From abdf28004c2ae5c44f8ac0e0efc22ca1d42d33ed Mon Sep 17 00:00:00 2001
From: James Blair
Date: Wed, 8 Jan 2020 15:23:04 +1300
Subject: [PATCH] Added fail2ban setup to post-install.txt.
---
 post-install.txt | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
diff --git a/post-install.txt b/post-install.txt
index c91bf62..b25cb1d 100755
--- a/post-install.txt
+++ b/post-install.txt
@@ -5,3 +5,44 @@ if [ "${PIPESTATUS[0]}" -eq 0 ]; then
 else
 echo "FAILED !"
 fi
+
+echo "Restarting ssh daemon..."
+eval chroot /rootfs /user/bin/systemctl restart ssh 2>&1 | output_filter
+if [ "${PIPESTATUS[0]}" -eq 0 ]; then
+ echo "OK"
+else
+ echo "FAILED !"
+fi
+
+echo "Ensure fail2ban service is enabled..."
+eval chroot /rootfs /user/bin/systemctl enable fail2ban 2>&1 | output_filter
+if [ "${PIPESTATUS[0]}" -eq 0 ]; then
+ echo "OK"
+else
+ echo "FAILED !"
+fi
+
+echo "Configure fail2ban ssh jail..."
+eval chroot /rootfs /user/bin/touch /etc/fail2ban/jail.local 2>&1 | output_filter
+eval chroot /rootfs /user/bin/echo '[ssh]' >> /etc/fail2ban/jail.local 2>&1 | output_filter
+eval chroot /rootfs /user/bin/echo 'enabled=true' >> /etc/fail2ban/jail.local 2>&1 | output_filter
+eval chroot /rootfs /user/bin/echo 'port=2122' >> /etc/fail2ban/jail.local 2>&1 | output_filter
+eval chroot /rootfs /user/bin/echo 'filter=sshd' >> /etc/fail2ban/jail.local 2>&1 | output_filter
+eval chroot /rootfs /user/bin/echo 'logpath=/var/log/auth.log' >> /etc/fail2ban/jail.local 2>&1 | output_filter
+eval chroot /rootfs /user/bin/echo 'bantime=1800' >> /etc/fail2ban/jail.local 2>&1 | output_filter
+eval chroot /rootfs /user/bin/echo 'banaction=iptables-allports' >> /etc/fail2ban/jail.local 2>&1 | output_filter
+eval chroot /rootfs /user/bin/echo 'findtime=900' >> /etc/fail2ban/jail.local 2>&1 | output_filter
+eval chroot /rootfs /user/bin/echo 'maxretry=3' >> /etc/fail2ban/jail.local 2>&1 | output_filter
+if [ "${PIPESTATUS[0]}" -eq 0 ]; then
+ echo "OK"
+else
+ echo "FAILED !"
+fi
+
+echo "Restart fail2ban service..."
+eval chroot /rootfs /user/bin/systemctl restart fail2ban 2>&1 | output_filter
+if [ "${PIPESTATUS[0]}" -eq 0 ]; then
+ echo "OK"
+else
+ echo "FAILED !"
+fi
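Review bot: The `>> /etc/fail2ban/jail.local` appends in the "Configure fail2ban ssh jail" block are redirections opened by the installer shell, not inside the chroot, so the jail is written to the installer's own /etc rather than under /rootfs; the installed system would then likely come up with SSH reachable and no ban rule in place. Because `2>&1` follows the file redirection, nothing reaches `output_filter` on those lines either. Only the last pipeline's `PIPESTATUS[0]` is tested, so a failure on any earlier line of the block can still print OK. Every added command also calls `/user/bin/...`, which looks like a typo for `/usr/bin/...`; if the target has no /user/bin, each chroot call fails before doing anything. Writing the file once through the /rootfs prefix, as below, leaves a single status to check.

```shell
echo "Configure fail2ban ssh jail..."
# The redirection is opened by the installer shell, so the target carries the /rootfs prefix.
{
    cat >> /rootfs/etc/fail2ban/jail.local <<'EOF'
[ssh]
enabled=true
port=2122
filter=sshd
logpath=/var/log/auth.log
bantime=1800
banaction=iptables-allports
findtime=900
maxretry=3
EOF
} 2>&1 | output_filter
# … unchanged: PIPESTATUS check and OK / FAILED report …
```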