Add security stack
@@ -18,7 +18,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
|||||||
- Support for Debian 10 buster (testing - not ready for production)
|
- Support for Debian 10 buster (testing - not ready for production)
|
||||||
- Fail2ban with custom jails to secure WordPress & SSH
|
- Fail2ban with custom jails to secure WordPress & SSH
|
||||||
- Variable `keylength` in /etc/wo/wo.conf to define letsencrypt certificate keylenght
|
- Variable `keylength` in /etc/wo/wo.conf to define letsencrypt certificate keylenght
|
||||||
- ProFTPd stack
|
- ProFTPd stack with UFW & Fail2ban configuration
|
||||||
- Beta branch and command `wo update --beta` for beta releases
|
- Beta branch and command `wo update --beta` for beta releases
|
||||||
|
|
||||||
#### Fixed
|
#### Fixed
|
||||||
@@ -36,14 +36,14 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
|||||||
|
|
||||||
#### Changed
|
#### Changed
|
||||||
|
|
||||||
- phpRedisAdmin is now installed with the stack "--admin"
|
- phpRedisAdmin is now installed with the stack `--admin`
|
||||||
- Remove memcached - not required anymore
|
- Remove memcached - not required anymore
|
||||||
|
|
||||||
#### Fixed
|
#### Fixed
|
||||||
|
|
||||||
- phpRedisAdmin installation
|
- phpRedisAdmin installation
|
||||||
- Duplicated locations /robots.txt after upgrade to v3.9.5.3
|
- Duplicated locations /robots.txt after upgrade to v3.9.5.3
|
||||||
- Let's Encrypt stack "wo site update --letsencrypt/--letsencrypt=off"
|
- Let's Encrypt stack `wo site update --letsencrypt/--letsencrypt=off`
|
||||||
- pt-query-advisor dead link
|
- pt-query-advisor dead link
|
||||||
- Netdata persistant configuration
|
- Netdata persistant configuration
|
||||||
|
|
||||||
@@ -92,7 +92,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
|
|||||||
- Install script handle migration from EEv3
|
- Install script handle migration from EEv3
|
||||||
- load-balancing on unix socket for php-fpm
|
- load-balancing on unix socket for php-fpm
|
||||||
- stub_status vhost for metrics
|
- stub_status vhost for metrics
|
||||||
- "--letsencrypt=subdomain" option
|
- `--letsencrypt=subdomain` option
|
||||||
- opcache optimization for php-fpm
|
- opcache optimization for php-fpm
|
||||||
- EasyEngine configuration backup before migration
|
- EasyEngine configuration backup before migration
|
||||||
- EasyEngine configuration cleanup after migration
|
- EasyEngine configuration cleanup after migration
|
||||||
|
|||||||
@@ -50,6 +50,8 @@ class WOStackController(CementBaseController):
|
|||||||
dict(help='Install web stack', action='store_true')),
|
dict(help='Install web stack', action='store_true')),
|
||||||
(['--admin'],
|
(['--admin'],
|
||||||
dict(help='Install admin tools stack', action='store_true')),
|
dict(help='Install admin tools stack', action='store_true')),
|
||||||
|
(['--security'],
|
||||||
|
dict(help='Install security tools stack', action='store_true')),
|
||||||
(['--nginx'],
|
(['--nginx'],
|
||||||
dict(help='Install Nginx stack', action='store_true')),
|
dict(help='Install Nginx stack', action='store_true')),
|
||||||
(['--php'],
|
(['--php'],
|
||||||
@@ -1105,6 +1107,7 @@ class WOStackController(CementBaseController):
|
|||||||
msg="Adding Fail2ban into Git")
|
msg="Adding Fail2ban into Git")
|
||||||
WOService.reload_service(self, 'fail2ban')
|
WOService.reload_service(self, 'fail2ban')
|
||||||
|
|
||||||
|
# Proftpd configuration
|
||||||
if set(["proftpd-basic"]).issubset(set(apt_packages)):
|
if set(["proftpd-basic"]).issubset(set(apt_packages)):
|
||||||
if os.path.isfile("/etc/proftpd/proftpd.conf"):
|
if os.path.isfile("/etc/proftpd/proftpd.conf"):
|
||||||
Log.debug(self, "Setting up Proftpd configuration")
|
Log.debug(self, "Setting up Proftpd configuration")
|
||||||
@@ -1124,13 +1127,19 @@ class WOStackController(CementBaseController):
|
|||||||
"PassivePorts "
|
"PassivePorts "
|
||||||
" "
|
" "
|
||||||
" 49000 50000")
|
" 49000 50000")
|
||||||
|
# add rule for proftpd with UFW
|
||||||
if WOAptGet.is_installed(self, 'ufw'):
|
if WOAptGet.is_installed(self, 'ufw'):
|
||||||
try:
|
try:
|
||||||
WOShellExec.cmd_exec(self, "ufw allow "
|
WOShellExec.cmd_exec(self, "ufw allow "
|
||||||
"49000:50000/tcp")
|
"49000:50000/tcp")
|
||||||
except CommandExecutionError as e:
|
except CommandExecutionError as e:
|
||||||
Log.error(self, "Unable to add UFW rules")
|
Log.error(self, "Unable to add UFW rule")
|
||||||
|
|
||||||
|
if os.path.isfile("/etc/fail2ban/jail.d/custom.conf"):
|
||||||
|
with open("/etc/fail2ban/jail.d/custom.conf",
|
||||||
|
encoding='utf-8', mode='a') as f2bproftpd:
|
||||||
|
f2bproftpd.write("\n\n[proftpd]\nenabled = true\n")
|
||||||
|
WOService.reload_service(self, 'fail2ban')
|
||||||
|
|
||||||
WOGit.add(self, ["/etc/proftpd"],
|
WOGit.add(self, ["/etc/proftpd"],
|
||||||
msg="Adding ProFTPd into Git")
|
msg="Adding ProFTPd into Git")
|
||||||
@@ -1453,12 +1462,14 @@ class WOStackController(CementBaseController):
|
|||||||
(not self.app.pargs.netdata) and
|
(not self.app.pargs.netdata) and
|
||||||
(not self.app.pargs.dashboard) and
|
(not self.app.pargs.dashboard) and
|
||||||
(not self.app.pargs.fail2ban) and
|
(not self.app.pargs.fail2ban) and
|
||||||
|
(not self.app.pargs.security) and
|
||||||
(not self.app.pargs.adminer) and (not self.app.pargs.utils) and
|
(not self.app.pargs.adminer) and (not self.app.pargs.utils) and
|
||||||
(not self.app.pargs.redis) and (not self.app.pargs.proftpd) and
|
(not self.app.pargs.redis) and (not self.app.pargs.proftpd) and
|
||||||
(not self.app.pargs.phpredisadmin) and
|
(not self.app.pargs.phpredisadmin) and
|
||||||
(not self.app.pargs.php73)):
|
(not self.app.pargs.php73)):
|
||||||
self.app.pargs.web = True
|
self.app.pargs.web = True
|
||||||
self.app.pargs.admin = True
|
self.app.pargs.admin = True
|
||||||
|
self.app.pargs.security = True
|
||||||
|
|
||||||
if self.app.pargs.all:
|
if self.app.pargs.all:
|
||||||
self.app.pargs.web = True
|
self.app.pargs.web = True
|
||||||
@@ -1484,6 +1495,8 @@ class WOStackController(CementBaseController):
|
|||||||
self.app.pargs.netdata = True
|
self.app.pargs.netdata = True
|
||||||
self.app.pargs.dashboard = True
|
self.app.pargs.dashboard = True
|
||||||
self.app.pargs.phpredisadmin = True
|
self.app.pargs.phpredisadmin = True
|
||||||
|
|
||||||
|
if self.app.pargs.security:
|
||||||
self.app.pargs.fail2ban = True
|
self.app.pargs.fail2ban = True
|
||||||
|
|
||||||
# Redis
|
# Redis
|
||||||
@@ -1785,10 +1798,12 @@ class WOStackController(CementBaseController):
|
|||||||
(not self.app.pargs.adminer) and (not self.app.pargs.utils) and
|
(not self.app.pargs.adminer) and (not self.app.pargs.utils) and
|
||||||
(not self.app.pargs.composer) and (not self.app.pargs.netdata) and
|
(not self.app.pargs.composer) and (not self.app.pargs.netdata) and
|
||||||
(not self.app.pargs.fail2ban) and (not self.app.pargs.proftpd) and
|
(not self.app.pargs.fail2ban) and (not self.app.pargs.proftpd) and
|
||||||
|
(not self.app.pargs.security) and
|
||||||
(not self.app.pargs.all) and (not self.app.pargs.redis) and
|
(not self.app.pargs.all) and (not self.app.pargs.redis) and
|
||||||
(not self.app.pargs.phpredisadmin)):
|
(not self.app.pargs.phpredisadmin)):
|
||||||
self.app.pargs.web = True
|
self.app.pargs.web = True
|
||||||
self.app.pargs.admin = True
|
self.app.pargs.admin = True
|
||||||
|
self.app.pargs.security = True
|
||||||
|
|
||||||
if self.app.pargs.all:
|
if self.app.pargs.all:
|
||||||
self.app.pargs.web = True
|
self.app.pargs.web = True
|
||||||
@@ -1809,6 +1824,8 @@ class WOStackController(CementBaseController):
|
|||||||
self.app.pargs.netdata = True
|
self.app.pargs.netdata = True
|
||||||
self.app.pargs.dashboard = True
|
self.app.pargs.dashboard = True
|
||||||
self.app.pargs.phpredisadmin = True
|
self.app.pargs.phpredisadmin = True
|
||||||
|
|
||||||
|
if self.app.pargs.security:
|
||||||
self.app.pargs.fail2ban = True
|
self.app.pargs.fail2ban = True
|
||||||
|
|
||||||
# NGINX
|
# NGINX
|
||||||
@@ -1974,11 +1991,13 @@ class WOStackController(CementBaseController):
|
|||||||
(not self.app.pargs.wpcli) and (not self.app.pargs.phpmyadmin) and
|
(not self.app.pargs.wpcli) and (not self.app.pargs.phpmyadmin) and
|
||||||
(not self.app.pargs.adminer) and (not self.app.pargs.utils) and
|
(not self.app.pargs.adminer) and (not self.app.pargs.utils) and
|
||||||
(not self.app.pargs.composer) and (not self.app.pargs.netdata) and
|
(not self.app.pargs.composer) and (not self.app.pargs.netdata) and
|
||||||
(not self.app.pargs.fail2ban) and (not self.app.pargs.proftpd)
|
(not self.app.pargs.fail2ban) and (not self.app.pargs.proftpd) and
|
||||||
|
(not self.app.pargs.security) and
|
||||||
(not self.app.pargs.all) and (not self.app.pargs.redis) and
|
(not self.app.pargs.all) and (not self.app.pargs.redis) and
|
||||||
(not self.app.pargs.phpredisadmin)):
|
(not self.app.pargs.phpredisadmin)):
|
||||||
self.app.pargs.web = True
|
self.app.pargs.web = True
|
||||||
self.app.pargs.admin = True
|
self.app.pargs.admin = True
|
||||||
|
self.app.pargs.security = True
|
||||||
|
|
||||||
if self.app.pargs.all:
|
if self.app.pargs.all:
|
||||||
self.app.pargs.web = True
|
self.app.pargs.web = True
|
||||||
@@ -2000,6 +2019,8 @@ class WOStackController(CementBaseController):
|
|||||||
self.app.pargs.dashboard = True
|
self.app.pargs.dashboard = True
|
||||||
self.app.pargs.phpredisadmin = True
|
self.app.pargs.phpredisadmin = True
|
||||||
|
|
||||||
|
if self.app.pargs.security:
|
||||||
|
self.app.pargs.fail2ban = True
|
||||||
# NGINX
|
# NGINX
|
||||||
if self.app.pargs.nginx:
|
if self.app.pargs.nginx:
|
||||||
if WOAptGet.is_installed(self, 'nginx-custom'):
|
if WOAptGet.is_installed(self, 'nginx-custom'):
|
||||||
|
|||||||
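Review bot: The `[proftpd]` jail is appended to /etc/fail2ban/jail.d/custom.conf unconditionally by `f2bproftpd.write("\n\n[proftpd]\nenabled = true\n")`, so every re-run of the ProFTPd stack install (an upgrade, or a second `wo stack install --proftpd`) adds another duplicate section and forces another Fail2ban reload; read the file first and skip the append when the section is already there, as below. In the UFW branch the caught `e` is never used, so a failed rule addition leaves no trace of why; `Log.error(self, "Unable to add UFW rule: {0}".format(e))` would keep the cause. Opening 49000:50000/tcp to any source is inherent to passive FTP, but whether that rule and the jail entry are reverted when the stack is removed is not visible in this hunk and is worth confirming. The enclosing method begins and ends outside the hunk.
```python
# … unchanged: PassivePorts block and UFW rule …
if os.path.isfile("/etc/fail2ban/jail.d/custom.conf"):
    with open("/etc/fail2ban/jail.d/custom.conf",
              encoding='utf-8', mode='r') as f2bproftpd:
        jail_present = "[proftpd]" in f2bproftpd.read()
    # append the jail only once so re-running the install stays idempotent
    if not jail_present:
        with open("/etc/fail2ban/jail.d/custom.conf",
                  encoding='utf-8', mode='a') as f2bproftpd:
            f2bproftpd.write("\n\n[proftpd]\nenabled = true\n")
        WOService.reload_service(self, 'fail2ban')
```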