Work_Archive/VPS-scripts_UBU-Backup-SRV
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 1 Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Bram Prieshof
2020-06-26 10:41:13 +02:00
commit d16c28fe38
15 changed files with 1030 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
Docs/Readme.md Executable file
View File

@@ -0,0 +1,2 @@
# Source files for UBU-Backup-SRV

30
Docs/docs/index.md Executable file
View File

@@ -0,0 +1,30 @@
# Backup server
 
## Role explenation
| Name | Description |
| -------- | ------------ |
| Source | Can upload file to it home via sftp or ftp example: webserver |
| Viewer | Can read source home folders that have been allowed via ALC's |
| Admin | Can manage users and ACL's and can read/write to all home folders |
 
## Folder locations
| Location | Description |
| -------- | ------------ |
| /backups/ftp/`<sourcename>` | Home of ftp source users |
| /backups/sftp/`<sourcename>`/home | Home of sftp source users |
| /vhome/`<viewername>` | Home of viewer users |
| /tools/ | stores tools to manage ACL's and users for the admin |
## Tools
A admin can run tools using the following command `sudo /tools/<toolname>`
| Name | Description |
| -------- | ------------ |
| aclutil | For modifing ALC's |
| ez-aclutil | Like aclutil but with extra options for source home |
| adduserutil | For adding users |
| deluserutil | For removing users |
More information about using these tools can be found under the Utils tab

147
Docs/docs/utils.md Normal file
View File

@@ -0,0 +1,147 @@
# Provided tools/utilities
## aclutil
### Examples
Get info for /home/test
`sudo /tools/aclutil -l /home/test`
Give user: admin1 read acces to /test/folder
`sudo /tools/aclutil -a -u admin1 /test/folder`
Give group: accesusers read acces to /test/folder
`sudo /tools/aclutil -a -g accesusers /test/folder`
Remove read acces to /test/folder for user: admin1
`sudo /tools/aclutil -r -u admin1 /test/folder`
Remove read acces to /test/folder for group: accesusers
`sudo /tools/aclutil -r -g accesusers /test/folder`
### Help
Syntax: aclutil [-u <username> [-g `<groupname>`][-a|r] `<target folder>`
options:
Get info about Current ALC's
```
-l, --list #get current ACL rules
-lg --listgui #get current ACL rules using the eiciel GUI
```
Set user/group for ACL change
```
-u <username>, --user <username> #User for ACL change
-g <groupname>, --group <groupname> #group for ACL change
```
Action for ACL rule
```
-a, --add #add ACL rule
-r, --remove #Remove ACL rule
```
## ez-aclutil
a modified version of aclutil tailored for the backup server source users
### Examples
list info about source u1204 that uses ftp to upload
`sudo /tools/ez-aclutil -l -f u1204`
list info about source hxa001 that uses sftp to upload
`sudo /tools/ez-aclutil -l -s hxa001`
Give all Viewer acces to source hxa001 that uses sftp to upload
`sudo /tools/ez-aclutil -a -av -s hxa001`
Remove acces to all Viewers to acces source u1204 that uses ftp to upload
`sudo /tools/ez-aclutil -r -av -f u1204`
Give Viewer vwr21 acces to source hxa001 that uses sftp to upload
`sudo /tools/ez-aclutil -a -u vrw21 -s hxa001`
Remove acces for vwr21 Viewer to acces source hxa001 that uses sftp to upload
`sudo /tools/ez-aclutil -r -u vrw21 -s hxa001`
Give group: gra1 acces to source u1204 that uses ftp to upload
`sudo /tools/ez-aclutil -a -g gra1 -f u1204`
Remove acces for group: gra1 to acces source u1204 that uses ftp to upload
`sudo /tools/ez-aclutil -r -g gra1 -f u1204`
### Help
Syntax: ez-aclutil [-u `<username>` | -g `<groupname>` | -av] [-a|r] [-f `<ftpsourcename>`] [-s `<sftsourcename>`]
Get info about set ALC's
```
-l, --list #get current ACL for specified source user's home
-gl, --listgui #get current ACL for specified source user's home using eiciel
```
Set user/group for ACL change
```
-u <username>, --user <username> #User for ACL change
-g <groupname>, --group <groupname> #group for ACL change
-av, --allviewers #Set group to backup viewers (-g or -u not needed)
```
Action for ACL rule
```
-a, --add #add ACL rule
-r, --remove #Remove ACL rule
```
Set target for ACL change
```
-f <ftpusername>, --ftp <ftpusername> #User fot ACL change
-s <sftpusername>, --sftp <sftpusername> #group fot ACL change
```
## adduserutil
### Examples
Add "newadmin" as backupserver admin
`sudo /tools/adduserutil -a newadmin`
Add "vwrara1" as viewer
`sudo /tools/adduserutil -v vwrara1`
Add "hxa001" as source that can upload using sftp
`sudo /tools/adduserutil -s -ts hxa001`
Add "u1204" as source that can upload using ftp
`sudo /tools/adduserutil -s -tf u1204`
### Help
Syntax: adduserutil [-a|v|s] [-ts|tf] `<NewUserName>`
Set user type for new user
```
-a, --admin #Backup Admin
-v, --viewer #Backup Viewer
-s, --source #Backup Source
```
Set backup source options for new user
```
-ts, --sftp #Backup source will use sftp/rsync to upload files
-tf, --ftp #Backup source will use ftp to upload files
```
## deluserutil
### Examples
Remove "newadmin" who is a backupserver admin
`sudo /tools/deluserutil -a newadmin`
Remove "vwrara1" who is a viewer
`sudo /tools/deluserutil -v vwrara1`
Remove "hxa001" who is a source that can upload using sftp
`sudo /tools/deluserutil -s -ts hxa001`
Remove "u1204" who is a source that can upload using ftp
`sudo /tools/deluserutil -s -tf u1204`
### Help
Syntax: deluserutil [-a|v|s|] [-ts|tf] `<userthatshoudberemoved>`
Provide the user type for the user that shoud be remove
```
-a, --admin #Backup Admin
-v, --viewer #Backup Viewer
-s, --source #Backup Source
```
Provide the upload methode for the user that shoud be remove
```
-ts, --sftp #Backup source uses sftp/rsync to upload files
-tf, --ftp #Backup source uses ftp to upload files
```

