/CHANGELOG |
---|
1,9 → 1,12 |
# $Id$ |
BUGS - The file "alcasar-services" is now sorted |
- New graphic option in grub conf file in order to avoid issues with mini-itx ATOM |
NEWS |
- Firewall-eyes is removed from ACC |
- Creation of a netflow probe (kernel module) |
- complete network statistics can be viewed in ACC (nfsen) |
- The porttracker nfsen module allow to view network statistics by protocols |
************ CHANGELOG *********** |
---------------------- 2.7.2 --------------------- |
BUGS - Modify the unit 'radiusd.service in order to wait for mysql |
/scripts/alcasar-iptables.sh |
---|
5,11 → 5,11 |
# Rexy - 3abtux - CPN |
# |
# Reminders |
# There are three channels for log : |
# 1 (default) for tracability; |
# 2 for secure admin (ssh); |
# 3 for exterior access attempts. |
# The French Security Agency (ANSSI) rules was applied by 'this script |
# There are four channels for log : |
# 1 tracability with The 'Netflow' kernel module (iptables target = NETFLOW); |
# 2 protection of ALCASAR with the Ulog group 1 (default group) |
# 3 SSH with the ulog group 2; |
# 4 extern access attempts with the ulog group 3. |
# The bootps/dhcp (67) port is always open on tun0/eth1 by coova |
conf_file="/usr/local/etc/alcasar.conf" |
private_ip_mask=`grep PRIVATE_IP= $conf_file|cut -d"=" -f2` |
76,7 → 76,7 |
############################# |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement à DansGuardian pour pouvoir les rejeter en INPUT |
# mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules |
# $IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY " |
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1 |
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 54 pour pouvoir les rejeter en INPUT |
102,8 → 102,9 |
fi |
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD |
# Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT " |
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD |
## $IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT " |
# Redirection des requêtes HTTP vers DansGuardian (proxy transparent) |
# Redirect HTTP requests in DansGuardian (transparent proxy) |
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080 |
137,8 → 138,8 |
# Conntrack on INPUT |
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT |
# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués dans la table mangle (PREROUTING) |
# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked in mangle table (PREROUTING) |
# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING) |
# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked and logged in mangle table (PREROUTING) |
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset |
# Insertion des règles de blocage IP |
150,7 → 151,7 |
if [ $ip_on != "#" ] |
then |
ip_blocked=`echo $ip_line|cut -d" " -f1` |
$IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT " |
# $IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT " |
$IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j REJECT |
fi |
done < /usr/local/etc/alcasar-ip-blocked |
226,7 → 227,6 |
if [ $ip_on != "#" ] |
then |
ip_blocked=`echo $ip_line|cut -d" " -f1` |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT " |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p udp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p tcp -j REJECT --reject-with tcp-reset |
262,7 → 262,7 |
then |
while read ip_exception |
do |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT " |
# $IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT |
done < /usr/local/etc/alcasar-filter-exceptions |
274,7 → 274,7 |
while read ip_allowed_line |
do |
ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2` |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT " |
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT |
done < /usr/local/etc/alcasar-uamallowed |
294,10 → 294,10 |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT |
else |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT " |
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT " |
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT |
fi |
305,7 → 305,7 |
done < /usr/local/etc/alcasar-services |
# Rejet explicite des autres protocoles |
# reject the others protocols |
$IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT " |
# $IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT " |
$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset |
