From d53779ce22aabb2085a2406a7e113e49e81d81a1 Mon Sep 17 00:00:00 2001 From: majekla Date: Tue, 5 Mar 2024 21:43:29 +0000 Subject: [PATCH] Upload files to "/" --- global-netbsd.sh | 5665 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 5665 insertions(+) create mode 100644 global-netbsd.sh diff --git a/global-netbsd.sh b/global-netbsd.sh new file mode 100644 index 0000000..f5e61d4 --- /dev/null +++ b/global-netbsd.sh @@ -0,0 +1,5665 @@ +#!/bin/sh + +# Check if dialog is present on the system (for graphical display). +# If not, install it. +if [ ! -x "/usr/pkg/bin/dialog" ]; then + echo "The dialog program is not installed. Installation in progress..." + pkgin -y in dialog + pkgin -y in pico + pkgin -y in curl +fi + +checkInternetConnection () { + # Start background internet connection check + curl -m 3 http://example.com > /dev/null 2>&1 & + pid=$! + + # Initialize the progress value + progress=0 + + # Loop to update the progress bar + while [ $progress -le 100 ]; do + # Check if curl is still running + if ! kill -0 "$pid" 2>/dev/null; then + # curl has finished + break + fi + + # Update the progress bar + echo $progress + progress=$((progress + 33)) # Increase the progress without $/ + sleep 1 # Wait 1 second + done | dialog --gauge "Checking Internet connection..." 6 35 0 + + # Check if the curl command was successful + wait $pid + exit_status=$? + + if [ $exit_status -ne 0 ]; then + dialog --backtitle "Checking Internet connection" \ + --title "Connection error" \ + --msgbox "Internet access is not possible\nPlease check your connection" 6 35 + NetworkMenu + fi +} + +# checked + +ItsOkInternet () { + dialog --backtitle "Internet OK !" \ + --title " Result" \ + --msgbox "Internet OK !" 5 17 + +} + +# checked + +InstallSudo () { + + # Dialog window to get the username + user=$(dialog --title "Adding sudo user" --inputbox "Please enter the username to be added to the sudo group" 8 60 2>&1 1>/dev/tty) + + # Check if the user exists using the 'getent passwd' command. + countus=$(getent passwd "$user" | cut -d: -f1) + case $countus in + "$user") + # The user exists, the script can continue. + # Installation of sudo in the background + if [ ! -x "/usr/pkg/bin/sudo" ]; then + + checkInternetConnection + pkgin -y in sudo + + fi + + # Configuration of sudo after installation + groupadd sudo + + # Check if the user is already in the sudo group + verifgroupsudo=$(getent group | grep sudo | grep -c "$user" | tr -d ' ') + if [ "$verifgroupsudo" -gt 0 ]; then + dialog --msgbox "The user is already a member of the sudo group" 5 50 + else + # Adding the user to the sudo group + if ! usermod -G sudo "${user}"; then + dialog --msgbox "Adding the user to the sudo group failed" 7 44 + return 1 + fi + fi + + # Uncomment the line for the sudo group. + sed -i "s/# %sudo/%sudo/" /usr/pkg/etc/sudoers + + # Check if the user has been added to sudo group + verifgroupsudo=$(getent group | grep sudo | grep -c "$user" | tr -d ' ') + if [ "$verifgroupsudo" -gt 0 ]; then + dialog --msgbox "The user is now member of the sudo group" 5 45 + fi + + # Go back to Menu + UsersRightsMenu + ;; + *) + # The user does not exist, display a message. + dialog --title "Erreur" --msgbox "This user does not exist" 5 28 + InstallSudo + ;; + esac + + UsersRightsMenu + +} + +# checked + +DesktopBundleApps () { + + checkInternetConnection + + # Menu Title + dialog --backtitle "Select programs" \ + --title "Installing applications" \ + --checklist "Select programs:" 30 70 20 \ + firefox "Firefox web browser" off \ + thunderbird "Thunderbird Mail Client" off \ + keepassxc "KeePassXC password manager" off \ + vlc "VLC multimedia player" off \ + handbrake "HandBrake video encoder" off \ + audacity "Audacity audio editor" off \ + gimp "GIMP image editor" off \ + ristretto "Ristretto image viewer" off \ + youtube-dl "YouTube video downloader" off \ + libreoffice "LibreOffice office suite" off \ + unoconv "Unoconv document converter" off \ + qpdfview "Qpdfview document viewer" off \ + filezilla "FileZilla FTP client" off \ + rclone "Rclone file transfer tool" off \ + hexchat "HexChat IRC client" off \ + pidgin "Pidgin messaging client" off \ + psi "PSI messaging client" off \ + wireshark "Wireshark network protocol analyzer" off \ + nmap "Nmap network discovery tool" off \ + zenmap "Nmap graphical interface (Zenmap)" off \ + tor "Tor decentralized anonymous network" off \ + openvpn "OpenVPN Virtual Private Network setup" off \ + codeblocks "IDE for C/C++ development (Code::Blocks)" off \ + EVERYTHING "Install every packages of the list" off 2>/tmp/choices + + + # Read the user choices from the temporary file. + choices=$(sed 's/"//g' < /tmp/choices) + + # Count the number of selected programs. + num_choices=$(echo "$choices" | wc -w) + + # Initialize the progress. + progress=0 + ( + # Install the selected programs. + for choice in $choices; do + # Calculate and update the progress. + progress=$((progress + 100 / num_choices)) + echo $progress + + if [ "$choice" = "EVERYTHING" ]; then + pkgin -y in firefox + echo 5 + pkgin -y in thunderbird + echo 10 + pkgin -y in keepassxc + echo 15 + pkgin -y in vlc + echo 20 + pkgin -y in handbrake + echo 25 + pkgin -y in audacity + echo 30 + pkgin -y in gimp + echo 35 + pkgin -y in ristretto + echo 40 + pkgin -y in youtube-dl + echo 45 + pkgin -y in libreoffice + echo 50 + pkgin -y in unoconv + echo 55 + pkgin -y in qpdfview + echo 60 + pkgin -y in filezilla + echo 65 + pkgin -y in rclone + echo 70 + pkgin -y in hexchat + echo 75 + pkgin -y in pidgin + echo 80 + pkgin -y in psi + echo 85 + pkgin -y in wireshark + echo 90 + pkgin -y in nmap + pkgin -y in zenmap + echo 95 + pkgin -y in tor + pkgin -y in openvpn + pkgin -y in codeblocks + echo 100 + + else + + pkgin -y in "$choice" + + fi + + done + ) | dialog --gauge "Installation in progress..." 6 32 0 + + # Go back to InstallProgramsMenu + InstallProgramsMenu +} + +# checked + +UsualTools () { + + checkInternetConnection + + #user=$(dialog --title "User" --inputbox "Please enter the username (not root!)" 8 50 2>&1 1>/dev/tty) + + # Menu Title + dialog --backtitle "Utilities Selection" \ + --title "Installing Utilities" \ + --checklist "Select utilities:" 30 70 20 \ + xfce4-thunar "Thunar File Manager" off \ + xfce4-thunar-archive-plugin "Thunar Plugins" off \ + xfce4-thunar-media-tags-plugin "Thunar Plugins" off \ + xfce4-thunar-vcs-plugin "Thunar Plugins" off \ + wget "wget Download Tool" off \ + w3m "Text-based Web Browser" off \ + lynx "Text-based Web Browser" off \ + links "Text-based Web Browser" off \ + rsync "rsync Sync and Backup Tool" off \ + cesium "Text Editor" off \ + emacs "Text Editor" off \ + nano "Text Editor" off \ + fuse "Foreign Filesystem Management" off \ + fuse-ntfs "Foreign Filesystem Management" off \ + fuse-exfat "Foreign Filesystem Management" off \ + fuse-ext2 "Foreign Filesystem Management" off \ + fuse-httpfs "Foreign Filesystem Management" off \ + fuse-sshfs "Foreign Filesystem Management" off \ + ntfsprogs "NTFS Partition Management" off \ + dvd+rw-tools "CD/DVD/BD Burner" off \ + cdrtools "CD/DVD/BD Burner" off \ + wpa_gui "Wi-Fi Graphical Interface" off \ + cups "Printing Server" off \ + cups-filters "Printing Tools" off \ + zip "Compression Tools" off \ + unzip "Compression Tools" off \ + bzip2 "Compression Tools" off \ + bzip3 "Compression Tools" off \ + htop "Diagnostic Tools" off \ + hw-probe "Diagnostic Tools" off \ + dbus "D-Bus System Message Bus" off \ + tree "Tree Structure Display Tool" off \ + git "Github Tools" off \ + gh "Github Tools" off \ + xscreensaver "xscreensaver Screensaver" off \ + rdesktop "RDP Remote Desktop Tool" off \ + remmina "Remmina Remote Desktop Client" off \ + tigervnc "TigerVNC VNC client/server" off \ + megatools "Mega Management Tools" off \ + rp-pppoe "PPPoE connections" off \ + EVERYTHING "Install every packages of the list" off 2>/tmp/util_choices + + + # Read the user choices from the temporary file. + util_choices=$(sed 's/"//g' < /tmp/util_choices) + + # Count the number of selected utilities. + num_choices=$(echo "$util_choices" | wc -w) + + # Initialize the progress. + progress=0 + ( + # Install the selected utilities. + for choice in $util_choices; do + # Calculate and update the progress. + progress=$((progress + 100 / num_choices)) + echo $progress + + if [ "$choice" = "EVERYTHING" ]; then + + pkgin -y in xfce4-thunar + echo 2 + pkgin -y in xfce4-thunar-archive-plugin + echo 4 + pkgin -y in xfce4-thunar-media-tags-plugin + echo 6 + pkgin -y in xfce4-thunar-vcs-plugin + echo 8 + pkgin -y in wget + echo 10 + pkgin -y in w3m + echo 12 + pkgin -y in lynx + echo 14 + pkgin -y in links + echo 16 + pkgin -y in rsync + echo 18 + pkgin -y in cesium + echo 20 + pkgin -y in emacs + echo 22 + pkgin -y in nano + echo 24 + pkgin -y in fuse + echo 26 + pkgin -y in fuse-ntfs + echo 28 + pkgin -y in fuse-exfat + echo 30 + pkgin -y in fuse-ext2 + echo 32 + pkgin -y in fuse-httpfs + echo 34 + pkgin -y in fuse-sshfs + echo 36 + pkgin -y in ntfsprogs + echo 38 + pkgin -y in dvd+rw-tools + echo 40 + pkgin -y in cdrtools + echo 42 + pkgin -y in wpa_gui + echo 44 + pkgin -y in cups + echo 46 + pkgin -y in cups-filters + echo 48 + pkgin -y in zip + echo 50 + pkgin -y in unzip + echo 52 + pkgin -y in bzip2 + echo 54 + pkgin -y in bzip3 + echo 56 + pkgin -y in htop + echo 58 + pkgin -y in hw-probe + echo 60 + pkgin -y in dbus + echo 62 + pkgin -y in tree + echo 64 + pkgin -y in git + echo 66 + pkgin -y in gh + echo 68 + pkgin -y in xscreensaver + echo 70 + pkgin -y in rdesktop + echo 72 + pkgin -y in remmina + echo 74 + pkgin -y in tigervnc + echo 76 + pkgin -y in megatools + echo 78 + pkgin -y in rp-pppoe + mkdir /etc/ppp + cp /usr/pkg/share/examples/rp-pppoe/pppoe.conf /etc/ppp/ + echo 80 + + cp /usr/pkg/share/examples/rc.d/* /etc/rc.d/ + check=$(grep -o "cupsd=" < /etc/rc.conf | wc -l | tr -d ' ') + if [ "$check" -eq 0 ]; then + + echo cupsd=YES + service cupsd start + + else + + sed -i'' 's/cupsd=NO/cupsd=YES/' /etc/rc.conf + sed -i'' 's/#cupsd=NO/cupsd=YES/' /etc/rc.conf + sed -i'' 's/#cupsd=YES/cupsd=YES/' /etc/rc.conf + + fi + + check=$(grep -o "dbus=" < /etc/rc.conf | wc -l | tr -d ' ') + if [ "$check" -eq 0 ]; then + + echo dbus=YES >> /etc/rc.conf + service dbus start + + else + + sed -i'' 's/dbus=NO/dbus=YES/' /etc/rc.conf + sed -i'' 's/#dbus=NO/dbus=YES/' /etc/rc.conf + sed -i'' 's/#dbus=YES/dbus=YES/' /etc/rc.conf + + fi + + echo 100 + + # Go back to InstallProgramsMenu + InstallProgramsMenu + + else + + pkgin -y in "$choice" + + fi + + + if [ "$choice" = "cups" ]; then + + check=$(grep -o "cupsd=" < /etc/rc.conf | wc -l | tr -d ' ') + if [ "$check" -eq 0 ]; then + + echo cupsd=YES + service cupsd start + + else + + sed -i'' 's/cupsd=NO/cupsd=YES/' /etc/rc.conf + sed -i'' 's/#cupsd=NO/cupsd=YES/' /etc/rc.conf + sed -i'' 's/#cupsd=YES/cupsd=YES/' /etc/rc.conf + + fi + + fi + + if [ "$choice" = "dbus" ]; then + + check=$(grep -o "dbus=" < /etc/rc.conf | wc -l | tr -d ' ') + if [ "$check" -eq 0 ]; then + + echo dbus=YES + service dbus start + + else + + sed -i'' 's/dbus=NO/dbus=YES/' /etc/rc.conf + sed -i'' 's/#dbus=NO/dbus=YES/' /etc/rc.conf + sed -i'' 's/#dbus=YES/dbus=YES/' /etc/rc.conf + + fi + + fi + + if [ "$choice" = "rp-pppoe" ]; then + + cp /usr/pkg/share/examples/rc.d/* /etc/rc.d/ + mkdir /etc/ppp + cp /usr/pkg/share/examples/rp-pppoe/pppoe.conf /etc/ppp/ + fi + + done + ) | dialog --gauge "Installation in progress..." 6 32 0 + + # Go back to InstallProgramsMenu + InstallProgramsMenu +} + +# checked + +xfce4 () { + + dialog --yesno "This installer will set up XFCE4 and Slim automatically\nIt will not care about graphics, so if you don't already have a correct display with CTWM, you should not go on with XFCE4\n\nYou must have installed a complete version of NetBSD (with X) in order to get it working because this script will not install X\n\nAn already existing username will be asked in order to configure XFCE4 to start automatically after Slim authentication\n\nAnd at last, you must be connected to internet " 15 70 + goon_ornot=$? + + if [ $goon_ornot -eq 1 ]; then + + MainMenu + + fi + + checkInternetConnection + + user=$(dialog --title "User" --inputbox "Please enter the username (not root !)" 8 45 2>&1 1>/dev/tty) + + { + # Install Slim + pkgin -y in slim > /dev/null 2>&1 + echo 50 + pkgin -y in slim-themes > /dev/null 2>&1 + + checkslim=$(grep -o "slim=YES" < /etc/rc.conf | sort | uniq | wc -l | tr -d ' ') + if [ "$checkslim" -eq 0 ]; then + echo slim=YES >> /etc/rc.conf + sed -i "s/current_theme original/current_theme minimal/" /usr/pkg/etc/slim.conf + fi + + sed -i "s/xdm=YES/xdm=NO/" /etc/rc.conf + + echo 100 + + } | dialog --gauge "Installing Slim..." 6 23 0 + + { + # Install Xfce4 + pkgin -y in elementary-xfce-icon-theme > /dev/null 2>&1 + echo 2 + pkgin -y in libxfce4ui > /dev/null 2>&1 + echo 4 + pkgin -y in libxfce4util > /dev/null 2>&1 + echo 6 + pkgin -y in ristretto > /dev/null 2>&1 + echo 8 + pkgin -y in xfburn > /dev/null 2>&1 + echo 10 + pkgin -y in xfce4 > /dev/null 2>&1 + echo 12 + pkgin -y in xfce4-appfinder > /dev/null 2>&1 + echo 14 + pkgin -y in xfce4-battery-plugin > /dev/null 2>&1 + echo 16 + pkgin -y in xfce4-calculator-plugin > /dev/null 2>&1 + echo 18 + pkgin -y in xfce4-clipman-plugin > /dev/null 2>&1 + echo 20 + pkgin -y in xfce4-conf > /dev/null 2>&1 + echo 21 + pkgin -y in xfce4-cpugraph-plugin > /dev/null 2>&1 + echo 23 + pkgin -y in xfce4-dashboard > /dev/null 2>&1 + echo 24 + pkgin -y in xfce4-desktop > /dev/null 2>&1 + echo 26 + pkgin -y in xfce4-dev-tools > /dev/null 2>&1 + echo 27 + pkgin -y in xfce4-dict > /dev/null 2>&1 + echo 29 + pkgin -y in xfce4-diskperf-plugin > /dev/null 2>&1 + echo 30 + pkgin -y in xfce4-exo > /dev/null 2>&1 + echo 31 + pkgin -y in xfce4-extras > /dev/null 2>&1 + echo 33 + pkgin -y in xfce4-eyes-plugin > /dev/null 2>&1 + echo 34 + pkgin -y in xfce4-fsguard-plugin > /dev/null 2>&1 + echo 36 + pkgin -y in xfce4-garcon > /dev/null 2>&1 + echo 37 + pkgin -y in xfce4-genmon-plugin > /dev/null 2>&1 + echo 38 + pkgin -y in xfce4-icon-theme > /dev/null 2>&1 + echo 40 + pkgin -y in xfce4-indicator-plugin > /dev/null 2>&1 + echo 41 + pkgin -y in xfce4-mailwatch-plugin > /dev/null 2>&1 + echo 42 + pkgin -y in xfce4-mount-plugin > /dev/null 2>&1 + echo 50 + pkgin -y in xfce4-mousepad > /dev/null 2>&1 + echo 52 + pkgin -y in xfce4-mpc-plugin > /dev/null 2>&1 + echo 54 + pkgin -y in xfce4-netload-plugin > /dev/null 2>&1 + echo 56 + pkgin -y in xfce4-notes-plugin > /dev/null 2>&1 + echo 58 + pkgin -y in xfce4-notifyd > /dev/null 2>&1 + echo 60 + pkgin -y in xfce4-orage > /dev/null 2>&1 + echo 62 + pkgin -y in xfce4-panel > /dev/null 2>&1 + echo 64 + pkgin -y in xfce4-places-plugin > /dev/null 2>&1 + echo 66 + pkgin -y in xfce4-power-manager > /dev/null 2>&1 + echo 68 + pkgin -y in xfce4-screenshooter > /dev/null 2>&1 + echo 70 + pkgin -y in xfce4-session > /dev/null 2>&1 + echo 72 + pkgin -y in xfce4-settings > /dev/null 2>&1 + echo 73 + pkgin -y in xfce4-smartbookmark-plugin > /dev/null 2>&1 + echo 75 + pkgin -y in xfce4-systemload-plugin > /dev/null 2>&1 + echo 76 + pkgin -y in xfce4-taskmanager > /dev/null 2>&1 + echo 78 + pkgin -y in xfce4-terminal > /dev/null 2>&1 + echo 79 + pkgin -y in xfce4-thunar > /dev/null 2>&1 + echo 80 + pkgin -y in xfce4-thunar-archive-plugin > /dev/null 2>&1 + echo 81 + pkgin -y in xfce4-thunar-media-tags-plugin > /dev/null 2>&1 + echo 83 + pkgin -y in xfce4-thunar-vcs-plugin > /dev/null 2>&1 + echo 84 + pkgin -y in xfce4-time-out-plugin > /dev/null 2>&1 + echo 85 + pkgin -y in xfce4-timer-plugin > /dev/null 2>&1 + echo 87 + pkgin -y in xfce4-tumbler > /dev/null 2>&1 + echo 88 + pkgin -y in xfce4-verve-plugin > /dev/null 2>&1 + echo 89 + pkgin -y in xfce4-wavelan-plugin > /dev/null 2>&1 + echo 90 + pkgin -y in xfce4-weather-plugin > /dev/null 2>&1 + echo 91 + pkgin -y in xfce4-whiskermenu-plugin > /dev/null 2>&1 + echo 93 + pkgin -y in xfce4-wm > /dev/null 2>&1 + echo 94 + pkgin -y in xfce4-wm-themes > /dev/null 2>&1 + echo 96 + pkgin -y in xfce4-xkb-plugin > /dev/null 2>&1 + echo 97 + + cp /usr/pkg/share/examples/rc.d/* /etc/rc.d/ + + echo 100 + + } | dialog --gauge "Installing Xfce..." 6 23 0 + + dialog --yesno "Would you like to set XFCE to French?" 5 46 + xfce4_french=$? + + if [ $xfce4_french -eq 0 ]; then + + echo 'export LANG="fr_FR.UTF-8"' > /home/"$user"/.xsession + echo 'export LC_CTYPE="fr_FR.UTF-8"' >> /home/"$user"/.xsession + echo "startxfce4" >> /home/"$user"/.xsession + + else + + echo "startxfce4" > /home/"$user"/.xsession + + fi + + #echo 'export LANG="fr_FR.UTF-8"' > /home/$user/.xinitrc + #echo 'export LC_CTYPE="fr_FR.UTF-8"' >> /home/$user/.xinitrc + #echo "startxfce4" >> /home/$user/.xinitrc + #echo "startx" >> /home/$user/.profile + + dialog --yesno "Would you like to restart now?" 5 34 + restart_now=$? + + if [ $restart_now -eq 0 ]; then + + reboot + + fi + + MainMenu +} + +# checked + +PareFeu () { + + echo "This script will allow you to quickly configure the NPF firewall + + It provides a file of standard rules that will be placed in /etc/npf.conf + + By default, the provided rules file will block all incoming traffic except for SSH (tcp/22) and allow all outgoing traffic in a stateful manner + A blocklist table for fail2ban is also present, with a blocking rule associated in case you install fail2ban later + + However, the file contains a bunch of additional commented rules that will allow you to quickly adapt the configuration to your needs + + The next screen will display the provided rules file in a text editor + You can make modifications as needed. + Once you have made your modifications, exit the file and save it without changing its location + + At the end, you will be asked whether you confirm or not the application of the rules and the start of the firewall" > /tmp/ZRzepinzenr.tmp + + fold -s -w 67 /tmp/ZRzepinzenr.tmp > /tmp/ZR2zepinzenr.tmp + + dialog --title "NPF configuration" --textbox /tmp/ZR2zepinzenr.tmp 20 70 + + rm /tmp/ZR2zepinzenr.tmp /tmp/ZRzepinzenr.tmp + + if [ -e "/etc/npf.conf" ]; then + + dialog --yesno "A rule file already exists in /etc/npf.conf.