Improve security settings command

This commit is contained in:
Bob Mottram 2016-10-30 09:56:32 +00:00
parent 691a815939
commit a3f2fe4539
1 changed files with 108 additions and 137 deletions


@ -64,8 +64,6 @@ EXPORT_FILE=
CURRENT_DIR=$(pwd) CURRENT_DIR=$(pwd)
REGENERATE_SSH_HOST_KEYS="no"
REGENERATE_DH_KEYS="no"
DH_KEYLENGTH=2048 DH_KEYLENGTH=2048
LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory' LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
@ -85,25 +83,6 @@ function get_ciphers_from_website {
SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}') SSL_CIPHERS=$(cat $WEBSITES_DIRECTORY/$1 | grep 'ssl_ciphers ' | awk -F "ssl_ciphers " '{print $2}' | awk -F "'" '{print $2}')
} }
function get_website_settings {
if [ ! -d $WEBSITES_DIRECTORY ]; then
return
fi
cd $WEBSITES_DIRECTORY
for file in `dir -d *` ; do
get_protocols_from_website $file
if [ ${#SSL_PROTOCOLS} -gt $MINIMUM_LENGTH ]; then
get_ciphers_from_website $file
if [ ${#SSL_CIPHERS} -gt $MINIMUM_LENGTH ]; then
break
else
SSL_PROTOCOLS=""
fi
fi
done
}
function get_imap_settings { function get_imap_settings {
if [ ! -f $DOVECOT_CIPHERS ]; then if [ ! -f $DOVECOT_CIPHERS ]; then
return return
@ -129,19 +108,10 @@ function get_xmpp_settings {
function get_ssh_settings { function get_ssh_settings {
if [ -f $SSH_CONFIG ]; then if [ -f $SSH_CONFIG ]; then
SSH_CIPHERS=$(cat $SSH_CONFIG | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
SSH_MACS=$(cat $SSH_CONFIG | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
SSH_KEX=$(cat $SSH_CONFIG | grep 'KexAlgorithms ' | awk -F 'KexAlgorithms ' '{print $2}')
SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}') SSH_PASSWORDS=$(cat $SSH_CONFIG | grep 'PasswordAuthentication ' | awk -F 'PasswordAuthentication ' '{print $2}')
fi fi
if [ -f /etc/ssh/ssh_config ]; then if [ -f /etc/ssh/ssh_config ]; then
SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}') SSH_HOST_KEY_ALGORITHMS=$(cat /etc/ssh/ssh_config | grep 'HostKeyAlgorithms ' | awk -F 'HostKeyAlgorithms ' '{print $2}')
if [ ! $SSH_CIPHERS ]; then
SSH_CIPHERS=$(cat /etc/ssh/ssh_config | grep 'Ciphers ' | awk -F 'Ciphers ' '{print $2}')
fi
if [ ! $SSH_MACS ]; then
SSH_MACS=$(cat /etc/ssh/ssh_config | grep 'MACs ' | awk -F 'MACs ' '{print $2}')
fi
fi fi
} }
@ -353,55 +323,51 @@ function send_monkeysphere_server_keys_to_users {
} }
function regenerate_ssh_host_keys { function regenerate_ssh_host_keys {
if [[ $REGENERATE_SSH_HOST_KEYS == "yes" ]]; then rm -f /etc/ssh/ssh_host_*
rm -f /etc/ssh/ssh_host_* dpkg-reconfigure openssh-server
dpkg-reconfigure openssh-server echo $'ssh host keys regenerated'
echo $'ssh host keys regenerated' # remove small moduli
# remove small moduli awk '$5 > 2000' /etc/ssh/moduli > ~/moduli
awk '$5 > 2000' /etc/ssh/moduli > ~/moduli mv ~/moduli /etc/ssh/moduli
mv ~/moduli /etc/ssh/moduli echo $'ssh small moduli removed'
echo $'ssh small moduli removed' # update monkeysphere
# update monkeysphere DEFAULT_DOMAIN_NAME=
DEFAULT_DOMAIN_NAME= read_config_param "DEFAULT_DOMAIN_NAME"
read_config_param "DEFAULT_DOMAIN_NAME" monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME
monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$DEFAULT_DOMAIN_NAME SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}')
SSH_ONION_HOSTNAME=$(cat ${COMPLETION_FILE} | grep 'ssh onion domain' | awk -F ':' '{print $2}') monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME
monkeysphere-host import-key /etc/ssh/ssh_host_rsa_key ssh://$SSH_ONION_HOSTNAME monkeysphere-host publish-key
monkeysphere-host publish-key send_monkeysphere_server_keys_to_users
send_monkeysphere_server_keys_to_users echo $'updated monkeysphere ssh host key'
echo $'updated monkeysphere ssh host key' systemctl restart ssh
systemctl restart ssh
fi
} }
function regenerate_dh_keys { function regenerate_dh_keys {
if [[ $REGENERATE_DH_KEYS == "yes" ]]; then if [ ! -d /etc/ssl/mycerts ]; then
if [ ! -d /etc/ssl/mycerts ]; then echo $'No dhparam certificates were found'
echo $'No dhparam certificates were found' return
return
fi
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --backtitle "Freedombone Security Configuration" \
--title "Diffie-Hellman key length" \
--radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
1 "2048 bits" off \
2 "3072 bits" on \
3 "4096 bits" off 2> $data
sel=$?
case $sel in
1) exit 1;;
255) exit 1;;
esac
case $(cat $data) in
1) DH_KEYLENGTH=2048;;
2) DH_KEYLENGTH=3072;;
3) DH_KEYLENGTH=4096;;
esac
${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
fi fi
data=$(tempfile 2>/dev/null)
trap "rm -f $data" 0 1 2 5 15
dialog --backtitle "Freedombone Security Configuration" \
--title "Diffie-Hellman key length" \
--radiolist "The smaller length is better suited to low power embedded systems:" 12 40 3 \
1 "2048 bits" off \
2 "3072 bits" on \
3 "4096 bits" off 2> $data
sel=$?
case $sel in
1) exit 1;;
255) exit 1;;
esac
case $(cat $data) in
1) DH_KEYLENGTH=2048;;
2) DH_KEYLENGTH=3072;;
3) DH_KEYLENGTH=4096;;
esac
${PROJECT_NAME}-dhparam --recalc yes -l ${DH_KEYLENGTH}
} }
function renew_startssl { function renew_startssl {
@ -528,11 +494,6 @@ function create_letsencrypt {
} }
function update_ciphersuite { function update_ciphersuite {
read_config_param SSL_CIPHERS
read_config_param SSL_PROTOCOLS
read_config_param SSH_CIPHERS
read_config_param SSH_MACS
RECOMMENDED_SSL_CIPHERS="$SSL_CIPHERS" RECOMMENDED_SSL_CIPHERS="$SSL_CIPHERS"
if [ ${#RECOMMENDED_SSL_CIPHERS} -lt 5 ]; then if [ ${#RECOMMENDED_SSL_CIPHERS} -lt 5 ]; then
return return
@ -714,50 +675,72 @@ function remove_pinning {
esac esac
} }
function housekeeping { function menu_security_settings {
cmd=(dialog --separate-output \ data=$(tempfile 2>/dev/null)
--backtitle "Freedombone Security Configuration" \ trap "rm -f $data" 0 1 2 5 15
--title "Housekeeping options" \ dialog --backtitle $"Freedombone Control Panel" \
--checklist "If you don't need to do any of these things then just press Enter:" 15 76 15) --title $"Security Settings" \
options=(1 "Regenerate ssh host keys" off --radiolist $"Choose an operation:" 15 76 15 \
2 "Regenerate Diffie-Hellman keys" off 1 $"Regenerate ssh host keys" off \
3 "Update cipersuite" off 2 $"Regenerate Diffie-Hellman keys" off \
4 "Create a new Let's Encrypt certificate" off 3 $"Update cipersuite" off \
5 "Renew Let's Encrypt certificate" off 4 $"Create a new Let's Encrypt certificate" off \
6 "Enable GPG based authentication (monkeysphere)" off 5 $"Renew Let's Encrypt certificate" off \
7 "Register a website with monkeysphere" off 6 $"Enable GPG based authentication (monkeysphere)" off \
8 "Go Back/Exit" on) 7 $"Register a website with monkeysphere" off \
choices=$("${cmd[@]}" "${options[@]}" 2>&1 >/dev/tty) 8 $"Go Back/Exit" on 2> $data
sel=$?
case $sel in
1) exit 1;;
255) exit 1;;
esac
clear clear
for choice in $choices
do read_config_param SSL_CIPHERS
case $choice in read_config_param SSL_PROTOCOLS
1) read_config_param SSH_CIPHERS
REGENERATE_SSH_HOST_KEYS="yes" read_config_param SSH_MACS
;; read_config_param SSH_KEX
2)
REGENERATE_DH_KEYS="yes" get_imap_settings
;; get_ssh_settings
3) get_xmpp_settings
update_ciphersuite import_settings
;; export_settings
4)
create_letsencrypt case $(cat $data) in
;; 1)
5) regenerate_ssh_host_keys
renew_letsencrypt ;;
;; 2)
6) regenerate_dh_keys
enable_monkeysphere ;;
;; 3)
7) interactive_setup
register_website update_ciphersuite
;; ;;
8) 4)
exit 0 create_letsencrypt
;; ;;
esac 5)
done renew_letsencrypt
;;
6)
enable_monkeysphere
;;
7)
register_website
;;
8)
exit 0
;;
esac
change_website_settings
change_imap_settings
change_ssh_settings
change_xmpp_settings
} }
function import_settings { function import_settings {
@ -1054,18 +1037,6 @@ do
shift shift
done done
housekeeping menu_security_settings
get_website_settings
get_imap_settings
get_ssh_settings
get_xmpp_settings
import_settings
export_settings
interactive_setup
change_website_settings
change_imap_settings
change_ssh_settings
change_xmpp_settings
regenerate_ssh_host_keys
regenerate_dh_keys
exit 0 exit 0
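Review bot: `regenerate_ssh_host_keys` on the new side now deletes `/etc/ssh/ssh_host_*` and finishes with `systemctl restart ssh` without checking that `dpkg-reconfigure openssh-server` actually produced new keys, so a failure in that step restarts sshd with no host keys and locks out any remote administrator. Guard the restart, e.g. `dpkg-reconfigure openssh-server || { echo $'ssh host key regeneration failed' >&2; return 1; }` and `[ -f /etc/ssh/ssh_host_rsa_key ] || { echo $'no ssh host key found, not restarting ssh' >&2; return 1; }` placed before `systemctl restart ssh`. The moduli rewrite in the same function has the same shape: `awk '$5 > 2000' /etc/ssh/moduli > ~/moduli` followed by `mv ~/moduli /etc/ssh/moduli` replaces the file even when awk fails (missing input), leaving an empty moduli file, so the `mv` should be conditional on awk succeeding. Separately, `get_ssh_settings` no longer reads `Ciphers`, `MACs` or `KexAlgorithms` from `$SSH_CONFIG`, so those values now come only from `read_config_param` in `menu_security_settings`; if the config file lacks them, `change_ssh_settings` (outside this diff) presumably receives empty values, and it is worth confirming it skips rather than writes empty directives.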