$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable |
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT |
318,7 → 318,7 |
# Autorisation des connections sortant du LAN |
# Allow forward connections with log |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT " |
#$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT " |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW |
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT |
358,8 → 358,6 |
then |
$IPTABLES -A OUTPUT -p tcp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT |
$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT |
# $IPTABLES -A INPUT -p tcp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT |
# $IPTABLES -A INPUT -p udp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT |
fi |
/web/acc/stat.php |
---|
3,15 → 3,13 |
$select[0]="$l_stat_user_day"; |
$select[1]="$l_stat_con"; |
$select[2]="$l_stat_daily"; |
$select[3]="$l_firewall"; |
$select[4]="$l_moniteur"; |
$select[5]="$l_security"; |
$select[3]="$l_moniteur"; |
$select[4]="$l_security"; |
$fich[0]="manager/htdocs/user_stats.php"; |
$fich[1]="manager/htdocs/accounting.php"; |
$fich[2]="manager/htdocs/stats.php"; |
$fich[3]="admin/firewallEyes/index.html"; |
$fich[4]="/nfsen"; |
$fich[5]="manager/htdocs/security.php"; |
$fich[3]="/nfsen"; |
$fich[4]="manager/htdocs/security.php"; |
$j=0; |
while ($j != count($select)) |
{ |
/web/acc/admin/firewallEyes/configuration.php |
---|
File deleted |
/web/acc/admin/firewallEyes/header.php |
---|
File deleted |
/web/acc/admin/firewallEyes/gpl.txt |
---|
File deleted |
Property changes: |
Deleted: svn:eol-style |
-native |
\ No newline at end of property |
/web/acc/admin/firewallEyes/info.php |
---|
File deleted |
/web/acc/admin/firewallEyes/images/info.gif |
---|
Cannot display: file marked as a binary type. |
svn:mime-type = application/octet-stream |
Property changes: |
Deleted: svn:mime-type |
-application/octet-stream |
\ No newline at end of property |
/web/acc/admin/firewallEyes/images/port-dst.gif |
---|
Cannot display: file marked as a binary type. |
svn:mime-type = application/octet-stream |
Property changes: |
Deleted: svn:mime-type |
-application/octet-stream |
\ No newline at end of property |
/web/acc/admin/firewallEyes/images/dst-port.gif |
---|
Cannot display: file marked as a binary type. |
svn:mime-type = application/octet-stream |
Property changes: |
Deleted: svn:mime-type |
-application/octet-stream |
\ No newline at end of property |
/web/acc/admin/firewallEyes/images/header-background.jpg |
---|
Cannot display: file marked as a binary type. |
svn:mime-type = image/jpeg |
Property changes: |
Deleted: svn:mime-type |
-image/jpeg |
\ No newline at end of property |
/web/acc/admin/firewallEyes/images/source.gif |
---|
Cannot display: file marked as a binary type. |
svn:mime-type = application/octet-stream |
Property changes: |
Deleted: svn:mime-type |
-application/octet-stream |
\ No newline at end of property |
/web/acc/admin/firewallEyes/images/destination.gif |
---|
Cannot display: file marked as a binary type. |
svn:mime-type = application/octet-stream |
Property changes: |
Deleted: svn:mime-type |
-application/octet-stream |
\ No newline at end of property |
/web/acc/admin/firewallEyes/images/commandHeaderBkg.jpg |
---|
Cannot display: file marked as a binary type. |
svn:mime-type = image/jpeg |
Property changes: |
Deleted: svn:mime-type |
-image/jpeg |
\ No newline at end of property |
/web/acc/admin/firewallEyes/images/firewallEyes.jpg |
---|
Cannot display: file marked as a binary type. |
svn:mime-type = image/jpeg |
Property changes: |
Deleted: svn:mime-type |
-image/jpeg |
\ No newline at end of property |
/web/acc/admin/firewallEyes/images/port-src.gif |
---|
Cannot display: file marked as a binary type. |
svn:mime-type = application/octet-stream |
Property changes: |
Deleted: svn:mime-type |
-application/octet-stream |
\ No newline at end of property |
/web/acc/admin/firewallEyes/images/logo-firewallEyes.gif |
---|
Cannot display: file marked as a binary type. |
svn:mime-type = application/octet-stream |
Property changes: |
Deleted: svn:mime-type |
-application/octet-stream |
\ No newline at end of property |
/web/acc/admin/firewallEyes/images/src-port.gif |
---|
Cannot display: file marked as a binary type. |
svn:mime-type = application/octet-stream |
Property changes: |
Deleted: svn:mime-type |