11
Docs/mkdocs.yml Executable file
View File

@@ -0,0 +1,11 @@
site_name: BCK-Serv
theme: slate
repo_name: 'Git Repo'
repo_url: https://git.ictmaatwerk.com/bprieshof/
nav:
- Home: 'index.md'
- Utils:
- 'aclutil' : 'utils/#aclutil'
- 'ez-aclutil' : 'utils/#ez-aclutil'
- 'adduserutil' : 'utils/#adduserutil'
- 'deluserutil' : 'utils/#deluserutil'

137
Tools/aclutil Executable file
View File

@@ -0,0 +1,137 @@
#!/bin/bash
#Funtions
Help()
{
# Display Help
echo
echo "#######################"
echo "# ACL_UTIL Help #"
echo "#######################"
echo
echo "Syntax: aclutil [-u <username> [-g <groupname>][-a|r] <target folder>"
echo "options:"
echo "-h, --help Print this Help."
echo
echo "Get info about set ALC's"
echo "-l, --list #get current ACL rules"
echo "-lg --listgui #get current ACL rules using the eiciel GUI"
echo
echo "Set user/group for ACL change"
echo "-u <username>, --user <username> #User for ACL change"
echo "-g <groupname>, --group <groupname> #group for ACL change "
echo
echo "Action for ACL rule"
echo "-a, --add #add ACL rule"
echo "-r, --remove #Remove ACL rule"
echo
}
#Input Handeler
POSITIONAL=()
while [[ $# -gt 0 ]]
do
key="$1"
case $key in
-h | --help)
Help
exit
;;
-u | --user)
TARGET=user
USER=$2
shift
shift
;;
-g | --group)
TARGET=group
GROUP=$2
shift
shift
;;
-a | --add)
ACTION=add
shift
;;
-r | --remove)
ACTION=remove
shift
;;
-l | --list)
ACTION=list
shift
;;
-lg | --listgui)
ACTION=listgui
shift
;;
*) # unknown option
POSITIONAL+=("$1") # save it in an array for later
shift # past argument
;;
esac
done
set -- "${POSITIONAL[@]}" # restore positional parameters
FOLDERPATH="$1"
#input Validation
##Action flag
if [ -z ${ACTION+x} ]; then echo "Incorrect or missing parameter(s)" && Help && exit; fi
##Target Flag
if [ "$ACTION" = "remove" ] || [ "$ACTION" = "add" ]; then
if [ -z ${TARGET+x} ]; then echo "Incorrect or missing parameter(s)" && Help && exit; fi
##User flag
if [ "$TARGET" = "user" ] && [ -z $USER ]; then
echo "User name not specified"
exit
fi
##Group flag
if [ "$TARGET" = "group" ] && [ -z $GROUP ]; then
echo "Group name not specified"
exit
fi
fi
##Path
if [ -z $FOLDERPATH ]; then echo "File or directory not specified" && exit; fi
if [ ! -d "$FOLDERPATH" ] && [ ! -f "$FOLDERPATH" ]; then
echo "'$FOLDERPATH': No such file or directory"
fi
#Script
if [ "$ACTION" = "list" ]; then
getfacl $FOLDERPATH
fi
if [ "$ACTION" = "listgui" ]; then
echo "If gui did not start make sure X11 forwarding is enabled"
echo "and eiciel it is installed"
eiciel $FOLDERPATH
fi
if [ "$ACTION" = "add" ] && [ "$TARGET" = "user" ]; then
setfacl -R -m u:"$USER":rx "$FOLDERPATH"
setfacl -R -d -m u:"$USER":rx "$FOLDERPATH"
fi
if [ "$ACTION" = "add" ] && [ "$TARGET" = "group" ]; then
setfacl -R -m g:"$GROUP":rx "$FOLDERPATH"
setfacl -R -d -m g:"$GROUP":rx "$FOLDERPATH"
fi
if [ "$ACTION" = "remove" ] && [ "$TARGET" = "user" ]; then
setfacl -R -x u:"$USER" "$FOLDERPATH"
setfacl -R -d -x u:"$USER" "$FOLDERPATH"
fi
if [ "$ACTION" = "remove" ] && [ "$TARGET" = "group" ]; then
setfacl -R -x g:"$GROUP" "$FOLDERPATH"
setfacl -R -d -x g:"$GROUP" "$FOLDERPATH"
fi

