freedombone/src/freedombone-sec

760 lines
22 KiB
Plaintext
Raw Normal View History

2015-02-01 15:57:59 +01:00
#!/bin/bash
#
# .---. . .
# | | |
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
#
# Freedom in the Cloud
#
# Alters the security settings
#
# License
# =======
#
2016-01-02 22:58:27 +01:00
# Copyright (C) 2015-2016 Bob Mottram <bob@robotics.uk.to>
2015-02-01 15:57:59 +01:00
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
2015-11-27 12:42:16 +01:00
PROJECT_NAME='freedombone'
2015-11-27 17:52:23 +01:00
export TEXTDOMAIN=${PROJECT_NAME}-sec
2015-11-27 12:42:16 +01:00
export TEXTDOMAINDIR="/usr/share/locale"
2015-02-01 15:57:59 +01:00
SSL_PROTOCOLS=
SSL_CIPHERS=
SSH_CIPHERS=
SSH_MACS=
SSH_KEX=
SSH_HOST_KEY_ALGORITHMS=
2015-02-01 19:00:09 +01:00
SSH_PASSWORDS=
2015-02-01 15:57:59 +01:00
XMPP_CIPHERS=
XMPP_ECC_CURVE=
WEBSITES_DIRECTORY='/etc/nginx/sites-available'
DOVECOT_CIPHERS='/etc/dovecot/conf.d/10-ssl.conf'
SSH_CONFIG='/etc/ssh/sshd_config'
XMPP_CONFIG='/etc/prosody/conf.avail/xmpp.cfg.lua'
2015-02-01 15:57:59 +01:00
MINIMUM_LENGTH=6
2015-02-02 22:04:36 +01:00
IMPORT_FILE=
EXPORT_FILE=
2015-02-02 22:18:49 +01:00
CURRENT_DIR=$(pwd)
2015-08-15 14:34:59 +02:00
REGENERATE_SSH_HOST_KEYS="no"
REGENERATE_DH_KEYS="no"
2015-10-27 15:38:05 +01:00
DH_KEYLENGTH=2048
2015-12-05 15:17:20 +01:00
LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
2015-08-15 14:34:59 +02:00
2015-02-01 15:57:59 +01:00
function get_protocols_from_website {
if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
return
fi
SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}')
2015-02-01 15:57:59 +01:00
}
function get_ciphers_from_website {
if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
return
fi
SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')
2015-02-01 15:57:59 +01:00
}
function get_website_settings {
if [ ! -d $WEBSITES_DIRECTORY ]; then
return
fi
cd $WEBSITES_DIRECTORY
for file in `dir -d *` ; do
get_protocols_from_website $file
if [ ${#SSL_PROTOCOLS} -gt $MINIMUM_LENGTH ]; then
get_ciphers_from_website $file
if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
break
else
SSL_PROTOCOLS=""
fi
fi
done
}
function get_imap_settings {
if [ ! -f $DOVECOT_CIPHERS ]; then
return
fi
# clear commented out cipher list
sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS
if [ $SSL_CIPHERS ]; then
2015-02-01 15:57:59 +01:00
return
fi
if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
2015-02-01 15:57:59 +01:00
return
fi
SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')
}
function get_xmpp_settings {
if [ ! -f $XMPP_CONFIG ]; then
return
fi
XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
}
function get_ssh_settings {
if [ -f $SSH_CONFIG ]; then
SSH_CIPHERS=$(cat $SSH_CONFIG | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
SSH_MACS=$(cat $SSH_CONFIG | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
SSH_KEX=$(cat $SSH_CONFIG | grep 'KexAlgorithms ' | awk -F 'KexAlgorithms ' '{print $2}')
2015-02-01 19:00:09 +01:00
SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')
fi
if [ -f /etc/ssh/ssh_config ]; then
SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')
if [ ! $SSH_CIPHERS ]; then
SSH_CIPHERS=$(cat /etc/ssh/ssh_config | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
fi
if [ ! $SSH_MACS ]; then
SSH_MACS=$(cat /etc/ssh/ssh_config | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
fi
fi
}
2015-02-01 15:57:59 +01:00
function change_website_settings {
if [ ! "$SSL_PROTOCOLS" ]; then
2015-02-01 15:57:59 +01:00
return
fi
