| 444,11 → 444,14 |
|---|
| ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) & |
| EOF |
| # Firewall config |
| $SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh |
| $SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh |
| chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau) |
| # création du fichier d'exception au filtrage |
| touch $DIR_DEST_ETC/alcasar-filter-exceptions |
| $SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh |
| $SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh |
| chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau) |
| # create the filter exxeption file |
| touch $DIR_DEST_ETC/alcasar-filter-exceptions |
| # load conntrack ftp module |
| [ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default |
| echo "ip_conntrack_ftp" >> /etc/modprobe.preload |
| # le script $DIR_DEST_BIN/alcasar-iptables.sh est lancé à la fin (pour ne pas perturber une mise à jour via ssh) |
| } # End of network () |
| |
| 461,8 → 464,6 |
|---|
| ################################################################## |
| gestion() |
| { |
| # Suppression des CGI et des pages WEB installés par défaut |
| rm -rf /var/www/cgi-bin/* |
| [ -d $DIR_WEB ] && rm -rf $DIR_WEB |
| mkdir $DIR_WEB |
| # Copie et configuration des fichiers du centre de gestion |
| 489,6 → 490,7 |
|---|
| $SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini |
| $SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini |
| # Configuration et sécurisation Apache |
| rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README* |
| [ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default |
| $SED "s?^#ServerName.*?ServerName $HOSTNAME?g" /etc/httpd/conf/httpd.conf |
| $SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf |
| 495,6 → 497,13 |
|---|
| $SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf |
| $SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf |
| $SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf |
| $SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf |
| $SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf |
| $SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf |
| $SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf |
| $SED "s?^LoadModule cgi_module.*?#LoadModule cgi_module modules/mod_cgi.so?g" /etc/httpd/conf/httpd.conf |
| $SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf |
| $SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf |
| FIC_MOD_SSL=`find /etc/httpd/modules.d/ -type f -name *mod_ssl.conf` |
| $SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" $FIC_MOD_SSL # On écoute en SSL que sur INTIF |
| $SED "s?background-color.*?background-color: #EFEFEF; }?g" /var/www/error/include/top.html |
| 624,21 → 633,6 |
|---|
| AuthUserFile $DIR_DEST_ETC/digest/key_backup |
| ErrorDocument 404 https://$HOSTNAME/ |
| </Directory> |
| Alias /save/ "$DIR_SAVE/" |
| <Directory $DIR_SAVE> |
| SSLRequireSSL |
| Options Indexes |
| Order deny,allow |
| Deny from all |
| Allow from 127.0.0.1 |
| Allow from $PRIVATE_NETWORK_MASK |
| require valid-user |
| AuthType digest |
| AuthName $HOSTNAME |
| AuthUserFile $DIR_DEST_ETC/digest/key_backup |
| ErrorDocument 404 https://$HOSTNAME/ |
| ReadmeName /readmeSave.html |
| </Directory> |
| EOF |
| } # End of gestion () |
| |
| 1305,7 → 1299,7 |
|---|
| # sshd écoute côté LAN et WAN |
| $SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config |
| $SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config |
| # Put the default value in conf file (sshd, QOS, protocols filter and dns filter are off)(web antivirus is on) |
| # Put the default value in conf file (sshd, QOS and protocols/dns/ext_LAN filtering are off)(web antivirus is on) |
| /sbin/chkconfig --del sshd |
| echo "SSH=off" >> $CONF_FILE |
| echo 'Admin_from_IP="0.0.0.0/0.0.0.0"' >> $CONF_FILE |
| 1313,6 → 1307,7 |
|---|
| echo "LDAP=off" >> $CONF_FILE |
| echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE |
| echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE |
| echo "EXT_LAN_FILTERING=off" >> $CONF_FILE |
| echo "DNS_FILTERING=off" >> $CONF_FILE |
| echo "WEB_ANTIVIRUS=on" >> $CONF_FILE |
| # Coloration des prompts |