Rev 1220 → Rev 1221

/CHANGELOG
1,9 → 1,12
# $Id$
 
 
BUGS - The file "alcasar-services" is now sorted
- New graphic option in grub conf file in order to avoid issues with mini-itx ATOM
 
NEWS
- Firewall-eyes is removed from ACC
- Creation of a netflow probe (kernel module)
- complete network statistics can be viewed in ACC (nfsen)
- The porttracker nfsen module allow to view network statistics by protocols
************ CHANGELOG ***********
---------------------- 2.7.2 ---------------------
BUGS - Modify the unit 'radiusd.service in order to wait for mysql
/scripts/alcasar-iptables.sh
5,11 → 5,11
# Rexy - 3abtux - CPN
#
# Reminders
# There are three channels for log :
# 1 (default) for tracability;
# 2 for secure admin (ssh);
# 3 for exterior access attempts.
# The French Security Agency (ANSSI) rules was applied by 'this script
# There are four channels for log :
# 1 tracability with The 'Netflow' kernel module (iptables target = NETFLOW);
# 2 protection of ALCASAR with the Ulog group 1 (default group)
# 3 SSH with the ulog group 2;
# 4 extern access attempts with the ulog group 3.
# The bootps/dhcp (67) port is always open on tun0/eth1 by coova
conf_file="/usr/local/etc/alcasar.conf"
private_ip_mask=`grep PRIVATE_IP= $conf_file|cut -d"=" -f2`
76,7 → 76,7
#############################
# Marquage (et journalisation) des paquets qui tentent d'accéder directement à DansGuardian pour pouvoir les rejeter en INPUT
# mark (and log) the dansguardian bypass attempts in order to DROP them in INPUT rules
# $IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t nat -i $TUNIF -p tcp -d $PRIVATE_IP -m tcp --dport 8080 -j ULOG --ulog-prefix "RULE direct-proxy -- DENY "
$IPTABLES -A PREROUTING -t mangle -i $TUNIF -d $PRIVATE_IP -p tcp -m tcp --dport 8080 -j MARK --set-mark 1
 
# Marquage (et journalisation) des paquets qui tentent d'accéder directement au port udp 54 pour pouvoir les rejeter en INPUT
102,8 → 102,9
fi
 
# Journalisation des requètes HTTP vers Internet (seulement les paquets SYN) - Les autres protocoles sont journalisés en FORWARD
# Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
## Log HTTP requests to Internet (only syn packets) - Other protocols are log in FORWARD
## $IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -m state --state NEW -j ULOG --ulog-prefix "RULE F_http -- ACCEPT "
 
# Redirection des requêtes HTTP vers DansGuardian (proxy transparent)
# Redirect HTTP requests in DansGuardian (transparent proxy)
$IPTABLES -A PREROUTING -t nat -i $TUNIF -s $PRIVATE_NETWORK_MASK ! -d $PRIVATE_IP -p tcp --dport http -j REDIRECT --to-port 8080
137,8 → 138,8
# Conntrack on INPUT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués dans la table mangle (PREROUTING)
# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked in mangle table (PREROUTING)
# On interdit les connexions directes au port utilisé par DansGuardian (8080). Les packets concernés ont été marqués et loggués dans la table mangle (PREROUTING)
# Deny direct connections on DansGuardian port (8080). The concerned paquets are marked and logged in mangle table (PREROUTING)
$IPTABLES -A INPUT -i $TUNIF -p tcp --dport 8080 -m mark --mark 1 -j REJECT --reject-with tcp-reset
 
# Insertion des règles de blocage IP
150,7 → 151,7
if [ $ip_on != "#" ]
then
ip_blocked=`echo $ip_line|cut -d" " -f1`
$IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
# $IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
$IPTABLES -A INPUT -i $TUNIF -d $ip_blocked -p tcp --dport 8080 -m state --state NEW --syn -j REJECT
fi
done < /usr/local/etc/alcasar-ip-blocked
226,7 → 227,6
if [ $ip_on != "#" ]
then
ip_blocked=`echo $ip_line|cut -d" " -f1`
$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -j ULOG --ulog-prefix "RULE IP-blocked -- REJECT "
$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p icmp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -d $ip_blocked -p tcp -j REJECT --reject-with tcp-reset
262,7 → 262,7
then
while read ip_exception
do
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
# $IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ULOG --ulog-prefix "RULE IP-exception -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $ip_exception -m state --state NEW -j ACCEPT
done < /usr/local/etc/alcasar-filter-exceptions
274,7 → 274,7
while read ip_allowed_line
do
ip_allowed=`echo $ip_allowed_line|cut -d"\"" -f2`
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
# $IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ULOG --ulog-prefix "RULE IP-allowed -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -d $ip_allowed -m state --state NEW -j ACCEPT
done < /usr/local/etc/alcasar-uamallowed
294,10 → 294,10
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p icmp -j ACCEPT
else
 
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_TCP-$svc_name -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p tcp --dport $svc_port -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
# $IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ULOG --ulog-prefix "RULE F_UDP-$svc_name -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -p udp --dport $svc_port -m state --state NEW -j ACCEPT
fi
305,7 → 305,7
done < /usr/local/etc/alcasar-services
# Rejet explicite des autres protocoles
# reject the others protocols
$IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
# $IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "
$IPTABLES -A FORWARD -i $TUNIF -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -i $TUNIF -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A FORWARD -i $TUNIF -p icmp -j REJECT
318,7 → 318,7
 
# Autorisation des connections sortant du LAN
# Allow forward connections with log
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
#$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ULOG --ulog-prefix "RULE F_all -- ACCEPT "
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j NETFLOW
$IPTABLES -A FORWARD -i $TUNIF -s $PRIVATE_NETWORK_MASK -m state --state NEW -j ACCEPT
 
358,8 → 358,6
then
$IPTABLES -A OUTPUT -p tcp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -p udp -d $LDAP_IP -m multiport --dports ldap,ldaps -m state --state NEW,ESTABLISHED -j ACCEPT
# $IPTABLES -A INPUT -p tcp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT
# $IPTABLES -A INPUT -p udp -s $LDAP_IP -m multiports --sports ldap,ldaps -m state --state ESTABLISHED -j ACCEPT
fi
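Review bot: Rejected traffic loses its audit trail in this revision while only accepted traffic gains one: the `RULE F_filter -- REJECT ` ULOG in front of the final FORWARD rejects and the `RULE IP-blocked -- REJECT ` ULOG on INPUT are commented out, but NETFLOW is only chained in front of the `--state NEW` ACCEPT rules, so a client probing a blocked destination or a non-whitelisted port is no longer recorded by either channel. That is inconsistent with the direct-proxy DENY log, which is re-enabled in the same revision, with the header still describing ulog group 1 as the "protection of ALCASAR" channel, and with the FORWARD `RULE IP-blocked -- REJECT ` ULOG that appears to remain active in the 226/227 hunk. I would keep the two commented lines, e.g. `$IPTABLES -A FORWARD -i $TUNIF -j ULOG --ulog-prefix "RULE F_filter -- REJECT "` immediately before the three REJECT rules, or, if dropping them is deliberate, state in the header which denials are still logged so that forensics on a blocked client does not rely on logs that no longer exist. The rule blocks these hunks touch begin and end outside the lines shown.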
 
 
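--- a/web/acc/stat.php
+++ b/web/acc/stat.php
@@ -3,15 +3,13 @@
 $select[0]="$l_stat_user_day";
 $select[1]="$l_stat_con";
 $select[2]="$l_stat_daily";
-$select[3]="$l_firewall";
-$select[4]="$l_moniteur";
-$select[5]="$l_security";
+$select[3]="$l_moniteur";
+$select[4]="$l_security";
 $fich[0]="manager/htdocs/user_stats.php";
 $fich[1]="manager/htdocs/accounting.php";
 $fich[2]="manager/htdocs/stats.php";
-$fich[3]="admin/firewallEyes/index.html";
-$fich[4]="/nfsen";
-$fich[5]="manager/htdocs/security.php";
+$fich[3]="/nfsen";
+$fich[4]="manager/htdocs/security.php";
 $j=0;
 while ($j != count($select))
 {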
/web/acc/admin/firewallEyes/info.php
File deleted
/web/acc/admin/firewallEyes/images/commandHeaderBkg.jpg
Cannot display: file marked as a binary type.
svn:mime-type = image/jpeg
Property changes:
Deleted: svn:mime-type
-image/jpeg
\ No newline at end of property
/web/acc/admin/firewallEyes/images/firewallEyes.jpg
Cannot display: file marked as a binary type.
svn:mime-type = image/jpeg
Property changes:
Deleted: svn:mime-type
-image/jpeg
\ No newline at end of property
/web/acc/admin/firewallEyes/images/port-src.gif
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes:
Deleted: svn:mime-type
-application/octet-stream
\ No newline at end of property
/web/acc/admin/firewallEyes/images/logo-firewallEyes.gif
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes:
Deleted: svn:mime-type
-application/octet-stream
\ No newline at end of property
/web/acc/admin/firewallEyes/images/src-port.gif
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes:
Deleted: svn:mime-type
-application/octet-stream
\ No newline at end of property
/web/acc/admin/firewallEyes/images/buttonBkg.jpg
Cannot display: file marked as a binary type.
svn:mime-type = image/jpeg
Property changes:
Deleted: svn:mime-type
-image/jpeg
\ No newline at end of property
/web/acc/admin/firewallEyes/images/info.gif
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes:
Deleted: svn:mime-type
-application/octet-stream
\ No newline at end of property
/web/acc/admin/firewallEyes/images/port-dst.gif
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes:
Deleted: svn:mime-type
-application/octet-stream
\ No newline at end of property
/web/acc/admin/firewallEyes/images/dst-port.gif
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes:
Deleted: svn:mime-type
-application/octet-stream
\ No newline at end of property
/web/acc/admin/firewallEyes/images/header-background.jpg
Cannot display: file marked as a binary type.
svn:mime-type = image/jpeg
Property changes:
Deleted: svn:mime-type
-image/jpeg
\ No newline at end of property
/web/acc/admin/firewallEyes/images/source.gif
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes:
Deleted: svn:mime-type
-application/octet-stream
\ No newline at end of property
/web/acc/admin/firewallEyes/images/destination.gif
Cannot display: file marked as a binary type.
svn:mime-type = application/octet-stream
Property changes:
Deleted: svn:mime-type
-application/octet-stream
\ No newline at end of property
/web/acc/admin/firewallEyes/messages
File deleted
/web/acc/admin/firewallEyes/log.css
File deleted
/web/acc/admin/firewallEyes/include.php
File deleted
\ No newline at end of file
/web/acc/admin/firewallEyes/index.html
File deleted
/web/acc/admin/firewallEyes/logs.php
File deleted
/web/acc/admin/firewallEyes/readme.txt
File deleted
\ No newline at end of file
Property changes:
Deleted: svn:eol-style
-native
\ No newline at end of property
/web/acc/admin/firewallEyes/configuration.php
File deleted
/web/acc/admin/firewallEyes/header.php
File deleted
/web/acc/admin/firewallEyes/gpl.txt
File deleted
Property changes:
Deleted: svn:eol-style
-native
\ No newline at end of property
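--- a/web/acc/menu.php
+++ b/web/acc/menu.php
@@ -38,7 +38,6 @@
 $l_stat_user_day = "usager/jour";
 $l_stat_con = "connexions";
 $l_stat_daily ="usage journalier";
-$l_firewall ="parefeu";
 $l_menu="Menu";
 $l_moniteur="Statistiques Réseau";
 $l_security="Sécurité";
@@ -65,7 +64,6 @@
 $l_stat_user_day = "user/day";
 $l_stat_con = "connections";
 $l_stat_daily ="daily use";
-$l_firewall ="firewall";
 $l_menu="Main";
 $l_moniteur="Statistiques Réseau";
 $l_security="Security";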
/alcasar.sh
20,7 → 20,7
# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
#
# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav
# Coovachilli, freeradius, mariaDB, apache, netfilter, squid, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav, Ulog, fail2ban, NFsen and NFdump
 
# Options :
# -i or --install
27,24 → 27,24
# -u or --uninstall
 
# Functions :
# testing : Tests de connectivité et de téléchargement avant installation
# init : Installation des RPM et des scripts
# network : Paramètrage du réseau
# gestion : Installation de l'interface de gestion
# AC : Initialisation de l'autorité de certification. Création des certificats
# init_db : Création de la base 'radius' sur le serveur MySql
# param_radius : Configuration du serveur d'authentification FreeRadius
# param_web_radius: Configuration de l'interface de gestion de FreeRadius (dialupadmin)
# param_chilli : Configuration du daemon 'coova-chilli' et de la page d'authentification
# param_squid : Configuration du proxy squid en mode 'cache'
# param_dansguardian : Configuration de l'analyseur de contenu DansGuardian
# antivirus : Installation havp + libclamav
# param_nfsen : Configuration du grapheur nfsen pour apache
# dnsmasq : Configuration du serveur de noms et du serveur dhcp de secours
# BL : Configuration de la BlackList
# cron : Mise en place des exports de logs (+ chiffrement)
# fail2ban : Installation et configuration de Fail2Ban
# post_install : Finalisation environnement ( sécurité, bannières, rotation logs, ...)
# testing : connectivity tests and downloading before intall
# init : Installation of RPM and scripts
# network : Network parameters
# ACC : ALCASAR Control Center installation
# CA : Certification Authority initialization
# init_db : Initilization of radius database managed with MariaDB
# param_radius : FreeRadius initialisation
# param_web_radius : copy ans modifiy original "freeradius web" in ACC
# param_chilli : coovachilli initialisation (+authentication page)
# param_squid : Squid cache proxy configuration
# param_dansguardian : DansGuardian filtering HTTP proxy configuration
# antivirus : HAVP + libclamav configuration
# param_nfsen : Configuration du grapheur nfsen pour apache
# dnsmasq : Configuration du serveur de noms et du serveur dhcp de secours
# BL : Configuration de la BlackList
# cron : Mise en place des exports de logs (+ chiffrement)
# fail2ban : Installation et configuration de Fail2Ban
# post_install : Finalisation environnement ( sécurité, bannières, rotation logs, ...)
 
DATE=`date '+%d %B %Y - %Hh%M'`
DATE_SHORT=`date '+%d/%m/%Y'`
102,7 → 102,7
service network start
 
##################################################################
## Function TESTING ##
## Function "testing" ##
## - Test of Internet access ##
##################################################################
testing ()
240,7 → 240,7
} # end of testing
 
##################################################################
## Fonction INIT ##
## Function "init" ##
## - Création du fichier "/root/ALCASAR_parametres.txt" ##
## - Installation et modification des scripts du portail ##
##################################################################
314,7 → 314,7
} # End of init ()
 
##################################################################
## Fonction network ##
## Function "network" ##
## - Définition du plan d'adressage du réseau de consultation ##
## - Nommage DNS du système ##
## - Configuration de l'interface eth1 (réseau de consultation) ##
508,13 → 508,13
} # End of network ()
 
##################################################################
## Fonction gestion ##
## - installation du centre de gestion ##
## Function "ACC" ##
## - installation du centre de gestion (ALCASAR Control Center) ##
## - configuration du serveur web (Apache) ##
## - définition du 1er comptes de gestion ##
## - sécurisation des accès ##
##################################################################
gestion()
ACC ()
{
[ -d $DIR_WEB ] && rm -rf $DIR_WEB
mkdir $DIR_WEB
705,13 → 705,13
ErrorDocument 404 https://$HOSTNAME/
</Directory>
EOF
} # End of gestion ()
} # End of ACC()
 
##########################################################################################
## Fonction AC() ##
## Fonction "CA" ##
## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
##########################################################################################
AC ()
CA ()
{
$SED "s?ifcfg-eth.?ifcfg-$INTIF?g" $DIR_DEST_BIN/alcasar-CA.sh
$DIR_DEST_BIN/alcasar-CA.sh
722,10 → 722,10
$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
chown -R root:apache /etc/pki
chmod -R 750 /etc/pki
} # End AC ()
} # End CA ()
 
##########################################################################################
## Fonction init_db() ##
## Fonction "init_db" ##
## - Initialisation de la base Mysql ##
## - Affectation du mot de passe de l'administrateur (root) ##
## - Suppression des bases et des utilisateurs superflus ##
758,7 → 758,7
} # End init_db ()
 
##########################################################################
## Fonction param_radius ##
## Fonction "param_radius" ##
## - Paramètrage des fichiers de configuration FreeRadius ##
## - Affectation du secret partagé entre coova-chilli et freeradius ##
## - Modification de fichier de conf pour l'accès à Mysql ##
815,7 → 815,7
} # End param_radius ()
 
##########################################################################
## Fonction param_web_radius ##
## Function "param_web_radius" ##
## - Import, modification et paramètrage de l'interface "dialupadmin" ##
## - Création du lien vers la page de changement de mot de passe ##
##########################################################################
874,7 → 874,7
} # End of param_web_radius ()
 
##################################################################################
## Fonction param_chilli ##
## Fonction "param_chilli" ##
## - Création du fichier d'initialisation et de configuration de coova-chilli ##
## - Paramètrage de la page d'authentification (intercept.php) ##
##################################################################################
1021,7 → 1021,7
} # End of param_chilli ()
 
##########################################################
## Fonction param_squid ##
## Fonction "param_squid" ##
## - Paramètrage du proxy 'squid' en mode 'cache' ##
## - Initialisation de la base de données ##
##########################################################
1060,7 → 1060,7
} # End of param_squid ()
##################################################################
## Fonction param_dansguardian ##
## Fonction "param_dansguardian" ##
## - Paramètrage du gestionnaire de contenu Dansguardian ##
##################################################################
param_dansguardian ()
1108,7 → 1108,7
} # End of param_dansguardian ()
 
##################################################################
## Fonction antivirus ##
## Fonction "antivirus" ##
## - configuration havp + libclamav ##
##################################################################
antivirus ()
1156,7 → 1156,7
}
 
##################################################################################
## param_ulogd function ##
## function "param_ulogd" ##
## - Ulog config for multi-log files ##
##################################################################################
param_ulogd ()
1164,7 → 1164,7
# Three instances of ulogd (three different logfiles)
[ -d /var/log/firewall ] || mkdir -p /var/log/firewall
nl=1
for log_type in tracability ssh ext-access
for log_type in int-access ssh ext-access
do
[ -e /var/log/firewall/$log_type.log ] || touch /var/log/firewall/$log_type.log
cp -f /etc/ulogd.conf /etc/ulogd-$log_type.conf
1186,56 → 1186,51
 
 
##########################################################
## Fonction param_nfsen ##
## Function "param_nfsen" ##
##########################################################
param_nfsen()
{
#Decompression tarball
tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
#Création groupe et utilisteur
if grep "^www-data:" /etc/group > /dev/null; then
echo "Group already exists !"
else
groupadd www-data
echo "Group 'www-data' created !"
fi
if grep "^nfsen:" /etc/passwd > /dev/null; then
echo "User already exists !"
else
useradd -m nfsen
echo "User 'nfsen' created !"
fi
usermod -G www-data nfsen
if grep "^www-data:" /etc/group > /dev/null; then
echo "Group already exists !"
else
groupadd www-data
echo "Group 'www-data' created !"
fi
if grep "^nfsen:" /etc/passwd > /dev/null; then
echo "User already exists !"
else
useradd -m nfsen
echo "User 'nfsen' created !"
fi
usermod -G www-data nfsen
#Ajout du plugin nfsen : PortTracker
mkdir -p /var/www/nfsen/plugins
chown -R nfsen:www-data /var/www/nfsen
#Ajout du plugin PortTracker
mkdir -p /var/log/netflow/porttracker
mkdir -p /usr/share/nfsen/plugins
chown -R apache:apache /usr/share/nfsen
cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
chown apache /var/log/netflow/porttracker
mkdir -p /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
chown -R nfsen:www-data /var/www/nfsen
chown -R apache:apache /usr/share/nfsen /var/log/netflow/porttracker
cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
#Copie du fichier de conf modifié de nfsen
cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
#Copie du script d'initialisation de nfsen
cp $DIR_CONF/nfsen/nfsen.service /lib/systemd/system/
systemctl enable nfsen.service
cp $DIR_CONF/nfsen/nfsen.service /lib/systemd/system/
#Installation de nfsen via le scrip Perl
DirTmp=$(pwd)
cd /tmp/nfsen-1.3.6p1/
/usr/bin/perl5 install.pl etc/nfsen.conf #script lancé deux fois pour corriger,
/usr/bin/perl5 install.pl etc/nfsen.conf #un problème Perl : "Semaphore introuvable"
DirTmp=$(pwd)
cd /tmp/nfsen-1.3.6p1/
/usr/bin/perl5 install.pl etc/nfsen.conf #script lancé deux fois pour corriger,
/usr/bin/perl5 install.pl etc/nfsen.conf #un problème Perl : "Semaphore introuvable"
#Création de la DB pour rrdtool
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
sudo -u apache nftrack -I -d /var/log/netflow/porttracker
chown -R apache:www-data /var/log/netflow/porttracker/
chmod -R 775 /var/log/netflow/porttracker
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
sudo -u apache nftrack -I -d /var/log/netflow/porttracker
chown -R apache:www-data /var/log/netflow/porttracker/
chmod -R 775 /var/log/netflow/porttracker
#Configuration du fichier de conf d'apache
if [ -f /etc/httpd/conf.d/nfsen.conf ];then
rm -f /etc/httpd/conf.d/nfsen.conf
fi
cat <<EOF >> /etc/httpd/conf.d/nfsen.conf
if [ -f /etc/httpd/conf.d/nfsen.conf ];then
rm -f /etc/httpd/conf.d/nfsen.conf
fi
cat <<EOF >> /etc/httpd/conf.d/nfsen.conf
Alias /nfsen /var/www/nfsen
<Directory /var/www/nfsen/>
DirectoryIndex nfsen.php
1249,14 → 1244,14
</Directory>
EOF
#Configuration du délais d'expiration des captures du profile "live"
nfsen -m live -e 62d
nfsen -m live -e 62d
#Suppression des sources de nfsen
cd $DirTmp
rm -rf /tmp/nfsen-1.3.6p1/
cd $DirTmp
rm -rf /tmp/nfsen-1.3.6p1/
} # End of param_nfsen
 
##########################################################
## Fonction param_dnsmasq ##
## Function "param_dnsmasq" ##
##########################################################
param_dnsmasq ()
{
1308,22 → 1303,22
EOF
 
# Init file modification
[ -e /etc/init.d/dnsmasq.default ] || cp /etc/init.d/dnsmasq /etc/init.d/dnsmasq.default
[ -e /etc/init.d/dnsmasq.default ] || cp /etc/init.d/dnsmasq /etc/init.d/dnsmasq.default
# Start and stop a 2nd process for the "DNS blackhole"
cp -f $DIR_CONF/dnsmasq /etc/init.d/dnsmasq
cp -f $DIR_CONF/dnsmasq /etc/init.d/dnsmasq
# Start after chilli (65) which create tun0
$SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
$SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
# Optionnellement on pré-active les logs DNS des clients
[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
$SED "s?log-facility?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq
[ -e /etc/sysconfig/dnsmasq.default ] || cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
$SED "s?log-facility?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq
# Optionnellement, exemple de paramètre supplémentaire pour le cache memoire
echo '#OPTIONS="$OPTIONS --cache-size=250"' >> /etc/sysconfig/dnsmasq
echo '#OPTIONS="$OPTIONS --cache-size=250"' >> /etc/sysconfig/dnsmasq
# Optionnellement, exemple de configuration avec un A.D.
echo '#OPTIONS="$OPTIONS --server=/your.domain/192.168.182.3"' >> /etc/sysconfig/dnsmasq
echo '#OPTIONS="$OPTIONS --server=/your.domain/192.168.182.3"' >> /etc/sysconfig/dnsmasq
} # End dnsmasq
 
##########################################################
## Fonction BL (BlackList) ##
## Fonction "BL" ##
##########################################################
BL ()
{
1372,7 → 1367,7
}
 
##########################################################
## Fonction cron ##
## Fonction "cron" ##
## - Mise en place des différents fichiers de cron ##
##########################################################
cron ()
1459,7 → 1454,7
} # End cron
 
##################################################################
## Fonction Fail2Ban ##
## Fonction "Fail2Ban" ##
##- Modification de la configuration de fail2ban ##
##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ##
##################################################################
1474,7 → 1469,7
} #Fin de fail2ban_install()
 
##################################################################
## Fonction post_install ##
## Fonction "post_install" ##
## - Modification des bannières (locales et ssh) et des prompts ##
## - Installation de la structure de chiffrement pour root ##
## - Mise en place du sudoers et de la sécurité sur les fichiers##
1536,13 → 1531,8
done
# export des logs en 'retard' dans /var/Save/logs
/usr/local/bin/alcasar-log.sh --export
# processus lancés par défaut au démarrage
for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam nfsen
do
/sbin/chkconfig --add $i
done
 
cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
# create the alcasar-load_balancing unit
cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
1566,17 → 1556,25
[Install]
WantedBy=multi-user.target
EOF
systemctl enable alcasar-load_balancing.service
# processes launched at boot time (SYSV)
for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam
do
/sbin/chkconfig --add $i
done
# processes launched at boot time (Systemctl)
for i in alcasar-load_balancing.service nfsen.service
 
# On applique les préconisations ANSSI
# Apply French Security Agency rules
do
systemctl enable $i
done
# Apply French Security Agency (ANSSI) rules
# ignorer les broadcast ICMP. (attaque smurf)
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
# ignorer les erreurs ICMP bogus
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
# désactiver l'envoi et la réponse aux ICMP redirects
sysctl -w net.ipv4.conf.all.accept_redirects=0
accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l`
sysctl -w net.ipv4.conf.all.accept_redirects=0
accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l`
if [ "$accept_redirect" == "0" ]
then
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
1583,8 → 1581,8
else
$SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf
fi
sysctl -w net.ipv4.conf.all.send_redirects=0
send_redirect=`grep send_redirect /etc/sysctl.conf|wc -l`
sysctl -w net.ipv4.conf.all.send_redirects=0
send_redirect=`grep send_redirect /etc/sysctl.conf|wc -l`
if [ "$send_redirect" == "0" ]
then
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
1592,8 → 1590,8
$SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf
fi
# activer les SYN Cookies (attaque syn flood)
sysctl -w net.ipv4.tcp_syncookies=1
tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf|wc -l`
sysctl -w net.ipv4.tcp_syncookies=1
tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf|wc -l`
if [ "$tcp_syncookies" == "0" ]
then
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
1601,10 → 1599,10
$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf
fi
# activer l'antispoofing niveau Noyau
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.conf.all.rp_filter=1
# ignorer le source routing
sysctl -w net.ipv4.conf.all.accept_source_route=0
accept_source_route=`grep accept_source_route /etc/sysctl.conf|wc -l`
sysctl -w net.ipv4.conf.all.accept_source_route=0
accept_source_route=`grep accept_source_route /etc/sysctl.conf|wc -l`
if [ "$accept_source_route" == "0" ]
then
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
1612,8 → 1610,8
$SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf
fi
# réglage du timer de maintien de suivi de session à 1h (3600s) au lieu de 5 semaines
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
timeout_established=`grep timeout_established /etc/sysctl.conf|wc -l`
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
timeout_established=`grep timeout_established /etc/sysctl.conf|wc -l`
if [ "$timeout_established" == "0" ]
then
echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf
1621,7 → 1619,7
$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf
fi
# disable log_martians (ALCASAR is often installed between two private network addresses)
sysctl -w net.ipv4.conf.all.log_martians=0
sysctl -w net.ipv4.conf.all.log_martians=0
# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
# ??? $SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
# modification /etc/inittab
1631,51 → 1629,49
$SED "s?^5.*?#&?g" /etc/inittab
$SED "s?^6.*?#&?g" /etc/inittab
# switch to multi-users runlevel (instead of x11)
ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
$SED "s?^id.*?id:3:initdefault:?g" /etc/inittab
ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
$SED "s?^id.*?id:3:initdefault:?g" /etc/inittab
# GRUB modifications
# limit wait time to 3s
# create an alcasar entry instead of linux-nonfb
# change display to 1024*768 (vga791)
$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
$SED "/^gfxmenu/d" /boot/grub/menu.lst
 
$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
$SED "/^gfxmenu/d" /boot/grub/menu.lst
# Remove unused services and users
for old_svc in alsa sound dm
do
/sbin/chkconfig --del $old_svc
done
for svc in snmpd.service sshd.service
do
/bin/systemctl disable $svc
done
for rm_users in avahi-autoipd avahi icapd
do
user=`cat /etc/passwd|grep $rm_users|cut -d":" -f1`
if [ "$user" == "$rm_users" ]
for old_svc in alsa sound dm
do
/sbin/chkconfig --del $old_svc
done
for svc in snmpd.service sshd.service
do
/bin/systemctl disable $svc
done
for rm_users in avahi-autoipd avahi icapd
do
user=`cat /etc/passwd|grep $rm_users|cut -d":" -f1`
if [ "$user" == "$rm_users" ]
then
/usr/sbin/userdel -f $rm_users
fi
done
# Load and apply the previous conf file
if [ "$mode" = "update" ]
then
/usr/sbin/userdel -f $rm_users
$DIR_DEST_BIN/alcasar-conf.sh --load
PARENT_SCRIPT=`basename $0`
export PARENT_SCRIPT # to avoid stop&start process during the installation process
$DIR_DEST_BIN/alcasar-conf.sh --apply
$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
fi
done
# Load and apply the previous conf file
if [ "$mode" = "update" ]
then
$DIR_DEST_BIN/alcasar-conf.sh --load
PARENT_SCRIPT=`basename $0`
export PARENT_SCRIPT # to avoid stop&start process during the installation process
$DIR_DEST_BIN/alcasar-conf.sh --apply
$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
fi
rm -f /tmp/alcasar-conf*
chown -R root:apache $DIR_DEST_ETC/*
chmod -R 660 $DIR_DEST_ETC/*
chmod ug+x $DIR_DEST_ETC/digest
 
rm -f /tmp/alcasar-conf*
chown -R root:apache $DIR_DEST_ETC/*
chmod -R 660 $DIR_DEST_ETC/*
chmod ug+x $DIR_DEST_ETC/digest
# Apply and save the firewall rules
sh $DIR_DEST_BIN/alcasar-iptables.sh
sleep 2
1832,10 → 1828,10
else
mode="install"
fi
for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron fail2ban post_install
for func in init network ACC CA init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron fail2ban post_install
do
$func
echo "*** 'debug' : end of function $func ***"; read a
# echo "*** 'debug' : end of function $func ***"; read a
done
;;
-u | --uninstall)
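Review bot: param_nfsen extracts the bundled tarball to the fixed path `/tmp/nfsen-1.3.6p1/`, then `cd`s into it, runs `install.pl` twice and finally `rm -rf`s it, all as root; a fixed name under world-writable /tmp can be pre-created by any local account before the installer runs, so the extraction and the install-script execution should happen in a private directory obtained from `mktemp -d` (or under a root-owned build directory) rather than a predictable one. In the same hunk `usermod -G www-data nfsen` replaces the nfsen user's entire supplementary-group list instead of adding to it; `usermod -aG www-data nfsen` is presumably the intent. I also cannot see from this hunk whether the `<Directory /var/www/nfsen/>` block (cut just after `DirectoryIndex nfsen.php`) carries the same authentication as the rest of the ACC; since the new `/nfsen` menu entry exposes per-client flow records, that is worth confirming. The body of param_nfsen continues between the hunks shown.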