Merge branch 'security/tls'

Kristan Kenney · Kristan Kenney · commit 7d8c631a4cb9 · 2019-07-02T00:07:32.000-03:00
diff --git a/install/deb/dovecot/conf.d/10-ssl.conf b/install/deb/dovecot/conf.d/10-ssl.conf
@@ -1,5 +1,8 @@
 ssl = yes
 ssl_protocols = !SSLv3 !TLSv1
+ssl_prefer_server_ciphers = yes
+ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
 
 ssl_cert = </usr/local/hestia/ssl/certificate.crt
 ssl_key = </usr/local/hestia/ssl/certificate.key
+ssl_dh = </etc/ssl/dhparam.pem
diff --git a/install/deb/ssl/dhparam.pem b/install/deb/ssl/dhparam.pem
@@ -1,13 +1,13 @@
 -----BEGIN DH PARAMETERS-----
-MIICCAKCAgEA+tQGpIebOZgTRfzeJO8V08AKJxjIEPl+ks2s0kVcYEYn7XhoqV9p
-vMxYxSz+3gavaKD42tbxbru01MZhi6PAhvWZn1pUgdUFTDPv6Suq/zQuNvxEx/p4
-/TvfQ+6IqWcPFjGZb6lmnR4v592joEmTaps6Uqv2PDqCgZoeLDqVSsqWRotFbFWa
-mHCFU/5RsSyUAPhuH9lk0UOnK+rkQulppZsAKNLMUBSoNGg+OjYbvcRq8WMQIx8H
-Or8i9lZa12UFfr3ui5I7Y29aARh4M8WTtWKAxoDp6N8ENT3hXqgEm4cIVmHOgFDZ
-SvWvsV/6ghDpYIOgiatKauQPd2wXkZ/95yeO2JxyYS9rGK4a10QICsB/Jj5j/1i8
-yimrllUs5UW8BjmkRTYQPFtvZzrYUoSohSazz7r5Q7/K/Nh40Tb+SgGvQqMxTolL
-nTR2kP8DDpTIar/E2B1fDM+yk07hMmKlTOP+nFmJtcq61rM79kQfpsG4mxIX2sxR
-el6qP5ng8NQG648aL9OnaUgisLpz1ll6cL7rXHExxEiFgb667F+uKVYJ31d0KyBE
-6zrb7iIr5l1q+/vIxIu3QvOfH43+lAV/XHaNP1YvrCkTmkihBAeHt74x5uZRalg3
-3qci/XOL0h6i5YW3s7Yem1tqy04P2XYVfmfr4KzzNjOFAQwADKm7G3sCAQI=
------END DH PARAMETERS-----
+MIICCAKCAgEA7N3ZOcXgACR0Rat9G/7h8krD7ysVvmEmvAdg8o5l7eKVdtp/QSNK
+anF0JyInJMBEgq05GY7YwvFovglJL73T/eEjTK3qPU6eHzxNGKfR0pM6rnAb+EXL
+dSNJm3Xz9wH4IKn6OJ3nD9aLmBVI5FlIMV1R4QKX3sIWUxRqRSQIzjNQTnY1e/Pk
+BT/ZrUUF7fPPVbg0nPD8Y48ISr7pB6M14Kr66cggGIqUVdBdkPYyt4RpFWR1n3Tv
+rz1j0U+UoVnan2FgGsSiSFT9I/CiIxgC/SrdwxZLUgbAiKsnw9H7nGW92C4cRqY0
+2eKMVNEBk32GSPQXaA+Q5TILyzxuwDbXMxHMxnUVKQGFEcXjWXXyiv7tLAeu68Do
+j5iNFOHbDp17SftnxYHi2vTsYk+9K6Pzc+NmUgibM52Rs92PPYd++HcgMeGrYcqi
+temHP2jPtAymixch0wdqBMgeGTb29w51LR0BAU6D6BeR25pkZvPUag3bb6SU1Oli
+E15DDWh3UnmfTw2M9W1uxlzQAlXOLL6/ZWuvwyqhCY6X7tIONtSgdYGjtiTFaPJp
+ZBdOOrblodLxSu0ObR59SFjv8Pz3sTw4xiRFTG3lFtuIVHdBUbtJHR+2p4fHy/JG
+Ccs+Z1KrmJfEzSMzKwfvZYJ526demNulglFBbcQV06ehqjc6MCG3HnMCAQI=
+-----END DH PARAMETERS-----
diff --git a/install/deb/vsftpd/vsftpd.conf b/install/deb/vsftpd/vsftpd.conf
@@ -32,7 +32,7 @@ ssl_enable=YES
 allow_anon_ssl=NO
 require_ssl_reuse=NO
 ssl_ciphers=HIGH
-ssl_tlsv1=YES
+ssl_tlsv1=NO
 ssl_sslv2=NO
 ssl_sslv3=NO
 force_local_data_ssl=NO
diff --git a/install/hst-install-ubuntu.sh b/install/hst-install-ubuntu.sh
@@ -1163,6 +1163,7 @@ if [ "$nginx" = 'yes' ]; then
     done
     if [ ! -z "$resolver" ]; then
         sed -i "s/1.0.0.1 1.1.1.1/$resolver/g" /etc/nginx/nginx.conf
+        sed -i "s/1.0.0.1 1.1.1.1/$resolver/g" /usr/local/hestia/nginx/conf/nginx.conf
     fi
 
