free
/
freedombone
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
3380 Commits
5 Branches
Tree: b74c0907fe
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b74c0907fe'
${ noResults }
freedombone/src/freedombone-sec

freedombone-sec 24KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826 
  1. #!/bin/bash

  2. #

  3. # .---.                  .              .

  4. # |                      |              |

  5. # |--- .--. .-.  .-.  .-.|  .-. .--.--. |.-.  .-. .--.  .-.

  6. # |    |   (.-' (.-' (   | (   )|  |  | |   )(   )|  | (.-'

  7. # '    '     --'  --'  -' -  -' '  '   -' -'   -' '   -  --'

  8. #

  9. #                    Freedom in the Cloud

  10. #

  11. # Alters the security settings

  12. #

  13. # License

  14. # =======

  15. #

  16. # Copyright (C) 2015-2016 Bob Mottram <bob@robotics.uk.to>

  17. #

  18. # This program is free software: you can redistribute it and/or modify

  19. # it under the terms of the GNU Affero General Public License as published by

  20. # the Free Software Foundation, either version 3 of the License, or

  21. # (at your option) any later version.

  22. #

  23. # This program is distributed in the hope that it will be useful,

  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of

  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

  26. # GNU Affero General Public License for more details.

  27. #

  28. # You should have received a copy of the GNU Affero General Public License

  29. # along with this program.  If not, see <http://www.gnu.org/licenses/>.

  30. 

  31. PROJECT_NAME='freedombone'

  32. 

  33. export TEXTDOMAIN=${PROJECT_NAME}-sec

  34. export TEXTDOMAINDIR="/usr/share/locale"

  35. 

  36. SSL_PROTOCOLS=

  37. SSL_CIPHERS=

  38. SSH_CIPHERS=

  39. SSH_MACS=

  40. SSH_KEX=

  41. SSH_HOST_KEY_ALGORITHMS=

  42. SSH_PASSWORDS=

  43. XMPP_CIPHERS=

  44. XMPP_ECC_CURVE=

  45. 

  46. WEBSITES_DIRECTORY='/etc/nginx/sites-available'

  47. DOVECOT_CIPHERS='/etc/dovecot/conf.d/10-ssl.conf'

  48. SSH_CONFIG='/etc/ssh/sshd_config'

  49. XMPP_CONFIG='/etc/prosody/conf.avail/xmpp.cfg.lua'

  50. 

  51. MINIMUM_LENGTH=6

  52. 

  53. IMPORT_FILE=

  54. EXPORT_FILE=

  55. 

  56. CURRENT_DIR=$(pwd)

  57. 

  58. REGENERATE_SSH_HOST_KEYS="no"

  59. REGENERATE_DH_KEYS="no"

  60. DH_KEYLENGTH=2048

  61. LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'

  62. 

  63. function get_protocols_from_website {

  64.   if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then

  65.       return

  66.   fi

  67.   SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}')

  68. }

  69. 

  70. function get_ciphers_from_website {

  71.   if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then

  72.       return

  73.   fi

  74.   SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')

  75. }

  76. 

  77. function get_website_settings {

  78.   if [ ! -d $WEBSITES_DIRECTORY ]; then

  79.       return

  80.   fi

  81. 

  82.   cd $WEBSITES_DIRECTORY

  83.   for file in `dir -d *` ; do

  84.       get_protocols_from_website $file

  85.       if [ ${#SSL_PROTOCOLS} -gt $MINIMUM_LENGTH ]; then

  86.           get_ciphers_from_website $file

  87.           if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then

  88.               break

  89.           else

  90.               SSL_PROTOCOLS=""

  91.           fi

  92.       fi

  93.   done

  94. }

  95. 

  96. function get_imap_settings {

  97.   if [ ! -f $DOVECOT_CIPHERS ]; then

  98.       return

  99.   fi

  100.   # clear commented out cipher list

  101.   sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS

  102.   if [ $SSL_CIPHERS ]; then

  103.       return

  104.   fi

  105.   if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then

  106.       return

  107.   fi

  108.   SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')

  109. }

  110. 

