From 20812cdb6f514e6651ad02c3c8a474d7ad112cdd Mon Sep 17 00:00:00 2001
From: Daniel Hansson
Date: Tue, 21 Apr 2020 22:31:21 +0200
Subject: 20.04 (#1176)
---
old/modsecurity.sh | 98 ++++++++++++++++++++++++++++++++++++++++
old/ntpdate.sh | 23 ++++++++++
old/spreedme.sh | 128 +++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 249 insertions(+)
create mode 100644 old/modsecurity.sh
create mode 100644 old/ntpdate.sh
create mode 100644 old/spreedme.sh
(limited to 'old')
diff --git a/old/modsecurity.sh b/old/modsecurity.sh
new file mode 100644
index 00000000..31ec00a0
--- /dev/null
+++ b/old/modsecurity.sh
@@ -0,0 +1,98 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+print_text_in_color "$ICyan" "Installing ModSecurity..."
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+root_check
+
+# Add modsecurity
+apt update -q4 & spinner_loading
+install_if_not libapache2-mod-security2
+install_if_not modsecurity-crs
+mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
+
+msg_box "WARNING WARNING WARNING WARNING WARNING WARNING:
+
+Do not enable active defence if you don't know what you're doing!
+It will break OnlyOffice, and it may break other stuff as well in Nextcloud as it's
+blocking access to files automatically.
+
+You can monitor the audit log by typing this command in your shell:
+tail -f /var/log/apache2/modsec_audit.log
+
+You can disable it by typing this command in your shell:
+sed -i 's/SecRuleEngine .*/SecRuleEngine DetectionOnly/g' /etc/modsecurity/modsecurity.conf
+
+YOU HAVE BEEN WARNED."
+if [[ "yes" == $(ask_yes_or_no "Do you want to enable active defence?") ]]
+then
+ sed -i 's|SecRuleEngine .*|SecRuleEngine on|g' /etc/modsecurity/modsecurity.conf
+fi
+
+cat << MODSECWHITE > "/etc/modsecurity/whitelist.conf"
+
+# VIDEOS
+ SecRuleRemoveById 958291 # Range Header Checks
+ SecRuleRemoveById 981203 # Correlated Attack Attempt
+
+ # PDF
+ SecRuleRemoveById 950109 # Check URL encodings
+
+ # ADMIN (webdav)
+ SecRuleRemoveById 960024 # Repeatative Non-Word Chars (heuristic)
+ SecRuleRemoveById 981173 # SQL Injection Character Anomaly Usage
+ SecRuleRemoveById 981204 # Correlated Attack Attempt
+ SecRuleRemoveById 981243 # PHPIDS - Converted SQLI Filters
+ SecRuleRemoveById 981245 # PHPIDS - Converted SQLI Filters
+ SecRuleRemoveById 981246 # PHPIDS - Converted SQLI Filters
+ SecRuleRemoveById 981318 # String Termination/Statement Ending Injection Testing
+ SecRuleRemoveById 973332 # XSS Filters from IE
+ SecRuleRemoveById 973338 # XSS Filters - Category 3
+ SecRuleRemoveById 981143 # CSRF Protections ( TODO edit LocationMatch filter )
+
+ # COMING BACK FROM OLD SESSION
+ SecRuleRemoveById 970903 # Microsoft Office document properties leakage
+
+ # NOTES APP
+ SecRuleRemoveById 981401 # Content-Type Response Header is Missing and X-Content-Type-Options is either missing or not set to 'nosniff'
+ SecRuleRemoveById 200002 # Failed to parse request body
+
+ # UPLOADS ( 20 MB max excluding file size )
+ SecRequestBodyNoFilesLimit 20971520
+
+ # GENERAL
+ SecRuleRemoveById 960017 # Host header is a numeric IP address
+
+ # SAMEORIGN
+ SecRuleRemoveById 911100 # fpm socket
+
+ # REGISTERED WARNINGS, BUT DID NOT HAVE TO DISABLE THEM
+ #SecRuleRemoveById 981220 900046 981407
+ #SecRuleRemoveById 981222 981405 981185 981184
+
+MODSECWHITE
+
+# Don't log in Apache2 error.log, only in a seperate log (/var/log/apache2/modsec_audit.log)
+check_command sed -i 's|SecDefaultAction "phase:1,log,auditlog,pass"|# SecDefaultAction "phase:1,log,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+check_command sed -i 's|SecDefaultAction "phase:2,log,auditlog,pass"|# SecDefaultAction "phase:2,log,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+check_command sed -i 's|# SecDefaultAction "phase:1,nolog,auditlog,pass"|SecDefaultAction "phase:1,nolog,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+check_command sed -i 's|# SecDefaultAction "phase:2,nolog,auditlog,pass"|SecDefaultAction "phase:2,nolog,auditlog,pass"|g' /etc/modsecurity/crs/crs-setup.conf
+
+if [ -f /etc/modsecurity/whitelist.conf ]
+then
+ print_text_in_color "$IGreen" "ModSecurity activated!"
+ restart_webserver
+fi
diff --git a/old/ntpdate.sh b/old/ntpdate.sh
new file mode 100644
index 00000000..43645ef3
--- /dev/null
+++ b/old/ntpdate.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+. <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+if network_ok
+then
+ if is_this_installed ntpdate
+ then
+ ntpdate -s 1.se.pool.ntp.org
+ fi
+fi
+exit
diff --git a/old/spreedme.sh b/old/spreedme.sh
new file mode 100644
index 00000000..2d4ffde2
--- /dev/null
+++ b/old/spreedme.sh
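Review bot: The `SecRuleRemoveById` exclusions written to /etc/modsecurity/whitelist.conf apply to every request, not only to the WebDAV/admin, PDF or Notes paths the section comments describe, so the SQLi, XSS and CSRF rules listed there (981173, 981243–981246, 981318, 973332, 973338, 981143) are switched off for the whole site; wrapping each group in a `<LocationMatch>` for the path it is meant for, or using `ctl:ruleRemoveById` on a path-scoped rule, keeps the blind spot limited to the endpoints that need it. Those IDs follow CRS 2.x numbering while the script edits `/etc/modsecurity/crs/crs-setup.conf`, which is the CRS 3.x layout, so on a 3.x install the removals may match no loaded rule at all — worth verifying against the installed ruleset. The closing `if [ -f /etc/modsecurity/whitelist.conf ]` is always true because the heredoc above just wrote that file, so "ModSecurity activated!" is printed even when the user declined active defence and the engine stays in DetectionOnly; keying the message on the `ask_yes_or_no` answer (or on `grep -q '^SecRuleEngine On' /etc/modsecurity/modsecurity.conf`) would make it truthful. `. <(curl -sL …/lib.sh)` has no `-f`/`--fail`, so on an HTTP error the response body is sourced instead of lib.sh and the script keeps going with `root_check`, `install_if_not` and friends undefined; the same line appears in the other two files of this commit.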
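Review bot: `ntpdate -s 1.se.pool.ntp.org` needs root to step the clock, but unlike modsecurity.sh in this same commit the script never calls `root_check`, and with `-s` ntpdate's diagnostics go to syslog rather than the terminal, so a run as an unprivileged user fails silently. Adding `root_check` after `debug_mode`, as the sibling scripts do, makes that failure visible, and `ntpdate -s 1.se.pool.ntp.org || printf '%s\n' "ntpdate failed" >&2` would surface a failed sync to the operator. The guard `is_this_installed ntpdate` is presumably a lib.sh helper; whether it also covers the case where the binary exists but the unit is masked cannot be seen from here.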
@@ -0,0 +1,128 @@
+#!/bin/bash
+
+# T&M Hansson IT AB © - 2020, https://www.hanssonit.se/
+
+# shellcheck disable=2034,2059
+true
+# shellcheck source=lib.sh
+NC_UPDATE=1 . <(curl -sL https://raw.githubusercontent.com/nextcloud/vm/master/lib.sh)
+unset NC_UPDATE
+
+print_text_in_color "$ICyan" "Installing Spreed.ME..."
+
+# Check for errors + debug code and abort if something isn't right
+# 1 = ON
+# 0 = OFF
+DEBUG=0
+debug_mode
+
+# Check if root
+if ! is_root
+then
+ printf "\n${Red}Sorry, you are not root.\n${Color_Off}You must type: ${ICyan}sudo ${Color_Off}bash %s/nextcloud_install_production.sh\n" "$SCRIPTS"
+ exit 1
+fi
+
+# Check if Nextcloud exists
+root_check
+
+# Nextcloud 13 is required.
+lowest_compatible_nc 13
+
+# Install if missing
+install_if_not apache2
+install_if_not snapd
+
+# Install Nextcloud Spreed.ME Snap
+if [ -d "$SNAPDIR" ]
+then
+ print_text_in_color "$ICyan" "Spreed.ME Snap already seems to be installed and will now be re-installed..."
+ snap remove spreedme
+ rm -rf "$SNAPDIR"
+ snap install --edge spreedme
+else
+ snap install --edge spreedme
+fi
+
+# Install and activate the Spreed.ME app
+if [ -d "$NC_APPS_PATH/spreedme" ]
+then
+ # Remove
+ occ_command app:disable spreedme
+ print_text_in_color "$ICyan" "Spreed.ME app already seems to be installed and will now be re-installed..."
+ rm -R "$NC_APPS_PATH/spreedme"
+ # Reinstall
+ occ_command app:install spreedme
+else
+ occ_command app:install spreedme
+fi
+occ_command app:enable spreedme
+chown -R www-data:www-data "$NC_APPS_PATH"
+
+# Generate secret keys
+SHAREDSECRET=$(openssl rand -hex 32)
+TEMPLINK=$(openssl rand -hex 32)
+sed -i "s|sharedsecret_secret = .*|sharedsecret_secret = $SHAREDSECRET|g" "$SNAPDIR/current/server.conf"
+
+# Populate the else empty config file (uses database for content by default)
+cp "$NCPATH/apps/spreedme/config/config.php.in" "$NCPATH/apps/spreedme/config/config.php"
+
+# Place the key in the NC app config
+sed -i "s|.*SPREED_WEBRTC_SHAREDSECRET.*| const SPREED_WEBRTC_SHAREDSECRET = '$SHAREDSECRET';|g" "$NCPATH/apps/spreedme/config/config.php"
+
+# Allow to create temporary links
+sed -i "s|const OWNCLOUD_TEMPORARY_PASSWORD_LOGIN_ENABLED.*|const OWNCLOUD_TEMPORARY_PASSWORD_LOGIN_ENABLED = true;|g" "$NCPATH/apps/spreedme/config/config.php"
+
+# Set temporary links hash
+sed -i "s|const OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY.*|const OWNCLOUD_TEMPORARY_PASSWORD_SIGNING_KEY = '$TEMPLINK';|g" "$NCPATH/apps/spreedme/config/config.php"
+
+
+# Enable Apache mods
+a2enmod proxy \
+ proxy_wstunnel \
+ proxy_http \
+ headers
+
+# Add config to vhost
+VHOST=/etc/apache2/spreedme.conf
+if [ ! -f $VHOST ]
+then
+cat << VHOST > "$VHOST"
+
+ ProxyPass http://127.0.0.1:8080/webrtc
+ ProxyPassReverse /webrtc
+
+
+
+ ProxyPass ws://127.0.0.1:8080/webrtc/ws
+
+
+ ProxyVia On
+ ProxyPreserveHost On
+ RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
+ # RequestHeader set X-Forwarded-Proto 'https' # Use this if you are behind a (Nginx) reverse proxy with http backends
+VHOST
+fi
+
+if ! grep -Fxq "Include $VHOST" /etc/apache2/apache2.conf
+then
+ sed -i "145i Include $VHOST" "/etc/apache2/apache2.conf"
+fi
+
+# Restart services
+restart_webserver
+if ! systemctl restart snap.spreedme.spreed-webrtc.service
+then
+msg_box "Something is wrong, the installation did not finish correctly.
+
+Please report this to $ISSUES"
+ exit 1
+else
+msg_box "Success! Spreed.ME is now installed and configured.
+
+You may have to change SPREED_WEBRTC_ORIGIN in:
+(sudo nano) $NCPATH/apps/spreedme/config/config.php"
+ exit 0
+fi
+
+exit
--
cgit v1.2.3
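Review bot: `$NCPATH/apps/spreedme/config/config.php` receives the WebRTC shared secret and the temporary-password signing key, but it is created by `cp` only after the `chown -R www-data:www-data "$NC_APPS_PATH"` line, so it stays owned by the root user running the script with the umask-default mode — typically world-readable — and any local account can read both secrets. Creating it with `install -o www-data -g www-data -m 640 "$NCPATH/apps/spreedme/config/config.php.in" "$NCPATH/apps/spreedme/config/config.php"` (GNU `sed -i` preserves mode and owner when it rewrites the file) or moving the `chown -R` below the three `sed -i` calls closes that gap. `sed -i "145i Include $VHOST" "/etc/apache2/apache2.conf"` inserts at a fixed line number without looking at the surrounding content, so on an apache2.conf of a different length the Include can land inside a `<Directory>` block or in a comment; placing the file under `/etc/apache2/conf-available/` and enabling it with `a2enconf`, or appending `Include $VHOST` at the end of the file, is position-independent. The container directives around the `ProxyPass` lines in the heredoc appear to have been stripped from this rendering (blank lines where they would sit), so the vhost body cannot be fully reviewed here.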