daily

aelsharawi · Mar 28, 2017 · 172f049 · 172f049
1 parent 9df0131
commit 172f049
Show file tree

Hide file tree

Showing 14 changed files with 110 additions and 95 deletions.
diff --git a/README.md b/README.md
@@ -68,8 +68,8 @@ See https://github.com/szepeviktor/wordpress-speedtest/blob/master/README.md#how
 ### Install your own SSH key
 
 ```bash
-S="${HOME}/.ssh";mkdir --mode 0700 "$S";editor "${S}/authorized_keys2"
-ssh-keygen -v -l -f "${S}/authorized_keys2"
+S="${HOME}/.ssh";mkdir --mode 0700 "$S";editor "${S}/authorized_keys"
+ssh-keygen -v -l -f "${S}/authorized_keys"
 ```
 
 Parameters
@@ -81,8 +81,8 @@ no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please l
 ### Install a user's SSH key
 
 ```bash
-u bash -c 'S="${HOME}/.ssh";mkdir --mode 0700 "$S";editor "${S}/authorized_keys2"'
-U="$(stat -c %U .)";S="$(getent passwd $U|cut -d: -f6)/.ssh";mkdir -m 0700 "$S";editor "${S}/authorized_keys2";chown -R $U:$U "$S"
+u bash -c 'S="${HOME}/.ssh";mkdir --mode 0700 "$S";editor "${S}/authorized_keys"'
+U="$(stat -c %U .)";S="$(getent passwd $U|cut -d: -f6)/.ssh";mkdir -m 0700 "$S";editor "${S}/authorized_keys";chown -R $U:$U "$S"
 ```
 
 ### Retrieve public key from private key

diff --git a/debian-setup/adduser b/debian-setup/adduser
@@ -15,10 +15,10 @@ if [ -z "$(getent passwd "$U")" ]; then
     # Add SSH key
     SSH_DIR="${HOME_DIR}/.ssh"
     mkdir --mode 0700 "$SSH_DIR"
-    echo "$SSH_KEY" > "${SSH_DIR}/authorized_keys2"
+    echo "$SSH_KEY" > "${SSH_DIR}/authorized_keys"
     chown -R "${U}:${U}" "$SSH_DIR"
     # Display fingerprint
-    ssh-keygen -l -v -f "${SSH_DIR}/authorized_keys2"
+    ssh-keygen -l -v -f "${SSH_DIR}/authorized_keys"
 
     # Add to sudoers
     adduser "$U" sudo

diff --git a/monitoring/dns-watch.sh b/monitoring/dns-watch.sh
@@ -52,8 +52,7 @@ MAX_FAILURES="3"
 
 DAEMON="dns-watch"
 DNS_WATCH_RC="/etc/dnswatchrc"
-DNS_WATCH=( )
-source "$DNS_WATCH_RC"
+declare -a DNS_WATCH
 
 # Return all RR-s
 Dnsquery_multi() {
@@ -226,6 +225,8 @@ Is_ipv4() {
     [[ "$TOBEIP" =~ ^${OCTET}\.${OCTET}\.${OCTET}\.${OCTET}$ ]]
 }
 
+source "$DNS_WATCH_RC"
+
 Is_online
 
 # Display answers

diff --git a/monitoring/domain-expiry.sh b/monitoring/domain-expiry.sh
@@ -69,13 +69,13 @@ Server_domain() {
     hostname -f
 }
 
-set -e
-
 DAEMON="domain-expiry"
 DOMAIN_EXPIRY_RC="/etc/domainexpiryrc"
 DOMAIN_EXPIRY_ALERT_DATE="2 weeks"
 declare -a DOMAIN_EXPIRY
 
+set -e
+
 logger -t "$DAEMON" "Domain expiry started"
 
 # shellcheck disable=SC1090

diff --git a/monitoring/init-alert/debian/init-alert.init b/monitoring/init-alert/debian/init-alert.init
@@ -43,7 +43,7 @@ do_start() {
   fi
 
   if printf "Host FULLY BOOTED at %s\n\n%s\n\n%s\n" "$(date -R)" "$(last -x -n 10)" "$(COLUMNS=120 pstree -aA)" \
-    | mailx -s "Host $(hostname -f) is BOOTED" ${INIT_ALERT_MAIL}; then
+    | mailx -s "Host is BOOTED: $(hostname -f)" ${INIT_ALERT_MAIL}; then
     # Wait for message delivery
     sleep 5
     return 0
@@ -63,7 +63,7 @@ do_stop() {
   fi
 