  111. function get_xmpp_settings {

  112.   if [ ! -f $XMPP_CONFIG ]; then

  113.       return

  114.   fi

  115.   XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')

  116.   XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')

  117. }

  118. 

  119. function get_ssh_settings {

  120.   if [ -f $SSH_CONFIG ]; then

  121.       SSH_CIPHERS=$(cat $SSH_CONFIG | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')

  122.       SSH_MACS=$(cat $SSH_CONFIG | grep 'MACs ' | awk -F 'MACs ' '{print $2}')

  123.       SSH_KEX=$(cat $SSH_CONFIG | grep 'KexAlgorithms ' | awk -F 'KexAlgorithms ' '{print $2}')

  124.       SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')

  125.   fi

  126.   if [ -f /etc/ssh/ssh_config ]; then

  127.       SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')

  128.       if [ ! $SSH_CIPHERS ]; then

  129.           SSH_CIPHERS=$(cat /etc/ssh/ssh_config | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')

  130.       fi

  131.       if [ ! $SSH_MACS ]; then

  132.           SSH_MACS=$(cat /etc/ssh/ssh_config | grep 'MACs ' | awk -F 'MACs ' '{print $2}')

  133.       fi

  134.   fi

  135. }

  136. 

  137. function change_website_settings {

  138.   if [ ! "$SSL_PROTOCOLS" ]; then

  139.       return

  140.   fi

  141.   if [ ! $SSL_CIPHERS ]; then

  142.       return

  143.   fi

  144.   if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then

  145.       return

  146.   fi

  147.   if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then

  148.       return

  149.   fi

  150.   if [ ! -d $WEBSITES_DIRECTORY ]; then

  151.       return

  152.   fi

  153. 

  154.   cd $WEBSITES_DIRECTORY

  155.   for file in `dir -d *` ; do

  156.       sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file

  157.       sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file

  158.   done

  159.   systemctl restart nginx

  160.   echo $'Web security settings changed'

  161. }

  162. 

  163. function change_imap_settings {

  164.   if [ ! -f $DOVECOT_CIPHERS ]; then

  165.       return

  166.   fi

  167.   if [ ! $SSL_CIPHERS ]; then

  168.       return

  169.   fi

  170.   if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then

  171.       return

  172.   fi

  173.   sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS

  174.   sed -i "s|ssl_protocols.*|ssl_protocols = '$SSL_PROTOCOLS'|g" $DOVECOT_CIPHERS

  175.   systemctl restart dovecot

  176.   echo $'imap security settings changed'

  177. }

  178. 

  179. function change_ssh_settings {

  180.   if [ -f /etc/ssh/ssh_config ]; then

  181.       if [ $SSH_HOST_KEY_ALGORITHMS ]; then

  182.           sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config

  183.           echo $'ssh client security settings changed'

  184.       fi

  185.   fi

  186.   if [ -f $SSH_CONFIG ]; then

  187.       if [ ! $SSH_CIPHERS ]; then

  188.           return

  189.       fi

  190.       if [ ! $SSH_MACS ]; then

  191.           return

  192.       fi

  193.       if [ ! $SSH_KEX ]; then

  194.           return

  195.       fi

  196.       if [ ! $SSH_PASSWORDS ]; then

  197.           return

  198.       fi

  199. 

  200.       sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG

  201.       sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG

  202.       sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG

  203.       sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG

  204.       systemctl restart ssh

  205.       echo $'ssh server security settings changed'

  206.   fi

  207. }

  208. 

  209. function change_xmpp_settings {

  210.   if [ ! -f $XMPP_CONFIG ]; then

  211.       return

  212.   fi

  213.   if [ ! $XMPP_CIPHERS ]; then

  214.       return

  215.   fi

  216.   if [ ! $XMPP_ECC_CURVE ]; then

  217.       return

  218.   fi

  219.   sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG

  220.   sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG

  221.   systemctl restart prosody

  222.   echo $'xmpp security settings changed'

  223. }

  224. 

