From 95f2d372d8e47844d9f21e34d6dafe804dc19ef3 Mon Sep 17 00:00:00 2001
From: nbenedek
Date: Sat, 24 Sep 2022 17:43:22 +0200
Subject: [PATCH] matrix: Add fail2ban jail

Test:
- Setup Matrix on a VPS with a FQDN and a valid LE certificate, then add these configs to fail2ban.
- On a production server apply the changes of MR !2296
- Setup the fail2ban filter and jail, then restart fail2ban
- Trying to log in unsuccessfully from FluffyChat leads to a 10 min ban
Result: `sudo fail2ban-client status matrix-synapse-auth-freedombox` returns the following output, but the server actually remains accessible in every way.
```
Status for the jail: matrix-synapse-auth-freedombox
|- Filter
| |- Currently failed: 1
| |- Total failed: 11
| `- Journal matches:
`- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: MY IP
```
Signed-off-by: nbenedek
---
 .../data/etc/fail2ban/filter.d/matrix-auth-freedombox.conf | 7 +++++++
 .../data/etc/fail2ban/jail.d/matrix-auth-freedombox.conf | 4 ++++
 2 files changed, 11 insertions(+)
 create mode 100644 plinth/modules/matrixsynapse/data/etc/fail2ban/filter.d/matrix-auth-freedombox.conf
 create mode 100644 plinth/modules/matrixsynapse/data/etc/fail2ban/jail.d/matrix-auth-freedombox.conf

diff --git a/plinth/modules/matrixsynapse/data/etc/fail2ban/filter.d/matrix-auth-freedombox.conf b/plinth/modules/matrixsynapse/data/etc/fail2ban/filter.d/matrix-auth-freedombox.conf
new file mode 100644
index 000000000..498135e3d
--- /dev/null
+++ b/plinth/modules/matrixsynapse/data/etc/fail2ban/filter.d/matrix-auth-freedombox.conf
@@ -0,0 +1,7 @@
+[INCLUDES]
+before = common.conf
+
+[Definition]
+_daemon = apache-access
+prefregex = %(__prefix_line)s
+failregex = \S+ - \S+ \[[^\]]*\] "POST /_matrix/client/.*/login HTTP/\S+" 403
diff --git a/plinth/modules/matrixsynapse/data/etc/fail2ban/jail.d/matrix-auth-freedombox.conf b/plinth/modules/matrixsynapse/data/etc/fail2ban/jail.d/matrix-auth-freedombox.conf
new file mode 100644
index 000000000..3fb52a559
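Review bot: As rendered here, the failregex on the last line of the hunk has no `<HOST>` (or `<ADDR>`) group, so fail2ban has no address to extract from the access-log line and nothing it can ban; the first `\S+` is Apache's `%h` field and should carry the tag, e.g. `failregex = ^<HOST> - \S+ \[[^\]]*\] "POST /_matrix/client/[^ "]*/login HTTP/\S+" 403`. That anchored form only works together with a content group on the line above, `prefregex = ^%(__prefix_line)s<F-CONTENT>.+</F-CONTENT>$`; as written, `prefregex = %(__prefix_line)s` merely requires the journal prefix to be present and the failregex is still run unanchored against the whole line. If the tag is present in the committed file and was only lost in this rendering, disregard that part. If Apache runs behind another reverse proxy, `%h` is the proxy's address and the jail would ban the proxy rather than the client, which deserves a comment in the file. A short header comment stating that the filter parses Apache access-log lines read from the journal under `SYSLOG_IDENTIFIER=apache-access`, plus one sample line verified with `fail2ban-regex`, would make the pattern maintainable.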
--- /dev/null
+++ b/plinth/modules/matrixsynapse/data/etc/fail2ban/jail.d/matrix-auth-freedombox.conf
@@ -0,0 +1,4 @@
+[matrix-auth-freedombox]
+enabled = true
+port = http,https
+journalmatch = SYSLOG_IDENTIFIER=apache-access
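Review bot: The jail sets `journalmatch` but no `backend`, and `journalmatch` is only honoured by the systemd backend; under any other backend the key is ignored and, with no `logpath` given, the jail fails to start, so add `backend = systemd` explicitly unless a global default is guaranteed elsewhere (not visible in this patch). The status output in the commit description shows an empty `Journal matches:` line and names the jail `matrix-synapse-auth-freedombox`, while this hunk defines `[matrix-auth-freedombox]`, so the recorded test appears to have run against a differently named configuration and should be repeated with the committed names, checking `fail2ban-client get matrix-auth-freedombox journalmatch`. The description also reports that the server stayed reachable after the ban was recorded; that points at the ban action or the address family rather than the filter, and is worth resolving before merge. Retry and ban thresholds are left to the global defaults; a comment such as `# maxretry/findtime/bantime inherited from [DEFAULT]`, or explicit values, would make the policy reviewable. If the Matrix client API is also served on port 8448, `port = http,https` leaves that path unaffected by the ban.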