Unistall Fail2ban

2026-04-05 20:03:48 +00:00 · 2026-03-28 17:01:08 +01:00
parent d628233982
commit d46c42d26b
5 changed files with 376 additions and 15 deletions
--- a/AppImage/components/notification-settings.tsx
+++ b/AppImage/components/notification-settings.tsx
@@ -998,7 +998,7 @@ export function NotificationSettings() {
      </CardHeader>

      <CardContent className="space-y-5">
-        {/* ── Service Status ── */}
+        {/* ─<EFBFBD><EFBFBD> Service Status ── */}
        {status && (
          <div className="flex items-center gap-3 p-3 rounded-lg bg-muted/50 border border-border">
            <div className={`h-2.5 w-2.5 rounded-full ${status.running ? "bg-green-500" : "bg-red-500"}`} />
--- a/AppImage/components/security.tsx
+++ b/AppImage/components/security.tsx
@@ -109,6 +109,10 @@ export function Security() {
  } | null>(null)
  const [showFail2banInstaller, setShowFail2banInstaller] = useState(false)
  const [showLynisInstaller, setShowLynisInstaller] = useState(false)
+  const [uninstallingFail2ban, setUninstallingFail2ban] = useState(false)
+  const [uninstallingLynis, setUninstallingLynis] = useState(false)
+  const [showFail2banUninstallConfirm, setShowFail2banUninstallConfirm] = useState(false)
+  const [showLynisUninstallConfirm, setShowLynisUninstallConfirm] = useState(false)

  // Lynis audit state
  interface LynisWarning { test_id: string; severity: string; description: string; solution: string; proxmox_context?: string; proxmox_expected?: boolean; proxmox_severity?: string }
@@ -251,6 +255,52 @@ export function Security() {
    }
  }

+  const handleUninstallFail2ban = async () => {
+    setUninstallingFail2ban(true)
+    setError("")
+    setSuccess("")
+    setShowFail2banUninstallConfirm(false)
+    try {
+      const data = await fetchApi("/api/security/fail2ban/uninstall", {
+        method: "POST",
+      })
+      if (data.success) {
+        setSuccess(data.message || "Fail2Ban has been uninstalled")
+        loadSecurityTools()
+        setF2bDetails(null)
+      } else {
+        setError(data.message || "Failed to uninstall Fail2Ban")
+      }
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to uninstall Fail2Ban")
+    } finally {
+      setUninstallingFail2ban(false)
+    }
+  }
+
+  const handleUninstallLynis = async () => {
+    setUninstallingLynis(true)
+    setError("")
+    setSuccess("")
+    setShowLynisUninstallConfirm(false)
+    try {
+      const data = await fetchApi("/api/security/lynis/uninstall", {
+        method: "POST",
+      })
+      if (data.success) {
+        setSuccess(data.message || "Lynis has been uninstalled")
+        loadSecurityTools()
+        setLynisReport(null)
+      } else {
+        setError(data.message || "Failed to uninstall Lynis")
+      }
+    } catch (err) {
+      setError(err instanceof Error ? err.message : "Failed to uninstall Lynis")
+    } finally {
+      setUninstallingLynis(false)
+    }
+  }
+
  const loadFail2banDetails = async () => {
    try {
      setF2bDetailsLoading(true)
@@ -2956,16 +3006,34 @@ ${(report.sections && report.sections.length > 0) ? `
              <Bug className="h-5 w-5 text-red-500" />
              <CardTitle>Fail2Ban</CardTitle>
            </div>
-            {fail2banInfo?.installed && fail2banInfo?.active && (
-              <Button
-                variant="ghost"
-                size="sm"
-                onClick={() => { loadFail2banDetails(); loadSecurityTools(); }}
-                className="h-7 px-2 text-xs text-muted-foreground hover:text-foreground"
-              >
-                <RefreshCw className="h-3 w-3 mr-1" />
-                Refresh
-              </Button>
+            {fail2banInfo?.installed && (
+              <div className="flex items-center gap-1">
+                {fail2banInfo?.active && (
+                  <Button
+                    variant="ghost"
+                    size="sm"
+                    onClick={() => { loadFail2banDetails(); loadSecurityTools(); }}
+                    className="h-7 px-2 text-xs text-muted-foreground hover:text-foreground"
+                  >
+                    <RefreshCw className="h-3 w-3 mr-1" />
+                    Refresh
+                  </Button>
+                )}
+                <Button
+                  variant="ghost"
+                  size="sm"
+                  onClick={() => setShowFail2banUninstallConfirm(true)}
+                  disabled={uninstallingFail2ban}
+                  className="h-7 px-2 text-xs text-muted-foreground hover:text-red-500"
+                  title="Uninstall Fail2Ban"
+                >
+                  {uninstallingFail2ban ? (
+                    <div className="animate-spin h-3 w-3 border-2 border-current border-t-transparent rounded-full" />
+                  ) : (
+                    <Trash2 className="h-3 w-3" />
+                  )}
+                </Button>
+              </div>
            )}
          </div>
          <CardDescription>
@@ -3417,9 +3485,27 @@ ${(report.sections && report.sections.length > 0) ? `
      {/* Lynis */}
      <Card>
        <CardHeader>
-          <div className="flex items-center gap-2">
-            <Search className="h-5 w-5 text-cyan-500" />
-            <CardTitle>Lynis Security Audit</CardTitle>
+          <div className="flex items-center justify-between">
+            <div className="flex items-center gap-2">
+              <Search className="h-5 w-5 text-cyan-500" />
+              <CardTitle>Lynis Security Audit</CardTitle>
+            </div>
+            {lynisInfo?.installed && (
+              <Button
+                variant="ghost"
+                size="sm"
+                onClick={() => setShowLynisUninstallConfirm(true)}
+                disabled={uninstallingLynis}
+                className="h-7 px-2 text-xs text-muted-foreground hover:text-red-500"
+                title="Uninstall Lynis"
+              >
+                {uninstallingLynis ? (
+                  <div className="animate-spin h-3 w-3 border-2 border-current border-t-transparent rounded-full" />
+                ) : (
+                  <Trash2 className="h-3 w-3" />
+                )}
+              </Button>
+            )}
          </div>
          <CardDescription>
            System security auditing tool that performs comprehensive security scans
@@ -4019,6 +4105,107 @@ ${(report.sections && report.sections.length > 0) ? `
        description="Installing Lynis security auditing tool from GitHub..."
      />

