Add nextcloud and format configs

nemchik · web-flow · commit 302275f14bb0 · 2022-07-17T23:16:27.000Z
diff --git a/README.md b/README.md
@@ -92,17 +92,18 @@ services:
       - /path/to/gitea/gitea.log:/remotelogs/gitea/gitea.log:ro #optional
       - /path/to/homeassistant/home-assistant.log:/remotelogs/homeassistant/home-assistant.log:ro #optional
       - /path/to/lighttpd/error.log:/remotelogs/lighttpd/error.log:ro #optional
+      - /path/to/nextcloud/nextcloud.log:/remotelogs/nextcloud/nextcloud.log:ro #optional
       - /path/to/nginx/log:/remotelogs/nginx:ro #optional
-      - /path/to/nzbget/log:/remotelogs/nzbget:ro #optional
+      - /path/to/nzbget/nzbget.log:/remotelogs/nzbget/nzbget.log:ro #optional
       - /path/to/overseerr/overseerr.log:/remotelogs/overseerr/overseerr.log:ro #optional
       - /path/to/prowlarr/prowlarr.txt:/remotelogs/prowlarr/prowlarr.txt:ro #optional
       - /path/to/radarr/radarr.txt:/remotelogs/radarr/radarr.txt:ro #optional
       - /path/to/roundcube/errors:/remotelogs/roundcube/errors:ro #optional
-      - /path/to/sabnzbd/log:/remotelogs/sabnzbd:ro #optional
+      - /path/to/sabnzbd/sabnzbd.log:/remotelogs/sabnzbd/sabnzbd.log:ro #optional
       - /path/to/sonarr/sonarr.txt:/remotelogs/sonarr/sonarr.txt:ro #optional
       - /path/to/unificontroller/server.log:/remotelogs/unificontroller/server.log:ro #optional
       - /path/to/vaultwarden/vaultwarden.log:/remotelogs/vaultwarden/vaultwarden.log:ro #optional
-      - /path/to/vsftpd.log:/remotelogs/vsftpd.log:ro #optional
+      - /path/to/vsftpd/vsftpd.log:/remotelogs/vsftpd/vsftpd.log:ro #optional
     restart: unless-stopped
 ```
 
@@ -126,17 +127,18 @@ docker run -d \
   -v /path/to/gitea/gitea.log:/remotelogs/gitea/gitea.log:ro `#optional` \
   -v /path/to/homeassistant/home-assistant.log:/remotelogs/homeassistant/home-assistant.log:ro `#optional` \
   -v /path/to/lighttpd/error.log:/remotelogs/lighttpd/error.log:ro `#optional` \
+  -v /path/to/nextcloud/nextcloud.log:/remotelogs/nextcloud/nextcloud.log:ro `#optional` \
   -v /path/to/nginx/log:/remotelogs/nginx:ro `#optional` \
-  -v /path/to/nzbget/log:/remotelogs/nzbget:ro `#optional` \
+  -v /path/to/nzbget/nzbget.log:/remotelogs/nzbget/nzbget.log:ro `#optional` \
   -v /path/to/overseerr/overseerr.log:/remotelogs/overseerr/overseerr.log:ro `#optional` \
   -v /path/to/prowlarr/prowlarr.txt:/remotelogs/prowlarr/prowlarr.txt:ro `#optional` \
   -v /path/to/radarr/radarr.txt:/remotelogs/radarr/radarr.txt:ro `#optional` \