198
Tools/adduserutil Executable file
View File

@@ -0,0 +1,198 @@
#!/bin/bash
#Funtions
Help()
{
# Display Help
echo "Add user to backupserver"
echo
echo "Syntax: adduserutil [-a|v|s|ts] <NewUserName>"
echo "options:"
echo "-h, --help Print this Help."
echo
echo "Set user type for new user"
echo "-a, --admin #Backup Admin"
echo "-v, --viewer #Backup Viewer "
echo "-s, --source #Backup Source (ex:a webserver)"
echo
echo "Set backup source options for new user"
echo "-ts, --sftp #Backup source will use sftp/rsync to upload files"
echo "-tf, --ftp #Backup source will use ftp to upload files"
echo
}
Keyer()
{
echo 'Please paste in the public ssh key without ""'
read sshkey
echo
echo
echo "The following key was received"
echo "$sshkey"
echo
while true; do
read -p "Is this key correct? " yn
case $yn in
[Yy]* ) break;;
[Nn]* ) exit;;
* ) echo "Please answer yes or no.";;
esac
done
}
#Input Handeler
POSITIONAL=()
while [[ $# -gt 0 ]]
do
key="$1"
case $key in
-h | --help)
Help
exit
;;
-v | --viewer)
USERTYPE=viewer
shift
;;
-a |--admin)
USERTYPE=admin
shift
;;
-s|--source)
USERTYPE=source
shift
;;
-tf|--ftp )
UPTYPE=FTP
shift
;;
-ts|--sftp )
UPTYPE=SFTP
shift
;;
*) # unknown option
POSITIONAL+=("$1") # save it in an array for later
shift # past argument
;;
esac
done
set -- "${POSITIONAL[@]}" # restore positional parameters
username="$1"
#Input Check
if [ -z "$username" ]
then
echo "Please provide a username"
echo "For more information type adduserutil -h"
echo
exit
fi
if [ "$username" = "root" ]; then
echo "Root is not allowed"
exit
fi
getent passwd $username > /dev/null
if [ $? -eq 0 ]; then
echo "This username already exists"
exit
fi
if [ -z "$USERTYPE" ]
then
echo "Please provide user type"
echo "For more information type adduserutil -h"
echo
exit
fi
if [ "$USERTYPE" = "source" ]; then
if [ -z "$UPTYPE" ]
then
echo "Please provide upload methode"
echo "For more information type adduserutil -h"
echo
exit
fi
fi
#Confirmation before setting user
echo "Create user with the following information"
echo "Username: $username"
echo "User type: $USERTYPE"
if [ "$USERTYPE" = "source" ]; then
echo "Upload methode $UPTYPE"
fi
while true; do
read -p "Do you wish to add this user? " yn
case $yn in
[Yy]* ) break;;
[Nn]* ) exit;;
* ) echo "Please answer yes or no.";;
esac
done
#Add Admin user
if [ "$USERTYPE" = "admin" ]; then
Keyer
useradd -g BCKadmin -s /bin/bash -m -d /home/"$username" "$username"
passwd --expire -d "$username"
sudo -u "$username" mkdir /home/$username/.ssh
echo "$sshkey" | sudo -u "$username" tee /home/"$username"/.ssh/authorized_keys
fi
#Add Viewer user
if [ "$USERTYPE" = "viewer" ]; then
Keyer
useradd -g BCKviewer -s /usr/sbin/nologin -d / "$username"
mkdir -p /vhome/"$username"/.ssh
mkdir -p /vhome/"$username"/backups
chown root: /vhome/"$username"
chmod 755 /vhome/"$username"
chown root: /vhome/"$username"
chown -R $username: /vhome/"$username"/.ssh
chmod 750 -R /vhome/"$username"/.ssh
echo "$sshkey" | sudo -u "$username" tee /vhome/"$username"/.ssh/authorized_keys
echo "/backups /vhome/$username/backups none defaults,bind 0 0" >>/etc/fstab
mount -a
fi
#Add sftp source user
if [ "$USERTYPE" = "source" ] && [ "$UPTYPE" = "SFTP" ]; then
Keyer
mkdir -p /backups/sftp/"$username"
useradd -M -N -r "$username"
usermod -g sftpusers "$username"
python3 /opt/grequalizer/grequalizer.py /opt/grequalizer/conf/grequalizer-sftp.conf -O
mkdir -p /backups/sftp/"$username"/home/.ssh
echo "$sshkey" > /backups/sftp/"$username"/home/.ssh/authorized_keys
chown -R $username: /backups/sftp/"$username"/home
chmod -R 700 /backups/sftp/"$username"/home
setfacl -R -m g:BCKadmin:rwx /backups/sftp/"$username"/home
setfacl -R -d -m g:BCKadmin:rwx /backups/sftp/"$username"/home
fi
#Add ftp source user
if [ "$USERTYPE" = "source" ] && [ "$UPTYPE" = "FTP" ]; then
password=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 18 | head -n 1)
useradd -M -N -r "$username"
usermod -g ftpusers "$username"
echo "$username" | tee -a /etc/vsftpd.user_list
python3 /opt/grequalizer/grequalizer.py /opt/grequalizer/conf/grequalizer-ftp.conf -O
setfacl -R -m g:BCKadmin:rwx /backups/ftp/"$username"
setfacl -R -d -m g:BCKadmin:rwx /backups/ftp/"$username"
echo $username:$password | chpasswd
echo "The password for $username is: $password"
fi