+      {/* Uninstall Confirmation Dialogs */}
+      {showFail2banUninstallConfirm && (
+        <div className="fixed inset-0 z-50 flex items-center justify-center bg-black/50">
+          <div className="bg-background border border-border rounded-lg p-6 max-w-md w-full mx-4 shadow-xl">
+            <div className="flex items-center gap-3 mb-4">
+              <div className="w-10 h-10 rounded-full bg-red-500/10 flex items-center justify-center">
+                <AlertTriangle className="h-5 w-5 text-red-500" />
+              </div>
+              <div>
+                <h3 className="font-semibold text-lg">Uninstall Fail2Ban?</h3>
+                <p className="text-sm text-muted-foreground">This action cannot be undone</p>
+              </div>
+            </div>
+            <p className="text-sm text-muted-foreground mb-6">
+              This will completely remove Fail2Ban and all its configuration, including:
+            </p>
+            <ul className="text-sm text-muted-foreground mb-6 list-disc list-inside space-y-1">
+              <li>SSH protection jail</li>
+              <li>Proxmox web interface protection</li>
+              <li>ProxMenux Monitor protection</li>
+              <li>All custom jail configurations</li>
+              <li>Auth logger services</li>
+            </ul>
+            <div className="flex justify-end gap-3">
+              <Button
+                variant="outline"
+                onClick={() => setShowFail2banUninstallConfirm(false)}
+              >
+                Cancel
+              </Button>
+              <Button
+                variant="destructive"
+                onClick={handleUninstallFail2ban}
+                disabled={uninstallingFail2ban}
+              >
+                {uninstallingFail2ban ? (
+                  <>
+                    <div className="animate-spin h-4 w-4 border-2 border-white border-t-transparent rounded-full mr-2" />
+                    Uninstalling...
+                  </>
+                ) : (
+                  <>
+                    <Trash2 className="h-4 w-4 mr-2" />
+                    Uninstall
+                  </>
+                )}
+              </Button>
+            </div>
+          </div>
+        </div>
+      )}
+
+      {showLynisUninstallConfirm && (
+        <div className="fixed inset-0 z-50 flex items-center justify-center bg-black/50">
+          <div className="bg-background border border-border rounded-lg p-6 max-w-md w-full mx-4 shadow-xl">
+            <div className="flex items-center gap-3 mb-4">
+              <div className="w-10 h-10 rounded-full bg-red-500/10 flex items-center justify-center">
+                <AlertTriangle className="h-5 w-5 text-red-500" />
+              </div>
+              <div>
+                <h3 className="font-semibold text-lg">Uninstall Lynis?</h3>
+                <p className="text-sm text-muted-foreground">This action cannot be undone</p>
+              </div>
+            </div>
+            <p className="text-sm text-muted-foreground mb-6">
+              This will completely remove Lynis and all audit data, including:
+            </p>
+            <ul className="text-sm text-muted-foreground mb-6 list-disc list-inside space-y-1">
+              <li>Lynis installation (/opt/lynis)</li>
+              <li>Wrapper script (/usr/local/bin/lynis)</li>
+              <li>All audit reports and logs</li>
+            </ul>
+            <div className="flex justify-end gap-3">
+              <Button
+                variant="outline"
+                onClick={() => setShowLynisUninstallConfirm(false)}
+              >
+                Cancel
+              </Button>
+              <Button
+                variant="destructive"
+                onClick={handleUninstallLynis}
+                disabled={uninstallingLynis}
+              >
+                {uninstallingLynis ? (
+                  <>
+                    <div className="animate-spin h-4 w-4 border-2 border-white border-t-transparent rounded-full mr-2" />
+                    Uninstalling...
+                  </>
+                ) : (
+                  <>
+                    <Trash2 className="h-4 w-4 mr-2" />
+                    Uninstall
+                  </>
+                )}
+              </Button>
+            </div>
+          </div>
+        </div>
+      )}
+
      <TwoFactorSetup
        open={show2FASetup}
        onClose={() => setShow2FASetup(false)}
--- a/AppImage/scripts/flask_notification_routes.py
+++ b/AppImage/scripts/flask_notification_routes.py
@@ -13,7 +13,7 @@ from flask import Blueprint, jsonify, request
 from notification_manager import notification_manager