   if printf "Host HALTED at %s\n\n%s\n" "$(date -R)" "$(COLUMNS=120 w --ip-addr)" \
-    | mailx -s "Host $(hostname -f) is HALTED" ${INIT_ALERT_MAIL}; then
+    | mailx -s "Host is HALTED: $(hostname -f)" ${INIT_ALERT_MAIL}; then
     # Wait for message delivery
     sleep 5
     return 0
@@ -75,7 +75,7 @@ do_stop() {
 case "$1" in
 
   start)
-    [ "$VERBOSE" != no ] && log_daemon_msg "Sending alert" "$NAME"
+    [ "$VERBOSE" != no ] && log_daemon_msg "Sending start alert" "$NAME"
     do_start
     case "$?" in
       0|1)
@@ -88,7 +88,7 @@ case "$1" in
     ;;
 
   stop)
-    [ "$VERBOSE" != no ] && log_daemon_msg "Sending alert" "$NAME"
+    [ "$VERBOSE" != no ] && log_daemon_msg "Sending stop alert" "$NAME"
     do_stop
     case "$?" in
       0|1)

diff --git a/monitoring/ssh-watch.sh b/monitoring/ssh-watch.sh
@@ -2,7 +2,7 @@
 #
 # Check SSH connection.
 #
-# VERSION       :0.1.6
+# VERSION       :0.1.7
 # DATE          :2015-11-12
 # AUTHOR        :Viktor Szépe <viktor@szepe.net>
 # URL           :https://github.com/szepeviktor/debian-server-tools
@@ -31,7 +31,7 @@
 # Host names should have only DNS A records.
 
 DAEMON="ssh-watch"
-SSH_WATCH_RC="/etc/ssh-watchrc"
+SSH_WATCH_RC="/etc/sshwatchrc"
 
 # Defaults
 SKIP_HOST=""
@@ -40,7 +40,7 @@ ALERT_ADDRESS="admin@szepe.net"
 ALWAYS_ONLINE="8.8.8.8"
 INTERNET_IF="eth0"
 RETRY_TIME="40"
-SSH_WATCH=( )
+declare -a SSH_WATCH=( )
 
 Log() {
     local MESSAGE="$1"

diff --git a/monitoring/ssl-check b/monitoring/ssl-check
@@ -0,0 +1,68 @@
+#!/bin/bash
+#
+# Check SSL secured services.
+#
+# VERSION       :0.1.0
+# DATE          :2017-03-28
+# AUTHOR        :Viktor Szépe <viktor@szepe.net>
+# LICENSE       :The MIT License (MIT)
+# URL           :https://github.com/szepeviktor/debian-server-tools
+# BASH-VERSION  :4.2+
+# LOCATION      :/usr/local/bin/ssl-check
+# CRON-DAILY    :/usr/local/bin/ssl-check
+
+# Configuration syntax
+#
+#     SSL_CHECK=(
+#       HOSTNAME:PORT[:STARTTLS]
+#       szepe.net:587:smtp
+#       szepe.net:465
+#     )
+
+DAEMON="ssl-check"
+SSL_CHECK_RC="/etc/sslcheckrc"
+
+# Defaults
+declare -a SSL_CHECK
+
+Remove_known_ssl_values() {
+    grep -vFx "issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3" \
+    | grep -vFx "issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA" \
+    | grep -vFx "Server public key is 2048 bit" \
+    | grep -vFx "Secure Renegotiation IS supported" \
+    | grep -vFx "    Protocol  : TLSv1.2" \
+    | grep -vFx "    Cipher    : ECDHE-RSA-AES128-GCM-SHA256" \
+    | grep -vFx "    Cipher    : ECDHE-RSA-AES256-GCM-SHA384" \
+    # Keeping last backslash inactive
+}
+
+set -e
+
+# shellcheck disable=SC1090
+source "$SSL_CHECK_RC"
+
+# Check hosts
+for SERVICE in "${SSL_CHECK[@]}"; do
+    HOST="$(cut -d ":" -f 1 <<< "$SERVICE")"
+    PORT="$(cut -d ":" -f 2 <<< "$SERVICE")"
+    STARTTLS="$(cut -d ":" -f 3 <<< "$SERVICE")"
+    SSL_ARGS=""
+
+    # Optional STARTTLS
+    if [ -n "$STARTTLS" ]; then
+        SSL_ARGS="-starttls ${STARTTLS}"
+    fi
+
+    # Support SNI
+    # shellcheck disable=SC2086
+    SSL_OUTPUT="$(timeout 40 openssl s_client -purpose "sslserver" -verify_return_error \
+        -connect "${HOST}:${PORT}" -servername "$HOST" ${SSL_ARGS} \
+        < /dev/null 2> /dev/null \
+        | grep -E "^(issuer=|Server public key is|Secure Renegotiation|    Protocol  :|    Cipher    :|    Verify return code:)" \
+        | Remove_known_ssl_values)"
+    if [ "$SSL_OUTPUT" != "    Verify return code: 0 (ok)" ]; then
+        echo "${DAEMON}: Unexpected output for ${SERVICE}" 1>&2
+    fi
+done
+
+exit 0
diff --git a/monitoring/super-ping-servers.txt b/monitoring/super-ping-servers.txt
diff --git a/security/cert-update-req-CN.sh b/security/cert-update-req-CN.sh
@@ -43,6 +43,7 @@
 #     default_md = sha256
 #     distinguished_name = req_distinguished_name
 #     req_extensions = v3_req
+#     oid_section = new_oids
 #
 #     [ req_distinguished_name ]
 #     CN = EDIT
@@ -52,6 +53,13 @@
 #     O = EDIT
 #     emailAddress = EDIT
 #
+#     [ new_oids ]
+#     # http://oid-info.com/get/2.5.4.17
+#     postalCode = 2.5.4.17
+#     streetAddress = 2.5.4.9
+#     jurisdictionOfIncorporationCountryName = 1.3.6.1.4.1.311.60.2.1.3
+#     businessCategory = 2.5.4.15
+#
 #     [ v3_req ]
 #     subjectAltName = @alt_names
 #
@@ -90,6 +98,8 @@ cd "$CERT_DIR"
 
