- Name of the jail has to be less than 29 characters for an iptables/nft chain
to be created.
- Make the regular expressions more specific to avoid matching incorrect fields
for <HOST>.
- Added journalmatch to improve performance by matching the regular expressions
against only specific journal entries.
Tests:
- Run setup.py, remove the old jail and filter files. Restart fail2ban and make
10 incorrect login attempts. The IP address gets banned for 10 minutes.
- Not run: Build new freedombox package and upgrade from older version to see
that old configuration files have been removed.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- I tested the changes with the VirtualBox image with a bridged network adapter.
After ten failed authentication attempts, my IP got blocked as expected.
- This setup uses apache's logs to filter the attempts. A wordpress
[plugin](https://wordpress.org/plugins/wp-fail2ban/) exists for redirecting the
logs to syslog, but that needs to be packaged.
Signed-off-by: nbenedek <contact@nbenedek.me>
[sunil: Drop logpath as logs are expected to go to journald]
[sunil: Update regex to match only failures and not successful logins]
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Closes: #2244.
This patch disabled xmlrpc.php functionality entirely. For interacting with
WordPress using app, the new REST API functionality is recommended. However, for
the Pingback API XML-RPC is still a necessity. If this is an important feature
for FreedomBox users, we intend to re-enable XML-RPC functionality in WordPress.
Signed-off-by: nbenedek <contact@nbenedek.me>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
Based on work by Benedek Nagy at:
https://salsa.debian.org/freedombox-team/freedombox/-/merge_requests/2198
Tests:
- Install WordPress without this patch. Then switch to code with this patch.
Restart FreedomBox. WordPress setup should get executed and the setup version
should get incremented to 2. The configuration file should contain the include
line for freedombox-static.php. freedombox-static.php should be installed and
should contain the line for setting FS_METHOD to 'direct'.
- Uninstall WordPress and wipe everything. Install WordPress freshly using this
patch. The line to include freedombox-static.php should be present in the
default configuration file. freedombox-static.php should be installed and should
contain the line for setting FS_METHOD to 'direct'.
- Installing a new theme using a URL and setting the default theme to the new
theme should work.
- Installing a plugin and enabling it should work.
- Installing an older version of a plugin and then updating it should work.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- This avoids attempting to run the service soon after FreedomBox is installed.
Tests:
- When old freedombox.deb is installed, the service is enabled. When upgraded to
newer .deb with the changes, the service is still enabled but no start attempt
is made by systemd.
- After installation of WordPress, the service is running as expected.
- On a fresh installation, WordPress service is working as expected.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
This is now the preferred location in Debian. See:
https://lintian.debian.org/tags/systemd-service-in-odd-locationhttps://bugs.debian.org/992465https://bugs.debian.org/987989d70caa69c6https://lists.debian.org/debian-devel/2021/08/msg00275.html
Tests:
- Lintian no longer shows errors:
E: freedombox: systemd-service-in-odd-location lib/.../calibre-server-freedombox.service
- Comparing the old .deb and newly generated .deb with these changes. All the
systemd files show that they are moved from /lib to /usr/lib/systemd.
- After upgrading the deb from older version to a version these changes,
services installed by the package are available (tested after restart with
wordpress and claibre). Services tweaked by the package have the changed
configuration reflected as shown by systemctl show
{service-name}.service (tested after restart with quassel).
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Use php-fpm instead of using mod-php.
- Create database and setup permissions manually. Tables and initial data are
created during the initial setup process done by WordPress. Database upgrades
are handled by WordPress. Minor versions are upgraded automatically and major
version need user intervention.
- Backup/restore functionality including database.
- Install recommended extensions for performance.
- Setup and run cron jobs to ensure that scheduled publications are
completed (among other things). Service has systemd security features. Timer is
set to run every 10 minutes.
- Functional tests for adding/removing posts and backup/restore.
- Increase file upload size limit to 128MiB.
- A private mode (default) for keeping the setup process secure. Should be
disabled after first setup is completed. This uses a new approach using
file-based flag for different Apache configurations.
TODO:
- Find a nice way to allow WordPress to upload plugins/themes. Currently this
operation files and users are expected to manually scp the files to
/var/lib/wordpress/wp-content/{plugins,themes} directory.
Tests:
- Functional tests.
- Schedule publishing of a post. Notice that post got published.
- Test uploading a file larger than 2MiB.
- Test enabling permalinks. This leads to nicer looking URLs.
- Test adding images to posts/pages.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
