Add UFW stack

VirtuBox
2019-09-20 14:21:42 +02:00
parent bef95a0b75
commit 06a1e919da
5 changed files with 113 additions and 6 deletions


@@ -11,9 +11,9 @@ wo stack [ status | start | stop | reload | restart ] [--all | --nginx | --php |
.TP .TP
wo site [ list | info | show | enable | disable | edit | cd | show ] [ example.com ] wo site [ list | info | show | enable | disable | edit | cd | show ] [ example.com ]
.TP .TP
wo site create example.com [ --html | --php | --php73 | --mysql] [[--wp | --wpsubdir | --wpsubdomain ] [--wpsc | --wpfc | --wpredis | --letsencrypt/-le/--letsencrypt=subdomain/wildcard][--dns/--dns=dns_cf/dns_do]] wo site create example.com [ --html | --php | --php73 | --mysql] [[--wp | --wpsubdir | --wpsubdomain ] [--wpsc | --wpfc | --wpredis | --letsencrypt/-le/--letsencrypt=wildcard][--dns/--dns=dns_cf/dns_do]]
.TP .TP
wo site update example.com [ --php | --php73 |--mysql] [[--wp | --wpsubdir | --wpsubdomain ] [--wpsc | --wpfc | --wpredis ] [--password] [-le/--letsencrypt/--letsencrypt=on/off/subdomain/renew/wildcard/clean/purge] [--dns/--dns=dns_cf/dns_do]] wo site update example.com [ --php | --php73 |--mysql] [[--wp | --wpsubdir | --wpsubdomain ] [--wpsc | --wpfc | --wpredis ] [--password] [-le/--letsencrypt/--letsencrypt=on/off/wildcard/clean/purge] [--dns/--dns=dns_cf/dns_do]]
.TP .TP
wo site delete example.com [--db | --files | --all | --no-prompt | --force/-f ] wo site delete example.com [--db | --files | --all | --no-prompt | --force/-f ]
.TP .TP


@@ -669,7 +669,7 @@ wo_backup_ee() {
} }
wo_backup_wo() { wo_backup_wo() {
/bin/tar -I pigz -cf "$WO_BACKUP_FILE" "$WO_NGINX" /etc/wo /var/lib/wo "$WO_LE" /bin/tar -I pigz -cf "$WO_BACKUP_FILE" /etc/nginx /etc/wo /var/lib/wo "$WO_LE"
return 0 return 0
} }
@@ -856,9 +856,9 @@ else
fi fi
_run wo_install_dep "Installing wo dependencies" _run wo_install_dep "Installing wo dependencies"
_run wo_timesync _run wo_timesync
if [ "$ufw" = "y" ]; then #if [ "$ufw" = "y" ]; then
_run wo_ufw_setup "Configuring UFW" # _run wo_ufw_setup "Configuring UFW"
fi #fi
# skip steps if travis # skip steps if travis
if [ -z "$wo_travis" ]; then if [ -z "$wo_travis" ]; then
_run wo_dist_upgrade _run wo_dist_upgrade
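Review bot: The UFW hook is left in the installer as commented-out code (`#if [ "$ufw" = "y" ]; then`, `# _run wo_ufw_setup "Configuring UFW"`, `#fi`) rather than removed, so the `$ufw` variable — presumably still set by option parsing earlier in the script, outside this hunk — now has no effect while still looking like a supported switch; either delete the three lines (history keeps them) or replace them with a one-line pointer such as `# UFW is configured by "wo stack install --ufw" (also part of --security), not by the installer`. Taking the right-hand column as the new side, the backup hunk also trades `"$WO_NGINX"` for a hard-coded `/etc/nginx`, which is only safe if that variable is not used anywhere else to point at a non-default nginx directory. Both hunks sit in script sections whose start lies outside the visible lines.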


@@ -88,6 +88,8 @@ class WOStackController(CementBaseController):
dict(help='Install Fail2ban stack', action='store_true')), dict(help='Install Fail2ban stack', action='store_true')),
(['--clamav'], (['--clamav'],
dict(help='Install ClamAV stack', action='store_true')), dict(help='Install ClamAV stack', action='store_true')),
(['--ufw'],
dict(help='Install UFW stack', action='store_true')),
(['--sendmail'], (['--sendmail'],
dict(help='Install Sendmail stack', action='store_true')), dict(help='Install Sendmail stack', action='store_true')),
(['--utils'], (['--utils'],
@@ -129,11 +131,13 @@ class WOStackController(CementBaseController):
(not pargs.adminer) and (not pargs.utils) and (not pargs.adminer) and (not pargs.utils) and
(not pargs.redis) and (not pargs.proftpd) and (not pargs.redis) and (not pargs.proftpd) and
(not pargs.extplorer) and (not pargs.clamav) and (not pargs.extplorer) and (not pargs.clamav) and
(not pargs.ufw) and
(not pargs.phpredisadmin) and (not pargs.sendmail) and (not pargs.phpredisadmin) and (not pargs.sendmail) and
(not pargs.php73)): (not pargs.php73)):
pargs.web = True pargs.web = True
pargs.admin = True pargs.admin = True
pargs.fail2ban = True pargs.fail2ban = True
pargs.ufw = True
if pargs.all: if pargs.all:
pargs.web = True pargs.web = True
@@ -164,6 +168,7 @@ class WOStackController(CementBaseController):
if pargs.security: if pargs.security:
pargs.fail2ban = True pargs.fail2ban = True
pargs.clamav = True pargs.clamav = True
pargs.ufw = True
# Nginx # Nginx
if pargs.nginx: if pargs.nginx:
@@ -270,6 +275,11 @@ class WOStackController(CementBaseController):
Log.debug(self, "ClamAV already installed") Log.debug(self, "ClamAV already installed")
Log.info(self, "ClamAV already installed") Log.info(self, "ClamAV already installed")
# UFW
if pargs.ufw:
Log.debug(self, "Setting apt_packages variable for UFW")
apt_packages = apt_packages + ["ufw"]
# sendmail # sendmail
if pargs.sendmail: if pargs.sendmail:
Log.debug(self, "Setting apt_packages variable for Sendmail") Log.debug(self, "Setting apt_packages variable for Sendmail")
@@ -518,6 +528,7 @@ class WOStackController(CementBaseController):
(not pargs.adminer) and (not pargs.utils) and (not pargs.adminer) and (not pargs.utils) and
(not pargs.redis) and (not pargs.proftpd) and (not pargs.redis) and (not pargs.proftpd) and
(not pargs.extplorer) and (not pargs.clamav) and (not pargs.extplorer) and (not pargs.clamav) and
(not pargs.ufw) and
(not pargs.phpredisadmin) and (not pargs.sendmail) and (not pargs.phpredisadmin) and (not pargs.sendmail) and
(not pargs.php73)): (not pargs.php73)):
pargs.web = True pargs.web = True
@@ -551,6 +562,7 @@ class WOStackController(CementBaseController):
if pargs.security: if pargs.security:
pargs.fail2ban = True pargs.fail2ban = True
pargs.clamav = True pargs.clamav = True
pargs.ufw = True
# NGINX # NGINX
if pargs.nginx: if pargs.nginx:
@@ -620,6 +632,11 @@ class WOStackController(CementBaseController):
Log.debug(self, "Remove apt_packages variable for ProFTPd") Log.debug(self, "Remove apt_packages variable for ProFTPd")
apt_packages = apt_packages + ["proftpd-basic"] apt_packages = apt_packages + ["proftpd-basic"]
# UFW
if pargs.ufw:
Log.debug(self, "Remove apt_packages variable for UFW")
apt_packages = apt_packages + ["ufw"]
# WPCLI # WPCLI
if pargs.wpcli: if pargs.wpcli:
Log.debug(self, "Removing package variable of WPCLI ") Log.debug(self, "Removing package variable of WPCLI ")
@@ -739,6 +756,7 @@ class WOStackController(CementBaseController):
(not pargs.adminer) and (not pargs.utils) and (not pargs.adminer) and (not pargs.utils) and
(not pargs.redis) and (not pargs.proftpd) and (not pargs.redis) and (not pargs.proftpd) and
(not pargs.extplorer) and (not pargs.clamav) and (not pargs.extplorer) and (not pargs.clamav) and
(not pargs.ufw) and
(not pargs.phpredisadmin) and (not pargs.sendmail) and (not pargs.phpredisadmin) and (not pargs.sendmail) and
(not pargs.php73)): (not pargs.php73)):
pargs.web = True pargs.web = True
@@ -771,6 +789,7 @@ class WOStackController(CementBaseController):
if pargs.security: if pargs.security:
pargs.fail2ban = True pargs.fail2ban = True
pargs.clamav = True pargs.clamav = True
pargs.ufw = True
# NGINX # NGINX
if pargs.nginx: if pargs.nginx:
@@ -829,6 +848,11 @@ class WOStackController(CementBaseController):
if WOAptGet.is_installed(self, 'clamav'): if WOAptGet.is_installed(self, 'clamav'):
apt_packages = apt_packages + WOVariables.wo_clamav apt_packages = apt_packages + WOVariables.wo_clamav
# UFW
if pargs.ufw:
Log.debug(self, "Remove apt_packages variable for UFW")
apt_packages = apt_packages + ["ufw"]
# sendmail # sendmail
if pargs.sendmail: if pargs.sendmail:
Log.debug(self, "Setting apt_packages variable for Sendmail") Log.debug(self, "Setting apt_packages variable for Sendmail")
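Review bot: The UFW branch in the purge path (`if pargs.ufw:` followed by `apt_packages = apt_packages + ["ufw"]`) skips the `WOAptGet.is_installed` guard that the ClamAV branch directly above it uses, so `ufw` is handed to apt for purging even when it was never installed; `if pargs.ufw and WOAptGet.is_installed(self, 'ufw'):` would keep the two branches consistent. The help string `Install UFW stack` also undersells the new default: with no stack flag given, install now sets `pargs.ufw = True`, and the post-install step enables a deny-incoming firewall on the host, which the help text should say, e.g. `Install UFW stack (enables a deny-incoming firewall; ssh, http and https stay open)`. The remove and purge branches both log `Remove apt_packages variable for UFW` while the neighbouring Sendmail branch in the purge hunk logs `Setting`; pick one wording for the removal paths. All of these hunks fall inside methods of WOStackController whose definitions start outside the visible lines.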


@@ -975,6 +975,24 @@ def post_pref(self, apt_packages, packages, upgrade=False):
msg="Adding ProFTPd into Git") msg="Adding ProFTPd into Git")
WOService.reload_service(self, 'proftpd') WOService.reload_service(self, 'proftpd')
if "ufw" in apt_packages:
# check if ufw is already enabled
if not WOFileUtils.grep(self,
'/etc/ufw/ufw.conf', 'ENABLED=yes'):
Log.wait(self, "Configuring UFW")
# check if ufw script is already created
if not os.path.isfile("/opt/ufw.sh"):
data = dict()
WOTemplate.render(self, '/opt/ufw.sh',
'ufw.mustache',
data, overwrite=False)
WOFileUtils.chmod(self, "/opt/ufw.sh", 0o700)
# setup ufw rules
WOShellExec.cmd_exec(self, "bash /opt/ufw.sh")
Log.valide(self, "Configuring UFW")
else:
Log.info(self, "UFW is already installed and enabled")
# Redis configuration # Redis configuration
if "redis-server" in apt_packages: if "redis-server" in apt_packages:
if os.path.isfile("/etc/nginx/conf.d/upstream.conf"): if os.path.isfile("/etc/nginx/conf.d/upstream.conf"):
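Review bot: The exit status of `bash /opt/ufw.sh` is discarded, so `Log.valide(self, "Configuring UFW")` reports success even when the script exits 1 (which it does whenever `wo_ufw_setup` returns non-zero), leaving the operator believing the firewall is up when it may not be; gate the success message on the result, e.g. `if WOShellExec.cmd_exec(self, "bash /opt/ufw.sh"):` with a failure log in the else branch (this assumes cmd_exec returns a truthy value on success — confirm against its definition). Separately, `overwrite=False` together with the `os.path.isfile("/opt/ufw.sh")` check means an existing /opt/ufw.sh, however old, is executed as root without ever being refreshed from the shipped `ufw.mustache`; rendering unconditionally with `overwrite=True` (and dropping the isfile check) keeps the executed script in step with the template. The enclosing `post_pref` begins before this hunk.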


@@ -0,0 +1,65 @@
#!/bin/bash
wo_ufw_setup() {
# get custom ssh port
if [ -f /etc/ssh/sshd_config ]; then
CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')
fi
# define firewall rules
if ! grep -q "LOGLEVEL=low" /etc/ufw/ufw.conf; then
ufw logging low
fi
if ! grep -q 'DEFAULT_OUTPUT_POLICY="ACCEPT"' /etc/default/ufw; then
ufw default allow outgoing
fi
if ! grep -q 'DEFAULT_INPUT_POLICY="DROP"' /etc/default/ufw; then
ufw default deny incoming
fi
if ! grep -q "\-\-dport 22 -j" /etc/ufw/user.rules; then
# default ssh port
ufw limit 22
fi
# custom ssh port
if [ "$CURRENT_SSH_PORT" != "22" ]; then
if ! grep -q "\-\-dport $CURRENT_SSH_PORT -j" /etc/ufw/user.rules; then
ufw limit "$CURRENT_SSH_PORT"
fi
fi
# nginx
if ! grep -q "\-\-dport 80 -j" /etc/ufw/user.rules; then
# http
ufw allow http
fi
if ! grep -q "\-\-dport 443 -j" /etc/ufw/user.rules; then
# https
ufw allow https
fi
# ntp
if ! grep -q "\-\-dport 123 -j" /etc/ufw/user.rules; then
ufw allow 123
fi
if ! grep -q "\-\-dport 22222 -j" /etc/ufw/user.rules; then
# wordops backend
ufw limit 22222
fi
# enable ufw
if [ -n "$CURRENT_SSH_PORT" ]; then
ufw --force enable
fi
# remove ufw from syslog
if [ -f /etc/rsyslog.d/20-ufw.conf ]; then
sed -i 's/\#\& stop/\& stop/' /etc/rsyslog.d/20-ufw.conf
service rsyslog restart
fi
}
if { wo_ufw_setup; }; then
exit 0
else
exit 1
fi
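Review bot: The SSH port detection `CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')` matches commented directives and any keyword containing "Port" (a stock Debian sshd_config carries both `#Port 22` and `#GatewayPorts no`), so the variable can hold several lines; the later `ufw limit "$CURRENT_SSH_PORT"` then fails, yet `[ -n "$CURRENT_SSH_PORT" ]` still passes and `ufw --force enable` goes ahead with `deny incoming` as default — on a host whose sshd listens on a non-22 port this locks the administrator out. Restrict the match to active `Port` lines and rate-limit every configured port, as below; the unconditional `ufw limit 22` can then go, since a host that only listens on 2222 has no reason to expose 22 (if this distribution's sshd also reads `/etc/ssh/sshd_config.d/*.conf`, those files need the same treatment — confirm). `ufw allow 123` opens inbound NTP on tcp and udp, which a time-sync client does not need because `ufw default allow outgoing` already covers its traffic; drop it unless this host serves NTP. The function's exit status is also just that of its last command (`service rsyslog restart`, or the preceding `fi`), so a failed `ufw --force enable` still yields `exit 0` from the wrapper.

```bash
wo_ufw_setup() {
    # active "Port" directives only: a commented "#Port 22" or a
    # "GatewayPorts" line must not leak into the value
    if [ -f /etc/ssh/sshd_config ]; then
        SSH_PORTS=$(awk '$1 == "Port" {print $2}' /etc/ssh/sshd_config)
        [ -z "$SSH_PORTS" ] && SSH_PORTS=22
    fi
    # … unchanged: logging level and default policies …
    # rate-limit every port sshd is configured to listen on
    for port in $SSH_PORTS; do
        if ! grep -q "\-\-dport $port -j" /etc/ufw/user.rules; then
            ufw limit "$port"
        fi
    done
    # … unchanged: http/https and 22222 rules …
    # only enable once an ssh port is known, otherwise we lock ourselves out
    if [ -n "$SSH_PORTS" ]; then
        ufw --force enable || return 1
    fi
    # … unchanged: rsyslog tweak …
}
```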