Malin/WPIQ
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add wo secure --ssh

Browse Source
This commit is contained in:
VirtuBox
2019-09-23 12:11:15 +02:00
parent 5249479c89
commit 5abc051901
4 changed files with 97 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGELOG.md
View File

@@ -8,11 +8,17 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
### v3.9.x - [Unreleased] ### v3.9.x - [Unreleased]
#### Added
- [STACK] UFW as a STACK available with `--ufw`
#### Changed #### Changed
- [APP] WordOps dashboard updated to v1.2, shipped as a html file, it can be used without PHP stack - [APP] WordOps dashboard updated to v1.2, shipped as a html file, it can be used without PHP stack
- [STACK] Refactor Let's Encrypt with acme.sh - [STACK] Refactor Let's Encrypt with acme.sh
- [STACK] Log error improved with acme.sh depending on the acme challenge (DNS API or Webroot) - [STACK] Log error improved with acme.sh depending on the acme challenge (DNS API or Webroot)
- [INSTALL] Removed UFW setup from install script
- [APP] phpMyAdmin updated to v4.9.1
#### Fixed #### Fixed

2
config/bash_completion.d/wo_auto.rc
View File

@@ -74,7 +74,7 @@ _wo_complete()
# HANDLE EVERYTHING AFTER THE THIRD LEVEL NAMESPACE # HANDLE EVERYTHING AFTER THE THIRD LEVEL NAMESPACE
"install" | "purge" | "remove" ) "install" | "purge" | "remove" )
COMPREPLY=( $(compgen \ COMPREPLY=( $(compgen \
-W "--recommended --web --admin --security --nginx --php --php73 --mysql --wpcli --phpmyadmin --adminer --utils --redis --phpredisadmin --composer --netdata --fail2ban --dashboard --proftpd --clamav --mysqlclient --mysqltuner --extplorer --all --force" \ -W "--web --admin --security --nginx --php --php73 --mysql --wpcli --phpmyadmin --adminer --utils --redis --phpredisadmin --composer --netdata --fail2ban --dashboard --proftpd --clamav --mysqlclient --mysqltuner --extplorer --all --force" \
-- $cur) ) -- $cur) )
;; ;;
"upgrade" ) "upgrade" )

33
wo/cli/plugins/secure.py
View File

@@ -1,4 +1,5 @@
import getpass import getpass
import os
from cement.core import handler, hook from cement.core import handler, hook
from cement.core.controller import CementBaseController, expose from cement.core.controller import CementBaseController, expose
@@ -8,7 +9,9 @@ from wo.core.logging import Log
from wo.core.random import RANDOM from wo.core.random import RANDOM
from wo.core.services import WOService from wo.core.services import WOService
from wo.core.shellexec import WOShellExec from wo.core.shellexec import WOShellExec
from wo.core.template import WOTemplate
from wo.core.variables import WOVariables from wo.core.variables import WOVariables
from wo.core.services import WOService
def wo_secure_hook(app): def wo_secure_hook(app):
@@ -31,10 +34,10 @@ class WOSecureController(CementBaseController):
dict(help='set backend port', action='store_true')), dict(help='set backend port', action='store_true')),
(['--ip'], (['--ip'],
dict(help='set backend whitelisted ip', action='store_true')), dict(help='set backend whitelisted ip', action='store_true')),
(['--ssh-port'], dict( (['--sshport'], dict(
help='set custom ssh port', action='store_true')), help='set custom ssh port', action='store_true')),
(['--ssh-strict'], dict(help='harden ssh security', (['--ssh'], dict(
action='store_true')), help='harden ssh security', action='store_true')),
(['--ufw'], (['--ufw'],
dict(help='setup and configure ufw firewall', dict(help='setup and configure ufw firewall',
action='store_true')), action='store_true')),
@@ -53,6 +56,10 @@ class WOSecureController(CementBaseController):
self.secure_port() self.secure_port()
if pargs.ip: if pargs.ip:
self.secure_ip() self.secure_ip()
if pargs.sshport:
self.secure_ssh_port()
if pargs.ssh:
self.secure_ssh()
@expose(hide=True) @expose(hide=True)
def secure_auth(self): def secure_auth(self):
@@ -139,6 +146,26 @@ class WOSecureController(CementBaseController):
Log.info(self, "Successfully added IP address in acl.conf file") Log.info(self, "Successfully added IP address in acl.conf file")
@expose(hide=True)
def secure_ssh(self):
"""Harden ssh security"""
pargs = self.app.pargs
if pargs.user_input:
current_ssh_port = pargs.user_input
else:
if os.path.isfile('/etc/ssh/sshd_config'):
for line in open('/etc/ssh/sshd_config', encoding='utf-8'):
if 'Port' in line:
ssh_line = line.strip()
break
port = (ssh_line).split(' ')
current_ssh_port = port[1]
else:
Log.error(self, "SSH config file not found")
data = dict(sshport=current_ssh_port, allowpass='no')
WOTemplate.render(self, '/etc/ssh/sshd_config', 'sshd.mustache', data)
WOService.restart_service(self, 'ssh')
def load(app): def load(app):
handler.register(WOSecureController) handler.register(WOSecureController)