161
Tools/deluserutil Executable file
View File

@@ -0,0 +1,161 @@
#!/bin/bash
#Funtions
Help()
{
# Display Help
echo "Remove user from backupserver"
echo
echo "Syntax: deluserutil [-a|v|s|ts] <UserName>"
echo "options:"
echo "-h, --help Print this Help."
echo
echo "Define user type for user that shoud be removed"
echo "-a, --admin #Backup Admin"
echo "-v, --viewer #Backup Viewer "
echo "-s, --source #Backup Source (ex:a webserver)"
echo
echo "Set backup source options for new user"
echo "-ts, --sftp #Backup source uses sftp/rsync to upload files"
echo "-tf, --ftp #Backup source uses ftp to upload files"
echo
}
#Input Handeler
POSITIONAL=()
while [[ $# -gt 0 ]]
do
key="$1"
case $key in
-h | --help)
Help
exit
;;
-v | --viewer)
USERTYPE=viewer
shift
shift
;;
-a |--admin)
USERTYPE=admin
shift
;;
-s|--source)
USERTYPE=source
shift
;;
-tf|--ftp )
UPTYPE=FTP
shift
;;
-ts|--sftp )
UPTYPE=SFTP
shift
;;
*) # unknown option
POSITIONAL+=("$1") # save it in an array for later
shift # past argument
;;
esac
done
set -- "${POSITIONAL[@]}" # restore positional parameters
username="$1"
#Input Check
if [ -z "$username" ]
then
echo "Please provide a username"
echo "For more information type deluserutil -h"
echo
exit
fi
if [ "$username" = "root" ]; then
echo "Root is not allowed"
fi
getent passwd $username > /dev/null
if [ $? -eq 2 ]; then
echo "This username does not exists"
exit
fi
if [ -z "$USERTYPE" ]
then
echo "Please provide user type"
echo "For more information type deluserutil -h"
echo
exit
fi
if [ "$USERTYPE" = "source" ]; then
if [ -z "$UPTYPE" ]
then
echo "Please provide upload methode"
echo "For more information type deluserutil -h"
echo
exit
fi
fi
#Confirmation before setting user
echo "Removing the user with the following information"
echo "Username: $username"
echo "User type: $USERTYPE"
if [ "$USERTYPE" = "source" ]; then
echo "Upload methode $UPTYPE"
fi
while true; do
read -p "Do you wish to REMOVE $username? " yn
case $yn in
[Yy]* ) break;;
[Nn]* ) exit;;
* ) echo "Please answer yes or no.";;
esac
done
#Remove Admin user
if [ "$USERTYPE" = "admin" ]; then
userdel -rf $username
fi
#Remove Viewer user
if [ "$USERTYPE" = "viewer" ]; then
umount /vhome/$username/backup
sed -i "/\/$username\//d" /etc/fstab
userdel -f $username
rm -rf /vhome/$username
fi
#Remove sftp source user
if [ "$USERTYPE" = "source" ] && [ "$UPTYPE" = "SFTP" ]; then
while true; do
read -p "Do you wish to REMOVE the backups connected to this user? " yn
case $yn in
[Yy]* ) rm -rf /backups/sftp/"$username" && break;;
[Nn]* ) break;;
* ) echo "Please answer yes or no.";;
esac
done
userdel -f $username
fi
#Remove ftp source user
if [ "$USERTYPE" = "source" ] && [ "$UPTYPE" = "FTP" ]; then
while true; do
read -p "Do you wish to REMOVE the backups connected to this user? " yn
case $yn in
[Yy]* ) rm -rf /backups/ftp/"$username" && break;;
[Nn]* ) break;;
* ) echo "Please answer yes or no.";;
esac
done
sed -i "/\<$username\>/d" /etc/ftpusers
userdel -f $username
fi