  225. function interactive_setup {

  226.   if [ $SSL_CIPHERS ]; then

  227.       data=$(tempfile 2>/dev/null)

  228.       trap "rm -f $data" 0 1 2 5 15

  229.       dialog --backtitle $"Freedombone Security Configuration" \

  230.           --form $"\nWeb/IMAP Ciphers:" 10 95 2 \

  231.           $"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \

  232.           $"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \

  233.           2> $data

  234.       sel=$?

  235.       case $sel in

  236.           1) SSL_PROTOCOLS=$(cat $data | sed -n 1p)

  237.              SSL_CIPHERS=$(cat $data | sed -n 2p)

  238.              ;;

  239.           255) exit 0;;

  240.       esac

  241.   fi

  242. 

  243.   data=$(tempfile 2>/dev/null)

  244.   trap "rm -f $data" 0 1 2 5 15

  245.   if [ $SSH_HOST_KEY_ALGORITHMS ]; then

  246.       dialog --backtitle $"Freedombone Security Configuration" \

  247.         --form $"\nSecure Shell Ciphers:" 13 95 4 \

  248.          $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \

  249.          $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \

  250.          $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \

  251.          $"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \

  252.          2> $data

  253.       sel=$?

  254.       case $sel in

  255.           1) SSH_CIPHERS=$(cat $data | sed -n 1p)

  256.              SSH_MACS=$(cat $data | sed -n 2p)

  257.              SSH_KEX=$(cat $data | sed -n 3p)

  258.              SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p)

  259.              ;;

  260.           255) exit 0;;

  261.       esac

  262.   else

  263.       dialog --backtitle $"Freedombone Security Configuration" \

  264.         --form $"\nSecure Shell Ciphers:" 11 95 3 \

  265.          $"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \

  266.          $"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \

  267.          $"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \

  268.          2> $data

  269.       sel=$?

  270.       case $sel in

  271.           1) SSH_CIPHERS=$(cat $data | sed -n 1p)

  272.              SSH_MACS=$(cat $data | sed -n 2p)

  273.              SSH_KEX=$(cat $data | sed -n 3p)

  274.              ;;

  275.           255) exit 0;;

  276.       esac

  277.   fi

  278. 

  279.   if [[ $SSH_PASSWORDS == "yes" ]]; then

  280.       dialog --title $"SSH Passwords" \

  281.           --backtitle $"Freedombone Security Configuration" \

  282.           --yesno $"\nAllow SSH login using passwords?" 7 60

  283.   else

  284.       dialog --title $"SSH Passwords" \

  285.           --backtitle $"Freedombone Security Configuration" \

  286.           --defaultno \

  287.           --yesno $"\nAllow SSH login using passwords?" 7 60

  288.   fi

  289.   sel=$?

  290.   case $sel in

  291.       0) SSH_PASSWORDS="yes";;

  292.       1) SSH_PASSWORDS="no";;

  293.       255) exit 0;;

  294.   esac

  295. 

  296.   if [ $XMPP_CIPHERS ]; then

  297.       data=$(tempfile 2>/dev/null)

  298.       trap "rm -f $data" 0 1 2 5 15

  299.       dialog --backtitle $"Freedombone Security Configuration" \

  300.           --form $"\nXMPP Ciphers:" 10 95 2 \

  301.           $"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \

  302.           $"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \

  303.           2> $data

  304.       sel=$?

  305.       case $sel in

  306.           1) XMPP_CIPHERS=$(cat $data | sed -n 1p)

  307.              XMPP_ECC_CURVE=$(cat $data | sed -n 2p)

  308.              ;;

  309.           255) exit 0;;

  310.       esac

  311.   fi

  312. 

  313.   dialog --title $"Final Confirmation" \

  314.       --backtitle $"Freedombone Security Configuration" \

  315.       --defaultno \

  316.       --yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60

  317.   sel=$?

  318.   case $sel in

  319.       1) clear

  320.          echo $'Exiting without changing security settings'

  321.          exit 0;;

  322.       255) clear

  323.            echo $'Exiting without changing security settings'

  324.            exit 0;;

  325.   esac

  326. 

  327.   clear

  328. }

  329. 