   -v /path/to/roundcube/errors:/remotelogs/roundcube/errors:ro `#optional` \
-  -v /path/to/sabnzbd/log:/remotelogs/sabnzbd:ro `#optional` \
+  -v /path/to/sabnzbd/sabnzbd.log:/remotelogs/sabnzbd/sabnzbd.log:ro `#optional` \
   -v /path/to/sonarr/sonarr.txt:/remotelogs/sonarr/sonarr.txt:ro `#optional` \
   -v /path/to/unificontroller/server.log:/remotelogs/unificontroller/server.log:ro `#optional` \
   -v /path/to/vaultwarden/vaultwarden.log:/remotelogs/vaultwarden/vaultwarden.log:ro `#optional` \
-  -v /path/to/vsftpd.log:/remotelogs/vsftpd.log:ro `#optional` \
+  -v /path/to/vsftpd/vsftpd.log:/remotelogs/vsftpd/vsftpd.log:ro `#optional` \
   --restart unless-stopped \
   lscr.io/linuxserver/fail2ban:latest
 ```
@@ -162,17 +164,18 @@ Container images are configured using parameters passed at runtime (such as thos
 | `-v /remotelogs/gitea/gitea.log:ro` | Path to gitea log file. Mounted as Read Only. |
 | `-v /remotelogs/homeassistant/home-assistant.log:ro` | Path to homeassistant log file. Mounted as Read Only. |
 | `-v /remotelogs/lighttpd/error.log:ro` | Path to lighttpd error log file. Mounted as Read Only. |
+| `-v /remotelogs/nextcloud/nextcloud.log:ro` | Path to nextcloud log file. Mounted as Read Only. |
 | `-v /remotelogs/nginx:ro` | Path to nginx log folder. Mounted as Read Only. |
-| `-v /remotelogs/nzbget:ro` | Path to nzbget log folder. Mounted as Read Only. |
+| `-v /remotelogs/nzbget/nzbget.log:ro` | Path to nzbget log file. Mounted as Read Only. |
 | `-v /remotelogs/overseerr/overseerr.log:ro` | Path to overseerr log file. Mounted as Read Only. |
 | `-v /remotelogs/prowlarr/prowlarr.txt:ro` | Path to prowlarr log file. Mounted as Read Only. |
 | `-v /remotelogs/radarr/radarr.txt:ro` | Path to radarr log file. Mounted as Read Only. |
 | `-v /remotelogs/roundcube/errors:ro` | Path to roundcube error log file. Mounted as Read Only. |
-| `-v /remotelogs/sabnzbd:ro` | Path to nzbget log folder. Mounted as Read Only. |
+| `-v /remotelogs/sabnzbd/sabnzbd.log:ro` | Path to sabnzbd log file. Mounted as Read Only. |
 | `-v /remotelogs/sonarr/sonarr.txt:ro` | Path to sonarr log file. Mounted as Read Only. |
 | `-v /remotelogs/unificontroller/server.log:ro` | Path to unificontroller server log file. Mounted as Read Only. |
 | `-v /remotelogs/vaultwarden/vaultwarden.log:ro` | Path to vaultwarden log file. Mounted as Read Only. |
-| `-v /remotelogs/vsftpd.log:ro` | Path to vsftpd log file. Mounted as Read Only. |
+| `-v /remotelogs/vsftpd/vsftpd.log:ro` | Path to vsftpd log file. Mounted as Read Only. |
 