if [ ! $SSL_CIPHERS ]; then
return
fi
if [ ${#SSL_PROTOCOLS} -lt $MINIMUM_LENGTH ]; then
return
fi
if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
return
fi
if [ ! -d $WEBSITES_DIRECTORY ]; then
return
fi
cd $WEBSITES_DIRECTORY
for file in `dir -d *` ; do
sed -i "s|ssl_protocols .*|ssl_protocols $SSL_PROTOCOLS;|g" $WEBSITES_DIRECTORY/$file
sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
done
service nginx restart
2015-11-27 16:29:43 +01:00
echo $'Web security settings changed'
2015-02-01 15:57:59 +01:00
}
function change_imap_settings {
if [ ! -f $DOVECOT_CIPHERS ]; then
return
fi
if [ ! $SSL_CIPHERS ]; then
return
fi
if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then
return
fi
sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS
2015-03-24 14:30:01 +01:00
sed -i "s|ssl_protocols.*|ssl_protocols = '$SSL_PROTOCOLS'|g" $DOVECOT_CIPHERS
2015-02-01 15:57:59 +01:00
service dovecot restart
2015-11-27 16:29:43 +01:00
echo $'imap security settings changed'
}
function change_ssh_settings {
if [ -f /etc/ssh/ssh_config ]; then
if [ $SSH_HOST_KEY_ALGORITHMS ]; then
sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config
2015-11-27 16:29:43 +01:00
echo $'ssh client security settings changed'
fi
fi
if [ -f $SSH_CONFIG ]; then
if [ ! $SSH_CIPHERS ]; then
return
fi
if [ ! $SSH_MACS ]; then
return
fi
if [ ! $SSH_KEX ]; then
return
fi
2015-02-01 19:00:09 +01:00
if [ ! $SSH_PASSWORDS ]; then
return
fi
sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG
sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG
sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG
2015-02-01 19:00:09 +01:00
sed -i "s|PasswordAuthentication .*|PasswordAuthentication $SSH_PASSWORDS|g" $SSH_CONFIG
service ssh restart
2015-11-27 16:29:43 +01:00
echo $'ssh server security settings changed'
fi
}
function change_xmpp_settings {
if [ ! -f $XMPP_CONFIG ]; then
return
fi
if [ ! $XMPP_CIPHERS ]; then
return
fi
if [ ! $XMPP_ECC_CURVE ]; then
return
fi
sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG
sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG
service prosody restart
2015-11-27 16:29:43 +01:00
echo $'xmpp security settings changed'
}
function interactive_setup {
if [ $SSL_CIPHERS ]; then
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --backtitle $"Freedombone Security Configuration" \
--form $"\nWeb/IMAP Ciphers:" 10 95 2 \
$"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
$"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
2> $data
sel=$?
case $sel in
1) SSL_PROTOCOLS=$(cat $data | sed -n 1p)
SSL_CIPHERS=$(cat $data | sed -n 2p)
;;
255) exit 0;;
esac
fi
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
if [ $SSH_HOST_KEY_ALGORITHMS ]; then
dialog --backtitle $"Freedombone Security Configuration" \
--form $"\nSecure Shell Ciphers:" 13 95 4 \
$"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
$"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
$"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
$"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
2> $data
sel=$?
case $sel in
1) SSH_CIPHERS=$(cat $data | sed -n 1p)
SSH_MACS=$(cat $data | sed -n 2p)
SSH_KEX=$(cat $data | sed -n 3p)
SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p)
;;
255) exit 0;;
esac
else
dialog --backtitle $"Freedombone Security Configuration" \
--form $"\nSecure Shell Ciphers:" 11 95 3 \
$"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
$"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
$"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
2> $data
sel=$?