-application/octet-stream |
\ No newline at end of property |
/web/acc/admin/firewallEyes/images/buttonBkg.jpg |
---|
Cannot display: file marked as a binary type. |
svn:mime-type = image/jpeg |
Property changes: |
Deleted: svn:mime-type |
-image/jpeg |
\ No newline at end of property |
/web/acc/admin/firewallEyes/messages |
---|
File deleted |
/web/acc/admin/firewallEyes/log.css |
---|
File deleted |
/web/acc/admin/firewallEyes/include.php |
---|
File deleted |
\ No newline at end of file |
/web/acc/admin/firewallEyes/index.html |
---|
File deleted |
/web/acc/admin/firewallEyes/logs.php |
---|
File deleted |
/web/acc/admin/firewallEyes/readme.txt |
---|
File deleted |
\ No newline at end of file |
Property changes: |
Deleted: svn:eol-style |
-native |
\ No newline at end of property |
/web/acc/menu.php |
---|
38,7 → 38,6 |
$l_stat_user_day = "usager/jour"; |
$l_stat_con = "connexions"; |
$l_stat_daily ="usage journalier"; |
$l_firewall ="parefeu"; |
$l_menu="Menu"; |
$l_moniteur="Statistiques Réseau"; |
$l_security="Sécurité"; |
65,7 → 64,6 |
$l_stat_user_day = "user/day"; |
$l_stat_con = "connections"; |
$l_stat_daily ="daily use"; |
$l_firewall ="firewall"; |
$l_menu="Main"; |
$l_moniteur="Statistiques Réseau"; |
$l_security="Security"; |
/alcasar.sh |
---|
20,7 → 20,7 |
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal) |
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares : |
# |
# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav |
# Coovachilli, freeradius, mariaDB, apache, netfilter, squid, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav, Ulog, fail2ban, NFsen and NFdump |
# Options : |
# -i or --install |
27,18 → 27,18 |
# -u or --uninstall |
# Functions : |
# testing : Tests de connectivité et de téléchargement avant installation |
# init : Installation des RPM et des scripts |
# network : Paramètrage du réseau |
# gestion : Installation de l'interface de gestion |
# AC : Initialisation de l'autorité de certification. Création des certificats |
# init_db : Création de la base 'radius' sur le serveur MySql |
# param_radius : Configuration du serveur d'authentification FreeRadius |
# param_web_radius: Configuration de l'interface de gestion de FreeRadius (dialupadmin) |
# param_chilli : Configuration du daemon 'coova-chilli' et de la page d'authentification |
# param_squid : Configuration du proxy squid en mode 'cache' |
# param_dansguardian : Configuration de l'analyseur de contenu DansGuardian |
# antivirus : Installation havp + libclamav |
# testing : connectivity tests and downloading before intall |
# init : Installation of RPM and scripts |
# network : Network parameters |
# ACC : ALCASAR Control Center installation |
# CA : Certification Authority initialization |
# init_db : Initilization of radius database managed with MariaDB |
# param_radius : FreeRadius initialisation |
# param_web_radius : copy ans modifiy original "freeradius web" in ACC |
# param_chilli : coovachilli initialisation (+authentication page) |
# param_squid : Squid cache proxy configuration |
# param_dansguardian : DansGuardian filtering HTTP proxy configuration |
# antivirus : HAVP + libclamav configuration |
# param_nfsen : Configuration du grapheur nfsen pour apache |
# dnsmasq : Configuration du serveur de noms et du serveur dhcp de secours |
# BL : Configuration de la BlackList |
102,7 → 102,7 |
service network start |
################################################################## |
## Function TESTING ## |
## Function "testing" ## |
## - Test of Internet access ## |
################################################################## |
testing () |
240,7 → 240,7 |
} # end of testing |
################################################################## |
## Fonction INIT ## |
## Function "init" ## |
## - Création du fichier "/root/ALCASAR_parametres.txt" ## |
## - Installation et modification des scripts du portail ## |
################################################################## |
314,7 → 314,7 |
} # End of init () |
################################################################## |
## Fonction network ## |
## Function "network" ## |
## - Définition du plan d'adressage du réseau de consultation ## |
## - Nommage DNS du système ## |
## - Configuration de l'interface eth1 (réseau de consultation) ## |
508,13 → 508,13 |
} # End of network () |
################################################################## |
