Update firewall-update.sh

2026-02-05 08:18:28 -06:00 · 2025-08-23 14:58:34 +02:00
parent dadf5a7963
commit 178dbd9116
1 changed files with 89 additions and 19 deletions
--- a/Backend/multi/firewall-update.sh
+++ b/Backend/multi/firewall-update.sh
@@ -7,6 +7,14 @@ BLOCKLIST_DIR="/opt/Fail2Ban-Report/archive/blocklists"
 LOGFILE="/var/log/Fail2Ban-Report.log"
 LOGGING=true  # Set to true to enable logging

+# Server credentials
+CLIENT_USER="MyClientName"
+CLIENT_PASS="MyPassword"
+CLIENT_UUID="MyUUID"
+UPDATE_URL="https://my.server.tld/Fail2Ban-Report/endpoint/update.php"
+DOWNLOAD_URL="https://my.server.tld/Fail2Ban-Report/endpoint/download.php"
+BACKSYNC_URL="https://my.server.tld/Fail2Ban-Report/endpoint/backsync.php"
+
 # --- Set PATH ---
 export PATH="/usr/sbin:/usr/bin:/sbin:/bin"

@@ -18,30 +26,61 @@ log() {
 }

 # --- Check prerequisites ---
-if ! command -v jq &>/dev/null; then
-  log "ERROR: jq is not installed."
-  exit 1
+for cmd in jq ufw curl; do
+  if ! command -v "$cmd" &>/dev/null; then
+    log "ERROR: $cmd is not installed."
+    exit 1
+  fi
+done
+
+# --- Step 0: Check for updates ---
+log "Checking for blocklist updates..."
+UPDATE_RESPONSE=$(curl -s -X POST "$UPDATE_URL" \
+  -F "username=$CLIENT_USER" \
+  -F "password=$CLIENT_PASS" \
+  -F "uuid=$CLIENT_UUID")
+
+HAS_UPDATES=$(echo "$UPDATE_RESPONSE" | jq -r '.updates // false')
+
+if [ "$HAS_UPDATES" = "true" ]; then
+  log "Updates available. Waiting 10 seconds before download..."
+  sleep 10
+
+  # --- Step 1: Download blocklists ---
+  log "Downloading updated blocklists..."
+  curl -s -X POST "$DOWNLOAD_URL" \
+    -F "username=$CLIENT_USER" \
+    -F "password=$CLIENT_PASS" \
+    -F "uuid=$CLIENT_UUID" \
+    -o "$BLOCKLIST_DIR/$(date +%Y%m%d)_blocklists.tar.gz"
+
+  if [ -s "$BLOCKLIST_DIR/$(date +%Y%m%d)_blocklists.tar.gz" ]; then
+    log "Extracting downloaded blocklists..."
+    tar -xzf "$BLOCKLIST_DIR/$(date +%Y%m%d)_blocklists.tar.gz" -C "$BLOCKLIST_DIR"
+    rm "$BLOCKLIST_DIR/$(date +%Y%m%d)_blocklists.tar.gz"
+  else
+    log "WARNING: Downloaded blocklists file is empty."
+  fi
+
+  # Small pause before applying firewall rules
+  sleep 5
+else
+  log "No blocklist updates available. Proceeding with local firewall update."
 fi

-if ! command -v ufw &>/dev/null; then
-  log "ERROR: ufw is not installed."
-  exit 1
-fi
-
-# --- Get currently blocked IPs from UFW ---
+# --- Step 2: Apply firewall rules (existing logic) ---
 TMP_BLOCKED="/tmp/current_ufw_blocklist.txt"
 ufw status numbered | grep "DENY IN" | awk '{print $3}' > "$TMP_BLOCKED" || true

-# --- Loop through all blocklist files ---
 for FILE in "$BLOCKLIST_DIR"/*.blocklist.json; do
-  [ -e "$FILE" ] || continue  # skip if no files match
+  [ -e "$FILE" ] || continue

