Interactive security settings modification

This commit is contained in:
Bob Mottram 2015-02-01 17:17:28 +00:00
parent 689cea07f2
commit 22e24ed7c7
1 changed files with 157 additions and 8 deletions

View File

@ -39,9 +39,10 @@ SSH_HOST_KEY_ALGORITHMS=
XMPP_CIPHERS= XMPP_CIPHERS=
XMPP_ECC_CURVE= XMPP_ECC_CURVE=
WIKI_DOMAIN_NAME=
WEBSITES_DIRECTORY='/etc/nginx/sites-available' WEBSITES_DIRECTORY='/etc/nginx/sites-available'
DOVECOT_CIPHERS='/etc/dovecot/conf.d/10-ssl.conf' DOVECOT_CIPHERS='/etc/dovecot/conf.d/10-ssl.conf'
SSH_CONFIG='/etc/ssh/sshd_config'
XMPP_CONFIG='/etc/prosody/conf.avail/xmpp.cfg.lua'
MINIMUM_LENGTH=6 MINIMUM_LENGTH=6
@ -49,14 +50,14 @@ function get_protocols_from_website {
if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
return return
fi fi
SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols' | awk -F "ssl_protocols" '{print $2}' | awk -F ';' '{print $1}') SSL_PROTOCOLS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_protocols ' | awk -F "ssl_protocols " '{print $2}' | awk -F ';' '{print $1}')
} }
function get_ciphers_from_website { function get_ciphers_from_website {
if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then if [ ! -f $WEBSITES_DIRECTORY/$1 ]; then
return return
fi fi
SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers' | awk -F "ssl_ciphers" '{print $2}' | awk -F "'" '{print $2}') SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')
} }
function get_website_settings { function get_website_settings {
@ -84,17 +85,42 @@ function get_imap_settings {
fi fi
# clear commented out cipher list # clear commented out cipher list
sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS sed -i "s|#ssl_cipher_list.*||g" $DOVECOT_CIPHERS
if [ ! $SSL_CIPHERS ]; then if [ $SSL_CIPHERS ]; then
return return
fi fi
if [ ${#SSL_CIPHERS} -lt $MINIMUM_LENGTH ]; then if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
return return
fi fi
SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}') SSL_CIPHERS=$(cat $DOVECOT_CIPHERS | grep 'ssl_cipher_list' | awk -F '=' '{print $2}' | awk -F "'" '{print $2}')
} }
function get_xmpp_settings {
if [ ! -f $XMPP_CONFIG ]; then
return
fi
XMPP_CIPHERS=$(cat $XMPP_CONFIG | grep 'ciphers ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
XMPP_ECC_CURVE=$(cat $XMPP_CONFIG | grep 'curve ' | awk -F '=' '{print $2}' | awk -F '"' '{print $2}')
}
function get_ssh_settings {
if [ -f $SSH_CONFIG ]; then
SSH_CIPHERS=$(cat $SSH_CONFIG | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
SSH_MACS=$(cat $SSH_CONFIG | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
SSH_KEX=$(cat $SSH_CONFIG | grep 'KexAlgorithms ' | awk -F 'KexAlgorithms ' '{print $2}')
fi
if [ -f /etc/ssh/ssh_config ]; then
SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')
if [ ! $SSH_CIPHERS ]; then
SSH_CIPHERS=$(cat /etc/ssh/ssh_config | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
fi
if [ ! $SSH_MACS ]; then
SSH_MACS=$(cat /etc/ssh/ssh_config | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
fi
fi
}
function change_website_settings { function change_website_settings {
if [ ! $SSL_PROTOCOLS ]; then if [ ! "$SSL_PROTOCOLS" ]; then
return return
fi fi
if [ ! $SSL_CIPHERS ]; then if [ ! $SSL_CIPHERS ]; then
@ -116,6 +142,7 @@ function change_website_settings {
sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file sed -i "s|ssl_ciphers .*|ssl_ciphers '$SSL_CIPHERS';|g" $WEBSITES_DIRECTORY/$file
done done