98
wo/cli/plugins/stack.py
View File

@@ -122,7 +122,6 @@ class WOStackController(CementBaseController):
pargs.web = True pargs.web = True
pargs.admin = True pargs.admin = True
pargs.fail2ban = True pargs.fail2ban = True
pargs.ufw = True
if pargs.all: if pargs.all:
pargs.web = True pargs.web = True
@@ -262,8 +261,10 @@ class WOStackController(CementBaseController):
# UFW # UFW
if pargs.ufw: if pargs.ufw:
Log.debug(self, "Setting apt_packages variable for UFW") if not WOFileUtils.grep(
apt_packages = apt_packages + ["ufw"] self, '/etc/ufw/ufw.conf', 'ENABLED=yes'):
Log.debug(self, "Setting apt_packages variable for UFW")
apt_packages = apt_packages + ["ufw"]
# sendmail # sendmail
if pargs.sendmail: if pargs.sendmail:
@@ -579,14 +580,17 @@ class WOStackController(CementBaseController):
# REDIS # REDIS
if pargs.redis: if pargs.redis:
Log.debug(self, "Remove apt_packages variable of Redis") if WOAptGet.is_installed(self, 'redis-server'):
apt_packages = apt_packages + ["redis-server"] Log.debug(self, "Remove apt_packages variable of Redis")
apt_packages = apt_packages + ["redis-server"]
# MariaDB # MariaDB
if pargs.mysql: if pargs.mysql:
Log.debug(self, "Removing apt_packages variable of MySQL") if WOAptGet.is_installed(self, 'mariadb-server'):
apt_packages = apt_packages + ['mariadb-server', 'mysql-common', Log.debug(self, "Removing apt_packages variable of MySQL")
'mariadb-client'] apt_packages = apt_packages + ['mariadb-server',
'mysql-common',
'mariadb-client']
# mysqlclient # mysqlclient
if pargs.mysqlclient: if pargs.mysqlclient:
@@ -621,8 +625,9 @@ class WOStackController(CementBaseController):
# UFW # UFW
if pargs.ufw: if pargs.ufw:
Log.debug(self, "Remove apt_packages variable for UFW") if WOAptGet.is_installed(self, 'ufw'):
apt_packages = apt_packages + ["ufw"] Log.debug(self, "Remove apt_packages variable for UFW")
apt_packages = apt_packages + ["ufw"]
# WPCLI # WPCLI
if pargs.wpcli: if pargs.wpcli:
@@ -632,18 +637,22 @@ class WOStackController(CementBaseController):
# PHPMYADMIN # PHPMYADMIN
if pargs.phpmyadmin: if pargs.phpmyadmin:
Log.debug(self, "Removing package of phpMyAdmin ") if os.path.isdir('{0}22222/htdocs/db/pma'
packages = packages + ['{0}22222/htdocs/db/pma' .format(WOVariables.wo_webroot)):
.format(WOVariables.wo_webroot)] Log.debug(self, "Removing package of phpMyAdmin ")
packages = packages + ['{0}22222/htdocs/db/pma'
.format(WOVariables.wo_webroot)]
# Composer # Composer
if pargs.composer: if pargs.composer:
Log.debug(self, "Removing package of Composer ") Log.debug(self, "Removing package of Composer ")
if os.path.isfile('/usr/local/bin/composer'): if os.path.isfile('/usr/local/bin/composer'):
packages = packages + ['/usr/local/bin/composer'] packages = packages + ['/usr/local/bin/composer']
# MySQLTuner
if pargs.mysqltuner: if pargs.mysqltuner:
