diff --git a/docs/config.md b/docs/config.md
index 90e63e19..5316d01f 100644
--- a/docs/config.md
+++ b/docs/config.md
@@ -345,6 +345,7 @@ to maintain the client connection and the connection to ntfy.
 worker_connections 40500;
 }
 ```
+
 === "/etc/systemd/system/nginx.service.d/override.conf"
 ```
 # Allow 40,000 proxy connections (2x of the desired ntfy connection count;
@@ -353,6 +354,50 @@ to maintain the client connection and the connection to ntfy.
 LimitNOFILE=40500
 ```
 
+### Banning bad actors (fail2ban)
+If you put stuff on the Internet, bad actors will try to break them or break in. [fail2ban](https://www.fail2ban.org/)
+and nginx's [ngx_http_limit_req_module module](http://nginx.org/en/docs/http/ngx_http_limit_req_module.html) can be used
+to ban client IPs if they misbehave. This is on top of the [rate limiting](#rate-limiting) inside the ntfy server.
+
+Here's an example for how ntfy.sh is configured, following the instructions from two tutorials ([here](https://easyengine.io/tutorials/nginx/fail2ban/)
+and [here](https://easyengine.io/tutorials/nginx/block-wp-login-php-bruteforce-attack/)):
+
+=== "/etc/nginx/nginx.conf"
+ ```
+ http {
+ limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
+ }
+ ```
+
+=== "/etc/nginx/sites-enabled/ntfy.sh"
+ ```
+ # For each server/location block
+ server {
+ location / {
+ limit_req zone=one burst=1000 nodelay;
+ }
+ }
+ ```
+
+=== "/etc/fail2ban/filter.d/nginx-req-limit.conf"
+ ```
+ [Definition]
+ failregex = limiting requests, excess:.* by zone.*client:
+ ignoreregex =
+ ```
+
+=== "/etc/fail2ban/jail.local"
+ ```
+ [nginx-req-limit]
+ enabled = true
+ filter = nginx-req-limit
+ action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
+ logpath = /var/log/nginx/error.log
+ findtime = 600
+ bantime = 7200
+ maxretry = 10
+ ```
+
 ## Config options
 Each config option can be set in the config file `/etc/ntfy/server.yml` (e.g. `listen-http: :80`) or as a CLI option
 (e.g. `--listen-http :80`. Here's a list of all available options. Alternatively, you can set an environment
diff --git a/scripts/postinst.sh b/scripts/postinst.sh
index 4287e0ce..04cc91e5 100755
--- a/scripts/postinst.sh
+++ b/scripts/postinst.sh
@@ -6,33 +6,34 @@ set -e
 #
 # TODO: This is only tested on Debian.
 #
-if [ "$1" = "configure" ] && [ -d /run/systemd/system ]; then
- # Create ntfy user/group
- id ntfy >/dev/null 2>&1 || useradd --system --no-create-home ntfy
- chown ntfy.ntfy /var/cache/ntfy
- chmod 700 /var/cache/ntfy
+if [ "$1" = "configure" ] || [ "$1" -ge 1 ]; then
+ if [ -d /run/systemd/system ]; then
+ # Create ntfy user/group
+ id ntfy >/dev/null 2>&1 || useradd --system --no-create-home ntfy
+ chown ntfy.ntfy /var/cache/ntfy
+ chmod 700 /var/cache/ntfy
 
- # Hack to change permissions on cache file
- configfile="/etc/ntfy/server.yml"
- if [ -f "$configfile" ]; then
- cachefile="$(cat "$configfile" | perl -n -e'/^\s*cache-file: ["'"'"']?([^"'"'"']+)["'"'"']?/ && print $1')" # Oh my, see #47
- if [ -n "$cachefile" ]; then
- chown ntfy.ntfy "$cachefile" || true
- chmod 600 "$cachefile" || true
+ # Hack to change permissions on cache file
+ configfile="/etc/ntfy/server.yml"
+ if [ -f "$configfile" ]; then
+ cachefile="$(cat "$configfile" | perl -n -e'/^\s*cache-file: ["'"'"']?([^"'"'"']+)["'"'"']?/ && print $1')" # Oh my, see #47
+ if [ -n "$cachefile" ]; then
+ chown ntfy.ntfy "$cachefile" || true
+ chmod 600 "$cachefile" || true
+ fi
 fi
- fi
 
- # Restart services
- systemctl --system daemon-reload >/dev/null || true
- if systemctl is-active -q ntfy.service; then
- echo "Restarting ntfy.service ..."
- if [ -x /usr/bin/deb-systemd-invoke ]; then
- deb-systemd-invoke try-restart ntfy.service >/dev/null || true
- else
- systemctl restart ntfy.service >/dev/null || true
+ # Restart services
+ systemctl --system daemon-reload >/dev/null || true
+ if systemctl is-active -q ntfy.service; then
+ echo "Restarting ntfy.service ..."
+ if [ -x /usr/bin/deb-systemd-invoke ]; then
+ deb-systemd-invoke try-restart ntfy.service >/dev/null || true
+ else
+ systemctl restart ntfy.service >/dev/null || true
+ fi
 fi
- fi
- if systemctl is-active -q ntfy-client.service; then
+ if systemctl is-active -q ntfy-client.service; then
 echo "Restarting ntfy-client.service ..."
 if [ -x /usr/bin/deb-systemd-invoke ]; then
 deb-systemd-invoke try-restart ntfy-client.service >/dev/null || true
@@ -40,4 +41,5 @@ if [ "$1" = "configure" ] && [ -d /run/systemd/system ]; then
 systemctl restart ntfy-client.service >/dev/null || true
 fi
 fi
+ fi
 fi
diff --git a/scripts/postrm.sh b/scripts/postrm.sh
index f34f6534..10b2fd95 100755
--- a/scripts/postrm.sh
+++ b/scripts/postrm.sh
@@ -2,7 +2,7 @@
 set -e
 
 # Delete the config if package is purged
-if [ "$1" = "purge" ]; then
+if [ "$1" = "purge" ] || [ "$1" = "0" ]; then
 id ntfy >/dev/null 2>&1 && userdel ntfy
 rm -f /etc/ntfy/server.yml /etc/ntfy/client.yml
 rmdir /etc/ntfy || true
diff --git a/scripts/preinst.sh b/scripts/preinst.sh
index d09528c4..1a40f1a7 100755
--- a/scripts/preinst.sh
+++ b/scripts/preinst.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e
 
-if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then
+if [ "$1" = "install" ] || [ "$1" = "upgrade" ] || [ "$1" -ge 1 ]; then
 # Migration of old to new config file name
 oldconfigfile="/etc/ntfy/config.yml"
 configfile="/etc/ntfy/server.yml"
diff --git a/scripts/prerm.sh b/scripts/prerm.sh
index f3668550..91068180 100755
--- a/scripts/prerm.sh
+++ b/scripts/prerm.sh
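Review bot: The new outer guard `[ "$1" -ge 1 ]` in postinst.sh is reached with non-numeric arguments on Debian, where dpkg also invokes postinst with `abort-upgrade`, `abort-remove` and `abort-deconfigure`; `[` then prints an integer-comparison error to stderr and returns 2, which skips the block as intended but leaves a spurious error line in the dpkg output on every aborted operation. The preinst.sh hunk further down introduces the same pattern (dpkg passes `abort-upgrade` there too). Silence the diagnostic and record why a number is being compared at all, e.g. `if [ "$1" = "configure" ] || [ "$1" -ge 1 ] 2>/dev/null; then  # dpkg: "configure"; rpm: install count (1 = first install, 2+ = upgrade)`. While the block is being re-indented, the `chown ntfy.ntfy` lines could also move to the POSIX `ntfy:ntfy` form, since the dot separator is ambiguous for user names containing a dot. The enclosing `if` block continues past the end of this hunk and is closed in the @@ -40 hunk.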
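Review bot: The `[ "$1" = "0" ]` alternative added to the purge condition in postrm.sh is undocumented and changes what "purge" means on rpm: "0" is not a dpkg postrm argument but the rpm %postun count for the last remaining instance, and rpm has no remove/purge distinction, so on rpm this branch deletes `/etc/ntfy/server.yml` and `/etc/ntfy/client.yml` and removes the `ntfy` user on every uninstall, whereas dpkg keeps them on a plain `remove`. Worth stating next to the condition, e.g. `# dpkg: "purge"; rpm: "0" = last instance uninstalled (rpm has no purge, so config is deleted on uninstall)`. On Debian, postrm also runs with `upgrade`, `remove`, `failed-upgrade` and the `abort-*` arguments, none of which match, so the dpkg behaviour appears unchanged.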
@@ -2,11 +2,13 @@ set -e # Stop systemd service -if [ -d /run/systemd/system ] && [ "$1" = remove ]; then - echo "Stopping ntfy.service ..." - if [ -x /usr/bin/deb-systemd-invoke ]; then - deb-systemd-invoke stop 'ntfy.service' >/dev/null || true - else - systemctl stop ntfy >/dev/null 2>&1 || true +if [ -d /run/systemd/system ]; then + if [ "$1" = "remove" ] || [ "$1" = "0" ]; then + echo "Stopping ntfy.service ..." + if [ -x /usr/bin/deb-systemd-invoke ]; then + deb-systemd-invoke stop 'ntfy.service' >/dev/null || true + else + systemctl stop ntfy >/dev/null 2>&1 || true + fi fi fi
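Review bot: The new inner condition `[ "$1" = "remove" ] || [ "$1" = "0" ]` mixes two packaging vocabularies without saying so; a comment above it such as `# dpkg passes "remove" (not "upgrade", where postinst restarts instead); rpm %preun passes 0 for the last instance` would save the next maintainer a lookup. The restructured block also keeps `systemctl stop ntfy >/dev/null 2>&1 || true` naming the unit without its `.service` suffix while the echo and the `deb-systemd-invoke` branch use `ntfy.service`; systemctl resolves both to the same unit, but `systemctl stop ntfy.service` would make the three consistent. Only `ntfy.service` is stopped here although postinst restarts `ntfy-client.service` as well; this looks intentional but may be worth a one-line comment.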