  330. function regenerate_ssh_host_keys {

  331.   if [[ $REGENERATE_SSH_HOST_KEYS == "yes" ]]; then

  332.       rm -f /etc/ssh/ssh_host_*

  333.       dpkg-reconfigure openssh-server

  334.       echo $'ssh host keys regenerated'

  335.       # remove small moduli

  336.       awk '$5 > 2000' /etc/ssh/moduli > ~/moduli

  337.       mv ~/moduli /etc/ssh/moduli

  338.       echo $'ssh small moduli removed'

  339.       systemctl restart ssh

  340.   fi

  341. }

  342. 

  343. function regenerate_dh_keys {

  344.   if [[ $REGENERATE_DH_KEYS == "yes" ]]; then

  345.       if [ ! -d /etc/ssl/mycerts ]; then

  346.           echo $'No dhparam certificates were found'

  347.           return

  348.       fi

  349. 

  350.       data=$(tempfile 2>/dev/null)

  351.       trap "rm -f $data" 0 1 2 5 15

  352.       dialog --backtitle "Freedombone Security Configuration" \

  353.              --title "Diffie-Hellman key length" \

  354.              --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \

  355.              1 "2048 bits" off \

  356.              2 "3072 bits" on \

  357.              3 "4096 bits" off 2> $data

  358.       sel=$?

  359.       case $sel in

  360.           1) exit 1;;

  361.           255) exit 1;;

  362.       esac

  363.       case $(cat $data) in

  364.           1) DH_KEYLENGTH=2048;;

  365.           2) DH_KEYLENGTH=3072;;

  366.           3) DH_KEYLENGTH=4096;;

  367.       esac

  368. 

  369.       ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}

  370.   fi

  371. }

  372. 

  373. function renew_startssl {

  374.   renew_domain=

  375.   data=$(tempfile 2>/dev/null)

  376.   trap "rm -f $data" 0 1 2 5 15

  377.   dialog --title $"Renew a StartSSL certificate" \

  378.          --backtitle $"Freedombone Security Settings" \

  379.          --inputbox $"Enter the domain name" 8 60 2>$data

  380.   sel=$?

  381.   case $sel in

  382.       0)

  383.           renew_domain=$(<$data)

  384.           ;;

  385.   esac

  386. 

  387.   if [ ! $renew_domain ]; then

  388.       return

  389.   fi

  390. 

  391.   if [[ $renew_domain == "http"* ]]; then

  392.       dialog --title $"Renew a StartSSL certificate" \

  393.              --msgbox $"Don't include the https://" 6 40

  394.       return

  395.   fi

  396. 

  397.   if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then

  398.       dialog --title $"Renew a StartSSL certificate" \

  399.              --msgbox $"An existing certificate for $renew_domain was not found" 6 40

  400.       return

  401.   fi

  402. 

  403.   if [[ $renew_domain != *"."* ]]; then

  404.       dialog --title $"Renew a StartSSL certificate" \

  405.              --msgbox $"Invalid domain name: $renew_domain" 6 40

  406.       return

  407.   fi

  408. 

  409.   ${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl

  410. 

  411.   exit 0

  412. }

  413. 

  414. function renew_letsencrypt {

  415.   renew_domain=

  416.   data=$(tempfile 2>/dev/null)

  417.   trap "rm -f $data" 0 1 2 5 15

  418.   dialog --title $"Renew a Let's Encrypt certificate" \

  419.          --backtitle $"Freedombone Security Settings" \

  420.          --inputbox $"Enter the domain name" 8 60 2>$data

  421.   sel=$?

  422.   case $sel in

  423.       0)

  424.           renew_domain=$(<$data)

  425.           ;;

  426.   esac

  427. 

  428.   if [ ! $renew_domain ]; then

  429.       return

  430.   fi

  431. 

  432.   if [[ $renew_domain == "http"* ]]; then

  433.       dialog --title $"Renew a Let's Encrypt certificate" \

  434.              --msgbox $"Don't include the https://" 6 40

  435.       return

  436.   fi

  437. 

