From 9e6a8fcb148839a836a562fb40aa29a907aaae89 Mon Sep 17 00:00:00 2001 From: Michael Kroes Date: Sat, 12 Mar 2016 16:42:34 +0100 Subject: [PATCH 1/8] Add ufw defaults, configure hostname on the running system, make /etc/defaults non group writable --- setup/system.sh | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/setup/system.sh b/setup/system.sh index 1aeec458..abf4b834 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -4,6 +4,25 @@ source setup/functions.sh # load our functions # Basic System Configuration # ------------------------- +# ### Ensure system defaults access rights are correctly configured + +# If the /etc/default directory has group write rights, the installer will +# display a lot of warnings during setup + +chmod g-w /etc/default + +# ### Set hostname of the box + +# If the hostname is not resolvable sudo can't be used. This will result in +# errors during the install +# +# First the hostname in the configuration file, the activate the setting +# Also make sure that loopback device resolves to the hostname + +echo $PRIMARY_HOSTNAME > /etc/hostname +hostname $PRIMARY_HOSTNAME +sed -i "s/127\.0\.1\.1.*/127.0.1.1\t$PRIMARY_HOSTNAME/" /etc/hosts + # ### Add Mail-in-a-Box's PPA. # We've built several .deb packages on our own that we want to include. @@ -164,6 +183,9 @@ if [ -z "$DISABLE_FIREWALL" ]; then # Install `ufw` which provides a simple firewall configuration. apt_install ufw + # Make sure the system has a default policy to accept incoming connections + sed -i "s/DEFAULT_INPUT_POLICY.*/DEFAULT_INPUT_POLICY=\"ACCEPT\"/" /etc/default/ufw + # Allow incoming connections to SSH. ufw_allow ssh; From 3a2bd32447e4b9f6ed9157353302665bee63a3b0 Mon Sep 17 00:00:00 2001 From: Michael Kroes Date: Sat, 12 Mar 2016 17:01:33 +0100 Subject: [PATCH 2/8] If no IPV6 address is present, disable that in the firewall to prevent errors during setup --- setup/system.sh | 7 +++++++ 1 file changed, 7 insertions(+) 
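Review bot: `echo $PRIMARY_HOSTNAME > /etc/hostname` and `hostname $PRIMARY_HOSTNAME` expand the variable unquoted, and the `sed -i` on /etc/hosts is a silent no-op when the image has no `127.0.1.1` line, so the box can still end up with a hostname that does not resolve, which is exactly the failure the comment above describes. Quote the expansions (`echo "$PRIMARY_HOSTNAME" > /etc/hostname`, `hostname "$PRIMARY_HOSTNAME"`) and guard the substitution with a `grep -q '^127\.0\.1\.1' /etc/hosts` that appends the entry when it is absent. Patch 7 of this series drops the whole hostname block in favour of PR #773, so the fix belongs there; the `chmod g-w /etc/default` line that remains is fine as written.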
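Review bot: `sed -i "s/DEFAULT_INPUT_POLICY.*/DEFAULT_INPUT_POLICY=\"ACCEPT\"/" /etc/default/ufw` flips ufw's default input policy from its shipped value of DROP to ACCEPT, which makes every listening service reachable whether or not a `ufw_allow` rule exists, so the firewall enabled later with `ufw --force enable` no longer restricts anything. If a provider image ships a non-standard default, the value to pin is `DROP`, not `ACCEPT`; patch 5 of this series removes this line again, which is the right outcome. Separately, the pattern is unanchored and rewrites any line containing the token, comments included; anchor it as `s/^DEFAULT_INPUT_POLICY=.*/…/`. The same unanchored-pattern concern applies to the `IPV6.*` substitutions in patches 2 and 8 and the `ENABLED.*` substitutions in patches 5 and 6.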
diff --git a/setup/system.sh b/setup/system.sh index abf4b834..92f7941b 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -186,6 +186,13 @@ if [ -z "$DISABLE_FIREWALL" ]; then # Make sure the system has a default policy to accept incoming connections sed -i "s/DEFAULT_INPUT_POLICY.*/DEFAULT_INPUT_POLICY=\"ACCEPT\"/" /etc/default/ufw + # If IPV6 is disabled we should disable it in the ufw defaults + if [ -z "$PUBLIC_IPV6" ]; then + sed -i "s/IPV6.*/IPV6=no/" /etc/default/ufw + else + sed -i "s/IPV6.*/IPV6=yes/" /etc/default/ufw + fi + # Allow incoming connections to SSH. ufw_allow ssh; From a40dafb751a411cc0b302dc2939df40d455beef3 Mon Sep 17 00:00:00 2001 From: Michael Kroes Date: Sat, 12 Mar 2016 17:13:13 +0100 Subject: [PATCH 3/8] Fix bad english --- setup/system.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/system.sh b/setup/system.sh index 92f7941b..2c7bc472 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -13,11 +13,11 @@ chmod g-w /etc/default # ### Set hostname of the box -# If the hostname is not resolvable sudo can't be used. This will result in +# If the hostname is not correctly resolvable sudo can't be used. This will result in # errors during the install # -# First the hostname in the configuration file, the activate the setting -# Also make sure that loopback device resolves to the hostname +# First set the hostname in the configuration file, then activate the setting +# Also make sure that the loopback device resolves to the hostname echo $PRIMARY_HOSTNAME > /etc/hostname hostname $PRIMARY_HOSTNAME From 3f27309d8c3870f092cef56be5b030068ae7f3b9 Mon Sep 17 00:00:00 2001 From: Michael Kroes Date: Sat, 12 Mar 2016 21:23:18 +0100 Subject: [PATCH 4/8] Add offender to the comments --- setup/system.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/setup/system.sh b/setup/system.sh index 2c7bc472..b6584cc4 100755 --- a/setup/system.sh +++ b/setup/system.sh 
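Review bot: The new branch sets `IPV6=no` whenever `$PUBLIC_IPV6` is empty, i.e. it keys ufw's IPv6 handling on whether a public address was detected rather than on whether the kernel can filter IPv6 at all. With `IPV6=no` any IPv6 traffic the host does receive (a public address the provider assigns later, or one that detection missed) bypasses ufw entirely, so the safer default is to keep `IPV6=yes` unless ip6_tables is genuinely unavailable. Patch 8 of this series reworks the check along those lines; until then the `else` branch is the only one that should run on a normal kernel.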
@@ -8,6 +8,8 @@ source setup/functions.sh # load our functions # If the /etc/default directory has group write rights, the installer will # display a lot of warnings during setup +# +# This is incorrectly configured on Scaleway servers chmod g-w /etc/default From b79732ed1e5ffd6149b35d18a44c79573d27d1e0 Mon Sep 17 00:00:00 2001 From: Michael Kroes Date: Sun, 13 Mar 2016 07:45:32 +0100 Subject: [PATCH 5/8] Make sure that ip6_tables module is loaded --- setup/system.sh | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) diff --git a/setup/system.sh b/setup/system.sh index b6584cc4..9d2c636d 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -185,16 +185,18 @@ if [ -z "$DISABLE_FIREWALL" ]; then # Install `ufw` which provides a simple firewall configuration. apt_install ufw - # Make sure the system has a default policy to accept incoming connections - sed -i "s/DEFAULT_INPUT_POLICY.*/DEFAULT_INPUT_POLICY=\"ACCEPT\"/" /etc/default/ufw - - # If IPV6 is disabled we should disable it in the ufw defaults - if [ -z "$PUBLIC_IPV6" ]; then - sed -i "s/IPV6.*/IPV6=no/" /etc/default/ufw - else - sed -i "s/IPV6.*/IPV6=yes/" /etc/default/ufw + # Some providers don't load the ip6_tables kernel module (Scaleway) + if [ -z "`lsmod | grep ^ip6_tables`" ]; then + echo ip6_tables >> /etc/modules + modprobe ip6_tables fi + # Some default configurations disable the firewall in the settings (Scaleway) + # If this isn't set, enabling the firewall will fail with: + # + # ERROR: Could not load logging rules + sed -i "s/ENABLED.*/ENABLED=yes/" /etc/ufw/ufw.conf + # Allow incoming connections to SSH. ufw_allow ssh; From 4ad318063b872ca885ec41ced9bd14b875e2c700 Mon Sep 17 00:00:00 2001 From: Michael Kroes Date: Sun, 13 Mar 2016 09:03:00 +0100 Subject: [PATCH 6/8] Enable ufw in the config after allowing SSH --- setup/system.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/setup/system.sh b/setup/system.sh index 9d2c636d..cd39dc9e 100755 
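Review bot: `echo ip6_tables >> /etc/modules` appends a fresh line on every run, so re-running the installer accumulates duplicate entries; make it idempotent with `grep -qx ip6_tables /etc/modules || echo ip6_tables >> /etc/modules`. The test around it uses a backtick capture compared against the empty string; `if ! lsmod | grep -q '^ip6_tables '; then` says the same thing without the subshell and the unquoted pattern. `modprobe ip6_tables` is not checked either, and if it fails the problem only surfaces later at `ufw --force enable`, so `modprobe ip6_tables || echo "ip6_tables could not be loaded" >&2` would report it at the source. Patch 8 carries the same unguarded append into its inner `if`.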
--- a/setup/system.sh +++ b/setup/system.sh @@ -191,12 +191,6 @@ if [ -z "$DISABLE_FIREWALL" ]; then modprobe ip6_tables fi - # Some default configurations disable the firewall in the settings (Scaleway) - # If this isn't set, enabling the firewall will fail with: - # - # ERROR: Could not load logging rules - sed -i "s/ENABLED.*/ENABLED=yes/" /etc/ufw/ufw.conf - # Allow incoming connections to SSH. ufw_allow ssh; @@ -213,6 +207,12 @@ if [ -z "$DISABLE_FIREWALL" ]; then fi fi + # Some default configurations disable the firewall in the settings (Scaleway) + # If this isn't set, enabling the firewall will fail with: + # + # ERROR: Could not load logging rules + sed -i "s/ENABLED.*/ENABLED=yes/" /etc/ufw/ufw.conf + ufw --force enable; fi #NODOC From 402b35db9d5a38e543dacc843e50113c4a8b0b55 Mon Sep 17 00:00:00 2001 From: Michael Kroes Date: Sat, 26 Mar 2016 15:39:07 +0100 Subject: [PATCH 7/8] Remove setting of hostname, move to seperate PR #773 --- setup/system.sh | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/setup/system.sh b/setup/system.sh index c76cf740..ce8eba36 100755 --- a/setup/system.sh +++ b/setup/system.sh @@ -13,18 +13,6 @@ source setup/functions.sh # load our functions chmod g-w /etc/default -# ### Set hostname of the box - -# If the hostname is not correctly resolvable sudo can't be used. This will result in -# errors during the install -# -# First set the hostname in the configuration file, then activate the setting -# Also make sure that the loopback device resolves to the hostname - -echo $PRIMARY_HOSTNAME > /etc/hostname -hostname $PRIMARY_HOSTNAME -sed -i "s/127\.0\.1\.1.*/127.0.1.1\t$PRIMARY_HOSTNAME/" /etc/hosts - # ### Add swap space to the system # If the physical memory of the system is below 2GB it is wise to create a From bf82a1a535075bc3e7b2ea5b77d8e8d4816556ab Mon Sep 17 00:00:00 2001 
From: Michael Kroes Date: Sun, 27 Mar 2016 14:29:02 +0200 Subject: [PATCH 8/8] Add a preflight check for the precence of ip_tables. Check if the kernel has ipv6_tables support and if the module is present load it. If ipv6 support isn't available and we have a public ipv6 address warn the user that the system has no ipv6 firewall --- setup/preflight.sh | 21 +++++++++++++++++++++ setup/system.sh | 40 ++++++++++++++++++++++++++++++++++++---- 2 files changed, 57 insertions(+), 4 deletions(-) diff --git a/setup/preflight.sh b/setup/preflight.sh index c3351471..3f7d9091 100644 --- a/setup/preflight.sh +++ b/setup/preflight.sh @@ -60,3 +60,24 @@ if [ -z "$ARM" ]; then exit fi fi + +# Check that the kernel supports at least ipv4 ip_tables, either by a module or by being +# compiled directly in the kernel +# +# If this isn't supported tell the user to compile the kernel module or disable the firewall +# and inform of the risk of doing so. +if + [ ! -e /proc/net/ip_tables_names ] && + [ ! -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_tables.ko ] && + [ -z "$DISABLE_FIREWALL" ] +then + echo "Your system doesn't support at least ipv4 ip_tables. You will either need to compile" + echo "a kernel that supports it, or compile the kernel module" + echo + echo "If you would like to continue without a firewall you can set 'export DISABLE_FIREWALL=1' at the" + echo "command line. However, doing this prevents Mail-in-a-Box to activate fail2ban. This service" + echo "protects the system from bruteforce attacks on the exposed network services. Also services " + echo "that shouldn't be exposed are now exposed if you don't use a different (external) firewall" + exit +fi + diff --git a/setup/system.sh b/setup/system.sh index ce8eba36..44c106cb 100755 --- a/setup/system.sh +++ b/setup/system.sh 
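Review bot: The kernel-support test relies on a hard-coded `.ko` path under /lib/modules built from an unquoted backtick `uname -r` capture, which misses modules stored elsewhere or compressed (`.ko.xz`), so a perfectly capable kernel can trip the check; `modprobe -n -q ip_tables` (a dry run) asks the module loader the same question and, as far as I recall, also succeeds for built-in modules, which would let it replace the path test. The failing branch ends with a bare `exit`, which returns 0 and lets a caller treat the aborted preflight as success; `exit 1` matches what the messages say, even though the existing checks above use the same idiom. In the user-facing text, `prevents Mail-in-a-Box to activate fail2ban` should read `prevents Mail-in-a-Box from activating fail2ban`.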
@@ -227,10 +227,42 @@ if [ -z "$DISABLE_FIREWALL" ]; then # Install `ufw` which provides a simple firewall configuration. apt_install ufw - # Some providers don't load the ip6_tables kernel module (Scaleway) - if [ -z "`lsmod | grep ^ip6_tables`" ]; then - echo ip6_tables >> /etc/modules - modprobe ip6_tables + # Check if the ip_tables has ipv6 support on this system, prefilght has + # taken care of ipv4. + # + # We check if: + # - the kernel has support built-in + # - the module is present on the system. + # + # If no ipv6 support is available we disable the ipv6 firewall + # + # If ipv6 is supported on the system we load the module if necessary and activate the + # ipv6 firewall. + if + [ ! -e /proc/net/ip6_tables_names ] && + [ ! -e /lib/modules/`uname -r`/kernel/net/ipv6/netfilter/ip6_tables.ko ] + then + # If we have a public ipv6 address we should notify the user that no ipv6 firewall is available + if [ ! -z "$PUBLIC_IPV6" ]; then + echo "WARNING: There is a public ipv6 address but no ipv6 firewall available in the kernel" + fi + + # Disable the IPV6 firewall + sed -i "s/IPV6.*/IPV6=no/" /etc/default/ufw + else + # Check if the ipv6 ip_tables is not active in the kernel or that the module + # isn't loaded. Some providers fail to load the module by default (Scaleway) + if + [ ! -e /proc/net/ip6_tables_names ] && + [ -z "`lsmod | grep ^ip6_tables`" ] + then + # Load the ip6_tables kernel module, previous step made sure it exists + echo ip6_tables >> /etc/modules + modprobe ip6_tables + fi + + # Enable the IPV6 firewall + sed -i "s/IPV6.*/IPV6=yes/" /etc/default/ufw fi # Allow incoming connections to SSH.
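Review bot: In the no-IPv6-support branch the `echo "WARNING: ..."` goes to stdout and setup simply continues with `IPV6=no`, so a box with a public IPv6 address ends up with every service reachable over v6 with no ufw filtering, and the only trace is one line in the install output. Route it to stderr with `>&2`, say what is exposed, and consider treating it the way the preflight treats missing IPv4 support, i.e. stop unless the operator has explicitly opted in. The outer `.ko` path test is the preflight check with `ipv4` swapped for `ipv6` and has the same backtick/quoting and compressed-module weaknesses, so a small helper in setup/functions.sh (already sourced at the top of this file) used by both would keep them from drifting. The inner test should likewise use `lsmod | grep -q '^ip6_tables '` rather than a backtick capture compared against the empty string.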