Allow port with ufw after ssh port change

CHANGELOG.md

@@ -8,15 +8,23 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 ### v3.9.x - [Unreleased]
 
+#### Added
+
+- [SECURE] Allow new ssh port with UFW when running `wo secure --sshport`
+
+#### Fixed
+
+- [STACK] UFW setup after removing all stacks with `wo stack purge --all`
+
 ### v3.9.9 - 2019-09-24
 
 #### Added
 
 - [STACK]  UFW now available as a stack with flag `--ufw`
-- [SECURE] `wo stack secure --ssh` to harden ssh security
-- [SECURE] `wo stack secure --sshport` to change ssh port
+- [SECURE] `wo secure --ssh` to harden ssh security
+- [SECURE] `wo secure --sshport` to change ssh port
 - [SITE] check domain DNS records before issuing a new certificate without DNS API
-- [STACK] Acme challenge with DNS Alias mode [acme.sh wiki](https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode)
+- [STACK] Acme challenge with DNS Alias mode `--dnsalias=aliasdomain.tld` [acme.sh wiki](https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode)
 
 #### Changed
 

wo/cli/plugins/secure.py

@@ -4,6 +4,7 @@ import os
 from cement.core import handler, hook
 from cement.core.controller import CementBaseController, expose
 
+from wo.core.fileutils import WOFileUtils
 from wo.core.git import WOGit
 from wo.core.logging import Log
 from wo.core.random import RANDOM
@@ -165,6 +166,8 @@ class WOSecureController(CementBaseController):
                                  'Harden SSH security [y/N]')
             if start_secure != "Y" and start_secure != "y":
                 Log.error(self, "Not hardening SSH security")
+        WOGit.add(self, ["/etc/ssh"],
+                      msg="Adding SSH into Git")
         Log.debug(self, "check if /etc/ssh/sshd_config exist")
         if os.path.isfile('/etc/ssh/sshd_config'):
             Log.debug(self, "looking for the current ssh port")
@@ -213,8 +216,23 @@ class WOSecureController(CementBaseController):
         WOShellExec.cmd_exec(self, "sed -i \"s/Port.*/Port "
                              "{port}/\" /etc/ssh/sshd_config"
                              .format(port=pargs.user_input))
+        # allow new ssh port if ufw is enabled
+        if os.path.isfile('/etc/ufw/ufw.conf'):
+            # add rule for proftpd with UFW
+            if WOFileUtils.grepcheck(
+                    self, '/etc/ufw/ufw.conf', 'ENABLED=yes'):
+                try:
+                    WOShellExec.cmd_exec(
+                        self, 'ufw limit {0}'.format(pargs.user_input))
+                    WOShellExec.cmd_exec(
+                        self, 'ufw reload')
+                except Exception as e:
+                    Log.debug(self, "{0}".format(e))
+                    Log.error(self, "Unable to add UFW rule")
+        # add ssh into git
         WOGit.add(self, ["/etc/ssh"],
                   msg="Adding changed SSH port into Git")
+        # restart ssh service
         if not WOService.restart_service(self, 'ssh'):
             Log.error(self, "service SSH restart failed.")
         Log.info(self, "Successfully changed SSH port to {port}"

wo/cli/plugins/stack.py

@@ -129,7 +129,6 @@ class WOStackController(CementBaseController):
                 pargs.php73 = True
                 pargs.redis = True
                 pargs.proftpd = True
-                pargs.security = True
 
             if pargs.web:
                 pargs.nginx = True
@@ -152,7 +151,6 @@ class WOStackController(CementBaseController):
             if pargs.security:
                 pargs.fail2ban = True
                 pargs.clamav = True
-                pargs.ufw = True
 
             # Nginx
             if pargs.nginx:
@@ -261,10 +259,8 @@ class WOStackController(CementBaseController):
 
             # UFW
             if pargs.ufw:
-                if not WOFileUtils.grep(
-                        self, '/etc/ufw/ufw.conf', 'ENABLED=yes'):
-                    Log.debug(self, "Setting apt_packages variable for UFW")
-                    apt_packages = apt_packages + ["ufw"]
+                Log.debug(self, "Setting apt_packages variable for UFW")
+                apt_packages = apt_packages + ["ufw"]
 
             # sendmail
             if pargs.sendmail:
@@ -521,7 +517,6 @@ class WOStackController(CementBaseController):
                 (not pargs.php73)):
             pargs.web = True
             pargs.admin = True
-            pargs.security = True
 
         if pargs.all:
             pargs.web = True

wo/cli/plugins/stack_pref.py

@@ -949,19 +949,20 @@ def post_pref(self, apt_packages, packages, upgrade=False):
                                       "Include /etc/proftpd/tls.conf")
             WOService.restart_service(self, 'proftpd')
 
-            # add rule for proftpd with UFW
-            if WOFileUtils.grepcheck(
-                    self, '/etc/ufw/ufw.conf', 'ENABLED=yes'):
-                try:
-                    WOShellExec.cmd_exec(
-                        self, "ufw limit 21")
-                    WOShellExec.cmd_exec(
-                        self, "ufw allow 49000:50000/tcp")
-                    WOShellExec.cmd_exec(
-                        self, "ufw reload")
-                except CommandExecutionError as e:
-                    Log.debug(self, "{0}".format(e))
-                    Log.error(self, "Unable to add UFW rule")
+            if os.path.isfile('/etc/ufw/ufw.conf'):
+                # add rule for proftpd with UFW
+                if WOFileUtils.grepcheck(
+                        self, '/etc/ufw/ufw.conf', 'ENABLED=yes'):
+                    try:
+                        WOShellExec.cmd_exec(
+                            self, "ufw limit 21")
+                        WOShellExec.cmd_exec(
+                            self, "ufw allow 49000:50000/tcp")
+                        WOShellExec.cmd_exec(
+                            self, "ufw reload")
+                    except Exception as e:
+                        Log.debug(self, "{0}".format(e))
+                        Log.error(self, "Unable to add UFW rules")
 
             if ((os.path.isfile("/etc/fail2ban/jail.d/custom.conf")) and
                 (not WOFileUtils.grep(