 # Generate private key
 openssl genrsa -out "$PRIV" 2048
+# https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Supported_elliptic_curves
+# ECC: openssl ecparam -out "$PRIV" -name prime256v1 -genkey
 openssl rsa -in "$PRIV" -noout -text
 read -r -s -n 1 -p "Check private key and press any key ..."
 

diff --git a/security/ssl-check b/security/ssl-check
diff --git a/tools/add-user.sh b/tools/add-user.sh
@@ -95,7 +95,7 @@ main() {
     mkdir --mode 0700 "$SSH_DIR"
 
     # File that contains the user's public keys for authentication
-    SSH_AUTHKEYS="${SSH_DIR}/authorized_keys2"
+    SSH_AUTHKEYS="${SSH_DIR}/authorized_keys"
 
     # Is stdin a TTY?
     if [[ -t 0 ]]; then

diff --git a/webserver/Apache-SSL.md b/webserver/Apache-SSL.md
@@ -10,15 +10,16 @@ cat /proc/sys/kernel/random/entropy_avail
 
 https://wiki.mozilla.org/Security/Server_Side_TLS
 
-- Entropy source
-- Protocol
-- Ciphersuites
-- DH Parameters
-- SSL session cache
-- OCSP Stapling
+- ECDSA certificate **Speed!**
+- Entropy source **Speed!**
+- Protocol **TLS1.2 Speed!**
+- Ciphersuites **AES-NI Speed!**
+- DH parameters
+- SSL session cache **Speed!**
+- OCSP stapling **Speed!**
 - SNI
 - HSTS
-- HTTP/2
+- HTTP/2 **Speed!**
 
 [Current master in Debian](https://anonscm.debian.org/cgit/pkg-apache/apache2.git/tree/debian/config-dir/mods-available/ssl.conf)
 

diff --git a/webserver/add-site.sh b/webserver/add-site.sh
@@ -29,8 +29,8 @@ echo "${U}@$(hostname -f): webmaster@$(hostname -d)" >> /etc/courier/aliases/sys
 makealiases
 
 # * Install SSH key
-S="$(getent passwd "$U"|cut -d: -f6)/.ssh";mkdir --mode 0700 "$S";touch "${S}/authorized_keys2";chown -R ${U}:${U} "$S"
-editor "${S}/authorized_keys2"
+S="$(getent passwd "$U"|cut -d: -f6)/.ssh";mkdir --mode 0700 "$S";touch "${S}/authorized_keys";chown -R ${U}:${U} "$S"
+editor "${S}/authorized_keys"
 # * Git URL
 echo "ssh://${U}@${DOMAIN}:SSH-PORT/home/${U}/dev.git"
 

diff --git a/webserver/apache-conf-available/ssl-mozilla-intermediate.default b/webserver/apache-conf-available/ssl-mozilla-intermediate.default
@@ -88,8 +88,9 @@
     # Prevent CRIME attack
     SSLCompression off
 
-    # @FIXME https://github.com/mozilla/server-side-tls/issues/135
-    #SSLSessionTickets off
+    # Using them without restarting the web server
+    # with an appropriate frequency (e.g. daily) compromises perfect forward secrecy.
+    SSLSessionTickets on
 
     # OCSP Stapling (could also be in every virtual host)
     SSLUseStapling On