freedombone-sec 24KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826
  1. #!/bin/bash
  2. #
  3. # .---. . .
  4. # | | |
  5. # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
  6. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
  7. # ' ' --' --' -' - -' ' ' -' -' -' ' - --'
  8. #
  9. # Freedom in the Cloud
  10. #
  11. # Alters the security settings
  12. #
  13. # License
  14. # =======
  15. #
  16. # Copyright (C) 2015-2016 Bob Mottram <bob@robotics.uk.to>
  17. #
  18. # This program is free software: you can redistribute it and/or modify
  19. # it under the terms of the GNU Affero General Public License as published by
  20. # the Free Software Foundation, either version 3 of the License, or
  21. # (at your option) any later version.
  22. #
  23. # This program is distributed in the hope that it will be useful,
  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  26. # GNU Affero General Public License for more details.
  27. #
  28. # You should have received a copy of the GNU Affero General Public License
  29. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  30. PROJECT_NAME='freedombone'
  31. export TEXTDOMAIN=${PROJECT_NAME}-sec
  32. export TEXTDOMAINDIR="/usr/share/locale"
  33. SSL_PROTOCOLS=
  34. SSL_CIPHERS=
  35. SSH_CIPHERS=
  36. SSH_MACS=
  37. SSH_KEX=
  38. SSH_HOST_KEY_ALGORITHMS=
  39. SSH_PASSWORDS=
  40. XMPP_CIPHERS=
  41. XMPP_ECC_CURVE=
  42. WEBSITES_DIRECTORY='/etc/nginx/sites-available'
  43. DOVECOT_CIPHERS='/etc/dovecot/conf.d/10-ssl.conf'
  44. SSH_CONFIG='/etc/ssh/sshd_config'
  45. XMPP_CONFIG='/etc/prosody/conf.avail/xmpp.cfg.lua'
  46. MINIMUM_LENGTH=6
  47. IMPORT_FILE=
  48. EXPORT_FILE=
  49. CURRENT_DIR=$(pwd)
  50. REGENERATE_SSH_HOST_KEYS="no"
  51. REGENERATE_DH_KEYS="no"
  52. DH_KEYLENGTH=2048
  53. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
  54. function get_protocols_from_website {
  55. if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
  56. return
  57. fi
  58. SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}')
  59. }
  60. function get_ciphers_from_website {
  61. if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
  62. return
  63. fi
  64. SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')
  65. }
  66. function get_website_settings {
  67. if [ ! -d $WEBSITES_DIRECTORY ]; then
  68. return
  69. fi
  70. cd $WEBSITES_DIRECTORY
  71. for file in `dir -d *` ; do
  72. get_protocols_from_website $file
  73. if [ ${#SSL_PROTOCOLS} -gt $MINIMUM_LENGTH ]; then
  74. get_ciphers_from_website $file
  75. if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
  76. break
  77. else
  78. SSL_PROTOCOLS=""
  79. fi
  80. fi
  81. done
  82. }
  83. function get_imap_settings {
  84. if [ ! -f $DOVECOT_CIPHERS ]; then
  85. return
  86. fi
  87. # clear commented out cipher list
  88. sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS
  89. if [ $SSL_CIPHERS ]; then
  90. return
  91. fi
  92. if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
  93. return
  94. fi
  95. SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')
  96. }
  97. function get_xmpp_settings {
  98. if [ ! -f $XMPP_CONFIG ]; then
  99. return
  100. fi
  101. XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  102. XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  103. }
  104. function get_ssh_settings {
  105. if [ -f $SSH_CONFIG ]; then
  106. SSH_CIPHERS=$(cat $SSH_CONFIG | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
  107. SSH_MACS=$(cat $SSH_CONFIG | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
  108. SSH_KEX=$(cat $SSH_CONFIG | grep 'KexAlgorithms ' | awk -F 'KexAlgorithms ' '{print $2}')
  109. SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')
  110. fi
  111. if [ -f /etc/ssh/ssh_config ]; then
  112. SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')
  113. if [ ! $SSH_CIPHERS ]; then
  114. SSH_CIPHERS=$(cat /etc/ssh/ssh_config | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
  115. fi
  116. if [ ! $SSH_MACS ]; then
  117. SSH_MACS=$(cat /etc/ssh/ssh_config | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
  118. fi
  119. fi
  120. }
  121. function change_website_settings {
