Add UFW stack

This commit is contained in:
VirtuBox 2019-09-20 14:21:42 +02:00
parent bef95a0b75
commit 06a1e919da
Signed by: virtubox
GPG Key ID: 22EB296C97BAD476
5 changed files with 113 additions and 6 deletions


@ -11,9 +11,9 @@ wo stack [ status | start | stop | reload | restart ] [--all | --nginx | --php |
.TP
wo site [ list | info | show | enable | disable | edit | cd | show ] [ example.com ]
.TP
wo site create example.com [ --html | --php | --php73 | --mysql] [[--wp | --wpsubdir | --wpsubdomain ] [--wpsc | --wpfc | --wpredis | --letsencrypt/-le/--letsencrypt=subdomain/wildcard][--dns/--dns=dns_cf/dns_do]]
wo site create example.com [ --html | --php | --php73 | --mysql] [[--wp | --wpsubdir | --wpsubdomain ] [--wpsc | --wpfc | --wpredis | --letsencrypt/-le/--letsencrypt=wildcard][--dns/--dns=dns_cf/dns_do]]
.TP
wo site update example.com [ --php | --php73 |--mysql] [[--wp | --wpsubdir | --wpsubdomain ] [--wpsc | --wpfc | --wpredis ] [--password] [-le/--letsencrypt/--letsencrypt=on/off/subdomain/renew/wildcard/clean/purge] [--dns/--dns=dns_cf/dns_do]]
wo site update example.com [ --php | --php73 |--mysql] [[--wp | --wpsubdir | --wpsubdomain ] [--wpsc | --wpfc | --wpredis ] [--password] [-le/--letsencrypt/--letsencrypt=on/off/wildcard/clean/purge] [--dns/--dns=dns_cf/dns_do]]
.TP
wo site delete example.com [--db | --files | --all | --no-prompt | --force/-f ]
.TP


@ -669,7 +669,7 @@ wo_backup_ee() {
}
wo_backup_wo() {
/bin/tar -I pigz -cf "$WO_BACKUP_FILE" "$WO_NGINX" /etc/wo /var/lib/wo "$WO_LE"
/bin/tar -I pigz -cf "$WO_BACKUP_FILE" /etc/nginx /etc/wo /var/lib/wo "$WO_LE"
return 0
}
@ -856,9 +856,9 @@ else
fi
_run wo_install_dep "Installing wo dependencies"
_run wo_timesync
if [ "$ufw" = "y" ]; then
_run wo_ufw_setup "Configuring UFW"
fi
#if [ "$ufw" = "y" ]; then
# _run wo_ufw_setup "Configuring UFW"
#fi
# skip steps if travis
if [ -z "$wo_travis" ]; then
_run wo_dist_upgrade
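Review bot: The commented-out copy of the UFW block (`#if [ "$ufw" = "y" ]; then` … `#fi`) should be deleted rather than kept as a comment, assuming it is the new side of this hunk — the rendered page has lost the `+`/`-` markers, but the rest of this commit moves UFW setup into the stack installer's `post_pref`, which renders and runs `/opt/ufw.sh`, so I read the active block as the removed one. Commented-out code drifts from the live implementation and hides that the `ufw` option this script still accepts no longer does anything here. A one-line comment in its place, `# UFW setup is handled by the wo stack installer (post_pref), not by this script`, keeps the intent visible without the dead code.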


@ -88,6 +88,8 @@ class Meta:
dict(help='Install Fail2ban stack', action='store_true')),
(['--clamav'],
dict(help='Install ClamAV stack', action='store_true')),
(['--ufw'],
dict(help='Install UFW stack', action='store_true')),
(['--sendmail'],
dict(help='Install Sendmail stack', action='store_true')),
(['--utils'],
@ -129,11 +131,13 @@ def install(self, packages=[], apt_packages=[], disp_msg=True):
(not pargs.adminer) and (not pargs.utils) and
(not pargs.redis) and (not pargs.proftpd) and
(not pargs.extplorer) and (not pargs.clamav) and
(not pargs.ufw) and
(not pargs.phpredisadmin) and (not pargs.sendmail) and
(not pargs.php73)):
pargs.web = True
pargs.admin = True
pargs.fail2ban = True
pargs.ufw = True
if pargs.all:
pargs.web = True
@ -164,6 +168,7 @@ def install(self, packages=[], apt_packages=[], disp_msg=True):
if pargs.security:
pargs.fail2ban = True
pargs.clamav = True
pargs.ufw = True
# Nginx
if pargs.nginx:
@ -270,6 +275,11 @@ def install(self, packages=[], apt_packages=[], disp_msg=True):
Log.debug(self, "ClamAV already installed")
Log.info(self, "ClamAV already installed")
# UFW
if pargs.ufw:
Log.debug(self, "Setting apt_packages variable for UFW")
apt_packages = apt_packages + ["ufw"]
# sendmail
if pargs.sendmail:
Log.debug(self, "Setting apt_packages variable for Sendmail")
@ -518,6 +528,7 @@ def remove(self):
(not pargs.adminer) and (not pargs.utils) and
(not pargs.redis) and (not pargs.proftpd) and
(not pargs.extplorer) and (not pargs.clamav) and
(not pargs.ufw) and
(not pargs.phpredisadmin) and (not pargs.sendmail) and
(not pargs.php73)):
pargs.web = True
@ -551,6 +562,7 @@ def remove(self):
if pargs.security:
pargs.fail2ban = True
pargs.clamav = True
pargs.ufw = True
# NGINX
if pargs.nginx:
@ -620,6 +632,11 @@ def remove(self):
Log.debug(self, "Remove apt_packages variable for ProFTPd")
apt_packages = apt_packages + ["proftpd-basic"]
# UFW
if pargs.ufw:
Log.debug(self, "Remove apt_packages variable for UFW")
apt_packages = apt_packages + ["ufw"]
# WPCLI
if pargs.wpcli:
Log.debug(self, "Removing package variable of WPCLI ")
@ -739,6 +756,7 @@ def purge(self):
(not pargs.adminer) and (not pargs.utils) and
(not pargs.redis) and (not pargs.proftpd) and
(not pargs.extplorer) and (not pargs.clamav) and
(not pargs.ufw) and
(not pargs.phpredisadmin) and (not pargs.sendmail) and
(not pargs.php73)):
pargs.web = True
@ -771,6 +789,7 @@ def purge(self):
if pargs.security:
pargs.fail2ban = True
pargs.clamav = True
pargs.ufw = True
# NGINX
if pargs.nginx:
@ -829,6 +848,11 @@ def purge(self):
if WOAptGet.is_installed(self, 'clamav'):
apt_packages = apt_packages + WOVariables.wo_clamav
# UFW
if pargs.ufw:
Log.debug(self, "Remove apt_packages variable for UFW")
apt_packages = apt_packages + ["ufw"]
# sendmail
if pargs.sendmail:
Log.debug(self, "Setting apt_packages variable for Sendmail")
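Review bot: Adding `pargs.ufw = True` to the no-flags branch of `install` (next to `pargs.web`, `pargs.admin`, `pargs.fail2ban`) means a bare `wo stack install` now installs UFW and, via `post_pref` in this same commit, enables it with `default deny incoming` when it can detect an SSH port; that is a behaviour change for existing users that neither the `--ufw` help text (`Install UFW stack`) nor this commit's man page hunk mentions. A comment at that assignment would make the consequence explicit, e.g. `# default install also enables UFW (post_pref runs /opt/ufw.sh: deny incoming, opens 22/80/443/123/22222)`, and the man page should say the same. The `--security` alias gets the same treatment in the three `pargs.ufw = True` additions to install, remove and purge, so `wo stack remove --security` now uninstalls the host firewall alongside fail2ban and clamav — reasonable, but worth a word in the help text since it changes the host's exposure. `install`, `remove` and `purge` all start before their respective hunks.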


@ -975,6 +975,24 @@ def post_pref(self, apt_packages, packages, upgrade=False):
msg="Adding ProFTPd into Git")
WOService.reload_service(self, 'proftpd')
if "ufw" in apt_packages:
# check if ufw is already enabled
if not WOFileUtils.grep(self,
'/etc/ufw/ufw.conf', 'ENABLED=yes'):
Log.wait(self, "Configuring UFW")
# check if ufw script is already created
if not os.path.isfile("/opt/ufw.sh"):
data = dict()
WOTemplate.render(self, '/opt/ufw.sh',
'ufw.mustache',
data, overwrite=False)
WOFileUtils.chmod(self, "/opt/ufw.sh", 0o700)
# setup ufw rules
WOShellExec.cmd_exec(self, "bash /opt/ufw.sh")
Log.valide(self, "Configuring UFW")
else:
Log.info(self, "UFW is already installed and enabled")
# Redis configuration
if "redis-server" in apt_packages:
if os.path.isfile("/etc/nginx/conf.d/upstream.conf"):
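Review bot: `/opt/ufw.sh` is rendered only when the file does not already exist (`overwrite=False`), yet `WOShellExec.cmd_exec(self, "bash /opt/ufw.sh")` executes whatever is at that path (presumably as root, since the surrounding code installs apt packages) on every pass through this branch; a stale copy from an earlier version keeps running after `ufw.mustache` changes, and the `chmod 0o700` is applied only on that first creation — the rendered page has lost indentation, so I am reading the chmod as inside the `os.path.isfile` guard; confirm. Prefer re-rendering and fixing the mode every time, `WOTemplate.render(self, '/opt/ufw.sh', 'ufw.mustache', data, overwrite=True)` followed by an unconditional `WOFileUtils.chmod(self, "/opt/ufw.sh", 0o700)`, or at least check the file's owner and mode before executing it. Separately, the `ENABLED=yes` guard skips the whole block on a host where the admin already enabled UFW, so the nginx ports the script opens are then never added; the `Log.info` for that case should say that no rules were applied. `post_pref` starts before this hunk.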


@ -0,0 +1,65 @@
#!/bin/bash
wo_ufw_setup() {
# get custom ssh port
if [ -f /etc/ssh/sshd_config ]; then
CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')
fi
# define firewall rules
if ! grep -q "LOGLEVEL=low" /etc/ufw/ufw.conf; then
ufw logging low
fi
if ! grep -q 'DEFAULT_OUTPUT_POLICY="ACCEPT"' /etc/default/ufw; then
ufw default allow outgoing
fi
if ! grep -q 'DEFAULT_INPUT_POLICY="DROP"' /etc/default/ufw; then
ufw default deny incoming
fi
if ! grep -q "\-\-dport 22 -j" /etc/ufw/user.rules; then
# default ssh port
ufw limit 22
fi
# custom ssh port
if [ "$CURRENT_SSH_PORT" != "22" ]; then
if ! grep -q "\-\-dport $CURRENT_SSH_PORT -j" /etc/ufw/user.rules; then
ufw limit "$CURRENT_SSH_PORT"
fi
fi
# nginx
if ! grep -q "\-\-dport 80 -j" /etc/ufw/user.rules; then
# http
ufw allow http
fi
if ! grep -q "\-\-dport 443 -j" /etc/ufw/user.rules; then
# https
ufw allow https
fi
# ntp
if ! grep -q "\-\-dport 123 -j" /etc/ufw/user.rules; then
ufw allow 123
fi
if ! grep -q "\-\-dport 22222 -j" /etc/ufw/user.rules; then
# wordops backend
ufw limit 22222
fi
# enable ufw
if [ -n "$CURRENT_SSH_PORT" ]; then
ufw --force enable
fi
# remove ufw from syslog
if [ -f /etc/rsyslog.d/20-ufw.conf ]; then
sed -i 's/\#\& stop/\& stop/' /etc/rsyslog.d/20-ufw.conf
service rsyslog restart
fi
}
if { wo_ufw_setup; }; then
exit 0
else
exit 1
fi
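Review bot: `CURRENT_SSH_PORT=$(grep "Port" /etc/ssh/sshd_config | awk -F " " '{print $2}')` is unanchored: it matches the commented default `#Port 22` and any line containing `Port`, such as `GatewayPorts no`, so the variable can hold several values (e.g. `2222` and `no`), in which case `ufw limit "$CURRENT_SSH_PORT"` fails, the real SSH port is never opened, and `ufw --force enable` — guarded only by `-n` — still applies `default deny incoming` and locks the operator out. Anchor the directive and take the first match, `CURRENT_SSH_PORT=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' /etc/ssh/sshd_config | awk '{print $2}' | head -n 1)`, with `CURRENT_SSH_PORT=${CURRENT_SSH_PORT:-22}` as the fallback (`sshd -T` gives the effective value where the host's sshd supports it). It would also be safer to make the enable step conditional on the `ufw limit` for the SSH port having succeeded rather than on the variable merely being non-empty. `ufw allow 123` opens inbound NTP on both protocols, which a time-sync client does not need (replies are matched as established traffic); drop it unless the host is meant to serve NTP.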