Allow port with ufw after ssh port change
14
CHANGELOG.md
14
CHANGELOG.md
@@ -8,15 +8,23 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
|||||||
|
|
||||||
### v3.9.x - [Unreleased]
|
### v3.9.x - [Unreleased]
|
||||||
|
|
||||||
|
#### Added
|
||||||
|
|
||||||
|
- [SECURE] Allow new ssh port with UFW when running `wo secure --sshport`
|
||||||
|
|
||||||
|
#### Fixed
|
||||||
|
|
||||||
|
- [STACK] UFW setup after removing all stacks with `wo stack purge --all`
|
||||||
|
|
||||||
### v3.9.9 - 2019-09-24
|
### v3.9.9 - 2019-09-24
|
||||||
|
|
||||||
#### Added
|
#### Added
|
||||||
|
|
||||||
- [STACK] UFW now available as a stack with flag `--ufw`
|
- [STACK] UFW now available as a stack with flag `--ufw`
|
||||||
- [SECURE] `wo stack secure --ssh` to harden ssh security
|
- [SECURE] `wo secure --ssh` to harden ssh security
|
||||||
- [SECURE] `wo stack secure --sshport` to change ssh port
|
- [SECURE] `wo secure --sshport` to change ssh port
|
||||||
- [SITE] check domain DNS records before issuing a new certificate without DNS API
|
- [SITE] check domain DNS records before issuing a new certificate without DNS API
|
||||||
- [STACK] Acme challenge with DNS Alias mode [acme.sh wiki](https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode)
|
- [STACK] Acme challenge with DNS Alias mode `--dnsalias=aliasdomain.tld` [acme.sh wiki](https://github.com/Neilpang/acme.sh/wiki/DNS-alias-mode)
|
||||||
|
|
||||||
#### Changed
|
#### Changed
|
||||||
|
|
||||||
|
|||||||
@@ -4,6 +4,7 @@ import os
|
|||||||
from cement.core import handler, hook
|
from cement.core import handler, hook
|
||||||
from cement.core.controller import CementBaseController, expose
|
from cement.core.controller import CementBaseController, expose
|
||||||
|
|
||||||
|
from wo.core.fileutils import WOFileUtils
|
||||||
from wo.core.git import WOGit
|
from wo.core.git import WOGit
|
||||||
from wo.core.logging import Log
|
from wo.core.logging import Log
|
||||||
from wo.core.random import RANDOM
|
from wo.core.random import RANDOM
|
||||||
@@ -165,6 +166,8 @@ class WOSecureController(CementBaseController):
|
|||||||
'Harden SSH security [y/N]')
|
'Harden SSH security [y/N]')
|
||||||
if start_secure != "Y" and start_secure != "y":
|
if start_secure != "Y" and start_secure != "y":
|
||||||
Log.error(self, "Not hardening SSH security")
|
Log.error(self, "Not hardening SSH security")
|
||||||
|
WOGit.add(self, ["/etc/ssh"],
|
||||||
|
msg="Adding SSH into Git")
|
||||||
Log.debug(self, "check if /etc/ssh/sshd_config exist")
|
Log.debug(self, "check if /etc/ssh/sshd_config exist")
|
||||||
if os.path.isfile('/etc/ssh/sshd_config'):
|
if os.path.isfile('/etc/ssh/sshd_config'):
|
||||||
Log.debug(self, "looking for the current ssh port")
|
Log.debug(self, "looking for the current ssh port")
|
||||||
@@ -213,8 +216,23 @@ class WOSecureController(CementBaseController):
|
|||||||
WOShellExec.cmd_exec(self, "sed -i \"s/Port.*/Port "
|
WOShellExec.cmd_exec(self, "sed -i \"s/Port.*/Port "
|
||||||
"{port}/\" /etc/ssh/sshd_config"
|
"{port}/\" /etc/ssh/sshd_config"
|
||||||
.format(port=pargs.user_input))
|
.format(port=pargs.user_input))
|
||||||
|
# allow new ssh port if ufw is enabled
|
||||||
|
if os.path.isfile('/etc/ufw/ufw.conf'):
|
||||||
|
# add rule for proftpd with UFW
|
||||||
|
if WOFileUtils.grepcheck(
|
||||||
|
self, '/etc/ufw/ufw.conf', 'ENABLED=yes'):
|
||||||
|
try:
|
||||||
|
WOShellExec.cmd_exec(
|
||||||
|
self, 'ufw limit {0}'.format(pargs.user_input))
|
||||||
|
WOShellExec.cmd_exec(
|
||||||
|
self, 'ufw reload')
|
||||||
|
except Exception as e:
|
||||||
|
Log.debug(self, "{0}".format(e))
|
||||||
|
Log.error(self, "Unable to add UFW rule")
|
||||||
|
# add ssh into git
|
||||||
WOGit.add(self, ["/etc/ssh"],
|
WOGit.add(self, ["/etc/ssh"],
|
||||||
msg="Adding changed SSH port into Git")
|
msg="Adding changed SSH port into Git")
|
||||||
|
# restart ssh service
|
||||||
if not WOService.restart_service(self, 'ssh'):
|
if not WOService.restart_service(self, 'ssh'):
|
||||||
Log.error(self, "service SSH restart failed.")
|
Log.error(self, "service SSH restart failed.")
|
||||||
Log.info(self, "Successfully changed SSH port to {port}"
|
Log.info(self, "Successfully changed SSH port to {port}"
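Review bot: The comment above the new `if WOFileUtils.grepcheck(` line reads `# add rule for proftpd with UFW`, which is copied from post_pref and names the wrong service; it should read `# allow the new ssh port through UFW before sshd is restarted on it`. The new `ufw limit {0}` command formats `pargs.user_input` straight into a shell string, exactly as the pre-existing `sed` line does; unless an earlier check in this method (its body starts outside the hunk) already constrains the value, converting it once with `int()` and rejecting anything outside 1–65535 via `Log.error` before either command runs would keep a malformed value out of both shell invocations and out of the firewall rule. The rule for the previous ssh port is left in place, which avoids a lockout if the restart below fails; a one-line comment stating that this is deliberate would stop a later reader from "fixing" it. `except Exception` also reports anything other than a failed ufw command as "Unable to add UFW rule" with only a debug line for the cause; `CommandExecutionError`, the type the pre-existing post_pref block catches, would be the narrower choice if it is imported in this module.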
|
||||||
|
|||||||
@@ -129,7 +129,6 @@ class WOStackController(CementBaseController):
|
|||||||
pargs.php73 = True
|
pargs.php73 = True
|
||||||
pargs.redis = True
|
pargs.redis = True
|
||||||
pargs.proftpd = True
|
pargs.proftpd = True
|
||||||
pargs.security = True
|
|
||||||
|
|
||||||
if pargs.web:
|
if pargs.web:
|
||||||
pargs.nginx = True
|
pargs.nginx = True
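Review bot: Dropping `pargs.security = True` from the `--all` block here and from the no-flag default block in the hunk at `@@ -521,7 +517,6 @@`, together with dropping `pargs.ufw = True` from `if pargs.security:` in the hunk at `@@ -152,7 +151,6 @@`, changes what `--all` and `--security` install or purge, while the CHANGELOG entry only records the `wo stack purge --all` case. If the intent is to stop a purge from removing UFW, a narrower fix would keep the flag expansion and skip UFW only on the purge path; otherwise the Changed section should state that `--security` no longer implies `--ufw` and `--all` no longer implies `--security`. The enclosing method starts outside these hunks, so the defaults may be set elsewhere; a comment at the `--all` block such as `# security stack (fail2ban, clamav, ufw) is deliberately not part of --all` would make the choice explicit either way.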
|
||||||
@@ -152,7 +151,6 @@ class WOStackController(CementBaseController):
|
|||||||
if pargs.security:
|
if pargs.security:
|
||||||
pargs.fail2ban = True
|
pargs.fail2ban = True
|
||||||
pargs.clamav = True
|
pargs.clamav = True
|
||||||
pargs.ufw = True
|
|
||||||
|
|
||||||
# Nginx
|
# Nginx
|
||||||
if pargs.nginx:
|
if pargs.nginx:
|
||||||
@@ -261,10 +259,8 @@ class WOStackController(CementBaseController):
|
|||||||
|
|
||||||
# UFW
|
# UFW
|
||||||
if pargs.ufw:
|
if pargs.ufw:
|
||||||
if not WOFileUtils.grep(
|
Log.debug(self, "Setting apt_packages variable for UFW")
|
||||||
self, '/etc/ufw/ufw.conf', 'ENABLED=yes'):
|
apt_packages = apt_packages + ["ufw"]
|
||||||
Log.debug(self, "Setting apt_packages variable for UFW")
|
|
||||||
apt_packages = apt_packages + ["ufw"]
|
|
||||||
|
|
||||||
# sendmail
|
# sendmail
|
||||||
if pargs.sendmail:
|
if pargs.sendmail:
|
||||||
@@ -521,7 +517,6 @@ class WOStackController(CementBaseController):
|
|||||||
(not pargs.php73)):
|
(not pargs.php73)):
|
||||||
pargs.web = True
|
pargs.web = True
|
||||||
pargs.admin = True
|
pargs.admin = True
|
||||||
pargs.security = True
|
|
||||||
|
|
||||||
if pargs.all:
|
if pargs.all:
|
||||||
pargs.web = True
|
pargs.web = True
|
||||||
|
|||||||
@@ -949,19 +949,20 @@ def post_pref(self, apt_packages, packages, upgrade=False):
|
|||||||
"Include /etc/proftpd/tls.conf")
|
"Include /etc/proftpd/tls.conf")
|
||||||
WOService.restart_service(self, 'proftpd')
|
WOService.restart_service(self, 'proftpd')
|
||||||
|
|
||||||
# add rule for proftpd with UFW
|
if os.path.isfile('/etc/ufw/ufw.conf'):
|
||||||
if WOFileUtils.grepcheck(
|
# add rule for proftpd with UFW
|
||||||
self, '/etc/ufw/ufw.conf', 'ENABLED=yes'):
|
if WOFileUtils.grepcheck(
|
||||||
try:
|
self, '/etc/ufw/ufw.conf', 'ENABLED=yes'):
|
||||||
WOShellExec.cmd_exec(
|
try:
|
||||||
self, "ufw limit 21")
|
WOShellExec.cmd_exec(
|
||||||
WOShellExec.cmd_exec(
|
self, "ufw limit 21")
|
||||||
self, "ufw allow 49000:50000/tcp")
|
WOShellExec.cmd_exec(
|
||||||
WOShellExec.cmd_exec(
|
self, "ufw allow 49000:50000/tcp")
|
||||||
self, "ufw reload")
|
WOShellExec.cmd_exec(
|
||||||
except CommandExecutionError as e:
|
self, "ufw reload")
|
||||||
Log.debug(self, "{0}".format(e))
|
except Exception as e:
|
||||||
Log.error(self, "Unable to add UFW rule")
|
Log.debug(self, "{0}".format(e))
|
||||||
|
Log.error(self, "Unable to add UFW rules")
|
||||||
|
|
||||||
if ((os.path.isfile("/etc/fail2ban/jail.d/custom.conf")) and
|
if ((os.path.isfile("/etc/fail2ban/jail.d/custom.conf")) and
|
||||||
(not WOFileUtils.grep(
|
(not WOFileUtils.grep(
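Review bot: The new `except Exception as e:` replaces the earlier `except CommandExecutionError as e:` on the ufw block, so a programming error inside the `try` (a wrong attribute on `WOShellExec`, for instance) is now reported as "Unable to add UFW rules" with the traceback reduced to one debug line. Keeping `except CommandExecutionError as e:` preserves the intended case, a failed ufw command, without hiding other faults. The added `os.path.isfile('/etc/ufw/ufw.conf')` guard is a sound fix for the purge-then-reinstall case, but the same guard-grepcheck-try block now also appears in the secure controller hunk above; a single helper taking the rule strings would keep the two copies in step. `post_pref` continues beyond the hunk.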
|
||||||
|
|||||||