Ignore whitespace Rev 989 → Rev 990

/alcasar.sh
544,6 → 544,7
$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf
FIC_MOD_SSL=`find /etc/httpd/modules.d/ -type f -name *mod_ssl.conf`
$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" $FIC_MOD_SSL # On écoute en SSL que sur INTIF
$SED "s?background-color.*?background-color: #EFEFEF; }?g" /var/www/error/include/top.html
624,6 → 625,7
Deny from all
Allow from 127.0.0.1
Allow from $PRIVATE_NETWORK_MASK
# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
require valid-user
AuthType digest
AuthName $HOSTNAME
638,6 → 640,7
Deny from all
Allow from 127.0.0.1
Allow from $PRIVATE_NETWORK_MASK
# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
require valid-user
AuthType digest
AuthName $HOSTNAME
652,6 → 655,7
Deny from all
Allow from 127.0.0.1
Allow from $PRIVATE_NETWORK_MASK
# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
require valid-user
AuthType digest
AuthName $HOSTNAME
666,6 → 670,7
Deny from all
Allow from 127.0.0.1
Allow from $PRIVATE_NETWORK_MASK
# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
require valid-user
AuthType digest
AuthName $HOSTNAME
681,6 → 686,7
Deny from all
Allow from 127.0.0.1
Allow from $PRIVATE_NETWORK_MASK
# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
require valid-user
AuthType digest
AuthName $HOSTNAME
1122,6 → 1128,7
$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on 8090
$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
1215,6 → 1222,7
Deny from all
Allow from 127.0.0.1
Allow from $PRIVATE_NETWORK_MASK
# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
require valid-user
AuthType digest
AuthName $HOSTNAME
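Review bot: In the first hunk (544), `FIC_MOD_SSL=`find /etc/httpd/modules.d/ -type f -name *mod_ssl.conf`` leaves the `*mod_ssl.conf` pattern unquoted, so the shell may glob it in the current directory before find sees it, and the result is used unquoted on the next line, so an empty result gives `$SED` no file operand and the `Listen $PRIVATE_IP:443` edit that restricts HTTPS to the internal interface is silently not applied; whether these two lines are new or context is not recoverable from this rendering. I would write `FIC_MOD_SSL=$(find /etc/httpd/modules.d/ -type f -name '*mod_ssl.conf')` and guard the edit with `[ -n "$FIC_MOD_SSL" ] && $SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" "$FIC_MOD_SSL"`. The `Deny from all` / `Allow from` / `require valid-user` stanza together with its new `# Allow from AA.BB.CC.DD/32` comment is repeated verbatim in the six later hunks (624, 638, 652, 666, 681 and 1215); emitting it from one helper function would keep those access lists from drifting apart when a single copy is edited later.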
/scripts/sbin/alcasar-dhcp.sh
65,9 → 65,9
$SED "s?^dynip.*?#dynip?g" $CHILLI_CONF_FILE
$SED "s?^#dynip.*?#dynip?g" $CHILLI_CONF_FILE
$SED "s?^DHCP.*?DHCP=off?g" $ALCASAR_CONF_FILE
if [ $EXT_DHCP_IP ! = "none" ]
if [ $EXT_DHCP_IP != "none" ]
then
$SED "s?.*dhcpgateway.*?dhcpgateway\t\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?.*dhcpgateway .*?dhcpgateway \t\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?.*dhcprelayagent.*?dhcprelayagent\t\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?.*dhcpgatewayport.*?#dhcpgatewayport\t\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE
fi
80,7 → 80,7
$SED "s?^dynip.*?dynip\t\t$PRIVATE_NETWORK_MASK?g" $CHILLI_CONF_FILE
$SED "s?^#dynip.*?dynip\t\t$PRIVATE_NETWORK_MASK?g" $CHILLI_CONF_FILE
$SED "s?^dhcp_range.*?dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h?g" $DNSMASQ_CONF_FILE
$SED "s?^dhcpgateway.*?#dhcpgateway\t\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?^dhcpgateway .*?#dhcpgateway \t\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?^dhcprelayagent.*?#dhcprelayagent\t\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?^dhcpgatewayport.*?#dhcpgatewayport\t\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE
$SED "s?^EXT_DHCP_IP.*?EXT_DHCP_IP=none?g" $ALCASAR_CONF_FILE
95,7 → 95,7
$SED "s?^dynip.*?dynip\t\t$PRIVATE_DYN_IP?g" $CHILLI_CONF_FILE
$SED "s?^#dynip.*?dynip\t\t$PRIVATE_DYN_IP?g" $CHILLI_CONF_FILE
$SED "s?^dhcp_range.*?dhcp-range=$PRIVATE_DYN_FIRST_IP,$PRIVATE_DYN_LAST_IP,$PRIVATE_NETMASK,12h?g" $DNSMASQ_CONF_FILE
$SED "s?^dhcpgateway.*?#dhcpgateway\t\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?^dhcpgateway .*?#dhcpgateway \t\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?^dhcprelayagent.*?#dhcprelayagent\t\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE
$SED "s?^dhcpgatewayport.*?#dhcpgatewayport\t\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE
$SED "s?^EXT_DHCP_IP.*?EXT_DHCP_IP=none?g" $ALCASAR_CONF_FILE
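Review bot: The corrected test `if [ $EXT_DHCP_IP != "none" ]` still leaves `$EXT_DHCP_IP` unquoted, so an empty or unset value degrades it to `[ != none ]`, which `test` rejects with an error and the relay configuration block is skipped without any message; `if [ "$EXT_DHCP_IP" != "none" ]` keeps the comparison well-formed in that case. The narrowed patterns `.*dhcpgateway .*` here and `^dhcpgateway .*` in the hunks at 80 and 95 correctly stop matching the `dhcpgatewayport` line, but the replacement now writes `dhcpgateway \t\t$EXT_DHCP_IP` with a space before the tabs — presumably harmless for the chilli parser, worth confirming once. The IP and port values are interpolated into the sed replacement without escaping, so a value containing `&` or `?` would corrupt the edit; given they come from the ALCASAR configuration this is low risk, but a one-line sanity check on their format before the substitutions would make the assumption explicit.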
/scripts/alcasar-iptables-bypass.sh
43,6 → 43,7
 
# On autorise tout sur loopback
# accept all on loopback
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT
 
# Insertion de règles de blocage (Devel)
58,6 → 59,16
done < /usr/local/etc/alcasar-iptables-block
fi
 
# SSHD rules if activate
if [ $SSH = on ]
then
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT"
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $Admin_from_IP -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT"
$IPTABLES -A INPUT -i $EXTIF -s $Admin_from_IP -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT
fi
 
# on autorise les requêtes dhcp
# accept dhcp
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT
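Review bot: The two WAN rules `$IPTABLES -A INPUT -i $EXTIF -s $Admin_from_IP -d $PUBLIC_IP -p tcp --dport ssh ...` pass `$Admin_from_IP` unquoted and unchecked; if it is empty or unset, iptables receives `-s -d`, the command fails, and unless the script runs under `set -e` (not visible here) execution continues with SSH-from-WAN silently unconfigured — fail-closed, but with no signal to the administrator. A guard such as `if [ -n "$Admin_from_IP" ]` around the two EXTIF INPUT rules, plus quoting the selector in `if [ "$SSH" = on ]` so an unset value does not raise a test error, would make the intent explicit. The LAN ACCEPT rule on the second line of the block carries no `-m state` restriction while the WAN ACCEPT requires `NEW,ESTABLISHED`; aligning both on `-m state --state NEW,ESTABLISHED` keeps the two admin paths consistent. The rules preceding line 58 of this script are outside the hunk.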
/scripts/alcasar-iptables.sh
114,6 → 114,7
# Tout passe sur loopback
# accept all on loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
 
# Rejet des demandes de connexions non conformes (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)
# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN)