freedombone-sec 32KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044
  1. #!/bin/bash
  2. #
  3. # .---. . .
  4. # | | |
  5. # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
  6. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
  7. # ' ' --' --' -' - -' ' ' -' -' -' ' - --'
  8. #
  9. # Freedom in the Cloud
  10. #
  11. # Alters the security settings
  12. #
  13. # License
  14. # =======
  15. #
  16. # Copyright (C) 2015-2016 Bob Mottram <bob@freedombone.net>
  17. #
  18. # This program is free software: you can redistribute it and/or modify
  19. # it under the terms of the GNU Affero General Public License as published by
  20. # the Free Software Foundation, either version 3 of the License, or
  21. # (at your option) any later version.
  22. #
  23. # This program is distributed in the hope that it will be useful,
  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  26. # GNU Affero General Public License for more details.
  27. #
  28. # You should have received a copy of the GNU Affero General Public License
  29. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  30. PROJECT_NAME='freedombone'
  31. export TEXTDOMAIN=${PROJECT_NAME}-sec
  32. export TEXTDOMAINDIR="/usr/share/locale"
  33. CONFIGURATION_FILE=$HOME/${PROJECT_NAME}.cfg
  34. COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt
  35. UTILS_FILES=/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*
  36. for f in $UTILS_FILES
  37. do
  38. source $f
  39. done
  40. SSL_PROTOCOLS=
  41. SSL_CIPHERS=
  42. SSH_CIPHERS=
  43. SSH_MACS=
  44. SSH_KEX=
  45. SSH_HOST_KEY_ALGORITHMS=
  46. SSH_PASSWORDS=
  47. XMPP_CIPHERS=
  48. XMPP_ECC_CURVE=
  49. WEBSITES_DIRECTORY='/etc/nginx/sites-available'
  50. DOVECOT_CIPHERS='/etc/dovecot/conf.d/10-ssl.conf'
  51. SSH_CONFIG='/etc/ssh/sshd_config'
  52. XMPP_CONFIG='/etc/prosody/conf.avail/xmpp.cfg.lua'
  53. MINIMUM_LENGTH=6
  54. IMPORT_FILE=
  55. EXPORT_FILE=
  56. CURRENT_DIR=$(pwd)
  57. DH_KEYLENGTH=2048
  58. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
  59. MY_USERNAME=
  60. function get_protocols_from_website {
  61. if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
  62. return
  63. fi
  64. SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}')
  65. }
  66. function get_ciphers_from_website {
  67. if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
  68. return
  69. fi
  70. SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')
  71. }
  72. function get_imap_settings {
  73. if [ ! -f $DOVECOT_CIPHERS ]; then
  74. return
  75. fi
  76. # clear commented out cipher list
  77. sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS
  78. if [ $SSL_CIPHERS ]; then
  79. return
  80. fi
  81. if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
  82. return
  83. fi
  84. SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')
  85. }
  86. function get_xmpp_settings {
  87. if [ ! -f $XMPP_CONFIG ]; then
  88. return
  89. fi
  90. XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  91. XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  92. }
  93. function get_ssh_settings {
  94. if [ -f $SSH_CONFIG ]; then
  95. SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')
  96. fi
  97. if [ -f /etc/ssh/ssh_config ]; then
  98. SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')
  99. fi
  100. }
  101. function change_website_settings {
  102. if [ ! "$SSL_PROTOCOLS" ]; then
  103. return
  104. fi
  105. if [ ! $SSL_CIPHERS ]; then
  106. return
  107. fi
  108. if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then
  109. return
  110. fi
  111. if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
  112. return
  113. fi
  114. if [ ! -d $WEBSITES_DIRECTORY ]; then
  115. return
  116. fi
  117. cd $WEBSITES_DIRECTORY
  118. for file in `dir -d *` ; do
  119. sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
  120. sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
  121. done
  122. systemctl restart nginx
  123. echo $'Web security settings changed'
  124. }
  125. function change_imap_settings {
  126. if [ ! -f $DOVECOT_CIPHERS ]; then
  127. return
  128. fi
  129. if [ ! $SSL_CIPHERS ]; then
  130. return
  131. fi
  132. if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
  133. return
  134. fi
  135. sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS
  136. sed -i "s|ssl_protocols.*|ssl_protocols = '$SSL_PROTOCOLS'|g" $DOVECOT_CIPHERS
  137. systemctl restart dovecot
  138. echo $'imap security settings changed'
  139. }
  140. function change_ssh_settings {
  141. if [ -f /etc/ssh/ssh_config ]; then
  142. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  143. sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config
  144. echo $'ssh client security settings changed'
  145. fi
  146. fi
  147. if [ -f $SSH_CONFIG ]; then
  148. if [ ! $SSH_CIPHERS ]; then
  149. return
  150. fi
  151. if [ ! $SSH_MACS ]; then
  152. return
  153. fi
  154. if [ ! $SSH_KEX ]; then
  155. return
  156. fi
  157. if [ ! $SSH_PASSWORDS ]; then
  158. SSH_PASSWORDS='yes'
  159. fi
  160. sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG
  161. sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG
  162. sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG
  163. sed -i "s|#PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG
  164. sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG
  165. systemctl restart ssh
  166. echo $'ssh server security settings changed'
  167. fi
  168. }
  169. function change_xmpp_settings {
  170. if [ ! -f $XMPP_CONFIG ]; then
  171. return
  172. fi
  173. if [ ! $XMPP_CIPHERS ]; then
  174. return
  175. fi
  176. if [ ! $XMPP_ECC_CURVE ]; then
  177. return
  178. fi
  179. sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG
  180. sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG
  181. systemctl restart prosody
  182. echo $'xmpp security settings changed'
  183. }
  184. function allow_ssh_passwords {
  185. dialog --title $"SSH Passwords" \
  186. --backtitle $"Freedombone Security Configuration" \
  187. --yesno $"\nAllow SSH login using passwords?" 7 60
  188. sel=$?
  189. case $sel in
  190. 0) SSH_PASSWORDS="yes";;
  191. 1) SSH_PASSWORDS="no";;
  192. 255) exit 0;;
  193. esac
  194. }
  195. function interactive_setup {
  196. if [ $SSL_CIPHERS ]; then
  197. data=$(tempfile 2>/dev/null)
  198. trap "rm -f $data" 0 1 2 5 15
  199. dialog --backtitle $"Freedombone Security Configuration" \
  200. --form $"\nWeb/IMAP Ciphers:" 10 95 2 \
  201. $"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
  202. $"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
  203. 2> $data
  204. sel=$?
  205. case $sel in
  206. 1) SSL_PROTOCOLS=$(cat $data | sed -n 1p)
  207. SSL_CIPHERS=$(cat $data | sed -n 2p)
  208. ;;
  209. 255) exit 0;;
  210. esac
  211. fi
  212. data=$(tempfile 2>/dev/null)
  213. trap "rm -f $data" 0 1 2 5 15
  214. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  215. dialog --backtitle $"Freedombone Security Configuration" \
  216. --form $"\nSecure Shell Ciphers:" 13 95 4 \
  217. $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
  218. $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
  219. $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
  220. $"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
  221. 2> $data
  222. sel=$?
  223. case $sel in
  224. 1) SSH_CIPHERS=$(cat $data | sed -n 1p)
  225. SSH_MACS=$(cat $data | sed -n 2p)
  226. SSH_KEX=$(cat $data | sed -n 3p)
  227. SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p)
  228. ;;
  229. 255) exit 0;;
  230. esac
  231. else
  232. dialog --backtitle $"Freedombone Security Configuration" \
  233. --form $"\nSecure Shell Ciphers:" 11 95 3 \
  234. $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
  235. $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
  236. $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
  237. 2> $data
  238. sel=$?
  239. case $sel in
  240. 1) SSH_CIPHERS=$(cat $data | sed -n 1p)
  241. SSH_MACS=$(cat $data | sed -n 2p)
  242. SSH_KEX=$(cat $data | sed -n 3p)
  243. ;;
  244. 255) exit 0;;
  245. esac
  246. fi
  247. if [ $XMPP_CIPHERS ]; then
  248. data=$(tempfile 2>/dev/null)
  249. trap "rm -f $data" 0 1 2 5 15
  250. dialog --backtitle $"Freedombone Security Configuration" \
  251. --form $"\nXMPP Ciphers:" 10 95 2 \
  252. $"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \
  253. $"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \
  254. 2> $data
  255. sel=$?
  256. case $sel in
  257. 1) XMPP_CIPHERS=$(cat $data | sed -n 1p)
  258. XMPP_ECC_CURVE=$(cat $data | sed -n 2p)
  259. ;;
  260. 255) exit 0;;
  261. esac
  262. fi
  263. dialog --title $"Final Confirmation" \
  264. --backtitle $"Freedombone Security Configuration" \
  265. --defaultno \
  266. --yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60
  267. sel=$?