  438.   if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then

  439.       dialog --title $"Renew a Let's Encrypt certificate" \

  440.              --msgbox $"An existing certificate for $renew_domain was not found" 6 40

  441.       return

  442.   fi

  443. 

  444.   if [[ $renew_domain != *"."* ]]; then

  445.       dialog --title $"Renew a Let's Encrypt certificate" \

  446.              --msgbox $"Invalid domain name: $renew_domain" 6 40

  447.       return

  448.   fi

  449. 

  450.   ${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt'

  451. 

  452.   exit 0

  453. }

  454. 

  455. function create_letsencrypt {

  456.   new_domain=

  457.   data=$(tempfile 2>/dev/null)

  458.   trap "rm -f $data" 0 1 2 5 15

  459.   dialog --title $"Create a new Let's Encrypt certificate" \

  460.          --backtitle $"Freedombone Security Settings" \

  461.          --inputbox $"Enter the domain name" 8 60 2>$data

  462.   sel=$?

  463.   case $sel in

  464.       0)

  465.           new_domain=$(<$data)

  466.           ;;

  467.   esac

  468. 

  469.   if [ ! $new_domain ]; then

  470.       return

  471.   fi

  472. 

  473.   if [[ $new_domain == "http"* ]]; then

  474.       dialog --title $"Create a new Let's Encrypt certificate" \

  475.              --msgbox $"Don't include the https://" 6 40

  476.       return

  477.   fi

  478. 

  479.   if [[ $new_domain != *"."* ]]; then

  480.       dialog --title $"Create a new Let's Encrypt certificate" \

  481.              --msgbox $"Invalid domain name: $new_domain" 6 40

  482.       return

  483.   fi

  484. 

  485.   if [ ! -d /var/www/${new_domain} ]; then

  486.       dialog --title $"Create a new Let's Encrypt certificate" \

  487.              --msgbox $'Domain not found within /var/www' 6 40

  488.       return

  489.   fi

  490. 

  491.   ${PROJECT_NAME}-addcert -e $new_domain -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH

  492. 

  493.   exit 0

  494. }

  495. 

  496. function update_ciphersuite {

  497.     project_filename=/usr/local/bin/${PROJECT_NAME}

  498.     if [ ! -f $project_filename ]; then

  499.         project_filename=/usr/bin/${PROJECT_NAME}

  500.     fi

  501. 

  502.     RECOMMENDED_SSL_CIPHERS=$(cat $project_filename | grep 'SSL_CIPHERS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')

  503.     if [ ! "$RECOMMENDED_SSL_CIPHERS" ]; then

  504.         return

  505.     fi

  506.     if [ ${#RECOMMENDED_SSL_CIPHERS} -lt 5 ]; then

  507.         return

  508.     fi

  509. 

  510.     RECOMMENDED_SSL_PROTOCOLS=$(cat $project_filename | grep 'SSL_PROTOCOLS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')

  511.     if [ ! "$RECOMMENDED_SSL_PROTOCOLS" ]; then

  512.         return

  513.     fi

  514.     if [ ${#RECOMMENDED_SSL_PROTOCOLS} -lt 5 ]; then

  515.         return

  516.     fi

  517. 

  518.     RECOMMENDED_SSH_CIPHERS=$(cat $project_filename | grep 'SSH_CIPHERS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')

  519.     if [ ! "$RECOMMENDED_SSH_CIPHERS" ]; then

  520.         return

  521.     fi

  522.     if [ ${#RECOMMENDED_SSH_CIPHERS} -lt 5 ]; then

  523.         return

  524.     fi

  525. 

  526.     RECOMMENDED_SSH_MACS=$(cat $project_filename | grep 'SSH_MACS=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')

  527.     if [ ! "$RECOMMENDED_SSH_MACS" ]; then

  528.         return

  529.     fi

  530.     if [ ${#RECOMMENDED_SSH_MACS} -lt 5 ]; then

  531.         return

  532.     fi

  533. 

