From a3f2fe45399ac00532e24aecfa8b8ab220a58c9a Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sun, 30 Oct 2016 09:56:32 +0000
Subject: [PATCH] Improve security settings command
---
 src/freedombone-sec | 245 +++++++++++++++++++-------------------------
 1 file changed, 108 insertions(+), 137 deletions(-)
diff --git a/src/freedombone-sec b/src/freedombone-sec
index e23356e8..868a43d2 100755
--- a/src/freedombone-sec
+++ b/src/freedombone-sec
@@ -64,8 +64,6 @@ EXPORT_FILE=
 CURRENT_DIR=$(pwd)
-REGENERATE_SSH_HOST_KEYS="no"
-REGENERATE_DH_KEYS="no"
 DH_KEYLENGTH=2048
 LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
@@ -85,25 +83,6 @@ function get_ciphers_from_website {
 SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')
 }
-function get_website_settings {
-    if [ ! -d $WEBSITES_DIRECTORY ]; then
-        return
-    fi
-
-    cd $WEBSITES_DIRECTORY
-    for file in `dir -d *` ; do
-        get_protocols_from_website $file
-        if [ ${#SSL_PROTOCOLS} -gt $MINIMUM_LENGTH ]; then
-            get_ciphers_from_website $file
-            if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
-                break
-            else
-                SSL_PROTOCOLS=""
-            fi
-        fi
-    done
-}
-
 function get_imap_settings {
 if [ ! -f $DOVECOT_CIPHERS ]; then
 return
@@ -129,19 +108,10 @@ function get_xmpp_settings {
 function get_ssh_settings {
 if [ -f $SSH_CONFIG ]; then
-        SSH_CIPHERS=$(cat $SSH_CONFIG | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
-        SSH_MACS=$(cat $SSH_CONFIG | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
-        SSH_KEX=$(cat $SSH_CONFIG | grep 'KexAlgorithms ' | awk -F 'KexAlgorithms ' '{print $2}')
 SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')
 fi
 if [ -f /etc/ssh/ssh_config ]; then
 SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')
-        if [ ! $SSH_CIPHERS ]; then
-            SSH_CIPHERS=$(cat /etc/ssh/ssh_config | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
-        fi
-        if [ ! $SSH_MACS ]; then
-            SSH_MACS=$(cat /etc/ssh/ssh_config | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
-        fi
 fi
 }
@@ -353,55 +323,51 @@ function send_monkeysphere_server_keys_to_users {
 }
 function regenerate_ssh_host_keys {
-    if [[ $REGENERATE_SSH_HOST_KEYS == "yes" ]]; then
-        rm -f /etc/ssh/ssh_host_*
-        dpkg-reconfigure openssh-server
-        echo $'ssh host keys regenerated'
-        # remove small moduli
-        awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
-        mv ~/moduli /etc/ssh/moduli
-        echo $'ssh small moduli removed'
-        # update monkeysphere
-        DEFAULT_DOMAIN_NAME=
-        read_config_param "DEFAULT_DOMAIN_NAME"
-        monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME
-        SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')
-        monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME
-        monkeysphere-host publish-key
-        send_monkeysphere_server_keys_to_users
-        echo $'updated monkeysphere ssh host key'
-        systemctl restart ssh
-    fi
+    rm -f /etc/ssh/ssh_host_*
+    dpkg-reconfigure openssh-server
+    echo $'ssh host keys regenerated'
+    # remove small moduli
+    awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
+    mv ~/moduli /etc/ssh/moduli
+    echo $'ssh small moduli removed'
+    # update monkeysphere
+    DEFAULT_DOMAIN_NAME=
+    read_config_param "DEFAULT_DOMAIN_NAME"
+    monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME
+    SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')
+    monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME
+    monkeysphere-host publish-key
+    send_monkeysphere_server_keys_to_users
+    echo $'updated monkeysphere ssh host key'
+    systemctl restart ssh
 }
 function regenerate_dh_keys {
-    if [[ $REGENERATE_DH_KEYS == "yes" ]]; then
-        if [ ! 
-d /etc/ssl/mycerts ]; then
-            echo $'No dhparam certificates were found'
-            return
-        fi
-
-        data=$(tempfile 2>/dev/null)
-        trap "rm -f $data" 0 1 2 5 15
-        dialog --backtitle "Freedombone Security Configuration" \
-               --title "Diffie-Hellman key length" \
-               --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
-               1 "2048 bits" off \
-               2 "3072 bits" on \
-               3 "4096 bits" off 2> $data
-        sel=$?
-        case $sel in
-            1) exit 1;;
-            255) exit 1;;
-        esac
-        case $(cat $data) in
-            1) DH_KEYLENGTH=2048;;
-            2) DH_KEYLENGTH=3072;;
-            3) DH_KEYLENGTH=4096;;
-        esac
-
-        ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
+    if [ ! -d /etc/ssl/mycerts ]; then
+        echo $'No dhparam certificates were found'
+        return
 fi
+
+    data=$(tempfile 2>/dev/null)
+    trap "rm -f $data" 0 1 2 5 15
+    dialog --backtitle "Freedombone Security Configuration" \
+           --title "Diffie-Hellman key length" \
+           --radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
+           1 "2048 bits" off \
+           2 "3072 bits" on \
+           3 "4096 bits" off 2> $data
+    sel=$?
+    case $sel in
+        1) exit 1;;
+        255) exit 1;;
+    esac
+    case $(cat $data) in
+        1) DH_KEYLENGTH=2048;;
+        2) DH_KEYLENGTH=3072;;
+        3) DH_KEYLENGTH=4096;;
+    esac
+
+    ${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
 }
 function renew_startssl {
@@ -528,11 +494,6 @@ function create_letsencrypt {
 }
 function update_ciphersuite {
-    read_config_param SSL_CIPHERS
-    read_config_param SSL_PROTOCOLS
-    read_config_param SSH_CIPHERS
-    read_config_param SSH_MACS
-
 RECOMMENDED_SSL_CIPHERS="$SSL_CIPHERS"
 if [ ${#RECOMMENDED_SSL_CIPHERS} -lt 5 ]; then
 return
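Review bot: With the `REGENERATE_SSH_HOST_KEYS` guard removed, `regenerate_ssh_host_keys` now deletes `/etc/ssh/ssh_host_*` and reaches `systemctl restart ssh` without checking that `dpkg-reconfigure openssh-server` actually produced new keys; on a remotely administered host a failure there leaves sshd with no host keys after the restart. A check such as `dpkg-reconfigure openssh-server || { echo $'Failed to regenerate ssh host keys' >&2; return 1; }` would skip the moduli rewrite, the monkeysphere import and the restart in that case. The two `monkeysphere-host import-key ... ssh://$DEFAULT_DOMAIN_NAME` and `ssh://$SSH_ONION_HOSTNAME` lines also run with whatever `read_config_param` and the `grep` on `${COMPLETION_FILE}` yield, which may be empty, so a `[ -n "$SSH_ONION_HOSTNAME" ]` guard before each import would avoid publishing a key under an empty service name. The start of `regenerate_dh_keys` is split across two lines of the hunk as rendered here, so its leading `if` should be read as one line.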
@@ -714,50 +675,72 @@ function remove_pinning {
 esac
 }
-function housekeeping {
- cmd=(dialog --separate-output \
- --backtitle "Freedombone Security Configuration" \
- --title "Housekeeping options" \
- --checklist "If you don't need to do any of these things then just press Enter:" 15 76 15)
- options=(1 "Regenerate ssh host keys" off
- 2 "Regenerate Diffie-Hellman keys" off
- 3 "Update cipersuite" off
- 4 "Create a new Let's Encrypt certificate" off
- 5 "Renew Let's Encrypt certificate" off
- 6 "Enable GPG based authentication (monkeysphere)" off
- 7 "Register a website with monkeysphere" off
- 8 "Go Back/Exit" on)
- choices=$("${cmd[@]}" "${options[@]}" 2>&1 >/dev/tty)
+function menu_security_settings {
+    data=$(tempfile 2>/dev/null)
+    trap "rm -f $data" 0 1 2 5 15
+    dialog --backtitle $"Freedombone Control Panel" \
+           --title $"Security Settings" \
+           --radiolist $"Choose an operation:" 15 76 15 \
+           1 $"Regenerate ssh host keys" off \
+           2 $"Regenerate Diffie-Hellman keys" off \
+           3 $"Update cipersuite" off \
+           4 $"Create a new Let's Encrypt certificate" off \
+           5 $"Renew Let's Encrypt certificate" off \
+           6 $"Enable GPG based authentication (monkeysphere)" off \
+           7 $"Register a website with monkeysphere" off \
+           8 $"Go Back/Exit" on 2> $data
+    sel=$?
+    case $sel in
+        1) exit 1;;
+        255) exit 1;;
+    esac
 clear
- for choice in $choices
- do
- case $choice in
- 1)
- REGENERATE_SSH_HOST_KEYS="yes"
- ;;
- 2)
- REGENERATE_DH_KEYS="yes"
- ;;
- 3)
- update_ciphersuite
- ;;
- 4)
- create_letsencrypt
- ;;
- 5)
- renew_letsencrypt
- ;;
- 6)
- enable_monkeysphere
- ;;
- 7)
- register_website
- ;;
- 8)
- exit 0
- ;;
- esac
- done
+
+ read_config_param SSL_CIPHERS
+ read_config_param SSL_PROTOCOLS
+ read_config_param SSH_CIPHERS
+ read_config_param SSH_MACS
+ read_config_param SSH_KEX
+
+ get_imap_settings
+ get_ssh_settings
+ get_xmpp_settings
+ import_settings
+ export_settings
+
+ case $(cat $data) in
+ 1)
+ regenerate_ssh_host_keys
+ ;;
+ 2)
+ regenerate_dh_keys
+ ;;
+ 3)
+ interactive_setup
+ update_ciphersuite
+ ;;
+ 4)
+ create_letsencrypt
+ ;;
+ 5)
+ renew_letsencrypt
+ ;;
+ 6)
+ enable_monkeysphere
+ ;;
+ 7)
+ register_website
+ ;;
+ 8)
+ exit 0
+ ;;
+ esac
+
+ change_website_settings
+ change_imap_settings
+ change_ssh_settings
+ change_xmpp_settings
 }
 function import_settings {
@@ -1054,18 +1037,6 @@ do
 shift
 done
-housekeeping
-get_website_settings
-get_imap_settings
-get_ssh_settings
-get_xmpp_settings
-import_settings
-export_settings
-interactive_setup
-change_website_settings
-change_imap_settings
-change_ssh_settings
-change_xmpp_settings
-regenerate_ssh_host_keys
-regenerate_dh_keys
+menu_security_settings
+
 exit 0
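Review bot: The `trap "rm -f $data" 0 1 2 5 15` installed at the top of `menu_security_settings` is replaced when branch 2 calls `regenerate_dh_keys`, which assigns its own tempfile to the same global `data` and sets a new trap, so the menu's tempfile is left behind on exit. Reading the choice once and deleting the file immediately removes that dependency on the trap: `choice=$(cat "$data"); rm -f "$data"` followed by `case $choice in`. The four `change_*_settings` calls after `esac` also run for every selection, not only after `update_ciphersuite` in branch 3, so choosing "Regenerate ssh host keys" re-applies the values loaded by `read_config_param` as well; if that is not intended they belong inside branch 3, and a `*) exit 1;;` arm would keep an unexpected value from falling through to them. Branch 1 already restarts ssh inside `regenerate_ssh_host_keys`, so `change_ssh_settings` presumably touches sshd a second time — worth confirming, since that function is outside this hunk.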