  268. case $sel in
  269. 1) clear
  270. echo $'Exiting without changing security settings'
  271. exit 0;;
  272. 255) clear
  273. echo $'Exiting without changing security settings'
  274. exit 0;;
  275. esac
  276. clear
  277. }
  278. function send_monkeysphere_server_keys_to_users {
  279. monkeysphere_server_keys=$(monkeysphere-host show-key | grep $"OpenPGP fingerprint" | awk -F ' ' '{print $3}')
  280. for d in /home/*/ ; do
  281. USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
  282. if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
  283. if [ ! -d /home/$USERNAME/.monkeysphere ]; then
  284. mkdir /home/$USERNAME/.monkeysphere
  285. fi
  286. echo $monkeysphere_server_keys > /home/$USERNAME/.monkeysphere/server_keys
  287. chown -R $USERNAME:$USERNAME /home/$USERNAME/.monkeysphere
  288. fi
  289. done
  290. }
  291. function regenerate_ssh_host_keys {
  292. rm -f /etc/ssh/ssh_host_*
  293. dpkg-reconfigure openssh-server
  294. echo $'ssh host keys regenerated'
  295. # remove small moduli
  296. awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
  297. mv ~/moduli /etc/ssh/moduli
  298. echo $'ssh small moduli removed'
  299. # update monkeysphere
  300. DEFAULT_DOMAIN_NAME=
  301. read_config_param "DEFAULT_DOMAIN_NAME"
  302. monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME
  303. SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')
  304. monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME
  305. monkeysphere-host publish-key
  306. send_monkeysphere_server_keys_to_users
  307. echo $'updated monkeysphere ssh host key'
  308. systemctl restart ssh
  309. }
  310. function regenerate_dh_keys {
  311. if [ ! -d /etc/ssl/mycerts ]; then
  312. echo $'No dhparam certificates were found'
  313. return
  314. fi
  315. data=$(tempfile 2>/dev/null)
  316. trap "rm -f $data" 0 1 2 5 15
  317. dialog --backtitle "Freedombone Security Configuration" \
  318. --title "Diffie-Hellman key length" \
  319. --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
  320. 1 "2048 bits" off \
  321. 2 "3072 bits" on \
  322. 3 "4096 bits" off 2> $data
  323. sel=$?
  324. case $sel in
  325. 1) exit 1;;
  326. 255) exit 1;;
  327. esac
  328. case $(cat $data) in
  329. 1) DH_KEYLENGTH=2048;;
  330. 2) DH_KEYLENGTH=3072;;
  331. 3) DH_KEYLENGTH=4096;;
  332. esac
  333. ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
  334. }
  335. function renew_startssl {
  336. renew_domain=
  337. data=$(tempfile 2>/dev/null)
  338. trap "rm -f $data" 0 1 2 5 15
  339. dialog --title $"Renew a StartSSL certificate" \
  340. --backtitle $"Freedombone Security Settings" \
  341. --inputbox $"Enter the domain name" 8 60 2>$data
  342. sel=$?
  343. case $sel in
  344. 0)
  345. renew_domain=$(<$data)
  346. ;;
  347. esac
  348. if [ ! $renew_domain ]; then
  349. return
  350. fi
  351. if [[ $renew_domain == "http"* ]]; then
  352. dialog --title $"Renew a StartSSL certificate" \
  353. --msgbox $"Don't include the https://" 6 40
  354. return
  355. fi
  356. if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
  357. dialog --title $"Renew a StartSSL certificate" \
  358. --msgbox $"An existing certificate for $renew_domain was not found" 6 40
  359. return
  360. fi
  361. if [[ $renew_domain != *"."* ]]; then
  362. dialog --title $"Renew a StartSSL certificate" \
  363. --msgbox $"Invalid domain name: $renew_domain" 6 40
  364. return
  365. fi
  366. ${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl
  367. exit 0
  368. }
  369. function renew_letsencrypt {
  370. renew_domain=
  371. data=$(tempfile 2>/dev/null)
  372. trap "rm -f $data" 0 1 2 5 15
  373. dialog --title $"Renew a Let's Encrypt certificate" \
  374. --backtitle $"Freedombone Security Settings" \
  375. --inputbox $"Enter the domain name" 8 60 2>$data
  376. sel=$?
  377. case $sel in
  378. 0)
  379. renew_domain=$(<$data)
  380. ;;
  381. esac
  382. if [ ! $renew_domain ]; then
  383. return
  384. fi
  385. if [[ $renew_domain == "http"* ]]; then
  386. dialog --title $"Renew a Let's Encrypt certificate" \
  387. --msgbox $"Don't include the https://" 6 40
  388. return
  389. fi
  390. if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
  391. dialog --title $"Renew a Let's Encrypt certificate" \
  392. --msgbox $"An existing certificate for $renew_domain was not found" 6 40
  393. return
  394. fi
  395. if [[ $renew_domain != *"."* ]]; then
  396. dialog --title $"Renew a Let's Encrypt certificate" \
  397. --msgbox $"Invalid domain name: $renew_domain" 6 40
  398. return
  399. fi
  400. ${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt'
  401. exit 0
  402. }
  403. function create_letsencrypt {
  404. new_domain=
  405. data=$(tempfile 2>/dev/null)
  406. trap "rm -f $data" 0 1 2 5 15
  407. dialog --title $"Create a new Let's Encrypt certificate" \
  408. --backtitle $"Freedombone Security Settings" \
  409. --inputbox $"Enter the domain name" 8 60 2>$data
  410. sel=$?