case $sel in
1) SSH_CIPHERS=$(cat $data | sed -n 1p)
SSH_MACS=$(cat $data | sed -n 2p)
SSH_KEX=$(cat $data | sed -n 3p)
;;
255) exit 0;;
esac
fi
2015-02-01 19:00:09 +01:00
if [[ $SSH_PASSWORDS == "yes" ]]; then
dialog --title $"SSH Passwords" \
--backtitle $"Freedombone Security Configuration" \
--yesno $"\nAllow SSH login using passwords?" 7 60
2015-02-01 19:00:09 +01:00
else
dialog --title $"SSH Passwords" \
--backtitle $"Freedombone Security Configuration" \
2015-02-01 19:00:09 +01:00
--defaultno \
--yesno $"\nAllow SSH login using passwords?" 7 60
2015-02-01 19:00:09 +01:00
fi
sel=$?
case $sel in
0) SSH_PASSWORDS="yes";;
1) SSH_PASSWORDS="no";;
255) exit 0;;
esac
if [ $XMPP_CIPHERS ]; then
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --backtitle $"Freedombone Security Configuration" \
--form $"\nXMPP Ciphers:" 10 95 2 \
$"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \
$"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \
2> $data
sel=$?
case $sel in
1) XMPP_CIPHERS=$(cat $data | sed -n 1p)
XMPP_ECC_CURVE=$(cat $data | sed -n 2p)
;;
255) exit 0;;
esac
fi
dialog --title $"Final Confirmation" \
--backtitle $"Freedombone Security Configuration" \
--defaultno \
--yesno $"\nPlease confirm that you wish your security settings to be changed?\n\nWARNING: any mistakes made in the security settings could compromise your system, so be extra careful when answering 'yes'." 12 60
sel=$?
case $sel in
2015-02-02 20:18:13 +01:00
1) clear
2015-11-27 16:29:43 +01:00
echo $'Exiting without changing security settings'
exit 0;;
2015-02-02 20:18:13 +01:00
255) clear
2015-11-27 16:29:43 +01:00
echo $'Exiting without changing security settings'
exit 0;;
esac
clear
2015-02-01 15:57:59 +01:00
}
2015-08-15 14:34:59 +02:00
function regenerate_ssh_host_keys {
if [[ $REGENERATE_SSH_HOST_KEYS == "yes" ]]; then
rm -f /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
2015-11-27 16:29:43 +01:00
echo $'ssh host keys regenerated'
2015-08-15 14:34:59 +02:00
# remove small moduli
awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
mv ~/moduli /etc/ssh/moduli
2015-11-27 16:29:43 +01:00
echo $'ssh small moduli removed'
2015-08-15 14:34:59 +02:00
systemctl restart ssh
fi
}
function regenerate_dh_keys {
if [[ $REGENERATE_DH_KEYS == "yes" ]]; then
if [ ! -d /etc/ssl/mycerts ]; then
2015-11-27 16:29:43 +01:00
echo $'No dhparam certificates were found'
2015-08-15 14:34:59 +02:00
return
fi
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --backtitle "Freedombone Security Configuration" \
2015-08-15 15:11:55 +02:00
--title "Diffie-Hellman key length" \
2015-08-16 10:30:57 +02:00
--radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
1 "2048 bits" off \
2 "3072 bits" on \
3 "4096 bits" off 2> $data
2015-08-15 14:34:59 +02:00
sel=$?