     update-rc.d nginx defaults > /dev/null 2>&1
diff --git a/install/upgrade/restart.sh b/install/upgrade/restart.sh
@@ -33,6 +33,9 @@ for v in `ls /etc/php/`; do
 		$BIN/v-restart-service php$v-fpm $restart
 	fi
 done
+if [ ! -z $FTP_SYSTEM ]; then
+    $BIN/v-restart-ftp $restart
+fi
 
 # Restart SSH daemon and Hestia Control Panel service
 $BIN/v-restart-service ssh $restart
diff --git a/install/upgrade/versions/1.0.3.sh b/install/upgrade/versions/1.0.3.sh
diff --git a/install/upgrade/versions/1.0.5.sh b/install/upgrade/versions/1.0.5.sh
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+# Hestia Control Panel upgrade script for target version 1.0.5
+
+#######################################################################################
+#######                      Place additional commands below.                   #######
+#######################################################################################
+
+# Set default theme
+if [ -z $THEME ]; then
+    echo "(*) Enabling support for themes..."
+    $BIN/v-change-sys-theme default
+fi
+
+# Replace dhparam 1024 with dhparam 4096
+echo "(*) Installing 4096-bit SSL security certificate..."
+mv /etc/ssl/dhparam.pem $HESTIA_BACKUP/conf/
+cp -rf $HESTIA/install/deb/ssl/dhparam.pem /etc/ssl/
+chmod 600 /etc/ssl/dhparams.pem
+
+# Enhance Vsftpd security
+echo "(*) Modifying Vsftpd SSL configuration..."
+cp -rf /etc/vsftpd.conf $HESTIA_BACKUP/conf/
+sed -i "s|ssl_tlsv1=YES|ssl_tlsv1=NO|g" /etc/vsftpd.conf
+
+# Enhance Dovecot security
+echo "(*) Modifying Dovecot SSL configuration..."
+mv /etc/dovecot/conf.d/10-ssl.conf $HESTIA_BACKUP/conf/
+cp -rf $HESTIA/install/deb/dovecot/10-ssl.conf /etc/dovecot/conf.d/
+
+# Update DNS resolvers in hestia-nginx's configuration
+echo "(*) Updating DNS resolvers for Hestia Internal Web Server..."
+dns_resolver=$(cat /etc/resolv.conf | grep -i '^nameserver' | cut -d ' ' -f2 | tr '\r\n' ' ' | xargs)
+for ip in $dns_resolver; do
+    if [[ $ip =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+        resolver="$ip $resolver"
+    fi
+done
+if [ ! -z "$resolver" ]; then
+    sed -i "s/1.0.0.1 1.1.1.1/$resolver/g" /usr/local/hestia/nginx/conf/nginx.conf
+fi
diff --git a/src/deb/nginx/nginx.conf b/src/deb/nginx/nginx.conf
@@ -82,8 +82,16 @@ http {
     ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
     ssl_ciphers         "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+    ssl_dhparam         /etc/ssl/dhparam.pem;
+    ssl_ecdh_curve      secp384r1;
+    ssl_session_tickets off;
+    resolver 1.0.0.1 1.1.1.1 valid=300s ipv6=off;
+    resolver_timeout    5s;
+    ssl_stapling on;
+    ssl_stapling_verify on;
     add_header          X-Frame-Options SAMEORIGIN;
     add_header          X-Content-Type-Options nosniff;
+    add_header          X-XSS-Protection "1; mode=block";
 
     # Vhost
     server {
diff --git a/src/hst_autocompile.sh b/src/hst_autocompile.sh
@@ -87,7 +87,7 @@ fi
 BUILD_ARCH='amd64'
 HESTIA_V="${BUILD_VER}_${BUILD_ARCH}"
 NGINX_V=$(curl -s https://raw.githubusercontent.com/hestiacp/hestiacp/$branch/src/deb/nginx/control |grep "Version:" |cut -d' ' -f2)
-OPENSSL_V='1.1.1b'
+OPENSSL_V='1.1.1c'
 PCRE_V='8.43'
 ZLIB_V='1.2.11'
 PHP_V=$(curl -s https://raw.githubusercontent.com/hestiacp/hestiacp/$branch/src/deb/php/control |grep "Version:" |cut -d' ' -f2)
@@ -287,8 +287,7 @@ if [ "$NGINX_B" = true ] ; then
     else
       cp $BUILD_DIR/hestiacp-$branch/src/deb/nginx/nginx.conf "usr/local/hestia/nginx/conf/nginx.conf"
     fi
-    
-
+        
     # copy binary
     cp usr/local/hestia/nginx/sbin/nginx usr/local/hestia/nginx/sbin/hestia-nginx
 
