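#!/bin/bash
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:$PATH

: '
Copyright (C) 2022 - now  HaoZi Technology Co., Ltd.

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published
by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License
along with this program.  If not, see <https://www.gnu.org/licenses/>.
'

# Installs fail2ban, writes a jail.local containing a single sshd jail, points
# that jail at the SSH port(s) and auth log of this host, then registers the
# app with the panel.
#
# Usage: <this script> <channel> <version>
#   $1 - channel, passed through to `panel-cli app write`
#   $2 - version, passed through to `panel-cli app write`

# Fetch the shared helper library first and only source it once the download
# has succeeded. `source <(curl ...)` returns 0 even when curl fails (the shell
# simply sources an empty stream), so the failure check has to look at curl's
# own exit status.
#
# NOTE(review): the helper is executed with this script's privileges and is
# authenticated by TLS only. Consider verifying it against a pinned checksum or
# signature before sourcing.
if ! public_sh="$(curl -f -s --connect-timeout 10 --retry 3 https://dl.cdn.haozi.net/panel/public.sh)"; then
  echo "下载 public.sh 失败,请检查网络或稍后重试。"
  echo "Download public.sh failed, please check the network or try again later."
  exit 1
fi
# shellcheck disable=SC1090
source <(printf '%s\n' "${public_sh}")

channel=${1}
version=${2}

# OS and error() are not defined in this file; presumably public.sh provides
# them and error() terminates the script. TODO confirm.
if [ "${OS}" == "rhel" ]; then
  dnf install -y fail2ban
elif [ "${OS}" == "debian" ] || [ "${OS}" == "ubuntu" ]; then
  apt-get install -y fail2ban
else
  error "不支持的操作系统"
fi
# $? here is the exit status of the package-manager command run above.
if [ "$?" != "0" ]; then
  error "fail2ban 安装失败"
fi

# Point fail2ban's own log at a fixed file, both in fail2ban.conf (where the
# setting may still be commented out) and in jail.conf.
sed -i 's!# logtarget.*!logtarget = /var/log/fail2ban.log!' /etc/fail2ban/fail2ban.conf
sed -i 's!logtarget\s*=.*!logtarget = /var/log/fail2ban.log!' /etc/fail2ban/jail.conf

# Write the local jail configuration. The delimiter is quoted so the body is
# taken literally. Defaults: ban for 600 s after 5 failures within 300 s; the
# ssh jail bans for 86400 s. Only loopback is exempt (ignoreip).
# action_mwl is fail2ban's "ban and mail a report with whois and log lines"
# action, so a working local mailer is presumably expected. TODO confirm.
# The "# ssh-START" / "# ssh-END" markers are part of the written file and are
# kept verbatim.
cat >/etc/fail2ban/jail.local <<'EOF'
[DEFAULT]
ignoreip = 127.0.0.1/8
bantime = 600
findtime = 300
maxretry = 5
banaction = firewallcmd-ipset
action = %(action_mwl)s

# ssh-START
[ssh]
enabled = true
filter = sshd
port = 22
maxretry = 5
findtime = 300
bantime = 86400
action = %(action_mwl)s
logpath = /var/log/secure
# ssh-END
EOF

# Replace the jail port with the port(s) sshd is configured to listen on.
# Only active (uncommented) "Port <number>" directives are accepted, so the
# value substituted into the sed expression below is always digits and commas.
# Several Port directives are joined with commas, which fail2ban accepts as a
# port list. If the jail watched the wrong port, bans would not cover the real
# SSH listener.
# NOTE(review): Port directives in files pulled in through "Include" are not
# seen here.
ssh_port=$(awk '
  tolower($1) == "port" && $2 ~ /^[0-9]+$/ {
    ports = ports (ports == "" ? "" : ",") $2
  }
  END { print ports }
' /etc/ssh/sshd_config)
if [ "${ssh_port}" == "" ]; then
  ssh_port="22"
fi
sed -i "s/port = 22/port = ${ssh_port}/g" /etc/fail2ban/jail.local

# Debian-family systems log SSH authentication to auth.log, not secure.
if [ "${OS}" == "debian" ] || [ "${OS}" == "ubuntu" ]; then
  sed -i "s/\/var\/log\/secure/\/var\/log\/auth.log/g" /etc/fail2ban/jail.local
fi

# Start fail2ban now and enable it at boot.
systemctl daemon-reload
systemctl unmask fail2ban
systemctl enable --now fail2ban

# Record the installed app, channel and version with the panel.
panel-cli app write fail2ban "${channel}" "${version}"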