case $sel in
1) exit 1;;
255) exit 1;;
esac
case $(cat $data) in
1) DH_KEYLENGTH=2048;;
2) DH_KEYLENGTH=3072;;
3) DH_KEYLENGTH=4096;;
2015-08-15 14:34:59 +02:00
esac
2015-12-05 15:17:20 +01:00
${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
2015-08-15 14:34:59 +02:00
fi
}
2015-11-03 19:00:08 +01:00
function renew_startssl {
2015-11-04 11:10:18 +01:00
renew_domain=
2015-11-03 19:00:08 +01:00
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --title $"Renew a StartSSL certificate" \
--backtitle $"Freedombone Security Settings" \
--inputbox $"Enter the domain name" 8 60 2>$data
2015-11-03 19:00:08 +01:00
sel=$?
case $sel in
0)
renew_domain=$(<$data)
;;
esac
2015-11-04 11:10:18 +01:00
if [ ! $renew_domain ]; then
2015-12-05 15:17:20 +01:00
return
2015-11-04 11:10:18 +01:00
fi
if [[ $renew_domain == "http"* ]]; then
dialog --title $"Renew a StartSSL certificate" \
--msgbox $"Don't include the https://" 6 40
2015-12-05 15:17:20 +01:00
return
2015-11-04 11:10:18 +01:00
fi
if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
dialog --title $"Renew a StartSSL certificate" \
--msgbox $"An existing certificate for $renew_domain was not found" 6 40
2015-12-05 15:17:20 +01:00
return
2015-11-04 11:10:18 +01:00
fi
2015-11-27 12:42:16 +01:00
2015-11-04 11:10:18 +01:00
if [[ $renew_domain != *"."* ]]; then
dialog --title $"Renew a StartSSL certificate" \
--msgbox $"Invalid domain name: $renew_domain" 6 40
2015-12-05 15:17:20 +01:00
return
2015-11-04 11:10:18 +01:00
fi
${PROJECT_NAME}-renew-cert -h $renew_domain -p startssl
2015-11-04 11:10:18 +01:00
exit 0
}
function renew_letsencrypt {
renew_domain=
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --title $"Renew a Let's Encrypt certificate" \
--backtitle $"Freedombone Security Settings" \
--inputbox $"Enter the domain name" 8 60 2>$data
2015-11-04 11:10:18 +01:00
sel=$?
case $sel in
0)
renew_domain=$(<$data)
;;
esac
if [ ! $renew_domain ]; then
2015-12-05 15:17:20 +01:00
return
2015-11-04 11:10:18 +01:00
fi
if [[ $renew_domain == "http"* ]]; then
dialog --title $"Renew a Let's Encrypt certificate" \
--msgbox $"Don't include the https://" 6 40
2015-12-05 15:17:20 +01:00
return
2015-11-04 11:10:18 +01:00
fi
if [ ! -f /etc/ssl/certs/${renew_domain}.dhparam ]; then
dialog --title $"Renew a Let's Encrypt certificate" \
--msgbox $"An existing certificate for $renew_domain was not found" 6 40
2015-12-05 15:17:20 +01:00
return
2015-11-04 11:10:18 +01:00
fi
2015-11-27 12:42:16 +01:00
2015-11-04 11:10:18 +01:00
if [[ $renew_domain != *"."* ]]; then
dialog --title $"Renew a Let's Encrypt certificate" \
--msgbox $"Invalid domain name: $renew_domain" 6 40
2015-12-05 15:17:20 +01:00
return
2015-11-04 11:10:18 +01:00
fi
${PROJECT_NAME}-renew-cert -h $renew_domain -p 'letsencrypt'
2015-11-04 11:10:18 +01:00
2015-11-03 19:00:08 +01:00
exit 0
}
2015-12-05 15:17:20 +01:00
function create_letsencrypt {
new_domain=
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --title $"Create a new Let's Encrypt certificate" \
--backtitle $"Freedombone Security Settings" \
--inputbox $"Enter the domain name" 8 60 2>$data
sel=$?
