webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
bpfire/config/backup/backup.pl
Arne Fitzenreiter 36c16c71ed core183: replace https rsa key if it is too small 
new openssl need at least 2048 bit rsa keys for apache.
So if the existing is smaller a new 4096 bit key is generated.

fixes #13527

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2024-01-18 18:02:10 +01:00

357 lines
10 KiB
Bash
Raw Permalink Blame History

#!/bin/bash
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
shopt -s nullglob
NOW="$(date "+%Y-%m-%d-%H:%M")"
list_addons() {
local file
for file in /var/ipfire/backup/addons/includes/*; do
if [ -f "${file}" ]; then
basename "${file}"
fi
done
return 0
}
process_includes() {
local include
for include in $@; do
local file
while read -r file; do
# Skip any empty line (which will include /)
[ -n "${file}" ] || continue
for file in /${file}; do
if [ -e "${file}" ]; then
echo "${file}"
fi
done
done < "${include}"
done | sort -u
}
make_backup() {
local filename="${1}"
shift
# Backup all addons first
local addon
for addon in $(list_addons); do
make_addon_backup "${addon}"
done
# Backup using global exclude/include definitions
tar cvfz "${filename}" -C / \
--exclude-from="/var/ipfire/backup/exclude" \
--exclude-from="/var/ipfire/backup/exclude.user" \
$(process_includes "/var/ipfire/backup/include") \
$(process_includes "/var/ipfire/backup/include.user") \
"$@"
return 0
}
restore_backup() {
local filename="${1}"
# Extract backup
if ! tar xvzpf "${filename}" -C / \
--exclude-from="/var/ipfire/backup/exclude" \
--exclude-from="/var/ipfire/backup/exclude.user"; then
echo "Could not extract backup" >&2
return 1
fi
# Restart syslogd, httpd and suricata in case we've just loaded old logs
apachectl -k graceful
/bin/kill -HUP `cat /var/run/suricata.pid 2> /dev/null` 2> /dev/null
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null
# remove wrong vnstat tag file
rm -f /var/log/vnstat/tag
# create dhcpcd user
groupadd -g 52 dhcpcd
useradd -c 'dhcpcd privsep user' \
-d /run/dhcpcd/chroot \
-g dhcpcd \
-s /bin/false \
-u 52 dhcpcd
# Run converters
# Outgoing Firewall
if [ -d "/var/ipfire/outgoing" ]; then
# Reset files
local file
for file in /var/ipfire/firewall/{config,outgoing} \
/var/ipfire/fwhosts/custom{hosts,groups,networks}; do
: > "${file}"
chown nobody:nobody "${file}"
done
# Run converter
convert-outgoingfw
# Remove old configuration
rm -rf "/var/ipfire/outgoing"
fi
# External Access
if [ -d "/var/ipfire/xtaccess" ]; then
: > /var/ipfire/firewall/config
chown nobody:nobody "/var/ipfire/firewall/config"
# Run converter
convert-xtaccess
# Remove old configuration
rm -rf "/var/ipfire/xtaccess"
fi
# DMZ Holes
if [ -d "/var/ipfire/dmzholes" ] || [ -d "/var/ipfire/portfw" ]; then
: > /var/ipfire/firewall/config
chown nobody:nobody "/var/ipfire/firewall/config"
# Run converter
convert-dmz
# Remove old configuration
rm -rf "/var/ipfire/dmzholes"
fi
# Port Forwardings
if [ -d "/var/ipfire/portfw" ]; then
# Run converter
convert-portfw
# Remove old configuration
rm -rf "/var/ipfire/portfw"
fi
# Convert location
convert-to-location
# Reload firewall
firewallctrl
# Snort to suricata converter.
if [ -d "/var/ipfire/snort" ]; then
# Run converter
convert-snort
# Remove old configuration directory.
rm -rf "/var/ipfire/snort"
fi
# IDS multiple providers converter.
if [ -e "/var/ipfire/suricata/rules-settings" ]; then
# Run the converter
convert-ids-multiple-providers
fi
# IDS backend converter.
if [ -e "/var/ipfire/suricata/oinkmaster.conf" ]; then
# Run the converter
convert-ids-backend-files
fi
# Convert DNS settings
convert-dns-settings
# move nobeeps if exist
[ -e "/var/ipfire/ppp/nobeeps" ] && mv /var/ipfire/ppp/nobeeps /var/ipfire/red/nobeeps
# Replace previously used OpenVPN Diffie-Hellman parameter by ffdhe4096
sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' /var/ipfire/ovpn/server.conf /var/ipfire/ovpn/n2nconf/*/*.conf
# Update OpenVPN CRL
/etc/fcron.daily/openvpn-crl-updater
# Update OpenVPN N2N Client Configs
## Add providers legacy default line to n2n client config files
# Check if ovpnconfig exists and is not empty
if [ -s /var/ipfire/ovpn/ovpnconfig ]; then
# Identify all n2n connections
for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do
# Add the legacy option to all N2N client conf files if it does not already exist
if [ $(grep -c "Open VPN Client Config" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 1 ] ; then
if [ $(grep -c "providers legacy default" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 0 ] ; then
echo "providers legacy default" >> /var/ipfire/ovpn/n2nconf/${y}/${y}.conf
fi
fi
done
fi
#Update ovpnconfig to include pass or no-pass for old backup versions missing the entry
# Check if ovpnconfig exists and is not empty
if [ -s /var/ipfire/ovpn/ovpnconfig ]; then
# Add blank line at top of ovpnconfig otherwise the first roadwarrior entry is treated like a blank line and missed out from update
awk 'NR==1{print ""}1' /var/ipfire/ovpn/ovpnconfig > /var/ipfire/ovpn/tmp_file && mv /var/ipfire/ovpn/tmp_file /var/ipfire/ovpn/ovpnconfig
# Make all N2N connections 'no-pass' since they do not use encryption
awk '{FS=OFS=","} {if($5=="net") {$43="no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new
# Evaluate roadwarrior connection names for *.p12 files
for y in $(awk -F',' '/host/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do
# Sort all unencrypted roadwarriors out and set 'no-pass' in [43] index
if [[ -n $(openssl pkcs12 -info -in /var/ipfire/ovpn/certs/${y}.p12 -noout -password pass:'' 2>&1 | grep 'Encrypted data') ]]; then
awk -v var="$y" '{FS=OFS=","} {if($3==var) {$43="no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new
fi
# Sort all encrypted roadwarriors out and set 'pass' in [43] index
if [[ -n $(openssl pkcs12 -info -in /var/ipfire/ovpn/certs/${y}.p12 -noout -password pass:'' 2>&1 | grep 'verify error') ]]; then
awk -v var="$y" '{FS=OFS=","} {if($3==var) {$43="pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new
fi
done
fi
# Replace existing ovpnconfig with updated index
mv /var/ipfire/ovpn/ovpnconfig.new /var/ipfire/ovpn/ovpnconfig
# Set correct ownership
chown nobody:nobody /var/ipfire/ovpn/ovpnconfig
# Generate new HTTPS RSA key if the existing is too small
KEYSIZE=$(openssl rsa -in /etc/httpd/server.key -text -noout | sed -n 's/Private-Key:\ (\(.*\)\ bit.*/\1/p')
if [ $KEYSIZE \< 2048 ]; then
openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null
chmod 600 /etc/httpd/server.key
sed "s/HOSTNAME/`hostname -f`/" < /etc/certparams | \
openssl req -new -key /etc/httpd/server.key \
-out /etc/httpd/server.csr &>/dev/null
openssl x509 -req -days 999999 -sha256 \
-in /etc/httpd/server.csr \
-signkey /etc/httpd/server.key \
-out /etc/httpd/server.crt &>/dev/null
fi
return 0
}
find_logfiles() {
local filelist=( /var/log/logwatch/* /var/log/messages* /var/log/*.log /var/log/**/*.log )
echo "${filelist[@]}"
}
make_addon_backup() {
local name="${1}"
shift
if [ ! -f "/var/ipfire/backup/addons/includes/${name}" ]; then
echo "${name} does not have any backup includes" >&2
return 1
fi
local filename="/var/ipfire/backup/addons/backup/${name}.ipf"
tar cvzf "${filename}" \
$(process_includes "/var/ipfire/backup/addons/includes/${name}")
}
restore_addon_backup() {
local name="${1}"
if [ -d "/tmp/${name}.ipf" ]; then
mv "/tmp/${name}.ipf" "/var/ipfire/backup/addons/backup/${name}.ipf"
fi
# Extract backup
if ! tar xvzpf "/var/ipfire/backup/addons/backup/${name}.ipf" -C /; then
echo "Could not extract backup" >&2
return 1
fi
}
main() {
local command="${1}"
shift
case "${command}" in
include)
local filename="${1}"
if [ -z "${filename}" ]; then
filename="/var/ipfire/backup/${NOW}.ipf"
fi
make_backup "${filename}" $(find_logfiles)
;;
exclude)
local filename="${1}"
if [ -z "${filename}" ]; then
filename="/var/ipfire/backup/${NOW}.ipf"
fi
make_backup "${filename}"
;;
restore)
local filename="${1}"
if [ -z "${filename}" ]; then
filename="/tmp/restore.ipf"
fi
restore_backup "${filename}"
;;
addonbackup)
make_addon_backup "$@"
;;
restoreaddon)
restore_addon_backup "${1/.ipf/}"
;;
iso)
# Desired backup filename
local filename="/var/ipfire/backup/${NOW}.ipf"
if make_backup "${filename}"; then
/usr/local/bin/backupiso "${NOW}"
fi
;;
makedirs)
mkdir -p /var/ipfire/backup/addons/{backup,includes}
;;
list)
process_includes "/var/ipfire/backup/include" "/var/ipfire/backup/include.user"
;;
/var/ipfire/backup/*.ipf|/var/ipfire/backup/addons/backup/*.ipf|/var/tmp/backupiso/*.iso)
unlink "${command}"
;;
*)
echo "${0}: [include|exclude|restore|addonbackup <addon>|restoreaddon <addon>|iso]" >&2
return 2
;;
esac
return $?
}
main "$@" || exit $?
Reference in New Issue View Git Blame Copy Permalink