\nDo you want to edit the current file or delete it and start over with the default configuration?" 7 53 + check_file=$? + + if [ $check_file -eq 0 ]; then + + pico /etc/npf.conf + + dialog --yesno "Do you want to activate the NPF firewall?\n\nIf you are connected via SSH, the connection will be lost upon activation.\nHowever, if you haven't modified the rule allowing SSH traffic, you will be able to reconnect immediately." 11 60 + activate_npf=$? + + if [ $activate_npf -eq 0 ]; then + + checknpf=$(grep -o "npf=" < /etc/rc.conf | sort | uniq | wc -l | tr -d ' ') + if [ "$checknpf" -eq 0 ]; then + echo npf=YES >> /etc/rc.conf + else + sed -i'' 's/npf=NO/npf=YES/' /etc/rc.conf + sed -i'' 's/#npf=YES/npf=YES/' /etc/rc.conf + sed -i'' 's/#npf=NO/npf=YES/' /etc/rc.conf + fi + + npfctl start + npfctl reload /etc/npf.conf + + fi + + SecurityMenu + + fi + + fi + # Creating the rules file: + { + echo "########################################################################" + echo " " + echo "# 1 - Provide information about your network interface(s):" + echo " " + echo "# WAN Interface :" + echo "\$WAN_if = \"wm0\"" + echo "\$WAN_addrs = ifaddrs(wm0)" + echo " " + echo "# LAN Interface :" + echo "# (Uncomment the following only if the server acts as a gateway)" + echo "#\$LAN_if = \"wm1\"" + echo "#\$LAN_addrs = ifaddrs(wm1)" + echo " " + echo 'alg "icmp"' + echo " " + echo "########################################################################" + echo " " + echo "# 2 - Define the networks" + echo " " + echo "# The RFC protects the server from private networks in case it is directly facing the internet." + echo "# (Uncomment only if the WAN IP is a public IP address)" + echo "#\$RFC1918 = { 10.0.0.0/8, 172.16.0.0/14, 192.168.0.0/16 }" + echo " " + echo "# (Uncomment only if the server acts as a gateway)" + echo "#\$LAN_net = { 10.10.10.0/24 }" + echo " " + echo "########################################################################" + echo " " + echo "# 3 - Create a NAT mapping for the LAN." + echo " " + echo "# (Uncomment only if the server acts as a gateway)" + echo "#map inet4(\$WAN_if) dynamic \$LAN_net -> inet4(\$WAN_if)" + echo " " + echo "########################################################################" + echo " " + echo "# 4 - Create a procedure for logging connections:" + echo " " + echo 'procedure "log" {' + echo ' # Send all events to a log (see npfd))' + echo ' log: npflog0' + echo '}' + echo " " + echo "########################################################################" + echo " " + echo "# 5 - Create tables" + echo " " + echo "# Create a table for fail2ban" + echo "table type ipset" + echo " " + echo "########################################################################" + echo " " + echo "# 6 - Rule group for the WAN interface:" + echo " " + echo "group \"WAN\" on \$WAN_if {" + echo " " + echo " # Block IP from fail2ban table" + echo " block in final from apply \"log\"" + echo " " + echo " # Allow all stateful outgoing traffic by selecting the protocol:" + echo " #pass stateful out final proto tcp all" + echo " #pass stateful out final proto udp all" + echo " #pass stateful out final proto icmp all" + echo " #pass stateful out final proto ipv6-icmp all" + echo " " + echo " # Allow all stateful outgoing traffic (all protocols)." + echo " pass stateful out final all" + echo " " + echo " # SSH: Allow SSH connections to the server" + echo " pass stateful in on \$WAN_if proto tcp to \$WAN_addrs port ssh" + echo " " + echo " # Web Server: Allow HTTP and HTTPS connections to the server" + echo " #pass in final proto tcp from any to \$WAN_addrs port http" + echo " #pass in final proto tcp from any to \$WAN_addrs port https" + echo " " + echo " # DHCP: Allow incoming responses from the DHCP server." + echo " #pass in family inet4 proto udp from any port bootps to any port bootpc" + echo " #pass in family inet6 proto udp from any to any port \"dhcpv6-client\"" + echo " " + echo " # Ping: Allow incoming ping requests" + echo ' #pass in family inet4 proto icmp icmp-type echo all' + echo ' #pass in final proto icmp icmp-type echo all' + echo ' #pass in final proto icmp icmp-type timxceed all' + echo ' #pass in final proto icmp icmp-type unreach all' + echo ' #pass in final proto icmp icmp-type echoreply all' + echo ' #pass in final proto icmp icmp-type sourcequench all' + echo ' #pass in final proto icmp icmp-type paramprob all' + echo ' #pass in final proto ipv6-icmp all' + echo ' #pass family inet6 proto ipv6-icmp all' + echo " " + echo ' # Traceroute: Allow incoming traceroute.' + echo ' #pass in proto udp to any port 33434-33600' + echo " " + echo ' # DNS: Allow incoming DNS requests' + echo ' #pass stateful out final proto udp to any port domain' + echo " " + echo ' # mDNS: Allow local traffic' + echo ' #pass in proto udp to any port mdns' + echo " " + echo ' # Block private networks:' + echo " #block in final from \$RFC1918 apply \"log\"" + echo " #block out final to \$RFC1918 apply \"log\"" + echo " " + echo ' # Forbidden IPs: (separate configuration)' + echo ' # ruleset "blacklistd"' + echo " " + echo " # IP Spoofing: Protect yourself (be careful not to cut off SSH access!)" + echo ' #block in final from 127.0.0.1 apply "log"' + echo " " + echo ' # L2TP/IPSEC-NAT-T Tunnels.' + echo " #pass in final proto esp from any to inet4(\$WAN_if)" + echo " #pass out final proto esp from inet4(\$WAN_if) to any" + echo " #pass stateful in final from any to inet4(\$WAN_if) port \"ipsec-nat-t\"" + echo " #pass stateful in final from any to inet4(\$WAN_if) port l2tp" + echo " " + echo ' # IGMP on 224.0.0.1.' + echo ' #pass in final proto igmp all' + echo ' #pass in final from any to 224.0.0.0/4' + echo " " + echo ' # VNC' + echo " #pass in final proto tcp from any to any port 5900" + echo " " + echo '}' + echo " " + echo "########################################################################" + echo " " + echo "# 7 - Rule group for the LAN interface:" + echo " " + echo "# (This group manages rules for the LAN interface when the server acts as a gateway)" + echo " " + echo "#group \"LAN\" on \$LAN_if {" + echo " " + echo " # Allow stateful incoming and outgoing traffic" + echo ' #pass stateful out final all' + echo ' #pass stateful in final all' + echo " " + echo " # Allow connections from the LAN network:" + echo " #pass in final from \$LAN_net" + echo " " + echo " # Allow all traffic" + echo " #pass in final all" + echo " #pass out final all" + echo " " + echo '#}' + echo " " + echo "########################################################################" + echo " " + echo "# 8 - Default rule group:" + echo " " + echo 'group default {' + echo " " + echo ' # Loopback : Allow traffic' + echo " pass final on lo0 all" + echo " " + echo ' # Close the firewall' + echo ' block all apply "log"' + echo " " + echo '}' + echo "########################################################################" + } > /etc/npf.conf + + pico /etc/npf.conf + + dialog --yesno "Do you want to activate the NPF firewall?\n\nIf you are connected via SSH, the connection will be lost upon activation.\nHowever, if you haven't modified the rule allowing SSH traffic, you will be able to reconnect immediately." 10 60 + activate_npf=$? + + if [ $activate_npf -eq 0 ]; then + + checknpf=$(grep -o "npf=" < /etc/rc.conf | sort | uniq | wc -l | tr -d ' ') + if [ "$checknpf" -eq 0 ]; then + + # Launch NPF at startup: + echo npf=YES >> /etc/rc.conf + else + # Launch NPF at startup: + sed -i'' 's/npf=NO/npf=YES/' /etc/rc.conf + sed -i'' 's/#npf=YES/npf=YES/' /etc/rc.conf + sed -i'' 's/#npf=NO/npf=YES/' /etc/rc.conf + fi + + # Start NPF, load the rules + npfctl start + npfctl reload /etc/npf.conf + + fi + + PareFeuMenu +} + +# checked + +ShowRulesNPF () { + + if [ ! -e "/etc/npf.conf" ]; then + dialog --msgbox "The firewall is not yet configured." 5 38 + PareFeuMenu + fi + + npfctl show > /tmp/Gzebpnief.tmp + + dialog --textbox /tmp/Gzebpnief.tmp 0 0 + + rm /tmp/Gzebpnief.tmp + + PareFeuMenu +} + +# checked + +InstallFail2ban () { + + { + # check if fail2ban is already installed + if [ ! -e /usr/pkg/bin/fail2ban-server ]; then + + checkInternetConnection + + echo 10 + + pkgin -y in fail2ban > /dev/null 2>&1 + + echo 50 + + cp /usr/pkg/share/examples/rc.d/fail2ban /etc/rc.d/ + + # check for fail2ban in /etc/rc.conf + check=$(grep -o 'fail2ban=' < /etc/rc.conf | sort | uniq | tr -d ' ') + if [ "$check" -eq 0 ]; then + + echo fail2ban=YES >> /etc/rc.conf + + else + + sed -i'' "s/fail2ban=NO/fail2ban=YES/" /etc/rc.conf + sed -i'' "s/#fail2ban=YES/fail2ban=YES/" /etc/rc.conf + sed -i'' "s/#fail2ban=NO/fail2ban=YES/" /etc/rc.conf + + fi + + + # check for other things : + mkdir /usr/pkg/etc/fail2ban/filter.d/ignorecommands + cp /usr/pkg/share/examples/fail2ban/filter.d/ignorecommands/apache-fakegooglebot /usr/pkg/etc/fail2ban/filter.d/ignorecommands/ + chmod 0644 /usr/pkg/etc/fail2ban/filter.d/ignorecommands/apache-fakegooglebot + + fi + + echo 100 + + } | dialog --gauge "Check for fail2ban..." 6 25 0 + + + # checking for NPF correct configuration for fail2ban : + if [ ! -e /etc/npf.conf ]; then + + dialog --yesno "To allow fail2ban to function properly, the NPF firewall must be configured and started beforehand\n\nDo you want to configure NPF now?" 9 70 + npfnow_ornot=$? + if [ $npfnow_ornot -eq 0 ]; then + + PareFeu + + fi + + fi + + + #Check for previous configuration + if [ -e /usr/pkg/etc/fail2ban/jail.local ]; then + + + dialog --yesno "A previous configuration of Fail2ban has been found\n\nWould you like to edit it (Yes) or start from a new configuration (No)" 8 70 + new_ornot=$? + + if [ $new_ornot -eq 1 ]; then + + # Standard fail2ban.local : + { + echo '[INCLUDES]' + echo 'before = paths-pkgsrc.conf' + + echo '' + + echo '[DEFAULT]' + echo 'ignoreip = 127.0.0.1/8' + echo 'bantime = 10m' + echo 'findtime = 10m' + echo 'maxretry = 5' + echo 'maxmatches = %(maxretry)s' + echo 'backend = auto' + echo 'usedns = warn' + echo 'logencoding = auto' + echo 'enabled = false' + echo 'mode = normal' + echo 'filter = %(__name__)s[mode=%(mode)s]' + + echo '' + + echo 'destemail = root@localhost' + echo 'sender = root@' + echo 'mta = sendmail' + echo 'protocol = tcp' + echo 'chain = ' + echo 'port = 0:65535' + echo 'fail2ban_agent = Fail2Ban/%(fail2ban_version)s' + + echo '' + + echo 'banaction = npf' + + echo '' + + echo '[sshd]' + echo '# To use more aggressive sshd modes set filter parameter "mode" in jail.local:' + echo '# normal (default), ddos, extra or aggressive (combines all).' + echo '# See "tests/files/logs/sshd" or "filter.d/sshd.conf" for usage example and details.' + echo '#mode = normal' + echo 'enabled = true' + echo 'port = ssh' + echo 'logpath = /var/log/authlog' + echo 'backend = %(sshd_backend)s' + + echo '' + + echo '[dropbear]' + echo 'port = ssh' + echo 'logpath = %(dropbear_log)s' + echo 'backend = %(dropbear_backend)s' + + echo '' + + echo '[selinux-ssh]' + echo 'port = ssh' + echo 'logpath = %(auditd_log)s' + + echo '' + + echo '#' + echo '# HTTP servers' + echo '#' + + echo '[apache-auth]' + echo 'port = http,https' + echo 'logpath = %(apache_error_log)s' + + echo '' + + echo '[apache-badbots]' + echo '# Ban hosts which agent identifies spammer robots crawling the web' + echo '# for email addresses. The mail outputs are buffered.' + echo 'port = http,https' + echo 'logpath = %(apache_access_log)s' + echo 'bantime = 48h' + echo 'maxretry = 1' + + echo '' + + echo '[apache-noscript]' + echo 'port = http,https' + echo 'logpath = %(apache_error_log)s' + + echo '' + + echo '[apache-overflows]' + echo 'port = http,https' + echo 'logpath = %(apache_error_log)s' + echo 'maxretry = 2' + + echo '' + + echo '[apache-nohome]' + echo 'port = http,https' + echo 'logpath = %(apache_error_log)s' + echo 'maxretry = 2' + + echo '' + + echo '[apache-botsearch]' + echo 'port = http,https' + echo 'logpath = %(apache_error_log)s' + echo 'maxretry = 2' + + echo '' + + echo '[apache-fakegooglebot]' + echo 'port = http,https' + echo 'logpath = %(apache_access_log)s' + echo 'maxretry = 1' + echo 'ignorecommand = %(fail2ban_confpath)s/filter.d/ignorecommands/apache-fakegooglebot ' + + echo '' + + echo '[apache-modsecurity]' + echo 'port = http,https' + echo 'logpath = %(apache_error_log)s' + echo 'maxretry = 2' + + echo '' + + echo '[apache-shellshock]' + echo 'port = http,https' + echo 'logpath = %(apache_error_log)s' + echo 'maxretry = 1' + + echo '' + + echo '[openhab-auth]' + echo 'filter = openhab' + echo 'banaction = %(banaction_allports)s' + echo 'logpath = /opt/openhab/logs/request.log' + + echo '' + + echo '# To use more aggressive http-auth modes set filter parameter "mode" in jail.local:' + echo '# normal (default), aggressive (combines all), auth or fallback' + echo '[nginx-http-auth]' + echo '# mode = normal' + echo 'port = http,https' + echo 'logpath = %(nginx_error_log)s' + + echo '' + + echo "# To use 'nginx-limit-req' jail you should have \`ngx_http_limit_req_module\`" + echo "# and define \`limit_req\` and \`limit_req_zone\` as described in nginx documentation" + echo '# http://nginx.org/en/docs/http/ngx_http_limit_req_module.html' + echo '# or for example see in '\''config/filter.d/nginx-limit-req.conf'\''' + echo '[nginx-limit-req]' + echo 'port = http,https' + echo 'logpath = %(nginx_error_log)s' + + echo '' + + echo '[nginx-botsearch]' + echo 'port = http,https' + echo 'logpath = %(nginx_error_log)s' + + echo '' + + echo '[nginx-bad-request]' + echo 'port = http,https' + echo 'logpath = %(nginx_access_log)s' + + echo '' + + echo "# Ban attackers that try to use PHP's URL-fopen() functionality" + echo '# through GET/POST variables. - Experimental, with more than a year' + echo '# of usage in production environments.' + + echo '' + + echo '[php-url-fopen]' + echo 'port = http,https' + echo 'logpath = %(nginx_access_log)s' + echo ' %(apache_access_log)s' + + echo '' + + echo '[suhosin]' + echo 'port = http,https' + echo 'logpath = %(suhosin_log)s' + + echo '' + + echo '[lighttpd-auth]' + echo '# Same as above for Apache'\''s mod_auth' + echo '# It catches wrong authentifications' + echo 'port = http,https' + echo 'logpath = %(lighttpd_error_log)s' + + echo '' + + echo '#' + echo '# Webmail and groupware servers' + echo '#' + + echo '[roundcube-auth]' + echo 'port = http,https' + echo 'logpath = %(roundcube_errors_log)s' + echo '# Use following line in your jail.local if roundcube logs to journal.' + echo '#backend = %(syslog_backend)s' + + echo '' + + echo '[openwebmail]' + echo 'port = http,https' + echo 'logpath = /var/log/openwebmail.log' + + echo '' + + echo '[horde]' + echo 'port = http,https' + echo 'logpath = /var/log/horde/horde.log' + + echo '' + + echo '[groupoffice]' + echo 'port = http,https' + echo 'logpath = /home/groupoffice/log/info.log' + + echo '' + + echo '[sogo-auth]' + echo '# Monitor SOGo groupware server' + echo '# without proxy this would be:' + echo '# port = 20000' + echo 'port = http,https' + echo 'logpath = /var/log/sogo/sogo.log' + + echo '' + + echo '[tine20]' + echo 'logpath = /var/log/tine20/tine20.log' + echo 'port = http,https' + + echo '' + + echo '#' + echo '# Web Applications' + echo '#' + + echo '[drupal-auth]' + echo 'port = http,https' + echo 'logpath = %(syslog_daemon)s' + echo 'backend = %(syslog_backend)s' + + echo '' + + echo '[guacamole]' + echo 'port = http,https' + echo 'logpath = /var/log/tomcat*/catalina.out' + echo '#logpath = /var/log/guacamole.log' + + echo '' + + echo '[monit]' + echo '#Ban clients brute-forcing the monit gui login' + echo 'port = 2812' + echo 'logpath = /var/log/monit' + echo ' /var/log/monit.log' + + echo '' + + echo '[webmin-auth]' + echo 'port = 10000' + echo 'logpath = %(syslog_authpriv)s' + echo 'backend = %(syslog_backend)s' + + echo '' + + echo '[froxlor-auth]' + echo 'port = http,https' + echo 'logpath = %(syslog_authpriv)s' + echo 'backend = %(syslog_backend)s' + + echo '' + + echo '#' + echo '# HTTP Proxy servers' + echo '#' + + echo '[squid]' + echo 'port = 80,443,3128,8080' + echo 'logpath = /var/log/squid/access.log' + + echo '' + + echo '[3proxy]' + echo 'port = 3128' + echo 'logpath = /var/log/3proxy.log' + + echo '' + + echo '#' + echo '# FTP servers' + echo '#' + + echo '[proftpd]' + echo 'port = ftp,ftp-data,ftps,ftps-data' + echo 'logpath = %(proftpd_log)s' + echo 'backend = %(proftpd_backend)s' + + echo '' + + echo '[pure-ftpd]' + echo 'port = ftp,ftp-data,ftps,ftps-data' + echo 'logpath = %(pureftpd_log)s' + echo 'backend = %(pureftpd_backend)s' + + echo '' + + echo '[gssftpd]' + echo 'port = ftp,ftp-data,ftps,ftps-data' + echo 'logpath = %(syslog_daemon)s' + echo 'backend = %(syslog_backend)s' + + echo '' + + echo '[wuftpd]' + echo 'port = ftp,ftp-data,ftps,ftps-data' + echo 'logpath = %(wuftpd_log)s' + echo 'backend = %(wuftpd_backend)s' + + echo '' + + echo '[vsftpd]' + echo '# or overwrite it in jails.local to be' + echo '# logpath = %(syslog_authpriv)s' + echo '# if you want to rely on PAM failed login attempts' + echo "# vsftpd's failregex should match both of those formats" + echo 'port = ftp,ftp-data,ftps,ftps-data' + echo 'logpath = %(vsftpd_log)s' + + echo '' + + echo '#' + echo '# Mail servers' + echo '#' + + echo '# ASSP SMTP Proxy Jail' + echo '[assp]' + echo 'port = smtp,465,submission' + echo 'logpath = /root/path/to/assp/logs/maillog.txt' + + echo '' + + echo '[courier-smtp]' + echo 'port = smtp,465,submission' + echo 'logpath = %(syslog_mail)s' + echo 'backend = %(syslog_backend)s' + + echo '' + + echo '[postfix]' + echo '# To use another modes set filter parameter "mode" in jail.local:' + echo 'mode = more' + echo 'port = smtp,465,submission' + echo 'logpath = %(postfix_log)s' + echo 'backend = %(postfix_backend)s' + + echo '' + + echo '[postfix-rbl]' + echo 'filter = postfix[mode=rbl]' + echo 'port = smtp,465,submission' + echo 'logpath = %(postfix_log)s' + echo 'backend = %(postfix_backend)s' + echo 'maxretry = 1' + + echo '' + + echo '[sendmail-auth]' + echo 'port = submission,465,smtp' + echo 