  122. if [ ! "$SSL_PROTOCOLS" ]; then
  123. return
  124. fi
  125. if [ ! $SSL_CIPHERS ]; then
  126. return
  127. fi
  128. if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then
  129. return
  130. fi
  131. if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
  132. return
  133. fi
  134. if [ ! -d $WEBSITES_DIRECTORY ]; then
  135. return
  136. fi
  137. cd $WEBSITES_DIRECTORY
  138. for file in `dir -d *` ; do
  139. sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
  140. sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
  141. done
  142. systemctl restart nginx
  143. echo $'Web security settings changed'
  144. }
  145. function change_imap_settings {
  146. if [ ! -f $DOVECOT_CIPHERS ]; then
  147. return
  148. fi
  149. if [ ! $SSL_CIPHERS ]; then
  150. return
  151. fi
  152. if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
  153. return
  154. fi
  155. sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS
  156. sed -i "s|ssl_protocols.*|ssl_protocols = '$SSL_PROTOCOLS'|g" $DOVECOT_CIPHERS
  157. systemctl restart dovecot
  158. echo $'imap security settings changed'
  159. }
  160. function change_ssh_settings {
  161. if [ -f /etc/ssh/ssh_config ]; then
  162. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  163. sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config
  164. echo $'ssh client security settings changed'
  165. fi
  166. fi
  167. if [ -f $SSH_CONFIG ]; then
  168. if [ ! $SSH_CIPHERS ]; then
  169. return
  170. fi
  171. if [ ! $SSH_MACS ]; then
  172. return
  173. fi
  174. if [ ! $SSH_KEX ]; then
  175. return
  176. fi
  177. if [ ! $SSH_PASSWORDS ]; then
  178. return
  179. fi
  180. sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG
  181. sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG
  182. sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG
  183. sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG
  184. systemctl restart ssh
  185. echo $'ssh server security settings changed'
  186. fi
  187. }
  188. function change_xmpp_settings {
  189. if [ ! -f $XMPP_CONFIG ]; then
  190. return
  191. fi
  192. if [ ! $XMPP_CIPHERS ]; then
  193. return
  194. fi
  195. if [ ! $XMPP_ECC_CURVE ]; then
  196. return
  197. fi
  198. sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG
  199. sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG
  200. systemctl restart prosody
  201. echo $'xmpp security settings changed'
  202. }
  203. function interactive_setup {
  204. if [ $SSL_CIPHERS ]; then
  205. data=$(tempfile 2>/dev/null)
  206. trap "rm -f $data" 0 1 2 5 15
  207. dialog --backtitle $"Freedombone Security Configuration" \
  208. --form $"\nWeb/IMAP Ciphers:" 10 95 2 \
  209. $"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
  210. $"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
  211. 2> $data
  212. sel=$?
  213. case $sel in
  214. 1) SSL_PROTOCOLS=$(cat $data | sed -n 1p)
  215. SSL_CIPHERS=$(cat $data | sed -n 2p)
  216. ;;
  217. 255) exit 0;;
  218. esac
  219. fi
  220. data=$(tempfile 2>/dev/null)
  221. trap "rm -f $data" 0 1 2 5 15
  222. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  223. dialog --backtitle $"Freedombone Security Configuration" \
  224. --form $"\nSecure Shell Ciphers:" 13 95 4 \
  225. $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
  226. $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
  227. $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
  228. $"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
  229. 2> $data
  230. sel=$?
  231. case $sel in
  232. 1) SSH_CIPHERS=$(cat $data | sed -n 1p)
  233. SSH_MACS=$(cat $data | sed -n 2p)
  234. SSH_KEX=$(cat $data | sed -n 3p)
  235. SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p)
  236. ;;
  237. 255) exit 0;;
  238. esac
  239. else
  240. dialog --backtitle $"Freedombone Security Configuration" \
  241. --form $"\nSecure Shell Ciphers:" 11 95 3 \
  242. $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
  243. $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
  244. $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
  245. 2> $data
  246. sel=$?