 ## Environment variables from files (Docker secrets)
 
diff --git a/readme-vars.yml b/readme-vars.yml
@@ -45,17 +45,18 @@ opt_param_volumes:
   - { vol_path: "/remotelogs/gitea/gitea.log:ro", vol_host_path: "/path/to/gitea/gitea.log", desc: "Path to gitea log file. Mounted as Read Only." }
   - { vol_path: "/remotelogs/homeassistant/home-assistant.log:ro", vol_host_path: "/path/to/homeassistant/home-assistant.log", desc: "Path to homeassistant log file. Mounted as Read Only." }
   - { vol_path: "/remotelogs/lighttpd/error.log:ro", vol_host_path: "/path/to/lighttpd/error.log", desc: "Path to lighttpd error log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/nextcloud/nextcloud.log:ro", vol_host_path: "/path/to/nextcloud/nextcloud.log", desc: "Path to nextcloud log file. Mounted as Read Only." }
   - { vol_path: "/remotelogs/nginx:ro", vol_host_path: "/path/to/nginx/log", desc: "Path to nginx log folder. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/nzbget:ro", vol_host_path: "/path/to/nzbget/log", desc: "Path to nzbget log folder. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/nzbget/nzbget.log:ro", vol_host_path: "/path/to/nzbget/nzbget.log", desc: "Path to nzbget log file. Mounted as Read Only." }
   - { vol_path: "/remotelogs/overseerr/overseerr.log:ro", vol_host_path: "/path/to/overseerr/overseerr.log", desc: "Path to overseerr log file. Mounted as Read Only." }
   - { vol_path: "/remotelogs/prowlarr/prowlarr.txt:ro", vol_host_path: "/path/to/prowlarr/prowlarr.txt", desc: "Path to prowlarr log file. Mounted as Read Only." }
   - { vol_path: "/remotelogs/radarr/radarr.txt:ro", vol_host_path: "/path/to/radarr/radarr.txt", desc: "Path to radarr log file. Mounted as Read Only." }
   - { vol_path: "/remotelogs/roundcube/errors:ro", vol_host_path: "/path/to/roundcube/errors", desc: "Path to roundcube error log file. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/sabnzbd:ro", vol_host_path: "/path/to/sabnzbd/log", desc: "Path to nzbget log folder. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/sabnzbd/sabnzbd.log:ro", vol_host_path: "/path/to/sabnzbd/sabnzbd.log", desc: "Path to sabnzbd log file. Mounted as Read Only." }
   - { vol_path: "/remotelogs/sonarr/sonarr.txt:ro", vol_host_path: "/path/to/sonarr/sonarr.txt", desc: "Path to sonarr log file. Mounted as Read Only." }
   - { vol_path: "/remotelogs/unificontroller/server.log:ro", vol_host_path: "/path/to/unificontroller/server.log", desc: "Path to unificontroller server log file. Mounted as Read Only." }
   - { vol_path: "/remotelogs/vaultwarden/vaultwarden.log:ro", vol_host_path: "/path/to/vaultwarden/vaultwarden.log", desc: "Path to vaultwarden log file. Mounted as Read Only." }
-  - { vol_path: "/remotelogs/vsftpd.log:ro", vol_host_path: "/path/to/vsftpd.log", desc: "Path to vsftpd log file. Mounted as Read Only." }
+  - { vol_path: "/remotelogs/vsftpd/vsftpd.log:ro", vol_host_path: "/path/to/vsftpd/vsftpd.log", desc: "Path to vsftpd log file. Mounted as Read Only." }
 
 # application setup block
 app_setup_block_enabled: true
diff --git a/root/defaults/fail2ban/filter.d/airsonic-auth.conf b/root/defaults/fail2ban/filter.d/airsonic-auth.conf
@@ -6,6 +6,7 @@ before = common.conf
 [Definition]
 
 failregex = ^.*: Login failed from \[<HOST>\]$
+
 ignoreregex =
 
 datepattern = {^LN-BEG}
diff --git a/root/defaults/fail2ban/filter.d/filebrowser-auth.conf b/root/defaults/fail2ban/filter.d/filebrowser-auth.conf
@@ -6,4 +6,5 @@ before = common.conf
 [Definition]
 
 failregex = ^.*/api/login: 403 <HOST> \<nil\>.*$
+
 ignoreregex =
diff --git a/root/defaults/fail2ban/filter.d/gitea-auth.conf b/root/defaults/fail2ban/filter.d/gitea-auth.conf
@@ -6,4 +6,5 @@ before = common.conf
 [Definition]
 
 failregex = ^.*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>.*$
+
 ignoreregex =
diff --git a/root/defaults/fail2ban/filter.d/homeassistant-auth.conf b/root/defaults/fail2ban/filter.d/homeassistant-auth.conf
@@ -7,5 +7,7 @@ before = common.conf
 
 failregex = ^%(__prefix_line)s.*\[homeassistant.components.http.ban\] Login attempt or request with invalid authentication from <HOST>.*$
 
+ignoreregex =
+
 [Init]
 datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S
diff --git a/root/defaults/fail2ban/filter.d/nextcloud-auth.conf b/root/defaults/fail2ban/filter.d/nextcloud-auth.conf
@@ -0,0 +1,13 @@
+# Fail2Ban filter configuration for nextcloud
+
+[INCLUDES]
+before = common.conf
+
+[Definition]
+
+_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+
+failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
+            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
+
+datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
diff --git a/root/defaults/fail2ban/filter.d/nginx-418.conf b/root/defaults/fail2ban/filter.d/nginx-418.conf
@@ -4,9 +4,11 @@
 # Any attempt to brew coffee with a teapot should result in the error code "418 I'm a teapot". The resulting entity body MAY be short and stout.
 