  JAIL_NAME=$(basename "$FILE" .blocklist.json)
  LOCKFILE="/tmp/${JAIL_NAME}.blocklist.lock"

  log "Processing blocklist: $FILE"

-  # === Acquire lock ===
+  # Acquire lock
  exec {lock_fd}>"$LOCKFILE"
  if ! flock -x "$lock_fd"; then
    log "ERROR: Could not acquire lock for $JAIL_NAME"
@@ -54,7 +93,7 @@ for FILE in "$BLOCKLIST_DIR"/*.blocklist.json; do

  blocked_success=()

-  # --- BLOCK: Collect all new IPs and block them ---
+  # BLOCK active IPs
  for ip in "${active_ips[@]}"; do
    if ! grep -qw "$ip" "$TMP_BLOCKED"; then
      log "Blocking IP: $ip"
@@ -66,13 +105,13 @@ for FILE in "$BLOCKLIST_DIR"/*.blocklist.json; do
    fi
  done

-  # Reload UFW once after all block actions
+  # Reload UFW if needed
  if ((${#blocked_success[@]} > 0)); then
    log "Reloading UFW after block actions"
    ufw reload
  fi

-  # --- UNBLOCK: Process each inactive IP individually ---
+  # UNBLOCK inactive IPs
  for ip in "${inactive_ips[@]}"; do
    mapfile -t rules < <(ufw status numbered | grep "$ip" | grep "DENY IN" | tac)
    for rule in "${rules[@]}"; do
@@ -84,7 +123,7 @@ for FILE in "$BLOCKLIST_DIR"/*.blocklist.json; do
    done
  done

-  # --- JSON Update: pending=false for blocked_success, remove inactive entries ---
+  # Update JSON: pending=false for blocked_success, remove inactive
  tmp_file=$(mktemp)
  BLOCK_JSON=$(printf '%s\n' "${blocked_success[@]:-}" | jq -R . | jq -s .)
  jq --argjson ips "$BLOCK_JSON" '
@@ -94,15 +133,46 @@ for FILE in "$BLOCKLIST_DIR"/*.blocklist.json; do
    | map(select(.active != false))
  ' "$FILE" > "$tmp_file" && mv "$tmp_file" "$FILE"

-  # Set ownership and permissions
  chown www-data:www-data "$FILE"
  chmod 644 "$FILE"

-  # === Release lock ===
+  # Release lock
  flock -u "$lock_fd"
  exec {lock_fd}>&-
 done

-log "All blocklists processed successfully."
+log "Firewall rules applied successfully."

+# --- Step 3: Backsync updated blocklists ---
+if [ "$HAS_UPDATES" = "true" ]; then
+  log "Uploading updated blocklists to server (backsync)..."
+  for FILE in "$BLOCKLIST_DIR"/*.blocklist.json; do
+    [ -e "$FILE" ] || continue
+
+    response=$(curl -s -w "\n%{http_code}" -X POST "$BACKSYNC_URL" \
+      -F "username=$CLIENT_USER" \
+      -F "password=$CLIENT_PASS" \
+      -F "uuid=$CLIENT_UUID" \
+      -F "file=@$FILE" || true)
+
+    http_code=$(tail -n1 <<< "$response")
+    body=$(sed '$d' <<< "$response")
+
+    if [ "$http_code" -ne 200 ]; then
+      log "ERROR: Upload failed for $FILE (HTTP $http_code)"
+      continue
+    fi
+
+    success=$(echo "$body" | jq -r '.success // empty')
+    if [ "$success" != "true" ]; then
+      message=$(echo "$body" | jq -r '.message // empty')
+      log "ERROR: Server rejected blocklist $FILE: $message"
+      continue
+    fi
+
+    log "Backsync succeeded for $FILE"
+  done
+fi
+
+log "Blocklist update workflow completed successfully."
 exit 0