  534.     RECOMMENDED_SSH_KEX=$(cat $project_filename | grep 'SSH_KEX=' | head -n 1 | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')

  535.     if [ ! "$RECOMMENDED_SSH_KEX" ]; then

  536.         return

  537.     fi

  538.     if [ ${#RECOMMENDED_SSH_KEX} -lt 5 ]; then

  539.         return

  540.     fi

  541. 

  542.     cd $WEBSITES_DIRECTORY

  543.     for file in `dir -d *` ; do

  544.         sed -i "s|ssl_protocols .*|ssl_protocols $RECOMMENDED_SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file

  545.         sed -i "s|ssl_ciphers .*|ssl_ciphers '$RECOMMENDED_SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file

  546.     done

  547.     systemctl restart nginx

  548. 

  549.     sed -i "s|Ciphers .*|Ciphers $RECOMMENDED_SSH_CIPHERS|g" $SSH_CONFIG

  550.     sed -i "s|MACs .*|MACs $RECOMMENDED_SSH_MACS|g" $SSH_CONFIG

  551.     sed -i "s|KexAlgorithms .*|KexAlgorithms $RECOMMENDED_SSH_KEX|g" $SSH_CONFIG

  552.     systemctl restart ssh

  553. 

  554.     dialog --title $"Update ciphersuite" \

  555.            --msgbox $"The ciphersuite has been updated to recommended versions" 6 40

  556.     exit 0

  557. }

  558. 

  559. function housekeeping {

  560.   cmd=(dialog --separate-output \

  561.               --backtitle "Freedombone Security Configuration" \

  562.               --title "Housekeeping options" \

  563.               --checklist "If you don't need to do any of these things then just press Enter:" 13 76 16)

  564.   options=(1 "Regenerate ssh host keys" off

  565.            2 "Regenerate Diffie-Hellman keys" off

  566.            3 "Renew a StartSSL certificate" off

  567.            4 "Update cipersuite" off

  568.            5 "Create a new Let's Encrypt certificate" off

  569.            6 "Renew Let's Encrypt certificate" off)

  570.   choices=$("${cmd[@]}" "${options[@]}" 2>&1 >/dev/tty)

  571.   clear

  572.   for choice in $choices

  573.   do

  574.     case $choice in

  575.       1)

  576.         REGENERATE_SSH_HOST_KEYS="yes"

  577.         ;;

  578.       2)

  579.         REGENERATE_DH_KEYS="yes"

  580.         ;;

  581.       3)

  582.         renew_startssl

  583.         ;;

  584.       4)

  585.         update_ciphersuite

  586.         ;;

  587.       5)

  588.         create_letsencrypt

  589.         ;;

  590.       6)

  591.         renew_letsencrypt

  592.         ;;

  593.     esac

  594.   done

  595. }

  596. 

  597. function import_settings {

  598.   cd $CURRENT_DIR

  599. 

  600.   if [ ! $IMPORT_FILE ]; then

  601.       return

  602.   fi

  603. 

  604.   if [ ! -f $IMPORT_FILE ]; then

  605.       echo $"Import file $IMPORT_FILE not found"

  606.       exit 6393

  607.   fi

  608. 

  609.   if grep -q "SSL_PROTOCOLS" $IMPORT_FILE; then

  610.       TEMP_VALUE=$(grep "SSL_PROTOCOLS" $IMPORT_FILE | awk -F '=' '{print $2}')

  611.       if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  612.           SSL_PROTOCOLS=$TEMP_VALUE

  613.       fi

  614.   fi

  615.   if grep -q "SSL_CIPHERS" $IMPORT_FILE; then

  616.       TEMP_VALUE=$(grep "SSL_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')

  617.       if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  618.           SSL_CIPHERS=$TEMP_VALUE

  619.       fi

  620.   fi

  621.   if grep -q "SSH_CIPHERS" $IMPORT_FILE; then

  622.       TEMP_VALUE=$(grep "SSH_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')

  623.       if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  624.           SSH_CIPHERS=$TEMP_VALUE

  625.       fi

  626.   fi

  627.   if grep -q "SSH_MACS" $IMPORT_FILE; then

  628.       TEMP_VALUE=$(grep "SSH_MACS" $IMPORT_FILE | awk -F '=' '{print $2}')

  629.       if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  630.           SSH_MACS=$TEMP_VALUE

