Add UFW stack
parent
bef95a0b75
commit
06a1e919da
|
@ -11,9 +11,9 @@ wo stack [ status | start | stop | reload | restart ] [--all | --nginx | --php |
|
|||
.TP
|
||||
wo site [ list | info | show | enable | disable | edit | cd | show ] [ example.com ]
|
||||
.TP
|
||||
wo site create example.com [ --html | --php | --php73 | --mysql] [[--wp | --wpsubdir | --wpsubdomain ] [--wpsc | --wpfc | --wpredis | --letsencrypt/-le/--letsencrypt=subdomain/wildcard][--dns/--dns=dns_cf/dns_do]]
|
||||
wo site create example.com [ --html | --php | --php73 | --mysql] [[--wp | --wpsubdir | --wpsubdomain ] [--wpsc | --wpfc | --wpredis | --letsencrypt/-le/--letsencrypt=wildcard][--dns/--dns=dns_cf/dns_do]]
|
||||
.TP
|
||||
wo site update example.com [ --php | --php73 |--mysql] [[--wp | --wpsubdir | --wpsubdomain ] [--wpsc | --wpfc | --wpredis ] [--password] [-le/--letsencrypt/--letsencrypt=on/off/subdomain/renew/wildcard/clean/purge] [--dns/--dns=dns_cf/dns_do]]
|
||||
wo site update example.com [ --php | --php73 |--mysql] [[--wp | --wpsubdir | --wpsubdomain ] [--wpsc | --wpfc | --wpredis ] [--password] [-le/--letsencrypt/--letsencrypt=on/off/wildcard/clean/purge] [--dns/--dns=dns_cf/dns_do]]
|
||||
.TP
|
||||
wo site delete example.com [--db | --files | --all | --no-prompt | --force/-f ]
|
||||
.TP
|
||||
|
|
8
install
8
install
|
@ -669,7 +669,7 @@ wo_backup_ee() {
|
|||
}
|
||||
|
||||
wo_backup_wo() {
|
||||
/bin/tar -I pigz -cf "$WO_BACKUP_FILE" "$WO_NGINX" /etc/wo /var/lib/wo "$WO_LE"
|
||||
/bin/tar -I pigz -cf "$WO_BACKUP_FILE" /etc/nginx /etc/wo /var/lib/wo "$WO_LE"
|
||||
return 0
|
||||
}
|
||||
|
||||
|
@ -856,9 +856,9 @@ else
|
|||
fi
|
||||
_run wo_install_dep "Installing wo dependencies"
|
||||
_run wo_timesync
|
||||
if [ "$ufw" = "y" ]; then
|
||||
_run wo_ufw_setup "Configuring UFW"
|
||||
fi
|
||||
#if [ "$ufw" = "y" ]; then
|
||||
# _run wo_ufw_setup "Configuring UFW"
|
||||
#fi
|
||||
# skip steps if travis
|
||||
if [ -z "$wo_travis" ]; then
|
||||
_run wo_dist_upgrade
|
||||
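Review bot: The @ -856 hunk keeps a fully commented-out copy of the `if [ "$ufw" = "y" ]; then … fi` block next to its active form; the page shows no +/- markers, so I cannot tell which side is new, but a commented-out block should not survive in either direction. If the call moved into the Python stack, delete the three `#` lines and replace them with a one-line pointer such as `# UFW setup now runs from 'wo stack install --ufw'`; if the call was re-enabled, drop the stale commented copy instead. Either way, if the installer's argument parsing still accepts a `$ufw` option, it should either act or be documented as a no-op; that parsing is outside the hunk, as is the `else … fi` the hunk opens on.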
|
|
|
@ -88,6 +88,8 @@ class Meta:
|
|||
dict(help='Install Fail2ban stack', action='store_true')),
|
||||
(['--clamav'],
|
||||
dict(help='Install ClamAV stack', action='store_true')),
|
||||
(['--ufw'],
|
||||
dict(help='Install UFW stack', action='store_true')),
|
||||
(['--sendmail'],
|
||||
dict(help='Install Sendmail stack', action='store_true')),
|
||||
(['--utils'],
|
||||
|
@ -129,11 +131,13 @@ def install(self, packages=[], apt_packages=[], disp_msg=True):
|
|||
(not pargs.adminer) and (not pargs.utils) and
|
||||
(not pargs.redis) and (not pargs.proftpd) and
|
||||
(not pargs.extplorer) and (not pargs.clamav) and
|
||||
(not pargs.ufw) and
|
||||
(not pargs.phpredisadmin) and (not pargs.sendmail) and
|
||||
(not pargs.php73)):
|
||||
pargs.web = True
|
||||
pargs.admin = True
|
||||
pargs.fail2ban = True
|
||||
pargs.ufw = True
|
||||
|
||||
if pargs.all:
|
||||
pargs.web = True
|
||||
|
@ -164,6 +168,7 @@ def install(self, packages=[], apt_packages=[], disp_msg=True):
|
|||
if pargs.security:
|
||||
pargs.fail2ban = True
|
||||
pargs.clamav = True
|
||||
pargs.ufw = True
|
||||
|
||||
# Nginx
|
||||
if pargs.nginx:
|
||||
|
@ -270,6 +275,11 @@ def install(self, packages=[], apt_packages=[], disp_msg=True):
|
|||
Log.debug(self, "ClamAV already installed")
|
||||
Log.info(self, "ClamAV already installed")
|
||||
|
||||
# UFW
|
||||
if pargs.ufw:
|
||||
Log.debug(self, "Setting apt_packages variable for UFW")
|
||||
apt_packages = apt_packages + ["ufw"]
|
||||
|
||||
# sendmail
|
||||
if pargs.sendmail:
|
||||
Log.debug(self, "Setting apt_packages variable for Sendmail")
|
||||
|
@ -518,6 +528,7 @@ def remove(self):
|
|||
(not pargs.adminer) and (not pargs.utils) and
|
||||
(not pargs.redis) and (not pargs.proftpd) and
|
||||
(not pargs.extplorer) and (not pargs.clamav) and
|
||||
(not pargs.ufw) and
|
||||
(not pargs.phpredisadmin) and (not pargs.sendmail) and
|
||||
(not pargs.php73)):
|
||||
pargs.web = True
|
||||
|
@ -551,6 +562,7 @@ def remove(self):
|
|||
if pargs.security:
|
||||
pargs.fail2ban = True
|
||||
pargs.clamav = True
|
||||
pargs.ufw = True
|
||||
|
||||
# NGINX
|
||||
if pargs.nginx:
|
||||
|
@ -620,6 +632,11 @@ def remove(self):
|
|||
Log.debug(self, "Remove apt_packages variable for ProFTPd")
|
||||
apt_packages = apt_packages + ["proftpd-basic"]
|
||||
|
||||
# UFW
|
||||
if pargs.ufw:
|
||||
Log.debug(self, "Remove apt_packages variable for UFW")
|
||||
apt_packages = apt_packages + ["ufw"]
|
||||
|
||||
# WPCLI
|
||||
if pargs.wpcli:
|
||||
Log.debug(self, "Removing package variable of WPCLI ")
|
||||
|
@ -739,6 +756,7 @@ def purge(self):
|
|||
(not pargs.adminer) and (not pargs.utils) and
|
||||
(not pargs.redis) and (not pargs.proftpd) and
|
||||
(not pargs.extplorer) and (not pargs.clamav) and
|
||||
(not pargs.ufw) and
|
||||
(not pargs.phpredisadmin) and (not pargs.sendmail) and
|
||||
(not pargs.php73)):
|
||||
pargs.web = True
|
||||
|
@ -771,6 +789,7 @@ def purge(self):
|
|||
if pargs.security:
|
||||
pargs.fail2ban = True
|
||||
pargs.clamav = True
|
||||
pargs.ufw = True
|
||||
|
||||
# NGINX
|
||||
if pargs.nginx:
|
||||
|
@ -829,6 +848,11 @@ def purge(self):
|
|||
if WOAptGet.is_installed(self, 'clamav'):
|
||||
apt_packages = apt_packages + WOVariables.wo_clamav
|
||||
|
||||
# UFW
|
||||
if pargs.ufw:
|
||||
Log.debug(self, "Remove apt_packages variable for UFW")
|
||||
apt_packages = apt_packages + ["ufw"]
|
||||
|
||||
# sendmail
|
||||
if pargs.sendmail:
|
||||
Log.debug(self, "Setting apt_packages variable for Sendmail")
|
||||
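Review bot: In the purge hunk (@ -829) the new UFW block appends `"ufw"` to apt_packages unconditionally, while the ClamAV block directly above it is guarded by `WOAptGet.is_installed(self, 'clamav')`; the remove hunk (@ -620) has the same gap. Wrapping the append as `if WOAptGet.is_installed(self, 'ufw'):` keeps the three stacks consistent and avoids asking apt to remove a package that is not there. Note also that the default path in install (@ -129) now sets `pargs.ufw = True` when no stack flag is given, so a bare `wo stack install` pulls in and enables a host firewall; that looks intended, but the `--ufw` help text (`Install UFW stack`) and the man page should say that it is part of the default set. All of these hunks sit inside `install`/`remove`/`purge`, whose bodies start and end outside the hunks.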
|
|
|
@ -975,6 +975,24 @@ def post_pref(self, apt_packages, packages, upgrade=False):
|
|||
msg="Adding ProFTPd into Git")
|
||||
WOService.reload_service(self, 'proftpd')
|
||||
|
||||
if "ufw" in apt_packages:
|
||||
# check if ufw is already enabled
|
||||
if not WOFileUtils.grep(self,
|
||||
'/etc/ufw/ufw.conf', 'ENABLED=yes'):
|
||||
Log.wait(self, "Configuring UFW")
|
||||
# check if ufw script is already created
|
||||
if not os.path.isfile("/opt/ufw.sh"):
|
||||
data = dict()
|
||||
WOTemplate.render(self, '/opt/ufw.sh',
|
||||
'ufw.mustache',
|
||||
data, overwrite=False)
|
||||
WOFileUtils.chmod(self, "/opt/ufw.sh", 0o700)
|
||||
# setup ufw rules
|
||||
WOShellExec.cmd_exec(self, "bash /opt/ufw.sh")
|
||||
Log.valide(self, "Configuring UFW")
|
||||
else:
|
||||
Log.info(self, "UFW is already installed and enabled")
|
||||
|
||||
# Redis configuration
|
||||
if "redis-server" in apt_packages:
|
||||
if os.path.isfile("/etc/nginx/conf.d/upstream.conf"):
|
||||
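Review bot: The return value of `WOShellExec.cmd_exec(self, "bash /opt/ufw.sh")` is discarded and `Log.valide(self, "Configuring UFW")` follows unconditionally, so a script run that exits non-zero (the new ufw.mustache ends in an `exit 1` branch) is still reported as configured. If cmd_exec signals failure through its return value, as its use elsewhere in this file suggests, the call should become `if not WOShellExec.cmd_exec(self, "bash /opt/ufw.sh"): Log.error(self, "Failed to configure UFW")` — to be confirmed against the helper's actual convention. Separately, `os.path.isfile("/opt/ufw.sh")` combined with `overwrite=False` means an existing `/opt/ufw.sh` is never refreshed from the template, so later fixes to ufw.mustache will not reach hosts that ran this once; since the script is entirely derived from the template (empty `data`), rendering with `overwrite=True` and always applying the `0o700` chmod would avoid that. post_pref's body starts before and ends after the hunk.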
|
|
|
@ -0,0 +1,65 @@
|
|||
#!/bin/bash
|
||||
|
||||
wo_ufw_setup() {
|
||||
# get custom ssh port
|
||||
if [ -f /etc/ssh/sshd_config ]; then
|
||||
CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')
|
||||
fi
|
||||
# define firewall rules
|
||||
if ! grep -q "LOGLEVEL=low" /etc/ufw/ufw.conf; then
|
||||
ufw logging low
|
||||
fi
|
||||
if ! grep -q 'DEFAULT_OUTPUT_POLICY="ACCEPT"' /etc/default/ufw; then
|
||||
ufw default allow outgoing
|
||||
fi
|
||||
if ! grep -q 'DEFAULT_INPUT_POLICY="DROP"' /etc/default/ufw; then
|
||||
ufw default deny incoming
|
||||
fi
|
||||
if ! grep -q "\-\-dport 22 -j" /etc/ufw/user.rules; then
|
||||
# default ssh port
|
||||
ufw limit 22
|
||||
fi
|
||||
|
||||
# custom ssh port
|
||||
if [ "$CURRENT_SSH_PORT" != "22" ]; then
|
||||
if ! grep -q "\-\-dport $CURRENT_SSH_PORT -j" /etc/ufw/user.rules; then
|
||||
ufw limit "$CURRENT_SSH_PORT"
|
||||
fi
|
||||
fi
|
||||
|
||||
# nginx
|
||||
if ! grep -q "\-\-dport 80 -j" /etc/ufw/user.rules; then
|
||||
# http
|
||||
ufw allow http
|
||||
fi
|
||||
if ! grep -q "\-\-dport 443 -j" /etc/ufw/user.rules; then
|
||||
# https
|
||||
ufw allow https
|
||||
fi
|
||||
|
||||
# ntp
|
||||
if ! grep -q "\-\-dport 123 -j" /etc/ufw/user.rules; then
|
||||
ufw allow 123
|
||||
fi
|
||||
|
||||
if ! grep -q "\-\-dport 22222 -j" /etc/ufw/user.rules; then
|
||||
# wordops backend
|
||||
ufw limit 22222
|
||||
fi
|
||||
# enable ufw
|
||||
if [ -n "$CURRENT_SSH_PORT" ]; then
|
||||
ufw --force enable
|
||||
fi
|
||||
|
||||
# remove ufw from syslog
|
||||
if [ -f /etc/rsyslog.d/20-ufw.conf ]; then
|
||||
sed -i 's/\#\& stop/\& stop/' /etc/rsyslog.d/20-ufw.conf
|
||||
service rsyslog restart
|
||||
fi
|
||||
}
|
||||
|
||||
if { wo_ufw_setup; }; then
|
||||
exit 0
|
||||
else
|
||||
exit 1
|
||||
fi
|
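Review bot: `CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')` is unanchored, so it also matches the shipped `#Port 22` comment, `GatewayPorts`, and any second `Port` line, yielding a wrong or multi-line value; in that case `ufw limit "$CURRENT_SSH_PORT"` fails while the `-n` guard still runs `ufw --force enable`, which can lock the administrator out of a host whose sshd listens on a non-22 port. Anchoring the match and defaulting to 22 covers both the mis-match and the no-`Port`-line case (where the variable is empty and the firewall is silently never enabled): `CURRENT_SSH_PORT=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' /etc/ssh/sshd_config | awk '{print $2}' | head -n 1)` followed by `CURRENT_SSH_PORT=${CURRENT_SSH_PORT:-22}` (an `Include`d drop-in is still not covered; `sshd -T` would be). The `ufw limit 22` rule is also added even when sshd listens elsewhere, leaving an unused port reachable; adding it only when `$CURRENT_SSH_PORT` is 22 keeps the ruleset minimal. Finally, `wo_ufw_setup`'s exit status is that of its last command, so a failed `ufw` call never reaches the `exit 1` branch; appending `|| return 1` to each `ufw` invocation would make the caller's `if { wo_ufw_setup; }` check meaningful.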