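#!/bin/sh
#
# Set or get the allowed IP(s) of <jailname>.
#
# Usage: ip <jailname> [<ip>|all]
#
# Without <ip>, prints the currently allowed IP(s) (one per line) parsed from
# the jail's sshd config. With <ip>, adds that IP to the whitelist; "all"
# replaces the whitelist with 0.0.0.0/0.
#
# Globals (from includes): SSHD_CONFIG, jail_path(), error(), notice()
#
# shellcheck source=./includes
# $0 is quoted so a library path containing spaces still resolves.
LIBDIR="$(dirname "$0")" && . "${LIBDIR}/includes"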
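# Arguments: $1 jail name (required), $2 IP/CIDR or "all" (optional).
# A default is used for $1 rather than ${1:?} so that a missing jail name
# reaches the help text below instead of aborting with a bare shell error.
jail_name="${1:-}"
ip="${2:-}"

if [ -z "${jail_name}" ]; then
  # Show usage and fail regardless of the help command's own exit status;
  # the script must never continue without a jail name.
  "${LIBDIR}/bkctld-help"
  exit 1
fi

# jail_path() is the helper from includes; the variable shares its name.
jail_path=$(jail_path "${jail_name}")
test -d "${jail_path}" || error "${jail_name}: jail is missing."

# Full path of the sshd config inside the jail (SSHD_CONFIG from includes).
jail_sshd_config="${jail_path}/${SSHD_CONFIG}"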
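if [ -z "${ip}" ]; then
  # Getter: print one IP per line, taken from the root@<ip> entries of the
  # AllowUsers directive(s) in the jail's sshd config.
  grep -E "^AllowUsers" "${jail_sshd_config}" \
    | grep -E -o "root@[^ ]+" \
    | while IFS= read -r allow; do
      # Keep only the text between the first and second '@' (like cut -f2),
      # without spawning a process per line.
      addr="${allow#*@}"
      printf '%s\n' "${addr%%@*}"
    done
else
  # Setter. The value is spliced verbatim into a sed replacement and into
  # sshd_config, so only address-like characters are accepted: whitespace,
  # '~' (the sed delimiter), '&' or '\' would corrupt the AllowUsers line or
  # the sed command. Hostnames are not accepted, matching the documented
  # <ip>|all argument. error() is expected to exit, as in the jail check.
  case "${ip}" in
    all) ;;
    *[!0-9a-fA-F.:/]*)
      error "${jail_name}: '${ip}' is not a valid IP address or CIDR."
      ;;
  esac

  if [ "${ip}" = "all" ] || [ "${ip}" = "0.0.0.0/0" ]; then
    new_ips="0.0.0.0/0"
  else
    # Merge the new IP with the current list and drop the catch-all entry.
    # The match is an exact fixed-string line match: an unanchored
    # "0.0.0.0/0" regex would also drop any longer address containing it.
    existing_ips=$("${LIBDIR}/bkctld-ip" "${jail_name}")
    new_ips=$(
      printf '%s\n' "${existing_ips}" "${ip}" \
        | tr -s ' \t' '\n\n' \
        | grep -F -x -v -e '' -e '0.0.0.0/0' \
        | sort -u
    )
  fi

  allow_users="AllowUsers"
  new_ips_line=""
  # The loop variable is not `ip`, so the requested value is not clobbered
  # (the old code logged the last sorted entry instead of the new list).
  # Word splitting on ${new_ips} is intentional: one IP per line.
  for allowed_ip in ${new_ips}; do
    allow_users="${allow_users} root@${allowed_ip}"
    new_ips_line="${new_ips_line}${new_ips_line:+ }${allowed_ip}"
  done

  if grep -q -E "^AllowUsers" "${jail_sshd_config}"; then
    # Replace the whole directive line; the case statement above guarantees
    # the replacement contains no '~', '&' or '\'.
    sed -i "s~^AllowUsers .*~${allow_users}~" "${jail_sshd_config}"
  else
    error "${jail_name}: No 'AllowUsers' directive found in '${jail_sshd_config}'"
  fi

  notice "${jail_name}: IP whitelist updated to ${new_ips_line}"

  # Apply the new config to the running sshd and to the firewall rules.
  "${LIBDIR}/bkctld-reload" "${jail_name}"
  "${LIBDIR}/bkctld-firewall" "${jail_name}"
fi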