]

Changed the base branch to master, as it is an high priority issue, we can't wait for testing to be merged.

[lapineige]

I fixed the regex conf, at first I did not understand how to configure it correctly.

I tried a fresh install + removal, it works. Fail2ban seems to be active: after 5 failed login attempts, the login page doesn't load.

It's ready for review.

[maniackcrudelis]

Adding fail2ban is a good improvement, not a security issue needed to be quickly fixed.

[lapineige]

Users password are not protected right now, and it's the same as the SSO password, so it would be a lot better to prevent brute force attack. It's not a security flaw, but still pretty important.

[maniackcrudelis]

User passwords are protected by https. Brute force attack aren't prevented indeed and that's a pretty good improvement. Not a security issue.

[JimboJoe]

The CI job is failing... :thinking:

[lapineige]

Do you know why ? (where can I find the logs ?)

[JimboJoe]

Yep, you click on the build badge, then "last build", then "console output".

[lapineige]

This page ? https://yunohost.github.io/ci/

[maniackcrudelis]

There https://ci-apps-hq.yunohost.org/jenkins/job/wallabag2_ynh%20PR65/5/console

[lapineige]

Ok, only upgrade from this version fails…

I found the issue: I fixed the regex syntax in the install script, but not in the upgrade one Should be fixed now.

[JimboJoe]

Upgrade is stille failing on the CI.

Warning: yunohost.hook <lambda> - [3344.1] Job for fail2ban.service failed because the control process exited with error code.
Warning: yunohost.hook <lambda> - [3344.1] See "systemctl status fail2ban.service" and "journalctl -xe" for details.
Warning: yunohost.hook <lambda> - [3344.1] !!
Warning: yunohost.hook <lambda> - [3344.1]   wallabag2's script has encountered an error. Its execution was cancelled.
Warning: yunohost.hook <lambda> - [3344.1] !!
Warning: yunohost.hook <lambda> - [3344.1] ./upgrade: line 61: ynh_backup_after_failed_upgrade: command not found

[lapineige]

But we don't have the log for fail2ban… :(

[JimboJoe]

Isn't the problem reproducible with package_check in your environment?

[lapineige]

How do I use it ?

[JimboJoe]

As an app maintainer, you will love package_check! Have a look at the README, you can install it on your test server/VM. It's been developed mainly by @maniackcrudelis, and it's what produces the results of the CI.

[lapineige]

I don't have any VM or test server for that :/

[JimboJoe]

Then you'll be interested by this forum post :wink:

[lapineige]

Ok, I tried again on my main server (backup + remove old wallabag + install master + upgrade to this branch), the error is:

No file(s) found for glob /var/www/wallabag2/var/logs/prod.log

I fixed that in the install script, but not in the upgrade script :sweat_smile: I'll do it.

[JimboJoe]

By the way, more relevant link here to use the CI available for app packagers :wink:

[lapineige]

CI is succeeding right now.

Let's merge ?

[JimboJoe]

Can be merged in 3 days (if @maniackcrudelis confirms his code review after late changes)

[JimboJoe]

Can be merged in 3 days.

[lapineige]

Thanks @maniackcrudelis for the improvements :)