  411. case $sel in
  412. 0)
  413. new_domain=$(<$data)
  414. ;;
  415. esac
  416. if [ ! $new_domain ]; then
  417. return
  418. fi
  419. if [[ $new_domain == "http"* ]]; then
  420. dialog --title $"Create a new Let's Encrypt certificate" \
  421. --msgbox $"Don't include the https://" 6 40
  422. return
  423. fi
  424. if [[ $new_domain != *"."* ]]; then
  425. dialog --title $"Create a new Let's Encrypt certificate" \
  426. --msgbox $"Invalid domain name: $new_domain" 6 40
  427. return
  428. fi
  429. if [ ! -d /var/www/${new_domain} ]; then
  430. dialog --title $"Create a new Let's Encrypt certificate" \
  431. --msgbox $'Domain not found within /var/www' 6 40
  432. return
  433. fi
  434. ${PROJECT_NAME}-addcert -e $new_domain -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
  435. exit 0
  436. }
  437. function update_ciphersuite {
  438. RECOMMENDED_SSL_CIPHERS="$SSL_CIPHERS"
  439. if [ ${#RECOMMENDED_SSL_CIPHERS} -lt 5 ]; then
  440. return
  441. fi
  442. RECOMMENDED_SSL_PROTOCOLS="$SSL_PROTOCOLS"
  443. if [ ${#RECOMMENDED_SSL_PROTOCOLS} -lt 5 ]; then
  444. return
  445. fi
  446. RECOMMENDED_SSH_CIPHERS="$SSH_CIPHERS"
  447. if [ ${#RECOMMENDED_SSH_CIPHERS} -lt 5 ]; then
  448. return
  449. fi
  450. RECOMMENDED_SSH_MACS="$SSH_MACS"
  451. if [ ${#RECOMMENDED_SSH_MACS} -lt 5 ]; then
  452. return
  453. fi
  454. RECOMMENDED_SSH_KEX="$SSH_KEX"
  455. if [ ${#RECOMMENDED_SSH_KEX} -lt 5 ]; then
  456. return
  457. fi
  458. cd $WEBSITES_DIRECTORY
  459. for file in `dir -d *` ; do
  460. sed -i "s|ssl_protocols .*|ssl_protocols $RECOMMENDED_SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
  461. sed -i "s|ssl_ciphers .*|ssl_ciphers '$RECOMMENDED_SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
  462. done
  463. systemctl restart nginx
  464. write_config_param "SSL_PROTOCOLS" "$RECOMMENDED_SSL_PROTOCOLS"
  465. write_config_param "SSL_CIPHERS" "$RECOMMENDED_SSL_CIPHERS"
  466. sed -i "s|Ciphers .*|Ciphers $RECOMMENDED_SSH_CIPHERS|g" $SSH_CONFIG
  467. sed -i "s|MACs .*|MACs $RECOMMENDED_SSH_MACS|g" $SSH_CONFIG
  468. sed -i "s|KexAlgorithms .*|KexAlgorithms $RECOMMENDED_SSH_KEX|g" $SSH_CONFIG
  469. systemctl restart ssh
  470. write_config_param "SSH_CIPHERS" "$RECOMMENDED_SSH_CIPHERS"
  471. write_config_param "SSH_MACS" "$RECOMMENDED_SSH_MACS"
  472. write_config_param "SSH_KEX" "$RECOMMENDED_SSH_KEX"
  473. dialog --title $"Update ciphersuite" \
  474. --msgbox $"The ciphersuite has been updated to recommended versions" 6 40
  475. exit 0
  476. }
  477. function gpg_pubkey_from_email {
  478. key_owner_username=$1
  479. key_email_address=$2
  480. key_id=
  481. if [[ $key_owner_username != "root" ]]; then
  482. key_id=$(su -c "gpg --list-keys $key_email_address | grep 'pub '" - $key_owner_username | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
  483. else
  484. key_id=$(gpg --list-keys $key_email_address | grep 'pub ' | awk -F ' ' '{print $2}' | awk -F '/' '{print $2}')
  485. fi
  486. echo $key_id
  487. }
  488. function enable_monkeysphere {
  489. monkey=
  490. dialog --title $"GPG based authentication" \
  491. --backtitle $"Freedombone Security Configuration" \
  492. --defaultno \
  493. --yesno $"\nEnable GPG based authentication with monkeysphere ?" 7 60
  494. sel=$?