## Fonction gestion ## |
## - installation du centre de gestion ## |
## Function "ACC" ## |
## - installation du centre de gestion (ALCASAR Control Center) ## |
## - configuration du serveur web (Apache) ## |
## - définition du 1er comptes de gestion ## |
## - sécurisation des accès ## |
################################################################## |
gestion() |
ACC () |
{ |
[ -d $DIR_WEB ] && rm -rf $DIR_WEB |
mkdir $DIR_WEB |
705,13 → 705,13 |
ErrorDocument 404 https://$HOSTNAME/ |
</Directory> |
EOF |
} # End of gestion () |
} # End of ACC() |
########################################################################################## |
## Fonction AC() ## |
## Fonction "CA" ## |
## - Création d'une Autorité de Certification et du certificat serveur pour apache ## |
########################################################################################## |
AC () |
CA () |
{ |
$SED "s?ifcfg-eth.?ifcfg-$INTIF?g" $DIR_DEST_BIN/alcasar-CA.sh |
$DIR_DEST_BIN/alcasar-CA.sh |
722,10 → 722,10 |
$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL |
chown -R root:apache /etc/pki |
chmod -R 750 /etc/pki |
} # End AC () |
} # End CA () |
########################################################################################## |
## Fonction init_db() ## |
## Fonction "init_db" ## |
## - Initialisation de la base Mysql ## |
## - Affectation du mot de passe de l'administrateur (root) ## |
## - Suppression des bases et des utilisateurs superflus ## |
758,7 → 758,7 |
} # End init_db () |
########################################################################## |
## Fonction param_radius ## |
## Fonction "param_radius" ## |
## - Paramètrage des fichiers de configuration FreeRadius ## |
## - Affectation du secret partagé entre coova-chilli et freeradius ## |
## - Modification de fichier de conf pour l'accès à Mysql ## |
815,7 → 815,7 |
} # End param_radius () |
########################################################################## |
## Fonction param_web_radius ## |
## Function "param_web_radius" ## |
## - Import, modification et paramètrage de l'interface "dialupadmin" ## |
## - Création du lien vers la page de changement de mot de passe ## |
########################################################################## |
874,7 → 874,7 |
} # End of param_web_radius () |
################################################################################## |
## Fonction param_chilli ## |
## Fonction "param_chilli" ## |
## - Création du fichier d'initialisation et de configuration de coova-chilli ## |
## - Paramètrage de la page d'authentification (intercept.php) ## |
################################################################################## |
1021,7 → 1021,7 |
} # End of param_chilli () |
########################################################## |
## Fonction param_squid ## |
## Fonction "param_squid" ## |
## - Paramètrage du proxy 'squid' en mode 'cache' ## |
## - Initialisation de la base de données ## |
########################################################## |
1060,7 → 1060,7 |
} # End of param_squid () |
################################################################## |
## Fonction param_dansguardian ## |
## Fonction "param_dansguardian" ## |
## - Paramètrage du gestionnaire de contenu Dansguardian ## |
################################################################## |
param_dansguardian () |
1108,7 → 1108,7 |
} # End of param_dansguardian () |
################################################################## |
## Fonction antivirus ## |
## Fonction "antivirus" ## |
## - configuration havp + libclamav ## |
################################################################## |
antivirus () |
1156,7 → 1156,7 |
} |
################################################################################## |
## param_ulogd function ## |
## function "param_ulogd" ## |
## - Ulog config for multi-log files ## |
################################################################################## |
param_ulogd () |
1164,7 → 1164,7 |
# Three instances of ulogd (three different logfiles) |
[ -d /var/log/firewall ] || mkdir -p /var/log/firewall |
nl=1 |
for log_type in tracability ssh ext-access |
for log_type in int-access ssh ext-access |
do |
[ -e /var/log/firewall/$log_type.log ] || touch /var/log/firewall/$log_type.log |
cp -f /etc/ulogd.conf /etc/ulogd-$log_type.conf |
1186,7 → 1186,7 |
########################################################## |