  247. case $sel in
  248. 1) SSH_CIPHERS=$(cat $data | sed -n 1p)
  249. SSH_MACS=$(cat $data | sed -n 2p)
  250. SSH_KEX=$(cat $data | sed -n 3p)
  251. ;;
  252. 255) exit 0;;
  253. esac
  254. fi
  255. if [[ $SSH_PASSWORDS == "yes" ]]; then
  256. dialog --title $"SSH Passwords" \
  257. --backtitle $"Freedombone Security Configuration" \
  258. --yesno $"\nAllow SSH login using passwords?" 7 60
  259. else
  260. dialog --title $"SSH Passwords" \
  261. --backtitle $"Freedombone Security Configuration" \
  262. --defaultno \
  263. --yesno $"\nAllow SSH login using passwords?" 7 60
  264. fi
  265. sel=$?
  266. case $sel in
  267. 0) SSH_PASSWORDS="yes";;
  268. 1) SSH_PASSWORDS="no";;
  269. 255) exit 0;;
  270. esac
  271. if [ $XMPP_CIPHERS ]; then
  272. data=$(tempfile 2>/dev/null)
  273. trap "rm -f $data" 0 1 2 5 15
  274. dialog --backtitle $"Freedombone Security Configuration" \
  275. --form $"\nXMPP Ciphers:" 10 95 2 \
  276. $"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \
  277. $"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \
  278. 2> $data
  279. sel=$?
  280. case $sel in
  281. 1) XMPP_CIPHERS=$(cat $data | sed -n 1p)
  282. XMPP_ECC_CURVE=$(cat $data | sed -n 2p)
  283. ;;
  284. 255) exit 0;;
  285. esac
  286. fi
  287. dialog --title $"Final Confirmation" \
  288. --backtitle $"Freedombone Security Configuration" \
  289. --defaultno \
  290. --yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60
  291. sel=$?
  292. case $sel in
  293. 1) clear
  294. echo $'Exiting without changing security settings'
  295. exit 0;;
  296. 255) clear
  297. echo $'Exiting without changing security settings'
  298. exit 0;;
  299. esac
  300. clear
  301. }
  302. function regenerate_ssh_host_keys {
  303. if [[ $REGENERATE_SSH_HOST_KEYS == "yes" ]]; then
  304. rm -f /etc/ssh/ssh_host_*
  305. dpkg-reconfigure openssh-server
  306. echo $'ssh host keys regenerated'
  307. # remove small moduli
  308. awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
  309. mv ~/moduli /etc/ssh/moduli
  310. echo $'ssh small moduli removed'
  311. systemctl restart ssh
  312. fi
  313. }
  314. function regenerate_dh_keys {
  315. if [[ $REGENERATE_DH_KEYS == "yes" ]]; then
  316. if [ ! -d /etc/ssl/mycerts ]; then
  317. echo $'No dhparam certificates were found'
  318. return
  319. fi
  320. data=$(tempfile 2>/dev/null)
  321. trap "rm -f $data" 0 1 2 5 15
  322. dialog --backtitle "Freedombone Security Configuration" \
  323. --title "Diffie-Hellman key length" \
  324. --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
  325. 1 "2048 bits" off \
  326. 2 "3072 bits" on \
  327. 3 "4096 bits" off 2> $data
  328. sel=$?
  329. case $sel in
  330. 1) exit 1;;
  331. 255) exit 1;;
  332. esac
  333. case $(cat $data) in
  334. 1) DH_KEYLENGTH=2048;;
  335. 2) DH_KEYLENGTH=3072;;
  336. 3) DH_KEYLENGTH=4096;;
  337. esac
  338. ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
  339. fi
  340. }
  341. function renew_startssl {
  342. renew_domain=
  343. data=$(tempfile 2>/dev/null)
  344. trap "rm -f $data" 0 1 2 5 15
  345. dialog --title $"Renew a StartSSL certificate" \
  346. --backtitle $"Freedombone Security Settings" \
  347. --inputbox $"Enter the domain name" 8 60 2>$data
  348. sel=$?