  631.       fi

  632.   fi

  633.   if grep -q "SSH_KEX" $IMPORT_FILE; then

  634.       TEMP_VALUE=$(grep "SSH_KEX" $IMPORT_FILE | awk -F '=' '{print $2}')

  635.       if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  636.           SSH_KEX=$TEMP_VALUE

  637.       fi

  638.   fi

  639.   if grep -q "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE; then

  640.       TEMP_VALUE=$(grep "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE | awk -F '=' '{print $2}')

  641.       if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  642.           SSH_HOST_KEY_ALGORITHMS=$TEMP_VALUE

  643.       fi

  644.   fi

  645.   if grep -q "SSH_PASSWORDS" $IMPORT_FILE; then

  646.       TEMP_VALUE=$(grep "SSH_PASSWORDS" $IMPORT_FILE | awk -F '=' '{print $2}')

  647.       if [[ $TEMP_VALUE == "yes" || $TEMP_VALUE == "no" ]]; then

  648.           SSH_PASSWORDS=$TEMP_VALUE

  649.       fi

  650.   fi

  651.   if grep -q "XMPP_CIPHERS" $IMPORT_FILE; then

  652.       TEMP_VALUE=$(grep "XMPP_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')

  653.       if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then

  654.           XMPP_CIPHERS=$TEMP_VALUE

  655.       fi

  656.   fi

  657.   if grep -q "XMPP_ECC_CURVE" $IMPORT_FILE; then

  658.       TEMP_VALUE=$(grep "XMPP_ECC_CURVE" $IMPORT_FILE | awk -F '=' '{print $2}')

  659.       if [ ${#TEMP_VALUE} -gt 3 ]; then

  660.           XMPP_ECC_CURVE=$TEMP_VALUE

  661.       fi

  662.   fi

  663. }

  664. 

  665. function export_settings {

  666.   if [ ! $EXPORT_FILE ]; then

  667.       return

  668.   fi

  669. 

  670.   cd $CURRENT_DIR

  671. 

  672.   if [ ! -f $EXPORT_FILE ]; then

  673.       if [ "$SSL_PROTOCOLS" ]; then

  674.           echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE

  675.       fi

  676.       if [ $SSL_CIPHERS ]; then

  677.           echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE

  678.       fi

  679.       if [ $SSH_CIPHERS ]; then

  680.           echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE

  681.       fi

  682.       if [ $SSH_MACS ]; then

  683.           echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE

  684.       fi

  685.       if [ $SSH_KEX ]; then

  686.           echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE

  687.       fi

  688.       if [ $SSH_HOST_KEY_ALGORITHMS ]; then

  689.           echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE

  690.       fi

  691.       if [ $SSH_PASSWORDS ]; then

  692.           echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE

  693.       fi

  694.       if [ $XMPP_CIPHERS ]; then

  695.           echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE

  696.       fi

  697.       if [ $XMPP_ECC_CURVE ]; then

  698.           echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE

  699.       fi

  700.       echo "Security settings exported to $EXPORT_FILE"

  701.       exit 0

  702.   fi

  703. 