 [INCLUDES]
+
 before = common.conf
 
 [Definition]
 
-failregex = ^<HOST>.*"(GET|POST).*" (418) .*$
+failregex = ^<HOST>.*"(GET|POST|HEAD).*" (418) .*$
+
 ignoreregex =
diff --git a/root/defaults/fail2ban/filter.d/nginx-unauthorized.conf b/root/defaults/fail2ban/filter.d/nginx-unauthorized.conf
@@ -0,0 +1,10 @@
+# Fail2Ban filter configuration for nginx unauthorized
+
+[INCLUDES]
+before = common.conf
+
+[Definition]
+
+failregex = ^<HOST>.*"(GET|POST|HEAD).*" (401) .*$
+
+ignoreregex = .*(?i)plex.*
diff --git a/root/defaults/fail2ban/filter.d/nzbget-auth.conf b/root/defaults/fail2ban/filter.d/nzbget-auth.conf
@@ -6,4 +6,5 @@ before = common.conf
 [Definition]
 
 failregex = ^.*WARNING	Request received on port .* from .* \(forwarded for: <HOST>.*\), but username .* or password invalid$
+
 ignoreregex =
diff --git a/root/defaults/fail2ban/filter.d/overseerr-auth.conf b/root/defaults/fail2ban/filter.d/overseerr-auth.conf
@@ -6,4 +6,5 @@ before = common.conf
 [Definition]
 
 failregex = ^.*\[info\]\[Auth\]\: Failed sign-in attempt.*"ip":"<HOST>".*$
+
 ignoreregex =
diff --git a/root/defaults/fail2ban/filter.d/sabnzbd-auth.conf b/root/defaults/fail2ban/filter.d/sabnzbd-auth.conf
@@ -6,4 +6,5 @@ before = common.conf
 [Definition]
 
 failregex = ^.*(Unsuccessful login attempt from|Refused connection( with hostname "<HOST>")? from:|(API Key missing|API Key incorrect|Authentication missing).* your 3rd party program:) (?:\(X-Forwarded-For: (<HOST>)(?:,[^']*)?\)|(<HOST>)) \[.*\]$
+
 ignoreregex =
diff --git a/root/defaults/fail2ban/filter.d/servarr-auth.conf b/root/defaults/fail2ban/filter.d/servarr-auth.conf
@@ -6,4 +6,5 @@ before = common.conf
 [Definition]
 
 failregex = ^.*\|Warn\|Auth\|Auth-Failure ip <HOST> username .*$
+
 ignoreregex =
diff --git a/root/defaults/fail2ban/filter.d/unifi-controller-auth.conf b/root/defaults/fail2ban/filter.d/unifi-controller-auth.conf
@@ -6,4 +6,5 @@ before = common.conf
 [Definition]
 
 failregex = ^(.*)Failed admin login for (.*) from <HOST>$
+
 ignoreregex =
diff --git a/root/defaults/fail2ban/filter.d/unraid-webgui.conf b/root/defaults/fail2ban/filter.d/unraid-webgui.conf
@@ -6,4 +6,5 @@ before = common.conf
 [Definition]
 
 failregex = ^.*webGUI: Unsuccessful login user .* from <HOST>$
+
 ignoreregex =
diff --git a/root/defaults/fail2ban/filter.d/vaultwarden-auth.conf b/root/defaults/fail2ban/filter.d/vaultwarden-auth.conf
@@ -6,4 +6,5 @@ before = common.conf
 [Definition]
 
 failregex = ^.*(Username or password is incorrect\. Try again|Invalid admin token)\. IP: <HOST>.*$
+
 ignoreregex =
diff --git a/root/defaults/fail2ban/jail.d/filebrowser-auth.conf b/root/defaults/fail2ban/jail.d/filebrowser-auth.conf
@@ -1,6 +1,7 @@
 # Fail2Ban jail configuration for filebrowser
 # Requires modification to Filebrowsers settings
 # https://filebrowser.org/cli/filebrowser#options
+
 # Enabling logs
 
