diff --git a/requirements.txt b/requirements.txt index 1736603..9a33f07 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,11 +1,11 @@ cement==2.10.12 pystache>=0.5.4 pynginxconfig>=0.3.4 -PyMySQL>=0.9.3 -psutil>=5.6.7 +PyMySQL>=0.10.0 +psutil>=5.7.2 sh>=1.12.14 -SQLAlchemy>=1.3.11 -requests>=2.22.0 +SQLAlchemy>=1.3.18 +requests>=2.24.0 distro>=1.4.0 -argcomplete>=1.10.3 -colorlog>=4.0.2 \ No newline at end of file +argcomplete>=1.12.0 +colorlog>=4.2.1 \ No newline at end of file diff --git a/setup.py b/setup.py index 83fd867..9a12f35 100644 --- a/setup.py +++ b/setup.py @@ -64,14 +64,14 @@ setup(name='wordops', 'cement == 2.10.12', 'pystache >= 0.5.4', 'pynginxconfig >= 0.3.4', - 'PyMySQL >= 0.9.3', - 'psutil >= 5.6.7', + 'PyMySQL >= 0.10.0', + 'psutil >= 5.7.2', 'sh >= 1.12.14', - 'SQLAlchemy >= 1.3.11', - 'requests >= 2.22.0', + 'SQLAlchemy >= 1.3.18', + 'requests >= 2.24.0', 'distro >= 1.4.0', - 'argcomplete >= 1.10.3', - 'colorlog >= 4.0.2', + 'argcomplete >= 1.12.0', + 'colorlog >= 4.2.1', ], extras_require={ # Optional 'testing': ['nose', 'coverage'], diff --git a/tests/travis.sh b/tests/travis.sh index 6d0d4fc..8ac410b 100644 --- a/tests/travis.sh +++ b/tests/travis.sh @@ -15,11 +15,11 @@ export LANG='en_US.UTF-8' export LC_ALL='C.UTF-8' if [ -z "$1" ]; then -{ - apt-get -qq purge mysql* graphviz* redis* php73-* php-* - apt-get install -qq git python3-setuptools python3-dev python3-apt ccze tree - sudo apt-get -qq autoremove --purge -} > /dev/null 2>&1 + { + apt-get -qq purge mysql* graphviz* redis* php73-* php-* + apt-get install -qq git python3-setuptools python3-dev python3-apt ccze tree + sudo apt-get -qq autoremove --purge + } >/dev/null 2>&1 fi exit_script() { 
@@ -349,3 +349,18 @@ for stack in $stack_purge; do fi done + +echo -e "${CGREEN}#############################################${CEND}" +echo -e ' wo stack fail2ban ' +echo -e "${CGREEN}#############################################${CEND}" +if { + wo stack install --fail2ban +} >>/var/log/wo/test.log; then + echo -ne " purging $stack [${CGREEN}OK${CEND}]\\r" + echo -ne '\n' +else + echo -e " purging $stack [${CRED}FAIL${CEND}]" + echo -ne '\n' + exit_script + +fi diff --git a/wo/cli/plugins/stack_pref.py b/wo/cli/plugins/stack_pref.py index f93b84d..78c6d81 100644 --- a/wo/cli/plugins/stack_pref.py +++ b/wo/cli/plugins/stack_pref.py @@ -1042,12 +1042,13 @@ def post_pref(self, apt_packages, packages, upgrade=False): WOGit.add(self, ["/etc/fail2ban"], msg="Adding Fail2ban into Git") Log.info(self, "Configuring Fail2Ban") - data = dict(release=WOVar.wo_version) + nginxf2b = bool(os.path.exists('/var/log/nginx')) + data = dict(release=WOVar.wo_version, nginx=nginxf2b) WOTemplate.deploy( self, '/etc/fail2ban/jail.d/custom.conf', 'fail2ban.mustache', - data, overwrite=False) + data, overwrite=True) WOTemplate.deploy( self, '/etc/fail2ban/filter.d/wo-wordpress.conf', @@ -1059,7 +1060,7 @@ def post_pref(self, apt_packages, packages, upgrade=False): 'fail2ban-forbidden.mustache', data, overwrite=False) - if not WOService.reload_service(self, 'fail2ban'): + if not WOShellExec.cmd_exec(self, 'fail2ban-client reload'): WOGit.rollback( self, ['/etc/fail2ban'], msg="Rollback f2b config") WOService.restart_service(self, 'fail2ban') diff --git a/wo/cli/templates/fail2ban.mustache b/wo/cli/templates/fail2ban.mustache index 6d918cd..908a4f4 100644 --- a/wo/cli/templates/fail2ban.mustache +++ b/wo/cli/templates/fail2ban.mustache @@ -4,7 +4,7 @@ ignoreip = 127.0.0.1/8 ::1 [recidive] enabled = true -[nginx-http-auth] +{{#nginx}}[nginx-http-auth] enabled = true logpath = /var/log/nginx/*error*.log 
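Review bot: The status lines in the new fail2ban block still read `purging $stack`, copied from the purge loop above, so the result is reported against whatever `$stack` last held rather than against fail2ban; they should read e.g. `echo -ne " wo stack install --fail2ban [${CGREEN}OK${CEND}]\\r"`. As written, only stdout is appended to the log, so an error printed on stderr never reaches /var/log/wo/test.log; `} >>/var/log/wo/test.log 2>&1; then` would capture it. The block also checks nothing beyond the installer's exit status, so following the install with `fail2ban-client status` would confirm that the server actually started with the deployed jails.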
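Review bot: `os.path.exists('/var/log/nginx')` tests for the directory, while the jails this flag enables use `logpath = /var/log/nginx/*error*.log`; as far as I know fail2ban refuses to load an enabled jail whose logpath matches no file, so a host with an empty log directory would still get a config that fails. Testing for the files themselves, e.g. `nginxf2b = bool(glob.glob('/var/log/nginx/*error*.log'))` (assuming `glob` is or can be imported in this module), matches what the template needs, and the `bool()` around `os.path.exists` is redundant either way. Separately, `overwrite=True` on `/etc/fail2ban/jail.d/custom.conf` now replaces the file on every run, which discards local edits such as extra `ignoreip` entries or a tuned `maxretry`. A comment stating that this file is WordOps-managed and where administrators should place overrides would make that explicit. post_pref begins and ends outside this hunk.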
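Review bot: The rollback branch now depends on `WOShellExec.cmd_exec` returning a falsy value when `fail2ban-client reload` exits non-zero, and that contract is not visible in this hunk; if the helper raises instead, the `WOGit.rollback` and restart below are never reached and a broken jail config stays in place. `fail2ban-client reload` also fails when the server is not running yet, which on a fresh install could roll back a valid config, so it is worth confirming the service is started before this point. A short comment recording why the service wrapper was replaced by the client call (presumably so that config errors show up in the exit status) would help the next reader. The enclosing if-block continues past the hunk.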
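Review bot: The `{{#nginx}}` section opened on the `[nginx-http-auth]` line is closed only at the end of the file (the `{{/nginx}}` in the next hunk), so every jail between the two tags is dropped when `/var/log/nginx` is missing, including lines that neither hunk shows. If any jail in that span watches something other than nginx logs it will be silently disabled on such hosts, so the span should be checked to contain nginx jails only. Because the flag is evaluated at deploy time, a host that gains nginx later keeps a custom.conf without these jails until the fail2ban stack is configured again. A comment above the section such as `# nginx jails are rendered only when /var/log/nginx exists at deploy time` would make that visible in the deployed file.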
@@ -23,4 +23,4 @@ maxretry = 5 enabled = true filter = nginx-forbidden action = iptables-multiport[name="nginx-forbidden", port="http,https"] -logpath = /var/log/nginx/*error*.log +logpath = /var/log/nginx/*error*.log{{/nginx}} \ No newline at end of file diff --git a/wo/cli/templates/proftpd-tls.mustache b/wo/cli/templates/proftpd-tls.mustache index 6e3f9cf..928df55 100644 --- a/wo/cli/templates/proftpd-tls.mustache +++ b/wo/cli/templates/proftpd-tls.mustache @@ -1,12 +1,20 @@ -TLSEngine on -TLSLog /var/log/proftpd/tls.log -TLSProtocol TLSv1.2 -TLSCipherSuite AES256+EECDH:AES256+EDH -TLSOptions NoCertRequest AllowClientRenegotiations NoSessionReuseRequired -TLSRSACertificateFile /etc/proftpd/ssl/proftpd.crt -TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key + +TLSEngine on +TLSRequired on +TLSLog /var/log/proftpd/tls.log + +# intermediate configuration from ssl-config.mozilla.org +TLSProtocol TLSv1.2 TLSv1.3 +TLSCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 +TLSServerCipherPreference off +TLSessionTickets off +TLSOptions NoCertRequest AllowClientRenegotiations NoSessionReuseRequired + +TLSRSACertificateFile /etc/proftpd/ssl/proftpd.crt +TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key + TLSVerifyClient off -TLSRequired on RequireValidShell no + \ No newline at end of file diff --git a/wo/cli/templates/sshd.mustache b/wo/cli/templates/sshd.mustache index 5c5383b..6803b51 100644 --- a/wo/cli/templates/sshd.mustache +++ b/wo/cli/templates/sshd.mustache @@ -28,7 +28,7 @@ ChallengeResponseAuthentication no UsePAM yes X11Forwarding yes -#PrintMotd no +PrintMotd yes # Allow client to pass locale environment variables AcceptEnv LANG LC_*
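Review bot: `TLSessionTickets off` is not a mod_tls directive as far as I know (the name is `TLSSessionTickets`), and ProFTPD aborts on unknown directives, so as shown this template would stop the FTP server from starting; the line should read `TLSSessionTickets off`. `TLSServerCipherPreference`, `TLSSessionTickets` and the `TLSv1.3` protocol token also need a reasonably recent mod_tls, so on distributions that package an older ProFTPD the same startup failure is likely. Confirming the minimum packaged version, or rendering these lines conditionally, would avoid that. `TLSOptions` still carries `AllowClientRenegotiations`, which keeps client-initiated renegotiation enabled alongside the otherwise tightened cipher list and is worth justifying in a comment or dropping.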
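Review bot: `PrintMotd yes` sits next to `UsePAM yes`, and on Debian and Ubuntu the PAM stack for sshd normally already prints the MOTD through pam_motd, which is why the stock config sets `PrintMotd no`; with both enabled the banner is likely shown twice at login. If the intent is only to make the setting explicit, `PrintMotd no` keeps the single PAM-driven banner. The neighbouring context line `X11Forwarding yes` is unchanged by this commit but is worth revisiting in a server template.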