'logpath = %(syslog_mail)s' + echo 'backend = %(syslog_backend)s' + + echo '' + + echo '[sendmail-reject]' + echo '# To use more aggressive modes set filter parameter "mode" in jail.local:' + echo '# normal (default), extra or aggressive' + echo '# See "tests/files/logs/sendmail-reject" or "filter.d/sendmail-reject.conf" for usage example and details.' + echo '#mode = normal' + echo 'port = smtp,465,submission' + echo 'logpath = %(syslog_mail)s' + echo 'backend = %(syslog_backend)s' + + echo '' + + echo '[qmail-rbl]' + echo 'filter = qmail' + echo 'port = smtp,465,submission' + echo 'logpath = /service/qmail/log/main/current' + + echo '' + + echo '# dovecot defaults to logging to the mail syslog facility' + echo '# but can be set by syslog_facility in the dovecot configuration.' + echo '[dovecot]' + echo 'port = pop3,pop3s,imap,imaps,submission,465,sieve' + echo 'logpath = %(dovecot_log)s' + echo 'backend = %(dovecot_backend)s' + + echo '' + + echo '[sieve]' + echo 'port = smtp,465,submission' + echo 'logpath = %(dovecot_log)s' + echo 'backend = %(dovecot_backend)s' + + echo '' + + echo '[solid-pop3d]' + echo 'port = pop3,pop3s' + echo 'logpath = %(solidpop3d_log)s' + + echo '' + + echo '[exim]' + echo '# see filter.d/exim.conf for further modes supported from filter:' + echo '#mode = normal' + echo 'port = smtp,465,submission' + echo 'logpath = %(exim_main_log)s' + + echo '' + + echo '[exim-spam]' + echo 'port = smtp,465,submission' + echo 'logpath = %(exim_main_log)s' + + echo '' + + echo '[kerio]' + echo 'port = imap,smtp,imaps,465' + echo 'logpath = /opt/kerio/mailserver/store/logs/security.log' + + echo '' + + echo '#' + echo '# Mail servers authenticators: might be used for smtp,ftp,imap servers, so' + echo '# all relevant ports get banned' + echo '#' + + echo '' + + echo '[courier-auth]' + echo 'port = smtp,465,submission,imap,imaps,pop3,pop3s' + echo 'logpath = %(syslog_mail)s' + echo 'backend = %(syslog_backend)s' + + echo '' + + echo '[postfix-sasl]' + echo 'filter = postfix[mode=auth]' + echo 'port = smtp,465,submission,imap,imaps,pop3,pop3s' + echo '# You might consider monitoring /var/log/mail.warn instead if you are' + echo '# running postfix since it would provide the same log lines at the' + echo '# "warn" level but overall at the smaller filesize.' + echo 'logpath = %(postfix_log)s' + echo 'backend = %(postfix_backend)s' + + echo '' + + echo '[perdition]' + echo 'port = imap,imaps,pop3,pop3s' + echo 'logpath = %(syslog_mail)s' + echo 'backend = %(syslog_backend)s' + + echo '' + + echo '[squirrelmail]' + echo 'port = smtp,465,submission,imap,imap2,imaps,pop3,pop3s,http,https,socks' + echo 'logpath = /var/db/squirrelmail/prefs/squirrelmail_access_log' + + echo '' + + echo '[cyrus-imap]' + echo 'port = imap,imaps' + echo 'logpath = %(syslog_mail)s' + echo 'backend = %(syslog_backend)s' + + echo '' + + echo '[uwimap-auth]' + echo 'port = imap,imaps' + echo 'logpath = %(syslog_mail)s' + echo 'backend = %(syslog_backend)s' + + echo '' + + echo '#' + echo '#' + echo '# DNS servers' + echo '#' + echo '' + + echo '#' + echo '#' + echo '# !!! WARNING !!!' + echo '# Since UDP is connection-less protocol, spoofing of IP and imitation' + echo '# of illegal actions is way too simple. Thus enabling of this filter' + echo '# might provide an easy way for implementing a DoS against a chosen' + echo '# victim. See' + echo '# http://nion.modprobe.de/blog/archives/690-fail2ban-+-dns-fail.html' + echo '# Please DO NOT USE this jail unless you know what you are doing.' + echo '#' + echo '# IMPORTANT: see filter.d/named-refused for instructions to enable logging' + echo '# This jail blocks UDP traffic for DNS requests.' + echo '# [named-refused-udp]' + echo '#' + echo '# filter = named-refused' + echo '# port = domain,953' + echo '# protocol = udp' + echo '# logpath = /var/log/named/security.log' + + echo '#' + echo '#' + + echo '# IMPORTANT: see filter.d/named-refused for instructions to enable logging' + echo '# This jail blocks TCP traffic for DNS requests.' + + echo '' + echo '' + + echo '[named-refused]' + echo 'port = domain,953' + echo 'logpath = /var/log/named/security.log' + + echo '' + echo '' + + echo '[nsd]' + echo 'port = 53' + echo 'action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]' + echo ' %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]' + echo 'logpath = /var/log/nsd.log' + + echo '' + + echo '#' + echo '# Miscellaneous' + echo '#' + + echo '' + + echo '[asterisk]' + echo 'port = 5060,5061' + echo 'action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]' + echo ' %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]' + echo 'logpath = /var/log/asterisk/messages' + echo 'maxretry = 10' + + echo '' + + echo '[freeswitch]' + echo 'port = 5060,5061' + echo 'action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]' + echo ' %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]' + echo 'logpath = /var/log/freeswitch.log' + echo 'maxretry = 10' + + echo '' + + echo '# enable adminlog; it will log to a file inside znc'\''s directory by default.' + echo '[znc-adminlog]' + echo 'port = 6667' + echo 'logpath = /var/db/znc/moddata/adminlog/znc.log' + + echo '' + + echo '# To log wrong MySQL access attempts add to /usr/pkg/etc/my.cnf in [mysqld] or' + echo '# equivalent section:' + echo '# log-warnings = 2' + echo '#' + echo '# for syslog (daemon facility)' + echo '# [mysqld_safe]' + echo '# syslog' + echo '#' + echo '# for own logfile' + echo '# [mysqld]' + echo '# log-error=/var/log/mysqld.log' + echo '[mysqld-auth]' + echo 'port = 3306' + echo 'logpath = %(mysql_log)s' + echo 'backend = %(mysql_backend)s' + + echo '' + + echo '[mssql-auth]' + echo '# Default configuration for Microsoft SQL Server for Linux' + echo '# See the '\''mssql-conf'\'' manpage how to change logpath or port' + echo 'logpath = /var/opt/mssql/log/errorlog' + echo 'port = 1433' + echo 'filter = mssql-auth' + + echo '' + + echo '# Log wrong MongoDB auth (for details see filter '\''filter.d/mongodb-auth.conf'\'')' + echo '[mongodb-auth]' + echo '# change port when running with "--shardsvr" or "--configsvr" runtime operation' + echo 'port = 27017' + echo 'logpath = /var/log/mongodb/mongodb.log' + echo '' + echo '# Jail for more extended banning of persistent abusers' + echo '# !!! WARNINGS !!!' + echo '# 1. Make sure that your loglevel specified in fail2ban.conf/.local' + echo '# is not at DEBUG level -- which might then cause fail2ban to fall into' + echo '# an infinite loop constantly feeding itself with non-informative lines' + echo '# 2. Increase dbpurgeage defined in fail2ban.conf to e.g. 648000 (7.5 days)' + echo '# to maintain entries for failed logins for sufficient amount of time' + echo '[recidive]' + echo '' + echo 'logpath = /var/log/fail2ban.log' + echo 'banaction = %(banaction_allports)s' + echo 'bantime = 1w' + echo 'findtime = 1d' + + echo '' + + echo '# Generic filter for PAM. Has to be used with action which bans all' + echo '# ports such as iptables-allports, shorewall' + + echo '' + + echo '[pam-generic]' + echo '# pam-generic filter can be customized to monitor specific subset of '\''tty'\''s' + echo 'banaction = %(banaction_allports)s' + echo 'logpath = %(syslog_authpriv)s' + echo 'backend = %(syslog_backend)s' + + echo '' + + echo '[xinetd-fail]' + echo 'banaction = iptables-multiport-log' + echo 'logpath = %(syslog_daemon)s' + echo 'backend = %(syslog_backend)s' + echo 'maxretry = 2' + + echo '' + + echo '# stunnel - need to set port for this' + echo '[stunnel]' + echo 'logpath = /var/log/stunnel4/stunnel.log' + + echo '' + + echo '[ejabberd-auth]' + echo 'port = 5222' + echo 'logpath = /var/log/ejabberd/ejabberd.log' + + echo '' + + echo '[counter-strike]' + echo 'logpath = /opt/cstrike/logs/L[0-9]*.log' + echo 'tcpport = 27030,27031,27032,27033,27034,27035,27036,27037,27038,27039' + echo 'udpport = 1200,27000,27001,27002,27003,27004,27005,27006,27007,27008,27009,27010,27011,27012,27013,27014,27015' + echo 'action_ = %(default/action_)s[name=%(__name__)s-tcp, port="%(tcpport)s", protocol="tcp"]' + echo ' %(default/action_)s[name=%(__name__)s-udp, port="%(udpport)s", protocol="udp"]' + + echo '' + + echo '[softethervpn]' + echo 'port = 500,4500' + echo 'protocol = udp' + echo 'logpath = /usr/local/vpnserver/security_log/*/sec.log' + + echo '' + + echo '[gitlab]' + echo 'port = http,https' + echo 'logpath = /var/log/gitlab/gitlab-rails/application.log' + + echo '' + + echo '[grafana]' + echo 'port = http,https' + echo 'logpath = /var/log/grafana/grafana.log' + + echo '' + + echo '[bitwarden]' + echo 'port = http,https' + echo 'logpath = /home/*/bwdata/logs/identity/Identity/log.txt' + + echo '' + + echo '[centreon]' + echo 'port = http,https' + echo 'logpath = /var/log/centreon/login.log' + + echo '' + + echo '# consider low maxretry and a long bantime' + echo '# nobody except your own Nagios server should ever probe nrpe' + echo '[nagios]' + echo 'logpath = %(syslog_daemon)s ; nrpe.cfg may define a different log_facility' + echo 'backend = %(syslog_backend)s' + echo 'maxretry = 1' + + echo '' + + echo '[oracleims]' + echo '# see "oracleims" filter file for configuration requirement for Oracle IMS v6 and above' + echo 'logpath = /opt/sun/comms/messaging64/log/mail.log_current' + echo 'banaction = %(banaction_allports)s' + + echo '' + + echo '[directadmin]' + echo 'logpath = /var/log/directadmin/login.log' + echo 'port = 2222' + + echo '' + + echo '[portsentry]' + echo 'logpath = /var/db/portsentry/portsentry.history' + echo 'maxretry = 1' + + echo '' + + echo '[pass2allow-ftp]' + echo '# this pass2allow example allows FTP traffic after successful HTTP authentication' + echo 'port = ftp,ftp-data,ftps,ftps-data' + echo '# knocking_url variable must be overridden to some secret value in jail.local' + echo 'knocking_url = /knocking/' + echo 'filter = apache-pass[knocking_url="%(knocking_url)s"]' + echo '# access log of the website with HTTP auth' + echo 'logpath = %(apache_access_log)s' + echo 'blocktype = RETURN' + echo 'returntype = DROP' + echo 'action = %(action_)s[blocktype=%(blocktype)s, returntype=%(returntype)s,' + echo ' actionstart_on_demand=false, actionrepair_on_unban=true]' + echo 'bantime = 1h' + echo 'maxretry = 1' + echo 'findtime = 1' + + echo '' + + echo '[murmur]' + echo '# AKA mumble-server' + echo 'port = 64738' + echo 'action_ = %(default/action_)s[name=%(__name__)s-tcp, protocol="tcp"]' + echo ' %(default/action_)s[name=%(__name__)s-udp, protocol="udp"]' + echo 'logpath = /var/log/mumble-server/mumble-server.log' + + echo '' + + echo '[screensharingd]' + echo '# For Mac OS Screen Sharing Service (VNC)' + echo 'logpath = /var/log/system.log' + echo 'logencoding = utf-8' + + echo '' + + echo '[haproxy-http-auth]' + echo "# HAProxy by default doesn't log to file you'll need to set it up to forward" + echo '# logs to a syslog server which would then write them to disk.' + echo '# See "haproxy-http-auth" filter for a brief cautionary note when setting' + echo '# maxretry and findtime.' + echo 'logpath = /var/log/haproxy.log' + + echo '' + + echo '[slapd]' + echo 'port = ldap,ldaps' + echo 'logpath = /var/log/slapd.log' + echo '' + echo '[domino-smtp]' + echo 'port = smtp,ssmtp' + echo 'logpath = /home/domino01/data/IBM_TECHNICAL_SUPPORT/console.log' + + echo '' + + echo '[phpmyadmin-syslog]' + echo 'port = http,https' + echo 'logpath = %(syslog_authpriv)s' + echo 'backend = %(syslog_backend)s' + + echo '' + + echo '[zoneminder]' + echo '# Zoneminder HTTP/HTTPS web interface auth' + echo '# Logs auth failures to apache2 error log' + echo 'port = http,https' + echo 'logpath = %(apache_error_log)s' + + echo '' + + echo '[traefik-auth]' + echo "# to use 'traefik-auth' filter you have to configure your Traefik instance," + echo "# see \`filter.d/traefik-auth.conf\` for details and service example." + echo 'port = http,https' + echo 'logpath = /var/log/traefik/access.log' + + echo '' + + echo '[scanlogd]' + echo 'logpath = %(syslog_local0)s' + echo 'banaction = %(banaction_allports)s' + + echo '' + + echo '[monitorix]' + echo 'port = 8080' + echo 'logpath = /var/log/monitorix-httpd' + } > /usr/pkg/etc/fail2ban/jail.local + + + pico /usr/pkg/etc/fail2ban/jail.local + + else + + pico /usr/pkg/etc/fail2ban/jail.local + + dialog --yesno "Do you want to (re)start fail2ban?" 5 39 + restart_ornot=$? + if [ $restart_ornot -eq 0 ]; then + + service fail2ban restart > /dev/null 2>&1 + + Fail2banMenu + + fi + + fi + + dialog --yesno "Do you want to (re)start fail2ban?" 5 39 + restart_ornot=$? + if [ $restart_ornot -eq 0 ]; then + + service fail2ban restart > /dev/null 2>&1 + + fi + + fi + +Fail2banMenu + +} + +# checked + +ConfigureSSH () { + + # Check if OpenSSH is installed or not + check=$(grep -o "sshd=YES" < /etc/rc.conf | wc -l | tr -d ' ') + if [ "$check" -eq 0 ]; then + + if [ ! -e /usr/sbin/sshd ]; then + + dialog --yesno "OpenSSH is not installed on your system, do you want to install it?" 6 44 + sshd_install=$? + + checkInternetConnection + + if [ $sshd_install -eq 0 ]; then + + pkgin -y in opensshd + # I don't remember if sshd goes automatically to /etc/rc.d/... in case : + cp /usr/pkg/share/examples/rc.d/sshd /etc/rc.d/sshd + + echo sshd=YES >> /etc/rc.conf + + fi + fi + + fi + + + # Check if a previous configuration has already been done + if [ -e /etc/ssh/sshd_config.BAK ]; then + + dialog --yesno "A previous configuration seems to have been done\nDo you want to restore the backup file (Yes) or work on the actual configuration? (No)" 7 52 + what_todo=$? + + if [ $what_todo -eq 0 ]; then + + cp /etc/ssh/sshd_config.BAK /etc/ssh/ssh/sshd_config + + fi + + + else + + dialog --yesno "Do you want to create a backup of the original /etc/ssh/sshd_config before starting to edit the configuration?\n(you really should say yes!!)" 7 70 + bak_ornot=$? + + if [ $bak_ornot -eq 0 ]; then + + cp /etc/ssh/sshd_config /etc/ssh/sshd_config.BAK + + dialog --msgbox "/etc/ssh/sshd_config has been saved as /etc/ssh/sshd_config.BAK" 5 68 + + fi + + fi + + + # be guided for configuration or not ? + dialog --yesno "Do you wish to be guided (Yes) in order to configure SSH properly (with usual parameters)\nor\nDo you prefer to do it yourself? (No)" 8 70 + guided_ornot=$? + + if [ $guided_ornot -eq 0 ]; then + + dialog --msgbox "Then, let's start!" 5 22 + + { + echo "###########################" + echo "# CUSTOM SSH CONFIGURATION" + echo " " + + } >> /etc/ssh/sshd_config + + # SSH PORT + dialog --yesno "Do you want to change the SSH port?\n\nBy default, the SSH port is 22 (TCP)\n(It is recommended to use another port to reduce the risk of automated attacks)" 9 70 + change_port=$? + + if [ $change_port -eq 0 ]; then + + nport=$(dialog --inputbox "Please enter a new port number (>10,000 and <65,000 preferably)" 8 68 2>&1 1>/dev/tty) + { + echo "# PORT" + echo "Port $nport" + echo " " + } >> /etc/ssh/sshd_config + + # check if the NPF firewall has already been configured + if [ -e /etc/npf.conf ]; then + + check=$(npfctl show | grep -o "inactive" | sort | uniq | wc -l | tr -d ' ') + if [ ! "$check" -eq 1 ]; then + + dialog --msgbox "The NPF firewall seems to be active\nYou also need to change the SSH port in the rules file to avoid being blocked when SSH is activated.\n\nThe NPF rules file will open\nMake the changes, exit, and save without changing the file location" 11 70 + + pico /etc/npf.conf + + changePortNPF="1" + + fi + + + fi + + else + { + echo "# PORT" + echo "Port 22" + echo " " + } >> /etc/ssh/sshd_config + + fi + + # LISTEN ADDRESS + dialog --yesno "Do you want to configure the listening addresses?\n\n(If your server has multiple network interfaces, it is recommended to specify the IP address(es) of your server on which the SSH service should listen if you do not want users to be able to connect via undesired or protected interfaces)\n\nIf you answer (No), then SSH will listen by default on all interfaces of your server" 13 70 + listen_ip=$? + + if [ $listen_ip -eq 0 ]; then + + echo "# LISTEN ADDRESS" >> /etc/ssh/sshd_config + + i=0 + while [ $i -lt "50" ]; do + ip_add=$(dialog --inputbox "Please enter an IP address allowed to connect" 8 55 2>&1 1>/dev/tty) + echo "ListenAddress $ip_add" >> /etc/ssh/sshd_config + + dialog --yesno "Do you want to add another IP?" 5 34 + add_another=$? + + if [ $add_another -eq 1 ]; then + + i=$((i+51)) + fi + + i=$((i+1)) + done + + echo " " >> /etc/ssh/sshd_config + + else + { + echo "# LISTEN ADDRESS" + echo "ListenAddress 0.0.0.0" + echo "ListenAddress ::" + } >> /etc/ssh/sshd_config + fi + + # AUTHORIZED/ USERS + dialog --yesno "Do you want to specify the users allowed to connect to this server via SSH?\n(Only the specified users will be allowed to connect)\n\nIf (No), all users will be allowed to connect" 9 70 + user_yesconnect=$? + + if [ $user_yesconnect -eq 0 ]; then + + echo "# ALLOW USERS" >> /etc/ssh/sshd_config + + permitusers=$(dialog --inputbox "Please enter the username(s) of the only user(s) allowed to connect\n(separate usernames with spaces)" 9 70 2>&1 1>/dev/tty) + + echo "AllowUsers ${permitusers}" >> /etc/ssh/sshd_config + + echo " " >> /etc/ssh/sshd_config + + + fi + + # DENIED USERS + dialog --yesno "Do you want to prohibit specific users from connecting to this server via SSH?\n(only the specified users will be prohibited from connecting.\n\nIf you have previously allowed users to connect, then answer (No)" 9 70 + user_noconnect=$? + + if [ $user_noconnect -eq 0 ]; then + + echo "# DENY USERS" >> /etc/ssh/sshd_config + + denyusers=$(dialog --inputbox "Please enter the username(s) of the user(s) denied from connecting\n(separate usernames with spaces)" 9 70 2>&1 1>/dev/tty) + + echo "DenyUsers ${denyusers}" >> /etc/ssh/sshd_config + + echo " " >> /etc/ssh/sshd_config + + fi + + + # PERMIT ROOT LOGIN + dialog --yesno "Do you want to prohibit (Yes) or allow (No) root to connect to this server?