case $sel in
0)
new_domain=$(<$data)
;;
esac
if [ ! $new_domain ]; then
return
fi
if [[ $new_domain == "http"* ]]; then
dialog --title $"Create a new Let's Encrypt certificate" \
--msgbox $"Don't include the https://" 6 40
return
fi
if [[ $new_domain != *"."* ]]; then
dialog --title $"Create a new Let's Encrypt certificate" \
--msgbox $"Invalid domain name: $new_domain" 6 40
return
fi
if [ ! -d /var/www/${new_domain} ]; then
dialog --title $"Create a new Let's Encrypt certificate" \
--msgbox $'Domain not found within /var/www' 6 40
return
fi
${PROJECT_NAME}-addcert -e $new_domain -s $LETSENCRYPT_SERVER --dhkey $DH_KEYLENGTH
exit 0
}
2015-08-15 14:34:59 +02:00
function housekeeping {
cmd=(dialog --separate-output \
--backtitle "Freedombone Security Configuration" \
2015-08-15 15:11:55 +02:00
--title "Housekeeping options" \
2015-12-05 15:17:20 +01:00
--checklist "If you don't need to do any of these things then just press Enter:" 13 76 16)
2015-08-15 14:34:59 +02:00
options=(1 "Regenerate ssh host keys" off
2015-11-03 19:00:08 +01:00
2 "Regenerate Diffie-Hellman keys" off
3 "Renew a StartSSL certificate" off
2015-12-05 15:17:20 +01:00
4 "Create a new Let's Encrypt certificate" off
5 "Renew Let's Encrypt certificate" off)
2015-08-15 14:34:59 +02:00
choices=$("${cmd[@]}" "${options[@]}" 2>&1 >/dev/tty)
clear
for choice in $choices
do
case $choice in
1)
REGENERATE_SSH_HOST_KEYS="yes"
;;
2)
REGENERATE_DH_KEYS="yes"
;;
2015-11-03 19:00:08 +01:00
3)
renew_startssl
;;
2015-11-04 11:10:18 +01:00
4)
2015-12-05 15:17:20 +01:00
create_letsencrypt
;;
5)
2015-11-04 11:10:18 +01:00
renew_letsencrypt
;;
2015-08-15 14:34:59 +02:00
esac
done
}
2015-02-02 22:04:36 +01:00
function import_settings {
2015-02-02 22:18:49 +01:00
cd $CURRENT_DIR
2015-02-02 22:04:36 +01:00
if [ ! $IMPORT_FILE ]; then
return
fi
if [ ! -f $IMPORT_FILE ]; then
2015-11-27 16:29:43 +01:00
echo $"Import file $IMPORT_FILE not found"
2015-02-02 22:04:36 +01:00
exit 6393
fi
if grep -q "SSL_PROTOCOLS" $IMPORT_FILE; then
TEMP_VALUE=$(grep "SSL_PROTOCOLS" $IMPORT_FILE | awk -F '=' '{print $2}')
if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
SSL_PROTOCOLS=$TEMP_VALUE
fi
fi
if grep -q "SSL_CIPHERS" $IMPORT_FILE; then
TEMP_VALUE=$(grep "SSL_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
SSL_CIPHERS=$TEMP_VALUE
fi
fi
if grep -q "SSH_CIPHERS" $IMPORT_FILE; then
TEMP_VALUE=$(grep "SSH_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
SSH_CIPHERS=$TEMP_VALUE
fi
fi
if grep -q "SSH_MACS" $IMPORT_FILE; then
TEMP_VALUE=$(grep "SSH_MACS" $IMPORT_FILE | awk -F '=' '{print $2}')
if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
SSH_MACS=$TEMP_VALUE
