free
/
freedombone
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
1308 Commits
5 Branches
Tree: 2cd4b1f84e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '2cd4b1f84e'
${ noResults }
freedombone/src/freedombone-sec

freedombone-sec 9.6KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # Alters the security settings

  12. #

  13. # License

  14. # =======

  15. #

  16. # Copyright (C) 2015 Bob Mottram <bob@robotics.uk.to>

  17. #

  18. # This program is free software: you can redistribute it and/or modify

  19. # it under the terms of the GNU General Public License as published by

  20. # the Free Software Foundation, either version 3 of the License, or

  21. # (at your option) any later version.

  22. #

  23. # This program is distributed in the hope that it will be useful,

  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

  26. # GNU General Public License for more details.

  27. #

  28. # You should have received a copy of the GNU General Public License

  29. # along with this program. If not, see <http://www.gnu.org/licenses/>.

  30. 

  31. SSL_PROTOCOLS=

  32. SSL_CIPHERS=

  33. SSH_CIPHERS=

  34. SSH_MACS=

  35. SSH_KEX=

  36. SSH_HOST_KEY_ALGORITHMS=

  37. SSH_PASSWORDS=

  38. XMPP_CIPHERS=

  39. XMPP_ECC_CURVE=

  40. 

  41. WEBSITES_DIRECTORY='/etc/nginx/sites-available'

  42. DOVECOT_CIPHERS='/etc/dovecot/conf.d/10-ssl.conf'

  43. SSH_CONFIG='/etc/ssh/sshd_config'

  44. XMPP_CONFIG='/etc/prosody/conf.avail/xmpp.cfg.lua'

  45. 

  46. MINIMUM_LENGTH=6

  47. 

  48. function get_protocols_from_website {

  49.   if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then

  50.       return

  51.   fi

  52.   SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}')

  53. }

  54. 

  55. function get_ciphers_from_website {

  56.   if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then

  57.       return

  58.   fi

  59.   SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')

  60. }

  61. 

  62. function get_website_settings {

  63.   if [ ! -d $WEBSITES_DIRECTORY ]; then

  64.       return

  65.   fi

  66. 

  67.   cd $WEBSITES_DIRECTORY

  68.   for file in `dir -d *` ; do

  69.       get_protocols_from_website $file

  70.       if [ ${#SSL_PROTOCOLS} -gt $MINIMUM_LENGTH ]; then

  71.           get_ciphers_from_website $file

  72.           if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then

  73.               break

  74.           else

  75.               SSL_PROTOCOLS=""

  76.           fi

  77.       fi

  78.   done

  79. }

  80. 

  81. function get_imap_settings {

  82.   if [ ! -f $DOVECOT_CIPHERS ]; then

  83.       return

  84.   fi

  85.   # clear commented out cipher list

  86.   sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS

  87.   if [ $SSL_CIPHERS ]; then

  88.       return

  89.   fi

  90.   if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then

  91.       return

  92.   fi

  93.   SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')

  94. }

  95. 

  96. function get_xmpp_settings {

  97.   if [ ! -f $XMPP_CONFIG ]; then

  98.       return

  99.   fi

  100.   XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')

  101.   XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')

  102. }

  103. 

  104. function get_ssh_settings {

  105.   if [ -f $SSH_CONFIG ]; then

  106.       SSH_CIPHERS=$(cat $SSH_CONFIG | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')

  107.       SSH_MACS=$(cat $SSH_CONFIG | grep 'MACs ' | awk -F 'MACs ' '{print $2}')

  108.       SSH_KEX=$(cat $SSH_CONFIG | grep 'KexAlgorithms ' | awk -F 'KexAlgorithms ' '{print $2}')

  109.       SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')

  110.   fi

  111.   if [ -f /etc/ssh/ssh_config ]; then

  112.       SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')

  113.       if [ ! $SSH_CIPHERS ]; then

  114.           SSH_CIPHERS=$(cat /etc/ssh/ssh_config | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')

  115.       fi

  116.       if [ ! $SSH_MACS ]; then

  117.           SSH_MACS=$(cat /etc/ssh/ssh_config | grep 'MACs ' | awk -F 'MACs ' '{print $2}')

  118.       fi

  119.   fi

  120. }

  121. 

  122. function change_website_settings {

  123.   if [ ! "$SSL_PROTOCOLS" ]; then

  124.       return

  125.   fi

  126.   if [ ! $SSL_CIPHERS ]; then

  127.       return

  128.   fi

  129.   if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then

  130.       return

  131.   fi

  132.   if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then

  133.       return

  134.   fi

  135.   if [ ! -d $WEBSITES_DIRECTORY ]; then

  136.       return

  137.   fi

  138. 

  139.   cd $WEBSITES_DIRECTORY

  140.   for file in `dir -d *` ; do

  141.       sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file

  142.       sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file

  143.   done

  144.   service nginx restart

  145.   echo 'Web security settings changed'

  146. }

  147. 

  148. function change_imap_settings {

  149.   if [ ! -f $DOVECOT_CIPHERS ]; then

  150.       return

  151.   fi

  152.   if [ ! $SSL_CIPHERS ]; then

  153.       return

  154.   fi

  155.   if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then

  156.       return

  157.   fi

  158.   sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS

  159.   service dovecot restart

  160.   echo 'imap security settings changed'

  161. }

  162. 