\n\n(It is recommended to prohibit root login)" 8 70 + permit_root=$? + + echo "# PERMIT ROOT LOGIN" >> /etc/ssh/sshd_config + + if [ $permit_root -eq 0 ]; then + + echo "PermitRootLogin no" >> /etc/ssh/sshd_config + echo " " >> /etc/ssh/sshd_config + + else + + echo "PermitRootLogin yes" >> /etc/ssh/sshd_config + echo " " >> /etc/ssh/sshd_config + + fi + + + # PUB KEY AUTHENTICATION + dialog --yesno "Do you want to allow both key-based and password-based authentication (Yes) or only one of them (No)?\n\nIf you answer (No), you will be prompted to choose on the next screen." 9 70 + pubkey_yesno=$? + + + if [ $pubkey_yesno -eq 0 ]; then + { + echo "# PUB KEY AND PASSWORD AUTHENTICATION" + echo "PasswordAuthentication yes" + echo "AuthorizedKeysFile .ssh/authorized_keys" + echo "KbdInteractiveAuthentication yes" + echo "UsePAM yes" + echo " " + } >> /etc/ssh/sshd_config + + else + + dialog --yesno "Do you want to allow only password-based authentication (Yes)\nor\nonly public key-based authentication (No)?\n\nSSH key-based authentication is highly recommended, however, you should not disable password authentication until you have added the public SSH key of the machine that will connect to this server to the /home/USER/.ssh/authorized_keys file on this server. Otherwise, you may risk losing access to the server." 13 70 + pass_orkey=$? + + if [ $pass_orkey -eq 0 ]; then + + { + echo "# PASSWORD AUTHENTICATION ONLY" + echo "PasswordAuthentication yes" + echo "PubkeyAuthentication no" + echo "KbdInteractiveAuthentication yes" + echo "UsePAM yes" + echo " " + } >> /etc/ssh/sshd_config + + else + { + echo "# PUB KEY AUTHENTICATION ONLY" + echo "PasswordAuthentication no" + echo "PubkeyAuthentication yes" + echo "AuthorizedKeysFile .ssh/authorized_keys" + echo "KbdInteractiveAuthentication no" + echo "UsePAM no" + echo " " + } >> /etc/ssh/sshd_config + + fi + + fi + + + + # X11Forwarding + dialog --yesno "Do you need to run graphical applications (X11) via SSH?" 5 61 + x11_forward=$? + + + if [ $x11_forward -eq 0 ]; then + + { + echo "# X11 FORWARDING" + echo "X11Forwarding yes" + echo " " + } >> /etc/ssh/sshd_config + else + { + echo "# NO X11 FORWARDING" + echo "X11Forwarding no" + echo " " + } >> /etc/ssh/sshd_config + fi + + + + # AllowTcpForwarding + dialog --yesno "Will you be setting up SSH tunnels?" 5 40 + ssh_tunnels=$? + + + if [ $ssh_tunnels -eq 0 ]; then + + { + echo "# SSH TUNNELING" + echo "AllowTcpForwarding yes" + echo " " + } >> /etc/ssh/sshd_config + + else + + { + + echo "# NO SSH TUNNELING" + echo "AllowTcpForwarding no" + echo " " + } >> /etc/ssh/sshd_config + + fi + + + + # USER ENVIRONMENT + dialog --yesno "Will you need to set environment variables via SSH?\n\nIt is recommended not to enable this option." 7 56 + user_env=$? + + + if [ $user_env -eq 0 ]; then + { + echo "# USER ENVIRONMENT" + echo "PermitUserEnvironment yes" + echo " " + } >> /etc/ssh/sshd_config + + else + { + echo "# NO USER ENVIRONMENT" + echo "PermitUserEnvironment no" + echo " " + } >> /etc/ssh/sshd_config + + fi + + + + # LOGIN GRACE TIME + dialog --yesno "Do you want to set a timeout during authentication?\n\nIt is recommended to configure a timeout." 7 56 + grace_limit=$? + + + if [ $grace_limit -eq 0 ]; then + + timelogin=$(dialog --inputbox "Please enter a timeout value (in seconds)\n(example: 60)" 9 50 2>&1 1>/dev/tty) + + { + echo "# LOGIN GRACE TIME" + echo "LoginGraceTime $timelogin" + echo " " + } >> /etc/ssh/sshd_config + + fi + + + + # MAX AUTHENTICATION TRIES + dialog --yesno "Do you want to limit the number of authentication attempts?\n\n(recommended)" 7 64 + max_ornot=$? + + + if [ $max_ornot -eq 0 ]; then + + maxauth=$(dialog --inputbox "Please enter a maximum number of attempts\n(3 or 4 are usually good values)" 9 47 2>&1 1>/dev/tty) + + { + echo "# MAX AUTHENTICATION TRIES" + echo "MaxAuthTries $maxauth" + echo " " + } >> /etc/ssh/sshd_config + + fi + + + + # MAX SESSIONS + dialog --yesno "Do you want to limit the number of simultaneous SSH sessions for each user?\n\n(recommended)" 8 70 + ssh_simul=$? + + + if [ $ssh_simul -eq 0 ]; then + + maxsimul=$(dialog --inputbox "Please enter a maximum number of sessions" 8 50 2>&1 1>/dev/tty) + + { + echo "# MAX SESSIONS PER USER" + echo "MaxSessions $maxsimul" + echo " " + } >> /etc/ssh/sshd_config + + fi + + + + + # AUTOMATIC CLOSING + dialog --yesno "Do you want to configure automatic closure of inactive sessions?\n\n(recommended)" 7 69 + close_inac=$? + + if [ $close_inac -eq 0 ]; then + + dialog --msgbox "The configuration is done in 2 steps\n\nFirst, you need to define the time (in seconds) between the sending of 2 inactivity requests (example 300)\nThen, we define the maximum number of requests sent before automatic session closure (example 3)\n\nTaking these 2 examples, the connection would be terminated after 15 minutes (300*3)" 13 70 + interval=$(dialog --inputbox "Please enter the maximum number of seconds between the sending of 2 inactivity requests (example 300)" 9 60 2>&1 1>/dev/tty) + nbrequest=$(dialog --inputbox "Please enter the maximum number of requests sent before session closure (example 3)" 9 60 2>&1 1>/dev/tty) + + { + echo "# CLOSE INACTIVE SESSIONS" + echo "ClientAliveInterval $interval" + echo "ClientAliveCountMax $nbrequest" + echo " " + } >> /etc/ssh/sshd_config + + fi + + + + # SYSLOG FACILITY + dialog --yesno "Do you want to set SysLogFacility to AUTH?\n\nThis allows SSH messages to be logged appropriately." 7 60 + facility_ornot=$? + + if [ $facility_ornot -eq 0 ]; then + + { + echo "# SYSLOG FACILITY" + echo "SyslogFacility AUTH" + echo " " + } >> /etc/ssh/sshd_config + + fi + + + + # LOG LEVEL + dialog --yesno "Do you want to set the logging level?" 5 42 + level_ornot=$? + + if [ $level_ornot -eq 0 ]; then + + dialog --yesno "Do you want to set it to INFO for normal usage (Yes)\nor\nVERBOSE for more details (No)?" 7 57 + info_verbose=$? + + if [ $info_verbose -eq 0 ]; then + + { + echo "# LOG LEVEL" + echo "LogLevel INFO" + echo " " + } >> /etc/ssh/sshd_config + + else + { + echo "# LOG LEVEL" + echo "LogLevel VERBOSE" + echo " " + } >> /etc/ssh/sshd_config + + fi + + fi + + + + + # DNS + dialog --yesno "Do you want to disable DNS resolution?\n\nThis speeds up SSH connections and reduces the possibility of DNS-based attacks." 8 70 + dns_ornot=$? + + if [ $dns_ornot -eq 0 ]; then + + { + echo "# DNS" + echo "UseDNS no" + echo " " + } >> /etc/ssh/sshd_config + + else + { + echo "# DNS" + echo "UseDNS yes" + echo " " + } >> /etc/ssh/sshd_config + fi + + + + + # SFTP + dialog --yesno "Will you be using the SFTP protocol (FTP over SSH) for file exchange via SSH?" 6 66 + sftp_ornot=$? + + if [ $sftp_ornot -eq 0 ]; then + + dialog --yesno "Do you want to use /usr/libexex/sftp-server (default choice) (Yes)\nor\ninternal-sftp (No)?" 7 70 + which_sftp=$? + + if [ $which_sftp -eq 0 ]; then + { + echo "# SFTP" + echo "Subsystem sftp /usr/libexec/sftp-server" + echo " " + } >> /etc/ssh/sshd_config + else + { + echo "# SFTP" + echo "Subsystem sftp internal-sftp" + echo " " + } >> /etc/ssh/sshd_config + fi + + fi + + + + # MOTD + dialog --yesno "Do you want to disable the Message of the Day (Motd)?\n\n(recommended)" 7 58 + motd_ornot=$? + + if [ $motd_ornot -eq 0 ]; then + { + echo "# MOTD" + echo "PrintMotd no" + echo " " + } >> /etc/ssh/sshd_config + else + { + echo "# MOTD" + echo "PrintMotd yes" + echo " " + } >> /etc/ssh/sshd_config + fi + + + + + # LAST LOG + dialog --yesno "Do you want to hide (Yes) or display (No) the message showing the date and time of the last login when a user logs in?\n\n(It is recommended to hide this information)" 8 70 + hidelog_ornot=$? + + if [ $hidelog_ornot -eq 0 ]; then + { + echo "# PRINT LAST LOG" + echo "PrintLastLog no" + echo " " + } >> /etc/ssh/sshd_config + else + { + echo "# PRINT LAST LOG" + echo "PrintLastLog yes" + echo " " + } >> /etc/ssh/sshd_config + fi + + # USUAL + { + echo "# DISABLE HPN" + echo "HPNDisabled yes" + echo " " + } >> /etc/ssh/sshd_config + + dialog --msgbox "The configuration is now completed" 5 39 + + else + + dialog --msgbox "/etc/ssh/sshd_config is going to be opened in a text editor in order to let you configure SSH yourself\n\nDo what you need to do, then Exit and Save without changing the location of the file\n\nYou'll be asked to activate (or not) the configuration at the end" 11 69 + + pico /etc/ssh/sshd_config + + + # check if Port is commented or not + check=$(grep Port < /etc/ssh/sshd_config | grep "[0-9]" | grep -o '#' | sort | uniq | wc -l | tr -d ' ') + + if [ "$check" -eq 0 ]; then + + # check if Port has been modified + check2=$(grep -o "Port 22" < /etc/ssh/sshd_config | sort | uniq | wc -l | tr -d ' ') + if [ ! "$check2" -eq 1 ]; then + + # check if the NPF firewall has already been configured + if [ -e /etc/npf.conf ]; then + + # check if NPF is running + check=$(npfctl show | grep -o "inactive" | sort | uniq | wc -l | tr -d ' ') + if [ ! "$check" -eq 1 ]; then + + dialog --msgbox "The NPF firewall seems to be active\nYou also need to change the SSH port in the rules file to avoid being blocked when SSH is activated.\n\nThe NPF rules file will open\nMake the changes, exit, and save without changing the file location" 11 70 + + pico /etc/npf.conf + + changePortNPF="1" + + fi + + + fi + + fi + + fi + + fi + + dialog --yesno "Do you want to (re)start SSH?" 5 33 + activate_ornot=$? + + if [ $activate_ornot -eq 0 ]; then + + service sshd restart > /dev/null 2>&1 + + sleep 1 + + check=$(service sshd status | grep -o "sshd is not running." | wc -l | tr -d) + + if [ "$check" -eq 0 ]; then + dialog --msgbox "It seems that something went wrong, sshd did not start" 5 59 + + fi + + if [ "$changePortNPF" -eq 1 ]; then + + dialog --yesno "You have modified the SSH port, do you want to restart the firewall now?" 6 66 + restart_npf=$? + + if [ $restart_npf -eq 0 ]; then + + service npf restart > /dev/null 2>&1 + + fi + + + fi + + check=$(service sshd status | grep -o "sshd is running" | wc -l | tr -d ' ') + + if [ "$check" -eq 1 ]; then + dialog --msgbox "SSH is running, Congratulations!" 5 36 + fi + + + fi + + SecurityMenu + +} + +# checked + +FormatToNTFS () { + + { + + ################################################ + # STAGE 0 : CHECK FOR NECESSARY TOOLS + + if [ ! -e /usr/pkg/sbin/mkntfs ]; then + checkInternetConnection + + pkgin -y in fuse > /dev/null 2>&1 + echo 20 + pkgin -y in fuse-ntfs > /dev/null 2>&1 + echo 40 + pkgin -y in fuse-ntfs-3g > /dev/null 2>&1 + echo 60 + pkgin -y in libntfs > /dev/null 2>&1 + echo 80 + pkgin -y inntfsprogs > /dev/null 2>&1 + echo 100 + + fi + + + } | dialog --gauge "Checking for necessary software..." 6 39 + + dialog --msgbox "If you have just inserted the USB device, then you can continue. Otherwise, please unplug it, wait a few seconds, then plug it back in, wait a few seconds, and then continue" 7 70 + + ################################################ + # STAGE 1 : DETECTION AND CHOICE OF THE DEVICE + + # Create a temporary file + TMPFILE=$(mktemp) + + # Generate the list of devices + dmesg | tail -5 | grep -o "sd[0-9]" | sort | uniq > "$TMPFILE" + + # Check if the list is empty + if [ ! -s "$TMPFILE" ]; then + dialog --msgbox "No USB devices detected" 5 30 + rm -f "$TMPFILE" + DiskMngmtMenu + fi + + # Read the temporary file and construct the option for dialog + devices="" + while IFS= read -r line; do + devices="$devices $line \"$line\" off" + done < "$TMPFILE" + + # Use dialog to display the list of devices + device=$(eval "dialog --radiolist \"Choose the USB device to format\" 0 0 0 $devices 3>&1 1>&2 2>&3") + + # Clean up and remove the temporary file + rm -f "$TMPFILE" + + ################################################################################################################### + # STAGE 2 : CHECK IF THE DEVICE IS ASSOCIATED TO A GEOMETRY AND IF THIS GEOMETRY IS ALREADY MOUNTED ON THE SYSTEM + + # check if already mounted then format + if [ -n "$device" ]; then + + # check if the selected device is already associated with a geometry + seekdkX=$(dmesg | tail -10 | grep "${device}" | grep -o "dk[0-9]" | sort | uniq | wc -l | tr -d ' ') + + if [ "$seekdkX" -gt 0 ]; then + + # get geom name (dkX) + getgeom=$(dmesg | tail -10 | grep "${device}" | grep -o "dk[0-9]" | sort | uniq) + checkmounted=$(mount | grep -o "/dev/${getgeom}" | sort | uniq | wc -l | tr -d ' ') + + if [ "$checkmounted" -eq 1 ]; then + + dialog --msgbox "The device is mounted, please unmount it first" 5 50 + DiskMngmtMenu + + fi + + fi + + { + + ################### + # STAGE 3 : FORMAT + + # Destroy and Create a new GPT table + gpt destroy "$device" > /dev/null 2>&1 + gpt create -f "$device" > /dev/null 2>&1 + + echo 10 + + # Create a partition of type windows + gpt add -t windows "$device" > /dev/null 2>&1 + + echo 20 + + # The operation is repeated a second time to accommodate the transition from MBR to GPT (again, it is needed sometimes) + gpt destroy "$device" > /dev/null 2>&1 + gpt create -f "$device" > /dev/null 2>&1 + + echo 30 + + # Create a partition of type windows + gpt add -t windows "$device" > /dev/null 2>&1 + + echo 40 + + # Retrieve the created geometry: + geom=$(dmesg | tail -5 | grep "${device}" | grep -o "dk[0-9]" | sort | uniq | tr -d ' ') + + # Create the filesystem: + mkntfs -f "/dev/$geom" > /dev/null 2>&1 + + echo 100 + + + } | dialog --gauge "Formatting in progress..." 6 31 + + geom=$(dmesg | tail -5 | grep -o "dk[0-9]" | sort | uniq | tr -d ' ') + + + ############################################## + # STAGE 4 : MOUNT THE NEWLY CREATED GEOMETRY + + dialog --yesno "Do you want to mount the USB device to /media/$geom?" 5 56 + mount_ornot=$? + + if [ "$mount_ornot" -eq 0 ]; then + + # Creating the mount point + mkdir -p /media/"$geom" > /dev/null 2>&1 + + # Mounting NTFS + env PERFUSE_BUFSIZE=135168 ntfs-3g /dev/"$geom" /media/"$geom" > /dev/null 2>&1 + + dialog --msgbox "Don't forget about permissions on /media/$geom" 5 51 + + fi + + DiskMngmtMenu + + + fi +} + +# checked + +FormatToEXFAT () { + + { + + ################################################ + # STAGE 0 : CHECK FOR NECESSARY TOOLS + + if [ ! -e /usr/pkg/sbin/mkexfatfs ]; then + checkInternetConnection + + pkgin -y in fuse > /dev/null 2>&1 + echo 20 + pkgin -y in fuse-ntfs > /dev/null 2>&1 + echo 40 + pkgin -y in fuse-ntfs-3g > /dev/null 2>&1 + echo 60 + pkgin -y in libntfs > /dev/null 2>&1 + echo 70 + pkgin -y fuse-exfat > /dev/null 2>&1 + echo 80 + pkgin -y inntfsprogs > /dev/null 2>&1 + echo 100 + + fi + + + } | dialog --gauge "Checking for necessary software..." 6 39 + + dialog --msgbox "If you have just inserted the USB device, then you can continue. Otherwise, please unplug it, wait a few seconds, then plug it back in, wait a few seconds, and then continue" 7 70 + + ################################################ + # STAGE 1 : DETECTION AND CHOICE OF THE DEVICE + + # Create a temporary file + TMPFILE=$(mktemp) + + # Generate the list of devices + dmesg | tail -5 | grep -o "sd[0-9]" | sort | uniq > "$TMPFILE" + + # Check if the list is empty + if [ ! -s "$TMPFILE" ]; then + dialog --msgbox "No USB devices detected" 5 30 + rm -f "$TMPFILE" + DiskMngmtMenu + fi + + # Read the temporary file and construct the option for dialog + devices="" + while IFS= read -r line; do + devices="$devices $line \"$line\" off" + done < "$TMPFILE" + + # Use dialog to display the list of devices + device=$(eval "dialog --radiolist \"Choose the USB device to format\" 0 0 0 $devices 3>&1 1>&2 2>&3") + + # Clean up and remove the temporary file + rm -f "$TMPFILE" + + ################################################################################################################### + # STAGE 2 : CHECK IF THE DEVICE IS ASSOCIATED TO A GEOMETRY AND IF THIS GEOMETRY IS ALREADY MOUNTED ON THE SYSTEM + + # check if already mounted then format + if [ -n "$device" ]; then + + # check if the selected device is already associated with a geometry + seekdkX=$(dmesg | tail -10 | grep "${device}" | grep -o "dk[0-9]" | sort | uniq | wc -l | tr -d ' ') + + if [ "$seekdkX" -gt 0 ]; then + + # get geom name (dkX) + getgeom=$(dmesg | tail -10 | grep "${device}" | grep -o "dk[0-9]" | sort | uniq) + checkmounted=$(mount | grep -o "/dev/${getgeom}" | sort | uniq | wc -l | tr -d ' ') + + if [ "$checkmounted" -eq 1 ]; then + + dialog --msgbox "The device is mounted, please unmount it first" 5 50 + DiskMngmtMenu + + fi + + fi + + { + + ################### + # STAGE 3 : FORMAT + + # Destroy and Create a new GPT table + gpt destroy "$device" > /dev/null 2>&1 + gpt create -f "$device" > /dev/null 2>&1 + + echo 10 + + # Create a partition of type windows + gpt add -t windows "$device" > /dev/null 2>&1 + + echo 20 + + # The operation is repeated a second time to accommodate the transition from MBR to GPT (again, it is needed sometimes) + gpt destroy "$device" > /dev/null 2>&1 + gpt create -f "$device" > /dev/null 2>&1 + + echo 30 + + # Create a partition of type windows + gpt add -t windows "$device" > /dev/null 2>&1 + + echo 40 + + # Retrieve the created geometry: + geom=$(dmesg | tail -5 | grep "${device}" | grep -o "dk[0-9]" | sort | uniq | tr -d ' ') + + # Create the filesystem: + /usr/pkg/sbin/mkexfatfs "/dev/$geom" > /dev/null 2>&1 + + echo 100 + + + } | dialog --gauge "Formatting in progress..." 6 31 + + geom=$(dmesg | tail -5 | grep -o "dk[0-9]" | sort | uniq | tr -d ' ') + + ############################################## + # STAGE 4 : MOUNT THE NEWLY CREATED GEOMETRY + + dialog --yesno "Do you want to mount the USB device to /media/$geom?" 5 56 + mount_ornot=$? + + if [ "$mount_ornot" -eq 0 ]; then + + # Creating the mount point + mkdir -p /media/"$geom" > /dev/null 2>&1 + + # Mounting + env PERFUSE_BUFSIZE=135168 /usr/pkg/sbin/mount.exfat /dev/"$geom" /media/"$geom" > /dev/null 2>&1 + #env PERFUSE_BUFSIZE=135168 ntfs-3g /dev/$geom /media/$geom > /dev/null 2>&1 + + dialog --yesno "Don't you want to give Read/Write permissions to a user on /media/$geom?" 6 60 + rw_ornot=$? + if [ $rw_ornot -eq 0 ]; then + + user=$(dialog --title "Read/Write Permissions" --inputbox "Please enter the username" 8 40 2>&1 1>/dev/tty) + /sbin/chown -R "$user" /media/"$geom" + chmod -R /media/"$geom" + + else + + dialog --msgbox "Don't forget about permissions on /media/$geom" 5 51 + + fi + + fi + + DiskMngmtMenu + + fi + +} + +# checked + +FormatToFFSv1 () { + + dialog --yesno "FFSv1 is outdated and does not support storage devices > 1 TB. Do you want to continue?" 