Application list with non-hardcoded ports possible?

Asked by Mark Schmitz

Hello,

would it be possible to get the actual sshd listening port instead of using the hard-coded port 22?

That could be achieved by generating the applications profiles dynamically upon installation and maybe update upon running ufw?

I'm asking specifically because of SSH – as it's not uncommon to change the default port and it would be nice if the application profile for SSH and/or OpenSSH was updated automatically.

Currently I'm using the bash script below to update the SSH port for all profiles using port 22 or ending in SSH, if the port has been changed already:

```bash
#! /usr/bin/env bash
epoch=$(date +%s)
profiles_dir=/etc/ufw/applications.d/
cd "$profiles_dir" || exit 1

# get all active listening ports from /etc/ssh/sshd_config ; i.e. lines starting with Port (not commented out)
arr_ssh_ports=($(awk '$1 ~ "^Port" {print $2}' /etc/ssh/sshd_config))
# no Port directive at all means sshd listens on the default 22
[[ ${#arr_ssh_ports[@]} -eq 0 ]] && arr_ssh_ports=(22)

# alternatives:
# grep -E "^Port" /etc/ssh/sshd_config | cut -d" " -f2
# awk '$1 ~ "^Port" {print $2}' /etc/ssh/sshd_config
# sed -ne '/^Port/{s/[Port ]//g;p}' /etc/ssh/sshd_config

# convert the bash array to a comma separated string
comma_separated_ports=$(IFS=, && echo "${arr_ssh_ports[*]}")
# alternative:
# echo "${arr_ssh_ports[@]}" | sed 's/ /,/g'

# without using bash arrays:
# string_ssh_ports=$(awk '$1 ~ "^Port" {print $2}' /etc/ssh/sshd_config)
# comma_separated_ports=${string_ssh_ports//$'\n'/,}

# assume port 22 is only used for SSH, find all profiles, store in string
# (profile file names contain no whitespace, so the unquoted word splitting below is intended)
ssh_22_profiles=$(grep -Fl 'ports=22/tcp' *)

if [[ -n $ssh_22_profiles ]]; then
  # create backup tar of all profiles to be changed
  echo "Creating backup: ssh_22_profiles_${epoch}.tar of profiles to be changed:"
  tar cvf "../ssh_22_profiles_${epoch}.tar" $ssh_22_profiles

  echo -e "\nCurrent profile(s):"
  grep -ih 'SSH]' -A 3 *

  for f in $ssh_22_profiles ; do
    sed -i -e "s!ports=22/tcp!ports=${comma_separated_ports}/tcp!g" "$f"
  done

  echo -e "\nNew profile(s):"
  grep -ih 'SSH]' -A 3 *
else
  # port has been changed before, is no longer default 22
  current_ssh_app_ports=$(grep -ih 'SSH]' -A 3 * | grep 'ports=' | sort -u)
  # the SSH profiles must exist and agree on a single ports= line; otherwise an
  # empty or multi-line pattern would be handed to grep/sed and rewrite the wrong files
  if [[ -z $current_ssh_app_ports || $(printf '%s\n' "$current_ssh_app_ports" | wc -l) -ne 1 ]]; then
    echo "No single ports= line found in the SSH profiles, fix them by hand:" >&2
    printf '%s\n' "$current_ssh_app_ports" >&2
    exit 1
  fi
  sshd_profile_ports="ports=${comma_separated_ports}/tcp"
  if [[ $current_ssh_app_ports != "$sshd_profile_ports" ]]; then
    ssh_profiles=$(grep -Fl "$current_ssh_app_ports" *)

    echo "Creating backup: ssh_profiles_${epoch}.tar of profiles to be changed:"
    tar cvf "../ssh_profiles_${epoch}.tar" $ssh_profiles

    echo -e "\nCurrent profile(s):"
    grep -ih 'SSH]' -A 3 *

    for f in $ssh_profiles ; do
      sed -i -e "s!${current_ssh_app_ports}!${sshd_profile_ports}!g" "$f"
    done

    echo -e "\nNew profile(s):"
    grep -ih 'SSH]' -A 3 *
  else
    echo "Ports in profiles match sshd configuration: $comma_separated_ports/tcp"
  fi
fi
```
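As an added example (not part of the question above and not code from ufw or OpenSSH), the script below takes the other route the question suggests: instead of rewriting the stock profiles in place, it derives the configured sshd port(s) from an sshd_config and renders a separate ufw application profile for them. The function names and the profile name `OpenSSH-dynamic` are this example's own choices. The port values are validated before they are emitted, so a damaged or wrong config file cannot produce a malformed profile or open an unintended port, and the demonstration runs on a constructed sshd_config in a temp file rather than touching `/etc`.

```shell
#!/usr/bin/env bash
# Added example (not from the question, ufw or OpenSSH): read the port(s) sshd
# is configured to listen on and render a ufw application profile for them.
# Function names and the profile name "OpenSSH-dynamic" are this example's own.

# Print the Port values of an sshd_config (file argument, or stdin when no
# argument is given) as a comma-separated list. Keyword matching is
# case-insensitive like sshd's own parser, comments and blank lines are
# skipped, duplicates are dropped, and a config with no Port directive
# yields sshd's default, 22. Non-numeric or out-of-range values make the
# call fail instead of producing a broken profile.
# Caveat: ports given as "ListenAddress host:port" or in Include'd files are
# not seen here; on a live host "sshd -T | awk '$1 == \"port\" {print $2}'"
# prints the effective values.
sshd_config_ports() {
  local ports p
  ports=$(awk '
    /^[[:space:]]*#/ || NF == 0 { next }
    tolower($1) == "port" && !seen[$2]++ { p[n++] = $2 }
    END {
      if (n == 0) { print 22; exit }
      for (i = 0; i < n; i++) printf "%s%s", (i ? "," : ""), p[i]
      print ""
    }' "$@") || return 1
  for p in $(printf '%s' "$ports" | tr ',' ' '); do
    case $p in
      ''|*[!0-9]*) printf 'sshd_config: non-numeric Port value "%s"\n' "$p" >&2; return 1 ;;
    esac
    if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
      printf 'sshd_config: Port %s out of range\n' "$p" >&2; return 1
    fi
  done
  printf '%s\n' "$ports"
}

# Render a ufw application profile (INI-style: one [section] per profile and
# a ports=<list>/<proto> line) for the given profile name and port list.
render_ufw_profile() {
  local name=$1 ports=$2
  printf '[%s]\n' "$name"
  printf 'title=OpenSSH server (ports taken from sshd_config)\n'
  printf 'description=Secure shell server; regenerate this profile whenever sshd_config changes.\n'
  printf 'ports=%s/tcp\n' "$ports"
}

# Demonstration on a constructed sshd_config in a temp file, so this runs
# offline. On a live host the same two calls would read /etc/ssh/sshd_config,
# write to /etc/ufw/applications.d/openssh-dynamic, and be followed by
# "ufw app update OpenSSH-dynamic" so rules referencing the profile pick up
# the new ports.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# constructed sample: non-default port, plus a commented-out default
#Port 22
Port 2222
PasswordAuthentication no
EOF
demo_ports=$(sshd_config_ports "$demo_cfg")
render_ufw_profile OpenSSH-dynamic "$demo_ports"
rm -f "$demo_cfg"
```

Keeping the generated profile under its own name means the stock `OpenSSH` profile is never edited (so package upgrades cannot silently revert it) and `ufw allow OpenSSH-dynamic` keeps working after a regeneration, because ufw resolves the rule through the profile name. Running the generator from a hook that fires whenever sshd_config changes, followed by `ufw app update OpenSSH-dynamic`, gives the automatic update the question asks for.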

Question information

Language: English
Status: Expired
For: Ubuntu ufw
Assignee: No assignee
Launchpad Janitor (janitor) said :
#1

This question was expired because it remained in the 'Open' state without activity for the last 15 days.