  495. case $sel in
  496. 0) monkey='yes';;
  497. 255) exit 0;;
  498. esac
  499. if [ $monkey ]; then
  500. read_config_param "MY_USERNAME"
  501. if [ ! -f /home/$MY_USERNAME/.monkeysphere/authorized_user_ids ]; then
  502. dialog --title $"GPG based authentication" \
  503. --msgbox $"$MY_USERNAME does not currently have any ids within ~/.monkeysphere/authorized_user_ids" 6 40
  504. exit 0
  505. fi
  506. MY_GPG_PUBLIC_KEY_ID=$(gpg_pubkey_from_email "$MY_USERNAME" "$MY_USERNAME@$HOSTNAME")
  507. if [ ${#MY_GPG_PUBLIC_KEY_ID} -lt 4 ]; then
  508. echo $'monkeysphere unable to get GPG key ID for user $MY_USERNAME'
  509. exit 52825
  510. fi
  511. sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config
  512. sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile /var/lib/monkeysphere/authorized_keys/%u|g' /etc/ssh/sshd_config
  513. monkeysphere-authentication update-users
  514. # The admin user is the identity certifier
  515. fpr=$(gpg --with-colons --fingerprint $MY_GPG_PUBLIC_KEY_ID | grep fpr | head -n 1 | awk -F ':' '{print $10}')
  516. monkeysphere-authentication add-identity-certifier $fpr
  517. monkeysphere-host publish-key
  518. send_monkeysphere_server_keys_to_users
  519. else
  520. sed -i 's|#AuthorizedKeysFile|AuthorizedKeysFile|g' /etc/ssh/sshd_config
  521. sed -i 's|AuthorizedKeysFile.*|AuthorizedKeysFile %h/.ssh/authorized_keys|g' /etc/ssh/sshd_config
  522. fi
  523. systemctl restart ssh
  524. if [ $monkey ]; then
  525. dialog --title $"GPG based authentication" \
  526. --msgbox $"GPG based authentication was enabled" 6 40
  527. else
  528. dialog --title $"GPG based authentication" \
  529. --msgbox $"GPG based authentication was disabled" 6 40
  530. fi
  531. exit 0
  532. }
  533. function register_website {
  534. domain="$1"
  535. if [[ ${domain} == *".local" ]]; then
  536. echo $"Can't register local domains"
  537. return
  538. fi
  539. if [ ! -f /etc/ssl/private/${domain}.key ]; then
  540. echo $"No SSL/TLS private key found for ${domain}"
  541. return
  542. fi
  543. if [ ! -f /etc/nginx/sites-available/${domain} ]; then
  544. echo $"No virtual host found for ${domain}"
  545. return
  546. fi
  547. monkeysphere-host import-key /etc/ssl/private/${domain}.key https://${domain}
  548. monkeysphere-host publish-key
  549. echo "0"
  550. }
  551. function register_website_interactive {
  552. data=$(tempfile 2>/dev/null)
  553. trap "rm -f $data" 0 1 2 5 15
  554. dialog --title $"Register a website with monkeysphere" \
  555. --backtitle $"Freedombone Security Settings" \
  556. --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data
  557. sel=$?
  558. case $sel in
  559. 0)
  560. domain=$(<$data)
  561. register_website "$domain"
  562. if [ ! "$?" = "0" ]; then
  563. dialog --title $"Register a website with monkeysphere" \
  564. --msgbox "$?" 6 40
  565. else
  566. dialog --title $"Register a website with monkeysphere" \
  567. --msgbox $"$domain has been registered" 6 40
  568. fi
  569. ;;
  570. esac
  571. }
  572. function pin_all_tls_certs {
  573. ${PROJECT_NAME}-pin-cert all
  574. }
  575. function remove_pinning {
  576. data=$(tempfile 2>/dev/null)
  577. trap "rm -f $data" 0 1 2 5 15
  578. dialog --title $"Remove pinning for a domain" \
  579. --backtitle $"Freedombone Security Settings" \
  580. --inputbox $"Enter the website domain name (without https://)" 8 60 2>$data
  581. sel=$?