-# ─── Webhook Hardening Helpers ──────────────────────────────────<EFBFBD><EFBFBD><EFBFBD>
+# ─── Webhook Hardening Helpers ───────────────────────────────────

 class WebhookRateLimiter:
    """Simple sliding-window rate limiter for the webhook endpoint."""
--- a/AppImage/scripts/flask_security_routes.py
+++ b/AppImage/scripts/flask_security_routes.py
@@ -308,6 +308,34 @@ def lynis_report_delete():
        return jsonify({"success": False, "message": str(e)}), 500


+# -------------------------------------------------------------------
+# Security Tools Uninstall
+# -------------------------------------------------------------------
+
+@security_bp.route('/api/security/fail2ban/uninstall', methods=['POST'])
+def fail2ban_uninstall():
+    """Uninstall Fail2Ban and clean up configuration"""
+    if not security_manager:
+        return jsonify({"success": False, "message": "Security manager not available"}), 500
+    try:
+        success, message = security_manager.uninstall_fail2ban()
+        return jsonify({"success": success, "message": message})
+    except Exception as e:
+        return jsonify({"success": False, "message": str(e)}), 500
+
+
+@security_bp.route('/api/security/lynis/uninstall', methods=['POST'])
+def lynis_uninstall():
+    """Uninstall Lynis and clean up files"""
+    if not security_manager:
+        return jsonify({"success": False, "message": "Security manager not available"}), 500
+    try:
+        success, message = security_manager.uninstall_lynis()
+        return jsonify({"success": success, "message": message})
+    except Exception as e:
+        return jsonify({"success": False, "message": str(e)}), 500
+
+
 # -------------------------------------------------------------------
 # Security Tools Detection
 # -------------------------------------------------------------------
--- a/AppImage/scripts/security_manager.py
+++ b/AppImage/scripts/security_manager.py
@@ -1984,3 +1984,149 @@ def parse_lynis_report():
    report["proxmox_context_applied"] = True

