From 88586c8f8623150014acb4d82eb5b876dd511cf5 Mon Sep 17 00:00:00 2001
From: Christian Meis
Date: Wed, 5 Jan 2022 13:32:15 +0100
Subject: [PATCH 1/6] Adjust RPM scriptlets to work on RHEL-flavour OSes, too.

---
 scripts/postinst.sh | 2 +-
 scripts/postrm.sh | 2 +-
 scripts/preinst.sh | 2 +-
 scripts/prerm.sh | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/scripts/postinst.sh b/scripts/postinst.sh
index 4287e0ce..4e47ea66 100755
--- a/scripts/postinst.sh
+++ b/scripts/postinst.sh
@@ -6,7 +6,7 @@ set -e
 #
 # TODO: This is only tested on Debian.
 #
-if [ "$1" = "configure" ] && [ -d /run/systemd/system ]; then
+if ( [ "$1" = "configure" ] || [ "$1" = "1" ] ) && [ -d /run/systemd/system ]; then
 # Create ntfy user/group
 id ntfy >/dev/null 2>&1 || useradd --system --no-create-home ntfy
 chown ntfy.ntfy /var/cache/ntfy
diff --git a/scripts/postrm.sh b/scripts/postrm.sh
index f34f6534..10b2fd95 100755
--- a/scripts/postrm.sh
+++ b/scripts/postrm.sh
@@ -2,7 +2,7 @@
 set -e
 
 # Delete the config if package is purged
-if [ "$1" = "purge" ]; then
+if [ "$1" = "purge" ] || [ "$1" = "0" ]; then
 id ntfy >/dev/null 2>&1 && userdel ntfy
 rm -f /etc/ntfy/server.yml /etc/ntfy/client.yml
 rmdir /etc/ntfy || true
diff --git a/scripts/preinst.sh b/scripts/preinst.sh
index d09528c4..6918a14e 100755
--- a/scripts/preinst.sh
+++ b/scripts/preinst.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e
 
-if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then
+if [ "$1" = "install" ] || [ "$1" = "upgrade" ] || [ "$1" = "1" ]; then
 # Migration of old to new config file name
 oldconfigfile="/etc/ntfy/config.yml"
 configfile="/etc/ntfy/server.yml"
diff --git a/scripts/prerm.sh b/scripts/prerm.sh
index f3668550..fc026191 100755
--- a/scripts/prerm.sh
+++ b/scripts/prerm.sh
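Review bot: The retained context line `# TODO: This is only tested on Debian.` no longer describes this script once the same `if` accepts both dpkg's `configure` word and rpm's numeric `$1`, and nothing in the hunk explains where the `"1"` comes from. Replace the TODO with a comment stating the two calling conventions, e.g. `# dpkg passes the action as a word ("configure"); rpm passes the install count (1 = fresh install, 2+ = upgrade)`, so the next reader does not take `"1"` for a typo. The `if` block continues past the end of the hunk.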
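Review bot: `[ "$1" = "0" ]` widens the `purge` branch to every final rpm erase, because rpm has no remove/purge distinction: on a RHEL host a plain uninstall now runs `userdel ntfy` and `rm -f /etc/ntfy/server.yml /etc/ntfy/client.yml`, whereas the dpkg path keeps both on `remove`. If that is intended, say so on the comment line above, e.g. `# Delete the config and user if the package is purged (dpkg) or erased for good (rpm, $1 = 0)`. Note also that `userdel ntfy` leaves any files still owned by its former numeric uid in place — this hunk removes the config files but nothing under /var/cache/ntfy, which the postinst hunk makes ntfy-owned — so a later system account assigned the same uid would inherit them; removing or re-owning that directory here avoids that, unless the rest of the script, which is outside the hunk, already does.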
@@ -2,7 +2,7 @@
 set -e
 
 # Stop systemd service
-if [ -d /run/systemd/system ] && [ "$1" = remove ]; then
+if [ -d /run/systemd/system ] && ( [ "$1" = remove ] || [ "$1" = "0" ] ); then
 echo "Stopping ntfy.service ..."
 if [ -x /usr/bin/deb-systemd-invoke ]; then
 deb-systemd-invoke stop 'ntfy.service' >/dev/null || true
From 523e037900c7312ac6a549c3cd9ef0887dbd7674 Mon Sep 17 00:00:00 2001
From: Christian Meis
Date: Wed, 5 Jan 2022 14:43:25 +0100
Subject: [PATCH 2/6] Switch from parentheses to nested if statements for the RPM scriptlets.

---
 scripts/postinst.sh | 48 +++++++++++++++++++++++----------------------
 scripts/prerm.sh | 14 +++++++------
 2 files changed, 33 insertions(+), 29 deletions(-)

diff --git a/scripts/postinst.sh b/scripts/postinst.sh
index 4e47ea66..1a3b2764 100755
--- a/scripts/postinst.sh
+++ b/scripts/postinst.sh
@@ -6,33 +6,34 @@ set -e
 #
 # TODO: This is only tested on Debian.
 #
-if ( [ "$1" = "configure" ] || [ "$1" = "1" ] ) && [ -d /run/systemd/system ]; then
- # Create ntfy user/group
- id ntfy >/dev/null 2>&1 || useradd --system --no-create-home ntfy
- chown ntfy.ntfy /var/cache/ntfy
- chmod 700 /var/cache/ntfy
+if [ "$1" = "configure" ] || [ "$1" = "1" ]; then
+ if [ -d /run/systemd/system ]; then
+ # Create ntfy user/group
+ id ntfy >/dev/null 2>&1 || useradd --system --no-create-home ntfy
+ chown ntfy.ntfy /var/cache/ntfy
+ chmod 700 /var/cache/ntfy
 
- # Hack to change permissions on cache file
- configfile="/etc/ntfy/server.yml"
- if [ -f "$configfile" ]; then
- cachefile="$(cat "$configfile" | perl -n -e'/^\s*cache-file: ["'"'"']?([^"'"'"']+)["'"'"']?/ && print $1')" # Oh my, see #47
- if [ -n "$cachefile" ]; then
- chown ntfy.ntfy "$cachefile" || true
- chmod 600 "$cachefile" || true
+ # Hack to change permissions on cache file
+ configfile="/etc/ntfy/server.yml"
+ if [ -f "$configfile" ]; then
+ cachefile="$(cat "$configfile" | perl -n -e'/^\s*cache-file: ["'"'"']?([^"'"'"']+)["'"'"']?/ && print $1')" # Oh my, see #47
+ if [ -n "$cachefile" ]; then
+ chown ntfy.ntfy "$cachefile" || true
+ chmod 600 "$cachefile" || true
+ fi
 fi
- fi
 
- # Restart services
- systemctl --system daemon-reload >/dev/null || true
- if systemctl is-active -q ntfy.service; then
- echo "Restarting ntfy.service ..."
- if [ -x /usr/bin/deb-systemd-invoke ]; then
- deb-systemd-invoke try-restart ntfy.service >/dev/null || true
- else
- systemctl restart ntfy.service >/dev/null || true
+ # Restart services
+ systemctl --system daemon-reload >/dev/null || true
+ if systemctl is-active -q ntfy.service; then
+ echo "Restarting ntfy.service ..."
+ if [ -x /usr/bin/deb-systemd-invoke ]; then
+ deb-systemd-invoke try-restart ntfy.service >/dev/null || true
+ else
+ systemctl restart ntfy.service >/dev/null || true
+ fi
 fi
- fi
- if systemctl is-active -q ntfy-client.service; then
+ if systemctl is-active -q ntfy-client.service; then
 echo "Restarting ntfy-client.service ..."
 if [ -x /usr/bin/deb-systemd-invoke ]; then
 deb-systemd-invoke try-restart ntfy-client.service >/dev/null || true
@@ -40,4 +41,5 @@ if ( [ "$1" = "configure" ] || [ "$1" = "1" ] ) && [ -d /run/systemd/system ]; t
 systemctl restart ntfy-client.service >/dev/null || true
 fi
 fi
+ fi
 fi
diff --git a/scripts/prerm.sh b/scripts/prerm.sh
index fc026191..f26af7a7 100755
--- a/scripts/prerm.sh
+++ b/scripts/prerm.sh
@@ -2,11 +2,13 @@
 set -e
 
 # Stop systemd service
-if [ -d /run/systemd/system ] && ( [ "$1" = remove ] || [ "$1" = "0" ] ); then
- echo "Stopping ntfy.service ..."
- if [ -x /usr/bin/deb-systemd-invoke ]; then
- deb-systemd-invoke stop 'ntfy.service' >/dev/null || true
- else
- systemctl stop ntfy >/dev/null 2>&1 || true
+if [ -d /run/systemd/system ]; then
+ if [ "$1" = remove ] || [ "$1" = "0" ]; then
+ echo "Stopping ntfy.service ..."
+ if [ -x /usr/bin/deb-systemd-invoke ]; then
+ deb-systemd-invoke stop 'ntfy.service' >/dev/null || true
+ else
+ systemctl stop ntfy >/dev/null 2>&1 || true
+ fi
 fi
 fi
From 8f7b61291f6ac4786593a2a5aa2151bdcff8b669 Mon Sep 17 00:00:00 2001
From: Christian Meis
Date: Wed, 5 Jan 2022 14:44:02 +0100
Subject: [PATCH 3/6] Add quotes

---
 scripts/prerm.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/prerm.sh b/scripts/prerm.sh
index f26af7a7..91068180 100755
--- a/scripts/prerm.sh
+++ b/scripts/prerm.sh
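Review bot: The new outer/inner split still gates the account and permission setup on systemd: `useradd`, `chown ntfy.ntfy /var/cache/ntfy` and `chmod 700 /var/cache/ntfy` sit inside `if [ -d /run/systemd/system ]`, so on a host or build chroot where that directory is absent the package ends up with no `ntfy` user and a cache directory left at its packaged ownership and mode. Since this commit re-nests the whole body anyway, the user/permission steps and the cache-file fixup belong directly under the `$1` check, with only `daemon-reload` and the restarts behind the systemd test. The second hunk of this file holds the closing `fi` lines, which would move with the block.
```shell
if [ "$1" = "configure" ] || [ "$1" = "1" ]; then
  # Create ntfy user/group (needed whatever the init system is)
  id ntfy >/dev/null 2>&1 || useradd --system --no-create-home ntfy
  chown ntfy.ntfy /var/cache/ntfy
  chmod 700 /var/cache/ntfy

  # … unchanged: cache-file permission hack (configfile/cachefile block) …

  # Only the service handling depends on systemd being present
  if [ -d /run/systemd/system ]; then
    systemctl --system daemon-reload >/dev/null || true
    # … unchanged: ntfy.service and ntfy-client.service restart blocks, closing fi in next hunk …
```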
@@ -3,7 +3,7 @@ set -e
 
 # Stop systemd service
 if [ -d /run/systemd/system ]; then
- if [ "$1" = remove ] || [ "$1" = "0" ]; then
+ if [ "$1" = "remove" ] || [ "$1" = "0" ]; then
 echo "Stopping ntfy.service ..."
 if [ -x /usr/bin/deb-systemd-invoke ]; then
 deb-systemd-invoke stop 'ntfy.service' >/dev/null || true
From 9b2ddabca9130d61d67fc41dc43fe0ea24075290 Mon Sep 17 00:00:00 2001
From: Christian Meis
Date: Wed, 5 Jan 2022 15:47:24 +0100
Subject: [PATCH 4/6] Corrected RPM scriptlets to actually restart the systemd service on a package upgrade.

---
 scripts/postinst.sh | 2 +-
 scripts/preinst.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/postinst.sh b/scripts/postinst.sh
index 1a3b2764..55752eaf 100755
--- a/scripts/postinst.sh
+++ b/scripts/postinst.sh
@@ -6,7 +6,7 @@ set -e
 #
 # TODO: This is only tested on Debian.
 #
-if [ "$1" = "configure" ] || [ "$1" = "1" ]; then
+if [ "$1" = "configure" ] || [ "$1" -gt 1 ]; then
 if [ -d /run/systemd/system ]; then
 # Create ntfy user/group
 id ntfy >/dev/null 2>&1 || useradd --system --no-create-home ntfy
diff --git a/scripts/preinst.sh b/scripts/preinst.sh
index 6918a14e..805cd2b3 100755
--- a/scripts/preinst.sh
+++ b/scripts/preinst.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e
 
-if [ "$1" = "install" ] || [ "$1" = "upgrade" ] || [ "$1" = "1" ]; then
+if [ "$1" = "install" ] || [ "$1" = "upgrade" ] || [ "$1" -gt 1 ]; then
 # Migration of old to new config file name
 oldconfigfile="/etc/ntfy/config.yml"
 configfile="/etc/ntfy/server.yml"
From 814690e66b48d362d4295204427df0279771d622 Mon Sep 17 00:00:00 2001
From: Christian Meis
Date: Wed, 5 Jan 2022 16:00:27 +0100
Subject: [PATCH 5/6] One more correction to RPM scriptlets

---
 scripts/postinst.sh | 2 +-
 scripts/preinst.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/scripts/postinst.sh b/scripts/postinst.sh
index 55752eaf..04cc91e5 100755
--- a/scripts/postinst.sh
+++ b/scripts/postinst.sh
@@ -6,7 +6,7 @@ set -e
 #
 # TODO: This is only tested on Debian.
 #
-if [ "$1" = "configure" ] || [ "$1" -gt 1 ]; then
+if [ "$1" = "configure" ] || [ "$1" -ge 1 ]; then
 if [ -d /run/systemd/system ]; then
 # Create ntfy user/group
 id ntfy >/dev/null 2>&1 || useradd --system --no-create-home ntfy
diff --git a/scripts/preinst.sh b/scripts/preinst.sh
index 805cd2b3..1a40f1a7 100755
--- a/scripts/preinst.sh
+++ b/scripts/preinst.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e
 
-if [ "$1" = "install" ] || [ "$1" = "upgrade" ] || [ "$1" -gt 1 ]; then
+if [ "$1" = "install" ] || [ "$1" = "upgrade" ] || [ "$1" -ge 1 ]; then
 # Migration of old to new config file name
 oldconfigfile="/etc/ntfy/config.yml"
 configfile="/etc/ntfy/server.yml"
From f397456703e93c4837695ebfbb196c9e3e6b2b87 Mon Sep 17 00:00:00 2001
From: Philipp Heckel
Date: Thu, 6 Jan 2022 15:03:07 +0100
Subject: [PATCH 6/6] fail2ban docs

---
 docs/config.md | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/docs/config.md b/docs/config.md
index 90e63e19..5316d01f 100644
--- a/docs/config.md
+++ b/docs/config.md
@@ -345,6 +345,7 @@ to maintain the client connection and the connection to ntfy.
 worker_connections 40500;
 }
 ```
+
 === "/etc/systemd/system/nginx.service.d/override.conf"
 ```
 # Allow 40,000 proxy connections (2x of the desired ntfy connection count;
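Review bot: `[ "$1" -ge 1 ]` is evaluated whenever the first test fails, and dpkg also calls postinst with non-numeric actions (`abort-upgrade`, `abort-remove`, `abort-deconfigure`), for which `[` prints an "integer expression expected" diagnostic to stderr and returns 2; the `if` only treats that as false, so behaviour is unchanged but every rolled-back upgrade now logs a spurious error. The preinst hunk in this patch has the same problem with `abort-upgrade`, and both tests also misfire if `$1` is ever empty. Decide by shape before comparing numerically, e.g. `case "$1" in configure|[0-9]*) ;; *) exit 0 ;; esac` ahead of the postinst `if` (with `install|upgrade|[0-9]*` in preinst), assuming nothing after these `if` blocks — which end outside the hunks — needs to run for the abort actions; at minimum silence the numeric test with `2>/dev/null`.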
@@ -353,6 +354,50 @@ to maintain the client connection and the connection to ntfy.
 LimitNOFILE=40500
 ```
 
+### Banning bad actors (fail2ban)
+If you put stuff on the Internet, bad actors will try to break them or break in. [fail2ban](https://www.fail2ban.org/)
+and nginx's [ngx_http_limit_req_module module](http://nginx.org/en/docs/http/ngx_http_limit_req_module.html) can be used
+to ban client IPs if they misbehave. This is on top of the [rate limiting](#rate-limiting) inside the ntfy server.
+
+Here's an example for how ntfy.sh is configured, following the instructions from two tutorials ([here](https://easyengine.io/tutorials/nginx/fail2ban/)
+and [here](https://easyengine.io/tutorials/nginx/block-wp-login-php-bruteforce-attack/)):
+
+=== "/etc/nginx/nginx.conf"
+ ```
+ http {
+ limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
+ }
+ ```
+
+=== "/etc/nginx/sites-enabled/ntfy.sh"
+ ```
+ # For each server/location block
+ server {
+ location / {
+ limit_req zone=one burst=1000 nodelay;
+ }
+ }
+ ```
+
+=== "/etc/fail2ban/filter.d/nginx-req-limit.conf"
+ ```
+ [Definition]
+ failregex = limiting requests, excess:.* by zone.*client:
+ ignoreregex =
+ ```
+
+=== "/etc/fail2ban/jail.local"
+ ```
+ [nginx-req-limit]
+ enabled = true
+ filter = nginx-req-limit
+ action = iptables-multiport[name=ReqLimit, port="http,https", protocol=tcp]
+ logpath = /var/log/nginx/error.log
+ findtime = 600
+ bantime = 7200
+ maxretry = 10
+ ```
+
 ## Config options
 Each config option can be set in the config file `/etc/ntfy/server.yml` (e.g. `listen-http: :80`) or as a CLI option (e.g. `--listen-http :80`. Here's a list of all available options. Alternatively, you can set an environment