156
Tools/ez-aclutil Executable file
View File

@@ -0,0 +1,156 @@
#!/bin/bash
#Funtions
Help()
{
# Display Help
echo
echo "#########################"
echo "# ez ACL_UTIL Help #"
echo "#########################"
echo
echo "Syntax: ezaclutil [-u <username> | -g <groupname> | -av][-a|r] [-f <ftpusername>] [-s <sftpusername>]"
echo "options:"
echo "-h, --help Print this Help."
echo
echo "Get info about set ALC's"
echo "-l, --list #get current ACL rules"
echo
echo "Set user/group for ACL change"
echo "-u <username>, --user <username> #User for ACL change"
echo "-g <groupname>, --group <groupname> #group for ACL change "
echo "-av, --allviewers #Set group to backup viewers (-g not needed)"
echo
echo "Action for ACL rule"
echo "-a, --add #add ACL rule"
echo "-r, --remove #Remove ACL rule"
echo
echo "Set target for ACL change"
echo "-f <ftpusername>, --ftp <ftpusername> #User for ACL change"
echo "-s <sftpusername>, --sftp <sftpusername> #group for ACL change "
echo
}
#Input Handeler
POSITIONAL=()
while [[ $# -gt 0 ]]
do
key="$1"
case $key in
-h | --help)
Help
exit
;;
-u | --user)
TARGET=user
USER=$2
shift
shift
;;
-g | --group)
TARGET=group
GROUP=$2
shift
shift
;;
-a | --add)
ACTION=add
shift
;;
-r | --remove)
ACTION=remove
shift
;;
-l | --list)
ACTION=list
shift
;;
-lg | --listgui)
ACTION=listgui
shift
;;
-av | --allviewers)
TARGET=group
GROUP=BCKviewer
shift
;;
-f | --ftp)
FOLDERPATH="/backups/ftp/$2"
shift
shift
;;
-s | --sftp)
FOLDERPATH="/backups/sftp/$2/home"
shift
shift
;;
*) # unknown option
POSITIONAL+=("$1") # save it in an array for later
shift # past argument
;;
esac
done
set -- "${POSITIONAL[@]}" # restore positional parameters
#input Validation
##Action flag
if [ -z ${ACTION+x} ]; then echo "Incorrect or missing parameter(s)" && Help && exit; fi
##Target Flag
if [ "$ACTION" = "remove" ] || [ "$ACTION" = "add" ]; then
if [ -z ${TARGET+x} ]; then echo "Incorrect or missing parameter(s)" && Help && exit; fi
##User flag
if [ "$TARGET" = "user" ] && [ -z $USER ]; then
echo "User name not specified"
exit
fi
##Group flag
if [ "$TARGET" = "group" ] && [ -z $GROUP ]; then
echo "Group name not specified"
exit
fi
fi
##Path
if [ -z $FOLDERPATH ]; then echo "Target backup not specified" && exit; fi
if [ ! -d "$FOLDERPATH" ] && [ ! -f "$FOLDERPATH" ]; then
echo "Target backup not found"
fi
#Script
if [ "$ACTION" = "list" ]; then
getfacl $FOLDERPATH
fi
if [ "$ACTION" = "listgui" ]; then
echo "If gui did not start make sure X11 forwarding is enabled"
echo "and eiciel it is installed"