  349. case $sel in
  350. 0)
  351. renew_domain=$(<$data)
  352. ;;
  353. esac
  354. if [ ! $renew_domain ]; then
  355. return
  356. fi
  357. if [[ $renew_domain == "http"* ]]; then
  358. dialog --title $"Renew a StartSSL certificate" \
  359. --msgbox $"Don't include the https://" 6 40
  360. return
  361. fi
  362. if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
  363. dialog --title $"Renew a StartSSL certificate" \
  364. --msgbox $"An existing certificate for $renew_domain was not found" 6 40
  365. return
  366. fi
  367. if [[ $renew_domain != *"."* ]]; then
  368. dialog --title $"Renew a StartSSL certificate" \
  369. --msgbox $"Invalid domain name: $renew_domain" 6 40
  370. return
  371. fi
  372. ${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl
  373. exit 0
  374. }
  375. function renew_letsencrypt {
  376. renew_domain=
  377. data=$(tempfile 2>/dev/null)
  378. trap "rm -f $data" 0 1 2 5 15
  379. dialog --title $"Renew a Let's Encrypt certificate" \
  380. --backtitle $"Freedombone Security Settings" \
  381. --inputbox $"Enter the domain name" 8 60 2>$data
  382. sel=$?
  383. case $sel in
  384. 0)
  385. renew_domain=$(<$data)
  386. ;;
  387. esac
  388. if [ ! $renew_domain ]; then
  389. return
  390. fi
  391. if [[ $renew_domain == "http"* ]]; then
  392. dialog --title $"Renew a Let's Encrypt certificate" \
  393. --msgbox $"Don't include the https://" 6 40
  394. return
  395. fi
  396. if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
  397. dialog --title $"Renew a Let's Encrypt certificate" \
  398. --msgbox $"An existing certificate for $renew_domain was not found" 6 40
  399. return
  400. fi
  401. if [[ $renew_domain != *"."* ]]; then
  402. dialog --title $"Renew a Let's Encrypt certificate" \
  403. --msgbox $"Invalid domain name: $renew_domain" 6 40
  404. return
  405. fi
  406. ${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt'
  407. exit 0
  408. }
  409. function create_letsencrypt {
  410. new_domain=
  411. data=$(tempfile 2>/dev/null)
  412. trap "rm -f $data" 0 1 2 5 15
  413. dialog --title $"Create a new Let's Encrypt certificate" \
  414. --backtitle $"Freedombone Security Settings" \
  415. --inputbox $"Enter the domain name" 8 60 2>$data
  416. sel=$?
  417. case $sel in
  418. 0)
  419. new_domain=$(<$data)
  420. ;;
  421. esac
  422. if [ ! $new_domain ]; then
  423. return
  424. fi
  425. if [[ $new_domain == "http"* ]]; then
  426. dialog --title $"Create a new Let's Encrypt certificate" \
  427. --msgbox $"Don't include the https://" 6 40
  428. return
  429. fi
  430. if [[ $new_domain != *"."* ]]; then
  431. dialog --title $"Create a new Let's Encrypt certificate" \
  432. --msgbox $"Invalid domain name: $new_domain" 6 40
  433. return
  434. fi
  435. if [ ! -d /var/www/${new_domain} ]; then
  436. dialog --title $"Create a new Let's Encrypt certificate" \
  437. --msgbox $'Domain not found within /var/www' 6 40
  438. return
  439. fi
  440. ${PROJECT_NAME}-addcert -e $new_domain -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
  441. exit 0
  442. }
  443. function update_ciphersuite {
  444. project_filename=/usr/local/bin/${PROJECT_NAME}
  445. if [ ! -f $project_filename ]; then
  446. project_filename=/usr/bin/${PROJECT_NAME}
  447. fi
  448. RECOMMENDED_SSL_CIPHERS=$(cat $project_filename | grep 'SSL_CIPHERS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  449. if [ ! "$RECOMMENDED_SSL_CIPHERS" ]; then
