From 3b9fb2bf107b958ec859234da4b460a6908a74a1 Mon Sep 17 00:00:00 2001 From: Tom Mortensen Date: Thu, 22 Feb 2018 14:53:19 -0800 Subject: [PATCH] Add controls to enable/disable Telnet and specify custom ssh port --- plugins/dynamix/SSLSettings.page | 186 ++++++++++++++------------ plugins/dynamix/scripts/update_access | 53 ++++++++ 2 files changed, 151 insertions(+), 88 deletions(-) create mode 100755 plugins/dynamix/scripts/update_access diff --git a/plugins/dynamix/SSLSettings.page b/plugins/dynamix/SSLSettings.page index 39dd237ff..b958ccea8 100644 --- a/plugins/dynamix/SSLSettings.page +++ b/plugins/dynamix/SSLSettings.page @@ -1,5 +1,5 @@ Menu="Identification" -Title="SSL Certificate Settings" +Title="Management Access" Icon="ident.png" Tag="expeditedssl" --- @@ -29,75 +29,65 @@ $internalip = $eth0['IPADDR:0']; ?>
-Restrict GUI access to management interface only: -: + + +> By default webGUI and SSH access are available on any active interface of the system. +> +> Restricted management access limits webGUI and SSH access to the management interface only (eth0). + +Use TELNET: +: + +> By default TELNET access is enabled. TELNET is an insecure type of access however, +> and it is highly recommended to use SSH access instead and disable TELNET access. + Use SSL/TLS: : -> Determines how the webGui responds to HTTP and/or HTTPS protocol. +> Determines how the webGUI responds to HTTP and/or HTTPS protocol. > > Select **No** to disable HTTPS > -> Select **Yes** to enable HTTPS and redirect HTTP to HTTPS. If a Let's Encrypt SSL certificate has not +> Select **Yes** to enable HTTPS and redirect HTTP to HTTPS. If a Let's Encrypt SSL certificate has not > been provisioned, then an automatically generated self-signed SSL certificate will be used. > > Select **Auto** if you are using or plan to use a Let's Encrypt SSL certificate provisioned -> by Lime Technology. Before the certificate is provisioned, the webGui remains -> in http-mode. After provisioning, the webGui automatically switches to https-mode. In addition +> by Lime Technology. Before the certificate is provisioned, the webGUI remains +> in http-mode. After provisioning, the webGUI automatically switches to https-mode. In addition > two background processes are enabled: > > - *updatedns* - This starts 30 seconds after server reboot has completed and contacts the Lime Technology -> DNS service to register the servers local IP address. Thereafter it wakes up every 10 minutes in case +> DNS service to register the servers local IP address. Thereafter it wakes up every 10 minutes in case > the local IP address has changed again. 
> > - *renewcert* - This starts 60 seconds after server reboot has completed and contacts the Lime Technology > certificate renewal service to determine if your Let's Encrypt SSL certificate needs to be renewed. -> Thereafter it wakes up every 24 hours. If within 30 days of expiration, a new certificate is automatically +> Thereafter it wakes up every 24 hours. If within 30 days of expiration, a new certificate is automatically > provisioned and downloaded to your server. > > Note: After provisioning a Let's Encrypt SSL certificate you may turn off the *updatedns* and *newcert* @@ -161,24 +164,31 @@ Use SSL/TLS: > `config/ssl/certs/_unraid_bundle.pem` => No HTTP port: -: +: -> Enter the HTTP port, default is 80. +> Enter the HTTP port, default port is 80. HTTPS port: -: +: -> Enter the HTTPS port, default is 443. +> Enter the HTTPS port, default port is 443. + +SSH port: +: + +> Enter the SSH port, default port is 22. Local TLD: -: +: -> Enter your local Top Level Domain. May be blank. +> Enter your local Top Level Domain. May be blank.   : + +

Certificate issuer: 
@@ -195,24 +205,24 @@ Certificate expiration: : > **Provision** may be used to allocate a *free* SSL Certficiate from [Let's Encrypt](https://letsencrypt.org/) and -> then upload to your server. Note: We **highly** recommend using a static IP address in this case. +> then upload to your server. Note: We **highly** recommend using a static IP address in this case. -> **Update DNS** may be used to manually initiate updating the DNS A-record of your server FQDN on unraid.net. Note +> **Update DNS** may be used to manually initiate updating the DNS A-record of your server FQDN on unraid.net. Note > that DNS propagation change could take anywhere from 1 minute to several hours (we set TTL to 60 seconds). > Note: **Provision** may fail if your router or upstream DNS server has -> [DNS rebinding protection](https://en.wikipedia.org/wiki/DNS_rebinding) enabled. DNS rebinding -> protection prevents DNS from resolving a private IP network range. DNS rebinding protection is meant as +> [DNS rebinding protection](https://en.wikipedia.org/wiki/DNS_rebinding) enabled. DNS rebinding +> protection prevents DNS from resolving a private IP network range. DNS rebinding protection is meant as > a security feature on a local LAN which includes legacy devices with buggy/insecure "web" interfaces. -> One source of DNS rebinding protection could be your ISP DNS server. In this case the problem may be solved by +> One source of DNS rebinding protection could be your ISP DNS server. In this case the problem may be solved by > switching to a different DNS server such as Google's public DNS. -> More commonly, DNS rebinding protection could be enabled in your router. Most consumer routers do not implement DNS +> More commonly, DNS rebinding protection could be enabled in your router. Most consumer routers do not implement DNS > rebinding protection; but, if they do, a configuration setting should be available to turn it off. 
-> Higher end routers usually do enable DNS rebinding protection however. Typically there are ways of turning it off -> entirely or selectively based on domain. Examples: +> Higher end routers usually do enable DNS rebinding protection however. Typically there are ways of turning it off +> entirely or selectively based on domain. Examples: > **DD-WRT:** If you are using "dnsmasq" with DNS rebinding protection enabled, you can add this line to your router > configuration file: diff --git a/plugins/dynamix/scripts/update_access b/plugins/dynamix/scripts/update_access new file mode 100755 index 000000000..b134c5ea7 --- /dev/null +++ b/plugins/dynamix/scripts/update_access 
@@ -0,0 +1,53 @@ +#!/bin/bash + +CONF=/etc/ssh/sshd_config +INET=/etc/inetd.conf + +# read settings +if [[ -a /boot/config/ident.cfg ]]; then + /usr/bin/fromdos /var/tmp/ident.cfg + source /var/tmp/ident.cfg +fi + +# preset default values +[[ -z $BIND_MGT ]] && BIND_MGT=yes +[[ -z $USE_TELNET ]] && USE_TELNET=yes +[[ -z $PORTSSH ]] && PORTSSH=22 + +# get management IP addresses +if [[ $BIND_MGT == yes ]]; then + ETH=eth0 + [[ -e /sys/class/net/bond0 ]] && ETH=bond0 + [[ -e /sys/class/net/br0 ]] && ETH=br0 + IPV4=$(ip -4 addr show $ETH|awk '/inet /{gsub(/\/.+$/,"",$2);print $2;exit}') + IPV6=$(ip -6 addr show $ETH noprefixroute|awk '/inet6 /{gsub(/\/.+$/,"",$2);print $2;exit}') + [[ -z $IPV6 ]] && IPV6=$(ip -6 addr show $ETH scope global permanent|awk '/inet6 /{gsub(/\/.+$/,"",$2);print $2;exit}') +fi + +# update SSH listening port +if [[ $PORTSSH == 22 ]]; then + sed -ri 's/^#?Port [0-9]+$/#Port 22/' $CONF +else + sed -ri "s/^#?Port [0-9]+\$/Port $PORTSSH/" $CONF +fi + +# bind/unbind SSH service +if [[ -n $IPV4 ]]; then + sed -ri "s/^#?(ListenAddress) 0.0.0.0\$/\1 $IPV4/" $CONF +else + sed -ri 's/^#?(ListenAddress) [0-9]{1,3}\..+$/#\1 0.0.0.0/' $CONF +fi +if [[ -n $IPV6 ]]; then + sed -ri "s/^#?(ListenAddress) ::\$/\1 $IPV6/" $CONF +else + sed -ri 's/^#?(ListenAddress) [A-Fa-f0-9]{1,4}:.+$/#\1 ::/' $CONF +fi +/etc/rc.d/rc.sshd restart >/dev/null + +# enable/disable TELNET service +if [[ $USE_TELNET == yes ]]; then + sed -ri 's/^#?(telnet\s.*telnetd$)/\1/' $INET +else + sed -ri 's/^#?(telnet\s.*telnetd$)/#\1/' $INET +fi +/etc/rc.d/rc.inetd restart >/dev/null
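Review bot: The new "Restrict GUI access to management interface only" help text in hunk @@ -29,75 +29,65 @@ of SSLSettings.page says restricted access limits both webGUI and SSH to eth0, but the only code in this patch that acts on BIND_MGT is update_access, which rewrites sshd ListenAddress and nothing else, and it picks bond0 or br0 over eth0 when those exist. Either reference where the webGUI binding is applied, or reword the text to describe what this change does: "Restricted management access limits SSH access to the management interface only (eth0, or bond0/br0 when configured)." Two smaller points in the same hunk: the TELNET text recommends disabling it while the shipped default stays enabled (USE_TELNET=yes in update_access), so stating why it is insecure (credentials and sessions travel in clear text) would help the operator act on the recommendation; and the unchanged context line "you may turn off the *updatedns* and *newcert*" names a process that the list above introduces as *renewcert*.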
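Review bot: The new "SSH port" entry in hunk @@ -161,24 +164,31 @@ gives no valid range and does not tell the operator that applying the setting restarts sshd (update_access runs `/etc/rc.d/rc.sshd restart`), which drops the SSH session they may be using at that moment. Suggest "> Enter the SSH port (1-65535), default port is 22. Changing it restarts the SSH service." so the behaviour is documented alongside the field.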
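Review bot: Hunk @@ -195,24 +205,24 @@ is trailing-whitespace cleanup only; since these lines are being touched, the context line "allocate a *free* SSL Certficiate" could be corrected to "Certificate" in the same change.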
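Review bot: In update_access (hunk @@ -0,0 +1,53 @@) PORTSSH is written into sshd_config unvalidated: `sed -ri "s/^#?Port [0-9]+\$/Port $PORTSSH/" $CONF` accepts whatever ident.cfg holds, and because `/etc/rc.d/rc.sshd restart >/dev/null` discards the output, a malformed value leaves sshd down with no error surfaced, locking the operator out of SSH until the file is repaired from the console. Suggest checking `[[ $PORTSSH =~ ^[0-9]+$ ]] && (( PORTSSH >= 1 && PORTSSH <= 65535 ))` before the sed (falling back to 22 otherwise) and running `sshd -t` before the restart so a broken config is never loaded. Two further logic points: (1) the bind branches only match `ListenAddress 0.0.0.0` and `ListenAddress ::`, so once sshd has been bound to a specific address and the management IP later changes, the old ListenAddress line is left untouched and the new address is never applied; match any existing ListenAddress line in the bind case, as the unbind branches already do. (2) The settings block tests `/boot/config/ident.cfg` but runs fromdos on and sources `/var/tmp/ident.cfg`; nothing in this script copies one to the other, so either the test path or the source path is wrong. Minor: `[[ -a ... ]]` is a legacy spelling of `-e`, and sourcing the config executes any shell it contains as root, so extracting only the three expected keys (BIND_MGT, USE_TELNET, PORTSSH) would narrow that.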