  163. function change_ssh_settings {

  164.   if [ -f /etc/ssh/ssh_config ]; then

  165.       if [ $SSH_HOST_KEY_ALGORITHMS ]; then

  166.           sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config

  167.           echo 'ssh client security settings changed'

  168.       fi

  169.   fi

  170.   if [ -f $SSH_CONFIG ]; then

  171.       if [ ! $SSH_CIPHERS ]; then

  172.           return

  173.       fi

  174.       if [ ! $SSH_MACS ]; then

  175.           return

  176.       fi

  177.       if [ ! $SSH_KEX ]; then

  178.           return

  179.       fi

  180.       if [ ! $SSH_PASSWORDS ]; then

  181.           return

  182.       fi

  183. 

  184.       sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG

  185.       sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG

  186.       sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG

  187.       sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG

  188.       service ssh restart

  189.       echo 'ssh server security settings changed'

  190.   fi

  191. }

  192. 

  193. function change_xmpp_settings {

  194.   if [ ! -f $XMPP_CONFIG ]; then

  195.       return

  196.   fi

  197.   if [ ! $XMPP_CIPHERS ]; then

  198.       return

  199.   fi

  200.   if [ ! $XMPP_ECC_CURVE ]; then

  201.       return

  202.   fi

  203.   sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG

  204.   sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG

  205.   service prosody restart

  206.   echo 'xmpp security settings changed'

  207. }

  208. 

  209. function interactive_setup {

  210.   if [ $SSL_CIPHERS ]; then

  211.       data=$(tempfile 2>/dev/null)

  212.       trap "rm -f $data" 0 1 2 5 15

  213.       dialog --backtitle "Freedombone Security Configuration" \

  214.           --form "\nWeb/IMAP Ciphers:" 10 95 2 \

  215.           "Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \

  216.           "Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \

  217.           2> $data

  218.       sel=$?

  219.       case $sel in

  220.           1) SSL_PROTOCOLS=$(cat $data | sed -n 1p)

  221.              SSL_CIPHERS=$(cat $data | sed -n 2p)

  222.              ;;

  223.           255) exit 0;;

  224.       esac

  225.   fi

  226. 

  227.   data=$(tempfile 2>/dev/null)

  228.   trap "rm -f $data" 0 1 2 5 15

  229.   if [ $SSH_HOST_KEY_ALGORITHMS ]; then

  230.       dialog --backtitle "Freedombone Security Configuration" \

  231.         --form "\nSecure Shell Ciphers:" 13 95 4 \

  232.          "Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \

  233.          "MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \

  234.          "KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \

  235.          "Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \

  236.          2> $data

  237.       sel=$?

  238.       case $sel in

  239.           1) SSH_CIPHERS=$(cat $data | sed -n 1p)

  240.              SSH_MACS=$(cat $data | sed -n 2p)

  241.              SSH_KEX=$(cat $data | sed -n 3p)

  242.              SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p)

  243.              ;;

  244.           255) exit 0;;

  245.       esac

  246.   else

  247.       dialog --backtitle "Freedombone Security Configuration" \

  248.         --form "\nSecure Shell Ciphers:" 11 95 3 \

  249.          "Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \

  250.          "MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \

  251.          "KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \

  252.          2> $data

  253.       sel=$?

  254.       case $sel in

  255.           1) SSH_CIPHERS=$(cat $data | sed -n 1p)

  256.              SSH_MACS=$(cat $data | sed -n 2p)

  257.              SSH_KEX=$(cat $data | sed -n 3p)

  258.              ;;

  259.           255) exit 0;;

  260.       esac

  261.   fi

  262. 

  263.   if [[ $SSH_PASSWORDS == "yes" ]]; then

  264.       dialog --title "SSH Passwords" \

  265.           --backtitle "Freedombone Security Configuration" \

  266.           --yesno "\nAllow SSH login using passwords?" 7 60

  267.   else

  268.       dialog --title "SSH Passwords" \

  269.           --backtitle "Freedombone Security Configuration" \

  270.           --defaultno \

  271.           --yesno "\nAllow SSH login using passwords?" 7 60

  272.   fi

  273.   sel=$?

  274.   case $sel in

  275.       0) SSH_PASSWORDS="yes";;

  276.       1) SSH_PASSWORDS="no";;

  277.       255) exit 0;;

  278.   esac

  279. 

  280.   if [ $XMPP_CIPHERS ]; then

  281.       data=$(tempfile 2>/dev/null)

  282.       trap "rm -f $data" 0 1 2 5 15

  283.       dialog --backtitle "Freedombone Security Configuration" \

  284.           --form "\nXMPP Ciphers:" 10 95 2 \

  285.           "Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \

  286.           "ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \

  287.           2> $data

  288.       sel=$?

  289.       case $sel in

  290.           1) XMPP_CIPHERS=$(cat $data | sed -n 1p)

  291.              XMPP_ECC_CURVE=$(cat $data | sed -n 2p)

  292.              ;;

  293.           255) exit 0;;

  294.       esac

  295.   fi

  296. 

  297.   dialog --title "Final Confirmation" \

  298.       --backtitle "Freedombone Security Configuration" \

  299.       --defaultno \

  300.       --yesno "\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 7 60

  301.   sel=$?

  302.   case $sel in

  303.       1) echo 'Exiting without changing security settings'

  304.          exit 0;;

  305.       255) echo 'Exiting without changing security settings'

  306.            exit 0;;

  307.   esac

  308. 

  309.   clear

  310. }

  311. 

  312. get_website_settings

  313. get_imap_settings

  314. get_ssh_settings

  315. get_xmpp_settings

  316. interactive_setup

  317. change_website_settings

  318. change_imap_settings

  319. change_ssh_settings

  320. change_xmpp_settings

  321. exit 0