eiciel $FOLDERPATH
fi
if [ "$ACTION" = "add" ] && [ "$TARGET" = "user" ]; then
setfacl -R -m u:"$USER":rx "$FOLDERPATH"
setfacl -R -d -m u:"$USER":rx "$FOLDERPATH"
fi
if [ "$ACTION" = "add" ] && [ "$TARGET" = "group" ]; then
setfacl -R -m g:"$GROUP":rx "$FOLDERPATH"
setfacl -R -d -m g:"$GROUP":rx "$FOLDERPATH"
fi
if [ "$ACTION" = "remove" ] && [ "$TARGET" = "user" ]; then
setfacl -R -x u:"$USER" "$FOLDERPATH"
setfacl -R -d -x u:"$USER" "$FOLDERPATH"
fi
if [ "$ACTION" = "remove" ] && [ "$TARGET" = "group" ]; then
setfacl -R -x g:"$GROUP" "$FOLDERPATH"
setfacl -R -d -x g:"$GROUP" "$FOLDERPATH"
fi

36
config/grequalizer-ftp.conf Normal file
View File

@@ -0,0 +1,36 @@
# Variables: $u: login name, $h: users home, $g: users primary group name
[main]
home_path = /backups/ftp/$u
simulate = no
limit_to_primary_group = yes
primary_group_name = ftpusers
minimum_users_count = 1
[home_existence]
check = yes
correct = yes
[home_permissions]
check = yes
correct = yes
octal_permissions = 750
[home_owner]
check = yes
correct = yes
owner = $u
[home_group]
check = yes
correct = yes
group = root
[user_home]
check = yes
correct = yes
home_path = /
[user_shell]
check = yes
correct = yes
shell = /usr/bin/ftponly

47
config/grequalizer-sftp.conf Normal file
View File

@@ -0,0 +1,47 @@
# Variables: $u: login name, $h: users home, $g: users primary group name
[main]
home_path = /backups/sftp/$u
simulate = no
limit_to_primary_group = yes
primary_group_name = sftpusers
minimum_users_count = 1
[home_existence]
check = yes
correct = yes
#[home_permissions]
#check = yes
#correct = yes
#octal_permissions = 755
[home_owner]
check = yes
correct = yes
owner = root
[home_group]
check = yes
correct = yes
group = root
[user_home]
check = yes
correct = yes
home_path = /home
[user_shell]
check = yes
correct = yes
shell = /usr/bin/rssh
[home_files]
check = yes
correct = yes
file_list = /opt/grequalizer/conf/files_to_chroots.txt
[home_binaries_with_libs]
check = yes
correct = yes
file_list = /opt/grequalizer/conf/binaries_to_chroots.txt

3
config/rssh_append.conf Normal file
View File

@@ -0,0 +1,3 @@
allowscp
allowsftp
allowrsync

14
config/sshd_append.conf Normal file
View File

@@ -0,0 +1,14 @@
DenyGroups ftpusers
Match group sftpusers
ChrootDirectory /backups/sftp/%u
AuthorizedKeysFile /backups/sftp/%u/%h/.ssh/authorized_keys
X11Forwarding no
AllowTcpForwarding no
Match Group BCKviewer
ChrootDirectory /vhome/%u
AuthorizedKeysFile /vhome/%u/.ssh/authorized_keys
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no

