/alcasar.sh |
---|
544,6 → 544,7 |
$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf |
$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf |
$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf |
$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf |
FIC_MOD_SSL=`find /etc/httpd/modules.d/ -type f -name *mod_ssl.conf` |
$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" $FIC_MOD_SSL # On écoute en SSL que sur INTIF |
$SED "s?background-color.*?background-color: #EFEFEF; }?g" /var/www/error/include/top.html |
624,6 → 625,7 |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
# Allow from AA.BB.CC.DD/32 # Allow from specific @IP |
require valid-user |
AuthType digest |
AuthName $HOSTNAME |
638,6 → 640,7 |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
# Allow from AA.BB.CC.DD/32 # Allow from specific @IP |
require valid-user |
AuthType digest |
AuthName $HOSTNAME |
652,6 → 655,7 |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
# Allow from AA.BB.CC.DD/32 # Allow from specific @IP |
require valid-user |
AuthType digest |
AuthName $HOSTNAME |
666,6 → 670,7 |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
# Allow from AA.BB.CC.DD/32 # Allow from specific @IP |
require valid-user |
AuthType digest |
AuthName $HOSTNAME |
681,6 → 686,7 |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
# Allow from AA.BB.CC.DD/32 # Allow from specific @IP |
require valid-user |
AuthType digest |
AuthName $HOSTNAME |
1122,6 → 1128,7 |
$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config |
$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on 8090 |
$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback |
$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format |
$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV |
$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches |
$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously |
1215,6 → 1222,7 |
Deny from all |
Allow from 127.0.0.1 |
Allow from $PRIVATE_NETWORK_MASK |
# Allow from AA.BB.CC.DD/32 # Allow from specific @IP |
require valid-user |
AuthType digest |
AuthName $HOSTNAME |
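Review bot: The `speling_module` substitution in the 544 hunk is the only `LoadModule` rule without a `^` anchor, so on a `#LoadModule speling_module …` line sed replaces the text after the `#` with the same text and the module stays commented out; if the intent is to enable it the rule should be `$SED "s?^#LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf`. On the following line `FIC_MOD_SSL` is built from an unquoted `-name *mod_ssl.conf`, which the shell may glob-expand in the current directory before find sees it, and an empty result makes the next `$SED … $FIC_MOD_SSL` read stdin instead of a file; quote the pattern (`-name '*mod_ssl.conf'`) and check the variable is non-empty before editing. The six identical `Allow from` / `AuthType digest` stanzas (624, 638, 652, 666, 681 and 1215 hunks) now each carry the same added comment line; emitting the stanza from one shell function would keep them from drifting apart. The here-documents these stanzas belong to start and end outside the hunks.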
/scripts/sbin/alcasar-dhcp.sh |
---|
65,9 → 65,9 |
$SED "s?^dynip.*?#dynip?g" $CHILLI_CONF_FILE |
$SED "s?^#dynip.*?#dynip?g" $CHILLI_CONF_FILE |
$SED "s?^DHCP.*?DHCP=off?g" $ALCASAR_CONF_FILE |
if [ $EXT_DHCP_IP ! = "none" ] |
if [ $EXT_DHCP_IP != "none" ] |
then |
$SED "s?.*dhcpgateway.*?dhcpgateway\t\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?.*dhcpgateway .*?dhcpgateway \t\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?.*dhcprelayagent.*?dhcprelayagent\t\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?.*dhcpgatewayport.*?#dhcpgatewayport\t\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE |
fi |
80,7 → 80,7 |
$SED "s?^dynip.*?dynip\t\t$PRIVATE_NETWORK_MASK?g" $CHILLI_CONF_FILE |
$SED "s?^#dynip.*?dynip\t\t$PRIVATE_NETWORK_MASK?g" $CHILLI_CONF_FILE |
$SED "s?^dhcp_range.*?dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h?g" $DNSMASQ_CONF_FILE |
$SED "s?^dhcpgateway.*?#dhcpgateway\t\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?^dhcpgateway .*?#dhcpgateway \t\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?^dhcprelayagent.*?#dhcprelayagent\t\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?^dhcpgatewayport.*?#dhcpgatewayport\t\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE |
$SED "s?^EXT_DHCP_IP.*?EXT_DHCP_IP=none?g" $ALCASAR_CONF_FILE |
95,7 → 95,7 |
$SED "s?^dynip.*?dynip\t\t$PRIVATE_DYN_IP?g" $CHILLI_CONF_FILE |
$SED "s?^#dynip.*?dynip\t\t$PRIVATE_DYN_IP?g" $CHILLI_CONF_FILE |
$SED "s?^dhcp_range.*?dhcp-range=$PRIVATE_DYN_FIRST_IP,$PRIVATE_DYN_LAST_IP,$PRIVATE_NETMASK,12h?g" $DNSMASQ_CONF_FILE |
$SED "s?^dhcpgateway.*?#dhcpgateway\t\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?^dhcpgateway .*?#dhcpgateway \t\t$EXT_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?^dhcprelayagent.*?#dhcprelayagent\t\t$RELAY_DHCP_IP?g" $CHILLI_CONF_FILE |
$SED "s?^dhcpgatewayport.*?#dhcpgatewayport\t\t$RELAY_DHCP_PORT?g" $CHILLI_CONF_FILE |
$SED "s?^EXT_DHCP_IP.*?EXT_DHCP_IP=none?g" $ALCASAR_CONF_FILE |
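Review bot: The corrected test in the 65 hunk, `if [ $EXT_DHCP_IP != "none" ]`, still leaves the variable unquoted, so when `EXT_DHCP_IP` is unset or empty it becomes `[ != "none" ]`, `[` reports a syntax error and the relay branch is skipped with no diagnostic; write it as `if [ "$EXT_DHCP_IP" != "none" ]`. The same applies to `$CHILLI_CONF_FILE`, `$ALCASAR_CONF_FILE` and `$DNSMASQ_CONF_FILE` used unquoted as sed file operands throughout the three hunks. The `dhcp_range` substitutions in the 80 and 95 hunks match `^dhcp_range` but write `dhcp-range=…`, so a second run would not match the line it produced; presumably the template file keeps the `dhcp_range` spelling, which is worth confirming. The values spliced into the `s?…?…?` replacements (`$EXT_DHCP_IP`, `$RELAY_DHCP_IP`, the `$PRIVATE_*` addresses) are not escaped, so a `?`, `&` or `\` in any of them corrupts the sed expression; since they come from the configuration file, validating them as addresses before use is the simpler fix. The control structure enclosing these branches lies outside the hunks.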
/scripts/alcasar-iptables-bypass.sh |
---|
43,6 → 43,7 |
# On autorise tout sur loopback |
# accept all on loopback |
$IPTABLES -A OUTPUT -o lo -j ACCEPT |
$IPTABLES -A INPUT -i lo -j ACCEPT |
# Insertion de règles de blocage (Devel) |
58,6 → 59,16 |
done < /usr/local/etc/alcasar-iptables-block |
fi |
# SSHD rules if activate |
if [ $SSH = on ] |
then |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -m state --state NEW -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-LAN -- ACCEPT" |
$IPTABLES -A INPUT -i $INTIF -s $PRIVATE_NETWORK_MASK -d $PRIVATE_IP -p tcp --dport ssh -j ACCEPT |
$IPTABLES -A INPUT -i $EXTIF -s $Admin_from_IP -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW --syn -j ULOG --ulog-nlgroup 2 --ulog-prefix "RULE ssh-from-WAN -- ACCEPT" |
$IPTABLES -A INPUT -i $EXTIF -s $Admin_from_IP -d $PUBLIC_IP -p tcp --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT |
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT |
fi |
# on autorise les requêtes dhcp |
# accept dhcp |
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT |
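Review bot: The new SSH block in the 58 hunk tests `[ $SSH = on ]` with the variable unquoted, so an unset `SSH` yields `[ = on ]`, a test error, and the whole block is silently skipped; use `if [ "$SSH" = "on" ]`. The two `$EXTIF` rules depend on `$Admin_from_IP` in the same way: if it is empty, `-s` takes `-d` as its argument, iptables rejects both rules and nothing is reported, while a broad value exposes the SSH service on `$EXTIF` to that whole range — an explicit `[ -n "$Admin_from_IP" ]` check before those two lines, refusing to add the WAN rules when it is unset, would make the behaviour deliberate. The `$INTIF` ACCEPT has no `--state` match while the `$EXTIF` ACCEPT uses `NEW,ESTABLISHED`, and the return path is only covered by the `OUTPUT -o $EXTIF … ESTABLISHED` rule; if a general ESTABLISHED/RELATED rule exists earlier in the chain the extra state here is redundant, otherwise the LAN return path relies on a rule outside this hunk, so a one-line comment stating which is intended would help. The enclosing script body starts before the hunk.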
/scripts/alcasar-iptables.sh |
---|
114,6 → 114,7 |
# Tout passe sur loopback |
# accept all on loopback |
$IPTABLES -A INPUT -i lo -j ACCEPT |
$IPTABLES -A OUTPUT -o lo -j ACCEPT |
# Rejet des demandes de connexions non conformes (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN) |
# Drop non standard connexions (FIN-URG-PUSH, XMAS, NullScan, SYN-RST et NEW not SYN) |