6 67 + ffsv1_choix=$? + + case $ffsv1_choix in + 1) + DiskMngmtMenu + ;; + esac + + dialog --msgbox "If you have just inserted the USB device, then you can continue. Otherwise, please unplug it, wait a few seconds, then plug it back in, wait a few seconds, and then continue" 7 70 + + ################################################ + # STAGE 1 : DETECTION AND CHOICE OF THE DEVICE + + # Create a temporary file + TMPFILE=$(mktemp) + + # Generate the list of devices + dmesg | tail -5 | grep -o "sd[0-9]" | sort | uniq > "$TMPFILE" + + # Check if the list is empty + if [ ! -s "$TMPFILE" ]; then + dialog --msgbox "No USB devices detected" 5 30 + rm -f "$TMPFILE" + DiskMngmtMenu + fi + + # Read the temporary file and construct the option for dialog + devices="" + while IFS= read -r line; do + devices="$devices $line \"$line\" off" + done < "$TMPFILE" + + # Use dialog to display the list of devices + device=$(eval "dialog --radiolist \"Choose the USB device to format\" 0 0 0 $devices 3>&1 1>&2 2>&3") + + # Clean up and remove the temporary file + rm -f "$TMPFILE" + + ################################################################################################################### + # STAGE 2 : CHECK IF THE DEVICE IS ASSOCIATED TO A GEOMETRY AND IF THIS GEOMETRY IS ALREADY MOUNTED ON THE SYSTEM + + # check if already mounted then format + if [ -n "$device" ]; then + + # check if the selected device is already associated with a geometry + seekdkX=$(dmesg | tail -10 | grep "${device}" | grep -o "dk[0-9]" | sort | uniq | wc -l | tr -d ' ') + + if [ "$seekdkX" -gt 0 ]; then + + # get geom name (dkX) + getgeom=$(dmesg | tail -10 | grep "${device}" | grep -o "dk[0-9]" | sort | uniq) + checkmounted=$(mount | grep -o "/dev/${getgeom}" | sort | uniq | wc -l | tr -d ' ') + + if [ "$checkmounted" -eq 1 ]; then + + dialog --msgbox "The device is mounted, please unmount it first" 5 50 + DiskMngmtMenu + + fi + + fi + + { + + ################### + # STAGE 3 : FORMAT + + # Destroy and Create a new GPT table + gpt destroy "$device" > /dev/null 2>&1 + gpt create -f "$device" > /dev/null 2>&1 + + echo 10 + + # Destroy and Create a new GPT table again + gpt destroy "$device" > /dev/null 2>&1 + gpt create -f "$device" > /dev/null 2>&1 + + echo 20 + + # Create a partition of type FFS + gpt add -t ffs "$device" > /dev/null 2>&1 + + echo 30 + + # Retrieve the created geometry: + geom=$(dmesg | tail -5 | grep "${device}" | grep -o "dk[0-9]" | sort | uniq | tr -d ' ') + + # Create the filesystem: + newfs -O1 "$geom" > /dev/null 2>&1 + + echo 100 + + } | dialog --gauge "Formatting in progress..." 6 31 + + ############################################## + # STAGE 4 : MOUNT THE NEWLY CREATED GEOMETRY + + geom=$(dmesg | tail -5 | grep "${device}" | grep -o "dk[0-9]" | sort | uniq | tr -d ' ') + + dialog --yesno "Do you want to mount the USB device to /media/$geom?" 5 56 + mount_ornot=$? + + if [ $mount_ornot -eq 0 ]; then + + # Création du point de montage + mkdir -p /media/"$geom" > /dev/null 2>&1 + + # Montage + mount /dev/"$geom" /media/"$geom" > /dev/null 2>&1 + + dialog --yesno "Don't you want to give Read/Write permissions to a user on /media/$geom?" 6 60 + rw_ornot=$? + if [ $rw_ornot -eq 0 ]; then + + user=$(dialog --title "Read/Write Permissions" --inputbox "Please enter the username" 8 40 2>&1 1>/dev/tty) + /sbin/chown -R "$user" /media/"$geom" + chmod -R /media/"$geom" + + else + + dialog --msgbox "Don't forget about permissions on /media/$geom" 5 51 + + fi + + fi + + DiskMngmtMenu + + fi + +} + +# checked + +FormatToFFSv2 () { + + dialog --msgbox "If you have just inserted the USB device, then you can continue. Otherwise, please unplug it, wait a few seconds, then plug it back in, wait a few seconds, and then continue" 7 70 + + ################################################ + # STAGE 1 : DETECTION AND CHOICE OF THE DEVICE + + # Create a temporary file + TMPFILE=$(mktemp) + + # Generate the list of devices + dmesg | tail -5 | grep -o "sd[0-9]" | sort | uniq > "$TMPFILE" + + # Check if the list is empty + if [ ! -s "$TMPFILE" ]; then + dialog --msgbox "No USB devices detected" 5 30 + rm -f "$TMPFILE" + DiskMngmtMenu + fi + + # Read the temporary file and construct the option for dialog + devices="" + while IFS= read -r line; do + devices="$devices $line \"$line\" off" + done < "$TMPFILE" + + # Use dialog to display the list of devices + device=$(eval "dialog --radiolist \"Choose the USB device to format\" 0 0 0 $devices 3>&1 1>&2 2>&3") + + # Clean up and remove the temporary file + rm -f "$TMPFILE" + + ################################################################################################################### + # STAGE 2 : CHECK IF THE DEVICE IS ASSOCIATED TO A GEOMETRY AND IF THIS GEOMETRY IS ALREADY MOUNTED ON THE SYSTEM + + # check if already mounted then format + if [ -n "$device" ]; then + + # check if the selected device is already associated with a geometry + seekdkX=$(dmesg | tail -10 | grep "${device}" | grep -o "dk[0-9]" | sort | uniq | wc -l | tr -d ' ') + + if [ "$seekdkX" -gt 0 ]; then + + # get geom name (dkX) + getgeom=$(dmesg | tail -10 | grep "${device}" | grep -o "dk[0-9]" | sort | uniq) + checkmounted=$(mount | grep -o "/dev/${getgeom}" | sort | uniq | wc -l | tr -d ' ') + + if [ "$checkmounted" -eq 1 ]; then + + dialog --msgbox "The device is mounted, please unmount it first" 5 50 + DiskMngmtMenu + + fi + + fi + + { + + ################### + # STAGE 3 : FORMAT + + # Destroy and Create a new GPT table + gpt destroy "$device" > /dev/null 2>&1 + gpt create -f "$device" > /dev/null 2>&1 + + echo 10 + + # Destroy and Create a new GPT table again + gpt destroy "$device" > /dev/null 2>&1 + gpt create -f "$device" > /dev/null 2>&1 + + echo 20 + + # Create a partition of type FFS + gpt add -t ffs "$device" > /dev/null 2>&1 + + echo 30 + + # Retrieve the created geometry: + geom=$(dmesg | tail -5 | grep "${device}" | grep -o "dk[0-9]" | sort | uniq | tr -d ' ') + + # Create the filesystem: + newfs -O2 "$geom" > /dev/null 2>&1 + + echo 100 + + } | dialog --gauge "Formatting in progress..." 6 30 + + ############################################## + # STAGE 4 : MOUNT THE NEWLY CREATED GEOMETRY + + geom=$(dmesg | tail -5 | grep "${device}" | grep -o "dk[0-9]" | sort | uniq | tr -d ' ') + + dialog --yesno "Do you want to mount the USB device to /media/$geom?" 5 56 + mount_ornot=$? + + if [ "$mount_ornot" -eq 0 ]; then + + # Création du point de montage + mkdir -p /media/"$geom" > /dev/null 2>&1 + + # Montage + mount /dev/"$geom" /media/"$geom" > /dev/null 2>&1 + + dialog --yesno "Don't you want to give Read/Write permissions to a user on /media/$geom?" 6 60 + rw_ornot=$? + if [ "$rw_ornot" -eq 0 ]; then + + user=$(dialog --title "Read/Write Permissions" --inputbox "Please enter the username" 8 40 2>&1 1>/dev/tty) + /sbin/chown -R "$user" /media/"$geom" + chmod -R /media/"$geom" + + else + + dialog --msgbox "Don't forget about permissions on /media/$geom" 5 51 + + fi + + fi + + DiskMngmtMenu + + fi + +} + +# checked + +mountUSB () { + + dialog --msgbox "If you have just inserted the USB device, then you can continue. Otherwise, please unplug it, wait a few seconds, then plug it back in, wait a few seconds, and then continue" 7 70 + + count=$(dmesg | tail -5 | grep -o ntfs | wc -l | tr -d " ") + + if [ "$count" -gt 0 ]; then + + device=$(dmesg | tail -5 | grep "ntfs" | grep -o "dk[0-9]" | sort | uniq) + checkmounted=$(mount | grep -o "/dev/$device" | sort | uniq | wc -l | tr -d ' ') + + if [ "$checkmounted" -eq 1 ]; then + dialog --msgbox "Device already mounted on /dev/$dkX" 5 41 + else + if [ -n "$device" ]; then + # if NTFS + env PERFUSE_BUFSIZE=135168 ntfs-3g /dev/"$device" /media/"$device" + # if ExFAT : + env PERFUSE_BUFSIZE=135168 /usr/pkg/sbin/mount.exfat /dev/"$device" /media/"$device" + + else + dialog --msgbox "No NTFS-associated device dkX found." 5 40 + fi + fi + + else + dkX=$(dmesg | tail -10 | grep -o "dk[0-9]") + checkdkX=$(dmesg | tail -10 | grep -o "dk[0-9]" | sort | uniq | wc -l | tr -d ' ') + + if [ "$checkdkX" -eq 0 ]; then + + dialog --msgbox "Device not detected" 5 23 + DiskMngmtMenu + + fi + + checkmounted=$(mount | grep -o "/dev/$dkX" | sort | uniq | wc -l | tr -d ' ') + if [ "$checkmounted" -eq 1 ]; then + dialog --msgbox "Device already mounted on /dev/$dkX" 5 41 + DiskMngmtMenu + else + mount /dev/"$dkX" /media/"$dkX" + + fi + fi + + dialog --yesno "Don't you want to give Read/Write permissions to a user on /media/$device?" 6 60 + rw_ornot=$? + if [ "$rw_ornot" -eq 0 ]; then + + user=$(dialog --title "Read/Write Permissions" --inputbox "Please enter the username" 8 40 2>&1 1>/dev/tty) + /sbin/chown -R "$user" /media/"$dkX" + chmod -R /media/"$dkX" + + else + + dialog --msgbox "Don't forget about permissions on /media/$dkX" 5 51 + + fi + + DiskMngmtMenu +} + +# checked + + +umountUSB () { + # Create a temporary file + TMPFILE=$(mktemp) + + # Generate the list of devices + mount | grep media | grep -o "dk[0-9]" | sort | uniq > "$TMPFILE" + + # Check if the list is empty + if [ ! -s "$TMPFILE" ]; then + dialog --msgbox "No mounted USB devices detected" 5 35 + rm -f "$TMPFILE" + DiskMngmtMenu + return + fi + + # Read the temporary file and construct the option for dialog + devices="" + while IFS= read -r line; do + devices="$devices $line \"$line\" off" + done < "$TMPFILE" + + # Use dialog to display the list of devices + device=$(eval "dialog --radiolist \"Choose the USB device to unmount\" 0 0 0 $devices 3>&1 1>&2 2>&3") + + # Clean up and remove the temporary file + rm -f "$TMPFILE" + + # Unmount the selected device + if [ -n "$device" ]; then + umount -f "/media/$device" || dialog --msgbox "Error unmounting /media/$device" 5 33 + fi + + # Return to disk management menu + DiskMngmtMenu + +} + +# checked + +BurnISOtoUSB () { + + dialog --msgbox "If you have just inserted the USB device, then you can continue. Otherwise, please unplug it, wait a few seconds, then plug it back in, wait a few seconds, and then continue" 7 70 + + # Verifications + seekdkX=$(dmesg | tail -10 | grep "sd[0-9]" | grep -o "dk[0-9]" | sort | uniq) + + for each in $seekdkX; do + + checkmounted=$(mount | grep -o "/dev/$each" | sort | uniq | wc -l | tr -d ' ') + + if [ "$checkmounted" -eq 1 ]; then + + dialog --msgbox "The device is mounted, please unmount it first" 5 50 + DiskMngmtMenu + + fi + done + + + # Create a temporary file + TMPFILE=$(mktemp) + + # Generate the list of devices + sysctl hw.disknames | grep -o "sd[0-9]" | sort | uniq > "$TMPFILE" + + # Check if the list is empty + if [ ! -s "$TMPFILE" ]; then + dialog --msgbox "No USB devices detected" 5 32 + rm -f "$TMPFILE" + DiskMngmtMenu + fi + + # Read the temporary file and construct the option for dialog + devices="" + while IFS= read -r line; do + devices="$devices $line \"$line\" off" + done < "$TMPFILE" + + # Use dialog to display the list of devices + device=$(eval "dialog --radiolist \"Choose the USB device to burn ISO\" 0 0 0 $devices 3>&1 1>&2 2>&3") + + # Clean up and remove the temporary file + rm -f "$TMPFILE" + + # Burn the .iso image + if [ -n "$device" ]; then + + isoFile=$(dialog --title "ISO file" --inputbox "Please enter the absolute path of your .iso file" 9 54 2>&1 1>/dev/tty) + { + dd if="$isoFile" of=/dev/"$device" bs=8m msgfmt=human + + } | dialog --gauge "Writing in progress..." 6 26 + fi + + # Return to disk management menu + DiskMngmtMenu + +} + +# checked + +BurnISOtoCD () { + + checkInternetConnection + + { + + pkgin -y in cdrtools > /dev/null 2>&1 + + echo 100 + + } | dialog --gauge "Checking for necessary software..." 6 39 + + + # Create a temporary file + TMPFILE=$(mktemp) + + # Generate the list of devices + # grep -v "*" is not a glob ! It's necessary to keep only the bus actually connected + cdrecord --scanbus | grep "[0-9],[0-9],[0-9]" | sed "/\*/d" | grep -o "[0-9],[0-9],[0-9]" | sort | uniq > "$TMPFILE" + + # Check if the list is empty + if [ ! -s "$TMPFILE" ]; then + dialog --msgbox "No burner detected..." 5 32 + rm -f "$TMPFILE" + DiskMngmtMenu + fi + + # Read the temporary file and construct the option for dialog + devices="" + while IFS= read -r line; do + devices="$devices $line \"$line\" off" + done < "$TMPFILE" + + # Use dialog to display the list of devices + device=$(eval "dialog --radiolist \"Choose the burner\" 0 0 0 $devices 3>&1 1>&2 2>&3") + + # Clean up and remove the temporary file + rm -f "$TMPFILE" + + # Burn the .iso image + if [ -n "$device" ]; then + + isoFile=$(dialog --title "ISO file" --inputbox "Please enter the absolute path of your .iso file" 9 54 2>&1 1>/dev/tty) + + if [ ! -e "${isoFile}" ]; then + + dialog --msgbox "File does not exist" 5 23 + DiskMngmtMenu + + fi + { + cdrecord dev="${device}" -v "${isoFile}" > /dev/null 2>&1 + + echo 100 + + } | dialog --gauge "Writing in progress..." 6 26 + + TMPFILE=$(mktemp) + + dialog --yesno "Do you want to verify if the burning was done correctly?" 5 61 + burn_ok=$? + + if [ "$burn_ok" -eq 0 ]; then + + readcd dev="${device}" f=/tmp/diskburnedTMP.iso > /dev/null 2>&1 + sleep 1 + check=$(cmp "${isoFile}" /tmp/diskburnedTMP.iso | sort | uniq | wc -l | tr -d ' ') + + + if [ "$check" -eq 0 ]; then + + dialog --msgbox "The burning process was successful" 5 38 + rm /tmp/diskburnedTMP.iso + + fi + + fi + + + fi + + # Return to disk management menu + DiskMngmtMenu + +} + +# checked + +SecurelyErase () { + + dialog --msgbox "If you have just inserted the USB device, then you can continue. Otherwise, please unplug it, wait a few seconds, then plug it back in, wait a few seconds, and then continue" 7 70 + + # Verifications + seekdkX=$(dmesg | tail -10 | grep "sd[0-9]" | grep -o "dk[0-9]" | sort | uniq) + + for each in $seekdkX; do + + checkmounted=$(mount | grep -o "/dev/$each" | sort | uniq | wc -l | tr -d ' ') + + if [ "$checkmounted" -eq 1 ]; then + + dialog --msgbox "The device is mounted, please unmount it first" 5 50 + DiskMngmtMenu + + fi + done + + + # Create a temporary file + TMPFILE=$(mktemp) + + # Generate the list of devices + sysctl hw.disknames | grep -o "sd[0-9]" | sort | uniq > "$TMPFILE" + + # Check if the list is empty + if [ ! -s "$TMPFILE" ]; then + dialog --msgbox "No USB devices detected" 5 32 + rm -f "$TMPFILE" + DiskMngmtMenu + fi + + # Read the temporary file and construct the option for dialog + devices="" + while IFS= read -r line; do + devices="$devices $line \"$line\" off" + done < "$TMPFILE" + + # Use dialog to display the list of devices + device=$(eval "dialog --radiolist \"Choose the USB device to burn ISO\" 0 0 0 $devices 3>&1 1>&2 2>&3") + + # Clean up and remove the temporary file + rm -f "$TMPFILE" + + # Erase the device + if [ -n "$device" ]; then + { + dd if=/dev/zero of=/dev/"$device" bs=8m msgfmt=human + + echo 100 + + } | dialog --gauge "Erasing in progress..." 6 26 + fi + + # Return to disk management menu + DiskMngmtMenu + +} + +# checked + +RestartDHCP () { + + service dhcpcd restart > /dev/null 2>&1 + + NetworkMenu + +} + +# checked + +SwitchToWifi () { + + + # Create a temporary file + TMPFILE=$(mktemp) + + # Get NICs + netstat -i | cut -d' ' -f1 | grep -v "Name" | grep -v "lo0" | grep -v "npflo" | tr -d '*' | sort | uniq > "$TMPFILE" + + # Check if the list is empty + if [ ! -s "$TMPFILE" ]; then + dialog --msgbox "No NIC detected" 5 30 + rm -f "$TMPFILE" + NetworkMenu + fi + + # Read the temporary file and construct the option for dialog + devices="" + while IFS= read -r line; do + devices="$devices $line \"$line\" off" + done < "$TMPFILE" + + # Use dialog to display the list of devices + device=$(eval "dialog --radiolist \"Choose the Wifi NIC please\" 0 0 0 $devices 3>&1 1>&2 2>&3") + + # Clean up and remove the temporary file + rm -f "$TMPFILE" + + # choice of the user : + #echo $device + + + { + # Enabling dhcpcd at startup + check=$(grep -o 'dhcpcd=' < /etc/rc.conf | sort | uniq | wc -l | tr -d ' ') + if [ "$check" -eq 1 ]; then + sed -i 's/dhcpcd=NO/dhcpcd=YES/' /etc/rc.conf + sed -i 's/#dhcpcd=YES/dhcpcd=YES/' /etc/rc.conf + sed -i 's/#dhcpcd=NO/dhcpcd=YES/' /etc/rc.conf + else + echo dhcpcd=YES >> /etc/rc.conf + fi + + echo 16 + + # Setting up wifi NIC flags for dhcpcd + FILE="/etc/rc.conf" + + # Check if the dhcpcd_flags entry exists and contains "-qM wm0" but not "${device}" + if grep -q "^dhcpcd_flags=.*-qM wm0" "$FILE" && ! grep -q "^dhcpcd_flags=.*${device}" "$FILE"; then + # Use sed to add wifi NIC after "-qM wm0" + sed -i'' -e "/^dhcpcd_flags=.*-qM wm0/s/-qM wm0/& ${device}/" "$FILE" + fi + + # Restart dhcpcd + service dhcpcd restart > /dev/null 2>&1 + + echo 32 + + # Change the WAN interface in the firewall rules file + FILE="/etc/npf.conf" + + # Replace "wm0" with the wifi NIC in specific lines + if [ -f "$FILE" ]; then + sed -i'' -e "/^\$WAN_if = \"wm0\"/s/wm0/${device}/" -e "/^\$WAN_addrs = ifaddrs(wm0)/s/wm0/${device}/" "$FILE" + # Restart the firewall + service npf restart > /dev/null 2>&1 + fi + + + echo 48 + + + # Activation of wifi NIC at startup + check=$(grep -o "ifconfig_${device}=" < /etc/rc.conf | sort | uniq | wc -l | tr -d ' ') + if [ "$check" -eq 1 ]; then + sed -i "s/ifconfig_${device}=\"down\"/ifconfig_${device}=\"up\"/" /etc/rc.conf + sed -i "s/#ifconfig_${device}=\"up\"/ifconfig_${device}=\"up\"/" /etc/rc.conf + sed -i "s/#ifconfig_${device}=\"down\"/ifconfig_${device}=\"up\"/" /etc/rc.conf + else + echo "ifconfig_${device}=\"up\"" >> /etc/rc.conf + fi + + # Starting the wifi NIC interface + ifconfig "${device}" up > /dev/null 2>&1 + sleep 3 + + echo 64 + + # Activation of wpa_supplicant at startup + check=$(grep -o 'wpa_supplicant=' < /etc/rc.conf | sort | uniq | wc -l | tr -d ' ') + if [ "$check" -eq 1 ]; then + sed -i 's/wpa_supplicant=NO/wpa_supplicant=YES/' /etc/rc.conf + sed -i 's/#wpa_supplicant=YES/wpa_supplicant=YES/' /etc/rc.conf + sed -i 's/#wpa_supplicant=NO/wpa_supplicant=YES/' /etc/rc.conf + else + echo "wpa_supplicant=YES" >> /etc/rc.conf + fi + + echo 80 + + # Starting wpa_supplicant + service wpa_supplicant restart > /dev/null 2>&1 + sleep 3 + + + echo 100 + + + } | dialog --gauge "Enabling Wifi..." 6 21 0 + + dialog --msgbox "Wifi Enabled" 5 16 + + NetworkMenu +} + + +ConnectWifi () { + + check=$(service wpa_supplicant status| grep -o 'wpa_supplicant is running' | sort | uniq | wc -l | tr -d ' ') + if [ "$check" -eq 0 ]; then + + dialog --yesno "WPA supplicant is not running\n\nWould you like to go to 'Switch from Ethernet to Wifi' function (Yes)\nor\nJust activate WPA temporary and do what you want? (No)" 10 70 + switch_ornot=$? + + if [ $switch_ornot -eq 0 ]; then + + SwitchToWifi + + else + + service wpa_supplicant onestart > /dev/null 2>&1 + + fi + + + fi + + + { + # Network scan + wpa_cli scan + sleep 3 + echo 20 + sleep 3 + echo 40 + sleep 3 + echo 60 + sleep 2 + echo 80 + + + wpa_cli scan_results > /tmp/EvnpinvAvpininZ8.tmp + sed '1,2d' < /tmp/EvnpinvAvpininZ8.tmp | sed 's/.