Inital commit

This commit is contained in:
2020-06-25 10:22:52 +02:00
commit 11393c9613
11 changed files with 835 additions and 0 deletions

137
Tools/aclutil Executable file

@@ -0,0 +1,137 @@
#!/bin/bash
#Funtions
Help()
{
# Display Help
echo
echo "#######################"
echo "# ACL_UTIL Help #"
echo "#######################"
echo
echo "Syntax: aclutil [-u <username> [-g <groupname>][-a|r] <target folder>"
echo "options:"
echo "-h, --help Print this Help."
echo
echo "Get info about set ALC's"
echo "-l, --list #get current ACL rules"
echo "-lg --listgui #get current ACL rules using the eiciel GUI"
echo
echo "Set user/group for ACL change"
echo "-u <username>, --user <username> #User for ACL change"
echo "-g <groupname>, --group <groupname> #group for ACL change "
echo
echo "Action for ACL rule"
echo "-a, --add #add ACL rule"
echo "-r, --remove #Remove ACL rule"
echo
}
#Input Handeler
POSITIONAL=()
while [[ $# -gt 0 ]]
do
key="$1"
case $key in
-h | --help)
Help
exit
;;
-u | --user)
TARGET=user
USER=$2
shift
shift
;;
-g | --group)
TARGET=group
GROUP=$2
shift
shift
;;
-a | --add)
ACTION=add
shift
;;
-r | --remove)
ACTION=remove
shift
;;
-l | --list)
ACTION=list
shift
;;
-lg | --listgui)
ACTION=listgui
shift
;;
*) # unknown option
POSITIONAL+=("$1") # save it in an array for later
shift # past argument
;;
esac
done
set -- "${POSITIONAL[@]}" # restore positional parameters
FOLDERPATH="$1"
#input Validation
##Action flag
if [ -z ${ACTION+x} ]; then echo "Incorrect or missing parameter(s)" && Help && exit; fi
##Target Flag
if [ "$ACTION" = "remove" ] || [ "$ACTION" = "add" ]; then
if [ -z ${TARGET+x} ]; then echo "Incorrect or missing parameter(s)" && Help && exit; fi
##User flag
if [ "$TARGET" = "user" ] && [ -z $USER ]; then
echo "User name not specified"
exit
fi
##Group flag
if [ "$TARGET" = "group" ] && [ -z $GROUP ]; then
echo "Group name not specified"
exit
fi
fi
##Path
if [ -z $FOLDERPATH ]; then echo "File or directory not specified" && exit; fi
if [ ! -d "$FOLDERPATH" ] && [ ! -f "$FOLDERPATH" ]; then
echo "'$FOLDERPATH': No such file or directory"
fi
#Script
if [ "$ACTION" = "list" ]; then
getfacl $FOLDERPATH
fi
if [ "$ACTION" = "listgui" ]; then
echo "If gui did not start make sure X11 forwarding is enabled"
echo "and eiciel it is installed"
eiciel $FOLDERPATH
fi
if [ "$ACTION" = "add" ] && [ "$TARGET" = "user" ]; then
setfacl -R -m u:"$USER":rx "$FOLDERPATH"
setfacl -R -d -m u:"$USER":rx "$FOLDERPATH"
fi
if [ "$ACTION" = "add" ] && [ "$TARGET" = "group" ]; then
setfacl -R -m g:"$GROUP":rx "$FOLDERPATH"
setfacl -R -d -m g:"$GROUP":rx "$FOLDERPATH"
fi
if [ "$ACTION" = "remove" ] && [ "$TARGET" = "user" ]; then
setfacl -R -x u:"$USER" "$FOLDERPATH"
setfacl -R -d -x u:"$USER" "$FOLDERPATH"
fi
if [ "$ACTION" = "remove" ] && [ "$TARGET" = "group" ]; then
setfacl -R -x g:"$GROUP" "$FOLDERPATH"
setfacl -R -d -x g:"$GROUP" "$FOLDERPATH"
fi
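Review bot: The path check at the end of validation prints `'$FOLDERPATH': No such file or directory` but does not exit, so a mistyped path still reaches the `getfacl`/`setfacl` calls; add `exit 1` after that echo (the same gap exists in ez-aclutil's "Target backup not found" branch). The user, group and path tests use unquoted expansions (`[ -z $USER ]`, `[ -z $GROUP ]`, `[ -z $FOLDERPATH ]`, `getfacl $FOLDERPATH`), which break on values containing spaces; quote them, e.g. `[ -z "$USER" ]`. `USER=$2` in the option parser overwrites the login-name variable the shell exports, so `$USER` no longer refers to the invoking account; a private name such as `ACL_USER` avoids the collision (ez-aclutil has the same assignment). Every error path uses a bare `exit`, which returns status 0 and hides the failure from the sudo caller; `exit 1` is the conventional status. Since sudo.conf grants this tool to the whole BCKadmin group with any arguments and `FOLDERPATH="$1"` is unconstrained, restricting the accepted path to the backup tree (as ez-aclutil does by construction) would keep the root-level ACL change bounded to backup data.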

198
Tools/adduserutil Executable file

@@ -0,0 +1,198 @@
#!/bin/bash
#Funtions
Help()
{
# Display Help
echo "Add user to backupserver"
echo
echo "Syntax: adduserutil [-a|v|s|ts] <NewUserName>"
echo "options:"
echo "-h, --help Print this Help."
echo
echo "Set user type for new user"
echo "-a, --admin #Backup Admin"
echo "-v, --viewer #Backup Viewer "
echo "-s, --source #Backup Source (ex:a webserver)"
echo
echo "Set backup source options for new user"
echo "-ts, --sftp #Backup source will use sftp/rsync to upload files"
echo "-tf, --ftp #Backup source will use ftp to upload files"
echo
}
Keyer()
{
echo 'Please paste in the public ssh key without ""'
read sshkey
echo
echo
echo "The following key was received"
echo "$sshkey"
echo
while true; do
read -p "Is this key correct? " yn
case $yn in
[Yy]* ) break;;
[Nn]* ) exit;;
* ) echo "Please answer yes or no.";;
esac
done
}
#Input Handeler
POSITIONAL=()
while [[ $# -gt 0 ]]
do
key="$1"
case $key in
-h | --help)
Help
exit
;;
-v | --viewer)
USERTYPE=viewer
shift
;;
-a |--admin)
USERTYPE=admin
shift
;;
-s|--source)
USERTYPE=source
shift
;;
-tf|--ftp )
UPTYPE=FTP
shift
;;
-ts|--sftp )
UPTYPE=SFTP
shift
;;
*) # unknown option
POSITIONAL+=("$1") # save it in an array for later
shift # past argument
;;
esac
done
set -- "${POSITIONAL[@]}" # restore positional parameters
username="$1"
#Input Check
if [ -z "$username" ]
then
echo "Please provide a username"
echo "For more information type adduserutil -h"
echo
exit
fi
if [ "$username" = "root" ]; then
echo "Root is not allowed"
exit
fi
getent passwd $username > /dev/null
if [ $? -eq 0 ]; then
echo "This username already exists"
exit
fi
if [ -z "$USERTYPE" ]
then
echo "Please provide user type"
echo "For more information type adduserutil -h"
echo
exit
fi
if [ "$USERTYPE" = "source" ]; then
if [ -z "$UPTYPE" ]
then
echo "Please provide upload methode"
echo "For more information type adduserutil -h"
echo
exit
fi
fi
#Confirmation before setting user
echo "Create user with the following information"
echo "Username: $username"
echo "User type: $USERTYPE"
if [ "$USERTYPE" = "source" ]; then
echo "Upload methode $UPTYPE"
fi
while true; do
read -p "Do you wish to add this user? " yn
case $yn in
[Yy]* ) break;;
[Nn]* ) exit;;
* ) echo "Please answer yes or no.";;
esac
done
#Add Admin user
if [ "$USERTYPE" = "admin" ]; then
Keyer
useradd -g BCKadmin -s /bin/bash -m -d /home/"$username" "$username"
passwd --expire -d "$username"
sudo -u "$username" mkdir /home/$username/.ssh
echo "$sshkey" | sudo -u "$username" tee /home/"$username"/.ssh/authorized_keys
fi
#Add Viewer user
if [ "$USERTYPE" = "viewer" ]; then
Keyer
useradd -g BCKviewer -s /usr/sbin/nologin -d / "$username"
mkdir -p /vhome/"$username"/.ssh
mkdir -p /vhome/"$username"/backups
chown root: /vhome/"$username"
chmod 755 /vhome/"$username"
chown root: /vhome/"$username"
chown -R $username: /vhome/"$username"/.ssh
chmod 750 -R /vhome/"$username"/.ssh
echo "$sshkey" | sudo -u "$username" tee /vhome/"$username"/.ssh/authorized_keys
echo "/backups /vhome/$username/backups none defaults,bind 0 0" >>/etc/fstab
mount -a
fi
#Add sftp source user
if [ "$USERTYPE" = "source" ] && [ "$UPTYPE" = "SFTP" ]; then
Keyer
mkdir -p /backups/sftp/"$username"
useradd -M -N -r "$username"
usermod -g sftpusers "$username"
python3 /opt/grequalizer/grequalizer.py /opt/grequalizer/conf/grequalizer-sftp.conf -O
mkdir -p /backups/sftp/"$username"/home/.ssh
echo "$sshkey" > /backups/sftp/"$username"/home/.ssh/authorized_keys
chown -R $username: /backups/sftp/"$username"/home
chmod -R 700 /backups/sftp/"$username"/home
setfacl -R -m g:BCKadmin:rwx /backups/sftp/"$username"/home
setfacl -R -d -m g:BCKadmin:rwx /backups/sftp/"$username"/home
fi
#Add ftp source user
if [ "$USERTYPE" = "source" ] && [ "$UPTYPE" = "FTP" ]; then
password=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 18 | head -n 1)
useradd -M -N -r "$username"
usermod -g ftpusers "$username"
echo "$username" | tee -a /etc/vsftpd.user_list
python3 /opt/grequalizer/grequalizer.py /opt/grequalizer/conf/grequalizer-ftp.conf -O
setfacl -R -m g:BCKadmin:rwx /backups/ftp/"$username"
setfacl -R -d -m g:BCKadmin:rwx /backups/ftp/"$username"
echo $username:$password | chpasswd
echo "The password for $username is: $password"
fi
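Review bot: None of the `useradd` calls (admin, viewer, sftp and ftp branches) are checked, so when useradd rejects the name or a group is missing the script still runs `chown -R $username:`, writes `authorized_keys`, and in the viewer branch appends a bind mount to `/etc/fstab` and runs `mount -a` for an account that was never created; add `|| exit 1` to each, e.g. `useradd -g BCKadmin -s /bin/bash -m -d /home/"$username" "$username" || exit 1`. In the admin branch `passwd --expire -d` deletes the password instead of locking it, leaving an interactive `/bin/bash` account with an empty password field; if the intent is key-only login, `passwd -l "$username"` locks password authentication while the SSH key keeps working. The ftp branch's `echo $username:$password | chpasswd` is unquoted and should be `printf '%s:%s\n' "$username" "$password" | chpasswd`, and the generated secret is then echoed to stdout, where it lands in terminal scrollback and any session log. In `Keyer`, `read sshkey` should be `read -r sshkey`, and the pasted key is installed without any check that it parses as a public key; writing it to a `mktemp` file and running `ssh-keygen -l -f` on it before the install would reject garbage input.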

161
Tools/deluserutil Executable file

@@ -0,0 +1,161 @@
#!/bin/bash
#Funtions
Help()
{
# Display Help
echo "Remove user from backupserver"
echo
echo "Syntax: deluserutil [-a|v|s|ts] <UserName>"
echo "options:"
echo "-h, --help Print this Help."
echo
echo "Define user type for user that shoud we removed"
echo "-a, --admin #Backup Admin"
echo "-v, --viewer #Backup Viewer "
echo "-s, --source #Backup Source (ex:a webserver)"
echo
echo "Set backup source options for new user"
echo "-ts, --sftp #Backup source will use sftp/rsync to upload files"
echo "-tf, --ftp #Backup source will use ftp to upload files"
echo
}
#Input Handeler
POSITIONAL=()
while [[ $# -gt 0 ]]
do
key="$1"
case $key in
-h | --help)
Help
exit
;;
-v | --viewer)
USERTYPE=viewer
shift
shift
;;
-a |--admin)
USERTYPE=admin
shift
;;
-s|--source)
USERTYPE=source
shift
;;
-tf|--ftp )
UPTYPE=FTP
shift
;;
-ts|--sftp )
UPTYPE=SFTP
shift
;;
*) # unknown option
POSITIONAL+=("$1") # save it in an array for later
shift # past argument
;;
esac
done
set -- "${POSITIONAL[@]}" # restore positional parameters
username="$1"
#Input Check
if [ -z "$username" ]
then
echo "Please provide a username"
echo "For more information type deluserutil -h"
echo
exit
fi
if [ "$username" = "root" ]; then
echo "Root is not allowed"
fi
getent passwd $username > /dev/null
if [ $? -eq 2 ]; then
echo "This username does not exists"
exit
fi
if [ -z "$USERTYPE" ]
then
echo "Please provide user type"
echo "For more information type deluserutil -h"
echo
exit
fi
if [ "$USERTYPE" = "source" ]; then
if [ -z "$UPTYPE" ]
then
echo "Please provide upload methode"
echo "For more information type deluserutil -h"
echo
exit
fi
fi
#Confirmation before setting user
echo "Removing the user with the following information"
echo "Username: $username"
echo "User type: $USERTYPE"
if [ "$USERTYPE" = "source" ]; then
echo "Upload methode $UPTYPE"
fi
while true; do
read -p "Do you wish to REMOVE $username? " yn
case $yn in
[Yy]* ) break;;
[Nn]* ) exit;;
* ) echo "Please answer yes or no.";;
esac
done
#Remove Admin user
if [ "$USERTYPE" = "admin" ]; then
userdel -rf $username
fi
#Remove Viewer user
if [ "$USERTYPE" = "viewer" ]; then
umount /vhome/$username/backup
sed -i "/\/$username\//d" /etc/fstab
userdel -f $username
rm -rf /vhome/$username
fi
#Remove sftp source user
if [ "$USERTYPE" = "source" ] && [ "$UPTYPE" = "SFTP" ]; then
while true; do
read -p "Do you wish to REMOVE the backups connected to this user? " yn
case $yn in
[Yy]* ) rm -rf /backups/sftp/"$username" && break;;
[Nn]* ) break;;
* ) echo "Please answer yes or no.";;
esac
done
userdel -f $username
fi
#Remove ftp source user
if [ "$USERTYPE" = "source" ] && [ "$UPTYPE" = "FTP" ]; then
while true; do
read -p "Do you wish to REMOVE the backups connected to this user? " yn
case $yn in
[Yy]* ) rm -rf /backups/ftp/"$username" && break;;
[Nn]* ) break;;
* ) echo "Please answer yes or no.";;
esac
done
sed -i "/\<$username\>/d" /etc/ftpusers
userdel -f $username
fi
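Review bot: The viewer branch unmounts `/vhome/$username/backup` while the entry adduserutil writes to /etc/fstab is `/vhome/$username/backups`, so the umount fails unnoticed and the following `rm -rf /vhome/$username` recurses into the still-mounted bind of /backups and deletes the backup data itself; use `umount /vhome/"$username"/backups || exit 1` and `rm -rf --one-file-system -- /vhome/"${username:?}"`. The root guard prints "Root is not allowed" but does not exit (adduserutil's version does), so the script proceeds to `userdel -rf` on that name; add `exit 1` after the echo. The `-v|--viewer` arm shifts twice, unlike the same arm in adduserutil, which drops the username that follows the flag. The ftp branch removes the name from `/etc/ftpusers`, but adduserutil registers it in `/etc/vsftpd.user_list`, so the allow-list entry is never cleaned up; the `userdel $username` calls are also unquoted throughout.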

156
Tools/ez-aclutil Executable file

@@ -0,0 +1,156 @@
#!/bin/bash
#Funtions
Help()
{
# Display Help
echo
echo "#########################"
echo "# ez ACL_UTIL Help #"
echo "#########################"
echo
echo "Syntax: ezaclutil [-u <username> [-g <groupname>] [-a|r] [-f <ftpusername>] [-s <sftpusername>] <sourcename>"
echo "options:"
echo "-h, --help Print this Help."
echo
echo "Get info about set ALC's"
echo "-l, --list #get current ACL rules"
echo
echo "Set user/group for ACL change"
echo "-u <username>, --user <username> #User for ACL change"
echo "-g <groupname>, --group <groupname> #group for ACL change "
echo "-av, --allviewers #Set group to backup viewers (-g not needed)"
echo
echo "Action for ACL rule"
echo "-a, --add #add ACL rule"
echo "-r, --remove #Remove ACL rule"
echo
echo "Set target for ACL change"
echo "-f <ftpusername>, --ftp <ftpusername> #User fot ACL change"
echo "-s <sftpusername>, --sftp <sftpusername> #group fot ACL change "
echo
}
#Input Handeler
POSITIONAL=()
while [[ $# -gt 0 ]]
do
key="$1"
case $key in
-h | --help)
Help
exit
;;
-u | --user)
TARGET=user
USER=$2
shift
shift
;;
-g | --group)
TARGET=group
GROUP=$2
shift
shift
;;
-a | --add)
ACTION=add
shift
;;
-r | --remove)
ACTION=remove
shift
;;
-l | --list)
ACTION=list
shift
;;
-lg | --listgui)
ACTION=listgui
shift
;;
-av | --allviewers)
TARGET=group
GROUP=BCKviewer
shift
;;
-f | --ftp)
FOLDERPATH="/backups/ftp/$2"
shift
shift
;;
-s | --sftp)
FOLDERPATH="/backups/sftp/$2/home"
shift
shift
;;
*) # unknown option
POSITIONAL+=("$1") # save it in an array for later
shift # past argument
;;
esac
done
set -- "${POSITIONAL[@]}" # restore positional parameters
#input Validation
##Action flag
if [ -z ${ACTION+x} ]; then echo "Incorrect or missing parameter(s)" && Help && exit; fi
##Target Flag
if [ "$ACTION" = "remove" ] || [ "$ACTION" = "add" ]; then
if [ -z ${TARGET+x} ]; then echo "Incorrect or missing parameter(s)" && Help && exit; fi
##User flag
if [ "$TARGET" = "user" ] && [ -z $USER ]; then
echo "User name not specified"
exit
fi
##Group flag
if [ "$TARGET" = "group" ] && [ -z $GROUP ]; then
echo "Group name not specified"
exit
fi
fi
##Path
if [ -z $FOLDERPATH ]; then echo "Target backup not specified" && exit; fi
if [ ! -d "$FOLDERPATH" ] && [ ! -f "$FOLDERPATH" ]; then
echo "Target backup not found"
fi
#Script
if [ "$ACTION" = "list" ]; then
getfacl $FOLDERPATH
fi
if [ "$ACTION" = "listgui" ]; then
echo "If gui did not start make sure X11 forwarding is enabled"
echo "and eiciel it is installed"
eiciel $FOLDERPATH
fi
if [ "$ACTION" = "add" ] && [ "$TARGET" = "user" ]; then
setfacl -R -m u:"$USER":rx "$FOLDERPATH"
setfacl -R -d -m u:"$USER":rx "$FOLDERPATH"
fi
if [ "$ACTION" = "add" ] && [ "$TARGET" = "group" ]; then
setfacl -R -m g:"$GROUP":rx "$FOLDERPATH"
setfacl -R -d -m g:"$GROUP":rx "$FOLDERPATH"
fi
if [ "$ACTION" = "remove" ] && [ "$TARGET" = "user" ]; then
setfacl -R -x u:"$USER" "$FOLDERPATH"
setfacl -R -d -x u:"$USER" "$FOLDERPATH"
fi
if [ "$ACTION" = "remove" ] && [ "$TARGET" = "group" ]; then
setfacl -R -x g:"$GROUP" "$FOLDERPATH"
setfacl -R -d -x g:"$GROUP" "$FOLDERPATH"
fi
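Review bot: The `-f`/`-s` arms build `FOLDERPATH="/backups/ftp/$2"` and `"/backups/sftp/$2/home"` from an argument that is never validated, so this tool (which sudo.conf runs as root for every BCKadmin member) only stays confined to the backup tree if `$2` is a plain account name; check it before use, e.g. `[[ $2 =~ ^[a-z_][a-z0-9_-]*$ ]] || { echo "Invalid source name" >&2; exit 1; }`, or require `getent passwd "$2"` to succeed. An empty `$2` (a trailing `-f`) yields `/backups/ftp/`, which passes the `-d` test and applies the ACL change to every source at once; the same check catches that. The "Target backup not found" branch echoes and then continues into the `getfacl`/`setfacl` calls, the gap already noted for aclutil; it needs `exit 1`. `-lg|--listgui` and the `-av` default of `GROUP=BCKviewer` are handled by the parser but absent from the Help text.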


@@ -0,0 +1,36 @@
# Variables: $u: login name, $h: users home, $g: users primary group name
[main]
home_path = /backups/ftp/$u
simulate = no
limit_to_primary_group = yes
primary_group_name = ftpusers
minimum_users_count = 1
[home_existence]
check = yes
correct = yes
[home_permissions]
check = yes
correct = yes
octal_permissions = 750
[home_owner]
check = yes
correct = yes
owner = $u
[home_group]
check = yes
correct = yes
group = root
[user_home]
check = yes
correct = yes
home_path = /
[user_shell]
check = yes
correct = yes
shell = /usr/bin/ftponly


@@ -0,0 +1,47 @@
# Variables: $u: login name, $h: users home, $g: users primary group name
[main]
home_path = /backups/sftp/$u
simulate = no
limit_to_primary_group = yes
primary_group_name = sftpusers
minimum_users_count = 1
[home_existence]
check = yes
correct = yes
#[home_permissions]
#check = yes
#correct = yes
#octal_permissions = 755
[home_owner]
check = yes
correct = yes
owner = root
[home_group]
check = yes
correct = yes
group = root
[user_home]
check = yes
correct = yes
home_path = /home
[user_shell]
check = yes
correct = yes
shell = /usr/bin/rssh
[home_files]
check = yes
correct = yes
file_list = /opt/grequalizer/conf/files_to_chroots.txt
[home_binaries_with_libs]
check = yes
correct = yes
file_list = /opt/grequalizer/conf/binaries_to_chroots.txt

3
config/rssh_append.conf Normal file

@@ -0,0 +1,3 @@
allowscp
allowsftp
allowrsync

14
config/sshd_append.conf Normal file

@@ -0,0 +1,14 @@
DenyGroups ftpusers
Match group sftpusers
ChrootDirectory /backups/sftp/%u
AuthorizedKeysFile /backups/sftp/%u/%h/.ssh/authorized_keys
X11Forwarding no
AllowTcpForwarding no
Match Group BCKviewer
ChrootDirectory /vhome/%u
AuthorizedKeysFile /vhome/%u/.ssh/authorized_keys
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
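Review bot: The `Match group sftpusers` block disables X11 and TCP forwarding but sets no `ForceCommand`, `PermitTTY`, `AllowAgentForwarding` or `PermitTunnel`, so confinement of those accounts rests entirely on the rssh shell and the binaries grequalizer copies into each chroot; the viewer block already uses `ForceCommand internal-sftp`, and both blocks would benefit from the explicit denials below. adduserutil never sets a password for either group, so stating `PasswordAuthentication no` in each Match block records the key-only intent in the daemon config rather than leaving it to account state. `AuthorizedKeysFile /backups/sftp/%u/%h/.ssh/authorized_keys` only resolves if `%h` expands to `/home`, the `user_home` value grequalizer-sftp.conf enforces after useradd; a comment recording that dependency would help the next maintainer. Everything after the first `Match` line belongs to a Match block, so any global option appended later will silently land inside the last block.
```text
Match group sftpusers
    # … unchanged: ChrootDirectory, AuthorizedKeysFile, X11Forwarding, AllowTcpForwarding …
    AllowAgentForwarding no
    PermitTunnel no
    PasswordAuthentication no
Match Group BCKviewer
    # … unchanged: ChrootDirectory, AuthorizedKeysFile, ForceCommand, AllowTcpForwarding, X11Forwarding …
    AllowAgentForwarding no
    PermitTTY no
    PasswordAuthentication no
```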

1
config/sudo.conf Normal file

@@ -0,0 +1 @@
%BCKadmin ALL=(root) /tools/adduserutil, /tools/deluserutil, /tools/aclutil, /tools/ez-aclutil
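Review bot: The rule permits the four tools with any argument list, and `/tools/aclutil` takes an arbitrary target path, so the entry effectively lets every BCKadmin member change POSIX ACLs on any path as root; limiting the rule to `/tools/adduserutil, /tools/deluserutil, /tools/ez-aclutil` (whose targets are derived from a source name under /backups) or adding a path restriction inside aclutil keeps the grant bounded to backup data. The rule is only safe if the tools are root-owned and not group-writable, which setup.sh approximates with `chmod 700` but never states; a comment such as `# tools must be owned by root:root, mode 0700 — they run as root for the whole BCKadmin group` makes the precondition explicit. A sudoers fragment belongs in /etc/sudoers.d with mode 0440, validated with `visudo -cf`; setup.sh currently only downloads this file to the home directory, so the rule is never active. `NOPASSWD` is absent, which is worth keeping.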

25
config/vsftpd.conf Normal file

@@ -0,0 +1,25 @@
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
allow_writeable_chroot=YES
pam_service_name=ftp
user_sub_token=$USER
local_root=/backups/ftp/$USER
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
pasv_min_port=30000
pasv_max_port=31000
#Certificate/SSL
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=yes
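Review bot: `chroot_local_user=YES` appears twice on consecutive lines, and `ssl_enable=yes` is the only lowercase boolean in the file; drop the duplicate and write `ssl_enable=YES` for consistency with the other keys. With SSL enabled, `force_local_logins_ssl` and `force_local_data_ssl` default to YES in vsftpd, which is what an upload target wants, but stating `force_local_logins_ssl=YES` and `force_local_data_ssl=YES` explicitly documents that plaintext logins are refused on purpose. `allow_writeable_chroot=YES` is needed because grequalizer-ftp.conf makes each chroot root owned by `$u` with mode 750; a comment pointing at that config explains why an option commonly flagged as a weakening is set. `rsa_cert_file` and `rsa_private_key_file` both point at the file setup.sh generates with `openssl req`, so a comment noting that it contains the private key and must remain readable by root only would be useful.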

57
setup.sh Normal file

@@ -0,0 +1,57 @@
mrepo=https://git.ictmaatwerk.com/VPS-scripts/Backup-Util
mbranch=master
#install needed packages
apt install rssh vsftpd -y
#Setup groups
groupadd sftpusers
groupadd ftpusers
groupadd BCKviewer
groupadd BCKadmin
#setup Folders
mkdir -p /backups/ftp/
mkdir -p /backups/sftp/
mkdir -p /vhome
#setup tools
wget -q -t7 "$repo"/raw/branch/"$branch"/Tools/aclutil -O /tools/aclutil
wget -q -t7 "$repo"/raw/branch/"$branch"/Tools/adduserutil -O /tools/adduserutil
wget -q -t7 "$repo"/raw/branch/"$branch"/Tools/deluserutil -O /tools/deluserutil
wget -q -t7 "$repo"/raw/branch/"$branch"/Tools/ez-aclutil -O /tools/ez-aclutil
chmod 700 /tools/deluserutil
chmod 700 /tools/adduserutil
chmod 700 /tools/aclutil
chmod 700 /tools/ez-aclutil
#SSH Config
sed -i -e '/Subsystem\ssftp/c\Subsystem sftp internal-sftp' sshd_config
curl --silent --show-error "$repo"/raw/branch/"$branch"/config/sshd_append.conf >>/etc/ssh/sshd_config
#rssh Config
curl --silent --show-error "$repo"/raw/branch/"$branch"/config/rssh_append.conf >>/etc/rssh.conf
#vsftp Config
openssl req -new -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem -subj "/C=NL/ST=Gelderland/L=Arnhem/O=ICT Maatwerk B.V./CN=$(hostname -f)"
wget -q -t7 "$repo"/raw/branch/"$branch"/config/vsftpd.conf -O /etc/vsftpd.conf
#sudo Config
wget -q -t7 "$repo"/raw/branch/"$branch"/config/sudo.conf -O ~/
#Setup grequalizer
git clone https://github.com/lpirl/grequalizer.git /opt/grequalizer
mkdir /opt/grequalizer/conf/
echo "/opt/grequalizer" > /opt/grequalizer/conf/files_to_chroots.txt
echo "/usr/bin/rsync" > /opt/grequalizer/conf/binaries_to_chroots.txt
echo "/usr/bin/rssh" >> /opt/grequalizer/conf/binaries_to_chroots.txt
wget -q -t7 "$repo"/raw/branch/"$branch"/config/grequalizer-sftp.conf -O /opt/grequalizer/conf/grequalizer-sftp.conf
wget -q -t7 "$repo"/raw/branch/"$branch"/config/grequalizer-ftp.conf -O /opt/grequalizer/conf/grequalizer-ftp.conf
#UFW Config
##FTP
ufw allow 20:21/tcp
ufw allow 30000:31000/tcp
#SSH/SFTP
ufw limit 22/tcp
echo "y" | ufw limit > $OUTPUT 2>&1
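Review bot: The script defines `mrepo` and `mbranch` but every `wget`/`curl` line expands `$repo` and `$branch`, which are unset, so each download requests a relative URL and fails; because `wget -O` truncates its target first, the run leaves empty `/tools/*` scripts and an empty `/etc/vsftpd.conf`, while the `>>` appends add nothing to sshd_config and rssh.conf. `/tools` is never created, the `sed -i` at the SSH step edits a relative `sshd_config` rather than `/etc/ssh/sshd_config`, the sudoers fragment is saved to `~/` and never installed, and the last line references an unset `$OUTPUT` with a `ufw limit` that has no rule argument (presumably `ufw enable` was meant — confirm). Fetching the tools from the `master` branch and executing them as root with no integrity check is the supply-chain weak point of this setup; pin `branch` to a tag or commit and verify a published checksum before installing. A shebang plus `set -euo pipefail` would stop at the first failed download instead of leaving a half-configured server; the rewritten download path is sketched below.
```bash
#!/usr/bin/env bash
set -euo pipefail
repo=https://git.ictmaatwerk.com/VPS-scripts/Backup-Util
branch=master   # TODO: pin to a release tag or commit id
raw="$repo/raw/branch/$branch"

# fetch <remote-path> <local-path> <mode>: download to a temp file, verify, install
fetch() {
  local tmp
  tmp=$(mktemp) || exit 1
  wget -q -t7 "$raw/$1" -O "$tmp"
  # TODO: enable once a checksum for the pinned revision is published
  # sha256sum -c <<<"<EXPECTED_SHA256>  $tmp"
  install -o root -g root -m "$3" "$tmp" "$2"
  rm -f -- "$tmp"
}
# … unchanged: apt install, groupadd, mkdir for /backups and /vhome …
mkdir -p /tools
fetch Tools/aclutil     /tools/aclutil     0700
fetch Tools/adduserutil /tools/adduserutil 0700
fetch Tools/deluserutil /tools/deluserutil 0700
fetch Tools/ez-aclutil  /tools/ez-aclutil  0700
#SSH Config
sed -i -e '/Subsystem\ssftp/c\Subsystem sftp internal-sftp' /etc/ssh/sshd_config
curl --silent --show-error "$raw/config/sshd_append.conf" >>/etc/ssh/sshd_config
# … unchanged: rssh config, vsftpd certificate, grequalizer clone and conf, ufw rules …
fetch config/vsftpd.conf /etc/vsftpd.conf 0644
fetch config/sudo.conf /etc/sudoers.d/backuputil 0440
visudo -cf /etc/sudoers.d/backuputil
```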