From 06a1e919da1fbf5e81a1c82b6362f08b889e66a9 Mon Sep 17 00:00:00 2001
From: VirtuBox
Date: Fri, 20 Sep 2019 14:21:42 +0200
Subject: [PATCH] Add UFW stack
---
 docs/wo.8 | 4 +--
 install | 8 ++---
 wo/cli/plugins/stack.py | 24 +++++++++++++
 wo/cli/plugins/stack_pref.py | 18 ++++++++++
 wo/cli/templates/ufw.mustache | 65 +++++++++++++++++++++++++++++++++++
 5 files changed, 113 insertions(+), 6 deletions(-)
 create mode 100644 wo/cli/templates/ufw.mustache
diff --git a/docs/wo.8 b/docs/wo.8
index 47b17f6..b6f23b7 100644
--- a/docs/wo.8
+++ b/docs/wo.8
@@ -11,9 +11,9 @@ wo stack [ status | start | stop | reload | restart ] [--all | --nginx | --php |
 .TP
 wo site [ list | info | show | enable | disable | edit | cd | show ] [ example.com ]
 .TP
-wo site create example.com [ --html | --php | --php73 | --mysql] [[--wp | --wpsubdir | --wpsubdomain ] [--wpsc | --wpfc | --wpredis | --letsencrypt/-le/--letsencrypt=subdomain/wildcard][--dns/--dns=dns_cf/dns_do]]
+wo site create example.com [ --html | --php | --php73 | --mysql] [[--wp | --wpsubdir | --wpsubdomain ] [--wpsc | --wpfc | --wpredis | --letsencrypt/-le/--letsencrypt=wildcard][--dns/--dns=dns_cf/dns_do]]
 .TP
-wo site update example.com [ --php | --php73 |--mysql] [[--wp | --wpsubdir | --wpsubdomain ] [--wpsc | --wpfc | --wpredis ] [--password] [-le/--letsencrypt/--letsencrypt=on/off/subdomain/renew/wildcard/clean/purge] [--dns/--dns=dns_cf/dns_do]]
+wo site update example.com [ --php | --php73 |--mysql] [[--wp | --wpsubdir | --wpsubdomain ] [--wpsc | --wpfc | --wpredis ] [--password] [-le/--letsencrypt/--letsencrypt=on/off/wildcard/clean/purge] [--dns/--dns=dns_cf/dns_do]]
 .TP
 wo site delete example.com [--db | --files | --all | --no-prompt | --force/-f ]
 .TP
diff --git a/install b/install
index b81a667..a1c2c0c 100755
--- a/install
+++ b/install
@@ -669,7 +669,7 @@ wo_backup_ee() {
 }
 
 wo_backup_wo() {
- /bin/tar -I pigz -cf "$WO_BACKUP_FILE" "$WO_NGINX" /etc/wo /var/lib/wo "$WO_LE"
+ /bin/tar -I pigz -cf "$WO_BACKUP_FILE" /etc/nginx /etc/wo /var/lib/wo "$WO_LE"
 return 0
 }
 
@@ -856,9 +856,9 @@ else
 fi
 _run wo_install_dep "Installing wo dependencies"
 _run wo_timesync
-if [ "$ufw" = "y" ]; then
- _run wo_ufw_setup "Configuring UFW"
-fi
+#if [ "$ufw" = "y" ]; then
+# _run wo_ufw_setup "Configuring UFW"
+#fi
 # skip steps if travis
 if [ -z "$wo_travis" ]; then
 _run wo_dist_upgrade
diff --git a/wo/cli/plugins/stack.py b/wo/cli/plugins/stack.py
index 5f0b022..27da795 100644
--- a/wo/cli/plugins/stack.py
+++ b/wo/cli/plugins/stack.py
@@ -88,6 +88,8 @@ class WOStackController(CementBaseController):
 dict(help='Install Fail2ban stack', action='store_true')),
 (['--clamav'],
 dict(help='Install ClamAV stack', action='store_true')),
+ (['--ufw'],
+ dict(help='Install UFW stack', action='store_true')),
 (['--sendmail'],
 dict(help='Install Sendmail stack', action='store_true')),
 (['--utils'],
@@ -129,11 +131,13 @@ class WOStackController(CementBaseController):
 (not pargs.adminer) and (not pargs.utils) and
 (not pargs.redis) and (not pargs.proftpd) and
 (not pargs.extplorer) and (not pargs.clamav) and
+ (not pargs.ufw) and
 (not pargs.phpredisadmin) and (not pargs.sendmail) and
 (not pargs.php73)):
 pargs.web = True
 pargs.admin = True
 pargs.fail2ban = True
+ pargs.ufw = True
 
 if pargs.all:
 pargs.web = True
@@ -164,6 +168,7 @@ class WOStackController(CementBaseController):
 if pargs.security:
 pargs.fail2ban = True
 pargs.clamav = True
+ pargs.ufw = True
 
 # Nginx
 if pargs.nginx:
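Review bot: The UFW step is commented out rather than removed, so `$ufw` is still accepted wherever it is set earlier in the script (outside this hunk) but now silently does nothing. If the firewall setup has moved to `wo stack install --ufw`, delete the three lines and either drop the `ufw` option or print a one-line notice pointing at the new command; commented-out code tends to be resurrected later without the context of this change. The enclosing script continues on both sides of the hunk, so I cannot see where `$ufw` is read.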
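Review bot: The new `--ufw` option has no man-page entry: the `wo stack` usage line in docs/wo.8 is touched in this same commit only for the letsencrypt wording, and the part of it visible in that hunk header does not list `--ufw` (the line is truncated there, so confirm). Add `--ufw` next to `--fail2ban` and `--clamav` in docs/wo.8, and make the help text say what actually happens, e.g. `dict(help='Install UFW and enable a default-deny firewall', action='store_true')`, since the post-install step in stack_pref.py runs the template's `ufw --force enable`.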
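Review bot: Adding `pargs.ufw = True` to the no-flag default set means a plain `wo stack install` now installs UFW and, through the template's `ufw --force enable`, activates a default-deny firewall on hosts that never asked for one; fail2ban is in that set too, but it does not change which ports are reachable. That is a larger behaviour change than the other defaults and should stay opt-in (`--ufw` or `--security`, where the -164 hunk already adds it) or at least be gated behind a confirmation, the way the installer used to guard it with `$ufw = y`. The enclosing method starts before this hunk, so I cannot see whether an interactive prompt already exists upstream.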
@@ -270,6 +275,11 @@ class WOStackController(CementBaseController):
 Log.debug(self, "ClamAV already installed")
 Log.info(self, "ClamAV already installed")
 
+ # UFW
+ if pargs.ufw:
+ Log.debug(self, "Setting apt_packages variable for UFW")
+ apt_packages = apt_packages + ["ufw"]
+
 # sendmail
 if pargs.sendmail:
 Log.debug(self, "Setting apt_packages variable for Sendmail")
@@ -518,6 +528,7 @@ class WOStackController(CementBaseController):
 (not pargs.adminer) and (not pargs.utils) and
 (not pargs.redis) and (not pargs.proftpd) and
 (not pargs.extplorer) and (not pargs.clamav) and
+ (not pargs.ufw) and
 (not pargs.phpredisadmin) and (not pargs.sendmail) and
 (not pargs.php73)):
 pargs.web = True
@@ -551,6 +562,7 @@ class WOStackController(CementBaseController):
 if pargs.security:
 pargs.fail2ban = True
 pargs.clamav = True
+ pargs.ufw = True
 
 # NGINX
 if pargs.nginx:
@@ -620,6 +632,11 @@ class WOStackController(CementBaseController):
 Log.debug(self, "Remove apt_packages variable for ProFTPd")
 apt_packages = apt_packages + ["proftpd-basic"]
 
+ # UFW
+ if pargs.ufw:
+ Log.debug(self, "Remove apt_packages variable for UFW")
+ apt_packages = apt_packages + ["ufw"]
+
 # WPCLI
 if pargs.wpcli:
 Log.debug(self, "Removing package variable of WPCLI ")
@@ -739,6 +756,7 @@ class WOStackController(CementBaseController):
 (not pargs.adminer) and (not pargs.utils) and
 (not pargs.redis) and (not pargs.proftpd) and
 (not pargs.extplorer) and (not pargs.clamav) and
+ (not pargs.ufw) and
 (not pargs.phpredisadmin) and (not pargs.sendmail) and
 (not pargs.php73)):
 pargs.web = True
@@ -771,6 +789,7 @@ class WOStackController(CementBaseController):
 if pargs.security:
 pargs.fail2ban = True
 pargs.clamav = True
+ pargs.ufw = True
 
 # NGINX
 if pargs.nginx:
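Review bot: Unlike the ClamAV branch just above, which (judging by the `ClamAV already installed` context lines) is guarded by an is-installed check before it touches `apt_packages`, the UFW branch appends `"ufw"` unconditionally, so every rerun re-queues the package and relies on post_pref's `ENABLED=yes` grep to avoid reconfiguring. Mirror the neighbouring pattern: `if not WOAptGet.is_installed(self, 'ufw'): apt_packages = apt_packages + ["ufw"]` with an `else: Log.info(self, "UFW already installed")`. The other stacks take their package list from `WOVariables` (the purge hunk in the next chunk uses `WOVariables.wo_clamav`); a `wo_ufw` entry there would keep this hunk and the remove/purge hunks from each spelling the literal `["ufw"]`.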
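Review bot: In the remove path (-620 here, and the purge path at -829 in the next chunk) the package is queued for removal without first disabling the firewall; unless the ufw package's maintainer scripts flush the rules on removal (confirm against the package), the default-deny ruleset loaded in the kernel outlives the package with no tool left to manage it. Run `WOShellExec.cmd_exec(self, "ufw disable")` before `apt_packages = apt_packages + ["ufw"]`, or do it in the corresponding post-remove step, and log the outcome. The enclosing method starts before and ends after this hunk.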
@@ -829,6 +848,11 @@ class WOStackController(CementBaseController):
 if WOAptGet.is_installed(self, 'clamav'):
 apt_packages = apt_packages + WOVariables.wo_clamav
 
+ # UFW
+ if pargs.ufw:
+ Log.debug(self, "Remove apt_packages variable for UFW")
+ apt_packages = apt_packages + ["ufw"]
+
 # sendmail
 if pargs.sendmail:
 Log.debug(self, "Setting apt_packages variable for Sendmail")
diff --git a/wo/cli/plugins/stack_pref.py b/wo/cli/plugins/stack_pref.py
index 3aa4c24..1d05be8 100644
--- a/wo/cli/plugins/stack_pref.py
+++ b/wo/cli/plugins/stack_pref.py
@@ -975,6 +975,24 @@ def post_pref(self, apt_packages, packages, upgrade=False):
 msg="Adding ProFTPd into Git")
 WOService.reload_service(self, 'proftpd')
 
+ if "ufw" in apt_packages:
+ # check if ufw is already enabled
+ if not WOFileUtils.grep(self,
+ '/etc/ufw/ufw.conf', 'ENABLED=yes'):
+ Log.wait(self, "Configuring UFW")
+ # check if ufw script is already created
+ if not os.path.isfile("/opt/ufw.sh"):
+ data = dict()
+ WOTemplate.render(self, '/opt/ufw.sh',
+ 'ufw.mustache',
+ data, overwrite=False)
+ WOFileUtils.chmod(self, "/opt/ufw.sh", 0o700)
+ # setup ufw rules
+ WOShellExec.cmd_exec(self, "bash /opt/ufw.sh")
+ Log.valide(self, "Configuring UFW")
+ else:
+ Log.info(self, "UFW is already installed and enabled")
+
 # Redis configuration
 if "redis-server" in apt_packages:
 if os.path.isfile("/etc/nginx/conf.d/upstream.conf"):
diff --git a/wo/cli/templates/ufw.mustache b/wo/cli/templates/ufw.mustache
new file mode 100644
index 0000000..aa8d344
--- /dev/null
+++ b/wo/cli/templates/ufw.mustache
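Review bot: The result of `WOShellExec.cmd_exec(self, "bash /opt/ufw.sh")` is discarded, so `Log.valide(self, "Configuring UFW")` reports success even when the script takes its `exit 1` path, and the operator is told the firewall is configured when it may not be. Branch on the status, e.g. `if WOShellExec.cmd_exec(self, "bash /opt/ufw.sh"): Log.valide(self, "Configuring UFW")` with an `else: Log.error(self, "UFW configuration failed")` (adjust to whatever cmd_exec returns in this codebase, which I cannot see from here). Separately, `overwrite=False` combined with the `os.path.isfile` guard means any pre-existing `/opt/ufw.sh`, whatever its origin or age, is executed as root and a newer template is never picked up; since the script only adds rules that are not already present, render it unconditionally (or to a fresh temp file) and then run it. post_pref starts well before this hunk.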
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+wo_ufw_setup() {
+ # get custom ssh port
+ if [ -f /etc/ssh/sshd_config ]; then
+ CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')
+ fi
+ # define firewall rules
+ if ! grep -q "LOGLEVEL=low" /etc/ufw/ufw.conf; then
+ ufw logging low
+ fi
+ if ! grep -q 'DEFAULT_OUTPUT_POLICY="ACCEPT"' /etc/default/ufw; then
+ ufw default allow outgoing
+ fi
+ if ! grep -q 'DEFAULT_INPUT_POLICY="DROP"' /etc/default/ufw; then
+ ufw default deny incoming
+ fi
+ if ! grep -q "\-\-dport 22 -j" /etc/ufw/user.rules; then
+ # default ssh port
+ ufw limit 22
+ fi
+
+ # custom ssh port
+ if [ "$CURRENT_SSH_PORT" != "22" ]; then
+ if ! grep -q "\-\-dport $CURRENT_SSH_PORT -j" /etc/ufw/user.rules; then
+ ufw limit "$CURRENT_SSH_PORT"
+ fi
+ fi
+
+ # nginx
+ if ! grep -q "\-\-dport 80 -j" /etc/ufw/user.rules; then
+ # http
+ ufw allow http
+ fi
+ if ! grep -q "\-\-dport 443 -j" /etc/ufw/user.rules; then
+ # https
+ ufw allow https
+ fi
+
+ # ntp
+ if ! grep -q "\-\-dport 123 -j" /etc/ufw/user.rules; then
+ ufw allow 123
+ fi
+
+ if ! grep -q "\-\-dport 22222 -j" /etc/ufw/user.rules; then
+ # wordops backend
+ ufw limit 22222
+ fi
+ # enable ufw
+ if [ -n "$CURRENT_SSH_PORT" ]; then
+ ufw --force enable
+ fi
+
+ # remove ufw from syslog
+ if [ -f /etc/rsyslog.d/20-ufw.conf ]; then
+ sed -i 's/\#\& stop/\& stop/' /etc/rsyslog.d/20-ufw.conf
+ service rsyslog restart
+ fi
+}
+
+if { wo_ufw_setup; }; then
+ exit 0
+else
+ exit 1
+fi
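Review bot: The SSH-port detection at the top of `wo_ufw_setup` is a lock-out risk: `grep "Port" /etc/ssh/sshd_config` also matches commented directives (`#Port 22`) and other keys such as `GatewayPorts`, so on a config with a custom port `CURRENT_SSH_PORT` can become a multi-line value like `2222` followed by `no`; `ufw limit "$CURRENT_SSH_PORT"` then fails, but the `[ -n "$CURRENT_SSH_PORT" ]` guard still passes and `ufw --force enable` closes the only port sshd listens on. Parse only active directives and take a single numeric value, e.g. `CURRENT_SSH_PORT=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' /etc/ssh/sshd_config | awk '{print $2}' | head -n 1)` followed by `CURRENT_SSH_PORT=${CURRENT_SSH_PORT:-22}`, and only run `ufw --force enable` after the `ufw limit` for that port has succeeded. Two smaller points: `ufw allow 123` opens NTP inbound, which only an NTP server needs (a client's replies are matched by the stateful rules), and `if { wo_ufw_setup; }` reflects only the status of the function's last command, so the `exit 1` branch is effectively never taken when an individual `ufw` call fails; add `set -e` or check each call.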