fi
fi
if grep -q "SSH_KEX" $IMPORT_FILE; then
TEMP_VALUE=$(grep "SSH_KEX" $IMPORT_FILE | awk -F '=' '{print $2}')
if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
SSH_KEX=$TEMP_VALUE
fi
fi
if grep -q "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE; then
TEMP_VALUE=$(grep "SSH_HOST_KEY_ALGORITHMS" $IMPORT_FILE | awk -F '=' '{print $2}')
if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
SSH_HOST_KEY_ALGORITHMS=$TEMP_VALUE
fi
fi
if grep -q "SSH_PASSWORDS" $IMPORT_FILE; then
TEMP_VALUE=$(grep "SSH_PASSWORDS" $IMPORT_FILE | awk -F '=' '{print $2}')
if [[ $TEMP_VALUE == "yes" || $TEMP_VALUE == "no" ]]; then
SSH_PASSWORDS=$TEMP_VALUE
fi
fi
if grep -q "XMPP_CIPHERS" $IMPORT_FILE; then
TEMP_VALUE=$(grep "XMPP_CIPHERS" $IMPORT_FILE | awk -F '=' '{print $2}')
if [ ${#TEMP_VALUE} -gt $MINIMUM_LENGTH ]; then
XMPP_CIPHERS=$TEMP_VALUE
fi
fi
if grep -q "XMPP_ECC_CURVE" $IMPORT_FILE; then
TEMP_VALUE=$(grep "XMPP_ECC_CURVE" $IMPORT_FILE | awk -F '=' '{print $2}')
if [ ${#TEMP_VALUE} -gt 3 ]; then
XMPP_ECC_CURVE=$TEMP_VALUE
fi
fi
}
function export_settings {
if [ ! $EXPORT_FILE ]; then
return
fi
2015-02-02 22:18:49 +01:00
cd $CURRENT_DIR
2015-02-02 22:04:36 +01:00
if [ ! -f $EXPORT_FILE ]; then
2015-02-02 22:15:11 +01:00
if [ "$SSL_PROTOCOLS" ]; then
2015-02-02 22:04:36 +01:00
echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
fi
if [ $SSL_CIPHERS ]; then
echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
fi
if [ $SSH_CIPHERS ]; then
echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
fi
if [ $SSH_MACS ]; then
echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
fi
if [ $SSH_KEX ]; then
echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
fi
if [ $SSH_HOST_KEY_ALGORITHMS ]; then
echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
fi
if [ $SSH_PASSWORDS ]; then
echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
fi
if [ $XMPP_CIPHERS ]; then
echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
fi
if [ $XMPP_ECC_CURVE ]; then
echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
fi
2015-02-02 22:13:27 +01:00
echo "Security settings exported to $EXPORT_FILE"
exit 0
2015-02-02 22:04:36 +01:00
fi
2015-02-02 22:15:11 +01:00
if [ "$SSL_PROTOCOLS" ]; then
2015-02-02 22:04:36 +01:00
if grep -q "SSL_PROTOCOLS" $EXPORT_FILE; then
sed -i "s|SSL_PROTOCOLS=.*|SSL_PROTOCOLS=$SSL_PROTOCOLS|g" $EXPORT_FILE
else
echo "SSL_PROTOCOLS=$SSL_PROTOCOLS" >> $EXPORT_FILE
fi
fi
if [ $SSL_CIPHERS ]; then
if grep -q "SSL_CIPHERS" $EXPORT_FILE; then
sed -i "s|SSL_CIPHERS=.*|SSL_CIPHERS=$SSL_CIPHERS|g" $EXPORT_FILE
else
echo "SSL_CIPHERS=$SSL_CIPHERS" >> $EXPORT_FILE
fi
fi