  450. return
  451. fi
  452. if [ ${#RECOMMENDED_SSL_CIPHERS} -lt 5 ]; then
  453. return
  454. fi
  455. RECOMMENDED_SSL_PROTOCOLS=$(cat $project_filename | grep 'SSL_PROTOCOLS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  456. if [ ! "$RECOMMENDED_SSL_PROTOCOLS" ]; then
  457. return
  458. fi
  459. if [ ${#RECOMMENDED_SSL_PROTOCOLS} -lt 5 ]; then
  460. return
  461. fi
  462. RECOMMENDED_SSH_CIPHERS=$(cat $project_filename | grep 'SSH_CIPHERS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  463. if [ ! "$RECOMMENDED_SSH_CIPHERS" ]; then
  464. return
  465. fi
  466. if [ ${#RECOMMENDED_SSH_CIPHERS} -lt 5 ]; then
  467. return
  468. fi
  469. RECOMMENDED_SSH_MACS=$(cat $project_filename | grep 'SSH_MACS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  470. if [ ! "$RECOMMENDED_SSH_MACS" ]; then
  471. return
  472. fi
  473. if [ ${#RECOMMENDED_SSH_MACS} -lt 5 ]; then
  474. return
  475. fi
  476. RECOMMENDED_SSH_KEX=$(cat $project_filename | grep 'SSH_KEX=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
  477. if [ ! "$RECOMMENDED_SSH_KEX" ]; then
  478. return
  479. fi
  480. if [ ${#RECOMMENDED_SSH_KEX} -lt 5 ]; then
  481. return
  482. fi
  483. cd $WEBSITES_DIRECTORY
  484. for file in `dir -d *` ; do
  485. sed -i "s|ssl_protocols .*|ssl_protocols $RECOMMENDED_SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
  486. sed -i "s|ssl_ciphers .*|ssl_ciphers '$RECOMMENDED_SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
  487. done
  488. systemctl restart nginx
  489. sed -i "s|Ciphers .*|Ciphers $RECOMMENDED_SSH_CIPHERS|g" $SSH_CONFIG
  490. sed -i "s|MACs .*|MACs $RECOMMENDED_SSH_MACS|g" $SSH_CONFIG
  491. sed -i "s|KexAlgorithms .*|KexAlgorithms $RECOMMENDED_SSH_KEX|g" $SSH_CONFIG
  492. systemctl restart ssh
  493. dialog --title $"Update ciphersuite" \
  494. --msgbox $"The ciphersuite has been updated to recommended versions" 6 40
  495. exit 0
  496. }
  497. function housekeeping {
  498. cmd=(dialog --separate-output \
  499. --backtitle "Freedombone Security Configuration" \
  500. --title "Housekeeping options" \
  501. --checklist "If you don't need to do any of these things then just press Enter:" 13 76 16)
  502. options=(1 "Regenerate ssh host keys" off
  503. 2 "Regenerate Diffie-Hellman keys" off
  504. 3 "Renew a StartSSL certificate" off
  505. 4 "Update cipersuite" off
  506. 5 "Create a new Let's Encrypt certificate" off
  507. 6 "Renew Let's Encrypt certificate" off)
  508. choices=$("${cmd[@]}" "${options[@]}" 2>&1 >/dev/tty)
  509. clear
  510. for choice in $choices
  511. do
  512. case $choice in
  513. 1)
  514. REGENERATE_SSH_HOST_KEYS="yes"
  515. ;;
  516. 2)
  517. REGENERATE_DH_KEYS="yes"
  518. ;;
  519. 3)
  520. renew_startssl
  521. ;;
  522. 4)
  523. update_ciphersuite
  524. ;;
  525. 5)
  526. create_letsencrypt
  527. ;;
  528. 6)
  529. renew_letsencrypt
  530. ;;
  531. esac
  532. done
  533. }
  534. function import_settings {
  535. cd $CURRENT_DIR
  536. if [ ! $IMPORT_FILE ]; then
  537. return
  538. fi
  539. if [ ! -f $IMPORT_FILE ]; then
  540. echo $"Import file $IMPORT_FILE not found"
  541. exit 6393
  542. fi
  543. if grep -q "SSL_PROTOCOLS" $IMPORT_FILE; then
  544. TEMP_VALUE=$(grep "SSL_PROTOCOLS" $IMPORT_FILE | awk -F '=' '{print $2}')
  545. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  546. SSL_PROTOCOLS=$TEMP_VALUE
