Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 1361 → Rev 1362

/alcasar.sh
50,6 → 50,7
DATE=`date '+%d %B %Y - %Hh%M'`
DATE_SHORT=`date '+%d/%m/%Y'`
Lang=`echo $LANG|cut -c 1-2`
mode="install"
# ******* Files parameters - paramètres fichiers *********
DIR_INSTALL=`pwd` # current directory
DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
108,34 → 109,51
##################################################################
testing ()
{
free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
if [ $free_space -lt 10 ]
then
# Test if ALCASAR is already installed
if [ -e $CONF_FILE ]
then
current_version=`cat $CONF_FILE | grep VERSION | cut -d"=" -f2`
if [ $Lang == "fr" ]
then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
fi
response=0
PTN='^[oOnNyY]$'
until [[ $(expr $response : $PTN) -gt 0 ]]
do
if [ $Lang == "fr" ]
then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
else echo -n "Do you want to update (Y/n)?";
fi
read response
done
if [ "$response" = "n" ] || [ "$response" = "N" ]
then
rm -f /tmp/alcasar-conf*
else
# Create a backup of running version importants files
$DIR_SCRIPTS/alcasar-conf.sh --create
mode="update"
fi
else
free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`
if [ $free_space -lt 10 ]
then
if [ $Lang == "fr" ]
then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
fi
exit 0
fi
fi
if [ $Lang == "fr" ]
then echo -n "Tests des paramètres réseau : "
else echo -n "Network parameters tests : "
fi
# We test gw
if [ "$EXTIF" == "" ]
then
if [ $Lang == "fr" ]
then
echo "L'adresse du routeur n'est pas configuré"
else
echo "The gateway address isn't set"
fi
exit 0
fi
# We test EXTIF config files
PUBLIC_IP=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`
PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`
if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
if [ "$EXTIF" == "" ] || [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]
then
if [ $Lang == "fr" ]
then
142,12 → 160,12
echo "Échec"
echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
echo "Appliquez les changements : 'service network restart'"
echo "Appliquez les changements : 'systemctl restart network'"
else
echo "Failed"
echo "The Internet connected network card ($EXTIF) isn't well configured."
echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
echo "Apply the new configuration 'service network restart'"
echo "Apply the new configuration 'systemctl restart network'"
fi
echo "DEVICE=$EXTIF"
echo "IPADDR="
1526,60 → 1544,25
systemctl -q enable $i
done
# Apply French Security Agency (ANSSI) rules
# ignorer les broadcast ICMP. (attaque smurf)
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
# ignorer les erreurs ICMP bogus
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
# désactiver l'envoi et la réponse aux ICMP redirects
sysctl -w net.ipv4.conf.all.accept_redirects=0
accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l`
if [ "$accept_redirect" == "0" ]
then
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
else
$SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf
fi
sysctl -w net.ipv4.conf.all.send_redirects=0
send_redirect=`grep send_redirect /etc/sysctl.conf|wc -l`
if [ "$send_redirect" == "0" ]
then
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
else
$SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf
fi
# activer les SYN Cookies (attaque syn flood)
sysctl -w net.ipv4.tcp_syncookies=1
tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf|wc -l`
if [ "$tcp_syncookies" == "0" ]
then
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
else
$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf
fi
# activer l'antispoofing niveau Noyau
sysctl -w net.ipv4.conf.all.rp_filter=1
# ignorer le source routing
sysctl -w net.ipv4.conf.all.accept_source_route=0
accept_source_route=`grep accept_source_route /etc/sysctl.conf|wc -l`
if [ "$accept_source_route" == "0" ]
then
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
else
$SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf
fi
# réglage du timer de maintien de suivi de session à 1h (3600s) au lieu de 5 semaines
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
timeout_established=`grep timeout_established /etc/sysctl.conf|wc -l`
if [ "$timeout_established" == "0" ]
then
echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf
else
$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf
fi
# ignore ICMP broadcast (smurf attack)
echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
# ignore ICMP errors bogus
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
# remove ICMP redirects responces
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
# enable SYN Cookies (Syn flood attacks)
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
# enable kernel antispoofing
echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
# ignore source routing
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
# set conntrack timer to 1h (3600s) instead of 5 weeks
echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
# disable log_martians (ALCASAR is often installed between two private network addresses)
sysctl -w net.ipv4.conf.all.log_martians=0
# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
# ??? $SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
echo "net.ipv4.conf.all.log_martians = 0" >> etc/sysctl.d/alcasar.conf
# remove Magic SysReq Keys
[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.con
# switch to multi-users runlevel (instead of x11)
ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
# GRUB modifications
1593,16 → 1576,12
$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
$SED "/^gfxmenu/d" /boot/grub/menu.lst
# Remove unused services and users
for old_svc in alsa sound dm
for svc in sshd.service
do
/sbin/chkconfig --del $old_svc
/bin/systemctl -q disable $svc
done
for svc in snmpd.service sshd.service
for rm_users in sysqdin
do
/bin/systemctl disable $svc
done
for rm_users in avahi-autoipd avahi icapd
do
user=`cat /etc/passwd|grep $rm_users|cut -d":" -f1`
if [ "$user" == "$rm_users" ]
then
1791,33 → 1770,6
license
header_install
testing
# Test if ALCASAR is already installed
if [ -e $CONF_FILE ]
then
current_version=`cat $CONF_FILE | grep VERSION | cut -d"=" -f2`
if [ $Lang == "fr" ]
then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
fi
response=0
PTN='^[oOnNyY]$'
until [[ $(expr $response : $PTN) -gt 0 ]]
do
if [ $Lang == "fr" ]
then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
else echo -n "Do you want to update (Y/n)?";
fi
read response
done
if [ "$response" = "n" ] || [ "$response" = "N" ]
then
rm -f /tmp/alcasar-conf*
else
# Create a backup of running version importants files
$DIR_SCRIPTS/alcasar-conf.sh --create
mode="update"
fi
fi
# RPMs install
$DIR_SCRIPTS/alcasar-urpmi.sh
if [ "$?" != "0" ]
1830,7 → 1782,7
$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
fi
# Test if manual update
if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" != "update" ]
if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
then
header_install
if [ $Lang == "fr" ]
1866,13 → 1818,11
MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f2|cut -c1`
UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION|cut -d"." -f3`
mode="update"
else
mode="install"
fi
for func in init network ACC CA init_db param_radius param_web_radius param_chilli param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron fail2ban post_install
do
$func
echo "*** 'debug' : end of function $func ***"; read a
# echo "*** 'debug' : end of function $func ***"; read a
done
;;
-u | --uninstall)
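Review bot: In the ANSSI sysctl hunk (1526,60 → 1544,25) the persisted hardening is incomplete and, unlike the `sysctl -w` lines it replaces, is never applied to the running kernel. The log_martians line appends to the relative path `etc/sysctl.d/alcasar.conf`, which either fails or creates a stray file under the install directory (the script does not run under `set -e`, so nothing stops), and the SysRq cleanup tests `51-alt-sysrq.conf` but removes `51-alt-sysrq.con`, so that file is never deleted. Nothing in the hunk loads /etc/sysctl.d/alcasar.conf, so rp_filter, syncookies and the redirect/source-route settings only take effect at the next boot unless a step outside this hunk runs `sysctl --system`. I would change the two lines to `echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf` and `[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm -f /etc/sysctl.d/51-alt-sysrq.conf`, and add `sysctl -p /etc/sysctl.d/alcasar.conf` after them (the nf_conntrack key will only load if that module is already present). The enclosing function starts and ends outside this hunk.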