webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-11 11:35:54 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
90ea6fac35ac12a6fea9163ac71da166370856fe
bpfire/config/backup/backup.pl
Adolf Belka c790899f73 backup.pl: Fixes bug#13404 - Clear out OpenVPN certs before doing restore 
- Existing situation is if four new client connections are created and then it is decided
   to restore to an earlier stage the new certficates will be in the certs directory but
   not usable from the WUI page as they are no longer shown in the client connection table
   as that now shows the ones from the restored backup.
- This patch clears the /var/ipfire/ovpn/certs/ directory before restoring the contents
   of the backup so that the certs directory only holds what was in the backup.

Fixes: Bug#13404
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-02-28 16:40:53 +00:00

361 lines
10 KiB
Bash
Raw Blame History

#!/bin/bash
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2007-2022 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
shopt -s nullglob
NOW="$(date "+%Y-%m-%d-%H:%M")"
list_addons() {
local file
for file in /var/ipfire/backup/addons/includes/*; do
if [ -f "${file}" ]; then
basename "${file}"
fi
done
return 0
}
process_includes() {
local include
for include in $@; do
local file
while read -r file; do
# Skip any empty line (which will include /)
[ -n "${file}" ] || continue
for file in /${file}; do
if [ -e "${file}" ]; then
echo "${file}"
fi
done
done < "${include}"
done | sort -u
}
make_backup() {
local filename="${1}"
shift
# Backup all addons first
local addon
for addon in $(list_addons); do
make_addon_backup "${addon}"
done
# Backup using global exclude/include definitions
tar cvfz "${filename}" -C / \
--exclude-from="/var/ipfire/backup/exclude" \
--exclude-from="/var/ipfire/backup/exclude.user" \
$(process_includes "/var/ipfire/backup/include") \
$(process_includes "/var/ipfire/backup/include.user") \
"$@"
return 0
}
restore_backup() {
local filename="${1}"
# remove all openvpn certs to prevent old unusable
# certificates being left in directory after a restore
rm -f /var/ipfire/ovpn/certs/*
# Extract backup
if ! tar xvzpf "${filename}" -C / \
--exclude-from="/var/ipfire/backup/exclude" \
--exclude-from="/var/ipfire/backup/exclude.user"; then
echo "Could not extract backup" >&2
return 1
fi
# Restart syslogd, httpd and suricata in case we've just loaded old logs
apachectl -k graceful
/bin/kill -HUP `cat /var/run/suricata.pid 2> /dev/null` 2> /dev/null
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null
# remove wrong vnstat tag file
rm -f /var/log/vnstat/tag
# create dhcpcd user
groupadd -g 52 dhcpcd
useradd -c 'dhcpcd privsep user' \
-d /run/dhcpcd/chroot \
-g dhcpcd \
-s /bin/false \
-u 52 dhcpcd
# Run converters
# Outgoing Firewall
if [ -d "/var/ipfire/outgoing" ]; then
# Reset files
local file
for file in /var/ipfire/firewall/{config,outgoing} \
/var/ipfire/fwhosts/custom{hosts,groups,networks}; do
: > "${file}"
chown nobody:nobody "${file}"
done
# Run converter
convert-outgoingfw
# Remove old configuration
rm -rf "/var/ipfire/outgoing"
fi
# External Access
if [ -d "/var/ipfire/xtaccess" ]; then
: > /var/ipfire/firewall/config
chown nobody:nobody "/var/ipfire/firewall/config"
# Run converter
convert-xtaccess
# Remove old configuration
rm -rf "/var/ipfire/xtaccess"
fi
# DMZ Holes
if [ -d "/var/ipfire/dmzholes" ] || [ -d "/var/ipfire/portfw" ]; then
: > /var/ipfire/firewall/config
chown nobody:nobody "/var/ipfire/firewall/config"
# Run converter
convert-dmz
# Remove old configuration
rm -rf "/var/ipfire/dmzholes"
fi
# Port Forwardings
if [ -d "/var/ipfire/portfw" ]; then
# Run converter
convert-portfw
# Remove old configuration
rm -rf "/var/ipfire/portfw"
fi
# Convert location
convert-to-location
# Reload firewall
firewallctrl
# Snort to suricata converter.
if [ -d "/var/ipfire/snort" ]; then
# Run converter
convert-snort
# Remove old configuration directory.
rm -rf "/var/ipfire/snort"
fi
# IDS multiple providers converter.
if [ -e "/var/ipfire/suricata/rules-settings" ]; then
# Run the converter
convert-ids-multiple-providers
fi
# IDS backend converter.
if [ -e "/var/ipfire/suricata/oinkmaster.conf" ]; then
# Run the converter
convert-ids-backend-files
fi
# Convert DNS settings
convert-dns-settings
# move nobeeps if exist
[ -e "/var/ipfire/ppp/nobeeps" ] && mv /var/ipfire/ppp/nobeeps /var/ipfire/red/nobeeps
# Replace previously used OpenVPN Diffie-Hellman parameter by ffdhe4096
sed -i 's|/var/ipfire/ovpn/ca/dh1024.pem|/etc/ssl/ffdhe4096.pem|' /var/ipfire/ovpn/server.conf /var/ipfire/ovpn/n2nconf/*/*.conf
# Update OpenVPN CRL
/etc/fcron.daily/openvpn-crl-updater
