BlueGreycalmElegant

Català-Valencià – Catalan中文 – Chinese (Simplified)中文 – Chinese (Traditional)Česky – CzechDansk – DanishNederlands – DutchEnglish – EnglishSuomi – FinnishFrançais – FrenchDeutsch – Germanעברית – Hebrewहिंदी – HindiMagyar – HungarianBahasa Indonesia – IndonesianItaliano – Italian日本語 – Japanese한국어 – KoreanМакедонски – Macedonianमराठी – MarathiNorsk – NorwegianPolski – PolishPortuguês – PortuguesePortuguês – Portuguese (Brazil)Русский – RussianSlovenčina – SlovakSlovenščina – SlovenianEspañol – SpanishSvenska – SwedishTürkçe – TurkishУкраїнська – UkrainianOëzbekcha – Uzbek

Compare Revisions

• This comparison shows the changes necessary to convert path

  → /alcasar.sh @ 792

  → /alcasar.sh @ 793

  ↔ Reverse comparison

• Compare Path:	Rev

  With Path:	Rev

Ignore whitespace Rev 792 → Rev 793

/alcasar.sh
396,7 → 396,9
USERCTL=no
EOF
# Configuration de l'interface eth1 (réseau de consultation)
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
# utile uniquement pour le mode bypass (cf. alcasar-bypass.sh)
rm -f /etc/sysconfig/network-scripts/ifcfg-$INTIF
cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
DEVICE=$INTIF
BOOTPROTO=static
IPADDR=$PRIVATE_IP
848,6 → 850,7
uamserver https://$HOSTNAME/intercept.php
radiusnasid $HOSTNAME
uamsecret $secretuam
uamallowed alcasar
coaport 3799
include $DIR_DEST_ETC/alcasar-uamallowed
include $DIR_DEST_ETC/alcasar-uamdomain
1296,6 → 1299,8
[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
# postfix banner anonymisation
$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
# sshd écoute côté LAN et WAN
$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
1344,7 → 1349,6
$SED "s?BASE_LEVEL=.*?BASE_LEVEL=fileserver?g" /etc/security/msec/security.conf
# On supprime la vérification du mode promiscious des interfaces réseaux ( nombreuses alertes sur eth1 dûes à Tun0 )
$SED "s?CHECK_PROMISC=.*?CHECK_PROMISC=no?g" /etc/security/msec/level.fileserver
# On applique les préconisations ANSSI (sysctl + msec quand c'est possible)
# Apply French Security Agency rules (sysctl + msec when possible)
# ignorer les broadcast ICMP. (attaque smurf)
1398,12 → 1402,13
then
echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf
else
$SED "s?timeout_established.*?itimeout_established = 3600?g" /etc/sysctl.conf
$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf
fi
# suppression des log_martians (ALCASAR est souvent entre deux réseaux en adressage privée)
sysctl -w net.ipv4.conf.all.log_martians=0
$SED "s?^ENABLE_LOG_STRANGE_PACKETS=.*?ENABLE_LOG_STRANGE_PACKETS=no?g" /etc/security/msec/level.fileserver
# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
$SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
# On mets en place la sécurité sur les fichiers
1439,7 → 1444,7
$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
$SED "s?^kernel.*?& vga=791?g" /boot/grub/menu.lst
# On supprime les services et les utilisateurs inutiles
for svc in alsa sound dm atd netfs bootlogd stop-bootlogd
for svc in alsa sound dm atd bootlogd stop-bootlogd
do
/sbin/chkconfig --del $svc
done