service nginx restart service nginx restart
echo 'Web security settings changed'
} }
function change_imap_settings { function change_imap_settings {
@ -130,6 +157,122 @@ function change_imap_settings {
fi fi
sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS sed -i "s|ssl_cipher_list.*|ssl_cipher_list = '$SSL_CIPHERS'|g" $DOVECOT_CIPHERS
service dovecot restart service dovecot restart
echo 'imap security settings changed'
}
function change_ssh_settings {
if [ -f /etc/ssh/ssh_config ]; then
if [ $SSH_HOST_KEY_ALGORITHMS ]; then
sed -i "s|HostKeyAlgorithms .*|HostKeyAlgorithms $SSH_HOST_KEY_ALGORITHMS|g" /etc/ssh/ssh_config
echo 'ssh client security settings changed'
fi
fi
if [ -f $SSH_CONFIG ]; then
if [ ! $SSH_CIPHERS ]; then
return
fi
if [ ! $SSH_MACS ]; then
return
fi
if [ ! $SSH_KEX ]; then
return
fi
sed -i "s|Ciphers .*|Ciphers $SSH_CIPHERS|g" $SSH_CONFIG
sed -i "s|MACs .*|MACs $SSH_MACS|g" $SSH_CONFIG
sed -i "s|KexAlgorithms .*|KexAlgorithms $SSH_KEX|g" $SSH_CONFIG
service ssh restart
echo 'ssh server security settings changed'
fi
}
function change_xmpp_settings {
if [ ! -f $XMPP_CONFIG ]; then
return
fi
if [ ! $XMPP_CIPHERS ]; then
return
fi
if [ ! $XMPP_ECC_CURVE ]; then
return
fi
sed -i "s|ciphers =.*|ciphers = \"$XMPP_CIPHERS\";|g" $XMPP_CONFIG
sed -i "s|curve =.*|curve = \"$XMPP_ECC_CURVE\";|g" $XMPP_CONFIG
service prosody restart
echo 'xmpp security settings changed'
}
function interactive_setup {
if [ $SSL_CIPHERS ]; then
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --backtitle "Freedombone Security Configuration" \
--form "\nWeb/IMAP Ciphers:" 10 95 2 \
"Protocols:" 1 1 "$SSL_PROTOCOLS" 1 15 90 90 \
"Ciphers:" 2 1 "$SSL_CIPHERS" 2 15 90 512 \
2> $data
sel=$?
case $sel in
1) SSL_PROTOCOLS=$(cat $data | sed -n 1p)
SSL_CIPHERS=$(cat $data | sed -n 2p)
;;
255) exit 0;;
esac
fi
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
if [ $SSH_HOST_KEY_ALGORITHMS ]; then
dialog --backtitle "Freedombone Security Configuration" \
--form "\nSecure Shell Ciphers:" 13 95 4 \
"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
"Host key algorithms:" 4 1 "$SSH_HOST_KEY_ALGORITHMS" 4 15 90 512 \
2> $data
sel=$?
case $sel in
1) SSH_CIPHERS=$(cat $data | sed -n 1p)
SSH_MACS=$(cat $data | sed -n 2p)
SSH_KEX=$(cat $data | sed -n 3p)
SSH_HOST_KEY_ALGORITHMS=$(cat $data | sed -n 4p)
;;
255) exit 0;;
esac
else
dialog --backtitle "Freedombone Security Configuration" \
--form "\nSecure Shell Ciphers:" 11 95 3 \
"Ciphers:" 1 1 "$SSH_CIPHERS" 1 15 90 512 \
"MACs:" 2 1 "$SSH_MACS" 2 15 90 512 \
"KEX:" 3 1 "$SSH_KEX" 3 15 90 512 \
2> $data
sel=$?
case $sel in
1) SSH_CIPHERS=$(cat $data | sed -n 1p)
SSH_MACS=$(cat $data | sed -n 2p)
SSH_KEX=$(cat $data | sed -n 3p)
;;
255) exit 0;;
esac
fi
if [ $XMPP_CIPHERS ]; then
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --backtitle "Freedombone Security Configuration" \
--form "\nXMPP Ciphers:" 10 95 2 \
"Ciphers:" 1 1 "$XMPP_CIPHERS" 1 15 90 512 \
"ECC Curve:" 2 1 "$XMPP_ECC_CURVE" 2 15 50 50 \
2> $data
sel=$?
case $sel in
1) XMPP_CIPHERS=$(cat $data | sed -n 1p)
XMPP_ECC_CURVE=$(cat $data | sed -n 2p)
;;
255) exit 0;;
esac
fi
clear
} }
while [[ $# > 1 ]] while [[ $# > 1 ]]
@ -153,6 +296,12 @@ shift
done done
get_website_settings get_website_settings
#change_website_settings get_imap_settings
#change_imap_settings get_ssh_settings
get_xmpp_settings
interactive_setup
change_website_settings
change_imap_settings
change_ssh_settings
change_xmpp_settings
exit 0 exit 0