if [ $SSH_CIPHERS ]; then
if grep -q "SSH_CIPHERS" $EXPORT_FILE; then
sed -i "s|SSH_CIPHERS=.*|SSH_CIPHERS=$SSH_CIPHERS|g" $EXPORT_FILE
else
echo "SSH_CIPHERS=$SSH_CIPHERS" >> $EXPORT_FILE
fi
fi
if [ $SSH_MACS ]; then
if grep -q "SSH_MACS" $EXPORT_FILE; then
sed -i "s|SSH_MACS=.*|SSH_MACS=$SSH_MACS|g" $EXPORT_FILE
else
echo "SSH_MACS=$SSH_MACS" >> $EXPORT_FILE
fi
fi
if [ $SSH_KEX ]; then
if grep -q "SSH_KEX" $EXPORT_FILE; then
sed -i "s|SSH_KEX=.*|SSH_KEX=$SSH_KEX|g" $EXPORT_FILE
else
echo "SSH_KEX=$SSH_KEX" >> $EXPORT_FILE
fi
fi
if [ $SSH_HOST_KEY_ALGORITHMS ]; then
if grep -q "SSH_HOST_KEY_ALGORITHMS" $EXPORT_FILE; then
sed -i "s|SSH_HOST_KEY_ALGORITHMS=.*|SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS|g" $EXPORT_FILE
else
echo "SSH_HOST_KEY_ALGORITHMS=$SSH_HOST_KEY_ALGORITHMS" >> $EXPORT_FILE
fi
fi
if [ $SSH_PASSWORDS ]; then
if grep -q "SSH_PASSWORDS" $EXPORT_FILE; then
sed -i "s|SSH_PASSWORDS=.*|SSH_PASSWORDS=$SSH_PASSWORDS|g" $EXPORT_FILE
else
echo "SSH_PASSWORDS=$SSH_PASSWORDS" >> $EXPORT_FILE
fi
fi
if [ $XMPP_CIPHERS ]; then
if grep -q "XMPP_CIPHERS" $EXPORT_FILE; then
sed -i "s|XMPP_CIPHERS=.*|XMPP_CIPHERS=$XMPP_CIPHERS|g" $EXPORT_FILE
else
echo "XMPP_CIPHERS=$XMPP_CIPHERS" >> $EXPORT_FILE
fi
fi
if [ $XMPP_ECC_CURVE ]; then
if grep -q "XMPP_ECC_CURVE" $EXPORT_FILE; then
sed -i "s|XMPP_ECC_CURVE=.*|XMPP_ECC_CURVE=$XMPP_ECC_CURVE|g" $EXPORT_FILE
else
echo "XMPP_ECC_CURVE=$XMPP_ECC_CURVE" >> $EXPORT_FILE
fi
fi
2015-11-27 16:29:43 +01:00
echo $"Security settings exported to $EXPORT_FILE"
2015-02-02 22:04:36 +01:00
exit 0
}
function show_help {
echo ''
2015-11-27 16:29:43 +01:00
echo "${PROJECT_NAME}-sec"
2015-02-02 22:04:36 +01:00
echo ''
2015-11-27 16:29:43 +01:00
echo $'Alters the security settings'
2015-02-02 22:04:36 +01:00
echo ''
echo ''
2015-11-27 16:29:43 +01:00
echo $' -h --help Show help'
echo $' -e --export Export security settings to a file'
echo $' -i --import Import security settings from a file'
2015-02-02 22:04:36 +01:00
echo ''
exit 0
}
# Get the commandline options
while [[ $# > 1 ]]
do
key="$1"
case $key in
-h|--help)
show_help
;;
# Export settings
-e|--export)
shift
EXPORT_FILE="$1"
;;
# Export settings
-i|--import)
shift
IMPORT_FILE="$1"
;;
*)
# unknown option
;;
esac
shift
done
2015-08-15 14:34:59 +02:00
housekeeping
2015-02-01 15:57:59 +01:00
get_website_settings
get_imap_settings
get_ssh_settings
get_xmpp_settings
2015-02-02 22:04:36 +01:00
import_settings
export_settings
interactive_setup
change_website_settings
change_imap_settings
change_ssh_settings
change_xmpp_settings
2015-08-15 14:34:59 +02:00
regenerate_ssh_host_keys
regenerate_dh_keys
2015-02-01 15:57:59 +01:00
exit 0