Fix issues #128 #129 + improvements

joglomedia · Feb 17, 2022 · bf6acbf · bf6acbf
1 parent dbf9836
commit bf6acbf
Show file tree

Hide file tree

Showing 4 changed files with 70 additions and 25 deletions.
diff --git a/.env.dist b/.env.dist
@@ -276,6 +276,10 @@ VSFTPD_VERSION="3.0.5"
 # Enable FTP over TLS.
 VSFTPD_SSL_ENABLE=true
 
+# Range of passv ports.
+FTP_MIN_PORT=45000
+FTP_MAX_PORT=45099
+
 [dns]
 # TODO: Install DNS server.
 
@@ -284,12 +288,13 @@ VSFTPD_SSL_ENABLE=true
 INSTALL_MAILER=true
 INSTALL_SPFDKIM=true
 
-# Sender domain is required, default sets to hostname.
-# Ensure that the hostname/sender domain already pointed to this server IP address.
-SENDER_DOMAIN="example.com"
+# Sender domain is required, if left empty it will be sets to the default hostname domain.
+# Ensure that the hostname or sender domain already pointed to this server IP address.
+SENDER_DOMAIN=""
 
 [certbot]
 INSTALL_CERTBOT=true
+HOSTNAME_CERT_PATH=""
 
 [firewall]
 INSTALL_FW=true

diff --git a/scripts/install_vsftpd.sh b/scripts/install_vsftpd.sh
@@ -163,16 +163,20 @@ function init_vsftpd_install() {
         echo "Configuring FTP server (VSFTPD)..."
 
         if [[ "${DRYRUN}" != true ]]; then
+            FTP_MIN_PORT=${FTP_MIN_PORT:-45000}
+            FTP_MAX_PORT=${FTP_MAX_PORT:-45099}
+
             # Backup default vsftpd conf.
-            [[ -f /etc/vsftpd.conf ]] && \
+            if [[ -f /etc/vsftpd.conf ]]; then
                 run mv /etc/vsftpd.conf /etc/vsftpd.conf.bak
-
+            fi
+
             run touch /etc/vsftpd.conf
 
-            # Enable jail
+            # Enable jail mode.
             cat > /etc/vsftpd.conf <<EOL
-listen=NO
-listen_ipv6=YES
+listen=YES
+listen_ipv6=NO
 anonymous_enable=NO
 local_enable=YES
 write_enable=YES
@@ -188,14 +192,21 @@ pam_service_name=vsftpd
 force_dot_files=YES
 
 pasv_enable=YES
-pasv_min_port=40000
-pasv_max_port=50000
+pasv_min_port=${FTP_MIN_PORT}
+pasv_max_port=${FTP_MAX_PORT}
+#pasv_address=${SERVER_IP}
+#pasv_addr_resolve=YES
 
-user_sub_token=${USER}
-local_root=/home/${USER}
+user_sub_token=\$USER
+local_root=/home/\$USER
+
+userlist_enable=YES
+userlist_file=/etc/vsftpd.userlist
+userlist_deny=NO
 EOL
 
             # Enable SSL.
+            # TODO: Change the self-signed certificate with a valid Let's Encrypt certificate.
             if [[ "${VSFTPD_SSL_ENABLE}" == true ]]; then
                 cat >> /etc/vsftpd.conf <<EOL
 
@@ -213,6 +224,23 @@ rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
 rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
 EOL
             fi
+
+            # If using elastic IP (such as AWS EC2), set the server IP.
+            if [[ "${SERVER_IP}" != "$(get_ip_private)" ]]; then
+                run sed -i "s|^#pasv_address=.*|pasv_address=${SERVER_IP}|g" /etc/vsftpd.conf
+                run sed -i "s|^#pasv_addr_resolve=.*|pasv_addr_resolve=YES|g" /etc/vsftpd.conf
+            fi
+
+            # If Let's Encrypt SSL certificate is issued for hostname, set the certificate.
+            if [[ -n "${HOSTNAME_CERT_PATH}" && -f "${HOSTNAME_CERT_PATH}/fullchain.pem" ]]; then
+                run sed -i "s|^rsa_cert_file=[^[:digit:]]*$|rsa_cert_file=${HOSTNAME_CERT_PATH}/fullchain.pem|g" /etc/vsftpd.conf
+                run sed -i "s|^rsa_private_key_file=[^[:digit:]]*$|rsa_private_key_file=${HOSTNAME_CERT_PATH}/privkey.pem|g" /etc/vsftpd.conf
+            fi
+
+            # Add default LEMPer Stack user to vsftpd.userlist.
+            LEMPER_USERNAME=${LEMPER_USERNAME:-lemper}
+            run touch /etc/vsftpd.userlist
+            run bash -c "echo '${LEMPER_USERNAME}' | tee -a /etc/vsftpd.userlist"
         fi
 
