


Ignore whitespace Rev 2868 → Rev 2867

/alcasar.sh
657,7 → 657,6
EOF
fi
# write INTIF (consultation LAN) in normal mode
cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
DEVICE=$INTIF
BOOTPROTO=static
669,6 → 668,7
ACCOUNTING=no
USERCTL=no
EOF
cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
# write INTIF in bypass mode (see "alcasar-bypass.sh")
cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
DEVICE=$INTIF
1367,10 → 1367,6
[ -e /lib/systemd/system/clamav-daemon.service.default ] || cp /lib/systemd/system/clamav-daemon.service /lib/systemd/system/clamav-daemon.service.default
$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /lib/systemd/system/clamav-daemon.service
$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /lib/systemd/system/clamav-daemon.service
[ -e /lib/systemd/system/clamav-daemon.socket.default ] || cp /lib/systemd/system/clamav-daemon.socket /lib/systemd/system/clamav-daemon.socket.default
$SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
$SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default
$SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf
$SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message
1428,7 → 1424,7
nfsen()
{
groupadd -f nfcapd
id -u nfcapd >/dev/null 2>&1 || useradd -r -g nfcapd -s /bin/false -c "system user for nfcapd" nfcapd
useradd -r -g nfcapd -s /bin/false -c "system user for nfcapd" nfcapd
# nfcapd unit for systemd
cat << EOF > /lib/systemd/system/nfcapd.service
# This file is part of systemd.
1842,33 → 1838,31
########################################################################
fail2ban()
{
# adapt fail2ban to Mageia (fedora like) & ALCASAR behaviour
# adapt fail2ban.conf to Mageia (fedora like) & ALCASAR behaviour
[ -e /etc/fail2ban/jail.conf.default ] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default
$SED "s?^before =.*?before = paths-fedora.conf?g" /etc/fail2ban/jail.conf
$SED "s?^bantime =.*?bantime = 3m?g" /etc/fail2ban/jail.conf
$SED "s?^findtime =.*?findtime = 5m?g" /etc/fail2ban/jail.conf
 
# add 5 jails and their filters
## sshd : Ban after 3 failed attempts (ie. brute-force). This "jail" uses the default "sshd" f2b filter.
cat << EOF > /etc/fail2ban/jail.d/01-alcasar_sshd.conf
cat << EOF > /etc/fail2ban/jail.d/01alcasar_sshd.conf
[sshd]
enabled = true
#enabled = false
maxretry = 3
bantime = 3m
findtime = 5m
EOF
 
## lighttpd-auth : Ban after 3 failed attempts on ACC. This "jail" uses the default "lighttpd-auth" f2b filter.
cat << EOF > /etc/fail2ban/jail.d/02-alcasar_lighttpd-auth.conf
cat << EOF > /etc/fail2ban/jail.d/02alcasar_lighttpd-auth.conf
[lighttpd-auth]
enabled = true
#enabled = false
maxretry = 3
bantime = 3m
findtime = 3m
EOF
 
## mod-evasive : Ban after 3 failed retrieve page attempts (ie : unknown page)
cat << EOF > /etc/fail2ban/jail.d/03-alcasar_mod-evasive.conf
cat << EOF > /etc/fail2ban/jail.d/03alcasar_mod-evasive.conf
[alcasar_mod-evasive]
#enabled = true
enabled = false
1877,8 → 1871,6
action = iptables-allports[name=alcasar_mod-evasive]
logpath = /var/log/lighttpd/access.log
maxretry = 3
bantime = 3m
findtime = 3m
EOF
cat << EOF > /etc/fail2ban/filter.d/alcasar_mod-evasive.conf
[Definition]
1887,7 → 1879,7
EOF
 
### alcasar_intercept : ban after 5 failed user login attemps on intercept.php
cat << EOF > /etc/fail2ban/jail.d/04-alcasar_intercept.conf
cat << EOF > /etc/fail2ban/jail.d/04alcasar_intercept.conf
[alcasar_intercept]
enabled = true
#enabled = false
1896,9 → 1888,6
action = iptables-allports[name=alcasar_intercept]
logpath = /var/log/lighttpd/access.log
maxretry = 5
bantime = 3m
findtime = 3m
EOF
cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf
[Definition]
failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject
1906,7 → 1895,7
EOF
 
## alcasar_change-pwd : ban after 5 failed user change password attempts
cat << EOF > /etc/fail2ban/jail.d/05-alcasar_change-pwd.conf
cat << EOF > /etc/fail2ban/jail.d/05alcasar_change-pwd.conf
[alcasar_change-pwd]
enabled = true
#enabled = false
1915,8 → 1904,6
action = iptables-allports[name=alcasar_change-pwd]
logpath = /var/log/lighttpd/access.log
maxretry = 5
bantime = 3m
findtime = 3m
EOF
cat << EOF > /etc/fail2ban/filter.d/alcasar_change-pwd.conf
[Definition]
1946,7 → 1933,7
{
# Create 'gammu' system user
groupadd -f gammu_smsd
useradd -r -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
useradd --system -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
usermod -a -G dialout gammu_smsd
 
# Create 'gammu' database
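Review bot: The alcasar_intercept filter written in the hunk at 1896, `failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject`, is unanchored, so nothing ties `<HOST>` to the client-address field or the `\"GET …` part to the request field; in lighttpd's access log the referer and user-agent fields are request-supplied, so the match may come from those fields rather than from the actual request (how much that matters depends on the access.log format configured for lighttpd, which is not visible here). fail2ban's own filter guidance is to anchor on the client field: `failregex = ^<HOST> .*\"GET \/intercept\.php\?res=failed\&reason=reject`. The sibling filters alcasar_mod-evasive and alcasar_change-pwd are written by the same function but their failregex lines fall outside the visible hunks, so check them for the same anchoring. fail2ban() opens in the hunk at 1842 and its body continues past the last visible hunk.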
/conf/letsencrypt-client/acme.sh-2.8.7.tar.gz
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes:
Deleted: svn:mime-type
-application/octet-stream
\ No newline at end of property
/conf/letsencrypt-client/acme.sh-2.8.5.tar.gz
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes:
Added: svn:mime-type
+application/octet-stream
\ No newline at end of property
/rpms/gammu.spec
File deleted
/rpms/x86_64/lib64gammu8-1.42.0-1.mga7.x86_64.rpm
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes:
Deleted: svn:mime-type
-application/octet-stream
\ No newline at end of property
/rpms/x86_64/gammu-1.42.0-1.mga7.x86_64.rpm
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes:
Deleted: svn:mime-type
-application/octet-stream
\ No newline at end of property
/rpms/x86_64/gammu-1.41.0-1.mga7.x86_64.rpm
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes:
Added: svn:mime-type
+application/octet-stream
\ No newline at end of property
/rpms/x86_64/lib64gammu8-1.41.0-1.mga7.x86_64.rpm
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes:
Added: svn:mime-type
+application/octet-stream
\ No newline at end of property
/scripts/alcasar-rpm-download.sh
13,7 → 13,7
# The kernel version we compile netflow for
KERNEL="kernel-server-5.7.19-3.mga7-1-1.mga7"
# ****** Alcasar needed RPMS - paquetages nécessaires au fonctionnement d'Alcasar ******
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli php-rrd unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamd fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli sudo socat"
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli php-rrd unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamd fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli sudo"
 
rpm_repository_sync ()
{
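Review bot: The PACKAGES assignment is maintained by hand in two scripts — the identical string appears in scripts/alcasar-urpmi.sh (its hunk at 17) and both copies are edited in lockstep here — so the next edit that touches only one of them silently desynchronises what this script downloads from what the installer installs. At minimum mark the coupling with `# NOTE: keep in sync with PACKAGES in scripts/alcasar-urpmi.sh` above the assignment (and the mirror comment in the other script); better, define the list once in a file both scripts source. rpm_repository_sync() opens at the end of the hunk and its body is outside the visible lines.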
/scripts/alcasar-uninstall.sh
118,11 → 118,10
 
antivirus ()
{
echo -en "(4) : "
echo -en "(3) : "
[ -e /lib/systemd/system/clamav-daemon.service.default ] && mv /lib/systemd/system/clamav-daemon.service.default /lib/systemd/system/clamav-daemon.service && echo -n "1, "
[ -e /lib/systemd/system/clamav-daemon.socket.default ] && mv /lib/systemd/system/clamav-daemon.socket.default /lib/systemd/system/clamav-daemon.socket && echo -n "2, "
[ -e /etc/clamd.conf.default ] && mv /etc/clamd.conf.default /etc/clamd.conf && echo -n "3, "
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "4"
[ -e /etc/clamd.conf.default ] && mv /etc/clamd.conf.default /etc/clamd.conf && echo -n "2, "
[ -e /etc/freshclam.conf.default ] && mv /etc/freshclam.conf.default /etc/freshclam.conf && echo -n "3"
}
 
ulogd ()
193,7 → 192,7
 
fail2ban ()
{
echo -en "(11) : "
echo -en "(6) : "
[ -e /etc/fail2ban/jail.conf.default ] && mv /etc/fail2ban/jail.conf.default /etc/fail2ban/jail.conf && echo -n "1, "
[ -e /etc/fail2ban/action.d/iptables-allports.conf.default ] && mv /etc/fail2ban/action.d/iptables-allports.conf.default /etc/fail2ban/action.d/iptables-allports.conf # only for ALCASAR version <= V3.5.1
i=2
358,9 → 357,6
sleep 1
fi
 
# Reset "skip.list" (we keep "kernel" in order not to download kernel we don't want to have)
echo "/^kernel/" > /etc/urpmi/skip.list
 
# Cleaning (remove all "old" alcasar scripts)
echo -en "\n- End of cleaning ...\n"
for rm_fic in /usr/local/bin /usr/local/etc /usr/local/sbin
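Review bot: In antivirus() the `[ -e … ] && mv … && echo -n` chains treat a failed mv the same as a missing backup: the number is simply not printed and the script carries on, so a restore that fails (permissions, read-only filesystem) leaves the patched clamd.conf or freshclam.conf in place while the uninstall still appears to complete; fail2ban() in the hunk at 193 uses the same pattern at `[ -e /etc/fail2ban/jail.conf.default ] && mv …`. Wrapping each restore as `if ! mv /etc/clamd.conf.default /etc/clamd.conf; then printf '%s\n' 'restore of /etc/clamd.conf failed' >&2; fi` inside the existence test makes a partial rollback visible instead of silent. The hard-coded counts in `echo -en "(3) : "` and `echo -en "(6) : "` also mirror the number of .default backups alcasar.sh creates; a comment naming that coupling (`# count must match the .default backups made by alcasar.sh`) would help the next change keep them aligned. Both functions' bodies continue past the visible hunks.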
/scripts/alcasar-urpmi.sh
17,9 → 17,8
# (old) perl-Socket6 : needed by nfsen
# "fonts-dejavu-common" & "fonts-ttf-dejavu" : fonts needed by wkhtmltopdf
# "lsscsi" & nvme-cli" : needed by phpsysinfo
# "socat" : avoid a warning when run the install script of letsencrypt ("acme.sh")
# "sudo" : needed after a reinstallation (to be investigated)
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli php-rrd unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamd fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli sudo socat"
PACKAGES="vim-enhanced freeradius freeradius-mysql freeradius-ldap lighttpd lighttpd-mod_auth php-fpm php-gd php-ldap php-mysqli php-mbstring php-sockets php-curl php-pdo_sqlite php-cli php-rrd unbound e2guardian postfix mariadb ntp bind-utils openssh-server rng-utils rsync clamd fail2ban gnupg2 ulogd pm-fallback-policy ipset usb_modeswitch vnstat dos2unix p7zip msec kernel-userspace-headers kernel-firmware-nonfree dnsmasq dhcp-server tcpdump fonts-dejavu-common fonts-ttf-dejavu lsscsi nvme-cli sudo"
 
rpm_repository_sync ()
{
118,6 → 117,12
fi
fi
done
# fix some RPM versions
echo "/^kernel/" > /etc/urpmi/skip.list
echo "/^freeradius/" >> /etc/urpmi/skip.list
echo "/^wkhtmltopdf/" >> /etc/urpmi/skip.list
echo "/^clamd/" >> /etc/urpmi/skip.list
echo "/^clamav/" >> /etc/urpmi/skip.list
# download the kernel used by ALCASAR
if [ $Lang == "fr" ]
then
264,10 → 269,4
then
exit 1
fi
# fix some RPM versions
echo "/^kernel/" > /etc/urpmi/skip.list
echo "/^freeradius/" >> /etc/urpmi/skip.list
echo "/^wkhtmltopdf/" >> /etc/urpmi/skip.list
echo "/^clamd/" >> /etc/urpmi/skip.list
echo "/^clamav/" >> /etc/urpmi/skip.list
exit 0
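Review bot: `if [ $Lang == "fr" ]` in the hunk at 118 leaves $Lang unquoted inside single-bracket test and uses `==`, which POSIX `[` does not define; if Lang is unset or empty the test degenerates to `[ == fr ]`, prints a test error and falls through to the other branch, and a value containing whitespace is word-split. `if [ "$Lang" = "fr" ]` is the quoted, portable form; the if block continues past the hunk. Separately, `echo "/^kernel/" > /etc/urpmi/skip.list` truncates skip.list, so any entries an administrator added by hand are discarded on every run of this script — if that is intended, a comment stating that ALCASAR owns this file would make it explicit; otherwise append and de-duplicate instead of overwriting.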
/CHANGELOG
4,19 → 4,17
-------------------- 3.5.1 --------------------
NEWS
- Integration of the European “WIFI4EU” system (in the exploitation doc)
- linux-Kernel 5.7.19
- ipt-NETFLOW 2.5.1
- gammu 1.42
- Linux-Kernel 5.7.14
- Ipt-NETFLOW 2.5.1
ACC
- Spanish translation (Thanks to Germán BOWERS)
CHANGES
- Improve the voucher (tickets) display with a serif font
- Local DNS resolution simplification
- ALCASAR E2guardian html template when intercepted (due to blacklisted-URL or malware detected)
BUGS
- Network IP addresses can now be set as exception
- "sudo" RPM isn't automatically loaded
- Several fail2ban fixes & simplifications
- sudo RPM isn't automatically loaded
- several fail2ban fixes
-------------------- 3.5.0 --------------------
NEWS
- Mageia7.1 and Linux Kernel 5.6.14