  547. fi
  548. fi
  549. if grep -q "SSL_CIPHERS" $IMPORT_FILE; then
  550. TEMP_VALUE=$(grep "SSL_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
  551. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  552. SSL_CIPHERS=$TEMP_VALUE
  553. fi
  554. fi
  555. if grep -q "SSH_CIPHERS" $IMPORT_FILE; then
  556. TEMP_VALUE=$(grep "SSH_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
  557. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  558. SSH_CIPHERS=$TEMP_VALUE
  559. fi
  560. fi
  561. if grep -q "SSH_MACS" $IMPORT_FILE; then
  562. TEMP_VALUE=$(grep "SSH_MACS" $IMPORT_FILE | awk -F '=' '{print $2}')
  563. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  564. SSH_MACS=$TEMP_VALUE
  565. fi
  566. fi
  567. if grep -q "SSH_KEX" $IMPORT_FILE; then
  568. TEMP_VALUE=$(grep "SSH_KEX" $IMPORT_FILE | awk -F '=' '{print $2}')
  569. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  570. SSH_KEX=$TEMP_VALUE
  571. fi
  572. fi
  573. if grep -q "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE; then
  574. TEMP_VALUE=$(grep "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE | awk -F '=' '{print $2}')
  575. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  576. SSH_HOST_KEY_ALGORITHMS=$TEMP_VALUE
  577. fi
  578. fi
  579. if grep -q "SSH_PASSWORDS" $IMPORT_FILE; then
  580. TEMP_VALUE=$(grep "SSH_PASSWORDS" $IMPORT_FILE | awk -F '=' '{print $2}')
  581. if [[ $TEMP_VALUE == "yes" || $TEMP_VALUE == "no" ]]; then
  582. SSH_PASSWORDS=$TEMP_VALUE
  583. fi
  584. fi
  585. if grep -q "XMPP_CIPHERS" $IMPORT_FILE; then
  586. TEMP_VALUE=$(grep "XMPP_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
  587. if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
  588. XMPP_CIPHERS=$TEMP_VALUE
  589. fi
  590. fi
  591. if grep -q "XMPP_ECC_CURVE" $IMPORT_FILE; then
  592. TEMP_VALUE=$(grep "XMPP_ECC_CURVE" $IMPORT_FILE | awk -F '=' '{print $2}')
  593. if [ ${#TEMP_VALUE} -gt 3 ]; then
  594. XMPP_ECC_CURVE=$TEMP_VALUE
  595. fi
  596. fi
  597. }
  598. function export_settings {
  599. if [ ! $EXPORT_FILE ]; then
  600. return
  601. fi
  602. cd $CURRENT_DIR
  603. if [ ! -f $EXPORT_FILE ]; then
  604. if [ "$SSL_PROTOCOLS" ]; then
  605. echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
  606. fi
  607. if [ $SSL_CIPHERS ]; then
  608. echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
  609. fi
  610. if [ $SSH_CIPHERS ]; then
  611. echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
  612. fi
  613. if [ $SSH_MACS ]; then
  614. echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
  615. fi
  616. if [ $SSH_KEX ]; then
  617. echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
  618. fi
  619. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  620. echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
  621. fi
  622. if [ $SSH_PASSWORDS ]; then
  623. echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
  624. fi
  625. if [ $XMPP_CIPHERS ]; then
  626. echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
  627. fi
  628. if [ $XMPP_ECC_CURVE ]; then
  629. echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
  630. fi
  631. echo "Security settings exported to $EXPORT_FILE"
  632. exit 0
  633. fi
  634. if [ "$SSL_PROTOCOLS" ]; then
  635. if grep -q "SSL_PROTOCOLS" $EXPORT_FILE; then
  636. sed -i "s|SSL_PROTOCOLS=.*|SSL_PROTOCOLS=$SSL_PROTOCOLS|g" $EXPORT_FILE