 # -e 'FB_LOG'='/log/filebrowser.log'
diff --git a/root/defaults/fail2ban/jail.d/nextcloud-auth.conf b/root/defaults/fail2ban/jail.d/nextcloud-auth.conf
@@ -0,0 +1,16 @@
+# Fail2Ban jail configuration for nextcloud
+# Recommended modification to Nextcloud settings
+# https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/logging_configuration.html#file
+
+# Set the following in config.php
+
+# "log_type" => "file",
+# "logfile" => "/config/log/nextcloud/nextcloud.log",
+
+[nextcloud-auth]
+
+enabled  = false
+chain    = DOCKER-USER
+port     = http,https
+filter   = nextcloud-auth
+logpath  = %(remote_logs)s/nextcloud/nextcloud.log
diff --git a/root/defaults/fail2ban/jail.d/nginx-badbots.conf b/root/defaults/fail2ban/jail.d/nginx-badbots.conf
@@ -1,4 +1,5 @@
 # Fail2Ban jail configuration for nginx badbots
+# Works OOTB with defaults
 
 [nginx-badbots]
 
diff --git a/root/defaults/fail2ban/jail.d/nginx-deny.conf b/root/defaults/fail2ban/jail.d/nginx-deny.conf
@@ -1,4 +1,5 @@
 # Fail2Ban jail configuration for nginx deny
+# Works OOTB with defaults
 
 [nginx-deny]
 
diff --git a/root/defaults/fail2ban/jail.d/nginx-unauthorized.conf b/root/defaults/fail2ban/jail.d/nginx-unauthorized.conf
@@ -0,0 +1,10 @@
+# Fail2Ban jail configuration for nginx unauthorized
+# Works OOTB with defaults
+
+[nginx-unauthorized]
+
+enabled  = false
+chain    = DOCKER-USER
+port     = http,https
+filter   = nginx-unauthorized
+logpath  = %(nginx_unauthorized_log)s
diff --git a/root/defaults/fail2ban/jail.d/nzbget-auth.conf b/root/defaults/fail2ban/jail.d/nzbget-auth.conf
@@ -7,4 +7,4 @@ enabled  = false
 chain    = DOCKER-USER
 port     = 6789
 filter   = nzbget-auth
-logpath  = %(remote_logs)s/nzbget/nzbget*.log
+logpath  = %(remote_logs)s/nzbget/nzbget.log
diff --git a/root/defaults/fail2ban/jail.d/overseerr-auth.conf b/root/defaults/fail2ban/jail.d/overseerr-auth.conf
@@ -2,6 +2,8 @@
 # Requires modification to Overseerrs settings
 # https://docs.overseerr.dev/extending-overseerr/fail2ban
 
+# If you are running Overseerr behind a reverse proxy, make sure that the Enable Proxy Support setting is enabled.
+
 [overseerr-auth]
 
 enabled  = false
diff --git a/root/defaults/fail2ban/jail.d/vaultwarden-auth.conf b/root/defaults/fail2ban/jail.d/vaultwarden-auth.conf
@@ -1,7 +1,10 @@
 # Fail2Ban jail configuration for vaultwarden
 # Requires modification to Vaultwardens settings
-# https://github.com/dani-garcia/vaultwarden/wiki/Fail2Ban-Setup
-# Enabling logging
+# https://github.com/dani-garcia/vaultwarden/wiki/Logging#logging-to-a-file
+
+# Specify the path to the log file with the LOG_FILE environment variable
+
+# -e LOG_FILE=/data/vaultwarden.log
 
 [vaultwarden-auth]
 
diff --git a/root/defaults/fail2ban/paths-lsio.conf b/root/defaults/fail2ban/paths-lsio.conf
@@ -22,5 +22,6 @@ exim_main_log            = %(remote_logs)s/exim/mainlog
 lighttpd_error_log       = %(remote_logs)s/lighttpd/error.log
 nginx_access_log         = %(remote_logs)s/nginx/*access.log
 nginx_error_log          = %(remote_logs)s/nginx/*error.log
+nginx_unauthorized_log   = %(remote_logs)s/nginx/*unauthorized.log
 roundcube_errors_log     = %(remote_logs)s/roundcube/errors
-vsftpd_log               = %(remote_logs)s/vsftpd.log
+vsftpd_log               = %(remote_logs)s/vsftpd/vsftpd.log