    return report
+
+
+# -------------------------------------------------------------------
+# Uninstall Functions
+# -------------------------------------------------------------------
+
+def uninstall_fail2ban():
+    """
+    Uninstall Fail2Ban and clean up all configuration.
+    Returns (success, message).
+    """
+    try:
+        # Stop fail2ban service
+        _run_cmd(["systemctl", "stop", "fail2ban"], timeout=30)
+        _run_cmd(["systemctl", "disable", "fail2ban"], timeout=10)
+        
+        # Stop and remove auth logger services
+        _run_cmd(["systemctl", "stop", "proxmox-auth-logger.service"], timeout=10)
+        _run_cmd(["systemctl", "disable", "proxmox-auth-logger.service"], timeout=10)
+        _run_cmd(["systemctl", "stop", "ssh-auth-logger.service"], timeout=10)
+        _run_cmd(["systemctl", "disable", "ssh-auth-logger.service"], timeout=10)
+        
+        # Remove systemd service files
+        for svc_file in [
+            "/etc/systemd/system/proxmox-auth-logger.service",
+            "/etc/systemd/system/ssh-auth-logger.service",
+        ]:
+            if os.path.exists(svc_file):
+                os.remove(svc_file)
+        
+        _run_cmd(["systemctl", "daemon-reload"], timeout=10)
+        
+        # Remove log files created by auth loggers
+        for log_file in ["/var/log/proxmox-auth.log", "/var/log/ssh-auth.log"]:
+            if os.path.exists(log_file):
+                os.remove(log_file)
+        
+        # Purge fail2ban package
+        _run_cmd(["apt-get", "purge", "-y", "fail2ban"], timeout=120)
+        
+        # Remove configuration files
+        for cfg_file in [
+            "/etc/fail2ban/jail.d/proxmox.conf",
+            "/etc/fail2ban/jail.d/proxmenux.conf",
+            "/etc/fail2ban/filter.d/proxmox.conf",
+            "/etc/fail2ban/filter.d/proxmenux.conf",
+            "/etc/fail2ban/jail.local",
+        ]:
+            if os.path.exists(cfg_file):
+                os.remove(cfg_file)
+        
+        # Restore SSH MaxAuthTries if backup exists
+        base_dir = "/usr/local/share/proxmenux"
+        backup_file = os.path.join(base_dir, "sshd_maxauthtries_backup")
+        sshd_config = "/etc/ssh/sshd_config"
+        if os.path.exists(backup_file) and os.path.exists(sshd_config):
+            try:
+                with open(backup_file, 'r') as f:
+                    original_val = f.read().strip()
+                if original_val:
+                    with open(sshd_config, 'r') as f:
+                        content = f.read()
+                    import re
+                    content = re.sub(
+                        r'^MaxAuthTries.*$',
+                        f'MaxAuthTries {original_val}',
+                        content,
+                        flags=re.MULTILINE
+                    )
+                    with open(sshd_config, 'w') as f:
+                        f.write(content)
+                    _run_cmd(["systemctl", "reload", "sshd"], timeout=10)
+                os.remove(backup_file)
+            except Exception:
+                pass
+        
+        # Remove journald drop-in
+        journald_dropin = "/etc/systemd/journald.conf.d/proxmenux-loglevel.conf"
+        if os.path.exists(journald_dropin):
+            os.remove(journald_dropin)
+            _run_cmd(["systemctl", "restart", "systemd-journald"], timeout=30)
+        
+        # Update component status
+        components_file = os.path.join(base_dir, "components_status.json")
+        if os.path.exists(components_file):
+            try:
+                import json
+                with open(components_file, 'r') as f:
+                    components = json.load(f)
+                if "fail2ban" in components:
+                    components["fail2ban"]["status"] = "removed"
+                    components["fail2ban"]["version"] = ""
+                    with open(components_file, 'w') as f:
+                        json.dump(components, f, indent=2)
+            except Exception:
+                pass
+        
+        return True, "Fail2Ban has been uninstalled successfully"
+    except Exception as e:
+        return False, f"Error uninstalling Fail2Ban: {str(e)}"
+
+
+def uninstall_lynis():
+    """
+    Uninstall Lynis and clean up all files.
+    Returns (success, message).
+    """
+    try:
+        import shutil
+        
+        # Remove installation directory
+        if os.path.exists("/opt/lynis"):
+            shutil.rmtree("/opt/lynis")
+        
+        # Remove wrapper script
+        if os.path.exists("/usr/local/bin/lynis"):
+            os.remove("/usr/local/bin/lynis")
+        
+        # Remove report files
+        for report_file in [
+            "/var/log/lynis-report.dat",
+            "/var/log/lynis.log",
+            "/var/log/lynis-output.log",
+        ]:
+            if os.path.exists(report_file):
+                os.remove(report_file)
+        
+        # Update component status
+        base_dir = "/usr/local/share/proxmenux"
+        components_file = os.path.join(base_dir, "components_status.json")
+        if os.path.exists(components_file):
+            try:
+                import json
+                with open(components_file, 'r') as f:
+                    components = json.load(f)
+                if "lynis" in components:
+                    components["lynis"]["status"] = "removed"
+                    components["lynis"]["version"] = ""
+                    with open(components_file, 'w') as f:
+                        json.dump(components, f, indent=2)
+            except Exception:
+                pass
+        
+        return True, "Lynis has been uninstalled successfully"
+    except Exception as e:
+        return False, f"Error uninstalling Lynis: {str(e)}"