/alcasar.sh |
---|
657,7 → 657,6 |
EOF |
fi |
# write INTIF (consultation LAN) in normal mode |
cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF |
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF |
DEVICE=$INTIF |
BOOTPROTO=static |
669,6 → 668,7 |
ACCOUNTING=no |
USERCTL=no |
EOF |
cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF |
# write INTIF in bypass mode (see "alcasar-bypass.sh") |
cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF |
DEVICE=$INTIF |
1367,10 → 1367,6 |
[ -e /lib/systemd/system/clamav-daemon.service.default ] || cp /lib/systemd/system/clamav-daemon.service /lib/systemd/system/clamav-daemon.service.default |
$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /lib/systemd/system/clamav-daemon.service |
$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /lib/systemd/system/clamav-daemon.service |
[ -e /lib/systemd/system/clamav-daemon.socket.default ] || cp /lib/systemd/system/clamav-daemon.socket /lib/systemd/system/clamav-daemon.socket.default |
$SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /lib/systemd/system/clamav-daemon.socket |
$SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /lib/systemd/system/clamav-daemon.socket |
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default |
$SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf |
$SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message |
1428,7 → 1424,7 |
nfsen() |
{ |
groupadd -f nfcapd |
id -u nfcapd >/dev/null 2>&1 || useradd -r -g nfcapd -s /bin/false -c "system user for nfcapd" nfcapd |
useradd -r -g nfcapd -s /bin/false -c "system user for nfcapd" nfcapd |
# nfcapd unit for systemd |
cat << EOF > /lib/systemd/system/nfcapd.service |
# This file is part of systemd. |
1842,33 → 1838,31 |
######################################################################## |
fail2ban() |
{ |
# adapt fail2ban to Mageia (fedora like) & ALCASAR behaviour |
# adapt fail2ban.conf to Mageia (fedora like) & ALCASAR behaviour |
[ -e /etc/fail2ban/jail.conf.default ] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default |
$SED "s?^before =.*?before = paths-fedora.conf?g" /etc/fail2ban/jail.conf |
$SED "s?^bantime =.*?bantime = 3m?g" /etc/fail2ban/jail.conf |
$SED "s?^findtime =.*?findtime = 5m?g" /etc/fail2ban/jail.conf |
# add 5 jails and their filters |
## sshd : Ban after 3 failed attempts (ie. brute-force). This "jail" uses the default "sshd" f2b filter. |
cat << EOF > /etc/fail2ban/jail.d/01-alcasar_sshd.conf |
cat << EOF > /etc/fail2ban/jail.d/01alcasar_sshd.conf |
[sshd] |
enabled = true |
#enabled = false |
maxretry = 3 |
bantime = 3m |
findtime = 5m |
EOF |
## lighttpd-auth : Ban after 3 failed attempts on ACC. This "jail" uses the default "lighttpd-auth" f2b filter. |
cat << EOF > /etc/fail2ban/jail.d/02-alcasar_lighttpd-auth.conf |
cat << EOF > /etc/fail2ban/jail.d/02alcasar_lighttpd-auth.conf |
[lighttpd-auth] |
enabled = true |
#enabled = false |
maxretry = 3 |
bantime = 3m |
findtime = 3m |
EOF |
## mod-evasive : Ban after 3 failed retrieve page attempts (ie : unknown page) |
cat << EOF > /etc/fail2ban/jail.d/03-alcasar_mod-evasive.conf |
cat << EOF > /etc/fail2ban/jail.d/03alcasar_mod-evasive.conf |
[alcasar_mod-evasive] |
#enabled = true |
enabled = false |
1877,8 → 1871,6 |
action = iptables-allports[name=alcasar_mod-evasive] |
logpath = /var/log/lighttpd/access.log |
maxretry = 3 |
bantime = 3m |
findtime = 3m |
EOF |
cat << EOF > /etc/fail2ban/filter.d/alcasar_mod-evasive.conf |
[Definition] |
1887,7 → 1879,7 |
EOF |
### alcasar_intercept : ban after 5 failed user login attemps on intercept.php |
cat << EOF > /etc/fail2ban/jail.d/04-alcasar_intercept.conf |
cat << EOF > /etc/fail2ban/jail.d/04alcasar_intercept.conf |
[alcasar_intercept] |
enabled = true |
#enabled = false |
1896,9 → 1888,6 |
action = iptables-allports[name=alcasar_intercept] |
logpath = /var/log/lighttpd/access.log |
maxretry = 5 |
bantime = 3m |
findtime = 3m |
EOF |
cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf |
[Definition] |
failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject |
1906,7 → 1895,7 |
EOF |
## alcasar_change-pwd : ban after 5 failed user change password attempts |
cat << EOF > /etc/fail2ban/jail.d/05-alcasar_change-pwd.conf |
cat << EOF > /etc/fail2ban/jail.d/05alcasar_change-pwd.conf |
[alcasar_change-pwd] |
enabled = true |
#enabled = false |
1915,8 → 1904,6 |
action = iptables-allports[name=alcasar_change-pwd] |
logpath = /var/log/lighttpd/access.log |
maxretry = 5 |
bantime = 3m |
findtime = 3m |
EOF |
cat << EOF > /etc/fail2ban/filter.d/alcasar_change-pwd.conf |
[Definition] |
1946,7 → 1933,7 |
{ |
# Create 'gammu' system user |
groupadd -f gammu_smsd |
useradd -r -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd |
useradd --system -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd |
usermod -a -G dialout gammu_smsd |
# Create 'gammu' database |
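Review bot: In the clamav hunk (1367) the two `$SED "/^[Service]/a ExecStartPre=..."` lines use an unescaped `[Service]`, which sed reads as a bracket expression. The address therefore matches any line starting with S, e, r, v, i or c, and never the literal `[Service]` header, which starts with `[`. The rendering does not mark sides, but these lines appear to stay in the new revision, since alcasar-uninstall.sh still restores clamav-daemon.service.default. If so, the `mkdir -p /run/clamav` and `chown e2guardian:e2guardian /run/clamav` pre-start steps are not inserted under the section header, and the scanner's runtime directory may be missing or wrongly owned. Escape the brackets, e.g. `$SED "/^\[Service\]/a ExecStartPre=/bin/mkdir -p /run/clamav" /lib/systemd/system/clamav-daemon.service`, and do the same on the chown line.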
/conf/letsencrypt-client/acme.sh-2.8.7.tar.gz |
---|
Cannot display: file marked as a binary type. |
svn:mime-type = application/octet-stream |
Property changes: |
Deleted: svn:mime-type |
-application/octet-stream |
\ No newline at end of property |
/conf/letsencrypt-client/acme.sh-2.8.5.tar.gz |
---|
Cannot display: file marked as a binary type. |
svn:mime-type = application/octet-stream |
Property changes: |
Added: svn:mime-type |
+application/octet-stream |
\ No newline at end of property |
/rpms/gammu.spec |
---|
File deleted |
/rpms/x86_64/lib64gammu8-1.42.0-1.mga7.x86_64.rpm |
---|
Cannot display: file marked as a binary type. |
svn:mime-type = application/octet-stream |
Property changes: |
Deleted: svn:mime-type |
-application/octet-stream |
\ No newline at end of property |
/rpms/x86_64/gammu-1.42.0-1.mga7.x86_64.rpm |
---|
Cannot display: file marked as a binary type. |
svn:mime-type = application/octet-stream |
Property changes: |
Deleted: svn:mime-type |
-application/octet-stream |
\ No newline at end of property |
/rpms/x86_64/gammu-1.41.0-1.mga7.x86_64.rpm |
---|
Cannot display: file marked as a binary type. |
svn:mime-type = application/octet-stream |
Property changes: |
Added: svn:mime-type |
+application/octet-stream |
\ No newline at end of property |
/rpms/x86_64/lib64gammu8-1.41.0-1.mga7.x86_64.rpm |
---|
Cannot display: file marked as a binary type. |
svn:mime-type = application/octet-stream |
Property changes: |
Added: svn:mime-type |
+application/octet-stream |
\ No newline at end of property |
/scripts/alcasar-rpm-download.sh |
---|
13,7 → 13,7 |
# The kernel version we compile netflow for |
KERNEL="kernel-server-5.7.19-3.mga7-1-1.mga7" |
# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ****** |
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli php-rrd unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamd fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli sudo socat" |
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli php-rrd unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamd fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli sudo" |
rpm_repository_sync () |
{ |
/scripts/alcasar-uninstall.sh |
---|
118,11 → 118,10 |
antivirus () |
{ |
echo -en "(4) : " |
echo -en "(3) : " |
[ -e /lib/systemd/system/clamav-daemon.service.default ] && mv /lib/systemd/system/clamav-daemon.service.default /lib/systemd/system/clamav-daemon.service && echo -n "1, " |
[ -e /lib/systemd/system/clamav-daemon.socket.default ] && mv /lib/systemd/system/clamav-daemon.socket.default /lib/systemd/system/clamav-daemon.socket && echo -n "2, " |
[ -e /etc/clamd.conf.default ] && mv /etc/clamd.conf.default /etc/clamd.conf && echo -n "3, " |
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "4" |
[ -e /etc/clamd.conf.default ] && mv /etc/clamd.conf.default /etc/clamd.conf && echo -n "2, " |
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "3" |
} |
ulogd () |
193,7 → 192,7 |
fail2ban () |
{ |
echo -en "(11) : " |
echo -en "(6) : " |
[ -e /etc/fail2ban/jail.conf.default ] && mv /etc/fail2ban/jail.conf.default /etc/fail2ban/jail.conf && echo -n "1, " |
[ -e /etc/fail2ban/action.d/iptables-allports.conf.default ] && mv /etc/fail2ban/action.d/iptables-allports.conf.default /etc/fail2ban/action.d/iptables-allports.conf # only for ALCASAR version <= V3.5.1 |
i=2 |
358,9 → 357,6 |
sleep 1 |
fi |
# Reset "skip.list" (we keep "kernel" in order not to download kernel we don't want to have) |
echo "/^kernel/" > /etc/urpmi/skip.list |
# Cleaning (remove all "old" alcasar scripts) |
echo -en "\n- End of cleaning ...\n" |
for rm_fic in /usr/local/bin /usr/local/etc /usr/local/sbin |
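Review bot: The last hunk (358) appears to drop the `echo "/^kernel/" > /etc/urpmi/skip.list` reset from the uninstall path, while alcasar-urpmi.sh still writes `/^freeradius/`, `/^wkhtmltopdf/`, `/^clamd/` and `/^clamav/` into that file. If that reading of the sides is right, those entries outlive the uninstall and urpmi keeps leaving these packages out of automatic updates, security fixes included. Either keep the reset line or state the intent with a comment such as `# skip.list is left as written by alcasar-urpmi.sh: pinned packages must be updated by hand`. The hunk starts inside an `if` and ends on the `for rm_fic` line, so the surrounding code is not visible here.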
/scripts/alcasar-urpmi.sh |
---|
17,9 → 17,8 |
# (old) perl-Socket6 : needed by nfsen |
# "fonts-dejavu-common" & "fonts-ttf-dejavu" : fonts needed by wkhtmltopdf |
# "lsscsi" & nvme-cli" : needed by phpsysinfo |
# "socat" : avoid a warning when run the install script of letsencrypt ("acme.sh") |
# "sudo" : needed after a reinstallation (to be investigated) |
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli php-rrd unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamd fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli sudo socat" |
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli php-rrd unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamd fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli sudo" |
rpm_repository_sync () |
{ |
118,6 → 117,12 |
fi |
fi |
done |
# fix some RPM versions |
echo "/^kernel/" > /etc/urpmi/skip.list |
echo "/^freeradius/" >> /etc/urpmi/skip.list |
echo "/^wkhtmltopdf/" >> /etc/urpmi/skip.list |
echo "/^clamd/" >> /etc/urpmi/skip.list |
echo "/^clamav/" >> /etc/urpmi/skip.list |
# download the kernel used by ALCASAR |
if [ $Lang == "fr" ] |
then |
264,10 → 269,4 |
then |
exit 1 |
fi |
# fix some RPM versions |
echo "/^kernel/" > /etc/urpmi/skip.list |
echo "/^freeradius/" >> /etc/urpmi/skip.list |
echo "/^wkhtmltopdf/" >> /etc/urpmi/skip.list |
echo "/^clamd/" >> /etc/urpmi/skip.list |
echo "/^clamav/" >> /etc/urpmi/skip.list |
exit 0 |
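Review bot: The skip.list block appears to move from just ahead of `exit 0` (hunk 264) to before the kernel download (hunk 118), so `/etc/urpmi/skip.list` is now overwritten even when the script later leaves through the `exit 1` path visible in hunk 264. The first `echo "/^kernel/" >` also truncates the file, dropping any entry an administrator added. A comment on the block would record the consequence, for example `# pinned: kernel, freeradius, wkhtmltopdf, clamd, clamav are excluded from automatic updates; update them by hand`. Both hunks cut through code whose start and end are outside the view.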
/CHANGELOG |
---|
4,19 → 4,17 |
-------------------- 3.5.1 -------------------- |
NEWS |
- Integration of the European “WIFI4EU” system (in the exploitation doc) |
- linux-Kernel 5.7.19 |
- ipt-NETFLOW 2.5.1 |
- gammu 1.42 |
- Linux-Kernel 5.7.14 |
- Ipt-NETFLOW 2.5.1 |
ACC |
- Spanish translation (Thanks to Germán BOWERS) |
CHANGES |
- Improve the voucher (tickets) display with a serif font |
- Local DNS resolution simplification |
- ALCASAR E2guardian html template when intercepted (due to blacklisted-URL or malware detected) |
BUGS |
- Network IP addresses can now be set as exception |
- "sudo" RPM isn't automatically loaded |
- Several fail2ban fixes & simplifications |
- sudo RPM isn't automatically loaded |
- several fail2ban fixes |
-------------------- 3.5.0 -------------------- |
NEWS |
- Mageia7.1 and Linux Kernel 5.6.14 |