jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Only use ssh port 202 with caas

Browse Source
This commit is contained in:
Johannes
2016-10-24 15:56:24 +02:00
parent e700eb1551
commit 8efa75e5d6
1 changed files with 12 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
baseimage/initializeBaseUbuntuImage.sh
View File

@@ -45,7 +45,12 @@ iptables -P OUTPUT ACCEPT
# NOTE: keep these in sync with src/apps.js validatePortBindings # NOTE: keep these in sync with src/apps.js validatePortBindings
# allow ssh, http, https, ping, dns # allow ssh, http, https, ping, dns
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m tcp -m multiport --dports 25,80,202,443,587,993,4190 -j ACCEPT # caas has ssh on port 202
if [[ "${PROVIDER}" == "caas" ]]; then
iptables -A INPUT -p tcp -m tcp -m multiport --dports 25,80,202,443,587,993,4190 -j ACCEPT
else
iptables -A INPUT -p tcp -m tcp -m multiport --dports 25,80,22,443,587,993,4190 -j ACCEPT
fi
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT iptables -A INPUT -p udp --sport 53 -j ACCEPT
@@ -292,12 +297,16 @@ setfacl -n -m u:${USER}:r /var/log/journal/*/system.journal
echo "==== Install ssh ===" echo "==== Install ssh ==="
apt-get -y install openssh-server apt-get -y install openssh-server
# https://stackoverflow.com/questions/4348166/using-with-sed on why ? must be escaped # https://stackoverflow.com/questions/4348166/using-with-sed on why ? must be escaped
sed -e 's/^#\?Port .*/Port 202/g' \ sed -e 's/^#\?PermitRootLogin .*/PermitRootLogin without-password/g' \
-e 's/^#\?PermitRootLogin .*/PermitRootLogin without-password/g' \
-e 's/^#\?PermitEmptyPasswords .*/PermitEmptyPasswords no/g' \ -e 's/^#\?PermitEmptyPasswords .*/PermitEmptyPasswords no/g' \
-e 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/g' \ -e 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/g' \
-i /etc/ssh/sshd_config -i /etc/ssh/sshd_config
# caas has ssh on port 202
if [[ "${PROVIDER}" == "caas" ]]; then
sed -e 's/^#\?Port .*/Port 202/g' -i /etc/ssh/sshd_config
fi
# DO uses Google nameservers by default. This causes RBL queries to fail (host 2.0.0.127.zen.spamhaus.org) # DO uses Google nameservers by default. This causes RBL queries to fail (host 2.0.0.127.zen.spamhaus.org)
# We do not use dnsmasq because it is not a recursive resolver and defaults to the value in the interfaces file (which is Google DNS!) # We do not use dnsmasq because it is not a recursive resolver and defaults to the value in the interfaces file (which is Google DNS!)
echo "==== Install unbound DNS ===" echo "==== Install unbound DNS ==="