/scripts/alcasar-CA.sh |
1,13 → 1,13 |
#!/bin/bash |
#!/bin/sh |
# $Id$ |
# alcasar-CA.sh |
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY |
# This script is distributed under the Gnu General Public License (GPL) |
# Création de la PKI et des certificats ALCASAR - Plusieurs idées ont été récupéées dans le script "nessus-mkcert" de Renaud Deraison et Michel Arboi |
# Creation of the ALCASAR PKI and certificates - Some ideas are from "nessus-mkcert" script written by Renaud Deraison and Michel Arboi |
# |
# Some ideas from "nessus-mkcert" script written by Renaud Deraison <deraison@cvs.nessus.org> |
# and Michel Arboi <arboi@alussinan.org> |
# |
DIR_TMP=${TMPDIR-/tmp}/alcasar-mkcert.$$ |
DIR_PKI=/etc/pki |
DIR_CERT=$DIR_PKI/tls |
14,9 → 14,10 |
DIR_WEB=/var/www/html |
CACERT=$DIR_PKI/CA/alcasar-ca.crt |
CAKEY=$DIR_PKI/CA/private/alcasar-ca.key |
SRVREQ=$DIR_CERT/alcasar.req |
SRVKEY=$DIR_CERT/private/alcasar.key |
SRVCERT=$DIR_CERT/certs/alcasar.crt |
SRVKEY=$DIR_CERT/private/alcasar.key |
SRVREQ=$DIR_CERT/alcasar.req |
SRVCHAIN=$DIR_CERT/certs/server-chain.crt |
CACERT_LIFETIME="1460" |
SRVCERT_LIFETIME="1460" |
216,8 → 217,10 |
echo "*********SRVCERT*********" >> $DIR_TMP/openssl-log |
openssl ca -config $DIR_TMP/ssl.conf -name AlcasarCA -batch -days $SRVCERT_LIFETIME -in $SRVREQ -out $SRVCERT 2>> $DIR_TMP/openssl-log |
rm -f $SRVREQ |
chmod a+r $CACERT $SRVCERT |
cp -f $SRVCERT $SRVCHAIN # in order to simplify the official intranet certificate import process |
chmod a+r $CACERT $SRVCERT $SRVCHAIN |
# Link certs in ALCASAR Control Center |
if [ -s "$CACERT" -a -s "$CAKEY" -a -s "$SRVCERT" -a -s "$SRVKEY" ]; |
then |
[ -d $DIR_WEB/certs ] || mkdir -p $DIR_WEB/certs |
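Review bot: The new `chmod a+r $CACERT $SRVCERT $SRVCHAIN` makes the `chmod a+r $CACERT $SRVCERT` two lines above redundant — the hunk header (8 old, 10 new lines) shows nothing was removed, so both run on the new side; drop the first. `cp -f $SRVCERT $SRVCHAIN` also unconditionally overwrites an existing server-chain.crt, which alcasar-conf.sh treats as the marker of an officially installed chain; if discarding that chain when the PKI is regenerated is intended, say so next to the copy, e.g. `# regenerating the PKI replaces any previously installed official chain`. The `[ -s ... -a -s ... ]` test uses the deprecated `-a`; `[[ -s "$CACERT" && -s "$CAKEY" && -s "$SRVCERT" && -s "$SRVKEY" ]]` is unambiguous, provided the shebang ends up as bash (the first hunk changes it between `#!/bin/bash` and `#!/bin/sh` in a direction this rendering does not show). The enclosing if block continues past the hunk.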
/scripts/alcasar-iptables.sh |
1,17 → 1,16 |
#!/bin/bash |
#!/bin/sh |
# $Id$ |
# alcasar-iptables.sh |
# by Rexy - 3abtux - CPN |
# This script is distributed under the Gnu General Public License (GPL) |
# Mise en place des regles du parefeu d'Alcasar (mode normal) |
# Script de mise en place des regles du parefeu d'Alcasar (mode normal) |
# This script write the netfilter rules for ALCASAR |
# Rexy - 3abtux - CPN |
# |
# Reminders |
# There are three channels for log : |
# 1 (default) for tracability; |
# 2 for secure admin (ssh); |
# 3 for exterior access attempts. |
# The French Security Agency (ANSSI) rules was applied by 'alcasar.sh' script |
# The bootps/dhcp (67) port is always open on tun0/eth1 by coova |
conf_file="/usr/local/etc/alcasar.conf" |
private_ip_mask=`grep PRIVATE_IP $conf_file|cut -d"=" -f2` |
35,7 → 34,7 |
PRIVATE_NETWORK_MASK=$private_network/$private_prefix # Lan IP address + prefix (192.168.182.0/24) |
PRIVATE_IP=`echo $private_ip_mask | cut -d"/" -f1` # ALCASAR LAN IP address |
DNSSERVERS="$dns1,$dns2" # first and second DNS IP servers addresses |
EXTIF="eth0" |
EXTIF="eth0" |
INTIF="eth1" |
TUNIF="tun0" # listen card for chilli daemon |
IPTABLES="/sbin/iptables" |
66,20 → 65,12 |
# Tout passe sur loopback |
# accept all on loopback |
$IPTABLES -A INPUT -i lo -j ACCEPT |
# On élimine les paquets "NEW not SYN" |
# Ensure that TCP connections start with syn packets |
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP |
############################# |
# INTIF rules # |
############################# |
# les requètes dhcp entrantes sont acceptées |
# accept dhcp |
$IPTABLES -A INPUT -i $INTIF -p udp -m udp --sport bootpc --dport bootps -j ACCEPT |
# La règle suivante interdit la sortie par INTIF. Elle n'est utile que lorsque chilli est arrêté. |
# INTIF is closed (all by TUNIF) |
# interdit l'accès à INTIF (n'est utile que lorsque chilli est arrêté). |
# Reject INTIF access (only when chilli is down) |
$IPTABLES -A INPUT -i $INTIF -j ULOG --ulog-prefix "RULE Protect1 -- REJECT " |
$IPTABLES -A INPUT -i $INTIF -j REJECT |
86,14 → 77,15 |
############################# |
# Local protection rules # |
############################# |
# On stoppe les tentatives de NULLSCAN et XMAS (tous flags à 1) |
# Drop XMAS & NULLscans |
# On stoppe les demande de connexions non conformes (NullScan, XMAS (tous flags à 1), NEW not SYN, etc.) |
# Drop non standard connexions (NULLscans, XMAS, "NEW not SYN", etc.) |
$IPTABLES -A INPUT -p tcp --tcp-flags FIN,URG,PSH FIN,URG,PSH -j DROP |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP |
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP |
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP |
$IPTABLES -A INPUT -p tcp -m tcp ! --syn -m state --state NEW -j DROP |
# On stoppe les broadcasts et multicast |
# On ne traite pas les broadcasts et multicast |
# Drop broadcast & multicast |
$IPTABLES -A INPUT -m addrtype --dst-type BROADCAST,MULTICAST -j DROP |
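Review bot: `$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP` is unreachable: a segment with every flag set also has FIN,URG,PSH set and is already dropped by the `--tcp-flags FIN,URG,PSH FIN,URG,PSH` rule just above it, so that line can go. The `! --syn -m state --state NEW` drop now appears both at the top of the INPUT chain in the earlier hunk and here in the local protection section; this rendering does not show whether the earlier copy survives on the new side, and if both do the second is a duplicate. Since the header defines log channels and the INTIF section logs with `ULOG --ulog-prefix` before rejecting, a matching ULOG rule ahead of these scan drops would make null/XMAS probes visible in the logs rather than silently dropped. The `PSH` in the first rule also catches some legitimate segments that set FIN,URG,PSH without being a full XMAS scan; if the intent is XMAS only, `--tcp-flags ALL FIN,URG,PSH` is the stricter match.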
/scripts/alcasar-conf.sh |
111,7 → 111,11 |
cp -f /etc/pki/tls/private/alcasar.key $DIR_UPDATE |
cp -f /etc/pki/CA/alcasar-ca.crt $DIR_UPDATE |
cp -f /etc/pki/CA/private/alcasar-ca.key $DIR_UPDATE |
[ -e /etc/pki/tls/certs/server-chain.crt ] && cp -f /etc/pki/tls/certs/server-chain.crt $DIR_UPDATE # cas d'un certificat officiel |
if [ -e /etc/pki/tls/certs/server-chain.crt ]; then |
cp -f /etc/pki/tls/certs/server-chain.crt $DIR_UPDATE |
else |
cp -f /etc/pki/tls/certs/alcasar.crt $DIR_UPDATE/server-chain.crt |
fi |
fi |
# si version < 2.2 |
if [ $MAJ_RUNNING_VERSION -lt 2 ] || ([ $MAJ_RUNNING_VERSION -eq 2 ] && [ $MIN_RUNNING_VERSION -lt 2 ]) |
192,11 → 196,7 |
[ -e $DIR_UPDATE/alcasar-ca.key ] && cp -f $DIR_UPDATE/alcasar-ca.key /etc/pki/CA/private/ |
[ -e $DIR_UPDATE/alcasar.crt ] && cp -f $DIR_UPDATE/alcasar.crt /etc/pki/tls/certs/ |
[ -e $DIR_UPDATE/alcasar.key ] && cp -f $DIR_UPDATE/alcasar.key /etc/pki/tls/private/ |
if [ -e $DIR_UPDATE/server-chain.crt ]; then # si un certificat officiel est installé |
cp -f $DIR_UPDATE/server-chain.crt /etc/pki/tls/certs/ |
FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl*` |
$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?g" $FIC_VIRTUAL_SSL |
fi |
[ -e $DIR_UPDATE/server-chain.crt ] && cp -f $DIR_UPDATE/server-chain.crt /etc/pki/tls/certs/ |
chown -R root:apache /etc/pki |
chmod -R 750 /etc/pki |
# Import de la dernière base usagers |
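Review bot: With the `$SED` that enabled `SSLCertificateChainFile` removed, the new `[ -e $DIR_UPDATE/server-chain.crt ] && cp -f $DIR_UPDATE/server-chain.crt /etc/pki/tls/certs/` restores the chain file without anything in this hunk pointing the httpd vhost at it; if no other step does, a chain restored from an official certificate is silently unused by Apache. The first hunk now always writes a server-chain.crt into $DIR_UPDATE (falling back to alcasar.crt), so the `-e` guard only matters for archives from older versions; a comment such as `# server-chain.crt is always present in archives from this version on` would make that intent clear. The new else branch stores the self-signed alcasar.crt under the chain name, so "server-chain.crt" no longer implies an official chain — the French comment on the removed line made that assumption, and the fallback is worth stating in the new block. `$DIR_UPDATE` stays unquoted, which matches the file's existing style but would be safer as `"$DIR_UPDATE"`.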