## Fonction param_nfsen ## |
## Function "param_nfsen" ## |
########################################################## |
param_nfsen() |
{ |
1207,19 → 1207,14 |
fi |
usermod -G www-data nfsen |
#Ajout du plugin nfsen : PortTracker |
mkdir -p /var/www/nfsen/plugins |
mkdir -p /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins |
chown -R nfsen:www-data /var/www/nfsen |
#Ajout du plugin PortTracker |
mkdir -p /var/log/netflow/porttracker |
mkdir -p /usr/share/nfsen/plugins |
chown -R apache:apache /usr/share/nfsen |
chown -R apache:apache /usr/share/nfsen /var/log/netflow/porttracker |
cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/ |
chown apache /var/log/netflow/porttracker |
#Copie du fichier de conf modifié de nfsen |
cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/ |
#Copie du script d'initialisation de nfsen |
cp $DIR_CONF/nfsen/nfsen.service /lib/systemd/system/ |
systemctl enable nfsen.service |
#Installation de nfsen via le scrip Perl |
DirTmp=$(pwd) |
cd /tmp/nfsen-1.3.6p1/ |
1256,7 → 1251,7 |
} # End of param_nfsen |
########################################################## |
## Fonction param_dnsmasq ## |
## Function "param_dnsmasq" ## |
########################################################## |
param_dnsmasq () |
{ |
1323,7 → 1318,7 |
} # End dnsmasq |
########################################################## |
## Fonction BL (BlackList) ## |
## Fonction "BL" ## |
########################################################## |
BL () |
{ |
1372,7 → 1367,7 |
} |
########################################################## |
## Fonction cron ## |
## Fonction "cron" ## |
## - Mise en place des différents fichiers de cron ## |
########################################################## |
cron () |
1459,7 → 1454,7 |
} # End cron |
################################################################## |
## Fonction Fail2Ban ## |
## Fonction "Fail2Ban" ## |
##- Modification de la configuration de fail2ban ## |
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ## |
################################################################## |
1474,7 → 1469,7 |
} #Fin de fail2ban_install() |
################################################################## |
## Fonction post_install ## |
## Fonction "post_install" ## |
## - Modification des bannières (locales et ssh) et des prompts ## |
## - Installation de la structure de chiffrement pour root ## |
## - Mise en place du sudoers et de la sécurité sur les fichiers## |
1536,12 → 1531,7 |
done |
# export des logs en 'retard' dans /var/Save/logs |
/usr/local/bin/alcasar-log.sh --export |
# processus lancés par défaut au démarrage |
for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam nfsen |
do |
/sbin/chkconfig --add $i |
done |
# create the alcasar-load_balancing unit |
cat << EOF > /lib/systemd/system/alcasar-load_balancing.service |
# This file is part of systemd. |
# |
1566,10 → 1556,18 |
[Install] |
WantedBy=multi-user.target |
EOF |
systemctl enable alcasar-load_balancing.service |
# processes launched at boot time (SYSV) |
for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam |
do |
/sbin/chkconfig --add $i |
done |
# processes launched at boot time (Systemctl) |
for i in alcasar-load_balancing.service nfsen.service |
# On applique les préconisations ANSSI |
# Apply French Security Agency rules |
do |
systemctl enable $i |
done |
# Apply French Security Agency (ANSSI) rules |
# ignorer les broadcast ICMP. (attaque smurf) |
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 |
# ignorer les erreurs ICMP bogus |
1643,7 → 1641,6 |
$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst |
$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst |
$SED "/^gfxmenu/d" /boot/grub/menu.lst |
# Remove unused services and users |
for old_svc in alsa sound dm |
do |
1675,7 → 1672,6 |
chown -R root:apache $DIR_DEST_ETC/* |
chmod -R 660 $DIR_DEST_ETC/* |
chmod ug+x $DIR_DEST_ETC/digest |
# Apply and save the firewall rules |
sh $DIR_DEST_BIN/alcasar-iptables.sh |
sleep 2 |
1832,10 → 1828,10 |
else |
mode="install" |
fi |
for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron fail2ban post_install |
for func in init network ACC CA init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron fail2ban post_install |
do |
$func |
echo "*** 'debug' : end of function $func ***"; read a |
# echo "*** 'debug' : end of function $func ***"; read a |
done |
;; |
-u | --uninstall) |