  582. case $sel in
  583. 0)
  584. domain=$(<$data)
  585. ${PROJECT_NAME}-pin-cert "$domain" remove
  586. if [ ! "$?" = "0" ]; then
  587. dialog --title $"Removed pinning from $domain" \
  588. --msgbox "$?" 6 40
  589. fi
  590. ;;
  591. esac
  592. }
  593. function menu_security_settings {
  594. data=$(tempfile 2>/dev/null)
  595. trap "rm -f $data" 0 1 2 5 15
  596. dialog --backtitle $"Freedombone Control Panel" \
  597. --title $"Security Settings" \
  598. --radiolist $"Choose an operation:" 16 76 16 \
  599. 1 $"Regenerate ssh host keys" off \
  600. 2 $"Regenerate Diffie-Hellman keys" off \
  601. 3 $"Update cipersuite" off \
  602. 4 $"Create a new Let's Encrypt certificate" off \
  603. 5 $"Renew Let's Encrypt certificate" off \
  604. 6 $"Enable GPG based authentication (monkeysphere)" off \
  605. 7 $"Register a website with monkeysphere" off \
  606. 8 $"Allow ssh login with passwords" off \
  607. 9 $"Go Back/Exit" on 2> $data
  608. sel=$?
  609. case $sel in
  610. 1) exit 1;;
  611. 255) exit 1;;
  612. esac
  613. clear
  614. read_config_param SSL_CIPHERS
  615. read_config_param SSL_PROTOCOLS
  616. read_config_param SSH_CIPHERS
  617. read_config_param SSH_MACS
  618. read_config_param SSH_KEX
  619. get_imap_settings
  620. get_ssh_settings
  621. get_xmpp_settings
  622. import_settings
  623. export_settings
  624. case $(cat $data) in
  625. 1)
  626. regenerate_ssh_host_keys
  627. ;;
  628. 2)
  629. regenerate_dh_keys
  630. ;;
  631. 3)
  632. interactive_setup
  633. update_ciphersuite
  634. ;;
  635. 4)
  636. create_letsencrypt
  637. ;;
  638. 5)
  639. renew_letsencrypt
  640. ;;
  641. 6)
  642. enable_monkeysphere
  643. ;;
  644. 7)
  645. register_website
  646. ;;
  647. 8)
  648. allow_ssh_passwords
  649. change_ssh_settings
  650. exit 0
  651. ;;
  652. 9)
  653. exit 0
  654. ;;
  655. esac
  656. change_website_settings
  657. change_imap_settings
  658. change_ssh_settings
  659. change_xmpp_settings
  660. }
  661. function import_settings {
  662. cd $CURRENT_DIR
  663. if [ ! $IMPORT_FILE ]; then
  664. return
  665. fi
  666. if [ ! -f $IMPORT_FILE ]; then
  667. echo $"Import file $IMPORT_FILE not found"
  668. exit 6393
  669. fi
  670. if grep -q "SSL_PROTOCOLS" $IMPORT_FILE; then
  671. TEMP_VALUE=$(grep "SSL_PROTOCOLS" $IMPORT_FILE | awk -F '=' '{print $2}')
  672. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  673. SSL_PROTOCOLS=$TEMP_VALUE
  674. fi
  675. fi
  676. if grep -q "SSL_CIPHERS" $IMPORT_FILE; then
  677. TEMP_VALUE=$(grep "SSL_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
  678. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  679. SSL_CIPHERS=$TEMP_VALUE
  680. fi
  681. fi
  682. if grep -q "SSH_CIPHERS" $IMPORT_FILE; then
  683. TEMP_VALUE=$(grep "SSH_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
  684. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  685. SSH_CIPHERS=$TEMP_VALUE
  686. fi
  687. fi
  688. if grep -q "SSH_MACS" $IMPORT_FILE; then
  689. TEMP_VALUE=$(grep "SSH_MACS" $IMPORT_FILE | awk -F '=' '{print $2}')
  690. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  691. SSH_MACS=$TEMP_VALUE
  692. fi
  693. fi
  694. if grep -q "SSH_KEX" $IMPORT_FILE; then
  695. TEMP_VALUE=$(grep "SSH_KEX" $IMPORT_FILE | awk -F '=' '{print $2}')
  696. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  697. SSH_KEX=$TEMP_VALUE
  698. fi
  699. fi
  700. if grep -q "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE; then
  701. TEMP_VALUE=$(grep "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE | awk -F '=' '{print $2}')
  702. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  703. SSH_HOST_KEY_ALGORITHMS=$TEMP_VALUE
  704. fi
  705. fi
  706. if grep -q "SSH_PASSWORDS" $IMPORT_FILE; then