  637. else
  638. echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
  639. fi
  640. fi
  641. if [ $SSL_CIPHERS ]; then
  642. if grep -q "SSL_CIPHERS" $EXPORT_FILE; then
  643. sed -i "s|SSL_CIPHERS=.*|SSL_CIPHERS=$SSL_CIPHERS|g" $EXPORT_FILE
  644. else
  645. echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
  646. fi
  647. fi
  648. if [ $SSH_CIPHERS ]; then
  649. if grep -q "SSH_CIPHERS" $EXPORT_FILE; then
  650. sed -i "s|SSH_CIPHERS=.*|SSH_CIPHERS=$SSH_CIPHERS|g" $EXPORT_FILE
  651. else
  652. echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
  653. fi
  654. fi
  655. if [ $SSH_MACS ]; then
  656. if grep -q "SSH_MACS" $EXPORT_FILE; then
  657. sed -i "s|SSH_MACS=.*|SSH_MACS=$SSH_MACS|g" $EXPORT_FILE
  658. else
  659. echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
  660. fi
  661. fi
  662. if [ $SSH_KEX ]; then
  663. if grep -q "SSH_KEX" $EXPORT_FILE; then
  664. sed -i "s|SSH_KEX=.*|SSH_KEX=$SSH_KEX|g" $EXPORT_FILE
  665. else
  666. echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
  667. fi
  668. fi
  669. if [ $SSH_HOST_KEY_ALGORITHMS ]; then
  670. if grep -q "SSH_HOST_KEY_ALGORITHMS" $EXPORT_FILE; then
  671. sed -i "s|SSH_HOST_KEY_ALGORITHMS=.*|SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS|g" $EXPORT_FILE
  672. else
  673. echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
  674. fi
  675. fi
  676. if [ $SSH_PASSWORDS ]; then
  677. if grep -q "SSH_PASSWORDS" $EXPORT_FILE; then
  678. sed -i "s|SSH_PASSWORDS=.*|SSH_PASSWORDS=$SSH_PASSWORDS|g" $EXPORT_FILE
  679. else
  680. echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
  681. fi
  682. fi
  683. if [ $XMPP_CIPHERS ]; then
  684. if grep -q "XMPP_CIPHERS" $EXPORT_FILE; then
  685. sed -i "s|XMPP_CIPHERS=.*|XMPP_CIPHERS=$XMPP_CIPHERS|g" $EXPORT_FILE
  686. else
  687. echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
  688. fi
  689. fi
  690. if [ $XMPP_ECC_CURVE ]; then
  691. if grep -q "XMPP_ECC_CURVE" $EXPORT_FILE; then
  692. sed -i "s|XMPP_ECC_CURVE=.*|XMPP_ECC_CURVE=$XMPP_ECC_CURVE|g" $EXPORT_FILE
  693. else
  694. echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
  695. fi
  696. fi
  697. echo $"Security settings exported to $EXPORT_FILE"
  698. exit 0
  699. }
  700. function show_help {
  701. echo ''
  702. echo "${PROJECT_NAME}-sec"
  703. echo ''
  704. echo $'Alters the security settings'
  705. echo ''
  706. echo ''
  707. echo $' -h --help Show help'
  708. echo $' -e --export Export security settings to a file'
  709. echo $' -i --import Import security settings from a file'
  710. echo ''
  711. exit 0
  712. }
  713. # Get the commandline options
  714. while [[ $# > 1 ]]
  715. do
  716. key="$1"
  717. case $key in
  718. -h|--help)
  719. show_help
  720. ;;
  721. # Export settings
  722. -e|--export)
  723. shift
  724. EXPORT_FILE="$1"
  725. ;;
  726. # Export settings
  727. -i|--import)
  728. shift
  729. IMPORT_FILE="$1"
  730. ;;
  731. *)
  732. # unknown option
  733. ;;
  734. esac
  735. shift
  736. done
  737. housekeeping
  738. get_website_settings
  739. get_imap_settings
  740. get_ssh_settings
  741. get_xmpp_settings
  742. import_settings
  743. export_settings
  744. interactive_setup
  745. change_website_settings
  746. change_imap_settings
  747. change_ssh_settings
  748. change_xmpp_settings
  749. regenerate_ssh_host_keys
  750. regenerate_dh_keys
  751. exit 0