\{26\}//' | sed 's/.*]//' | sed '/^[[:space:]]*$/d' | sed 's/^[[:space:]]//' > /tmp/Ev2npinvAvpininZ8.tmp + + sleep 1 + + echo 100 + + } | dialog --gauge "Scan in progress..." 6 24 0 + + # Nom du fichier contenant les SSID + SSID_FILE="/tmp/Ev2npinvAvpininZ8.tmp" + + # Build the options array for the dialog box + DIALOG_OPTS="" + while read -r ssid; do + DIALOG_OPTS="$DIALOG_OPTS ${ssid} ''" + done < "$SSID_FILE" + + # Display the dialog box to choose the WiFi network + chosen_ssid=$(dialog --backtitle "Detected WiFi Networks" --title "List" --menu "Choose a WiFi network:" 0 0 0 "$DIALOG_OPTS" 3>&1 1>&2 2>&3) + + ssid=$(grep "$chosen_ssid" < /tmp/EvnpinvAvpininZ8.tmp) + + # Check the security type + check=$(echo "$ssid" | grep -o "PSK" | wc -l | tr -d ' ') + + if [ "$check" -gt 0 ]; then + + password=$(dialog --title 'Enter Password' --inputbox "Please enter the password" 8 35 2>&1 1>/dev/tty) + + { + echo " " + echo "network={" + echo " ssid=\"$chosen_ssid\"" + echo " psk=\"$password\"" + echo " proto=RSN" + echo " key_mgmt=WPA-PSK" + echo " pairwise=CCMP" + echo "}" + } >> /etc/wpa_supplicant.conf + fi + + # Reload wpa_supplicant + service wpa_supplicant reload > /dev/null 2>&1 + + # Restart the dhcpd service + service dhcpcd restart > /dev/null 2>&1 + + # Remove configuration files: + rm /tmp/EvnpinvAvpininZ8.tmp + rm /tmp/Ev2npinvAvpininZ8.tmp + + + + NetworkMenu +} + +# checked + +SwitchToEthernet () { + + # Create a temporary file + TMPFILE=$(mktemp) + + # Get NICs + netstat -i | cut -d' ' -f1 | grep -v "Name" | grep -v "lo0" | grep -v "npflo" | tr -d '*' | sort | uniq > "$TMPFILE" + + # Check if the list is empty + if [ ! -s "$TMPFILE" ]; then + dialog --msgbox "No NIC detected" 5 30 + rm -f "$TMPFILE" + NetworkMenu + fi + + # Read the temporary file and construct the option for dialog + devices="" + while IFS= read -r line; do + devices="$devices $line \"$line\" off" + done < "$TMPFILE" + + # Use dialog to display the list of devices + device=$(eval "dialog --radiolist \"Choose the Ethernet NIC please\" 0 0 0 $devices 3>&1 1>&2 2>&3") + + # Clean up and remove the temporary file + rm -f "$TMPFILE" + + # choice of the user : + #echo $device + + + # Create a temporary file + TMPFILE=$(mktemp) + + # Get NICs + netstat -i | cut -d' ' -f1 | grep -v "Name" | grep -v "lo0" | grep -v "npflo" | tr -d '*' | sort | uniq > "$TMPFILE" + + # Check if the list is empty + if [ ! -s "$TMPFILE" ]; then + dialog --msgbox "No NIC detected" 5 30 + rm -f "$TMPFILE" + NetworkMenu + fi + + # Read the temporary file and construct the option for dialog + devices="" + while IFS= read -r line; do + devices="$devices $line \"$line\" off" + done < "$TMPFILE" + + # Use dialog to display the list of devices + wifiNIC=$(eval "dialog --radiolist \"Choose the Wifi NIC please\" 0 0 0 $devices 3>&1 1>&2 2>&3") + + # Clean up and remove the temporary file + rm -f "$TMPFILE" + + + { + + # Stop the wpa_supplicant service: + service wpa_supplicant stop > /dev/null 2>&1 + sleep 2 + # Disable wpa_supplicant at startup + check=$(grep -o 'wpa_supplicant=' < /etc/rc.conf | sort | uniq | wc -l | tr -d ' ') + if [ "$check" -eq 1 ]; then + service wpa_supplicant stop > /dev/null 2>&1 + sed -i '/wpa_supplicant=YES/d' /etc/rc.conf + fi + + echo 25 + + # Turn off the wifi card: + ifconfig "$wifiNIC" down > /dev/null 2>&1 + # Stop and Disable ${wifiNIC} at startup + check=$(grep -o "ifconfig_${wifiNIC}=" < /etc/rc.conf | sort | uniq | wc -l | tr -d ' ') + if [ "$check" -eq 1 ]; then + ifconfig "${wifiNIC}" down > /dev/null 2>&1 + sed -i "/ifconfig_${wifiNIC}=\"up\"/d" /etc/rc.conf + fi + sleep 2 + + echo 50 + + # Change the WAN interface in the firewall rules file: + FILE="/etc/npf.conf" + + # Replace "${wifiNIC}" with "${device}" in specific lines + if [ -f "$FILE" ]; then + sed -i'' -e "/^\$WAN_if = \"${wifiNIC}\"/s/${wifiNIC}/${device}/" -e "/^\$WAN_addrs = ifaddrs(${wifiNIC})/s/${wifiNIC}/${device}/" "$FILE" + # Restart the firewall + service npf restart > /dev/null 2>&1 + fi + + echo 75 + + # Remove the wifi card flags from dhcpcd_flags + FILE="/etc/rc.conf" + + # Check if the dhcpcd_flags entry exists and contains "${wifiNIC}" + if grep -q "^dhcpcd_flags=.*${wifiNIC}" "$FILE"; then + # Use sed to remove "${wifiNIC}" from dhcpcd_flags + sed -i'' -e "/^dhcpcd_flags=/s/ ${wifiNIC}//" "$FILE" + fi + + # Restart dhcpcd + service dhcpcd restart > /dev/null 2>&1 + + echo 100 + + + } | dialog --gauge "Disabling Wifi..." 6 22 0 + + + dialog --msgbox "Wifi Disabled" 5 18 + + NetworkMenu +} + +# checked + + +getentPasswd () { + # Display the contents of the /etc/passwd file in a dialog screen + dialog --backtitle "Contents of the /etc/passwd file" --title "Users" --textbox /etc/passwd 0 0 + + # Call UsersRightsMenu after dialog closes + UsersRightsMenu +} + +# checked + + +CreateUser () { + # Dialog to get the username + user=$(dialog --title ' Create a User' --inputbox "Please enter the username" 8 43 2>&1 1>/dev/tty) + + # Verification: + countus=$(getent passwd "$user" | cut -d: -f1) + case $countus in + "$user") + dialog --backtitle "User Exists!" \ + --title ' Result' \ + --msgbox "The user exists" 5 24 + UsersRightsMenu + ;; + esac + + # Dialog to ask if a home directory should be created + dialog --yesno "Do you want to create a home directory for the user" 5 56 + create_home=$? + + if [ "$create_home" -eq 0 ]; then + dialog --yesno "/home/$user ?" 5 50 + homestandard=$? + + if [ "$homestandard" -eq 1 ]; then + perso=$(dialog --title "Custom Location" --inputbox "Please enter the absolute path of the desired base directory. (example: /export/home/$user)" 9 70 2>&1 1>/dev/tty) + mkdir -p "${perso}" + useradd_options="-md ${perso}" + + fi + + if [ "$homestandard" -eq 0 ]; then + + useradd_options="-md /home/$user" + + fi + fi + + + # Dialog to ask if the user should be allowed to log in + dialog --yesno "Do you want to allow login on this system" 5 46 + login_shell=$? + + # Dialog to ask for the maximum password validity period + password_expire=$(dialog --title "Password Expiration" --inputbox "Please enter the maximum password validity period (in days)" 9 64 2>&1 1>/dev/tty) + + # Dialog to ask for the groups the user should be added to + groups=$(dialog --title "User Groups" --inputbox "Please enter the groups separated by commas to which the user should be added" 9 70 2>&1 1>/dev/tty) + pass=$(dialog --title "Password" --inputbox "Please enter a password" 8 30 2>&1 1>/dev/tty) + + dialog --yesno "Do you want to allow the user to change password on first login?" 6 68 + changeAtlogon=$? + + # Creating the options string: + + if [ "$login_shell" -eq 1 ]; then + useradd_options="${useradd_options} -s /sbin/nologin" # Disable login if not allowed + fi + if [ "$password_expire" ]; then + useradd_options="${useradd_options} -f $password_expire" # Maximum password validity period + fi + + # Adding the user to the specified groups + count=$(echo "$groups" | grep -o ',' | wc -c | tr -d ' ') + + if [ "$count" -eq 0 ]; then + useradd_options="${useradd_options} -G $groups" + fi + + i=1 + while [ $i -le "$count" ]; do + + grouptoadd=$(echo "$groups" | cut -d',' -f$i) + useradd_options="${useradd_options} -G $grouptoadd" + i=$((i+1)) + + done + + if [ "$pass" ]; then + useradd_options="${useradd_options} -p ${pass}" + fi + + if [ "$changeAtlogon" -eq 0 ]; then + useradd_options="${useradd_options} -F" + fi + + + # Creating the user with the chosen options + useradd "$useradd_options" "$user" + passwd "${user}" + + dialog --backtitle "User Created!" \ + --title ' Result' \ + --msgbox "The user has been successfully created" 5 42 + + UsersRightsMenu + +} + +# checked + +DeleteUser () { + # Get the list of system users excluding specified users + users=$(getent passwd | cut -d: -f1 | grep -Ev 'root|toor|daemon|operator|wheel|bin|games|postfix|named|ntpd|sshd|_pflogd|_proxy|_timedc|_sdpd|_httpd|_mdnsd|_rwhod|_tests|_tcpdump|_tss|_rtadvd|_unbound|_nsd|_dhcpcd|uucp|nobody|dbus|polkitd') + + # Check if the list of users is empty + if [ -z "$users" ]; then + dialog --backtitle "Remove a User" \ + --title "No Users Available" \ + --msgbox "No users to remove." 8 50 + return + fi + + # Initialize an empty string to store dialog options + dialog_options="" + + # Loop through the list of users + for user in $users; do + # Get the user's ID + uid=$(id -u "$user") + + # Check if the user's ID was successfully retrieved + if [ -z "$uid" ]; then + echo "Error: Unable to find user ID for $user" + continue + fi + + # Build each option and add it to the dialog options string + dialog_options="$dialog_options $user $uid off" + done + + + + # Display the checkbox dialog to select users for deletion + selected_users=$(dialog --backtitle "Remove a User" \ + --title "Choose whom to remove" \ + --checklist "Use space bar. Choose only one user if you want to archive the home folder. To remove all, select as many users as necessary:" \ + 20 60 10 \ + "$dialog_options" \ + 2>&1 >/dev/tty) + + # Check if users have been selected + if [ -n "$selected_users" ]; then + # Ask if the home directory should also be removed + dialog --yesno "Do you also want to remove the home directory of the selected user?" 6 65 + remove_home=$? + + # Remove the selected users + for user in $selected_users; do + if [ $remove_home -eq 0 ]; then + # Remove the user and their home directory + userdel -r "$user" + else + dialog --yesno "Do you want to archive the home directory of the selected user?" 6 65 + compress_home=$? + + if [ $compress_home -eq 0 ]; then + # Get the user's home directory + user_home=$(getent passwd "$user" | cut -d: -f6) + + # Check if the directory exists + if [ -d "$user_home" ]; then + # Archive and compress the directory + tar cf - "$user_home" | xz > "${user_home}.tar.xz" + userdel -r "$user" + else + dialog --backtitle "Directory Not Found!" \ + --title 'Directory Not Found' \ + --msgbox "The home directory does not exist." 5 38 + fi + else + userdel "$user" + fi + fi + done + fi + + + + dialog --backtitle "User(s) Removed!" \ + --title ' Result' \ + --msgbox "Deletion Successful" 5 23 + + + UsersRightsMenu +} + +# checked + +getentGroup () { + # Display the contents of the /etc/group file in a dialog box + dialog --backtitle "Contents of /etc/group file" --title "Groups" --textbox /etc/group 0 0 + + # Call UsersRightsMenu after dialog is closed + UsersRightsMenu +} + +# checked + + + +CreateGroup () { + + groupName=$(dialog --title " Add a Group" --inputbox "Please enter the group name" 8 34 2>&1 1>/dev/tty) + countus=$(getent group "$groupName" | cut -d: -f1) + case $countus in + "$groupName") + dialog --backtitle "Group Exists!" \ + --title " Result" \ + --msgbox "Group Exists" 5 17 + ;; + *) + groupadd "$groupName" 2>/dev/null + + countus2=$(getent group "$groupName" | cut -d: -f1) + case $countus2 in + "$groupName") + dialog --backtitle "Group Created" \ + --title " Result" \ + --msgbox "The group has been successfully created" 5 43 + ;; + *) + dialog --backtitle "Error" \ + --title " Result" \ + --msgbox "Error creating the group" 5 29 + esac + ;; + esac + + UsersRightsMenu + +} + + +CheckGroupExists () { + + groupName=$(dialog --title " Check Group Existence" --inputbox "Please enter the group name" 8 37 2>&1 1>/dev/tty) + countus=$(getent group "$groupName" | cut -d: -f1) + case $countus in + "$groupName") + dialog --backtitle "Group Exists!" \ + --title " Result" \ + --msgbox "Group Exists" 5 17 + ;; + *) + dialog --backtitle "Group Not Found!" \ + --title " Result" \ + --msgbox "Group Not Found" 5 20 + + ;; + esac + + UsersRightsMenu + +} + +# checked + + +DeleteGroup () { + + groupName=$(dialog --title " Delete a group" --inputbox "Please enter the group name" 8 37 2>&1 1>/dev/tty) + countus=$(getent group "$groupName" | cut -d: -f1) + case $countus in + "$groupName") + + groupdel "$groupName" 2>/dev/null + + countus=$(getent group "$groupName" | cut -d: -f1) + case $countus in + "$groupName") + dialog --backtitle "Error!" \ + --title " Result" \ + --msgbox "Group not deleted" 5 21 + ;; + *) + dialog --backtitle "Group Deleted!" \ + --title " Result" \ + --msgbox "Group Deleted" 5 17 + ;; + esac + + + ;; + *) + dialog --backtitle "Group Not Found!" \ + --title " Result" \ + --msgbox "Group Not Found" 5 19 + + ;; + esac + + UsersRightsMenu + +} + + +AddToGroup () { + + # Dialogue to get the username + user=$(dialog --title "Check User Existence" --inputbox "Please enter the username" 8 30 2>&1 1>/dev/tty) + countus=$(getent passwd "$user" | cut -d: -f1) + + case $countus in + "$user") + group=$(dialog --title "Check Group Existence" --inputbox "Please enter the group name" 8 32 2>&1 1>/dev/tty) + countus2=$(getent group "$group" | cut -d: -f1) + + case $countus2 in + "$group") + usermod -G "$group" "$user" + countus3=$(groups "$user" | grep -o "$group") + + case $countus3 in + "$group") + dialog --backtitle "User Added" \ + --title ' Result' \ + --msgbox "User added" 5 15 + ;; + *) + dialog --backtitle "Error" \ + --title ' Result' \ + --msgbox "User not added" 5 19 + + UsersRightMenu + ;; + esac + + ;; + *) + dialog --backtitle "Group Not Found!" \ + --title ' Result' \ + --msgbox "The group does not exist" 5 29 + + UsersRightsMenu + ;; + esac + + ;; + *) + dialog --backtitle "User Not Found!" \ + --title ' Result' \ + --msgbox "The user does not exist" 5 28 + + UsersRightsMenu + ;; + esac + + UsersRightsMenu +} + +# checked + + +LeaveGroup () { + + dialog --backtitle "Modify /etc/group" \ + --title ' Modify /etc/group' \ + --msgbox "The /etc/group file will open. Please locate the line starting with the group name, then remove your username and any extra comma, then exit (ctrl+x) and save (Y) in /etc/group" 7 70 + pico /etc/group + + UsersRightsMenu + +} + +# checked + + +ovpnVPN () { + checkInternetConnection + + openVPNinstallation () { + clear + echo "--------------------------------------------------" + echo "Installation in progress, please wait ..." + echo " " + + pkgin -y in wget + pkgin -y in curl + pkgin -y in openvpn + pkgin -y in unzip + + clear + echo "--------------------------------------------------" + echo "Do you want to require the server to connect to the VPN upon startup? [y]," + echo "Or do you prefer to decide when to connect it yourself? [n]" + read -r ansou + case $ansou in + y|Y) + echo openvpn=YES + ;; + n|N) + + ;; + esac + + } + + startovpnconnection () { + + clear + echo "--------------------------------------------------" + echo "Connection is starting, please wait..." + openvpn --config /usr/pkg/etc/openvpn/ovpn.conf --daemon + sleep 10 + echo " " + echo "--------------------------------------------------" + echo "Do you want to check if the connection was successful ? [y/n]" + read -r ansverif + case $ansverif in + y|Y) + echo " " + echo "--------------------------------------------------" + echo "if success:true happens, you're connected:" + echo " " + curl https://www.ovpn.com/v2/api/client/ptr + sleep 5 + return + ;; + n|N) + + ;; + esac + + } + + addOVPNcredentials () { + echo "" + echo "--------------------------------------------------" + echo "Please enter your OVPN login:" + read -r nameu + echo "$nameu" >> /usr/pkg/etc/openvpn/credentials + echo "" + echo "--------------------------------------------------" + echo "Please enter your OVPN password:" + read -r mtpu + echo "$mtpu" >> /usr/pkg/etc/openvpn/credentials + + } + + OVPNconfiguration () { + # All the OVPN servers around the world + places="at-vienna at-vienna-tcp au-sydney au-sidney-tcp ca-toronto ca-toronto-tcp dk-copenhagen dk-copenhagen-tcp fi-helsinki fi-helsinki-tcp fr-paris fr-paris-tcp de-erfurt de-erfurt-tcp de-frankfurt de-frankfurt-tcp de-offenbach de-offenbach-tcp it-milan it-milan-tcp jp-tokyo jp-tokyo-tcp nl-amsterdam nl-amsterdam-tcp no-oslo no-oslo-tcp pl-warsaw pl-warsaw-tcp ro-bucharest ro-bucharest-tcp sg-singapore sg-singapore-tcp es-madrid es-madrid-tcp se-gothenburg se-gothenburg-tcp se-malmo se-malmo-tcp se-stockholm se-stockholm-tcp se-sundsvall se-sundsvall-tcp ch-zurich ch-zurich-tcp gb-london gb-london-tcp us-atlanta us-atlanta-tcp us-chicago us-chicago-tcp us-dallas us-dallas-tcp us-denver us-denver-tcp us-losangeles us-losangeles-tcp us-miami us-miami-tcp us-newyork us-newyork-tcp us-seattle us-seattle-tcp ua-kyiv ua-kyiv-tcp" + + clear + echo "---------------------------------------" + echo "# Here is the list of available places" + echo "# (tcp not written = udp)" + echo "" + + i=1 + for place in $places; do + echo "$i - $place" + i=$((i + 1)) + done + + echo "" + echo "Please choose a place by its number:" + read -r choice + + i=1 + for place in $places; do + if [ "$i" -eq "$choice" ]; then + + # Download file configuration from ovpn and install it + wget https://files.ovpn.com/freebsd/ovpn-"${place}".zip -P /tmp + #cd /tmp ; unzip ovpn-"${place}".zip + unzip /tmp/ovpn-"${place}".zip -d /tmp/ + rm -r /usr/pkg/etc/openvpn + mkdir -p /usr/pkg/etc/openvpn + touch /usr/pkg/etc/openvpn/update-resolv-conf + mv /tmp/config/* /usr/pkg/etc/openvpn/ + chmod +x /usr/pkg/etc/openvpn/update-resolv-conf + rm -rf /tmp/config + rm -f /tmp/ovpn-"${place}".zip + + # Adapt file configuration to NetBSD + sed -i'' "s/\/usr\/local/\/usr\/pkg/" /usr/pkg/etc/openvpn/ovpn.conf + sleep 1 + sed -i "/^log/d" /usr/pkg/etc/openvpn/ovpn.conf + sleep 1 + echo "" >> /usr/pkg/etc/openvpn/ovpn.conf + echo "log /var/log/openvpn.log" >> /usr/pkg/etc/openvpn/ovpn.conf + + # Add OVPN credentials + addOVPNcredentials + + # Start OVPN or not + clear + echo "--------------------------------------------------" + echo "Do you want to connect to OVPN now ? [y/n]" + read -r answno + case $answno in + y|Y) + startovpnconnection + ;; + n|N) + ;; + esac + + fi + i=$((i + 1)) + done + } + + + i=0 + while [ $i -lt 5 ]; do + clear + echo "--------------------------------------------------" + echo "What do you want to do ?" + echo "" + echo " - connect to the VPN [c]," + echo " - disconnect from the VPN [d]," + echo " - proceed with the configuration? [p]" + echo "" + echo "--------------------------------------------------" + echo "Please enter the letter:" + read -r cinst + case $cinst in + c|C) + startovpnconnection + i=$((i+6)) + ;; + d|D) + pkill openvpn + i=$((i+6)) + ;; + p|P) + openVPNinstallation + OVPNconfiguration + i=$((i+6)) + ;; + *) + echo "--------------------------------------------------" + echo "I didn't understand your choice." + echo "Please enter only c/d/p" + sleep 3 + i=$((i+1)) + ;; + esac + done + + MainMenu +} + + +installClamAV () { + + checkInternetConnection + + { + + pkgin -y in clamav clamav-doc + pkgin -y in rsync + cp /usr/pkg/share/examples/rc.d/* /etc/rc.d/ + + check=$(grep -o "freshclamd=YES" < /etc/rc.conf | wc -l | tr -d ' ' ) + if [ "$check" -eq 0 ]; then + echo freshclamd=YES >> /etc/rc.conf + fi + + service freshclamd start > /dev/null 2>&1 + + mkdir -p /var/db/clamav/quarantine > /dev/null 2>&1 + chown clamav:clamav /var/db/clamav/quarantine > /dev/null 2>&1 + + + ############ + # Optimize threat detection configuration: + + # Remove settings from previous installation: + FILE="/usr/pkg/etc/clamd.conf" + PATTERN="# OPTIMIZED CONFIGURATION" + + # Check if file and string exist + if [ -f "$FILE" ] && grep -q "$PATTERN" "$FILE"; then + # Remove all lines from the string onwards + sed -i'' "/$PATTERN/,\$d" "$FILE" + fi + { + echo " " + echo "# OPTIMIZED CONFIGURATION" + echo "DetectPUA yes" + echo "ExcludePUA PUA.Win.Packer" + echo "ExcludePUA PUA.Win.Trojan.Packed" + echo "ExcludePUA PUA.Win.Packer.Upx" + echo "ExcludePUA PUA.Doc.Packed" + echo "MaxScanTime 120000" + echo "MaxScanSize 20480M" + echo "MaxRecursion 30" + echo "MaxFiles 15000" + echo "MaxEmbeddedPE 2048M" + echo "MaxHTMLNormalize 2048M" + echo "MaxHTMLNoTags 2048M" + echo "MaxScriptNormalize 2048M" + echo "MaxZipTypeRcg 50M" + echo "PCREMaxFileSize 2048M" + } >> /usr/pkg/etc/clamd.conf + + } | dialog --gauge "Installation and optimization in progress..." 6 50 0 + + + dialog --yesno "Would you like to set up the security bases from securiteinfo.com? You must have a paid subscription. Please create a file /tmp/dbsecuriteinfo.tmp containing the blocks 'DatabaseCustomURL https://...' provided in your customer area on the securiteinfo.com website, or copy/paste them into the text file that will open during verification. You can rerun the ClamAV installation script later to add your URLs when you have them" 12 65 + create_securinfo=$? + + if [ $create_securinfo -eq 0 ]; then + + # Add the securiteinfo.com download URLs to freshclam + # Remove settings from a previous installation: + FILE="/usr/pkg/etc/freshclam.conf" + PATTERN="# SECURITEINFO.COM BASES" + + # Check if the file and string exist + if [ -f "$FILE" ] && grep -q "$PATTERN" "$FILE"; then + # Remove all lines from the string onwards + sed -i'' "/$PATTERN/,\$d" "$FILE" + fi + + dialog --msgbox "The text file will open, please make sure to place one 'DatabaseCustomUrl https://...' group per line.\nThen exit and save without changing the file location" 7 60 + pico /tmp/dbsecuriteinfo.tmp + { + echo "" + echo "# SECURITEINFO.COM BASES" + } >> /usr/pkg/etc/freshclam.conf + + cat /tmp/dbsecuriteinfo.tmp >> /usr/pkg/etc/freshclam.conf + + service freshclamd restart > /dev/null 2>&1 + freshclam > /dev/null 2>&1 + + fi + + dialog --yesno "Would you like to set up the security bases from SaneSecurity?" 5 67 + create_sanesecu=$? + + if [ $create_sanesecu -eq 0 ]; then + + # Direct download of the bases + if [ ! -e /usr/pkg/bin/rsync ]; then + pkgin -y in rsync + fi + + rsync rsync://rsync.sanesecurity.net/sanesecurity/* /var/clamav/ > /dev/null 2>&1 + + fi + + dialog --msgbox "Installation Completed" 5 27 + + + AntiVirusMenu + +} + +UpdateSaneSecurityClamAV () { + + checkInternetConnection + + { + nohup rsync rsync://rsync.sanesecurity.net/sanesecurity/* /var/clamav/ & + + echo 100 + + } | dialog --gauge "Update in progress..." 6 30 0 + + AntiVirusMenu + +} + +FullScanClamAV () { + + dialog --msgbox "Scanning / will begin..." 5 30 + dialog --msgbox "The log will be located in /var/db/clamav/scan.log" 6 32 + + nohup clamscan -r --log=/var/db/clamav/scan.log --move=/var/db/clamav/quarantine / & + + dialog --msgbox "Scan launched in the background" 5 35 + + AntiVirusMenu +} + +HomeScanClamAV () { + + dialog --msgbox "Scanning /home will begin..." 5 33 + dialog --msgbox "The log will be located in /var/db/clamav/scan.log" 6 32 + + nohup clamscan -r --log=/var/db/clamav/scan.log --move=/var/db/clamav/quarantine /home & + + dialog --msgbox "Scan launched in the background" 5 35 + + AntiVirusMenu +} + + +LogClamAV () { + + dialog --textbox /var/db/clamav/scan.log 0 0 + + AntiVirusMenu + +} + +ArchiveLogClamAV () { + + # Get the date and time in the desired format + DATE=$(date "+%d-%m-%Y") + TIME=$(date "+%H:%M:%S") + + # Path of the file to compress + FILE="/var/db/clamav/scan.log" + + # Check if the file to compress exists + if [ ! -f "$FILE" ]; then + dialog --msgbox "The file to compress does not exist" 5 40 + AntiVirusMenu + fi + + # Compressed file name + COMPRESSED_FILE_NAME="scan_${DATE}_${TIME}.xz" + + # Full path of the compressed file + COMPRESSED_FILE_PATH="/var/db/clamav/${COMPRESSED_FILE_NAME}" + + # Compress the file + xz "$FILE" -c > "$COMPRESSED_FILE_PATH" + + AntiVirusMenu +} + + +CleanLogClamAV () { + + dialog --yesno "Are you sure you want to delete the log?" 5 45 + confirm=$? + + if [ "$confirm" -eq 0 ]; then + rm /var/db/clamav/scan.log + touch /var/db/clamav/scan.log + fi + + AntiVirusMenu +} + +locateRebuild () { + + { + + /usr/libexec/locate.updatedb + + echo 100 + + } | dialog --gauge "Rebuilding index..." 6 40 0 + + dialog --msgbox "Rebuilding complete" 5 23 + + MainMenu +} + + +CheckUserExists () { + + # Dialogue to get the username + user=$(dialog --title "Check User Existence" --inputbox "Please enter the username" 8 30 2>&1 1>/dev/tty) + countus=$(getent passwd "$user" | cut -d: -f1) + + case $countus in + "$user") + userInfo=$(id "$user") + dialog --backtitle "User Exists!" \ + --title ' Result' \ + --msgbox "The user exists:\n\nInformation:\n$userInfo" 10 50 + ;; + *) + dialog --backtitle "User Not Found!" \ + --title ' Result' \ + --msgbox "The user does not exist" 5 28 + ;; + esac + + UsersRightsMenu + +} + +SFTPFS () { + + # Check if OpenSSH is installed or not + check=$(grep -o "sshd=YES" < /etc/rc.conf | wc -l | tr -d ' ') + if [ "$check" -eq 0 ]; then + + if [ ! -e /usr/sbin/sshd ]; then + + dialog --yesno "OpenSSH is not installed on your system, do you want to install it?" 6 44 + sshd_install=$? + + checkInternetConnection + + if [ "$sshd_install" -eq 0 ]; then + + pkgin -y in opensshd + # I don't remember if sshd goes automatically to /etc/rc.d/... in case : + cp /usr/pkg/share/examples/rc.d/sshd /etc/rc.d/sshd + + echo sshd=YES >> /etc/rc.conf + + fi + + else + + echo sshd=YES >> /etc/rc.conf + + fi + + fi + + # check if a previous SFTP file server is already configured + check22=$(grep -o "sftpexclusive" < /etc/ssh/sshd_config | sort | uniq | wc -l | tr -d ' ') + + if [ "$check22" -eq "1" ]; then + + dialog --msgbox "This server is already configured as SFTP File Server" 5 57 + ServicesMenu + + fi + + + # Check if /etc/ssh/sshd_config contains Subsystem sftp command + check=$(grep Subsystem < /etc/ssh/sshd_config | grep sftp | sort | uniq | wc -l | tr -d ' ') + if [ "$check" -eq 1 ]; then + + # now, check if the sftp is internal-sftp + check2=$(grep Subsystem < /etc/ssh/sshd_config | grep "internal-sftp" | sort | uniq | wc -l | tr -d ' ') + if [ "$check2" -eq 0 ]; then + + # Configure sftp-internal + nosftp + sftpexclusive group and user chrooting to /SFTP/%u + #sed -i'' "s/\/usr\/libexec\/sftp-server/internal-sftp\n\nMatch Group sftpexclusive\n ChrootDirectory \/SFTP\/%u\n ForceCommand internal-sftp\n AllowTcpForwarding no\n X11Forwarding no\n/" /etc/ssh/sshd_config + sed -i'' "s/\/usr\/libexec\/sftp-server/internal-sftp\n\nMatch Group nosftp\n ForceCommand \/usr\/bin\/false\n\nMatch Group sftpexclusive\n ChrootDirectory \/SFTP\/%u\n ForceCommand internal-sftp\n AllowTcpForwarding no\n X11Forwarding no\n/" /etc/ssh/sshd_config + + fi + + else + + # Add a Subystem + configuration + { + echo " " + echo "# SFTP FILE SERVER" + echo "Subsystem sftp internal-sftp" + echo " " + echo "Match group nosftp" + echo " ForceCommand /usr/bin/false" + echo " " + echo "Match Group sftpexclusive" + echo " ChrootDirectory /SFTP/%u" + echo " ForceCommand internal-sftp" + echo " AllowTcpForwarding no" + echo " X11Forwarding no" + echo " " + } >> /etc/ssh/sshd_config + + fi + + # Create groups nosftp and sftpexclusive + groupadd nosftp 2>/dev/null + groupadd sftpexclusive 2>/dev/null + + # Add the /usr/bin/false shell to /etc/shells (in order to deactivate user account in case) + echo "/usr/bin/false" >> /etc/shells + + # deactivate Motd + check4=$(grep -o '#PrintMotd yes' < /etc/ssh/sshd_config | wc -l | tr -d ' ') + if [ "$check4" -eq 1 ]; then + + sed -i'' "s/#PrintMotd yes/PrintMotd no/" /etc/ssh/sshd_config + + fi + check41=$(grep -o 'PrintMotd yes' < /etc/ssh/sshd_config | wc -l | tr -d ' ') + if [ "$check41" -eq 1 ]; then + + sed -i'' "s/PrintMotd yes/PrintMotd no/" /etc/ssh/sshd_config + + fi + + + + # deactivate Banner + check5=$(grep -o '#Banner none' < /etc/ssh/sshd_config | wc -l | tr -d ' ') + if [ "$check5" -eq 1 ]; then + + sed -i'' "s/#Banner none/Banner none/" /etc/ssh/sshd_config + + fi + check51=$(grep -o 'Banner none' < /etc/ssh/sshd_config | wc -l | tr -d ' ') + if [ "$check51" -eq 1 ]; then + + sed -i'' "s/Banner none/Banner none/" /etc/ssh/sshd_config + + fi + + # Restart SSH + service sshd restart > /dev/null 2>&1 + + + + # check if the NPF firewall has already been configured. + i=0 + while [ $i -lt "3" ]; do + if [ -e /etc/npf.conf ]; then + + # check if NPF is active + check=$(npfctl show | grep -o "inactive" | sort | uniq | wc -l | tr -d ' ') + if [ ! "$check" -eq 1 ]; then + + # NPF is active + # check SSH port is the same than in /etc/npf.conf + sshdport=$(grep 'Port ' < /etc/ssh/sshd_config | grep -o "[0-9]" | tr -d "\n") + + + npfsshport=$(grep ssh < /etc/npf.conf | grep -o ssh | sort | uniq | wc -l | tr -d ' ') + if [ "$npfsshport" -eq 1 ]; then + + npfsshport="22" + + + fi + npfsshport2=$(grep ssh < /etc/npf.conf | grep -o "22" | sort | uniq | wc -l | tr -d ' ') + if [ "$npfsshport2" -eq 1 ]; then + + npfsshport="22" + + fi + + # Compare the 2 var + if [ "$sshdport" -eq "$npfsshport" ]; then + # perfect ! Same port + i=$((i+11)) + else + # SSH ports are different between /etc/ssh/sshd_config and /etc/npf.conf + dialog --msgbox "The NPF firewall seems to be active but the SSH port is different between /etc/ssh/sshd_config and /etc/npf.conf\n\n/etc/ssh/sshd_config and then /etc/npf.conf will open so that you can make your changes" 9 70 + pico /etc/ssh/sshd_config + pico /etc/npf.conf + + service npf restart > /dev/null 2>&1 + service sshd restart > /dev/null 2>&1 + fi + + else + + dialog --yesno "The NPF firewall seems inactive\nWould you like to configure it?" 6 35 + npf_ornot=$? + + if [ "$npf_ornot" -eq 0 ]; then + + PareFeu + + fi + + + fi + + + else + + dialog --yesno "The NPF firewall seems inactive\nWould you like to configure it?" 6 35 + npf_ornot=$? + + if [ "$npf_ornot" -eq 0 ]; then + + PareFeu + + fi + + + fi + + i=$((i+1)) + done + + + dialog --msgbox "The configuration is done!\nPlease now create SFTP users" 6 32 + +} + +CreateSFTPuser () { + + + # check if a previous SFTP file server is already configured + check22=$(grep -o "sftpexclusive" < /etc/ssh/sshd_config | sort | uniq | wc -l | tr -d ' ') + + if [ ! "$check22" -eq "1" ]; then + + dialog --msgbox "This server is not configured as SFTP File Server\nPlease 'Configure a SFTP file server with OpenSSH'" 6 54 + OpenSSHFSMenu + + fi + + # Get the username to create + user=$(dialog --title "Adding a SFTP user" --inputbox "Please enter the username of the new SFTP user" 8 52 2>&1 1>/dev/tty) + + # check if the user already exists + countus=$(getent passwd "$user" | cut -d: -f1) + case $countus in + "$user") + dialog --msgbox "This user already exists" 5 29 + OpenSSHFSMenu + + ;; + *) + ;; + esac + + # Create the user with no login access and a home directory to /SFTP/user + useradd -G sftpexclusive -s /sbin/nologin -m -d /SFTP/"${user}" "${user}" + + passwd "${user}" + + # Permissions : + /sbin/chown root:sftpexclusive /SFTP/"${user}" + chmod 755 /SFTP/"${user}" + + + # Check if everything has been done correctly + countus=$(getent passwd "$user" | cut -d: -f1 | wc -l | tr -d ' ') + if [ "$countus" -eq 1 ]; then + + if [ -d /SFTP/"${user}" ]; then + dialog --msgbox "${user} has been correctly created and is member of sftpexclusive" 6 70 + else + dialog --msgbox "Something went wrong" 5 24 + fi + + + fi + +OpenSSHFSMenu +} + +DeleteSFTPuser () { + # Get the list of system users excluding specified users + users=$(getent passwd | grep '/SFTP/' | cut -d: -f1) + + # Check if the list of users is empty + if [ -z "$users" ]; then + dialog --backtitle "Remove a User" \ + --title "No Users Available" \ + --msgbox "No users to remove." 8 50 + return + fi + + # Initialize an empty string to store dialog options + dialog_options="" + + # Loop through the list of users + for user in $users; do + # Get the user's ID + uid=$(id -u "$user") + + # Check if the user's ID was successfully retrieved + if [ -z "$uid" ]; then + echo "Error: Unable to find user ID for $user" + OpenSSHFSMenu + fi + + # Build each option and add it to the dialog options string + dialog_options="$dialog_options $user $uid off" + done + + + + # Display the checkbox dialog to select users for deletion + selected_users=$(dialog --backtitle "Remove a User" \ + --title "Choose whom to remove" \ + --checklist "Use space bar. Choose only one user if you want to archive the home folder. To remove all, select as many users as necessary:" \ + 20 60 10 \ + "$dialog_options" \ + 2>&1 >/dev/tty) + + # Check if users have been selected + if [ -n "$selected_users" ]; then + # Ask if the home directory should also be removed + dialog --yesno "Do you also want to remove the home directory of the selected user?" 6 65 + remove_home=$? + + # Remove the selected users + for user in $selected_users; do + if [ "$remove_home" -eq 0 ]; then + # Remove the user and their home directory + userdel -r "$user" + else + dialog --yesno "Do you want to archive the home directory of the selected user?" 6 65 + compress_home=$? + + if [ "$compress_home" -eq 0 ]; then + # Get the user's home directory + user_home="/SFTP/${user}" + + # Check if the directory exists + if [ -d "$user_home" ]; then + # Archive and compress the directory + tar cf - "$user_home" | xz > "${user_home}.tar.xz" + userdel -r "$user" + + dialog --msgbox "The home directory has been archived to /SFTP/${user}.tar.xz" 6 70 + else + dialog --backtitle "Directory Not Found!" \ + --title 'Directory Not Found' \ + --msgbox "The home directory does not exist." 5 38 + fi + else + userdel "$user" + fi + fi + done + fi + + + + dialog --backtitle "User(s) Removed!" \ + --title ' Result' \ + --msgbox "Deletion Successful" 5 23 + + +OpenSSHFSMenu +} + +ListSFTPusers () { + + getent passwd | grep '/SFTP' | cut -d: -f1 > /tmp/AAervinrinZbiznvinzdmin32.tmp + # Display the contents of the /etc/passwd file in a dialog screen + dialog --backtitle "List of SFTP users" --title "SFTP" --textbox /tmp/AAervinrinZbiznvinzdmin32.tmp 0 0 + + rm /tmp/AAervinrinZbiznvinzdmin32.tmp + + # Call OpenSSHFSMenu after dialog close + OpenSSHFSMenu +} + +ChangepassSFTPuser () { + + # Get the username + user=$(dialog --title "Username" --inputbox "Please enter the username" 8 30 2>&1 1>/dev/tty) + + # check if the user already exists + countus=$(getent passwd "$user" | cut -d: -f1) + case $countus in + "$user") + passwd "${user}" + ;; + *) + dialog --msgbox "User doesn't exist!" 5 23 + OpenSSHFSMenu + ;; + esac + +OpenSSHFSMenu +} + +DisableSFTPuser () { + + # Get the username + user=$(dialog --title "Username" --inputbox "Please enter the username" 8 30 2>&1 1>/dev/tty) + + # check if the user already exists + countus=$(getent passwd "$user" | cut -d: -f1) + case $countus in + "$user") + usermod -G nosftp "${user}" + countus3=$(groups "${user}" | grep -o "nosftp") + + case $countus3 in + "nosftp") + dialog --backtitle "User account disabled" \ + --title ' Result' \ + --msgbox "User account disabled" 5 25 + ;; + *) + dialog --backtitle "Error" \ + --title ' Result' \ + --msgbox "User not disabled" 5 25 + + OpenSSHFSMenu + ;; + esac + ;; + *) + dialog --msgbox "User doesn't exist!" 5 23 + OpenSSHFSMenu + ;; + esac + +OpenSSHFSMenu +} + +ListDisabledSFTPusers () { + + grep '^nosftp:' /etc/group | cut -d: -f4 | tr ',' '\n' > /tmp/AAervinrinZbiznvinzdmin32.tmp + # Display the contents of the /etc/passwd file in a dialog screen + dialog --backtitle "List of SFTP disabled users" --title "DISABLED" --textbox /tmp/AAervinrinZbiznvinzdmin32.tmp 0 0 + + rm /tmp/AAervinrinZbiznvinzdmin32.tmp + + # Call OpenSSHFSMenu after dialog close + OpenSSHFSMenu + +} + +RenableSFTPuser () { + + # Get the username + user=$(dialog --title "Username" --inputbox "Please enter the username" 8 30 2>&1 1>/dev/tty) + + # check if the user already exists + countus=$(getent passwd "$user" | cut -d: -f1) + case $countus in + "$user") + sed -i'' -e "/^nosftp:/s/,${user}\(,\|$\)/\1/" -e "/^nosftp:/s/${user},//" -e "/^nosftp:/s/,${user}$//" -e "/^nosftp:/s/:${user}$/:/" /etc/group + + countus3=$(groups "${user}" | grep -o nosftp) + case $countus3 in + "nosftp") + dialog --backtitle "Error" \ + --title ' Result' \ + --msgbox "User not enabled" 5 25 + + OpenSSHFSMenu + ;; + *) + dialog --backtitle "Enabled" \ + --title ' Result' \ + --msgbox "User account enabled" 5 25 + + + ;; + esac + ;; + *) + + + ;; + esac + +OpenSSHFSMenu + +} + +Fail2banStatus () { + + service fail2ban status > /tmp/aaevpinpaeinEAB.tmp + + dialog --title "Fail2ban Status" --textbox /tmp/aaevpinpaeinEAB.tmp 20 70 + + rm /tmp/aaevpinpaeinEAB.tmp + + Fail2banMenu + +} + +ShowBannedIP () { + + fail2ban-client banned > /tmp/aaevpinpaeinEAB.tmp + + dialog --title "Fail2ban Banned IP" --textbox /tmp/aaevpinpaeinEAB.tmp 20 70 + + rm /tmp/aaevpinpaeinEAB.tmp + + Fail2banMenu + +} + +UnbanAnIP () { + + # Create a temporary file + TMPFILE=$(mktemp) + + # Get NICs + fail2ban-client banned | grep -Eo '\b([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}\b|\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' > "$TMPFILE" + + # Check if the list is empty + if [ ! -s "$TMPFILE" ]; then + dialog --msgbox "No IP banned" 5 30 + rm -f "$TMPFILE" + Fail2banMenu + fi + + # Read the temporary file and construct the option for dialog + devices="" + while IFS= read -r line; do + devices="$devices $line \"$line\" off" + done < "$TMPFILE" + + # Use dialog to display the list of devices + device=$(eval "dialog --radiolist \"Choose the IP to unban\" 0 0 0 $devices 3>&1 1>&2 2>&3") + + # Clean up and remove the temporary file + rm -f "$TMPFILE" + + fail2ban-client unban "${device}" + + +} + +ArchiveFail2banLog () { + + # Get the date and time in the desired format + DATE=$(date "+%d-%m-%Y") + TIME=$(date "+%H:%M:%S") + + # Path of the file to compress + FILE="/var/log/fail2ban.log" + + # Check if the file to compress exists + if [ ! -f "$FILE" ]; then + dialog --msgbox "The file to compress does not exist" 5 40 + Fail2banMenu + fi + + # Compressed file name + COMPRESSED_FILE_NAME="fail2ban_${DATE}_${TIME}.xz" + + # Full path of the compressed file + COMPRESSED_FILE_PATH="/var/log/${COMPRESSED_FILE_NAME}" + + # Compress the file + xz "$FILE" -c > "$COMPRESSED_FILE_PATH" + + Fail2banMenu + + +} + +Openfail2banLog () { + + pico /var/log/fail2ban.log + + Fail2banMenu +} + +EnableForwardingIP () { + + dialog --yesno "Voulez-vous autoriser le routage IPv4 et IPv6 (Yes)\nou\nseulement IPv4 (No)" 7 70 + ipv6_ornot=$? + + if [ $ipv6_ornot -eq 0 ]; then + + sysctl -w net.inet.ip.forwarding=1 > /dev/null 2>&1 + sysctl -w net.inet6.ip6.forwarding=1 > /dev/null 2>&1 + + # check if ip fowarding has already been added + check=$(grep -o '# FORWARDING IP' < /etc/sysctl.conf | sort | uniq | wc -l | tr -d ' ') + if [ "$check" -eq 0 ]; then + + printf "\n" >> /etc/sysctl.conf + echo "# FORWARDING IP" >> /etc/sysctl.conf + + check1=$(grep -o 'net.inet.ip.forwarding=1' < /etc/sysctl.conf | sort | uniq | wc -l | tr -d ' ') + if [ "$check1" -eq 0 ]; then + + echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf + echo "net.inet6.ip6.forwarding=1" >> /etc/sysctl.conf + + fi + + check1=$(grep -o 'net.inet6.ip6.forwarding=1' < /etc/sysctl.conf | sort | uniq | wc -l | tr -d ' ') + if [ "$check1" -eq 0 ]; then + + echo "net.inet6.ip6.forwarding=1" >> /etc/sysctl.conf + + fi + + + + else + + check1=$(grep -o 'net.inet.ip.forwarding=1' < /etc/sysctl.conf | sort | uniq | wc -l | tr -d ' ') + if [ "$check1" -eq 0 ]; then + + echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf + echo "net.inet6.ip6.forwarding=1" >> /etc/sysctl.conf + + fi + + check1=$(grep -o 'net.inet6.ip6.forwarding=1' < /etc/sysctl.conf | sort | uniq | wc -l | tr -d ' ') + if [ "$check1" -eq 0 ]; then + + echo "net.inet6.ip6.forwarding=1" >> /etc/sysctl.conf + + fi + + + fi + + + else + + sysctl -w net.inet.ip.forwarding=1 > /dev/null 2>&1 + + # check if ip fowarding has already been added + check=$(grep -o '# FORWARDING IP' < /etc/sysctl.conf | sort | uniq | wc -l | tr -d ' ') + if [ "$check" -eq 0 ]; then + + printf "\n" >> /etc/sysctl.conf + echo "# FORWARDING IP" >> /etc/sysctl.conf + + check1=$(grep -o 'net.inet.ip.forwarding=1' < /etc/sysctl.conf | sort | uniq | wc -l | tr -d ' ') + if [ "$check1" -eq 0 ]; then + + echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf + + fi + + else + + check1=$(grep -o 'net.inet.ip.forwarding=1' < /etc/sysctl.conf | sort | uniq | wc -l | tr -d ' ') + if [ "$check1" -eq 0 ]; then + + echo "net.inet.ip.forwarding=1" >> /etc/sysctl.conf + + fi + + + fi + + fi + + + # check if activated : + check=$(sysctl net.inet.ip.forwarding | grep -o "= [0-9]" | grep -o "[0-9]") + if [ "$check" -eq 1 ]; then + + dialog --msgbox "IPv4 Forwading enabled" 5 26 + + else + + dialog --msgbox "IPv4 Forwading disabled" 5 28 + + fi + + check2=$(sysctl net.inet6.ip6.forwarding | grep -o "= [0-9]" | grep -o "[0-9]") + if [ "$check2" -eq 1 ]; then + + dialog --msgbox "IPv6 Forwading enabled" 5 26 + + else + + dialog --msgbox "IPv6 Forwading disabled" 5 28 + + fi + + + + NetworkMenu +} + +DisableForwardingIP () { + + sysctl -w net.inet.ip.forwarding=0 > /dev/null 2>&1 + sysctl -w net.inet6.ip6.forwarding=0 > /dev/null 2>&1 + + sed '/^# FORWARDING IP/d' /etc/sysctl.conf + sed '/^net.inet.ip.forwarding=1/d' /etc/sysctl.conf + sed '/^net.inet6.ip6.forwarding=1/d' /etc/sysctl.conf + + + # check if activated : + check=$(sysctl net.inet.ip.forwarding | grep -o "= [0-9]" | grep -o "[0-9]") + if [ "$check" -eq 1 ]; then + + dialog --msgbox "IPv4 Forwading enabled" 5 26 + + else + + dialog --msgbox "IPv4 Forwading disabled" 5 28 + + fi + + check2=$(sysctl net.inet6.ip6.forwarding | grep -o "= [0-9]" | grep -o "[0-9]") + if [ "$check2" -eq 1 ]; then + + dialog --msgbox "IPv6 Forwading enabled" 5 26 + + else + + dialog --msgbox "IPv6 Forwading disabled" 5 28 + + fi + + NetworkMenu +} + +PowerOff () { + + poweroff + +} + +RebooT () { + + reboot + +} + +################# +# MENUS + +NetworkMenu () { + # Your dialog command with dynamically calculated sizes + choix1=$(dialog --clear \ + --backtitle "NETWORK MENU" \ + --title "Network Menu" \ + --menu "Choose an option:" \ + 19 70 10 \ + 1 "Check Internet Connection" \ + 2 "Restart DHCP Service" \ + - "------------------------------------------------------------" \ + 3 "Enable IP forwarding" \ + 4 "Disable IP forwarding" \ + - "------------------------------------------------------------" \ + 5 "Switch from Ethernet to Wifi" \ + 6 "Connect to WiFi Network" \ + 7 "Switch from Wifi to Ethernet" \ + - "------------------------------------------------------------" \ + p "MAIN MENU" \ + q "QUIT" \ + 3>&1 1>&2 2>&3) + + case $choix1 in + 1) checkInternetConnection ; ItsOkInternet ; NetworkMenu ;; + 2) RestartDHCP ;; + 3) EnableForwardingIP ;; + 4) DisableForwardingIP ;; + -) NetworkMenu ;; + 5) SwitchToWifi ;; + 6) ConnectWifi ;; + 7) SwitchToEthernet ;; + p|P) MainMenu ;; + q|Q) exit 0 ;; + esac + +} + +PareFeuMenu () { + + choix1=$(dialog --clear \ + --backtitle "FIREWALL MENU" \ + --title "Firewall Menu" \ + --menu "Choose an option:" \ + 12 70 10 \ + 1 "Configure NPF" \ + 2 "View NPF Status and Active Rules" \ + - "------------------------------------------------------------" \ + r "PREVIOUS MENU" \ + p "MAIN MENU" \ + q "QUIT" \ + 3>&1 1>&2 2>&3) + + case $choix1 in + 1) PareFeu ;; + 2) ShowRulesNPF ;; + -) PareFeuMenu ;; + r|R) SecurityMenu ;; + p|P) MainMenu ;; + q|Q) exit 0 ;; + esac + +} + + +AntiVirusMenu () { + + choix1=$(dialog --clear \ + --backtitle "ANTIVIRUS MENU" \ + --title "AntiVirus Menu" \ + --menu "Choose an option:" \ + 19 70 10 \ + 1 "Install ClamAV with securiteinfo/sanesecurity databases" \ + 2 "Update SaneSecurity ClamAV databases" \ + - "------------------------------------------------------------" \ + 3 "Run a full antivirus scan" \ + 4 "Run an antivirus scan of /home" \ + 5 "Show ClamAV scan log" \ + 6 "Archive ClamAV log file" \ + 7 "Clear ClamAV log file" \ + - "------------------------------------------------------------" \ + r "PREVIOUS MENU" \ + p "MAIN MENU" \ + q "QUIT" \ + 3>&1 1>&2 2>&3) + + case $choix1 in + 1) installClamAV ;; + 2) UpdateSaneSecurityClamAV ;; + -) AntiVirusMenu ;; + 3) FullScanClamAV ;; + 4) HomeScanClamAV ;; + 5) LogClamAV ;; + 6) ArchiveLogClamAV ;; + 7) CleanLogClamAV ;; + r|R) SecurityMenu ;; + p|P) MainMenu ;; + q|Q) exit 0 ;; + esac + +} + +Fail2banMenu () { + # Your dialog command with dynamically calculated sizes + choix=$(dialog --clear \ + --backtitle "SECURITY MENU" \ + --title "Security Menu" \ + --menu "Choose an option:" \ + 19 70 10 \ + 1 "Configure Fail2ban" \ + - "------------------------------------------------------------" \ + 2 "Show status" \ + - "------------------------------------------------------------" \ + 3 "Open fail2ban log" \ + 4 "Archive fail2ban log" \ + - "------------------------------------------------------------" \ + 5 "Show banned IP" \ + 6 "Unban an IP" \ + - "------------------------------------------------------------" \ + r "PREVIOUS MENU" \ + p "MAIN MENU" \ + q "QUIT" \ + 3>&1 1>&2 2>&3) + + case $choix in + 1) InstallFail2ban ;; + 2) Fail2banStatus ;; + 3) Openfail2banLog ;; + 4) ArchiveFail2banLog ;; + 5) ShowBannedIP ;; + 6) UnbanAnIP ;; + -) Fail2banMenu ;; + r|R) SecurityMenu;; + p|P) MainMenu ;; + q|Q) exit 0 ;; + esac + + +} + +SecurityMenu () { + # Your dialog command with dynamically calculated sizes + choix=$(dialog --clear \ + --backtitle "SECURITY MENU" \ + --title "Security Menu" \ + --menu "Choose an option:" \ + 19 70 10 \ + 1 "Firewall" \ + - "------------------------------------------------------------" \ + 2 "Configure SSH" \ + - "------------------------------------------------------------" \ + 3 "Fail2ban" \ + - "------------------------------------------------------------" \ + 4 "Anti-Virus" \ + - "------------------------------------------------------------" \ + 5 "Set up OVPN VPN" \ + - "------------------------------------------------------------" \ + p "MAIN MENU" \ + q "QUIT" \ + 3>&1 1>&2 2>&3) + + case $choix in + 1) PareFeuMenu ;; + 2) ConfigureSSH ;; + 3) Fail2banMenu ;; + 4) AntiVirusMenu ;; + 5) ovpnVPN ;; + -) SecurityMenu ;; + p|P) MainMenu ;; + q|Q) exit 0 ;; + esac +} + +UsersRightsMenu () { + # Your dialog command with dynamically calculated sizes + choix=$(dialog --clear \ + --backtitle "USERS AND ACCESS RIGHTS MENU" \ + --title "Users and Access Rights Menu" \ + --menu "Choose an option:" \ + 19 70 10 \ + 1 "Display list of users" \ + 2 "Create a user" \ + 3 "Check user existence" \ + 4 "Delete a user" \ + - "-----------------------------------------------------------" \ + 5 "Display list of groups" \ + 6 "Create a group" \ + 7 "Check group existence" \ + 8 "Delete a group" \ + 9 "Add user to a group" \ + 10 "Remove user from a group" \ + - "-----------------------------------------------------------" \ + 11 "Install sudo and add user to sudo group" \ + - "-----------------------------------------------------------" \ + p "MAIN MENU" \ + q "QUIT" \ + 3>&1 1>&2 2>&3) + + case $choix in + 1) getentPasswd ;; + 2) CreateUser ;; + 3) CheckUserExists ;; + 4) DeleteUser ;; + 5) getentGroup ;; + 6) CreateGroup ;; + 7) CheckGroupExists ;; + 8) DeleteGroup ;; + 9) AddToGroup ;; + 10) LeaveGroup ;; + 11) InstallSudo ;; + -) UsersRightsMenu ;; + p|P) MainMenu ;; + q|Q) exit 0 ;; + esac +} + + +InstallProgramsMenu () { + choix=$(dialog --clear \ + --backtitle "PROGRAM INSTALLATION MENU" \ + --title "Program Installation Menu" \ + --menu "Choose an option:" \ + 12 70 10 \ + 1 "Install desktop applications" \ + 2 "Install usual utilities" \ + - "------------------------------------------------------------" \ + p "MAIN MENU" \ + q "QUIT" \ + 3>&1 1>&2 2>&3) + + case $choix in + 1) DesktopBundleApps ;; + 2) UsualTools ;; + -) InstallProgramsMenu ;; + p|P) MainMenu ;; + q|Q) exit 0 ;; + esac +} + + + +NetServices () { + + dialog --msgbox "Not yet ready" 5 17 + MainMenu + +} + +DiskMngmtMenu () { + choix=$(dialog --clear \ + --backtitle "DISK MANAGEMENT MENU" \ + --title "Disk Management Menu" \ + --menu "Choose an option:" \ + 18 70 10 \ + 1 "Format a USB device to FFSv1" \ + 2 "Format a USB device to FFSv2" \ + 3 "Format a USB device to NTFS" \ + 4 "Format a USB device to EXFAT (not fully working)" \ + 5 "Securely erase a USB device" \ + - "------------------------------------------------------------" \ + 6 "Mount a USB device to /media/dkX" \ + 7 "Unmount a USB device mounted to /media/dkX" \ + - "------------------------------------------------------------" \ + 8 "Burn .iso to a USB device" \ + 9 "Burn .iso to a CD" \ + - "------------------------------------------------------------" \ + 10 "Rebuild locate index" \ + - "------------------------------------------------------------" \ + p "MAIN MENU" \ + q "QUIT" \ + 3>&1 1>&2 2>&3) + + case $choix in + 1) FormatToFFSv1 ;; + 2) FormatToFFSv2 ;; + 3) FormatToNTFS ;; + 4) FormatToEXFAT ;; + 5) SecurelyErase ;; + 6) mountUSB ;; + 7) umountUSB ;; + 8) BurnISOtoUSB ;; + 9) BurnISOtoCD ;; + 10) locateRebuild ;; + -) DiskMngmtMenu ;; + p|P) MainMenu ;; + q|Q) exit 0 ;; + esac +} + +OpenSSHFSMenu () { + choix=$(dialog --clear \ + --backtitle "OPENSSH FILE SERVER MENU" \ + --title "OpenSSH File Server Menu" \ + --menu "Choose an option:" \ + 19 70 10 \ + 1 "Configure a SFTP file server with OpenSSH" \ + - "------------------------------------------------------------" \ + 2 "Create a SFTP user" \ + 3 "List SFTP users" \ + 4 "Delete a SFTP user" \ + 5 "Change password for a SFTP user" \ + - "------------------------------------------------------------" \ + 6 "Disable a SFTP user account" \ + 7 "List SFTP disabled users" \ + 8 "Re-enable a SFTP user account" \ + - "------------------------------------------------------------" \ + p "MAIN MENU" \ + q "QUIT" \ + 3>&1 1>&2 2>&3) + + case $choix in + 1) SFTPFS ;; + -) OpenSSHFSMenu ;; + 2) CreateSFTPuser ;; + 3) ListSFTPusers ;; + 4) DeleteSFTPuser ;; + 5) ChangepassSFTPuser ;; + 6) DisableSFTPuser ;; + 7) ListDisabledSFTPusers ;; + 8) RenableSFTPuser ;; + p|P) MainMenu ;; + q|Q) exit 0 ;; + esac +} + +ServicesMenu () { + choix=$(dialog --clear \ + --backtitle "SERVICES MENU" \ + --title "Services Menu" \ + --menu "Choose an option:" \ + 11 70 10 \ + 1 "OpenSSH File Server" \ + - "------------------------------------------------------------" \ + p "MAIN MENU" \ + q "QUIT" \ + 3>&1 1>&2 2>&3) + + case $choix in + 1) OpenSSHFSMenu ;; + -) ServicesMenu ;; + p|P) MainMenu ;; + q|Q) exit 0 ;; + esac +} + + +DesktopMenu () { + choix=$(dialog --clear \ + --backtitle "DESKTOP ENVIRONMENT MENU" \ + --title "Desktop Environment Menu" \ + --menu "Choose an option:" \ + 11 70 10 \ + 1 "Install XFCE4/Slim desktop environment" \ + - "------------------------------------------------------------" \ + p "MAIN MENU" \ + q "QUIT" \ + 3>&1 1>&2 2>&3) + + case $choix in + 1) xfce4 ;; + -) DesktopMenu ;; + p|P) MainMenu ;; + q|Q) exit 0 ;; + esac +} + + + + +############################################################################### + +MainMenu () { + choix=$(dialog --clear \ + --backtitle "WELCOME TO THE GLOBAL NETBSD SCRIPT" \ + --title "Main Menu" \ + --menu "Choose an option:" \ + 19 70 10 \ + h "README" \ + - "------------------------------------------------------------" \ + 1 "Network" \ + 2 "Security" \ + 3 "Users and Permissions" \ + 4 "Programs" \ + 5 "Web Server" \ + 6 "Disk Management" \ + 7 "Services" \ + 8 "Desktop Environment" \ + - "------------------------------------------------------------" \ + q "QUIT" \ + - "------------------------------------------------------------" \ + s "POWER OFF" \ + x "REBOOT" \ + 3>&1 1>&2 2>&3) + + case $choix in + h) READMEMenu ;; + 1) NetworkMenu ;; + 2) SecurityMenu ;; + 3) UsersRightsMenu ;; + 4) InstallProgramsMenu ;; + 5) NetServices ;; + 6) DiskMngmtMenu ;; + 7) ServicesMenu ;; + 8) DesktopMenu ;; + -) MainMenu ;; + q|Q) exit 0 ;; + s|S) PowerOff ;; + x|X) RebooT ;; + esac +} + + +############################################################################### + +READMEMenu () { + + choix=$(dialog --clear \ + --backtitle "README MENU" \ + --title "README Menu" \ + --menu "Choose an option:" \ + 18 70 10 \ + 1 "Read Me First" \ + - "------------------------------------------------------------" \ + p "MAIN MENU" \ + q "QUIT" \ + 3>&1 1>&2 2>&3) + + case $choix in + 1) ReadMeFirst ;; + -) READMEMenu ;; + p|P) MainMenu ;; + q|Q) exit 0 ;; + esac +} + +ReadMeFirst() { + +echo "Welcome to this server configuration module for NetBSD! +------------------------------------------------------------ + +First of all, this module should only be executed on a fresh installation of NetBSD 9.3/10. +It should not be executed on an already configured and production server as the scripts it contains could interact with the existing server configurations and potentially cause damage. + +I decline any responsibility regarding the execution of this module. + +The purpose of this module is primarily to facilitate basic server management tasks on a NetBSD server by providing a fully automated configuration of many services through a minimalist graphical interface. +It can also serve as a source of functional commands and syntaxes under NetBSD standard shell. + +Of course, it is graciously made available to the public and can be modified by anyone without any form of compensation (except a thank you, if you feel like it). + +If you spot any faulty features (or bad english :-S ! I'm french) or wish to discuss the possibility of adding new features and collaborate, you can contact me: theophile.dudreuilh@yahoo.com" > /tmp/AEzevinvpin.tmp + +fold -s -w 67 /tmp/AEzevinvpin.tmp > /tmp/aaevpinpaeinEAB.tmp + +dialog --title "Read Me First" --textbox /tmp/aaevpinpaeinEAB.tmp 20 70 +} + + + + +# Appel du menu +MainMenu