         # Add systemd service.
@@ -221,7 +249,7 @@ EOL
         [[ ! -f /etc/systemd/system/multi-user.target.wants/vsftpd.service ]] && \
             run ln -s /lib/systemd/system/vsftpd.service /etc/systemd/system/multi-user.target.wants/vsftpd.service
 
-        # Restart Fail2ban daemon.
+        # Restart vsftpd daemon.
         echo "Restarting FTP server (VSFTPD)..."
         run systemctl unmask vsftpd
         run systemctl restart vsftpd

diff --git a/scripts/remove_vsftpd.sh b/scripts/remove_vsftpd.sh
@@ -61,11 +61,15 @@ function init_vsftpd_removal() {
     if [[ "${REMOVE_VSFTPD_CONFIG}" == y* || "${REMOVE_VSFTPD_CONFIG}" == Y* ]]; then
         [[ -f /etc/vsftpd.conf ]] && run rm -f /etc/vsftpd.conf
         [[ -f /etc/vsftpd.conf.bak ]] && run rm -f /etc/vsftpd.conf.bak
+        [[ -f /etc/vsftpd.userlist ]] && run rm -f /etc/vsftpd.userlist
+
         echo "All configuration files deleted permanently."
     fi
 
     # Final test.
     if [[ "${DRYRUN}" != true ]]; then
+        run systemctl daemon-reload
+
         if [[ -z $(command -v vsftpd) ]]; then
             success "FTP server (VSFTPD) removed succesfully."
         else

diff --git a/scripts/secure_server.sh b/scripts/secure_server.sh
@@ -187,6 +187,7 @@ function install_ufw() {
     # Install UFW
     run apt-get install -qq -y ufw
 
+    # UFW app rules is here /etc/ufw/applications.d
     if [[ -n $(command -v ufw) ]]; then
         echo "Configuring UFW firewall rules..."
 
@@ -214,25 +215,30 @@ function install_ufw() {
 
         # Open FTP ports.
         if [[ "${INSTALL_VSFTPD}" == true ]]; then
+            FTP_MIN_PORT=${FTP_MIN_PORT:-45000}
+            FTP_MAX_PORT=${FTP_MAX_PORT:-45099}
+
             run ufw allow 20/tcp
             run ufw allow 21/tcp
-            run ufw allow 990/tcp # For TLS enabled.
-            run ufw allow 40000:50000/tcp # The range of passive ports.
+            # For TLS enabled.
+            run ufw allow 990/tcp
+            # The range of passive ports.
+            run ufw allow "${FTP_MIN_PORT}:${FTP_MAX_PORT}/tcp"
         fi
 
-        # Open SMTPs port.
-        run ufw allow 25
-        run ufw allow 465
-        run ufw allow 587
-
         if [[ "${INSTALL_MAILER}" == true ]]; then
+            # Open SMTPs port.
+            run ufw allow 25/tcp
+            run ufw allow 465/tcp
+            run ufw allow 587/tcp
+
             # Open IMAPs ports.
-            run ufw allow 143
-            run ufw allow 993
+            run ufw allow 143/tcp
+            run ufw allow 993/tcp
 
             # Open POP3s ports.
-            run ufw allow 110
-            run ufw allow 995
+            run ufw allow 110/tcp
+            run ufw allow 995/tcp
         fi
 
         # Open DNS port.
@@ -318,7 +324,9 @@ function install_csf() {
 
         # Open FTP ports.
         if [[ "${INSTALL_VSFTPD}" == true ]]; then
-            CSF_ALLOW_PORTS="${CSF_ALLOW_PORTS},20,21,990,40000:50000"
+            FTP_MIN_PORT=${FTP_MIN_PORT:-45000}
+            FTP_MAX_PORT=${FTP_MAX_PORT:-45099}
+            CSF_ALLOW_PORTS="${CSF_ALLOW_PORTS},20,21,990,${FTP_MIN_PORT}:${FTP_MAX_PORT}"
         fi
 
         # Allowed incoming TCP ports.