From e843b50fc8eee3a2f665b2611eeb20485ae11569 Mon Sep 17 00:00:00 2001 From: drizuid Date: Tue, 21 Dec 2021 14:40:37 -0500 Subject: [PATCH 01/21] replace ip6tables legacy with ip6tables-nft due to missing kernel module --- Dockerfile | 5 +++ Dockerfile.aarch64 | 5 +++ Dockerfile.armhf | 5 +++ Jenkinsfile | 88 ++++++++++++++++++++++++++-------------------- README.md | 2 ++ readme-vars.yml | 1 + 6 files changed, 68 insertions(+), 38 deletions(-) diff --git a/Dockerfile b/Dockerfile index ed391bf..37f1d0f 100755 --- a/Dockerfile +++ b/Dockerfile @@ -131,6 +131,11 @@ RUN \ certbot-plugin-gandi \ cryptography \ requests && \ + echo "**** correct ip6tables legacy issue ****" && \ + rm \ + /sbin/ip6tables && \ + ln -s \ + /sbin/ip6tables-nft /sbin/ip6tables && \ echo "**** remove unnecessary fail2ban filters ****" && \ rm \ /etc/fail2ban/jail.d/alpine-ssh.conf && \ diff --git a/Dockerfile.aarch64 b/Dockerfile.aarch64 index fd2d529..3d4ada6 100755 --- a/Dockerfile.aarch64 +++ b/Dockerfile.aarch64 @@ -131,6 +131,11 @@ RUN \ certbot-plugin-gandi \ cryptography \ requests && \ + echo "**** correct ip6tables legacy issue ****" && \ + rm \ + /sbin/ip6tables && \ + ln -s \ + /sbin/ip6tables-nft /sbin/ip6tables && \ echo "**** remove unnecessary fail2ban filters ****" && \ rm \ /etc/fail2ban/jail.d/alpine-ssh.conf && \ diff --git a/Dockerfile.armhf b/Dockerfile.armhf index a19a60c..7c504f6 100755 --- a/Dockerfile.armhf +++ b/Dockerfile.armhf @@ -130,6 +130,11 @@ RUN \ certbot-plugin-gandi \ cryptography \ requests && \ + echo "**** correct ip6tables legacy issue ****" && \ + rm \ + /sbin/ip6tables && \ + ln -s \ + /sbin/ip6tables-nft /sbin/ip6tables && \ echo "**** remove unnecessary fail2ban filters ****" && \ rm \ /etc/fail2ban/jail.d/alpine-ssh.conf && \ diff --git a/Jenkinsfile b/Jenkinsfile index 937dba0..505ffe9 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
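Review bot: The added `ln -s /sbin/ip6tables-nft /sbin/ip6tables` in the Dockerfile hunk never checks that the nft binary exists in the image, and `ln -s` succeeds on a missing target. A package change that drops the binary would therefore leave a dangling symlink while the build still passes, and IPv6 bans would fail only at run time. Putting `test -x /sbin/ip6tables-nft && \` before the `rm` turns that into a build failure. Only `ip6tables` is repointed, so if `/sbin/iptables` still resolves to the legacy backend (not visible here) IPv4 and IPv6 rules land in different backends, which deserves a comment beside the echo line. The same lines are added in the Dockerfile.aarch64 and Dockerfile.armhf hunks, and the RUN instruction starts and ends outside each hunk.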
@@ -118,12 +118,11 @@ pipeline { script: '''echo ${EXT_RELEASE} | sed 's/[~,%@+;:/]//g' ''', returnStdout: true).trim() - env.SEMVER = (new Date()).format('YYYY.MM.dd') - def semver = env.EXT_RELEASE_CLEAN =~ /(\d+)\.(\d+)\.(\d+)$/ + def semver = env.EXT_RELEASE_CLEAN =~ /(\d+)\.(\d+)\.(\d+)/ if (semver.find()) { env.SEMVER = "${semver[0][1]}.${semver[0][2]}.${semver[0][3]}" } else { - semver = env.EXT_RELEASE_CLEAN =~ /(\d+)\.(\d+)(?:\.(\d+))?(.*)$/ + semver = env.EXT_RELEASE_CLEAN =~ /(\d+)\.(\d+)(?:\.(\d+))?(.*)/ if (semver.find()) { if (semver[0][3]) { env.SEMVER = "${semver[0][1]}.${semver[0][2]}.${semver[0][3]}" @@ -133,7 +132,15 @@ pipeline { } } - println("SEMVER: ${env.SEMVER}") + if (env.SEMVER != null) { + if (BRANCH_NAME != "master" && BRANCH_NAME != "main") { + env.SEMVER = "${env.SEMVER}-${BRANCH_NAME}" + } + println("SEMVER: ${env.SEMVER}") + } else { + println("No SEMVER detected") + } + } } } @@ -402,10 +409,10 @@ pipeline { steps{ sh '''#! /bin/bash set -e - PACKAGE_UUID=$(curl -X GET -H "Authorization: Bearer ${SCARF_TOKEN}" https://scarf.sh/api/v1/packages | jq -r '.[] | select(.name=="linuxserver/swag") | .uuid') + PACKAGE_UUID=$(curl -X GET -H "Authorization: Bearer ${SCARF_TOKEN}" https://scarf.sh/api/v1/organizations/linuxserver-ci/packages | jq -r '.[] | select(.name=="linuxserver/swag") | .uuid') if [ -z "${PACKAGE_UUID}" ]; then echo "Adding package to Scarf.sh" - PACKAGE_UUID=$(curl -sX POST https://scarf.sh/api/v1/packages \ + curl -sX POST https://scarf.sh/api/v1/organizations/linuxserver-ci/packages \ -H "Authorization: Bearer ${SCARF_TOKEN}" \ -H "Content-Type: application/json" \ -d '{"name":"linuxserver/swag",\ 
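Review bot: `env.SEMVER = "${env.SEMVER}-${BRANCH_NAME}"` in the second Jenkinsfile hunk appends the raw branch name to a value that the later hunks use as a Docker tag. Git accepts characters in branch names, `/` for example, that a tag does not, so a build from such a branch would fail at the first `docker tag … :${SEMVER}`. Restricting the suffix to the tag alphabet avoids this: `env.SEMVER = "${env.SEMVER}-${BRANCH_NAME.replaceAll('[^A-Za-z0-9_.-]', '-')}"`. The shell hunks also expand `${SEMVER}` unquoted, so quoting the tag arguments there would be consistent with the new `[ -n "${SEMVER}" ]` guards. The enclosing `script` block starts outside the hunk.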
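Review bot: The Scarf lookup in the third hunk passes the bearer token in curl's argument list (`-H "Authorization: Bearer ${SCARF_TOKEN}"`), where it is visible in the build agent's process table for the duration of the call. curl can read the header from a file or stdin instead (`-H @FILE`, curl 7.55 or later). Neither the GET nor the POST uses `--fail`, so an HTTP error body is piped into jq or discarded, and with the `|| :` added in the following hunk a rejected package creation leaves nothing in the log beyond "Adding package to Scarf.sh". Using `curl -sf` and echoing a warning in the `||` branch would keep the step non-fatal but visible. The `sh` block continues outside this hunk.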
@@ -413,22 +420,10 @@ pipeline { "libraryType":"docker",\ "website":"https://github.com/linuxserver/docker-swag",\ "backendUrl":"https://ghcr.io/linuxserver/swag",\ - "publicUrl":"https://lscr.io/linuxserver/swag"}' \ - | jq -r .uuid) + "publicUrl":"https://lscr.io/linuxserver/swag"}' || : else echo "Package already exists on Scarf.sh" fi - echo "Setting permissions on Scarf.sh for package ${PACKAGE_UUID}" - curl -X POST https://scarf.sh/api/v1/packages/${PACKAGE_UUID}/permissions \ - -H "Authorization: Bearer ${SCARF_TOKEN}" \ - -H "Content-Type: application/json" \ - -d '[{"userQuery":"Spad","permissionLevel":"admin"},\ - {"userQuery":"roxedus","permissionLevel":"admin"},\ - {"userQuery":"nemchik","permissionLevel":"admin"},\ - {"userQuery":"driz","permissionLevel":"admin"},\ - {"userQuery":"aptalca","permissionLevel":"admin"},\ - {"userQuery":"saarg","permissionLevel":"admin"},\ - {"userQuery":"Stark","permissionLevel":"admin"}]' ''' } } @@ -752,11 +747,15 @@ pipeline { docker tag ${IMAGE}:${META_TAG} ${PUSHIMAGE}:${META_TAG} docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:latest docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:${EXT_RELEASE_TAG} - docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:${SEMVER} + if [ -n "${SEMVER}" ]; then + docker tag ${PUSHIMAGE}:${META_TAG} ${PUSHIMAGE}:${SEMVER} + fi docker push ${PUSHIMAGE}:latest docker push ${PUSHIMAGE}:${META_TAG} docker push ${PUSHIMAGE}:${EXT_RELEASE_TAG} - docker push ${PUSHIMAGE}:${SEMVER} + if [ -n "${SEMVER}" ]; then + docker push ${PUSHIMAGE}:${SEMVER} + fi done ''' } @@ -765,8 +764,10 @@ pipeline { docker rmi \ ${DELETEIMAGE}:${META_TAG} \ ${DELETEIMAGE}:${EXT_RELEASE_TAG} \ - ${DELETEIMAGE}:latest \ - ${DELETEIMAGE}:${SEMVER} || : + ${DELETEIMAGE}:latest || : + if [ -n "${SEMVER}" ]; then + docker rmi ${DELETEIMAGE}:${SEMVER} || : + fi done ''' } 
@@ -816,9 +817,11 @@ pipeline { docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG} docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} - docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${SEMVER} - docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${SEMVER} - docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${SEMVER} + if [ -n "${SEMVER}" ]; then + docker tag ${MANIFESTIMAGE}:amd64-${META_TAG} ${MANIFESTIMAGE}:amd64-${SEMVER} + docker tag ${MANIFESTIMAGE}:arm32v7-${META_TAG} ${MANIFESTIMAGE}:arm32v7-${SEMVER} + docker tag ${MANIFESTIMAGE}:arm64v8-${META_TAG} ${MANIFESTIMAGE}:arm64v8-${SEMVER} + fi docker push ${MANIFESTIMAGE}:amd64-${META_TAG} docker push ${MANIFESTIMAGE}:arm32v7-${META_TAG} docker push ${MANIFESTIMAGE}:arm64v8-${META_TAG} @@ -828,9 +831,11 @@ pipeline { docker push ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG} docker push ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} docker push ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} - docker push ${MANIFESTIMAGE}:amd64-${SEMVER} - docker push ${MANIFESTIMAGE}:arm32v7-${SEMVER} - docker push ${MANIFESTIMAGE}:arm64v8-${SEMVER} + if [ -n "${SEMVER}" ]; then + docker push ${MANIFESTIMAGE}:amd64-${SEMVER} + docker push ${MANIFESTIMAGE}:arm32v7-${SEMVER} + docker push ${MANIFESTIMAGE}:arm64v8-${SEMVER} + fi docker manifest push --purge ${MANIFESTIMAGE}:latest || : docker manifest create ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:amd64-latest ${MANIFESTIMAGE}:arm32v7-latest ${MANIFESTIMAGE}:arm64v8-latest docker manifest annotate ${MANIFESTIMAGE}:latest ${MANIFESTIMAGE}:arm32v7-latest --os linux --arch arm 
@@ -843,14 +848,18 @@ pipeline { docker manifest create ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:amd64-${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} docker manifest annotate ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm32v7-${EXT_RELEASE_TAG} --os linux --arch arm docker manifest annotate ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} ${MANIFESTIMAGE}:arm64v8-${EXT_RELEASE_TAG} --os linux --arch arm64 --variant v8 - docker manifest push --purge ${MANIFESTIMAGE}:${SEMVER} || : - docker manifest create ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:amd64-${SEMVER} ${MANIFESTIMAGE}:arm32v7-${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER} - docker manifest annotate ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:arm32v7-${SEMVER} --os linux --arch arm - docker manifest annotate ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER} --os linux --arch arm64 --variant v8 + if [ -n "${SEMVER}" ]; then + docker manifest push --purge ${MANIFESTIMAGE}:${SEMVER} || : + docker manifest create ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:amd64-${SEMVER} ${MANIFESTIMAGE}:arm32v7-${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER} + docker manifest annotate ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:arm32v7-${SEMVER} --os linux --arch arm + docker manifest annotate ${MANIFESTIMAGE}:${SEMVER} ${MANIFESTIMAGE}:arm64v8-${SEMVER} --os linux --arch arm64 --variant v8 + fi docker manifest push --purge ${MANIFESTIMAGE}:latest docker manifest push --purge ${MANIFESTIMAGE}:${META_TAG} docker manifest push --purge ${MANIFESTIMAGE}:${EXT_RELEASE_TAG} - docker manifest push --purge ${MANIFESTIMAGE}:${SEMVER} + if [ -n "${SEMVER}" ]; then + docker manifest push --purge ${MANIFESTIMAGE}:${SEMVER} + fi done ''' } 
@@ -860,15 +869,18 @@ pipeline { ${DELETEIMAGE}:amd64-${META_TAG} \ ${DELETEIMAGE}:amd64-latest \ ${DELETEIMAGE}:amd64-${EXT_RELEASE_TAG} \ - ${DELETEIMAGE}:amd64-${SEMVER} \ ${DELETEIMAGE}:arm32v7-${META_TAG} \ ${DELETEIMAGE}:arm32v7-latest \ ${DELETEIMAGE}:arm32v7-${EXT_RELEASE_TAG} \ - ${DELETEIMAGE}:arm32v7-${SEMVER} \ ${DELETEIMAGE}:arm64v8-${META_TAG} \ ${DELETEIMAGE}:arm64v8-latest \ - ${DELETEIMAGE}:arm64v8-${EXT_RELEASE_TAG} \ - ${DELETEIMAGE}:arm64v8-${SEMVER} || : + ${DELETEIMAGE}:arm64v8-${EXT_RELEASE_TAG} || : + if [ -n "${SEMVER}" ]; then + docker rmi \ + ${DELETEIMAGE}:amd64-${SEMVER} \ + ${DELETEIMAGE}:arm32v7-${SEMVER} \ + ${DELETEIMAGE}:arm64v8-${SEMVER} || : + fi done docker rmi \ ghcr.io/linuxserver/lsiodev-buildcache:arm32v7-${COMMIT_SHA}-${BUILD_NUMBER} \ diff --git a/README.md b/README.md index 3b1c3b0..4211f12 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,7 @@ Find us at: # [linuxserver/swag](https://github.com/linuxserver/docker-swag) +[![Scarf.io pulls](https://scarf.sh/installs-badge/linuxserver-ci/linuxserver%2Fswag?color=94398d&label-color=555555&logo-color=ffffff&style=for-the-badge&package-type=docker)](https://scarf.sh/gateway/linuxserver-ci/docker/linuxserver%2Fswag) [![GitHub Stars](https://img.shields.io/github/stars/linuxserver/docker-swag.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=github)](https://github.com/linuxserver/docker-swag) [![GitHub Release](https://img.shields.io/github/release/linuxserver/docker-swag.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&logo=github)](https://github.com/linuxserver/docker-swag/releases) [![GitHub Package Repository](https://img.shields.io/static/v1.svg?color=94398d&labelColor=555555&logoColor=ffffff&style=for-the-badge&label=linuxserver.io&message=GitHub%20Package&logo=github)](https://github.com/linuxserver/docker-swag/packages) 
@@ -329,6 +330,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64 ## Versions +* **21.12.21:** - Fixed issue with iptables not working as expected * **30.11.21:** - Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind) * **22.11.21:** - Added support for Infomaniak DNS for certificate generation. * **20.11.21:** - Added support for dnspod validation. diff --git a/readme-vars.yml b/readme-vars.yml index 10af9f4..7a99215 100755 --- a/readme-vars.yml +++ b/readme-vars.yml @@ -154,6 +154,7 @@ app_setup_nginx_reverse_proxy_block: "" # changelog changelogs: + - { date: "21.12.21:", desc: "Fixed issue with iptables not working as expected" } - { date: "30.11.21:", desc: "Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind)" } - { date: "22.11.21:", desc: "Added support for Infomaniak DNS for certificate generation." } - { date: "20.11.21:", desc: "Added support for dnspod validation." } From bedff470cfd040656baf5e988c275261601e05a1 Mon Sep 17 00:00:00 2001 From: LinuxServer-CI Date: Thu, 30 Dec 2021 06:19:44 +0100 Subject: [PATCH 02/21] Bot Updating Package Versions --- package_versions.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package_versions.txt b/package_versions.txt index 42a4a9e..8f3889c 100755 --- a/package_versions.txt +++ b/package_versions.txt @@ -1,6 +1,6 @@ alpine-baselayout-3.2.0-r16 alpine-keys-2.4-r0 -apache2-utils-2.4.51-r0 +apache2-utils-2.4.52-r0 apk-tools-2.12.7-r0 apr-1.7.0-r0 apr-util-1.6.1-r7 From 251917b23fa2cbe14617e686d1bca78eb0e7331b Mon Sep 17 00:00:00 2001 
From: quietsy Date: Sun, 9 Jan 2022 17:16:11 +0200 Subject: [PATCH 03/21] Added a fail2ban jail for nginx unauthorized --- README.md | 1 + readme-vars.yml | 1 + .../fail2ban/filter.d/nginx-unauthorized.conf | 7 +++++++ root/defaults/jail.local | 20 ++++++++++--------- root/defaults/nginx.conf | 9 ++++++++- 5 files changed, 28 insertions(+), 10 deletions(-) create mode 100644 root/defaults/fail2ban/filter.d/nginx-unauthorized.conf diff --git a/README.md b/README.md index 4211f12..936f1a2 100644 --- a/README.md +++ b/README.md @@ -330,6 +330,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64 ## Versions +* **09.01.22:** - Added a fail2ban jail for nginx unauthorized * **21.12.21:** - Fixed issue with iptables not working as expected * **30.11.21:** - Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind) * **22.11.21:** - Added support for Infomaniak DNS for certificate generation. diff --git a/readme-vars.yml b/readme-vars.yml index 7a99215..a033ea4 100755 --- a/readme-vars.yml +++ b/readme-vars.yml @@ -154,6 +154,7 @@ app_setup_nginx_reverse_proxy_block: "" # changelog changelogs: + - { date: "09.01.22:", desc: "Added a fail2ban jail for nginx unauthorized" } - { date: "21.12.21:", desc: "Fixed issue with iptables not working as expected" } - { date: "30.11.21:", desc: "Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind)" } - { date: "22.11.21:", desc: "Added support for Infomaniak DNS for certificate generation." } diff --git a/root/defaults/fail2ban/filter.d/nginx-unauthorized.conf b/root/defaults/fail2ban/filter.d/nginx-unauthorized.conf new file mode 100644 index 0000000..23709ad --- /dev/null +++ b/root/defaults/fail2ban/filter.d/nginx-unauthorized.conf @@ -0,0 +1,7 @@ +# A fail2ban filter for unauthorized log messages + +[Definition] + +failregex = ^.*"(GET|POST|HEAD).*" 401 .*$ + +ignoreregex = 
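Review bot: As shown on this page the new `failregex` contains no `<HOST>` (or other failure-id) group, which fail2ban needs in order to know which address to ban. The tag may have been lost when the page was rendered, so confirm against the file itself. The method list `(GET|POST|HEAD)` also means 401 responses to any other method are never counted, even though the jail's log file is already limited to status 401 by the nginx `map`. Anchoring on the client address and the status field, for example `failregex = ^<HOST> .*" 401 `, would cover every method and avoid the leading `^.*`.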
diff --git a/root/defaults/jail.local b/root/defaults/jail.local index 9b8673c..ebac564 100644 --- a/root/defaults/jail.local +++ b/root/defaults/jail.local @@ -1,10 +1,14 @@ -## Version 2020/05/10 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/jail.local +## Version 2022/01/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/jail.local # This is the custom version of the jail.conf for fail2ban # Feel free to modify this and add additional filters # Then you can drop the new filter conf files into the fail2ban-filters # folder and restart the container [DEFAULT] +# Prevents banning LAN subnets +ignoreip = 10.0.0.0/8 + 192.168.0.0/16 + 172.16.0.0/12 # Changes the default ban action from "iptables-multiport", which causes issues on some platforms, to "iptables-allports". banaction = iptables-allports @@ -21,37 +25,35 @@ maxretry = 5 [ssh] - enabled = false - [nginx-http-auth] - enabled = true filter = nginx-http-auth port = http,https logpath = /config/log/nginx/error.log - [nginx-badbots] - enabled = true port = http,https filter = nginx-badbots logpath = /config/log/nginx/access.log maxretry = 2 - [nginx-botsearch] - enabled = true port = http,https filter = nginx-botsearch logpath = /config/log/nginx/access.log [nginx-deny] - enabled = true port = http,https filter = nginx-deny logpath = /config/log/nginx/error.log + +[nginx-unauthorized] +enabled = true +port = http,https +filter = nginx-unauthorized +logpath = /config/log/nginx/unauthorized.log diff --git a/root/defaults/nginx.conf b/root/defaults/nginx.conf index ae21a63..c6a7504 100644 --- a/root/defaults/nginx.conf +++ b/root/defaults/nginx.conf @@ -1,4 +1,4 @@ -## Version 2021/04/27 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf +## Version 2022/01/09 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/nginx.conf user abc; 
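Review bot: The `ignoreip` list added under `[DEFAULT]` exempts all three RFC 1918 ranges for every jail, not only the new one. If nginx logs a private source address instead of the real client, every request is exempt and no jail in this file will ban anything, with nothing in the logs to say so. That can happen when the container sits behind another proxy or a NAT that rewrites the source and `real_ip` is not configured. A comment above the setting would make the trade-off visible, e.g. `# If nginx logs a gateway/proxy address rather than the client IP, remove the matching range or configure real_ip first`. Narrowing the list to the actual LAN subnet is safer than shipping all three ranges as the default. The `[DEFAULT]` section continues outside the hunk.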
@@ -55,6 +55,13 @@ http { '' close; } + # Saves unauthorized log messages to a separate log file + map $status $unauthorized { + default 0; + ~^401 1; + } + access_log /config/log/nginx/unauthorized.log combined if=$unauthorized; + # Sets the path, format, and configuration for a buffered log write. access_log /config/log/nginx/access.log; From 665eace79fea9a75811afee71fb12b7af5141431 Mon Sep 17 00:00:00 2001 From: quietsy Date: Tue, 11 Jan 2022 09:19:16 +0200 Subject: [PATCH 04/21] Ignore plex unauthorized requests --- root/defaults/fail2ban/filter.d/nginx-unauthorized.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/root/defaults/fail2ban/filter.d/nginx-unauthorized.conf b/root/defaults/fail2ban/filter.d/nginx-unauthorized.conf index 23709ad..fbe6988 100644 --- a/root/defaults/fail2ban/filter.d/nginx-unauthorized.conf +++ b/root/defaults/fail2ban/filter.d/nginx-unauthorized.conf @@ -2,6 +2,6 @@ [Definition] -failregex = ^.*"(GET|POST|HEAD).*" 401 .*$ +failregex = ^(?!.*?(?i)plex).*"(GET|POST|HEAD).*" 401 .*$ ignoreregex = From 6fde2f5f8f8a5c58e443b48a17c6fe87b0897dc1 Mon Sep 17 00:00:00 2001 From: LinuxServer-CI Date: Thu, 20 Jan 2022 06:19:07 +0100 Subject: [PATCH 05/21] Bot Updating Package Versions --- package_versions.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package_versions.txt b/package_versions.txt index 8f3889c..966f346 100755 --- a/package_versions.txt +++ b/package_versions.txt @@ -13,7 +13,7 @@ ca-certificates-20191127-r5 ca-certificates-bundle-20191127-r5 coreutils-8.32-r2 curl-7.79.1-r0 -expat-2.4.1-r0 +expat-2.4.3-r0 fail2ban-0.11.2-r0 freetype-2.10.4-r1 gdbm-1.19-r0 From 7d6b5e66c1150d53d6b83bfae8f93c1fda8ed90d Mon Sep 17 00:00:00 2001 From: LinuxServer-CI Date: Thu, 27 Jan 2022 06:19:02 +0100 Subject: [PATCH 06/21] Bot Updating Package Versions --- package_versions.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
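Review bot: The conditional `access_log /config/log/nginx/unauthorized.log combined if=$unauthorized;` is declared at `http` level, and nginx inherits `access_log` only into a `server` or `location` that declares none of its own. A site conf with its own `access_log` would therefore stop feeding this file, and the nginx-unauthorized jail would miss its 401s without any error. A comment on the directive would help, e.g. `# inherited only by blocks that define no access_log of their own; repeat it there if needed`. As a style point, `~^401 1;` uses a regex for a fixed value, and `401 1;` states the intent exactly. The `http` block starts and ends outside the hunk.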
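Review bot: The lookahead `(?!.*?(?i)plex)` added to `failregex` in nginx-unauthorized.conf is evaluated against the whole log line, including the request path, Referer and User-Agent, all of which the client supplies. The exemption therefore applies to any line containing that word, not just to Plex traffic. It is better made where the origin is known, for instance by not writing 401s from the Plex `location` to unauthorized.log, or by using an `ignoreregex` anchored to the request-path field. Separately, the inline `(?i)` sits in the middle of the pattern; Python has deprecated global flags that are not at the start of an expression since 3.6 and rejects them from 3.11, so a scoped group such as `(?i:plex)` is the safer spelling.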
diff --git a/package_versions.txt b/package_versions.txt
index 966f346..0598a47 100755
--- a/package_versions.txt
+++ b/package_versions.txt
@@ -9,8 +9,8 @@ bash-5.1.4-r0
 brotli-libs-1.0.9-r5
 busybox-1.33.1-r6
 c-client-2007f-r11
-ca-certificates-20191127-r5
-ca-certificates-bundle-20191127-r5
+ca-certificates-20211220-r0
+ca-certificates-bundle-20211220-r0
 coreutils-8.32-r2
 curl-7.79.1-r0
 expat-2.4.3-r0
From 7562a1c26a93e609b007b8d5e054cab6367b56c0 Mon Sep 17 00:00:00 2001
From: LinuxServer-CI
Date: Thu, 3 Feb 2022 06:18:15 +0100
Subject: [PATCH 07/21] Bot Updating Package Versions
---
 package_versions.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package_versions.txt b/package_versions.txt
index 0598a47..3071508 100755
--- a/package_versions.txt
+++ b/package_versions.txt
@@ -85,7 +85,7 @@ libxslt-1.1.34-r1
 libxt-1.2.1-r0
 libzip-1.7.3-r2
 linux-pam-1.5.1-r1
-logrotate-3.18.1-r0
+logrotate-3.18.1-r1
 lz4-libs-1.9.3-r1
 memcached-1.6.9-r0
 mpdecimal-2.5.1-r1
From 274369c4bae0733c08866d77ce04ecbf29c9abf8 Mon Sep 17 00:00:00 2001
From: LinuxServer-CI
Date: Tue, 8 Feb 2022 19:58:44 +0100
Subject: [PATCH 08/21] Bot Updating Package Versions
---
 package_versions.txt | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/package_versions.txt b/package_versions.txt
index 3071508..1816586 100755
--- a/package_versions.txt
+++ b/package_versions.txt
@@ -13,7 +13,7 @@ ca-certificates-20211220-r0
 ca-certificates-bundle-20211220-r0
 coreutils-8.32-r2
 curl-7.79.1-r0
-expat-2.4.3-r0
+expat-2.4.4-r0
 fail2ban-0.11.2-r0
 freetype-2.10.4-r1
 gdbm-1.19-r0
@@ -29,7 +29,7 @@ iptables-1.8.7-r1
 libacl-2.2.53-r0
 libassuan-2.5.5-r0
 libattr-2.5.1-r0
-libblkid-2.37.2-r0
+libblkid-2.37.3-r0
 libbsd-0.11.3-r0
 libbz2-1.0.8-r1
 libc-utils-0.7.2-r3
@@ -55,7 +55,7 @@ libmcrypt-2.5.8-r9
 libmd-1.0.3-r0
 libmemcached-libs-1.0.18-r4
 libmnl-1.0.4-r1
-libmount-2.37.2-r0
+libmount-2.37.3-r0
 libnftnl-libs-1.2.0-r0
 libpng-1.6.37-r1
 libpq-13.5-r0
@@ -72,7 +72,7 @@ libssl1.1-1.1.1l-r0
 libstdc++-10.3.1_git20210424-r2
 libtasn1-4.17.0-r0
 libunistring-0.9.10-r1
-libuuid-2.37.2-r0
+libuuid-2.37.3-r0
 libwebp-1.2.0-r2
 libx11-1.7.2-r0
 libxau-1.0.9-r0
From 7fb7364c96035680d8daf5dec17ce1ff99229692 Mon Sep 17 00:00:00 2001
From: LinuxServer-CI
Date: Thu, 17 Feb 2022 06:18:01 +0100
Subject: [PATCH 09/21] Bot Updating Package Versions
---
 package_versions.txt | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/package_versions.txt b/package_versions.txt
index 1816586..a061b11 100755
--- a/package_versions.txt
+++ b/package_versions.txt
@@ -29,7 +29,7 @@ iptables-1.8.7-r1
 libacl-2.2.53-r0
 libassuan-2.5.5-r0
 libattr-2.5.1-r0
-libblkid-2.37.3-r0
+libblkid-2.37.4-r0
 libbsd-0.11.3-r0
 libbz2-1.0.8-r1
 libc-utils-0.7.2-r3
@@ -55,10 +55,10 @@ libmcrypt-2.5.8-r9
 libmd-1.0.3-r0
 libmemcached-libs-1.0.18-r4
 libmnl-1.0.4-r1
-libmount-2.37.3-r0
+libmount-2.37.4-r0
 libnftnl-libs-1.2.0-r0
 libpng-1.6.37-r1
-libpq-13.5-r0
+libpq-13.6-r0
 libproc-3.3.17-r0
 libressl3.3-libcrypto-3.3.3-r0
 libressl3.3-libssl-3.3.3-r0
@@ -72,7 +72,7 @@ libssl1.1-1.1.1l-r0
 libstdc++-10.3.1_git20210424-r2
 libtasn1-4.17.0-r0
 libunistring-0.9.10-r1
-libuuid-2.37.3-r0
+libuuid-2.37.4-r0
 libwebp-1.2.0-r2
 libx11-1.7.2-r0
 libxau-1.0.9-r0
From 7c5005f9ada0c715999535a2735aee76d5fc2ae7 Mon Sep 17 00:00:00 2001
From: LinuxServer-CI
Date: Thu, 24 Feb 2022 06:18:30 +0100
Subject: [PATCH 10/21] Bot Updating Package Versions
---
 package_versions.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package_versions.txt b/package_versions.txt
index a061b11..40254df 100755
--- a/package_versions.txt
+++ b/package_versions.txt
@@ -13,7 +13,7 @@ ca-certificates-20211220-r0
 ca-certificates-bundle-20211220-r0
 coreutils-8.32-r2
 curl-7.79.1-r0
-expat-2.4.4-r0
+expat-2.4.5-r0
 fail2ban-0.11.2-r0
 freetype-2.10.4-r1
 gdbm-1.19-r0
From 555b2837cba0886cf98960a9bc62bfcfe83f7505 Mon Sep 17 00:00:00 2001
From: LinuxServer-CI Date: Wed, 2 Mar 2022 00:56:48 +0100 Subject: [PATCH 11/21] Bot Updating Package Versions --- package_versions.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package_versions.txt b/package_versions.txt index 40254df..56c8ed3 100755 --- a/package_versions.txt +++ b/package_versions.txt @@ -13,7 +13,7 @@ ca-certificates-20211220-r0 ca-certificates-bundle-20211220-r0 coreutils-8.32-r2 curl-7.79.1-r0 -expat-2.4.5-r0 +expat-2.4.6-r0 fail2ban-0.11.2-r0 freetype-2.10.4-r1 gdbm-1.19-r0 From de3b43cb62090baf9bba48a5073b96dd03501900 Mon Sep 17 00:00:00 2001 From: EVOTk <45015615+EVOTk@users.noreply.github.com> Date: Wed, 9 Mar 2022 21:59:49 +0100 Subject: [PATCH 12/21] add nginx unauthorized in Using fail2ban section --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 936f1a2..c49dfd3 100644 --- a/README.md +++ b/README.md @@ -103,11 +103,12 @@ This will *ask* Google et al not to index and list your site. Be careful with th ### Using fail2ban -* This container includes fail2ban set up with 4 jails by default: +* This container includes fail2ban set up with 5 jails by default: 1. nginx-http-auth 2. nginx-badbots 3. nginx-botsearch 4. nginx-deny + 5. nginx-unauthorized * To enable or disable other jails, modify the file `/config/fail2ban/jail.local` * To modify filters and actions, instead of editing the `.conf` files, create `.local` files with the same name and edit those because .conf files get overwritten when the actions and filters are updated. `.local` files will append whatever's in the `.conf` files (ie. `nginx-http-auth.conf` --> `nginx-http-auth.local`) * You can check which jails are active via `docker exec -it swag fail2ban-client status` From 1fbae23bcf65d3e516ec26fab3eae094b8f73350 Mon Sep 17 00:00:00 2001 
From: LinuxServer-CI
Date: Thu, 10 Mar 2022 06:19:39 +0100
Subject: [PATCH 13/21] Bot Updating Package Versions
---
 package_versions.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package_versions.txt b/package_versions.txt
index 56c8ed3..d377285 100755
--- a/package_versions.txt
+++ b/package_versions.txt
@@ -13,14 +13,14 @@ ca-certificates-20211220-r0
 ca-certificates-bundle-20211220-r0
 coreutils-8.32-r2
 curl-7.79.1-r0
-expat-2.4.6-r0
+expat-2.4.7-r0
 fail2ban-0.11.2-r0
 freetype-2.10.4-r1
 gdbm-1.19-r0
 git-2.32.0-r0
 git-perl-2.32.0-r0
 glib-2.68.3-r0
-gmp-6.2.1-r0
+gmp-6.2.1-r1
 gnupg-2.2.31-r0
 gnutls-3.7.1-r0
 icu-libs-67.1-r2
From a5389c3f409e5c56c10ed548985baedf15192c43 Mon Sep 17 00:00:00 2001
From: LinuxServer-CI
Date: Wed, 16 Mar 2022 21:57:12 +0100
Subject: [PATCH 14/21] Bot Updating Package Versions
---
 package_versions.txt | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/package_versions.txt b/package_versions.txt
index d377285..416c483 100755
--- a/package_versions.txt
+++ b/package_versions.txt
@@ -34,7 +34,7 @@ libbsd-0.11.3-r0
 libbz2-1.0.8-r1
 libc-utils-0.7.2-r3
 libcap-2.50-r0
-libcrypto1.1-1.1.1l-r0
+libcrypto1.1-1.1.1n-r0
 libcurl-7.79.1-r0
 libedit-20210216.3.1-r0
 libevent-2.1.12-r2
@@ -68,7 +68,7 @@ libseccomp-2.5.1-r2
 libsecret-0.20.4-r1
 libsm-1.2.3-r0
 libsodium-1.0.18-r0
-libssl1.1-1.1.1l-r0
+libssl1.1-1.1.1n-r0
 libstdc++-10.3.1_git20210424-r2
 libtasn1-4.17.0-r0
 libunistring-0.9.10-r1
@@ -79,9 +79,9 @@ libxau-1.0.9-r0
 libxcb-1.14-r2
 libxdmcp-1.1.3-r0
 libxext-1.3.4-r0
-libxml2-2.9.12-r1
+libxml2-2.9.13-r0
 libxpm-3.5.13-r0
-libxslt-1.1.34-r1
+libxslt-1.1.35-r0
 libxt-1.2.1-r0
 libzip-1.7.3-r2
 linux-pam-1.5.1-r1
From cf8cfd4241452561b15d008937f120d7825feff0 Mon Sep 17 00:00:00 2001
From: LinuxServer-CI
Date: Thu, 24 Mar 2022 06:19:17 +0100
Subject: [PATCH 15/21] Bot Updating Package Versions
---
 package_versions.txt | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/package_versions.txt b/package_versions.txt
index 416c483..3bf85e0 100755
--- a/package_versions.txt
+++ b/package_versions.txt
@@ -1,6 +1,6 @@
 alpine-baselayout-3.2.0-r16
 alpine-keys-2.4-r0
-apache2-utils-2.4.52-r0
+apache2-utils-2.4.53-r0
 apk-tools-2.12.7-r0
 apr-1.7.0-r0
 apr-util-1.6.1-r7
@@ -60,10 +60,10 @@ libnftnl-libs-1.2.0-r0
 libpng-1.6.37-r1
 libpq-13.6-r0
 libproc-3.3.17-r0
-libressl3.3-libcrypto-3.3.3-r0
-libressl3.3-libssl-3.3.3-r0
+libressl3.3-libcrypto-3.3.6-r0
+libressl3.3-libssl-3.3.6-r0
 libretls-3.3.3p1-r2
-libsasl-2.1.27-r12
+libsasl-2.1.28-r0
 libseccomp-2.5.1-r2
 libsecret-0.20.4-r1
 libsm-1.2.3-r0
@@ -118,7 +118,7 @@ nginx-mod-stream-geoip2-1.20.2-r0
 nginx-vim-1.20.2-r0
 npth-1.6-r0
 oniguruma-6.9.7.1-r0
-openssl-1.1.1l-r0
+openssl-1.1.1n-r0
 p11-kit-0.23.22-r0
 pcre-8.44-r0
 pcre2-10.36-r0
From 2272c3037a642262009bd9b3db0b1f4fdec3273a Mon Sep 17 00:00:00 2001
From: EVOTk <45015615+EVOTk@users.noreply.github.com>
Date: Fri, 25 Mar 2022 22:51:17 +0100
Subject: [PATCH 16/21] Update readme-vars.yml
---
 readme-vars.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/readme-vars.yml b/readme-vars.yml
index a033ea4..398e48e 100755
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -120,11 +120,12 @@ app_setup_block: | ### Using fail2ban - * This container includes fail2ban set up with 4 jails by default: + * This container includes fail2ban set up with 5 jails by default: 1. nginx-http-auth 2. nginx-badbots 3. nginx-botsearch 4. nginx-deny + 5. nginx-unauthorized * To enable or disable other jails, modify the file `/config/fail2ban/jail.local` * To modify filters and actions, instead of editing the `.conf` files, create `.local` files with the same name and edit those because .conf files get overwritten when the actions and filters are updated. `.local` files will append whatever's in the `.conf` files (ie. `nginx-http-auth.conf` --> `nginx-http-auth.local`) * You can check which jails are active via `docker exec -it swag fail2ban-client status` From 5501308aed695ef3880423bef8a3e92529afc65f Mon Sep 17 00:00:00 2001 From: James Stewart Miller Date: Sat, 26 Mar 2022 20:46:39 +0000 Subject: [PATCH 17/21] Update 50-config create fail2ban unauthorized.log added code to test for existence of unauthorized.log and create it if not exists. /config/log/nginx/unauthorized.log is written to by addition of nginx-unauthorized jail in jail.local at (https://github.com/linuxserver/docker-swag/blob/master/root/defaults/jail.local) --- root/etc/cont-init.d/50-config | 2 ++ 1 file changed, 2 insertions(+) diff --git a/root/etc/cont-init.d/50-config b/root/etc/cont-init.d/50-config index abe45b1..f003e3c 100644 --- a/root/etc/cont-init.d/50-config +++ b/root/etc/cont-init.d/50-config @@ -366,6 +366,8 @@ fi touch /config/log/nginx/error.log [[ ! -f /config/log/nginx/access.log ]] && \ touch /config/log/nginx/access.log +[[ ! -f /config/log/nginx/unauthorized.log ]] && \ + touch /config/log/nginx/unauthorized.log # permissions chown -R abc:abc \ From 9821740d65b5468627cd61b9db8323e70f7a11fb Mon Sep 17 00:00:00 2001 
From: James Stewart Miller Date: Mon, 28 Mar 2022 21:57:19 +0100 Subject: [PATCH 18/21] Update readme-vars.yml added changelog --- readme-vars.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/readme-vars.yml b/readme-vars.yml index a033ea4..a6dcf01 100755 --- a/readme-vars.yml +++ b/readme-vars.yml @@ -154,6 +154,7 @@ app_setup_nginx_reverse_proxy_block: "" # changelog changelogs: + - { date: "28.03.22:", desc: "created a logfile for fail2ban nginx-unauthorized in /etc/cont-init.d/50-config" } - { date: "09.01.22:", desc: "Added a fail2ban jail for nginx unauthorized" } - { date: "21.12.21:", desc: "Fixed issue with iptables not working as expected" } - { date: "30.11.21:", desc: "Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind)" } From 7eb8f7999ee8d6623046b365449538761a02c866 Mon Sep 17 00:00:00 2001 From: LinuxServer-CI Date: Mon, 28 Mar 2022 16:35:42 -0500 Subject: [PATCH 19/21] Bot Updating Templated Files --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 936f1a2..694d081 100644 --- a/README.md +++ b/README.md @@ -330,6 +330,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64 ## Versions +* **28.03.22:** - created a logfile for fail2ban nginx-unauthorized in /etc/cont-init.d/50-config * **09.01.22:** - Added a fail2ban jail for nginx unauthorized * **21.12.21:** - Fixed issue with iptables not working as expected * **30.11.21:** - Move maxmind to a [new mod](https://github.com/linuxserver/docker-mods/tree/swag-maxmind) From b28eed1263ed7a175309f16377fab12ae14d8741 Mon Sep 17 00:00:00 2001 From: LinuxServer-CI Date: Mon, 28 Mar 2022 16:40:46 -0500 Subject: [PATCH 20/21] Bot Updating Package Versions --- package_versions.txt | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/package_versions.txt b/package_versions.txt index 3bf85e0..6d0b657 100755 --- a/package_versions.txt +++ b/package_versions.txt 
@@ -5,7 +5,7 @@ apk-tools-2.12.7-r0
 apr-1.7.0-r0
 apr-util-1.6.1-r7
 argon2-libs-20190702-r1
-bash-5.1.4-r0
+bash-5.1.16-r0
 brotli-libs-1.0.9-r5
 busybox-1.33.1-r6
 c-client-2007f-r11
@@ -62,7 +62,7 @@ libpq-13.6-r0
 libproc-3.3.17-r0
 libressl3.3-libcrypto-3.3.6-r0
 libressl3.3-libssl-3.3.6-r0
-libretls-3.3.3p1-r2
+libretls-3.3.3p1-r3
 libsasl-2.1.28-r0
 libseccomp-2.5.1-r2
 libsecret-0.20.4-r1
@@ -217,11 +217,11 @@ shadow-4.8.1-r0
 skalibs-2.10.0.3-r0
 sqlite-libs-3.35.5-r0
 ssl_client-1.33.1-r6
-tzdata-2021e-r0
+tzdata-2022a-r0
 unixodbc-2.3.9-r1
 utmps-0.1.0.2-r0
 whois-5.5.10-r0
 xz-5.2.5-r0
 xz-libs-5.2.5-r0
-zlib-1.2.11-r3
+zlib-1.2.12-r0
 zstd-libs-1.4.9-r1
From a9e53d5fc89e272ad7110ba6a32a73c43efe6455 Mon Sep 17 00:00:00 2001
From: LinuxServer-CI
Date: Tue, 5 Apr 2022 21:56:51 +0200
Subject: [PATCH 21/21] Bot Updating Package Versions
---
 package_versions.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/package_versions.txt b/package_versions.txt
index 6d0b657..db2145c 100755
--- a/package_versions.txt
+++ b/package_versions.txt
@@ -7,7 +7,7 @@ apr-util-1.6.1-r7
 argon2-libs-20190702-r1
 bash-5.1.16-r0
 brotli-libs-1.0.9-r5
-busybox-1.33.1-r6
+busybox-1.33.1-r7
 c-client-2007f-r11
 ca-certificates-20211220-r0
 ca-certificates-bundle-20211220-r0
@@ -216,7 +216,7 @@ scanelf-1.3.2-r0
 shadow-4.8.1-r0
 skalibs-2.10.0.3-r0
 sqlite-libs-3.35.5-r0
-ssl_client-1.33.1-r6
+ssl_client-1.33.1-r7
 tzdata-2022a-r0
 unixodbc-2.3.9-r1
 utmps-0.1.0.2-r0