Merge pull request #308 from WordOps/updating-configuration

Several bug fixes
2020-08-20 13:50:14 +02:00
parent 21e7619822 f0cbc77602
commit dce6b111b0
7 changed files with 55 additions and 31 deletions
--- a/wo/cli/plugins/stack_pref.py
+++ b/wo/cli/plugins/stack_pref.py
@@ -1042,12 +1042,13 @@ def post_pref(self, apt_packages, packages, upgrade=False):
                WOGit.add(self, ["/etc/fail2ban"],
                          msg="Adding Fail2ban into Git")
                Log.info(self, "Configuring Fail2Ban")
-                data = dict(release=WOVar.wo_version)
+                nginxf2b = bool(os.path.exists('/var/log/nginx'))
+                data = dict(release=WOVar.wo_version, nginx=nginxf2b)
                WOTemplate.deploy(
                    self,
                    '/etc/fail2ban/jail.d/custom.conf',
                    'fail2ban.mustache',
-                    data, overwrite=False)
+                    data, overwrite=True)
                WOTemplate.deploy(
                    self,
                    '/etc/fail2ban/filter.d/wo-wordpress.conf',
@@ -1059,7 +1060,7 @@ def post_pref(self, apt_packages, packages, upgrade=False):
                    'fail2ban-forbidden.mustache',
                    data, overwrite=False)

-                if not WOService.reload_service(self, 'fail2ban'):
+                if not WOShellExec.cmd_exec(self, 'fail2ban-client reload'):
                    WOGit.rollback(
                        self, ['/etc/fail2ban'], msg="Rollback f2b config")
                    WOService.restart_service(self, 'fail2ban')
--- a/wo/cli/templates/fail2ban.mustache
+++ b/wo/cli/templates/fail2ban.mustache
@@ -4,7 +4,7 @@ ignoreip = 127.0.0.1/8 ::1
 [recidive]
 enabled = true

-[nginx-http-auth]
+{{#nginx}}[nginx-http-auth]
 enabled   = true
 logpath = /var/log/nginx/*error*.log

@@ -23,4 +23,4 @@ maxretry = 5
 enabled = true
 filter = nginx-forbidden
 action = iptables-multiport[name="nginx-forbidden", port="http,https"]
-logpath = /var/log/nginx/*error*.log
+logpath = /var/log/nginx/*error*.log{{/nginx}}
--- a/wo/cli/templates/proftpd-tls.mustache
+++ b/wo/cli/templates/proftpd-tls.mustache
@@ -1,12 +1,20 @@
 <IfModule mod_tls.c>
-TLSEngine                  on
-TLSLog                     /var/log/proftpd/tls.log
-TLSProtocol TLSv1.2
-TLSCipherSuite AES256+EECDH:AES256+EDH
-TLSOptions                 NoCertRequest AllowClientRenegotiations NoSessionReuseRequired
-TLSRSACertificateFile      /etc/proftpd/ssl/proftpd.crt
-TLSRSACertificateKeyFile   /etc/proftpd/ssl/proftpd.key
+
+TLSEngine                     on
+TLSRequired                   on
+TLSLog                        /var/log/proftpd/tls.log
+
+# intermediate configuration from ssl-config.mozilla.org
+TLSProtocol                   TLSv1.2 TLSv1.3
+TLSCipherSuite                ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+TLSServerCipherPreference     off
+TLSessionTickets              off
+TLSOptions                    NoCertRequest AllowClientRenegotiations NoSessionReuseRequired
+
+TLSRSACertificateFile         /etc/proftpd/ssl/proftpd.crt
+TLSRSACertificateKeyFile      /etc/proftpd/ssl/proftpd.key
+
 TLSVerifyClient            off
-TLSRequired                on
 RequireValidShell          no
+
 </IfModule>
--- a/wo/cli/templates/sshd.mustache
+++ b/wo/cli/templates/sshd.mustache
@@ -28,7 +28,7 @@ ChallengeResponseAuthentication no
 UsePAM yes
 X11Forwarding yes

-#PrintMotd no
+PrintMotd yes

 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*