Log.debug(self, "Removing packages for MySQLTuner ") if os.path.isfile(/usr/bin/mysqltuner):
packages = packages + ['/usr/bin/mysqltuner'] Log.debug(self, "Removing packages for MySQLTuner ")
packages = packages + ['/usr/bin/mysqltuner']
# PHPREDISADMIN # PHPREDISADMIN
if pargs.phpredisadmin: if pargs.phpredisadmin:
@@ -655,9 +664,11 @@ class WOStackController(CementBaseController):
.format(WOVariables.wo_webroot)] .format(WOVariables.wo_webroot)]
# ADMINER # ADMINER
if pargs.adminer: if pargs.adminer:
Log.debug(self, "Removing package variable of Adminer ") if os.path.isdir('{0}22222/htdocs/db/adminer'
packages = packages + ['{0}22222/htdocs/db/adminer' .format(WOVariables.wo_webroot)):
.format(WOVariables.wo_webroot)] Log.debug(self, "Removing package variable of Adminer ")
packages = packages + ['{0}22222/htdocs/db/adminer'
.format(WOVariables.wo_webroot)]
if pargs.utils: if pargs.utils:
Log.debug(self, "Removing package variable of utils ") Log.debug(self, "Removing package variable of utils ")
packages = packages + ['{0}22222/htdocs/php/webgrind/' packages = packages + ['{0}22222/htdocs/php/webgrind/'
@@ -677,11 +688,17 @@ class WOStackController(CementBaseController):
packages = packages + ['/var/lib/wo/tmp/kickstart.sh'] packages = packages + ['/var/lib/wo/tmp/kickstart.sh']
if pargs.dashboard: if pargs.dashboard:
Log.debug(self, "Removing Wo-Dashboard") if (os.path.isfile('{0}22222/htdocs/index.php'
packages = packages + ['{0}22222/htdocs/assets' .format(WOVariables.wo_webroot)) or
.format(WOVariables.wo_webroot), os.path.isfile('{0}22222/htdocs/index.html'
'{0}22222/htdocs/index.php' .format(WOVariables.wo_webroot))):
.format(WOVariables.wo_webroot)] Log.debug(self, "Removing Wo-Dashboard")
packages = packages + ['{0}22222/htdocs/assets'
.format(WOVariables.wo_webroot),
'{0}22222/htdocs/index.php'
.format(WOVariables.wo_webroot),
'{0}22222/htdocs/index.html'
.format(WOVariables.wo_webroot)]
if (packages) or (apt_packages): if (packages) or (apt_packages):
if (not pargs.force): if (not pargs.force):
@@ -693,10 +710,10 @@ class WOStackController(CementBaseController):
if start_remove != "Y" and start_remove != "y": if start_remove != "Y" and start_remove != "y":
Log.error(self, "Not starting stack removal") Log.error(self, "Not starting stack removal")
if (set(["nginx-custom"]).issubset(set(apt_packages))): if 'nginx-custom' in apt_packages:
WOService.stop_service(self, 'nginx') WOService.stop_service(self, 'nginx')
if (set(["mariadb-server"]).issubset(set(apt_packages))): if 'mariadb-server' in apt_packages:
WOMysql.backupAll(self) WOMysql.backupAll(self)
WOService.stop_service(self, 'mysql') WOService.stop_service(self, 'mysql')
@@ -814,7 +831,6 @@ class WOStackController(CementBaseController):
else: else:
Log.info(self, "Redis is not installed") Log.info(self, "Redis is not installed")
# MariaDB # MariaDB
if pargs.mysql: if pargs.mysql:
if WOAptGet.is_installed(self, 'mariadb-server'): if WOAptGet.is_installed(self, 'mariadb-server'):
@@ -840,8 +856,8 @@ class WOStackController(CementBaseController):
# ClamAV # ClamAV
if pargs.clamav: if pargs.clamav:
Log.debug(self, "Add ClamAV to apt_packages list")
if WOAptGet.is_installed(self, 'clamav'): if WOAptGet.is_installed(self, 'clamav'):
Log.debug(self, "Add ClamAV to apt_packages list")
apt_packages = apt_packages + WOVariables.wo_clamav apt_packages = apt_packages + WOVariables.wo_clamav
# UFW # UFW
@@ -864,25 +880,29 @@ class WOStackController(CementBaseController):
# WP-CLI # WP-CLI
if pargs.wpcli: if pargs.wpcli:
Log.debug(self, "Purge package variable WPCLI")
if os.path.isfile('/usr/local/bin/wp'): if os.path.isfile('/usr/local/bin/wp'):
Log.debug(self, "Purge package variable WPCLI")
packages = packages + ['/usr/local/bin/wp'] packages = packages + ['/usr/local/bin/wp']
# PHPMYADMIN # PHPMYADMIN
if pargs.phpmyadmin: if pargs.phpmyadmin:
packages = packages + ['{0}22222/htdocs/db/pma'. if os.path.isdir('{0}22222/htdocs/db/pma'
format(WOVariables.wo_webroot)] .format(WOVariables.wo_webroot)):
Log.debug(self, "Purge package variable phpMyAdmin") Log.debug(self, "Removing package of phpMyAdmin ")
packages = packages + ['{0}22222/htdocs/db/pma'
.format(WOVariables.wo_webroot)]
# Composer # Composer
if pargs.composer: if pargs.composer:
Log.debug(self, "Removing package variable of Composer ")
if os.path.isfile('/usr/local/bin/composer'): if os.path.isfile('/usr/local/bin/composer'):
Log.debug(self, "Removing package variable of Composer ")
packages = packages + ['/usr/local/bin/composer'] packages = packages + ['/usr/local/bin/composer']
# MySQLTuner
if pargs.mysqltuner: if pargs.mysqltuner:
Log.debug(self, "Removing packages for MySQLTuner ") if os.path.isfile(/usr/bin/mysqltuner):
packages = packages + ['/usr/bin/mysqltuner'] Log.debug(self, "Removing packages for MySQLTuner ")
packages = packages + ['/usr/bin/mysqltuner']
# PHPREDISADMIN # PHPREDISADMIN
if pargs.phpredisadmin: if pargs.phpredisadmin:
@@ -892,11 +912,13 @@ class WOStackController(CementBaseController):
packages = packages + ['{0}22222/htdocs/' packages = packages + ['{0}22222/htdocs/'
'cache/redis' 'cache/redis'
.format(WOVariables.wo_webroot)] .format(WOVariables.wo_webroot)]
# Adminer # ADMINER
if pargs.adminer: if pargs.adminer:
Log.debug(self, "Purge package variable Adminer") if os.path.isdir('{0}22222/htdocs/db/adminer'
packages = packages + ['{0}22222/htdocs/db/adminer' .format(WOVariables.wo_webroot)):
.format(WOVariables.wo_webroot)] Log.debug(self, "Removing package variable of Adminer ")
packages = packages + ['{0}22222/htdocs/db/adminer'
.format(WOVariables.wo_webroot)]
# utils # utils
if pargs.utils: if pargs.utils:
Log.debug(self, "Purge package variable utils") Log.debug(self, "Purge package variable utils")