1
config/sudo.conf Normal file
View File

@@ -0,0 +1 @@
%BCKadmin ALL=(root) /tools/adduserutil, /tools/deluserutil, /tools/aclutil, /tools/ez-aclutil

25
config/vsftpd.conf Normal file
View File

@@ -0,0 +1,25 @@
listen=NO
listen_ipv6=YES
anonymous_enable=NO
local_enable=YES
write_enable=YES
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
chroot_local_user=YES
chroot_local_user=YES
secure_chroot_dir=/var/run/vsftpd/empty
allow_writeable_chroot=YES
pam_service_name=ftp
user_sub_token=$USER
local_root=/backups/ftp/$USER
userlist_enable=YES
userlist_file=/etc/vsftpd.user_list
userlist_deny=NO
pasv_min_port=30000
pasv_max_port=31000
#Certificate/SSL
rsa_cert_file=/etc/ssl/private/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=yes

62
setup.sh Normal file
View File

@@ -0,0 +1,62 @@
mrepo=https://git.ictmaatwerk.com/VPS-scripts/UBU-Backup-SRV
mbranch=master
#install needed packages
apt install rssh vsftpd openssh-server -y
apt-get install --no-install-recommends eiciel
#Setup groups
groupadd sftpusers
groupadd ftpusers
groupadd BCKviewer
groupadd BCKadmin
#setup Folders
mkdir -p /backups/ftp/
mkdir -p /backups/sftp/
mkdir -p /vhome
mkdir /tools
#setup tools
wget -q -t7 "$mrepo"/raw/branch/"$mbranch"/Tools/aclutil -O /tools/aclutil
wget -q -t7 "$mrepo"/raw/branch/"$mbranch"/Tools/adduserutil -O /tools/adduserutil
wget -q -t7 "$mrepo"/raw/branch/"$mbranch"/Tools/deluserutil -O /tools/deluserutil
wget -q -t7 "$mrepo"/raw/branch/"$mbranch"/Tools/ez-aclutil -O /tools/ez-aclutil
chmod 700 /tools/deluserutil
chmod 700 /tools/adduserutil
chmod 700 /tools/aclutil
chmod 700 /tools/ez-aclutil
#SSH Config
sed -i -e '/Subsystem\ssftp/c\Subsystem sftp internal-sftp' /etc/ssh/sshd_config
curl --silent --show-error "$mrepo"/raw/branch/"$mbranch"/config/sshd_append.conf >>/etc/ssh/sshd_config
#rssh Config
curl --silent --show-error "$mrepo"/raw/branch/"$mbranch"/config/rssh_append.conf >>/etc/rssh.conf
#vsftp Config
openssl req -new -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem -subj "/C=NL/ST=Gelderland/L=Arnhem/O=ICT Maatwerk B.V./CN=$(hostname -f)"
wget -q -t7 "$mrepo"/raw/branch/"$mbranch"/config/vsftpd.conf -O /etc/vsftpd.conf
#sudo Config
wget -q -t7 "$mrepo"/raw/branch/"$mbranch"/config/sudo.conf -O /etc/sudoers.d/BCKadmin
#Setup grequalizer
git clone https://github.com/lpirl/grequalizer.git /opt/grequalizer
mkdir /opt/grequalizer/conf/
echo "/opt/grequalizer" > /opt/grequalizer/conf/files_to_chroots.txt
echo "/usr/bin/rsync" > /opt/grequalizer/conf/binaries_to_chroots.txt
echo "/usr/bin/rssh" >> /opt/grequalizer/conf/binaries_to_chroots.txt
wget -q -t7 "$mrepo"/raw/branch/"$mbranch"/config/grequalizer-sftp.conf -O /opt/grequalizer/conf/grequalizer-sftp.conf
wget -q -t7 "$mrepo"/raw/branch/"$mbranch"/config/grequalizer-ftp.conf -O /opt/grequalizer/conf/grequalizer-ftp.conf
#UFW Config
##FTP
ufw allow 20:21/tcp
ufw allow 30000:31000/tcp
#SSH/SFTP
ufw limit 22/tcp
echo "y" | ufw enable
#Restarting and enableing services
systemctl enable vsftpd sshd
systemctl restart vsftpd sshd