  707. TEMP_VALUE=$(grep "SSH_PASSWORDS" $IMPORT_FILE | awk -F '=' '{print $2}')
  708. if [[ $TEMP_VALUE == "yes" || $TEMP_VALUE == "no" ]]; then
  709. SSH_PASSWORDS=$TEMP_VALUE
  710. fi
  711. fi
  712. if grep -q "XMPP_CIPHERS" $IMPORT_FILE; then
  713. TEMP_VALUE=$(grep "XMPP_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
  714. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  715. XMPP_CIPHERS=$TEMP_VALUE
  716. fi
  717. fi
  718. if grep -q "XMPP_ECC_CURVE" $IMPORT_FILE; then
  719. TEMP_VALUE=$(grep "XMPP_ECC_CURVE" $IMPORT_FILE | awk -F '=' '{print $2}')
  720. if [ ${#TEMP_VALUE} -gt 3 ]; then
  721. XMPP_ECC_CURVE=$TEMP_VALUE
  722. fi
  723. fi
  724. }
  725. function export_settings {
  726. if [ ! $EXPORT_FILE ]; then
  727. return
  728. fi
  729. cd $CURRENT_DIR
  730. if [ ! -f $EXPORT_FILE ]; then
  731. if [ "$SSL_PROTOCOLS" ]; then
  732. echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
  733. fi
  734. if [ $SSL_CIPHERS ]; then
  735. echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
  736. fi
  737. if [ $SSH_CIPHERS ]; then
  738. echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
  739. fi
  740. if [ $SSH_MACS ]; then
  741. echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
  742. fi
  743. if [ $SSH_KEX ]; then
  744. echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
  745. fi
  746. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  747. echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
  748. fi
  749. if [ $SSH_PASSWORDS ]; then
  750. echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
  751. fi
  752. if [ $XMPP_CIPHERS ]; then
  753. echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
  754. fi
  755. if [ $XMPP_ECC_CURVE ]; then
  756. echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
  757. fi
  758. echo "Security settings exported to $EXPORT_FILE"
  759. exit 0
  760. fi
  761. if [ "$SSL_PROTOCOLS" ]; then
  762. if grep -q "SSL_PROTOCOLS" $EXPORT_FILE; then
  763. sed -i "s|SSL_PROTOCOLS=.*|SSL_PROTOCOLS=$SSL_PROTOCOLS|g" $EXPORT_FILE
  764. else
  765. echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
  766. fi
  767. fi
  768. if [ $SSL_CIPHERS ]; then
  769. if grep -q "SSL_CIPHERS" $EXPORT_FILE; then
  770. sed -i "s|SSL_CIPHERS=.*|SSL_CIPHERS=$SSL_CIPHERS|g" $EXPORT_FILE
  771. else
  772. echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
  773. fi
  774. fi
  775. if [ $SSH_CIPHERS ]; then
  776. if grep -q "SSH_CIPHERS" $EXPORT_FILE; then
  777. sed -i "s|SSH_CIPHERS=.*|SSH_CIPHERS=$SSH_CIPHERS|g" $EXPORT_FILE
  778. else
  779. echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
  780. fi
  781. fi
  782. if [ $SSH_MACS ]; then
  783. if grep -q "SSH_MACS" $EXPORT_FILE; then
  784. sed -i "s|SSH_MACS=.*|SSH_MACS=$SSH_MACS|g" $EXPORT_FILE
  785. else
  786. echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
  787. fi
  788. fi
  789. if [ $SSH_KEX ]; then
  790. if grep -q "SSH_KEX" $EXPORT_FILE; then
  791. sed -i "s|SSH_KEX=.*|SSH_KEX=$SSH_KEX|g" $EXPORT_FILE
  792. else
  793. echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
  794. fi
  795. fi
  796. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  797. if grep -q "SSH_HOST_KEY_ALGORITHMS" $EXPORT_FILE; then
  798. sed -i "s|SSH_HOST_KEY_ALGORITHMS=.*|SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS|g" $EXPORT_FILE
  799. else
  800. echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
  801. fi
  802. fi
  803. if [ $SSH_PASSWORDS ]; then
  804. if grep -q "SSH_PASSWORDS" $EXPORT_FILE; then
  805. sed -i "s|SSH_PASSWORDS=.*|SSH_PASSWORDS=$SSH_PASSWORDS|g" $EXPORT_FILE
  806. else
  807. echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
  808. fi
  809. fi
  810. if [ $XMPP_CIPHERS ]; then
