| 630,7 → 630,7 |
|---|
| [ -e /etc/httpd/conf/vhosts-ssl.default ] || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default |
| $SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL |
| $SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL |
| $SED "s^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL |
| $SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL |
| chown -R root:apache /etc/pki |
| chmod -R 750 /etc/pki |
| } # End AC () |
| 1305,40 → 1305,53 |
|---|
| $SED "s?^ACCEPT_BOGUS_ERROR_RESPONSES=.*?ACCEPT_BOGUS_ERROR_RESPONSES=no?g" /etc/security/msec/level.fileserver |
| sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 |
| # désactiver l'envoi et la réponse aux ICMP redirects |
| sysctl -w net.ipv4.conf.all.accept_redirects=0 |
| accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l` |
| if [ "$accept_redirect" == "0" ] |
| then |
| echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf |
| echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf |
| else |
| $SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf |
| fi |
| sysctl -w net.ipv4.conf.all.send_redirects=0 |
| send_redirect=`grep send_redirect /etc/sysctl.conf|wc -l` |
| if [ "$send_redirect" == "0" ] |
| then |
| echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf |
| echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf |
| else |
| $SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf |
| fi |
| $SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf |
| $SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf |
| sysctl -w net.ipv4.conf.all.accept_redirects=0 |
| sysctl -w net.ipv4.conf.all.send_redirects=0 |
| # activer les SYN Cookies (attaque syn flood) |
| sysctl -w net.ipv4.tcp_syncookies=1 |
| tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf|wc -l` |
| if [ "$tcp_syncookies" == "0" ] |
| then |
| echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf |
| echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf |
| else |
| $SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf |
| fi |
| $SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf |
| sysctl -w net.ipv4.tcp_syncookies=1 |
| # activer l'antispoofing niveau Noyau |
| $SED "s?^ENABLE_IP_SPOOFING_PROTECTION.*?ENABLE_IP_SPOOFING_PROTECTION=yes?g" /etc/security/msec/level.fileserver |
| sysctl -w net.ipv4.conf.all.rp_filter=1 |
| # ignorer le source routing |
| sysctl -w net.ipv4.conf.all.accept_source_route=0 |
| accept_source_route=`grep accept_source_route /etc/sysctl.conf|wc -l` |
| if [ "$accept_source_route" == "0" ] |
| then |
| echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf |
| echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf |
| else |
| $SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf |
| fi |
| $SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf |
| sysctl -w net.ipv4.conf.all.accept_source_route=0 |
| # On supprime les log_martians (ALCASAR est souvent entre deux réseaux dont les plans d'adressage sont de type 'privée') |
| # réglage du timer de maintien de suivi de session à 1h (3600s) au lieu de 5 semaines |
| sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600 |
| timeout_established=`grep timeout_established /etc/sysctl.conf|wc -l` |
| if [ "$timeout_established" == "0" ] |
| then |
| echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf |
| else |
| $SED "s?timeout_established.*?itimeout_established = 3600?g" /etc/sysctl.conf |
| fi |
| # suppression des log_martians (ALCASAR est souvent entre deux réseaux en adressage privée) |
| sysctl -w net.ipv4.conf.all.log_martians=0 |
| $SED "s?^ENABLE_LOG_STRANGE_PACKETS=.*?ENABLE_LOG_STRANGE_PACKETS=no?g" /etc/security/msec/level.fileserver |
| |