commit d16c28fe381dcfaa2447ea58ffe5d4bd7770b318
Author: Bram Prieshof
Date: Fri Jun 26 10:41:13 2020 +0200
Initial commit
diff --git a/Docs/Readme.md b/Docs/Readme.md
new file mode 100755
index 0000000..60fb442
--- /dev/null
+++ b/Docs/Readme.md
@@ -0,0 +1,2 @@
+# Source files for UBU-Backup-SRV
+
diff --git a/Docs/docs/index.md b/Docs/docs/index.md
new file mode 100755
index 0000000..53b8672
--- /dev/null
+++ b/Docs/docs/index.md
@@ -0,0 +1,30 @@
+# Backup server
+ 
+## Role explenation
+| Name | Description |
+| -------- | ------------ |
+| Source | Can upload file to it home via sftp or ftp example: webserver |
+| Viewer | Can read source home folders that have been allowed via ALC's |
+| Admin | Can manage users and ACL's and can read/write to all home folders |
+ 
+
+## Folder locations
+| Location | Description |
+| -------- | ------------ |
+| /backups/ftp/`` | Home of ftp source users |
+| /backups/sftp/``/home | Home of sftp source users |
+| /vhome/`` | Home of viewer users |
+| /tools/ | stores tools to manage ACL's and users for the admin |
+
+
+## Tools
+A admin can run tools using the following command `sudo /tools/`
+
+| Name | Description |
+| -------- | ------------ |
+| aclutil | For modifing ALC's |
+| ez-aclutil | Like aclutil but with extra options for source home |
+| adduserutil | For adding users |
+| deluserutil | For removing users |
+
+More information about using these tools can be found under the Utils tab
\ No newline at end of file
diff --git a/Docs/docs/utils.md b/Docs/docs/utils.md
new file mode 100644
index 0000000..002dd93
--- /dev/null
+++ b/Docs/docs/utils.md
@@ -0,0 +1,147 @@
+# Provided tools/utilities
+
+## aclutil
+### Examples
+Get info for /home/test
+`sudo /tools/aclutil -l /home/test`
+
+Give user: admin1 read acces to /test/folder
+`sudo /tools/aclutil -a -u admin1 /test/folder`
+
+Give group: accesusers read acces to /test/folder
+`sudo /tools/aclutil -a -g accesusers /test/folder`
+
+Remove read acces to /test/folder for user: admin1
+`sudo /tools/aclutil -r -u admin1 /test/folder`
+
+Remove read acces to /test/folder for group: accesusers
+`sudo /tools/aclutil -r -g accesusers /test/folder`
+
+### Help
+Syntax: aclutil [-u [-g ``][-a|r] ``
+options:
+Get info about Current ALC's
+```
+-l, --list #get current ACL rules
+-lg --listgui #get current ACL rules using the eiciel GUI
+```
+Set user/group for ACL change
+```
+-u , --user #User for ACL change
+-g , --group #group for ACL change
+```
+Action for ACL rule
+```
+-a, --add #add ACL rule
+-r, --remove #Remove ACL rule
+```
+## ez-aclutil
+a modified version of aclutil tailored for the backup server source users
+### Examples
+list info about source u1204 that uses ftp to upload
+`sudo /tools/ez-aclutil -l -f u1204`
+
+list info about source hxa001 that uses sftp to upload
+`sudo /tools/ez-aclutil -l -s hxa001`
+
+Give all Viewer acces to source hxa001 that uses sftp to upload
+`sudo /tools/ez-aclutil -a -av -s hxa001`
+
+Remove acces to all Viewers to acces source u1204 that uses ftp to upload
+`sudo /tools/ez-aclutil -r -av -f u1204`
+
+Give Viewer vwr21 acces to source hxa001 that uses sftp to upload
+`sudo /tools/ez-aclutil -a -u vrw21 -s hxa001`
+
+Remove acces for vwr21 Viewer to acces source hxa001 that uses sftp to upload
+`sudo /tools/ez-aclutil -r -u vrw21 -s hxa001`
+
+Give group: gra1 acces to source u1204 that uses ftp to upload
+`sudo /tools/ez-aclutil -a -g gra1 -f u1204`
+
+Remove acces for group: gra1 to acces source u1204 that uses ftp to upload
+`sudo /tools/ez-aclutil -r -g gra1 -f u1204`
+
+### Help
+Syntax: ez-aclutil [-u `` | -g `` | -av] [-a|r] [-f ``] [-s ``]
+
+
+Get info about set ALC's
+```
+-l, --list #get current ACL for specified source user's home
+-gl, --listgui #get current ACL for specified source user's home using eiciel
+```
+Set user/group for ACL change
+```
+-u , --user #User for ACL change
+-g , --group #group for ACL change
+-av, --allviewers #Set group to backup viewers (-g or -u not needed)
+```
+
+Action for ACL rule
+```
+-a, --add #add ACL rule
+-r, --remove #Remove ACL rule
+```
+Set target for ACL change
+```
+-f , --ftp #User fot ACL change
+-s , --sftp #group fot ACL change
+```
+## adduserutil
+### Examples
+Add "newadmin" as backupserver admin
+`sudo /tools/adduserutil -a newadmin`
+
+Add "vwrara1" as viewer
+`sudo /tools/adduserutil -v vwrara1`
+
+Add "hxa001" as source that can upload using sftp
+`sudo /tools/adduserutil -s -ts hxa001`
+
+Add "u1204" as source that can upload using ftp
+`sudo /tools/adduserutil -s -tf u1204`
+
+### Help
+Syntax: adduserutil [-a|v|s] [-ts|tf] ``
+
+Set user type for new user
+```
+-a, --admin #Backup Admin
+-v, --viewer #Backup Viewer
+-s, --source #Backup Source
+```
+Set backup source options for new user
+```
+-ts, --sftp #Backup source will use sftp/rsync to upload files
+-tf, --ftp #Backup source will use ftp to upload files
+```
+## deluserutil
+
+### Examples
+Remove "newadmin" who is a backupserver admin
+`sudo /tools/deluserutil -a newadmin`
+
+Remove "vwrara1" who is a viewer
+`sudo /tools/deluserutil -v vwrara1`
+
+Remove "hxa001" who is a source that can upload using sftp
+`sudo /tools/deluserutil -s -ts hxa001`
+
+Remove "u1204" who is a source that can upload using ftp
+`sudo /tools/deluserutil -s -tf u1204`
+
+### Help
+Syntax: deluserutil [-a|v|s|] [-ts|tf] ``
+
+Provide the user type for the user that shoud be remove
+```
+-a, --admin #Backup Admin
+-v, --viewer #Backup Viewer
+-s, --source #Backup Source
+```
+Provide the upload methode for the user that shoud be remove
+```
+-ts, --sftp #Backup source uses sftp/rsync to upload files
+-tf, --ftp #Backup source uses ftp to upload files
+```
\ No newline at end of file
diff --git a/Docs/mkdocs.yml b/Docs/mkdocs.yml
new file mode 100755
index 0000000..5765320
--- /dev/null
+++ b/Docs/mkdocs.yml
@@ -0,0 +1,11 @@
+site_name: BCK-Serv
+theme: slate
+repo_name: 'Git Repo'
+repo_url: https://git.ictmaatwerk.com/bprieshof/
+nav:
+ - Home: 'index.md'
+ - Utils:
+ - 'aclutil' : 'utils/#aclutil'
+ - 'ez-aclutil' : 'utils/#ez-aclutil'
+ - 'adduserutil' : 'utils/#adduserutil'
+ - 'deluserutil' : 'utils/#deluserutil'
diff --git a/Tools/aclutil b/Tools/aclutil
new file mode 100755
index 0000000..eef7ee8
--- /dev/null
+++ b/Tools/aclutil
@@ -0,0 +1,137 @@
+#!/bin/bash
+#Funtions
+Help()
+{
+ # Display Help
+ echo
+ echo "#######################"
+ echo "# ACL_UTIL Help #"
+ echo "#######################"
+ echo
+ echo "Syntax: aclutil [-u [-g ][-a|r] "
+ echo "options:"
+ echo "-h, --help Print this Help."
+ echo
+ echo "Get info about set ALC's"
+ echo "-l, --list #get current ACL rules"
+ echo "-lg --listgui #get current ACL rules using the eiciel GUI"
+ echo
+ echo "Set user/group for ACL change"
+ echo "-u , --user #User for ACL change"
+ echo "-g , --group #group for ACL change "
+ echo
+ echo "Action for ACL rule"
+ echo "-a, --add #add ACL rule"
+ echo "-r, --remove #Remove ACL rule"
+ echo
+}
+
+#Input Handeler
+POSITIONAL=()
+while [[ $# -gt 0 ]]
+do
+key="$1"
+
+case $key in
+ -h | --help)
+ Help
+ exit
+ ;;
+ -u | --user)
+ TARGET=user
+ USER=$2
+ shift
+ shift
+ ;;
+ -g | --group)
+ TARGET=group
+ GROUP=$2
+ shift
+ shift
+ ;;
+ -a | --add)
+ ACTION=add
+ shift
+ ;;
+ -r | --remove)
+ ACTION=remove
+ shift
+ ;;
+ -l | --list)
+ ACTION=list
+ shift
+ ;;
+ -lg | --listgui)
+ ACTION=listgui
+ shift
+ ;;
+ *) # unknown option
+ POSITIONAL+=("$1") # save it in an array for later
+ shift # past argument
+ ;;
+esac
+done
+set -- "${POSITIONAL[@]}" # restore positional parameters
+
+FOLDERPATH="$1"
+
+#input Validation
+##Action flag
+if [ -z ${ACTION+x} ]; then echo "Incorrect or missing parameter(s)" && Help && exit; fi
+##Target Flag
+if [ "$ACTION" = "remove" ] || [ "$ACTION" = "add" ]; then
+if [ -z ${TARGET+x} ]; then echo "Incorrect or missing parameter(s)" && Help && exit; fi
+
+##User flag
+if [ "$TARGET" = "user" ] && [ -z $USER ]; then
+echo "User name not specified"
+exit
+fi
+
+##Group flag
+if [ "$TARGET" = "group" ] && [ -z $GROUP ]; then
+echo "Group name not specified"
+exit
+fi
+fi
+
+
+##Path
+if [ -z $FOLDERPATH ]; then echo "File or directory not specified" && exit; fi
+
+if [ ! -d "$FOLDERPATH" ] && [ ! -f "$FOLDERPATH" ]; then
+ echo "'$FOLDERPATH': No such file or directory"
+fi
+
+#Script
+if [ "$ACTION" = "list" ]; then
+getfacl $FOLDERPATH
+fi
+
+if [ "$ACTION" = "listgui" ]; then
+echo "If gui did not start make sure X11 forwarding is enabled"
+echo "and eiciel it is installed"
+eiciel $FOLDERPATH
+fi
+
+if [ "$ACTION" = "add" ] && [ "$TARGET" = "user" ]; then
+setfacl -R -m u:"$USER":rx "$FOLDERPATH"
+setfacl -R -d -m u:"$USER":rx "$FOLDERPATH"
+fi
+
+
+if [ "$ACTION" = "add" ] && [ "$TARGET" = "group" ]; then
+setfacl -R -m g:"$GROUP":rx "$FOLDERPATH"
+setfacl -R -d -m g:"$GROUP":rx "$FOLDERPATH"
+fi
+
+if [ "$ACTION" = "remove" ] && [ "$TARGET" = "user" ]; then
+setfacl -R -x u:"$USER" "$FOLDERPATH"
+setfacl -R -d -x u:"$USER" "$FOLDERPATH"
+fi
+
+
+if [ "$ACTION" = "remove" ] && [ "$TARGET" = "group" ]; then
+setfacl -R -x g:"$GROUP" "$FOLDERPATH"
+setfacl -R -d -x g:"$GROUP" "$FOLDERPATH"
+fi
diff --git a/Tools/adduserutil b/Tools/adduserutil
new file mode 100755
index 0000000..01a0636
--- /dev/null
+++ b/Tools/adduserutil
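Review bot: The existence check `if [ ! -d "$FOLDERPATH" ] && [ ! -f "$FOLDERPATH" ]` only echoes 'No such file or directory' and falls through, so the getfacl/setfacl section below still runs against the missing path and the script exits 0; add `exit 1` inside that branch, and use `exit 1` on the other error paths, which currently `exit` with status 0. Because the sudoers entry in this commit lets the BCKadmin group run this tool with any argument, FOLDERPATH should also be canonicalised and confined to the backup roots before any setfacl, e.g. `FOLDERPATH=$(realpath -e -- "$FOLDERPATH") || exit 1` followed by `[[ $FOLDERPATH == /backups/* || $FOLDERPATH == /vhome/* ]] || exit 1`; as written the tool will change ACLs on any path on the system with root privileges, which is wider than the Readme's description of the admin role. `getfacl $FOLDERPATH` and `eiciel $FOLDERPATH` are unquoted while the setfacl lines quote the path. The `-u` arm stores the name in `USER`, overwriting the shell's own `USER` variable; a private name such as `ACL_USER` avoids confusion.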
@@ -0,0 +1,198 @@
+#!/bin/bash
+#Funtions
+Help()
+{
+ # Display Help
+ echo "Add user to backupserver"
+ echo
+ echo "Syntax: adduserutil [-a|v|s|ts] "
+ echo "options:"
+ echo "-h, --help Print this Help."
+ echo
+ echo "Set user type for new user"
+ echo "-a, --admin #Backup Admin"
+ echo "-v, --viewer #Backup Viewer "
+ echo "-s, --source #Backup Source (ex:a webserver)"
+ echo
+ echo "Set backup source options for new user"
+ echo "-ts, --sftp #Backup source will use sftp/rsync to upload files"
+ echo "-tf, --ftp #Backup source will use ftp to upload files"
+ echo
+}
+
+Keyer()
+{
+echo 'Please paste in the public ssh key without ""'
+read sshkey
+echo
+echo
+echo "The following key was received"
+echo "$sshkey"
+echo
+while true; do
+ read -p "Is this key correct? " yn
+ case $yn in
+ [Yy]* ) break;;
+ [Nn]* ) exit;;
+ * ) echo "Please answer yes or no.";;
+ esac
+done
+}
+
+
+#Input Handeler
+POSITIONAL=()
+while [[ $# -gt 0 ]]
+do
+key="$1"
+
+case $key in
+ -h | --help)
+ Help
+ exit
+ ;;
+ -v | --viewer)
+ USERTYPE=viewer
+ shift
+ ;;
+ -a |--admin)
+ USERTYPE=admin
+ shift
+ ;;
+ -s|--source)
+ USERTYPE=source
+ shift
+ ;;
+ -tf|--ftp )
+ UPTYPE=FTP
+ shift
+ ;;
+ -ts|--sftp )
+ UPTYPE=SFTP
+ shift
+ ;;
+ *) # unknown option
+ POSITIONAL+=("$1") # save it in an array for later
+ shift # past argument
+ ;;
+esac
+done
+set -- "${POSITIONAL[@]}" # restore positional parameters
+
+username="$1"
+
+
+#Input Check
+if [ -z "$username" ]
+then
+ echo "Please provide a username"
+ echo "For more information type adduserutil -h"
+ echo
+ exit
+fi
+
+if [ "$username" = "root" ]; then
+ echo "Root is not allowed"
+ exit
+fi
+
+getent passwd $username > /dev/null
+if [ $? -eq 0 ]; then
+ echo "This username already exists"
+ exit
+fi
+
+if [ -z "$USERTYPE" ]
+then
+ echo "Please provide user type"
+ echo "For more information type adduserutil -h"
+ echo
+ exit
+fi
+if [ "$USERTYPE" = "source" ]; then
+if [ -z "$UPTYPE" ]
+then
+ echo "Please provide upload methode"
+ echo "For more information type adduserutil -h"
+ echo
+ exit
+fi
+fi
+
+
+#Confirmation before setting user
+echo "Create user with the following information"
+echo "Username: $username"
+echo "User type: $USERTYPE"
+if [ "$USERTYPE" = "source" ]; then
+echo "Upload methode $UPTYPE"
+fi
+while true; do
+ read -p "Do you wish to add this user? " yn
+ case $yn in
+ [Yy]* ) break;;
+ [Nn]* ) exit;;
+ * ) echo "Please answer yes or no.";;
+ esac
+done
+
+
+#Add Admin user
+if [ "$USERTYPE" = "admin" ]; then
+Keyer
+
+useradd -g BCKadmin -s /bin/bash -m -d /home/"$username" "$username"
+passwd --expire -d "$username"
+sudo -u "$username" mkdir /home/$username/.ssh
+echo "$sshkey" | sudo -u "$username" tee /home/"$username"/.ssh/authorized_keys
+fi
+
+
+#Add Viewer user
+if [ "$USERTYPE" = "viewer" ]; then
+Keyer
+
+useradd -g BCKviewer -s /usr/sbin/nologin -d / "$username"
+mkdir -p /vhome/"$username"/.ssh
+mkdir -p /vhome/"$username"/backups
+chown root: /vhome/"$username"
+chmod 755 /vhome/"$username"
+chown root: /vhome/"$username"
+chown -R $username: /vhome/"$username"/.ssh
+chmod 750 -R /vhome/"$username"/.ssh
+echo "$sshkey" | sudo -u "$username" tee /vhome/"$username"/.ssh/authorized_keys
+echo "/backups /vhome/$username/backups none defaults,bind 0 0" >>/etc/fstab
+mount -a
+fi
+
+
+#Add sftp source user
+if [ "$USERTYPE" = "source" ] && [ "$UPTYPE" = "SFTP" ]; then
+Keyer
+
+mkdir -p /backups/sftp/"$username"
+useradd -M -N -r "$username"
+usermod -g sftpusers "$username"
+python3 /opt/grequalizer/grequalizer.py /opt/grequalizer/conf/grequalizer-sftp.conf -O
+mkdir -p /backups/sftp/"$username"/home/.ssh
+echo "$sshkey" > /backups/sftp/"$username"/home/.ssh/authorized_keys
+chown -R $username: /backups/sftp/"$username"/home
+chmod -R 700 /backups/sftp/"$username"/home
+setfacl -R -m g:BCKadmin:rwx /backups/sftp/"$username"/home
+setfacl -R -d -m g:BCKadmin:rwx /backups/sftp/"$username"/home
+fi
+
+
+
+#Add ftp source user
+if [ "$USERTYPE" = "source" ] && [ "$UPTYPE" = "FTP" ]; then
+password=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 18 | head -n 1)
+useradd -M -N -r "$username"
+usermod -g ftpusers "$username"
+echo "$username" | tee -a /etc/vsftpd.user_list
+python3 /opt/grequalizer/grequalizer.py /opt/grequalizer/conf/grequalizer-ftp.conf -O
+setfacl -R -m g:BCKadmin:rwx /backups/ftp/"$username"
+setfacl -R -d -m g:BCKadmin:rwx /backups/ftp/"$username"
+echo $username:$password | chpasswd
+echo "The password for $username is: $password"
+fi
diff --git a/Tools/deluserutil b/Tools/deluserutil
new file mode 100755
index 0000000..76c29eb
--- /dev/null
+++ b/Tools/deluserutil
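Review bot: In the sftp branch, `setfacl -R -m g:BCKadmin:rwx /backups/sftp/"$username"/home` runs after `.ssh/authorized_keys` has been written inside that tree, so the admin group gets write access to the key file and its directory, and because a named-group ACL also raises the group-class mode bits this may make sshd's StrictModes reject the file as having bad modes — confirm on the target; either apply the ACL to the data area only, or follow it with `setfacl -R -x g:BCKadmin /backups/sftp/"$username"/home/.ssh`. `Keyer` reads the key with a bare `read sshkey` and writes it unchecked into authorized_keys; use `read -r sshkey` and validate it with `ssh-keygen -l -f /dev/stdin <<<"$sshkey" >/dev/null || exit 1` first. The admin branch runs `passwd --expire -d`, leaving an empty, expired password on the one account type that the sudoers entry requires to authenticate; whether sudo rejects that, accepts it, or forces a change is PAM-configuration dependent, so set a random initial password as the ftp branch does, or lock it and document that admins are key-only. `sudo -u "$username" mkdir /home/$username/.ssh` is unquoted and has no mode; `mkdir -p -m 700 /home/"$username"/.ssh` matches the permissions the viewer branch applies. `getent passwd $username` and `echo $username:$password | chpasswd` should quote `$username`.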
@@ -0,0 +1,161 @@
+#!/bin/bash
+#Funtions
+Help()
+{
+ # Display Help
+ echo "Remove user from backupserver"
+ echo
+ echo "Syntax: deluserutil [-a|v|s|ts] "
+ echo "options:"
+ echo "-h, --help Print this Help."
+ echo
+ echo "Define user type for user that shoud be removed"
+ echo "-a, --admin #Backup Admin"
+ echo "-v, --viewer #Backup Viewer "
+ echo "-s, --source #Backup Source (ex:a webserver)"
+ echo
+ echo "Set backup source options for new user"
+ echo "-ts, --sftp #Backup source uses sftp/rsync to upload files"
+ echo "-tf, --ftp #Backup source uses ftp to upload files"
+ echo
+}
+
+
+#Input Handeler
+POSITIONAL=()
+while [[ $# -gt 0 ]]
+do
+key="$1"
+
+case $key in
+ -h | --help)
+ Help
+ exit
+ ;;
+ -v | --viewer)
+ USERTYPE=viewer
+ shift
+ shift
+ ;;
+ -a |--admin)
+ USERTYPE=admin
+ shift
+ ;;
+ -s|--source)
+ USERTYPE=source
+ shift
+ ;;
+ -tf|--ftp )
+ UPTYPE=FTP
+ shift
+ ;;
+ -ts|--sftp )
+ UPTYPE=SFTP
+ shift
+ ;;
+ *) # unknown option
+ POSITIONAL+=("$1") # save it in an array for later
+ shift # past argument
+ ;;
+esac
+done
+set -- "${POSITIONAL[@]}" # restore positional parameters
+
+username="$1"
+
+
+#Input Check
+if [ -z "$username" ]
+then
+ echo "Please provide a username"
+ echo "For more information type deluserutil -h"
+ echo
+ exit
+fi
+
+if [ "$username" = "root" ]; then
+ echo "Root is not allowed"
+fi
+
+getent passwd $username > /dev/null
+if [ $? -eq 2 ]; then
+ echo "This username does not exists"
+ exit
+fi
+
+if [ -z "$USERTYPE" ]
+then
+ echo "Please provide user type"
+ echo "For more information type deluserutil -h"
+ echo
+ exit
+fi
+if [ "$USERTYPE" = "source" ]; then
+if [ -z "$UPTYPE" ]
+then
+ echo "Please provide upload methode"
+ echo "For more information type deluserutil -h"
+ echo
+ exit
+fi
+fi
+
+#Confirmation before setting user
+echo "Removing the user with the following information"
+echo "Username: $username"
+echo "User type: $USERTYPE"
+if [ "$USERTYPE" = "source" ]; then
+echo "Upload methode $UPTYPE"
+fi
+while true; do
+ read -p "Do you wish to REMOVE $username? " yn
+ case $yn in
+ [Yy]* ) break;;
+ [Nn]* ) exit;;
+ * ) echo "Please answer yes or no.";;
+ esac
+done
+
+
+#Remove Admin user
+if [ "$USERTYPE" = "admin" ]; then
+userdel -rf $username
+fi
+
+
+#Remove Viewer user
+if [ "$USERTYPE" = "viewer" ]; then
+umount /vhome/$username/backup
+sed -i "/\/$username\//d" /etc/fstab
+userdel -f $username
+rm -rf /vhome/$username
+fi
+
+
+#Remove sftp source user
+if [ "$USERTYPE" = "source" ] && [ "$UPTYPE" = "SFTP" ]; then
+while true; do
+ read -p "Do you wish to REMOVE the backups connected to this user? " yn
+ case $yn in
+ [Yy]* ) rm -rf /backups/sftp/"$username" && break;;
+ [Nn]* ) break;;
+ * ) echo "Please answer yes or no.";;
+ esac
+done
+userdel -f $username
+fi
+
+
+#Remove ftp source user
+if [ "$USERTYPE" = "source" ] && [ "$UPTYPE" = "FTP" ]; then
+while true; do
+ read -p "Do you wish to REMOVE the backups connected to this user? " yn
+ case $yn in
+ [Yy]* ) rm -rf /backups/ftp/"$username" && break;;
+ [Nn]* ) break;;
+ * ) echo "Please answer yes or no.";;
+ esac
+done
+ sed -i "/\<$username\>/d" /etc/ftpusers
+ userdel -f $username
+fi
diff --git a/Tools/ez-aclutil b/Tools/ez-aclutil
new file mode 100755
index 0000000..c065a91
--- /dev/null
+++ b/Tools/ez-aclutil
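Review bot: The viewer branch unmounts `/vhome/$username/backup`, but the bind mount that adduserutil creates (and its fstab line) is at `/vhome/$username/backups`, so the umount fails and the following `rm -rf /vhome/$username` descends into the still-mounted bind and deletes the contents of `/backups` itself. Change it to `umount /vhome/"$username"/backups || exit 1` and `rm -rf --one-file-system -- /vhome/"$username"` so a leftover mount can never be traversed, and anchor the fstab edit to the full mount path rather than any line containing `/$username/`. Two smaller defects in the same hunk: the `-v | --viewer)` arm shifts twice and so swallows the username that follows it, and the `"root"` check prints a message but does not `exit`, so `-a root` proceeds to the `userdel -rf` prompt. The ftp branch edits `/etc/ftpusers`, while adduserutil registered the user in `/etc/vsftpd.user_list`, so the stale entry there is never removed.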
@@ -0,0 +1,156 @@
+#!/bin/bash
+#Funtions
+Help()
+{
+ # Display Help
+ echo
+ echo "#########################"
+ echo "# ez ACL_UTIL Help #"
+ echo "#########################"
+ echo
+ echo "Syntax: ezaclutil [-u | -g | -av][-a|r] [-f ] [-s ]"
+ echo "options:"
+ echo "-h, --help Print this Help."
+ echo
+ echo "Get info about set ALC's"
+ echo "-l, --list #get current ACL rules"
+ echo
+ echo "Set user/group for ACL change"
+ echo "-u , --user #User for ACL change"
+ echo "-g , --group #group for ACL change "
+ echo "-av, --allviewers #Set group to backup viewers (-g not needed)"
+ echo
+ echo "Action for ACL rule"
+ echo "-a, --add #add ACL rule"
+ echo "-r, --remove #Remove ACL rule"
+ echo
+ echo "Set target for ACL change"
+ echo "-f , --ftp #User for ACL change"
+ echo "-s , --sftp #group for ACL change "
+ echo
+}
+
+#Input Handeler
+POSITIONAL=()
+while [[ $# -gt 0 ]]
+do
+key="$1"
+
+case $key in
+ -h | --help)
+ Help
+ exit
+ ;;
+ -u | --user)
+ TARGET=user
+ USER=$2
+ shift
+ shift
+ ;;
+ -g | --group)
+ TARGET=group
+ GROUP=$2
+ shift
+ shift
+ ;;
+ -a | --add)
+ ACTION=add
+ shift
+ ;;
+ -r | --remove)
+ ACTION=remove
+ shift
+ ;;
+ -l | --list)
+ ACTION=list
+ shift
+ ;;
+ -lg | --listgui)
+ ACTION=listgui
+ shift
+ ;;
+ -av | --allviewers)
+ TARGET=group
+ GROUP=BCKviewer
+ shift
+ ;;
+
+ -f | --ftp)
+ FOLDERPATH="/backups/ftp/$2"
+ shift
+ shift
+ ;;
+ -s | --sftp)
+ FOLDERPATH="/backups/sftp/$2/home"
+ shift
+ shift
+ ;;
+ *) # unknown option
+ POSITIONAL+=("$1") # save it in an array for later
+ shift # past argument
+ ;;
+esac
+done
+set -- "${POSITIONAL[@]}" # restore positional parameters
+
+
+#input Validation
+##Action flag
+if [ -z ${ACTION+x} ]; then echo "Incorrect or missing parameter(s)" && Help && exit; fi
+##Target Flag
+if [ "$ACTION" = "remove" ] || [ "$ACTION" = "add" ]; then
+if [ -z ${TARGET+x} ]; then echo "Incorrect or missing parameter(s)" && Help && exit; fi
+
+##User flag
+if [ "$TARGET" = "user" ] && [ -z $USER ]; then
+echo "User name not specified"
+exit
+fi
+
+##Group flag
+if [ "$TARGET" = "group" ] && [ -z $GROUP ]; then
+echo "Group name not specified"
+exit
+fi
+fi
+
+
+##Path
+if [ -z $FOLDERPATH ]; then echo "Target backup not specified" && exit; fi
+
+if [ ! -d "$FOLDERPATH" ] && [ ! -f "$FOLDERPATH" ]; then
+ echo "Target backup not found"
+fi
+
+#Script
+if [ "$ACTION" = "list" ]; then
+getfacl $FOLDERPATH
+fi
+
+if [ "$ACTION" = "listgui" ]; then
+echo "If gui did not start make sure X11 forwarding is enabled"
+echo "and eiciel it is installed"
+eiciel $FOLDERPATH
+fi
+
+if [ "$ACTION" = "add" ] && [ "$TARGET" = "user" ]; then
+setfacl -R -m u:"$USER":rx "$FOLDERPATH"
+setfacl -R -d -m u:"$USER":rx "$FOLDERPATH"
+fi
+
+
+if [ "$ACTION" = "add" ] && [ "$TARGET" = "group" ]; then
+setfacl -R -m g:"$GROUP":rx "$FOLDERPATH"
+setfacl -R -d -m g:"$GROUP":rx "$FOLDERPATH"
+fi
+
+if [ "$ACTION" = "remove" ] && [ "$TARGET" = "user" ]; then
+setfacl -R -x u:"$USER" "$FOLDERPATH"
+setfacl -R -d -x u:"$USER" "$FOLDERPATH"
+fi
+
+
+if [ "$ACTION" = "remove" ] && [ "$TARGET" = "group" ]; then
+setfacl -R -x g:"$GROUP" "$FOLDERPATH"
+setfacl -R -d -x g:"$GROUP" "$FOLDERPATH"
+fi
diff --git a/config/grequalizer-ftp.conf b/config/grequalizer-ftp.conf
new file mode 100644
index 0000000..1d8f02d
--- /dev/null
+++ b/config/grequalizer-ftp.conf
@@ -0,0 +1,36 @@
+# Variables: $u: login name, $h: users home, $g: users primary group name
+[main]
+home_path = /backups/ftp/$u
+simulate = no
+limit_to_primary_group = yes
+primary_group_name = ftpusers
+minimum_users_count = 1
+
+[home_existence]
+check = yes
+correct = yes
+
+[home_permissions]
+check = yes
+correct = yes
+octal_permissions = 750
+
+[home_owner]
+check = yes
+correct = yes
+owner = $u
+
+[home_group]
+check = yes
+correct = yes
+group = root
+
+[user_home]
+check = yes
+correct = yes
+home_path = /
+
+[user_shell]
+check = yes
+correct = yes
+shell = /usr/bin/ftponly
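Review bot: The `-f`/`-s` arms splice the next argument straight into `FOLDERPATH` (`/backups/ftp/$2`, `/backups/sftp/$2/home`) without checking that it is a bare user name, so a value containing `/` or `..` resolves to a directory outside the backup tree and the setfacl calls below then run on it as root; validate the name before building the path, e.g. `[[ $2 =~ ^[a-z_][a-z0-9_-]*$ ]] || exit 1`, or canonicalise with `realpath -e` and require the `/backups/` prefix. As in aclutil, the 'Target backup not found' branch only prints and falls through, so add `exit 1` there and use `exit 1` on the other error paths. The Help text calls the tool `ezaclutil` and omits `-lg/--listgui`, although the parser accepts it (and utils.md documents it as `-gl`); `getfacl $FOLDERPATH` and `eiciel $FOLDERPATH` are unquoted while the setfacl lines quote the path.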
diff --git a/config/grequalizer-sftp.conf b/config/grequalizer-sftp.conf
new file mode 100644
index 0000000..10cc426
--- /dev/null
+++ b/config/grequalizer-sftp.conf
@@ -0,0 +1,47 @@
+# Variables: $u: login name, $h: users home, $g: users primary group name
+
+[main]
+home_path = /backups/sftp/$u
+simulate = no
+limit_to_primary_group = yes
+primary_group_name = sftpusers
+minimum_users_count = 1
+
+[home_existence]
+check = yes
+correct = yes
+
+#[home_permissions]
+#check = yes
+#correct = yes
+#octal_permissions = 755
+
+[home_owner]
+check = yes
+correct = yes
+owner = root
+
+[home_group]
+check = yes
+correct = yes
+group = root
+
+[user_home]
+check = yes
+correct = yes
+home_path = /home
+
+[user_shell]
+check = yes
+correct = yes
+shell = /usr/bin/rssh
+
+[home_files]
+check = yes
+correct = yes
+file_list = /opt/grequalizer/conf/files_to_chroots.txt
+
+[home_binaries_with_libs]
+check = yes
+correct = yes
+file_list = /opt/grequalizer/conf/binaries_to_chroots.txt
diff --git a/config/rssh_append.conf b/config/rssh_append.conf
new file mode 100644
index 0000000..fe92515
--- /dev/null
+++ b/config/rssh_append.conf
@@ -0,0 +1,3 @@
+allowscp
+allowsftp
+allowrsync
diff --git a/config/sshd_append.conf b/config/sshd_append.conf
new file mode 100644
index 0000000..3e1f927
--- /dev/null
+++ b/config/sshd_append.conf
@@ -0,0 +1,14 @@
+DenyGroups ftpusers
+
+Match group sftpusers
+ ChrootDirectory /backups/sftp/%u
+ AuthorizedKeysFile /backups/sftp/%u/%h/.ssh/authorized_keys
+ X11Forwarding no
+ AllowTcpForwarding no
+
+Match Group BCKviewer
+ ChrootDirectory /vhome/%u
+ AuthorizedKeysFile /vhome/%u/.ssh/authorized_keys
+ ForceCommand internal-sftp
+ AllowTcpForwarding no
+ X11Forwarding no
diff --git a/config/sudo.conf b/config/sudo.conf
new file mode 100644
index 0000000..8524a21
--- /dev/null
+++ b/config/sudo.conf
@@ -0,0 +1 @@
+%BCKadmin ALL=(root) /tools/adduserutil, /tools/deluserutil, /tools/aclutil, /tools/ez-aclutil
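Review bot: The `[home_permissions]` section is commented out, so nothing enforces the mode of `/backups/sftp/$u`, which sshd_append.conf uses as `ChrootDirectory`; sshd requires that directory to be root-owned and not group- or other-writable, and with the check disabled a later chmod or ACL on it silently breaks that user's logins instead of being corrected on the next grequalizer run. Re-enable the section with `octal_permissions = 755` (the value already in the comment), which satisfies the chroot requirement and keeps the directory traversable for viewers. `shell = /usr/bin/rssh` delegates the command restriction to rssh, which appears to be unmaintained upstream; consider whether `ForceCommand internal-sftp`, as the BCKviewer block already uses, covers the sftp-only sources, keeping rssh only where rsync is required.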
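Review bot: Neither Match block sets `PasswordAuthentication no`, although both account types are created key-only by adduserutil (`useradd` without a password, so the login is locked); adding `PasswordAuthentication no` to both blocks, or globally together with `PermitRootLogin no`, makes that intent explicit rather than dependent on the shadow entry staying locked. The sftpusers block omits the `ForceCommand internal-sftp` that the BCKviewer block has; if that is intentional because rssh must handle rsync and scp, a comment saying so stops a later reader from 'fixing' it. `AuthorizedKeysFile /backups/sftp/%u/%h/.ssh/authorized_keys` only works because grequalizer-sftp.conf sets the home to `/home`, and `%h` is an absolute path, so the result contains a double slash; `AuthorizedKeysFile /backups/sftp/%u/home/.ssh/authorized_keys` spells the dependency out.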
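Review bot: The rule allows all four tools with unrestricted arguments, and aclutil accepts any path, so for the BCKadmin group this line amounts to root-level control over ACLs on the whole filesystem rather than over the backup tree the Readme describes; either have the tools confine their inputs or document in the Readme that BCKadmin is a fully trusted role. The entry is also installed by setup.sh without `visudo -cf` validation and without mode `0440`; a stray character in a later edit silently disables it, which the installer would not notice.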
diff --git a/config/vsftpd.conf b/config/vsftpd.conf
new file mode 100644
index 0000000..7e549bd
--- /dev/null
+++ b/config/vsftpd.conf
@@ -0,0 +1,25 @@
+listen=NO
+listen_ipv6=YES
+anonymous_enable=NO
+local_enable=YES
+write_enable=YES
+dirmessage_enable=YES
+use_localtime=YES
+xferlog_enable=YES
+connect_from_port_20=YES
+chroot_local_user=YES
+chroot_local_user=YES
+secure_chroot_dir=/var/run/vsftpd/empty
+allow_writeable_chroot=YES
+pam_service_name=ftp
+user_sub_token=$USER
+local_root=/backups/ftp/$USER
+userlist_enable=YES
+userlist_file=/etc/vsftpd.user_list
+userlist_deny=NO
+pasv_min_port=30000
+pasv_max_port=31000
+#Certificate/SSL
+rsa_cert_file=/etc/ssl/private/vsftpd.pem
+rsa_private_key_file=/etc/ssl/private/vsftpd.pem
+ssl_enable=yes
diff --git a/setup.sh b/setup.sh
new file mode 100644
index 0000000..d9cb340
--- /dev/null
+++ b/setup.sh
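Review bot: `allow_writeable_chroot=YES` switches off vsftpd's refusal to chroot into a directory the user can write, and it is needed here only because grequalizer-ftp.conf makes `/backups/ftp/$u` owned by `$u`; the safer layout keeps the chroot root owned by root (mode 755) and gives the user a writable subdirectory for uploads, after which the option can be removed. `chroot_local_user=YES` is listed twice. `pam_service_name=ftp` should be checked against the target distribution, where the vsftpd package ships `/etc/pam.d/vsftpd`; a PAM service name with no file falls through to the `other` policy, so logins would fail (or succeed) for a reason that is not visible in this config. Adding a comment that `force_local_logins_ssl` and `force_local_data_ssl` are left at their defaults, so plaintext logins are refused once `ssl_enable` is on, would help the next reader.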
@@ -0,0 +1,62 @@
+mrepo=https://git.ictmaatwerk.com/VPS-scripts/UBU-Backup-SRV
+mbranch=master
+
+#install needed packages
+apt install rssh vsftpd openssh-server -y
+apt-get install --no-install-recommends eiciel
+#Setup groups
+groupadd sftpusers
+groupadd ftpusers
+groupadd BCKviewer
+groupadd BCKadmin
+
+#setup Folders
+mkdir -p /backups/ftp/
+mkdir -p /backups/sftp/
+mkdir -p /vhome
+mkdir /tools
+
+#setup tools
+wget -q -t7 "$mrepo"/raw/branch/"$mbranch"/Tools/aclutil -O /tools/aclutil
+wget -q -t7 "$mrepo"/raw/branch/"$mbranch"/Tools/adduserutil -O /tools/adduserutil
+wget -q -t7 "$mrepo"/raw/branch/"$mbranch"/Tools/deluserutil -O /tools/deluserutil
+wget -q -t7 "$mrepo"/raw/branch/"$mbranch"/Tools/ez-aclutil -O /tools/ez-aclutil
+chmod 700 /tools/deluserutil
+chmod 700 /tools/adduserutil
+chmod 700 /tools/aclutil
+chmod 700 /tools/ez-aclutil
+
+#SSH Config
+sed -i -e '/Subsystem\ssftp/c\Subsystem sftp internal-sftp' /etc/ssh/sshd_config
+curl --silent --show-error "$mrepo"/raw/branch/"$mbranch"/config/sshd_append.conf >>/etc/ssh/sshd_config
+
+#rssh Config
+curl --silent --show-error "$mrepo"/raw/branch/"$mbranch"/config/rssh_append.conf >>/etc/rssh.conf
+
+#vsftp Config
+openssl req -new -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem -subj "/C=NL/ST=Gelderland/L=Arnhem/O=ICT Maatwerk B.V./CN=$(hostname -f)"
+wget -q -t7 "$mrepo"/raw/branch/"$mbranch"/config/vsftpd.conf -O /etc/vsftpd.conf
+
+#sudo Config
+wget -q -t7 "$mrepo"/raw/branch/"$mbranch"/config/sudo.conf -O /etc/sudoers.d/BCKadmin
+
+#Setup grequalizer
+git clone https://github.com/lpirl/grequalizer.git /opt/grequalizer
+mkdir /opt/grequalizer/conf/
+echo "/opt/grequalizer" > /opt/grequalizer/conf/files_to_chroots.txt
+echo "/usr/bin/rsync" > /opt/grequalizer/conf/binaries_to_chroots.txt
+echo "/usr/bin/rssh" >> /opt/grequalizer/conf/binaries_to_chroots.txt
+wget -q -t7 "$mrepo"/raw/branch/"$mbranch"/config/grequalizer-sftp.conf -O /opt/grequalizer/conf/grequalizer-sftp.conf
+wget -q -t7 "$mrepo"/raw/branch/"$mbranch"/config/grequalizer-ftp.conf -O /opt/grequalizer/conf/grequalizer-ftp.conf
+
+#UFW Config
+##FTP
+ufw allow 20:21/tcp
+ufw allow 30000:31000/tcp
+#SSH/SFTP
+ufw limit 22/tcp
+echo "y" | ufw enable
+
+#Restarting and enableing services
+systemctl enable vsftpd sshd
+systemctl restart vsftpd sshd
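Review bot: `curl --silent --show-error ... >>/etc/ssh/sshd_config` appends whatever the server returns, so on an HTTP error the error page lands in sshd_config, and the closing `systemctl restart vsftpd sshd` then restarts sshd with no syntax check; use `curl -fsS ... >>/etc/ssh/sshd_config || exit 1` and run `sshd -t || exit 1` before the restart so a broken config cannot lock ssh out of the host. The `wget -O` lines have the same problem in a different form: on failure they leave an empty destination, which for `/etc/vsftpd.conf` means vsftpd starts with its compiled-in defaults and for `/etc/sudoers.d/BCKadmin` means no admin entry at all. Everything that will later run as root — the four tools and the grequalizer clone — is fetched from a moving branch over the network with no integrity check; pin `mbranch` to a tag or commit, pin `git clone` to a specific commit, and compare known checksums before installing into `/tools`. The sudoers drop-in also needs `visudo -cf /etc/sudoers.d/BCKadmin || exit 1` and `chmod 0440 /etc/sudoers.d/BCKadmin`, and `apt-get install --no-install-recommends eiciel` lacks the `-y` the preceding `apt install` has, so it will stop for input. There is no shebang and no `set -euo pipefail`, so none of these failures currently stops the script.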