  704.   if [ "$SSL_PROTOCOLS" ]; then

  705.       if grep -q "SSL_PROTOCOLS" $EXPORT_FILE; then

  706.           sed -i "s|SSL_PROTOCOLS=.*|SSL_PROTOCOLS=$SSL_PROTOCOLS|g" $EXPORT_FILE

  707.       else

  708.           echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE

  709.       fi

  710.   fi

  711.   if [ $SSL_CIPHERS ]; then

  712.       if grep -q "SSL_CIPHERS" $EXPORT_FILE; then

  713.           sed -i "s|SSL_CIPHERS=.*|SSL_CIPHERS=$SSL_CIPHERS|g" $EXPORT_FILE

  714.       else

  715.           echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE

  716.       fi

  717.   fi

  718.   if [ $SSH_CIPHERS ]; then

  719.       if grep -q "SSH_CIPHERS" $EXPORT_FILE; then

  720.           sed -i "s|SSH_CIPHERS=.*|SSH_CIPHERS=$SSH_CIPHERS|g" $EXPORT_FILE

  721.       else

  722.           echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE

  723.       fi

  724.   fi

  725.   if [ $SSH_MACS ]; then

  726.       if grep -q "SSH_MACS" $EXPORT_FILE; then

  727.           sed -i "s|SSH_MACS=.*|SSH_MACS=$SSH_MACS|g" $EXPORT_FILE

  728.       else

  729.           echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE

  730.       fi

  731.   fi

  732.   if [ $SSH_KEX ]; then

  733.       if grep -q "SSH_KEX" $EXPORT_FILE; then

  734.           sed -i "s|SSH_KEX=.*|SSH_KEX=$SSH_KEX|g" $EXPORT_FILE

  735.       else

  736.           echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE

  737.       fi

  738.   fi

  739.   if [ $SSH_HOST_KEY_ALGORITHMS ]; then

  740.       if grep -q "SSH_HOST_KEY_ALGORITHMS" $EXPORT_FILE; then

  741.           sed -i "s|SSH_HOST_KEY_ALGORITHMS=.*|SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS|g" $EXPORT_FILE

  742.       else

  743.           echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE

  744.       fi

  745.   fi

  746.   if [ $SSH_PASSWORDS ]; then

  747.       if grep -q "SSH_PASSWORDS" $EXPORT_FILE; then

  748.           sed -i "s|SSH_PASSWORDS=.*|SSH_PASSWORDS=$SSH_PASSWORDS|g" $EXPORT_FILE

  749.       else

  750.           echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE

  751.       fi

  752.   fi

  753.   if [ $XMPP_CIPHERS ]; then

  754.       if grep -q "XMPP_CIPHERS" $EXPORT_FILE; then

  755.           sed -i "s|XMPP_CIPHERS=.*|XMPP_CIPHERS=$XMPP_CIPHERS|g" $EXPORT_FILE

  756.       else

  757.           echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE

  758.       fi

  759.   fi

  760.   if [ $XMPP_ECC_CURVE ]; then

  761.       if grep -q "XMPP_ECC_CURVE" $EXPORT_FILE; then

  762.           sed -i "s|XMPP_ECC_CURVE=.*|XMPP_ECC_CURVE=$XMPP_ECC_CURVE|g" $EXPORT_FILE

  763.       else

  764.           echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE

  765.       fi

  766.   fi

  767.   echo $"Security settings exported to $EXPORT_FILE"

  768.   exit 0

  769. }

  770. 

  771. function show_help {

  772.   echo ''

  773.   echo "${PROJECT_NAME}-sec"

  774.   echo ''

  775.   echo $'Alters the security settings'

  776.   echo ''

  777.   echo ''

  778.   echo $'  -h --help             Show help'

  779.   echo $'  -e --export           Export security settings to a file'

  780.   echo $'  -i --import           Import security settings from a file'

  781.   echo ''

  782.   exit 0

  783. }

  784. 

  785. 

  786. # Get the commandline options

  787. while [[ $# > 1 ]]

  788. do

  789. key="$1"

  790. 

  791. case $key in

  792.     -h|--help)

  793.     show_help

  794.     ;;

  795.     # Export settings

  796.     -e|--export)

  797.     shift

  798.     EXPORT_FILE="$1"

  799.     ;;

  800.     # Export settings

  801.     -i|--import)

  802.     shift

  803.     IMPORT_FILE="$1"

  804.     ;;

  805.     *)

  806.     # unknown option

  807.     ;;

  808. esac

  809. shift

  810. done

  811. 

  812. housekeeping

  813. get_website_settings

  814. get_imap_settings

  815. get_ssh_settings

  816. get_xmpp_settings

  817. import_settings

  818. export_settings

  819. interactive_setup

  820. change_website_settings

  821. change_imap_settings

  822. change_ssh_settings

  823. change_xmpp_settings

  824. regenerate_ssh_host_keys

  825. regenerate_dh_keys

  826. exit 0