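def setup_ufw(rollback=False):
    """
    Setup ufw and apply rules from settings UFW_RULES
    You can add rules and re-run setup_ufw but cannot delete rules or reset by script
    since deleting or reseting requires user interaction

    See Ubuntu Server documentation for more about UFW.

    rollback=True disables and purges ufw, but only when the 'ufw_installed'
    server state records that woven installed it in the first place.
    Returns None.
    """
    if rollback:
        #if it was installed by woven remove it else leave it the hell alone
        if server_state('ufw_installed'):
            sudo('ufw disable')
            apt_get_purge('ufw')
            set_server_state('ufw_installed', delete=True)
        return

    #TODO - Optimize to store & compare existing rules to stop unecessary reloads
    #Should be able to do something with the ufw status command to store the rules
    #ufw_rules = sudo("ufw status | awk '/tcp|udp/ {print $1,$2,$3}'").split('\n')

    #The original built "grep '%s'" without ever substituting the package name,
    #so it grepped for the literal text %s and effectively always reported ufw
    #as missing. Match only installed ('ii') rows whose package column is ufw,
    #so a removed-but-not-purged ('rc') entry or a package that merely mentions
    #ufw in its description does not count as installed.
    ufw = run("dpkg -l | awk '/^ii/ && $2 ~ /^ufw(:|$)/ {print $2}'").strip()
    #It would be nice to handle an existing installation but until ufw can easily
    #predefine rules in a conf we'll need to just mark it if woven installs it
    if not ufw:
        if env.verbosity:
            print("%s INSTALLING & ENABLING FIREWALL ufw" % env.host)
        apt_get_install('ufw')
        set_server_state('ufw_installed')
    #allow the ssh port before any other rule so enabling the firewall cannot
    #cut off the session that is configuring it
    sudo('ufw allow %s/tcp' % env.port)
    for rule in env.UFW_RULES:
        if rule:
            if env.verbosity:
                print(" * %s" % rule)
            sudo('ufw ' + rule)
    backup_file('/etc/ufw/ufw.conf')
    sed('/etc/ufw/ufw.conf', 'ENABLED=no', 'ENABLED=yes', use_sudo=True)
    sudo('ufw reload')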
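def restrict_ssh(rollback=False):
    """
    Set some sensible restrictions in Ubuntu /etc/ssh/sshd_config and restart sshd
    UseDNS no #prevents dns spoofing sshd defaults to yes
    X11Forwarding no # defaults to no
    AuthorizedKeysFile  %h/.ssh/authorized_keys

    uncomments PasswordAuthentication no and restarts sshd

    Returns True once sshd_config has been restricted (or, with rollback=True,
    restored from its backup). Returns False when the step is skipped: it
    already ran ('ssh_restricted' state), the remote user has no
    authorized_keys yet, or the user declined the interactive confirmation,
    in which case the uploaded template is restored again.
    """
    sshd_config = '/etc/ssh/sshd_config'
    restart_ssh = '/etc/init.d/ssh restart'

    def keep_host_port():
        #swap 'Port <DEFAULT_SSH_PORT>' for 'Port <HOST_SSH_PORT>' in the restored
        #file; the intent appears to be keeping sshd on the port this session
        #is using so the restart does not strand the connection
        sed(sshd_config, 'Port ' + str(env.DEFAULT_SSH_PORT),
            'Port ' + str(env.HOST_SSH_PORT), use_sudo=True)

    if rollback:
        #Full rollback
        restore_file(sshd_config)
        if server_state('ssh_port_changed'):
            keep_host_port()
        #one restart after all edits (the original restarted twice here)
        sudo(restart_ssh)
        set_server_state('ssh_restricted', delete=True)
        return True

    if server_state('ssh_restricted'):
        print("%s Warning: sshd_config has already been modified. Skipping.." % env.host)
        return False
    if env.verbosity:
        print("%s RESTRICTING SSH with %s" % (env.host, sshd_config))
    #do not pass go do not collect $200: without a key on the host, turning
    #off password logins below would lock the user out
    if not exists('/home/%s/.ssh/authorized_keys' % env.user):
        print("%s You need to upload_ssh_key first." % env.host)
        return False
    backup_file(sshd_config)
    context = {"HOST_SSH_PORT": env.HOST_SSH_PORT}
    upload_template('woven/ssh/sshd_config', sshd_config, context=context, use_sudo=True)
    # Restart sshd
    sudo(restart_ssh)

    # ``proceed`` defaults to True: the original only bound it inside the
    # interactive branch, so an interactive run whose template had no commented
    # PasswordAuthentication line raised UnboundLocalError on the check below.
    # With nothing to uncomment, proceeding is a no-op apart from recording state.
    proceed = True
    if env.INTERACTIVE and contains('#PasswordAuthentication no', sshd_config, use_sudo=True):
        c_text = 'Woven will now remove password login from ssh, and use only your ssh key. \n'
        c_text += 'CAUTION: please confirm that you can ssh %s@%s -p%s from a terminal without requiring a password before continuing.\n' % (env.user, env.host, env.port)
        c_text += 'If you cannot login, press enter to rollback your sshd_config file'
        proceed = confirm(c_text, default=False)

    if not proceed:
        #rollback the template but keep its backup so a later run can still restore
        print("%s Rolling back sshd_config to default and proceeding without passwordless login" % env.host)
        restore_file(sshd_config, delete_backup=False)
        keep_host_port()
        sudo(restart_ssh)
        return False

    #uncomments PasswordAuthentication no and restarts
    uncomment(sshd_config, r'#(\s?)PasswordAuthentication(\s*)no', use_sudo=True)
    sudo(restart_ssh)
    set_server_state('ssh_restricted')
    return True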
def uncomment_sources(rollback=False):
    """
    Uncomments universe sources in /etc/apt/sources.list if necessary
    #(.?)deb(.*)http:(.*)universe

    Backs the file up before editing it; rollback=True restores that backup.
    Returns None.
    """
    sources_list = '/etc/apt/sources.list'
    universe_pattern = '#(.?)deb(.*)http:(.*)universe'

    if rollback:
        restore_file(sources_list)
        return

    #nothing to do unless a commented-out universe line is present
    if not contains(filename=sources_list, text=universe_pattern):
        return
    if env.verbosity:
        print("%s UNCOMMENTING universe SOURCES in %s" % (env.host, sources_list))
    backup_file(sources_list)
    uncomment(sources_list, universe_pattern, use_sudo=True)
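def set_timezone(rollback=False):
    """
    Set the time zone on the server using Django settings.TIME_ZONE

    Returns False when /etc/timezone already contains env.TIME_ZONE (nothing
    to do), True after the zone was written (or restored from backup with
    rollback=True) and tzdata was reconfigured.
    """
    timezone_file = '/etc/timezone'
    reconfigure = 'dpkg-reconfigure --frontend noninteractive tzdata'

    if rollback:
        restore_file(timezone_file)
        sudo(reconfigure)
        return True

    if contains(text=env.TIME_ZONE, filename=timezone_file, use_sudo=True):
        if env.verbosity:
            print("%s Time Zone already set to %s" % (env.host, env.TIME_ZONE))
        return False
    if env.verbosity:
        print("%s CHANGING TIMEZONE %s to %s" % (env.host, timezone_file, env.TIME_ZONE))
    backup_file(timezone_file)
    # Write the target directly under sudo instead of staging it at the fixed
    # path /tmp/timezone first: a predictable file in a shared directory can be
    # pre-created or replaced by another local user between the echo and the cp.
    # The original already relied on sudo() interpreting the shell redirection.
    sudo('echo %s > %s' % (env.TIME_ZONE, timezone_file))
    # apply the new zone via tzdata's non-interactive reconfigure
    sudo(reconfigure)
    return True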
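def upload_ssh_key(rollback=False):
    """
    Upload your ssh key for passwordless logins

    Looks for a local public key in ~/.ssh (id_dsa.pub, id_rsa.pub,
    id_ed25519.pub, checked in that order) and appends it to the remote user's
    authorized_keys, backing that file up first if it already exists.
    rollback=True restores the backup, or removes the authorized_keys woven
    created when there was none to restore. Always returns None.
    """
    auth_keys = '/home/%s/.ssh/authorized_keys' % env.user

    if rollback:
        if exists(auth_keys + '.wovenbak'):
            restore_file(auth_keys)
        else:
            #no pre-existing keys: remove the authorized_keys woven created and
            #the .ssh directory only if that leaves it empty. The original ran
            #`rm -rf` on the whole directory (with an unsubstituted %s in the
            #path), which would also discard any private keys or known_hosts
            #the user kept there. run() suffices as the path is the user's own.
            run('rm -f %s' % auth_keys)
            run('rmdir %s 2>/dev/null || true' % os.path.dirname(auth_keys))
        return

    #.ssh is relative to the remote shell's working directory (expected to be
    #the user's home); 0700 keeps sshd's StrictModes happy whatever the umask
    if not exists('.ssh'):
        run('mkdir -m 700 .ssh')

    #determine local .ssh dir and pick the first public key found there
    #NOTE(review): DSA is tried first as in the original, but modern OpenSSH
    #disables ssh-dss by default, so a DSA-first preference may upload a key
    #the server will not accept - consider revisiting the order.
    home = os.path.expanduser('~')
    candidates = [os.path.join(home, '.ssh', name)
                  for name in ('id_dsa.pub', 'id_rsa.pub', 'id_ed25519.pub')]
    ssh_key = next((path for path in candidates if os.path.exists(path)), '')
    if not ssh_key:
        return

    with open(ssh_key, 'r') as key_file:
        public_key = key_file.read()
    if exists(auth_keys):
        backup_file(auth_keys)
    if env.verbosity:
        print("%s UPLOADING SSH KEY if it doesn't already exist on host" % env.host)
    append(public_key, auth_keys) #append prevents uploading twice
    #sshd's StrictModes (on by default) refuses an authorized_keys that is
    #group- or world-writable, which a permissive umask would produce
    run('chmod 600 %s' % auth_keys)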