
Commit 1d8fccc

author
Nicolas Pernoud
committed
chore: updated dependencies
feat: added fail2ban side container example
1 parent 5d8b2db commit 1d8fccc


16 files changed

+634
-454
lines changed


README.md

Lines changed: 42 additions & 1 deletion
@@ -19,7 +19,7 @@ See [atrium.yaml](https://github.com/nicolaspernoud/atrium/blob/main/backend/atr
1919

2020
The `hostname` configuration can be overridden with the environment variable `MAIN_HOSTNAME`.
2121

22-
## DNS
22+
### DNS
2323

2424
Your DNS configuration should be as below :
2525
|Domain|Type|Target|
@@ -28,6 +28,47 @@ Your DNS configuration should be as below :
2828
|your.hostname|AAAA|Your machine IPv6|
2929
|\*.your.hostname|CNAME|your.hostname|
3030

31+
### Fail2ban
32+
33+
To block IPs that are trying to access files without authorization, you can use the provided fail2ban configuration, which runs in a Docker container.
34+
35+
#### Prerequisites
36+
37+
- Docker and Docker Compose must be installed on your system.
38+
39+
#### Installation & Configuration
40+
41+
1. **Navigate to the fail2ban directory:**
42+
43+
```bash
44+
cd scripts/fail2ban
45+
```
46+
47+
2. **Verify Configuration:**
48+
49+
- **Container:** Open `docker-compose.yml`. Alter the timezone and ensure the host side of the log volume mount (`/remotelogs/atrium`) points to your actual atrium log directory.
50+
```yaml
51+
environment:
52+
# ...
53+
- TZ=Europe/Paris # <- Alter the timezone to match the one of the server
54+
volumes:
55+
# ...
56+
- <path to atrium logs directory>:/remotelogs/atrium # <- Alter this path
57+
```
58+
- **Ignore IPs:** To prevent being locked out, add your own IP addresses to the `ignoreip` list in `jail.local`.
59+
```
60+
ignoreip = 127.0.0.1/8 ::1 YOUR.IP.HERE
61+
```
62+
63+
3. **Start the container:**
64+
65+
```bash
66+
./up.sh
67+
```
68+
69+
The fail2ban service will now monitor the atrium logs and automatically ban IPs that trigger the "FILE ACCESS DENIED" or the "AUTHENTICATION ERROR" rules.
70+
The new logs won't be added automatically, so use the reload.sh script a a crontab to load new log files : `crontab -e` => `10 * * * * /services/fail2ban/reload.sh >/dev/null 2>&1`
71+
3172
## Development
3273
3374
### Update main from development and set development to follow main

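--- a/backend/Cargo.toml
+++ b/backend/Cargo.toml
@@ -16,10 +16,10 @@ argon2 = { features = ["alloc", "password-hash"], default-features = false, vers
 async_zip = { features = ["deflate", "tokio"], default-features = false, version = "0.0.18" }
 async-stream = "0.3.6"
 async-walkdir = "2.1.0"
-aws-lc-rs = { version = "1.14.1", default-features = false, features = ["bindgen"] }
-axum = { version = "0.8.6", features = ["http2", "json", "query", "tokio"], default-features = false }
-axum-extra = { version = "0.10.3", features = ["cookie-private", "typed-header"], default-features = false }
-axum-server = { version = "0.7.2", default-features = false, features = ["tls-rustls"] }
+aws-lc-rs = { version = "1.15.0", default-features = false, features = ["bindgen"] }
+axum = { version = "0.8.7", features = ["http2", "json", "query", "tokio"], default-features = false }
+axum-extra = { version = "0.12.2", features = ["cookie-private", "typed-header"], default-features = false }
+axum-server = { version = "0.7.3", default-features = false, features = ["tls-rustls"] }
 base64ct = { version = "1.8.0", features = ["alloc"] }
 chacha20poly1305 = { version = "0.10.1", features = ["stream"], default-features = false }
 chrono = { default-features = false, version = "0.4.42" }
@@ -29,30 +29,30 @@ futures-util = { default-features = false, version = "0.3.31" }
 headers = "0.4.1"
 http = "1.3.1"
 http-body-util = "0.1.3"
-hyper = { version = "1.7.0", default-features = false }
+hyper = { version = "1.8.1", default-features = false }
 hyper-hickory = { version = "0.8.0", default-features = false, features = ["system-config", "tokio"] }
 hyper-rustls = { version = "0.27.7", features = ["aws-lc-rs", "http1", "http2", "tls12", "webpki-tokio"], default-features = false }
-hyper-util = { version = "0.1.17", features = ["client-legacy", "http1", "tokio"], default-features = false }
-jsonwebtoken = { version = "10", features = ["aws_lc_rs"], default-features = false }
+hyper-util = { version = "0.1.18", features = ["client-legacy", "http1", "tokio"], default-features = false }
+jsonwebtoken = { version = "10.2.0", features = ["aws_lc_rs"], default-features = false }
 maxminddb = "0.26.0"
 mime_guess = { default-features = false, version = "2.0.5" }
 oauth2 = { version = "5.0.0", default-features = false }
 percent-encoding = { default-features = false, version = "2.3.2" }
-quick-xml = "0.38.3"
+quick-xml = "0.38.4"
 rand = { default-features = false, version = "0.9.2", features = ["os_rng"] }
 rcgen = { version = "0.14.5", default-features = false, optional = true, features = ["aws_lc_rs", "crypto", "pem"] }
-rustls = { default-features = false, version = "0.23.32", features = ["aws_lc_rs"] }
+rustls = { default-features = false, version = "0.23.35", features = ["aws_lc_rs"] }
 rustls-acme = { version = "0.14.1", features = ["aws-lc-rs", "axum", "webpki-roots"], default-features = false }
-rustls-pki-types = { version = "1.12.0" }
+rustls-pki-types = { version = "1.13.0" }
 serde = { version = "1.0.228", default-features = false }
 serde_json = { default-features = false, version = "1.0.145" }
 serde_yaml_ng = "0.10.0"
 sha2 = { default-features = false, version = "0.10.9" }
 sysinfo = { default-features = false, version = "0.37.2", features = ["disk", "system"] }
 time = { default-features = false, version = "0.3.44" }
-tokio = { version = "1.47.1", features = ["full"], default-features = false }
+tokio = { version = "1.48.0", features = ["full"], default-features = false }
 tokio-stream = { version = "0.1.17", default-features = false }
-tokio-util = { version = "0.7.16", default-features = false }
+tokio-util = { version = "0.7.17", default-features = false }
 tower = { default-features = false, version = "0.5.2", features = ["util"] }
 tower-http = { version = "0.6.6", features = ["fs"], default-features = false }
 tower-service = "0.3.3"
@@ -68,10 +68,10 @@ default = ["self_signed"]
 self_signed = ["dep:rcgen"]
 
 [dev-dependencies]
-async-tungstenite = { version = "0.31.0", features = ["tokio-runtime"] }
-reqwest = { version = "0.12.23", default-features = false, features = ["cookies", "json", "native-tls", "stream"] }
+async-tungstenite = { version = "0.32.0", features = ["tokio-runtime"] }
+reqwest = { version = "0.12.24", default-features = false, features = ["cookies", "json", "native-tls", "stream"] }
 tempfile = "3.23.0"
-tungstenite = "0.27.0"
+tungstenite = "0.28.0"
 
 [profile.release_optimized]
 inherits = "release"
@@ -150,6 +150,7 @@ todo = "warn"
 trait_duplication_in_bounds = "warn"
 undocumented_unsafe_blocks = "warn"
 unimplemented = "warn"
+unneeded_field_pattern = "warn"
 unnested_or_patterns = "warn"
 unused_async = "warn"
 unused_self = "warn"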
