From 71f676e21d67a33c477b9cb48bb5394e64aed728 Mon Sep 17 00:00:00 2001
From: nachoparker
Date: Mon, 18 Dec 2017 21:01:15 +0100
Subject: added UFW
---
 changelog.md | 4 +-
 etc/nextcloudpi-config.d/UFW.sh | 81 +++++++++++++++++++++++++++++++++++++++++
 update.sh | 2 +-
 3 files changed, 85 insertions(+), 2 deletions(-)
 create mode 100644 etc/nextcloudpi-config.d/UFW.sh
diff --git a/changelog.md b/changelog.md
index 31529bdb..f6e7a042 100644
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,7 @@
-[v0.41.13](https://github.com/nextcloud/nextcloudpi/commit/4daac1b) (2017-12-17) security hardening part 3
+[v0.42.0](https://github.com/nextcloud/nextcloudpi/commit/9e11b7f) (2017-12-18) added UFW
+
+[v0.41.13](https://github.com/nextcloud/nextcloudpi/commit/d5e90a6) (2017-12-17) security hardening part 3
 [v0.41.12](https://github.com/nextcloud/nextcloudpi/commit/672d233) (2017-12-17) security hardening part 2
diff --git a/etc/nextcloudpi-config.d/UFW.sh b/etc/nextcloudpi-config.d/UFW.sh
new file mode 100644
index 00000000..25ccda0d
--- /dev/null
+++ b/etc/nextcloudpi-config.d/UFW.sh
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+# Uncomplicated Firewall
+#
+# Copyleft 2017 by Ignacio Nunez Hernanz
+# GPL licensed (see end of file) * Use at your own risk!
+#
+# Usage:
+
+# ./installer.sh UFW.sh ()
+#
+# See installer.sh instructions for details
+#
+# More at https://ownyourbits.com/2017/02/13/nextcloud-ready-raspberry-pi-image/
+#
+
+ACTIVE_=no
+HTTP_=80
+HTTPS_=443
+SSH_=22
+DESCRIPTION="Uncomplicated Firewall"
+
+INFO="Beware of blocking the SSH port you are using!"
+
+install()
+{
+ apt-get update
+ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends ufw
+ systemctl disable ufw
+}
+
+configure()
+{
+ [[ "$ACTIVE_" != yes ]] && {
+ ufw --force reset
+ systemctl disable ufw
+ systemctl stop ufw
+ echo "UFW disabled"
+ return 0
+ }
+ ufw --force enable
+ systemctl enable ufw
+ systemctl start ufw
+
+ echo "# web server rules"
+ ufw allow $HTTP_/tcp
+ ufw allow $HTTPS_/tcp
+ ufw allow 4443/tcp
+
+ echo "# SSH rules"
+ ufw allow $SSH_
+
+ echo "# DNS rules"
+ ufw allow dns
+
+ echo "# SAMBA rules"
+ ufw allow samba
+
+ echo "# NFS rules"
+ ufw allow nfs
+
+ echo "# UFW enabled"
+}
+
+# License
+#
+# This script is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This script is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this script; if not, write to the
+# Free Software Foundation, Inc., 59 Temple Place, Suite 330,
+# Boston, MA 02111-1307 USA
+
diff --git a/update.sh b/update.sh
index 9e8e00f6..0c77f97c 100755
--- a/update.sh
+++ b/update.sh
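Review bot: `configure` runs `ufw --force enable` before a single allow rule exists, so with ufw's default deny-incoming policy every new inbound connection, including a fresh SSH login, is refused until the `ufw allow` lines further down have run, and an empty or malformed `$SSH_` (the three port variables are unquoted and never validated) makes that `ufw allow` fail and leaves the host locked out; the INFO string warns about exactly this, but the code should prevent it. Validate the ports, add the rules, and only then enable; a `ufw --force reset` at the start of the enable branch also keeps stale ports from an earlier configuration from accumulating, and `ufw allow "${SSH_}/tcp"` is tighter than the bare `ufw allow $SSH_`, which opens UDP as well (if service names such as `ssh` are meant to be accepted, widen the pattern). None of the `apt-get` or `ufw` calls check their exit status, so a failed rule still ends with "# UFW enabled"; at minimum `|| return 1` on the `ufw` calls. Whether the unconditional `dns`/`samba`/`nfs` allows should be gated on those services actually being enabled is not visible on this page but is worth confirming.
```shell
configure()
{
  # … unchanged: ACTIVE_ != yes branch (reset / disable / stop / return) …
  local port
  for port in "$HTTP_" "$HTTPS_" "$SSH_"; do
    if ! [[ "$port" =~ ^[0-9]+$ ]] || (( port < 1 || port > 65535 )); then
      echo "invalid port '$port'"; return 1
    fi
  done
  ufw --force reset         || return 1   # clean rule set: reconfigured ports must not accumulate
  ufw allow "${HTTP_}/tcp"  || return 1
  ufw allow "${HTTPS_}/tcp" || return 1
  ufw allow 4443/tcp        || return 1
  ufw allow "${SSH_}/tcp"   || return 1
  # … unchanged: dns / samba / nfs rules and the "# …" progress echoes …
  ufw --force enable        || return 1   # enable only once the allow rules (above all SSH) are in place
  systemctl enable ufw
  systemctl start ufw
  echo "# UFW enabled"
}
```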
@@ -175,7 +175,7 @@ net.ipv4.tcp_timestamps=0
 net.ipv6.conf.all.accept_redirects=0
 net.ipv6.conf.default.accept_redirects=0
 EOF
- sysctl -p /etc/sysctl.conf
+ sysctl -p /etc/sysctl.conf &>/dev/null
 # small tweaks
 cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
-- cgit v1.2.3
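Review bot: `sysctl -p /etc/sysctl.conf &>/dev/null` discards stderr together with stdout, so a key the running kernel rejects (for example one of the `net.ipv6.*` entries on a system where IPv6 is disabled) fails silently and the hardening this heredoc is meant to apply is partially skipped with no trace in the update output. If the goal is only to hide the key=value echo, keep stderr: `sysctl -p /etc/sysctl.conf >/dev/null` (or `sysctl -q -p /etc/sysctl.conf`), and consider `|| echo "sysctl: some settings were not applied" >&2` so the failure is visible. The heredoc and the function this line belongs to start outside the hunk.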