# Update OpenVPN N2N Client Configs
## Add providers legacy default line to n2n client config files
# Check if ovpnconfig exists and is not empty
if [ -s /var/ipfire/ovpn/ovpnconfig ]; then
# Identify all n2n connections
for y in $(awk -F',' '/net/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do
# Add the legacy option to all N2N client conf files if it does not already exist
if [ $(grep -c "Open VPN Client Config" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 1 ] ; then
if [ $(grep -c "providers legacy default" /var/ipfire/ovpn/n2nconf/${y}/${y}.conf) -eq 0 ] ; then
echo "providers legacy default" >> /var/ipfire/ovpn/n2nconf/${y}/${y}.conf
fi
fi
done
fi
#Update ovpnconfig to include pass or no-pass for old backup versions missing the entry
# Check if ovpnconfig exists and is not empty
if [ -s /var/ipfire/ovpn/ovpnconfig ]; then
# Add blank line at top of ovpnconfig otherwise the first roadwarrior entry is treated like a blank line and missed out from update
awk 'NR==1{print ""}1' /var/ipfire/ovpn/ovpnconfig > /var/ipfire/ovpn/tmp_file && mv /var/ipfire/ovpn/tmp_file /var/ipfire/ovpn/ovpnconfig
# Make all N2N connections 'no-pass' since they do not use encryption
awk '{FS=OFS=","} {if($5=="net") {$43="no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new
# Evaluate roadwarrior connection names for *.p12 files
for y in $(awk -F',' '/host/ { print $3 }' /var/ipfire/ovpn/ovpnconfig); do
# Sort all unencrypted roadwarriors out and set 'no-pass' in [43] index
if [[ -n $(openssl pkcs12 -info -in /var/ipfire/ovpn/certs/${y}.p12 -noout -password pass:'' 2>&1 | grep 'Encrypted data') ]]; then
awk -v var="$y" '{FS=OFS=","} {if($3==var) {$43="no-pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new
fi
# Sort all encrypted roadwarriors out and set 'pass' in [43] index
if [[ -n $(openssl pkcs12 -info -in /var/ipfire/ovpn/certs/${y}.p12 -noout -password pass:'' 2>&1 | grep 'verify error') ]]; then
awk -v var="$y" '{FS=OFS=","} {if($3==var) {$43="pass"; print $0}}' /var/ipfire/ovpn/ovpnconfig >> /var/ipfire/ovpn/ovpnconfig.new
fi
done
fi
# Replace existing ovpnconfig with updated index
mv /var/ipfire/ovpn/ovpnconfig.new /var/ipfire/ovpn/ovpnconfig
# Set correct ownership
chown nobody:nobody /var/ipfire/ovpn/ovpnconfig
# Generate new HTTPS RSA key if the existing is too small
KEYSIZE=$(openssl rsa -in /etc/httpd/server.key -text -noout | sed -n 's/Private-Key:\ (\(.*\)\ bit.*/\1/p')
if [ $KEYSIZE \< 2048 ]; then
openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null
chmod 600 /etc/httpd/server.key
sed "s/HOSTNAME/`hostname -f`/" < /etc/certparams | \
openssl req -new -key /etc/httpd/server.key \
-out /etc/httpd/server.csr &>/dev/null
openssl x509 -req -days 999999 -sha256 \
-in /etc/httpd/server.csr \
-signkey /etc/httpd/server.key \
-out /etc/httpd/server.crt &>/dev/null
fi
return 0
}
find_logfiles() {
local filelist=( /var/log/logwatch/* /var/log/messages* /var/log/*.log /var/log/**/*.log )
echo "${filelist[@]}"
}
make_addon_backup() {
local name="${1}"
shift
if [ ! -f "/var/ipfire/backup/addons/includes/${name}" ]; then
echo "${name} does not have any backup includes" >&2
return 1
fi
local filename="/var/ipfire/backup/addons/backup/${name}.ipf"
tar cvzf "${filename}" \
$(process_includes "/var/ipfire/backup/addons/includes/${name}")
}
restore_addon_backup() {
local name="${1}"
if [ -d "/tmp/${name}.ipf" ]; then
mv "/tmp/${name}.ipf" "/var/ipfire/backup/addons/backup/${name}.ipf"
fi
# Extract backup
if ! tar xvzpf "/var/ipfire/backup/addons/backup/${name}.ipf" -C /; then
echo "Could not extract backup" >&2
return 1
fi
}
main() {
local command="${1}"
shift
case "${command}" in
include)
local filename="${1}"
if [ -z "${filename}" ]; then
filename="/var/ipfire/backup/${NOW}.ipf"
fi
make_backup "${filename}" $(find_logfiles)
;;
exclude)
local filename="${1}"
if [ -z "${filename}" ]; then
filename="/var/ipfire/backup/${NOW}.ipf"
fi
make_backup "${filename}"
;;
restore)
local filename="${1}"
if [ -z "${filename}" ]; then
filename="/tmp/restore.ipf"
fi
restore_backup "${filename}"
;;
addonbackup)
make_addon_backup "$@"
;;
restoreaddon)
restore_addon_backup "${1/.ipf/}"
;;
iso)
# Desired backup filename
local filename="/var/ipfire/backup/${NOW}.ipf"
if make_backup "${filename}"; then
/usr/local/bin/backupiso "${NOW}"
fi
;;
makedirs)
mkdir -p /var/ipfire/backup/addons/{backup,includes}
;;
list)
process_includes "/var/ipfire/backup/include" "/var/ipfire/backup/include.user"
;;
/var/ipfire/backup/*.ipf|/var/ipfire/backup/addons/backup/*.ipf|/var/tmp/backupiso/*.iso)
unlink "${command}"
;;
*)
echo "${0}: [include|exclude|restore|addonbackup <addon>|restoreaddon <addon>|iso]" >&2
return 2
;;
esac
return $?
}
main "$@" || exit $?
Reference in New Issue View Git Blame Copy Permalink