
Bug 794835

Summary: www-apps/nextcloud: add fail2ban configuration files
Product: Gentoo Linux
Reporter: A Schenck <galiven>
Component: Current packages
Assignee: Bernard Cafarelli <voyageur>
Status: UNCONFIRMED
Severity: enhancement
CC: flow, galiven, hydrapolic, polynomial-c, sam, web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: fail2ban filter.d conf for nextcloud
fail2ban jail.d config for nextcloud

Description A Schenck 2021-06-07 21:22:38 UTC
Created attachment 714366
fail2ban filter.d conf for nextcloud

Upstream has a suggestion for fail2ban filter.d and jail.d configuration: https://docs.nextcloud.com/server/19/admin_manual/installation/harden_server.html#setup-fail2ban .  It was pretty easy to do myself but I didn't even think of it until randomly stumbling across it.  Would be kinda nice if it was just baked into the ebuild.  Maybe falls under the "small files" policy like systemd units?  Or a useflag would be simple enough, just annoying to remerge a giant package like nextcloud for a couple of conf files.

Comment 1 A Schenck 2021-06-07 21:23:02 UTC
Created attachment 714369
fail2ban jail.d config for nextcloud

Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-07 21:55:57 UTC
I'd be happy with including these with fail2ban if we wanted to go in that direction under e.g. USE=contrib?

Comment 3 Tomáš Mózes 2021-06-08 16:35:14 UTC
Good idea, however the log path may probably differ based on where you install nextcloud:

logpath = /var/www/localhost/htdocs/nextcloud/data/nextcloud.log

Comment 4 A Schenck 2021-07-11 01:41:58 UTC
(In reply to Tomáš Mózes from comment #3)
> Good idea, however the log path may probably differ based on where you
> install nextcloud:
> 
> logpath = /var/www/localhost/htdocs/nextcloud/data/nextcloud.log

I guess I was imagining a 'has_version(fail2ban)' in pkg_postinst that would tell the user that a configuration was installed and they need to modify the logpath to work for their setup.  Alternately, a fail2ban USE flag which would gate whether these files were installed and the message in postinst.

fail2ban doesn't appear to be a USE flag anywhere else, so a 'contrib' flag doing the same would make sense too, it would just have to have a local use description.
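
The logpath concern raised in comment 3 can be checked mechanically after installation. The following is an added example, not part of this bug or its attachments: it compares the `logpath` in a jail.d file with the log location implied by Nextcloud's `config.php`. It assumes the default log file name `nextcloud.log` inside the data directory and a single-quoted `'datadirectory'` entry; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that a fail2ban jail watches the log Nextcloud writes.
# Assumption: Nextcloud logs to <datadirectory>/nextcloud.log (its default).

# Print each logpath value found in a jail file, trailing whitespace removed.
jail_logpaths() {
    sed -n 's/^[[:space:]]*logpath[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$1"
}

# Print the data directory from config.php ('datadirectory' => '/path',).
nc_datadir() {
    sed -n "s/^[[:space:]]*'datadirectory'[[:space:]]*=>[[:space:]]*'\([^']*\)'.*/\1/p" "$1"
}

# check_jail JAIL_FILE CONFIG_PHP
# 0: jail watches the expected log; 1: mismatch; 2: data directory not found.
check_jail() {
    datadir=$(nc_datadir "$2")
    if [ -z "$datadir" ]; then
        echo "no 'datadirectory' entry in $2" >&2
        return 2
    fi
    expected="$datadir/nextcloud.log"
    # -F fixed string, -x whole line, -q quiet: exact path comparison.
    if jail_logpaths "$1" | grep -Fxq -- "$expected"; then
        return 0
    fi
    echo "jail $1 does not watch $expected; failed logins would go unseen" >&2
    return 1
}

# Demo on constructed sample files (not taken from the attachments).
demo_dir=$(mktemp -d)
cat > "$demo_dir/config.php" <<'EOF'
<?php
$CONFIG = array (
  'datadirectory' => '/srv/nextcloud/data',
);
EOF
printf '[nextcloud]\nenabled = true\nfilter = nextcloud\nlogpath = /var/www/localhost/htdocs/nextcloud/data/nextcloud.log\n' \
    > "$demo_dir/nextcloud.local"
if check_jail "$demo_dir/nextcloud.local" "$demo_dir/config.php"; then
    echo "logpath OK"
else
    echo "logpath needs editing for this install"
fi
rm -rf "$demo_dir"
```

A mismatch matters because a jail pointed at a log that Nextcloud never writes to will never ban anything, so a packaged default path has to be checked against the local install.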