diff --git a/CHANGELOG.md b/CHANGELOG.md
index b222577..3c3d02e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,15 +8,23 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ### v3.9.x - [Unreleased]
+#### Added
+
+- [SECURE] Allow new ssh port with UFW when running `wo secure --sshport`
+
+#### Fixed
+
+- [STACK] UFW setup after removing all stacks with `wo stack purge --all`
+
 ### v3.9.9 - 2019-09-24
 #### Added
 - [STACK] UFW now available as a stack with flag `--ufw`
-- [SECURE] `wo stack secure --ssh` to harden ssh security
-- [SECURE] `wo stack secure --sshport` to change ssh port
+- [SECURE] `wo secure --ssh` to harden ssh security
+- [SECURE] `wo secure --sshport` to change ssh port
 - [SITE] check domain DNS records before issuing a new certificate without DNS API
-- [STACK] Acme challenge with DNS Alias mode [acme.sh wiki](https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode)
+- [STACK] Acme challenge with DNS Alias mode `--dnsalias=aliasdomain.tld` [acme.sh wiki](https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode)
 #### Changed
diff --git a/wo/cli/plugins/secure.py b/wo/cli/plugins/secure.py
index 89e4012..34ebaff 100644
--- a/wo/cli/plugins/secure.py
+++ b/wo/cli/plugins/secure.py
@@ -4,6 +4,7 @@ import os
 from cement.core import handler, hook
 from cement.core.controller import CementBaseController, expose
+from wo.core.fileutils import WOFileUtils
 from wo.core.git import WOGit
 from wo.core.logging import Log
 from wo.core.random import RANDOM
@@ -165,6 +166,8 @@ class WOSecureController(CementBaseController):
 'Harden SSH security [y/N]')
 if start_secure != "Y" and start_secure != "y":
 Log.error(self, "Not hardening SSH security")
+ WOGit.add(self, ["/etc/ssh"],
+ msg="Adding SSH into Git")
 Log.debug(self, "check if /etc/ssh/sshd_config exist")
 if os.path.isfile('/etc/ssh/sshd_config'):
 Log.debug(self, "looking for the current ssh port")
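Review bot: The new `WOGit.add(self, ["/etc/ssh"], msg="Adding SSH into Git")` commits the whole /etc/ssh tree, which holds the host private keys (ssh_host_*_key), before any hardening is applied, and nothing says why it sits there; a reader may take it for a leftover of the later `Adding changed SSH port into Git` call. I would annotate it `# snapshot /etc/ssh before hardening so the edits below are diffable and revertable` and confirm the target repository is the root-owned one under /etc so the keys never land in a readable or pushed history. The call is placed right after the `Log.error(self, "Not hardening SSH security")` branch; if `Log.error` does not terminate the command (not visible in this hunk), the snapshot and the hardening that follows run even when the user answered no, and an explicit `return` in that branch would be safer. The enclosing method starts and ends outside this hunk.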
@@ -213,8 +216,23 @@ class WOSecureController(CementBaseController):
 WOShellExec.cmd_exec(self, "sed -i \"s/Port.*/Port "
 "{port}/\" /etc/ssh/sshd_config"
 .format(port=pargs.user_input))
+ # allow new ssh port if ufw is enabled
+ if os.path.isfile('/etc/ufw/ufw.conf'):
+ # add rule for proftpd with UFW
+ if WOFileUtils.grepcheck(
+ self, '/etc/ufw/ufw.conf', 'ENABLED=yes'):
+ try:
+ WOShellExec.cmd_exec(
+ self, 'ufw limit {0}'.format(pargs.user_input))
+ WOShellExec.cmd_exec(
+ self, 'ufw reload')
+ except Exception as e:
+ Log.debug(self, "{0}".format(e))
+ Log.error(self, "Unable to add UFW rule")
+ # add ssh into git
 WOGit.add(self, ["/etc/ssh"],
 msg="Adding changed SSH port into Git")
+ # restart ssh service
 if not WOService.restart_service(self, 'ssh'):
 Log.error(self, "service SSH restart failed.")
 Log.info(self, "Successfully changed SSH port to {port}"
diff --git a/wo/cli/plugins/stack.py b/wo/cli/plugins/stack.py
index 32eab17..5e16aca 100644
--- a/wo/cli/plugins/stack.py
+++ b/wo/cli/plugins/stack.py
@@ -129,7 +129,6 @@ class WOStackController(CementBaseController):
 pargs.php73 = True
 pargs.redis = True
 pargs.proftpd = True
- pargs.security = True
 if pargs.web:
 pargs.nginx = True
@@ -152,7 +151,6 @@ class WOStackController(CementBaseController):
 if pargs.security:
 pargs.fail2ban = True
 pargs.clamav = True
- pargs.ufw = True
 # Nginx
 if pargs.nginx:
@@ -261,10 +259,8 @@ class WOStackController(CementBaseController):
 # UFW
 if pargs.ufw:
- if not WOFileUtils.grep(
- self, '/etc/ufw/ufw.conf', 'ENABLED=yes'):
- Log.debug(self, "Setting apt_packages variable for UFW")
- apt_packages = apt_packages + ["ufw"]
+ Log.debug(self, "Setting apt_packages variable for UFW")
+ apt_packages = apt_packages + ["ufw"]
 # sendmail
 if pargs.sendmail:
@@ -521,7 +517,6 @@ class WOStackController(CementBaseController):
 (not pargs.php73)):
 pargs.web = True
 pargs.admin = True
- pargs.security = True
 if pargs.all:
 pargs.web = True
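Review bot: `pargs.user_input` is interpolated straight into the new `'ufw limit {0}'` command string (and into the sed expression three lines above it) with no check in this hunk that it is a port number; unless that check happens earlier in the method (its start is outside the hunk), a non-numeric value yields a broken `Port` line in sshd_config and, depending on whether `cmd_exec` hands the string to a shell, a command-injection path for whoever can run the command. A guard before the sed call, `if not str(pargs.user_input).isdigit() or not 0 < int(pargs.user_input) < 65536:` followed by `Log.error(self, "Invalid SSH port")`, covers both call sites. The copied comment `# add rule for proftpd with UFW` is wrong in this context and should read `# allow the new SSH port through UFW (rate-limited)`. If `Log.error` aborts the command (as the `Not hardening SSH security` branch in the previous hunk suggests), a failed UFW step leaves sshd_config already rewritten to the new port but sshd not restarted and nothing committed; running the UFW block before the sed rewrite would avoid that half-applied state.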
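Review bot: Dropping `pargs.ufw = True` from the `if pargs.security:` group, together with the two `pargs.security = True` removals in the hunks around it, means `wo stack install --security` no longer installs the firewall and `--all` no longer pulls in fail2ban, clamav or UFW, yet the changelog hunk in this commit records only the new sshport rule and the purge fix. That is a user-visible change in what gets installed and belongs under Changed, e.g. `- [STACK] --all no longer implies --security, and --security no longer installs UFW; pass --ufw explicitly`. I cannot tell from the hunk at line 521 whether the no-flag default path is the purge/remove branch and whether it is meant to stop touching the security stack as well; if so, the same note applies there. The enclosing method begins and ends outside these hunks.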
diff --git a/wo/cli/plugins/stack_pref.py b/wo/cli/plugins/stack_pref.py
index f55f0da..9f04209 100644
--- a/wo/cli/plugins/stack_pref.py
+++ b/wo/cli/plugins/stack_pref.py
@@ -949,19 +949,20 @@ def post_pref(self, apt_packages, packages, upgrade=False):
 "Include /etc/proftpd/tls.conf")
 WOService.restart_service(self, 'proftpd')
- # add rule for proftpd with UFW
- if WOFileUtils.grepcheck(
- self, '/etc/ufw/ufw.conf', 'ENABLED=yes'):
- try:
- WOShellExec.cmd_exec(
- self, "ufw limit 21")
- WOShellExec.cmd_exec(
- self, "ufw allow 49000:50000/tcp")
- WOShellExec.cmd_exec(
- self, "ufw reload")
- except CommandExecutionError as e:
- Log.debug(self, "{0}".format(e))
- Log.error(self, "Unable to add UFW rule")
+ if os.path.isfile('/etc/ufw/ufw.conf'):
+ # add rule for proftpd with UFW
+ if WOFileUtils.grepcheck(
+ self, '/etc/ufw/ufw.conf', 'ENABLED=yes'):
+ try:
+ WOShellExec.cmd_exec(
+ self, "ufw limit 21")
+ WOShellExec.cmd_exec(
+ self, "ufw allow 49000:50000/tcp")
+ WOShellExec.cmd_exec(
+ self, "ufw reload")
+ except Exception as e:
+ Log.debug(self, "{0}".format(e))
+ Log.error(self, "Unable to add UFW rules")
 if ((os.path.isfile("/etc/fail2ban/jail.d/custom.conf")) and
 (not WOFileUtils.grep(
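Review bot: Widening the handler from `except CommandExecutionError as e:` to `except Exception as e:` turns any programming error inside the try (a bad argument to `cmd_exec`, for instance) into the misleading `Unable to add UFW rules` message; since only `cmd_exec` calls sit in the try and the removed line shows `CommandExecutionError` is already in scope in this file, the narrower clause should stay: `except CommandExecutionError as e:`. The added `os.path.isfile('/etc/ufw/ufw.conf')` guard is the right fix for hosts without UFW, but a short comment on why it wraps the grep would help, e.g. `# ufw.conf is absent when ufw is not installed; presumably grepcheck cannot handle a missing file`. The passive range `49000:50000/tcp` is opened permanently; a comment tying it to the proftpd PassivePorts setting it has to match (configured outside this hunk, so confirm) would make that coupling visible to whoever changes either side. post_pref continues past the end of this hunk.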