  811. if grep -q "XMPP_CIPHERS" $EXPORT_FILE; then
  812. sed -i "s|XMPP_CIPHERS=.*|XMPP_CIPHERS=$XMPP_CIPHERS|g" $EXPORT_FILE
  813. else
  814. echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
  815. fi
  816. fi
  817. if [ $XMPP_ECC_CURVE ]; then
  818. if grep -q "XMPP_ECC_CURVE" $EXPORT_FILE; then
  819. sed -i "s|XMPP_ECC_CURVE=.*|XMPP_ECC_CURVE=$XMPP_ECC_CURVE|g" $EXPORT_FILE
  820. else
  821. echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
  822. fi
  823. fi
  824. echo $"Security settings exported to $EXPORT_FILE"
  825. exit 0
  826. }
  827. function refresh_gpg_keys {
  828. for d in /home/*/ ; do
  829. USERNAME=$(echo "$d" | awk -F '/' '{print $3}')
  830. if [[ $(is_valid_user "$USERNAME") == "1" ]]; then
  831. su -c 'gpg --refresh-keys' - $USERNAME
  832. fi
  833. done
  834. exit 0
  835. }
  836. function monkeysphere_sign_server_keys {
  837. server_keys_file=/home/$USER/.monkeysphere/server_keys
  838. if [ ! -f $server_keys_file ]; then
  839. exit 0
  840. fi
  841. keys_signed=
  842. while read line; do
  843. echo $line
  844. if [ ${#line} -gt 2 ]; then
  845. fpr=$(gpg --with-colons --fingerprint "$line" | grep fpr | head -n 1 | awk -F ':' '{print $10}')
  846. if [ ${#fpr} -gt 2 ]; then
  847. gpg --sign-key $fpr
  848. if [ "$?" = "0" ]; then
  849. gpg --update-trustdb
  850. keys_signed=1
  851. fi
  852. fi
  853. fi
  854. done <$server_keys_file
  855. if [ $keys_signed ]; then
  856. rm $server_keys_file
  857. fi
  858. exit 0
  859. }
  860. function htmly_hash {
  861. # produces a hash corresponding to a htmly password
  862. pass="$1"
  863. HTMLYHASH_FILENAME=/usr/bin/htmlyhash
  864. echo '<?php' > $HTMLYHASH_FILENAME
  865. echo 'parse_str(implode("&", array_slice($argv, 1)), $_GET);' >> $HTMLYHASH_FILENAME
  866. echo '$password = $_GET["password"];' >> $HTMLYHASH_FILENAME
  867. echo '$hash = password_hash($password, PASSWORD_BCRYPT);' >> $HTMLYHASH_FILENAME
  868. echo 'if (password_verify($password, $hash)) {' >> $HTMLYHASH_FILENAME
  869. echo ' echo $hash;' >> $HTMLYHASH_FILENAME
  870. echo '}' >> $HTMLYHASH_FILENAME
  871. echo '?>' >> $HTMLYHASH_FILENAME
  872. php $HTMLYHASH_FILENAME password="$pass"
  873. }
  874. function show_help {
  875. echo ''
  876. echo "${PROJECT_NAME}-sec"
  877. echo ''
  878. echo $'Alters the security settings'
  879. echo ''
  880. echo ''
  881. echo $' -h --help Show help'
  882. echo $' -e --export Export security settings to a file'
  883. echo $' -i --import Import security settings from a file'
  884. echo $' -r --refresh Refresh GPG keys for all users'
  885. echo $' -s --sign Sign monkeysphere server keys'
  886. echo $' --register [domain] Register a https domain with monkeysphere'
  887. echo $' -b --htmlyhash [password] Returns the hash of a password for a htmly blog'
  888. echo ''
  889. exit 0
  890. }
  891. # Get the commandline options
  892. while [[ $# > 1 ]]
  893. do
  894. key="$1"
  895. case $key in
  896. -h|--help)
  897. show_help
  898. ;;
  899. # Export settings
  900. -e|--export)
  901. shift
  902. EXPORT_FILE="$1"
  903. ;;
  904. # Export settings
  905. -i|--import)
  906. shift
  907. IMPORT_FILE="$1"
  908. ;;
  909. # Refresh GPG keys
  910. -r|--refresh)
  911. shift
  912. refresh_gpg_keys
  913. ;;
  914. # register a website
  915. --register|--reg|--site)
  916. shift
  917. register_website "$1"
  918. ;;
  919. # user signs monkeysphere server keys
  920. -s|--sign)
  921. shift
  922. monkeysphere_sign_server_keys
  923. ;;
  924. # get a hash of the given htmly password
  925. -b|--htmlyhash)
  926. shift
  927. htmly_hash "$1"
  928. exit 0
  929. ;;
  930. *)
  931. # unknown option
  932. ;;
  933. esac
  934. shift
  935. done
  936. menu_security_settings
  937. exit 0