author | nachoparker <nacho@ownyourbits.com> | 2017-12-17 01:11:01 +0300 |
---|---|---|
committer | nachoparker <nacho@ownyourbits.com> | 2017-12-17 01:14:20 +0300 |
commit | bd5cb8e2b38aea6672c1315c27c89b6442fa82cb (patch) | |
tree | 7060065044675265bd3d90f4935438c95e635315 | |
parent | f043feef9cc3533854b2c3cff81be2992e40497b (diff) |
security hardeningv0.41.11
-rw-r--r-- | changelog.md | 8 | ||||
-rw-r--r-- | etc/nextcloudpi-config.d/nc-init.sh | 11 | ||||
-rw-r--r-- | etc/nextcloudpi-config.d/nc-nextcloud.sh | 8 | ||||
-rw-r--r-- | lamp.sh | 2 | ||||
-rw-r--r-- | nextcloudpi.sh | 28 | ||||
-rwxr-xr-x | update.sh | 193 |
6 files changed, 93 insertions, 157 deletions
diff --git a/changelog.md b/changelog.md index 9b65492a..55f3a99a 100644 --- a/changelog.md +++ b/changelog.md @@ -1,9 +1,11 @@ -[v0.41.10](https://github.com/nextcloud/nextcloudpi/commit/72785d5) (2017-12-16) dnsmasq: added interface +[v0.41.11](https://github.com/nextcloud/nextcloudpi/commit/17af1ab) (2017-12-16) security hardening -[v0.41.9](https://github.com/nextcloud/nextcloudpi/commit/e4e205f) (2017-12-14) fix occ command without execute permissions +[v0.41.10](https://github.com/nextcloud/nextcloudpi/commit/330df57) (2017-12-16) dnsmasq: added interface -[v0.41.8](https://github.com/nextcloud/nextcloudpi/commit/26d6f66) (2017-12-13) Fixed configuration interoperability between nc-datadit and fail2ban. (#323) +[v0.41.9 ](https://github.com/nextcloud/nextcloudpi/commit/e4e205f) (2017-12-14) fix occ command without execute permissions + +[v0.41.8 ](https://github.com/nextcloud/nextcloudpi/commit/26d6f66) (2017-12-13) Fixed configuration interoperability between nc-datadit and fail2ban. (#323) [v0.41.7 ](https://github.com/nextcloud/nextcloudpi/commit/ce92a4f) (2017-12-12) replace ping to github.com to google.com diff --git a/etc/nextcloudpi-config.d/nc-init.sh b/etc/nextcloudpi-config.d/nc-init.sh index 61370ccd..1e04c48e 100644 --- a/etc/nextcloudpi-config.d/nc-init.sh +++ b/etc/nextcloudpi-config.d/nc-init.sh @@ -30,6 +30,10 @@ configure() { echo "Setting up a clean Nextcloud instance... wait until message 'NC init done'" + # checks + local REDISPASS=$( grep "^requirepass" /etc/redis/redis.conf | cut -d' ' -f2 ) + [[ "$REDISPASS" == "" ]] && { echo "redis server without a password. Abort"; return 1; } + ## RE-CREATE DATABASE TABLE echo "Setting up database..." 
@@ -91,14 +95,15 @@ EOF
 # redis cache
 sed -i '$d' config/config.php
- cat >> config/config.php <<'EOF'
- 'memcache.local' => '\OC\Memcache\Redis',
- 'memcache.locking' => '\OC\Memcache\Redis',
+ cat >> config/config.php <<EOF
+ 'memcache.local' => '\\OC\\Memcache\\Redis',
+ 'memcache.locking' => '\\OC\\Memcache\\Redis',
 'redis' =>
 array (
 'host' => '/var/run/redis/redis.sock',
 'port' => 0,
 'timeout' => 0.0,
+ 'password' => '$REDISPASS',
 ),
 );
 EOF
diff --git a/etc/nextcloudpi-config.d/nc-nextcloud.sh b/etc/nextcloudpi-config.d/nc-nextcloud.sh
index a943f23f..098c0337 100644
--- a/etc/nextcloudpi-config.d/nc-nextcloud.sh
+++ b/etc/nextcloudpi-config.d/nc-nextcloud.sh
@@ -44,6 +44,7 @@ install()
 $APTINSTALL -o "Dpkg::Options::=--force-confold" php-smbclient
 $APTINSTALL lbzip2 iputils-ping
+ # POSTFIX
 [[ "$ARMBIANBUILD" != 1 ]] && {
 $APTINSTALL postfix
 } || {
@@ -53,15 +54,20 @@ install()
 sed -i '/Package: postfix/{n;d}' /var/lib/dpkg/status
 sed -i '/Package: postfix/a;Status: install ok installed|' /var/lib/dpkg/status
 }
+ sed -i 's|^smtpd_banner .*|smtpd_banner = $myhostname ESMTP|' /etc/postfix/main.cf
+ sed -i 's|^disable_vrfy_command .*|disable_vrfy_command = yes|' /etc/postfix/main.cf
 # REDIS
 $APTINSTALL redis-server php7.0-redis
 local REDIS_CONF=/etc/redis/redis.conf
+ local REDISPASS=$( openssl rand -base64 32 )
 sed -i "s|# unixsocket .*|unixsocket /var/run/redis/redis.sock|" $REDIS_CONF
 sed -i "s|# unixsocketperm .*|unixsocketperm 770|" $REDIS_CONF
+ sed -i "s|# requirepass .*|requirepass $REDISPASS|" $REDIS_CONF
+ sed -i 's|# rename-command CONFIG ""|rename-command CONFIG ""|' $REDIS_CONF
 sed -i "s|^port.*|port 0|" $REDIS_CONF
- echo "maxmemory ${REDIS_MEM}" >> $REDIS_CONF
+ echo "maxmemory $REDIS_MEM" >> $REDIS_CONF
 echo 'vm.overcommit_memory = 1' >> /etc/sysctl.conf
 usermod -a -G redis www-data
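Review bot: `sed -i 's|^disable_vrfy_command .*|disable_vrfy_command = yes|' /etc/postfix/main.cf` only rewrites a line that already exists; a freshly installed Debian main.cf does not, as far as I can tell, carry a `disable_vrfy_command` entry, so the substitution matches nothing and VRFY stays enabled on the built image. `postconf -e 'disable_vrfy_command = yes'` (and likewise `postconf -e 'smtpd_banner = $myhostname ESMTP'`) edits the key when present and appends it otherwise, which is what this hunk intends. On the redis side, `local REDISPASS=$( openssl rand -base64 32 )` hides a failed openssl behind the always-zero status of `local`; an empty result would turn the next sed into a bare `requirepass ` line with no argument, which redis-server will most likely refuse to parse at startup. Splitting declaration and assignment (`local REDISPASS; REDISPASS=$(openssl rand -base64 32) || return 1`) followed by `[[ -n "$REDISPASS" ]] || return 1` makes that failure loud instead of a broken config. install() starts and ends outside this hunk.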
@@ -37,7 +37,7 @@ install()
 # Randomize mariaDB password
 # Suggested by @enoch85 and taken from the nextcloud vm ( https://github.com/nextcloud/vm/blob/master/lib.sh#L46 )
- DBPASSWD=$(tr -dc "a-zA-Z0-9@#*=" < /dev/urandom | fold -w "$(shuf -i 30-35 -n 1)" | head -n 1)
+ DBPASSWD=$( openssl rand -base64 32 )
 echo -e "[client]\npassword=$DBPASSWD" > /root/.my.cnf
 chmod 600 /root/.my.cnf
diff --git a/nextcloudpi.sh b/nextcloudpi.sh
index cf12719b..720153ed 100644
--- a/nextcloudpi.sh
+++ b/nextcloudpi.sh
@@ -199,6 +199,34 @@ EOF
 ## tag image
 echo "NextCloudPi_$( date "+%m-%d-%y" )" > /usr/local/etc/ncp-baseimage
+
+ ## SSH hardening
+ sed -i 's|^#AllowTcpForwarding .*|AllowTcpForwarding no|' /etc/ssh/sshd_config
+ sed -i 's|^#ClientAliveCountMax .*|ClientAliveCountMax 2|' /etc/ssh/sshd_config
+ sed -i 's|^#MaxAuthTries .*|MaxAuthTries 2|' /etc/ssh/sshd_config
+ sed -i 's|^#MaxSessions .*|MaxSessions 2|' /etc/ssh/sshd_config
+ sed -i 's|^#PermitRootLogin .*|PermitRootLogin no|' /etc/ssh/sshd_config
+ sed -i 's|^#TCPKeepAlive .*|TCPKeepAlive no|' /etc/ssh/sshd_config
+ sed -i 's|^#X11Forwarding .*|X11Forwarding no|' /etc/ssh/sshd_config
+ sed -i 's|^#AllowAgentForwarding .*|AllowAgentForwarding no|' /etc/ssh/sshd_config
+
+ ## kernel hardening
+ cat >> /etc/sysctl.conf <<EOF
+sysctl fs.protected_hardlinks=1
+sysctl fs.protected_symlinks=1
+sysctl kernel.core_uses_pid=1
+sysctl kernel.dmesg_restrict=1
+sysctl kernel.kptr_restrict=2
+sysctl kernel.sysrq=0
+sysctl net.ipv4.conf.all.accept_redirects=0
+sysctl net.ipv4.conf.all.log_martians=1
+sysctl net.ipv4.conf.all.rp_filter=1
+sysctl net.ipv4.conf.all.send_redirects=0
+sysctl net.ipv4.conf.default.accept_redirects=0
+sysctl net.ipv4.conf.default.accept_source_route=0
+sysctl net.ipv4.conf.default.log_martians=1
+sysctl net.ipv4.tcp_timestamps=0
+EOF
 fi
 }
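Review bot: The 14 lines the kernel-hardening heredoc appends to /etc/sysctl.conf start with a literal `sysctl ` word (`sysctl fs.protected_hardlinks=1`), which is not sysctl.conf syntax; the file takes `key = value` lines, so `sysctl -p`/`sysctl --system` will flag each of them as malformed and none of the settings takes effect on the built image. The update.sh copy of the same block in this commit writes them correctly (`fs.protected_hardlinks=1`), so the fix is to drop the `sysctl ` prefix on all 14 lines here so the two files agree. Separately, every SSH sed only rewrites the commented-out default (`^#PermitRootLogin .*`); if the base image already ships an uncommented `PermitRootLogin yes`, the pattern does not match and that hardening is silently skipped, so a pattern like `^#\?PermitRootLogin .*` (or a `grep -q '^PermitRootLogin' || echo … >>` fallback) is safer for all eight directives. The enclosing if/function starts outside the hunk.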
@@ -115,155 +115,6 @@ done # only for image builds [[ ! -f /.ncp-image ]] && { - # log adjustment for wizard - test -f /home/www/ncp-launcher.sh && \ - cat > /home/www/ncp-launcher.sh <<'EOF' -#!/bin/bash -DIR=/usr/local/etc/nextcloudpi-config.d -test -f $DIR/$1 || { echo "File not found"; exit 1; } -source /usr/local/etc/library.sh -cd $DIR -touch /run/ncp.log -chmod 640 /run/ncp.log -chown root:www-data /run/ncp.log -launch_script $1 &> /run/ncp.log -RET=$? - -# clean log for the next PHP backend call to start clean, -# but wait until everything from current execution is read -sleep 0.5 && echo "" > /run/ncp.log - -exit $RET -EOF - - # 2 days to avoid very big backups requests to timeout - test -f /etc/apache2/sites-available/ncp.conf && { - grep -q TimeOut /etc/apache2/sites-available/ncp.conf || \ - sed -i '/SSLCertificateKeyFile/aTimeOut 172800' /etc/apache2/sites-available/ncp.conf - } || echo "Warning. File /etc/apache2/sites-available/ncp.conf not found on your ncp." - - # relocate noip2 config - mkdir -p /usr/local/etc/noip2 - - # redis - REDIS_CONF=/etc/redis/redis.conf - sysctl vm.overcommit_memory=1 &>/dev/null - grep -q APCu /var/www/nextcloud/config/config.php && { - echo "installing redis..." 
- apt-get update - apt-get install -y --no-install-recommends redis-server php7.0-redis - - sed -i '/memcache/d' /var/www/nextcloud/config/config.php - sed -i '$d' /var/www/nextcloud/config/config.php - - cat >> /var/www/nextcloud/config/config.php <<'EOF' - 'memcache.local' => '\OC\Memcache\Redis', - 'memcache.locking' => '\OC\Memcache\Redis', - 'redis' => - array ( - 'host' => '/var/run/redis/redis.sock', - 'port' => 0, - 'timeout' => 0.0, - ), -); -EOF - - REDIS_MEM=3gb - sed -i "s|# unixsocket .*|unixsocket /var/run/redis/redis.sock|" $REDIS_CONF - sed -i "s|# unixsocketperm .*|unixsocketperm 770|" $REDIS_CONF - sed -i "s|port.*|port 0|" $REDIS_CONF - echo "maxmemory ${REDIS_MEM}" >> $REDIS_CONF - echo 'vm.overcommit_memory = 1' >> /etc/sysctl.conf - - sudo usermod -a -G redis www-data - - systemctl restart redis-server - systemctl enable redis-server - - # need to restart php - bash -c " sleep 3 - systemctl stop php7.0-fpm - systemctl stop mysqld - sleep 0.5 - systemctl start php7.0-fpm - systemctl start mysqld - " &>/dev/null & - } - sed -i 's|^logfile.*|logfile /var/log/redis/redis-server.log|' $REDIS_CONF - - # fix redis update bug - grep -q sock700 $REDIS_CONF && { - sed -i '/unixsocket/d' $REDIS_CONF - echo "unixsocket /var/run/redis/redis.sock" >> $REDIS_CONF - echo "unixsocketperm 770" >> $REDIS_CONF - systemctl restart redis-server - } - grep -q unixsocketperm $REDIS_CONF || echo unixsocketperm 770 >> $REDIS_CONF - -# fix unattended - NUSER=$( grep USER_ /usr/local/etc/nextcloudpi-config.d/nc-notify-updates.sh | head -1 | cut -f2 -d= ) - cat > /usr/local/bin/ncp-notify-unattended-upgrade <<EOF -#!/bin/bash - -LOGFILE=/var/log/unattended-upgrades/unattended-upgrades.log -STAMPFILE=/var/run/.ncp-notify-unattended-upgrades -VERFILE=/usr/local/etc/ncp-version - -test -e "\$LOGFILE" || { echo "\$LOGFILE not found"; exit 1; } - -# find lines with package updates -LINE=\$( grep "INFO Packages that will be upgraded:" "\$LOGFILE" ) - -[[ "\$LINE" == "" ]] && { 
echo "no new upgrades"; exit 0; } - -# extract package names -PKGS=\$( sed 's|^.*Packages that will be upgraded: ||' <<< "\$LINE" | tr '\\n' ' ' ) - -# mark lines as read -sed -i 's|INFO Packages that will be upgraded:|INFO Packages that will be upgraded :|' \$LOGFILE - -echo -e "Packages automatically upgraded: \$PKGS\\n" - -# notify -sudo -u www-data php /var/www/nextcloud/occ notification:generate \ - $NUSER "NextCloudPi Unattended Upgrades" \ - -l "Packages automatically upgraded \$PKGS" -EOF - chmod +x /usr/local/bin/ncp-notify-unattended-upgrade - - # fix modsecurity uploads - sed -i 's|^SecRequestBodyLimit .*|#SecRequestBodyLimit 13107200|' /etc/modsecurity/modsecurity.conf - - # fix ramlogs - [[ $( grep "^ACTIVE_" /usr/local/etc/nextcloudpi-config.d/nc-ramlogs.sh | cut -f2 -d'=' ) == "yes" ]] && { - mkdir -p /usr/lib/systemd/system - cat > /usr/lib/systemd/system/ramlogs.service <<'EOF' -[Unit] -Description=Populate ramlogs dir -Requires=network.target -Before=redis-server apache2 mysqld - -[Service] -ExecStart=/bin/bash /usr/local/bin/ramlog-dirs.sh - -[Install] -WantedBy=multi-user.target -EOF - - cat > /usr/local/bin/ramlog-dirs.sh <<'EOF' -#!/bin/bash -mkdir -p /var/log/myslq -chown mysql /var/log/mysql - -mkdir -p /var/log/apache2 -chown apache2 /var/log/apache2 - -mkdir -p /var/log/redis -chown redis /var/log/redis -EOF - systemctl enable ramlogs - } - # fix automount in latest images test -f /etc/udev/rules.d/90-qemu.rules && { rm -f /etc/udev/rules.d/90-qemu.rules 
@@ -276,6 +127,50 @@ EOF
 apt-get update
 apt-get install -y --no-install-recommends btrfs-tools
 }
+
+ # harden security
+
+ ## harden redis
+ REDIS_CONF=/etc/redis/redis.conf
+ REDISPASS=$( grep "^requirepass" /etc/redis/redis.conf | cut -d' ' -f2 )
+ [[ "$REDISPASS" == "" ]] && REDISPASS=$( openssl rand -base64 32 )
+ sed -i 's|# rename-command CONFIG ""|rename-command CONFIG ""|' $REDIS_CONF
+ sed -i "s|# requirepass .*|requirepass $REDISPASS|" $REDIS_CONF
+
+ grep -q "'password'" /var/www/nextcloud/config/config.php || \
+ sed -i "/timeout/a'password' => '$REDISPASS'," /var/www/nextcloud/config/config.php
+
+ ## harden postfix
+ sed -i 's|^smtpd_banner .*|smtpd_banner = $myhostname ESMTP|' /etc/postfix/main.cf
+ sed -i 's|^disable_vrfy_command .*|disable_vrfy_command = yes|' /etc/postfix/main.cf
+
+ ## harden SSH
+ sed -i 's|^#AllowTcpForwarding .*|AllowTcpForwarding no|' /etc/ssh/sshd_config
+ sed -i 's|^#ClientAliveCountMax .*|ClientAliveCountMax 2|' /etc/ssh/sshd_config
+ sed -i 's|^#MaxAuthTries .*|MaxAuthTries 2|' /etc/ssh/sshd_config
+ sed -i 's|^#MaxSessions .*|MaxSessions 2|' /etc/ssh/sshd_config
+ sed -i 's|^#PermitRootLogin .*|PermitRootLogin no|' /etc/ssh/sshd_config
+ sed -i 's|^#TCPKeepAlive .*|TCPKeepAlive no|' /etc/ssh/sshd_config
+ sed -i 's|^#X11Forwarding .*|X11Forwarding no|' /etc/ssh/sshd_config
+ sed -i 's|^#AllowAgentForwarding .*|AllowAgentForwarding no|' /etc/ssh/sshd_config
+
+ ## harden kernel
+ grep -q protected_hardlinks=1 /etc/sysctl.conf || cat >> /etc/sysctl.conf <<EOF
+fs.protected_hardlinks=1
+fs.protected_symlinks=1
+kernel.core_uses_pid=1
+kernel.dmesg_restrict=1
+kernel.kptr_restrict=2
+kernel.sysrq=0
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.all.log_martians=1
+net.ipv4.conf.all.rp_filter=1
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.default.accept_source_route=0
+net.ipv4.conf.default.log_martians=1
+net.ipv4.tcp_timestamps=0
+EOF
 }
 exit 0
 |
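Review bot: The redis hardening writes `requirepass` into redis.conf and the same password into Nextcloud's config.php, but nothing in this hunk restarts redis-server; until the daemon is restarted it is still running without a password and will reject the AUTH that php-redis now sends, so every Nextcloud request fails right after the update (unless the updater reboots or restarts redis somewhere not visible here). Add `systemctl restart redis-server` directly after the two `sed -i … $REDIS_CONF` lines, and consider `systemctl restart php7.0-fpm` as well so no worker keeps a pre-password connection. The `disable_vrfy_command` sed has the same weakness as in nc-nextcloud.sh: it only rewrites an existing line, so on a main.cf without that key it is a no-op, whereas `postconf -e 'disable_vrfy_command = yes'` covers both cases. The `[[ ! -f /.ncp-image ]] && {` block these lines sit in starts outside this hunk.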