From 0a5596c093f9ec953c53095e6e7211b4432e808c Mon Sep 17 00:00:00 2001
From: VirtuBox
Date: Tue, 20 Aug 2019 00:26:12 +0200
Subject: [PATCH] Add UFW
---
 CHANGELOG.md | 5 ++
 install | 128 ++++++++++++++++++++++++++++++++++++---------------
 2 files changed, 95 insertions(+), 38 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 30da45e..4fdc3cb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Additional settings to support mobile with WP-Rocket
 - Add the ability to block nginx configuration overwriting by adding a file .custom. Example with webp.conf -> `touch webp.conf.custom`
 - If there is a custom file, WordOps will write the configuration in a file named fileconf.conf.orig to let users implement possible changes
+- UFW minimal configuration during install. Can be disabled with the flag `-w`, `--wufw` or `--without-ufw`. Example : `wget -qO wo wops.cc && sudo bash wo -w`
+
+#### Fixed
+
+- WordOps internal database creation on servers running with custom setup
 ### v3.9.8.1 - 2019-08-18
diff --git a/install b/install
index e7b929c..1c82aab 100755
--- a/install
+++ b/install
@@ -77,6 +77,9 @@ while [ "$#" -gt 0 ]; do
 --purge | --uninstall)
 wo_purge="y"
 ;;
+ -w | --wufw | --without-ufw)
+ ufw="n"
+ ;;
 *) # positional args
 ;;
 esac
@@ -148,7 +151,9 @@ if [ -x /usr/local/bin/ee ]; then
 elif [ -x /usr/local/bin/wo ]; then
 wo_upgrade=1
 fi
-
+if [ -z "$ufw" ]; then
+ ufw="y"
+fi
 ###
 # 1 - Checking linux distro
 ###
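Review bot: The new `-w | --wufw | --without-ufw)` arm stores its state in a variable named `ufw`, which reads like the `ufw` command it controls later in the file and breaks the `wo_` prefix the other flags in this `case` use (`wo_purge`, `wo_force_install`); a name such as `wo_ufw` here, in the default at the `@@ -148` hunk and at the three `if [ "$ufw" = "y" ]` call sites would keep the convention. The default block at `@@ -148` could then shrink to one line, `: "${wo_ufw:=y}"`. Note that with either name an exported environment variable of that name also pre-sets the value, since nothing clears it before the option loop; that may be intended but is worth a comment. The `while` loop enclosing this `case` starts outside the hunk.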
@@ -211,11 +216,15 @@ wo_install_dep() {
 locale-gen en
 # enable unattended upgades
- cp /usr/share/unattended-upgrades/20auto-upgrades /etc/apt/apt.conf.d/20auto-upgrades
+ if [ ! -f /etc/apt/apt.conf.d/20auto-upgrades ]; then
+ cp /usr/share/unattended-upgrades/20auto-upgrades /etc/apt/apt.conf.d/20auto-upgrades
+ fi
 # set default ntp pools
- sed -e 's/^#NTP=/NTP=time.cloudflare.com 0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org/' -i /etc/systemd/timesyncd.conf
- # enable ntp
- timedatectl set-ntp 1
+ if ! grep -q "time.cloudflare.com" /etc/systemd/timesyncd.conf; then
+ sed -e 's/^#NTP=/NTP=time.cloudflare.com 0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org 2.ubuntu.pool.ntp.org 3.ubuntu.pool.ntp.org/' -i /etc/systemd/timesyncd.conf
+ # enable ntp
+ timedatectl set-ntp 1
+ fi
 } >> "$wo_install_log" 2>&1
@@ -318,14 +327,14 @@ wo_sync_db() {
 fi
 fi
- done
+ wo_webroot="/var/www/$site"
- wo_webroot="/var/www/$site"
-
- # Import the configuration into the WordOps SQLite database
- echo "INSERT INTO sites (sitename, site_type, cache_type, site_path, is_enabled, is_ssl, storage_fs, storage_db)
+ # Import the configuration into the WordOps SQLite database
+ echo "INSERT INTO sites (sitename, site_type, cache_type, site_path, is_enabled, is_ssl, storage_fs, storage_db)
 VALUES (\"$site\", \"$wo_site_current\", \"$wo_site_current_cache\", \"$wo_webroot\", \"$wo_site_status\", 0, 'ext4', 'mysql');" | sqlite3 /var/lib/wo/dbase.db
+ done
+ fi
 # echo "UPDATE sites SET php_version = REPLACE(php_version, '5.6', '7.2');" | sqlite3 /var/lib/wo/dbase.db
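Review bot: The new guard `if ! grep -q "time.cloudflare.com" /etc/systemd/timesyncd.conf; then` treats a missing file the same as an unconfigured one, because `grep` exits 2 when the file does not exist and the `!` turns that into "run the sed"; on a host without systemd-timesyncd the `sed -i` then fails and the failure is only visible in the log. Checking the file first, `if [ -f /etc/systemd/timesyncd.conf ] && ! grep -q "time.cloudflare.com" /etc/systemd/timesyncd.conf; then`, keeps the idempotence the commit adds without the spurious error. Moving `timedatectl set-ntp 1` inside the guard also means NTP is only enabled the first time the pool line is written, so a host where it was later turned off is not re-enabled on a re-run; if that is intended, a one-line comment saying so would save the next reader the question. wo_install_dep starts outside the hunk.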
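Review bot: The `INSERT` now issued inside the loop embeds `$site`, `$wo_site_current`, `$wo_site_current_cache`, `$wo_webroot` and `$wo_site_status` straight into the SQL text and wraps them in `\"...\"`, which SQLite only accepts as string literals through its legacy double-quoted-string fallback; a value containing a quote or a `;` breaks or alters the statement. Presumably `$site` is a directory name under `/var/www` (the loop head is outside the hunk), so it is attacker-influenced only by whoever can create sites, but escaping is cheap: derive a safe copy with `site_sql=${site//\'/\'\'}` and write the literal as `'$site_sql'` (single quotes, doubled inside), and do the same for the other interpolated values. wo_sync_db starts and ends outside the hunk.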
@@ -401,9 +410,6 @@ wo_install_acme_sh() {
 /etc/letsencrypt/renewal/
 # remove previous acme.sh folder
 rm -rf "$HOME/.acme.sh"
- # create acme.sh.env file inlcuded in .bashrc to avoid error when logging in
- mkdir -p "$HOME/.acme.sh"
- echo '' > "$HOME/.acme.sh/acme.sh.env"
 # removing previous cronjob
 crontab -l | sed '/41 0 \* \* \* "\/root\/\.acme\.sh"\/acme.sh --cron --home "\/root\/\.acme\.sh" > \/dev\/null/d' | crontab -
@@ -688,43 +694,73 @@ wo_uninstall() {
 wo_ufw_setup() {
- CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')
-
+ # get custom ssh port
+ if [ -f /etc/ssh/sshd_config ]; then
+ CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')
+ fi
+ # install ufw if needed
 if [ ! -d /etc/ufw ]; then
 apt-get install ufw -y
 fi
 # define firewall rules
-
- ufw logging low
- ufw default allow outgoing
- ufw default deny incoming
-
- # default ssh port
- ufw allow 22
+ if ! grep -q "LOGLEVEL=low" /etc/ufw/ufw.conf; then
+ ufw logging low
+ fi
+ if ! grep -q 'DEFAULT_OUTPUT_POLICY="ACCEPT"' /etc/default/ufw; then
+ ufw default allow outgoing
+ fi
+ if ! grep -q 'DEFAULT_INPUT_POLICY="DROP"' /etc/default/ufw; then
+ ufw default deny incoming
+ fi
+ if ! grep -q "\-\-dport 22 -j" /etc/ufw/user.rules; then
+ # default ssh port
+ ufw limit 22
+ fi
 # custom ssh port
 if [ "$CURRENT_SSH_PORT" != "22" ]; then
- ufw allow "$CURRENT_SSH_PORT"
+ if ! grep -q "\-\-dport $CURRENT_SSH_PORT -j" /etc/ufw/user.rules; then
+ ufw limit "$CURRENT_SSH_PORT"
+ fi
 fi
- # dns
- ufw allow 53
- # nginx
- ufw allow http
- ufw allow https
+ if ! grep -q "\-\-dport 80 -j" /etc/ufw/user.rules; then
+ # http
+ ufw allow http
+ fi
+ if ! grep -q "\-\-dport 443 -j" /etc/ufw/user.rules; then
+ # https
+ ufw allow https
+ fi
 # ntp
- ufw allow 123
-
- # wordops backend
- ufw allow 22222
+ if ! grep -q "\-\-dport 123 -j" /etc/ufw/user.rules; then
+ ufw allow 123
+ fi
+ if ! grep -q "\-\-dport 22222 -j" /etc/ufw/user.rules; then
+ # wordops backend
+ ufw limit 22222
+ fi
 # enable ufw
- echo "y" | ufw enable
+ if [ -n "$CURRENT_SSH_PORT" ]; then
+ if !
grep -q "ENABLED=yes" /etc/ufw/ufw.conf; then
+ ufw --force enable
+ else
+ ufw reload
+ fi
+ fi
-} >> $wo_install_log
+ # remove ufw from syslog
+ if [ -f /etc/rsyslog.d/20-ufw.conf ]; then
+ sed -i 's/\#\& stop/\& stop/' /etc/rsyslog.d/20-ufw.conf
+ service rsyslog restart
+ fi
+
+ } \
+ >> $wo_install_log
 ###
 # 4 - WO MAIN SETUP
@@ -740,7 +776,7 @@ else
 # 1 - WO already installed
 if [ -x /usr/local/bin/wo ]; then
 if ! {
- wo -v 2>&1 | grep $wo_version_new
+ wo -v 2>&1 | grep "$wo_version_new"
 } || [ "$wo_force_install" = "y" ]; then
 if [ -z "$wo_force_install" ]; then
 echo -e "Update WordOps to $wo_version_new (y/n): " && read -r WO_ANSWER
@@ -755,10 +791,14 @@ else
 secure_wo_db | tee -ai $wo_install_log
 wo_lib_echo "Installing WordOps " | tee -ai $wo_install_log
 wo_clean | tee -ai $wo_install_log
- if [ -f "$HOME/.gitconfig" ]; then
- wo_install >> $wo_install_log 2>&1
+ if [ "$wo_travis" = "y" ]; then
+ wo_install_travis | tee -ai $wo_install_log
 else
- wo_install | tee -ai $wo_install_log
+ if [ -f "$HOME/.gitconfig" ]; then
+ wo_install >> $wo_install_log 2>&1
+ else
+ wo_install | tee -ai $wo_install_log
+ fi
 fi
 if [ -z "$wo_preserve_config" ]; then
 if [ -n "$(command -v nginx)" ]; then
@@ -773,6 +813,10 @@ else
 wo_lib_echo "Updating acme.sh" | tee -ai $wo_install_log
 wo_install_acme_sh | tee -ai $wo_install_log
 fi
+ if [ "$ufw" = "y" ]; then
+ wo_lib_echo "Configuring UFW" | tee -ai $wo_install_log
+ wo_ufw_setup | tee -ai $wo_install_log
+ fi
 wo_lib_echo "Applying Kernel tweaks" | tee -ai $wo_install_log
 wo_tweak_kernel | tee -ai $wo_install_log
 wo_lib_echo "Running post-install steps " | tee -ai $wo_install_log
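Review bot: The SSH port detection kept in the new `if [ -f /etc/ssh/sshd_config ]` block, `grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}'`, matches every line containing `Port`, including the commented `#Port 22` and `#GatewayPorts no` lines of a stock config, so `CURRENT_SSH_PORT` can hold several lines (e.g. `22` and `no`) or a value that is not the listening port; the later `ufw limit "$CURRENT_SSH_PORT"`, the `grep -q "\-\-dport $CURRENT_SSH_PORT -j"` check (a multi-line pattern becomes several patterns) and the `[ -n "$CURRENT_SSH_PORT" ]` gate in front of `ufw --force enable` then reason about the wrong port, which is exactly the lockout that gate is meant to prevent. Reading only an active directive, `CURRENT_SSH_PORT=$(awk '$1 == "Port" {print $2; exit}' /etc/ssh/sshd_config)`, or asking the daemon with `sshd -T 2>/dev/null | awk '$1 == "port" {print $2; exit}'`, yields one numeric value, and an empty result then genuinely means "not found", where printing a warning to stderr would be more helpful than silently skipping `ufw enable`. The `grep -q "\-\-dport NN -j" /etc/ufw/user.rules` idempotence checks also match a deny rule for the same port, so they are best-effort rather than exact; a short comment noting that would manage expectations. The function's closing `>> $wo_install_log` has no `2>&1` and an unquoted variable, unlike wo_install_dep's `>> "$wo_install_log" 2>&1`, so ufw's stderr still reaches the terminal.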
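Review bot: Quoting `$wo_version_new` in `wo -v 2>&1 | grep "$wo_version_new"` fixes word-splitting, but `grep` still treats the value as a regex and as a substring, so `3.9.8` matches the output of an installed `3.9.8.1` and the update question is skipped. `grep -qF -- "$wo_version_new"` treats the dots literally and `-q` drops the stray output; if `wo -v` prints only the version string, `-x` would make the comparison exact as well. The `if ! { ... } || ...` construct this line sits in continues outside the hunk.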
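Review bot: The `if [ "$ufw" = "y" ]` block added here sits on the update path (the surrounding lines say "Updating acme.sh"), and the identical copies in the `@@ -814` and `@@ -834` hunks cover the other branches, so an existing server gets wo_ufw_setup's `default deny incoming` applied during an upgrade with no prompt beyond the generic update question; any service it exposes on a port outside that function's short list (a remotely reachable database or mail port, for instance) stops being reachable after the run, and the only opt-out is the new `-w` flag, which an operator re-running the unchanged upgrade one-liner will not have seen. Consider restricting the automatic setup to fresh installs (`wo_upgrade` is set at the `@@ -148` hunk when `/usr/local/bin/wo` already exists) or asking before enabling on an existing host. Factoring the four repeated lines into one helper, e.g. `wo_maybe_setup_ufw() { [ "$ufw" = "y" ] || return 0; wo_lib_echo "Configuring UFW" | tee -ai "$wo_install_log"; wo_ufw_setup | tee -ai "$wo_install_log"; }`, would also keep the three copies from drifting. The enclosing `else` branch starts and ends outside the hunk.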
@@ -814,6 +858,10 @@ else
 wo_update_latest | tee -ai $wo_install_log
 wo_lib_echo "Installing acme.sh" | tee -ai $wo_install_log
 wo_install_acme_sh | tee -ai $wo_install_log
+ if [ "$ufw" = "y" ]; then
+ wo_lib_echo "Configuring UFW" | tee -ai $wo_install_log
+ wo_ufw_setup | tee -ai $wo_install_log
+ fi
 wo_lib_echo "Applying Kernel tweaks" | tee -ai $wo_install_log
 wo_tweak_kernel | tee -ai $wo_install_log
 wo_lib_echo "Running post-install steps " | tee -ai $wo_install_log
@@ -834,6 +882,10 @@ else
 else
 wo_install | tee -ai $wo_install_log
 fi
+ if [ "$ufw" = "y" ]; then
+ wo_lib_echo "Configuring UFW" | tee -ai $wo_install_log
+ wo_ufw_setup | tee -ai $wo_install_log
+ fi
 wo_lib_echo "Applying Kernel tweaks" | tee -ai $wo_install_log
 wo_tweak_kernel | tee -ai $wo_install_log
 wo_lib_echo "Installing acme.sh" | tee -ai $wo_install_log