1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar.sh 854 2012-04-09 19:31:46Z richard $
|
2 |
# $Id: alcasar.sh 860 2012-04-20 17:51:24Z richard $
|
3 |
|
3 |
|
4 |
# alcasar.sh
|
4 |
# alcasar.sh
|
5 |
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
|
5 |
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
7 |
|
7 |
|
454 |
EOF
|
454 |
EOF
|
455 |
# Firewall config
|
455 |
# Firewall config
|
456 |
$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
|
456 |
$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
|
457 |
$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
|
457 |
$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
|
458 |
chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
|
458 |
chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
|
459 |
# create the filter exxeption file
|
459 |
# create the filter exception file and ip_bloqued file
|
460 |
touch $DIR_DEST_ETC/alcasar-filter-exceptions
|
460 |
touch $DIR_DEST_ETC/alcasar-filter-exceptions
|
- |
|
461 |
# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
|
- |
|
462 |
echo "#$PUBLIC_IP/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
|
461 |
# load conntrack ftp module
|
463 |
# load conntrack ftp module
|
462 |
[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
|
464 |
[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
|
463 |
echo "ip_conntrack_ftp" >> /etc/modprobe.preload
|
465 |
echo "ip_conntrack_ftp" >> /etc/modprobe.preload
|
464 |
# le script $DIR_DEST_BIN/alcasar-iptables.sh est lancé à la fin (pour ne pas perturber une mise à jour via ssh)
|
466 |
# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
|
465 |
} # End of network ()
|
467 |
} # End of network ()
|
466 |
|
468 |
|
467 |
##################################################################
|
469 |
##################################################################
|
468 |
## Fonction gestion ##
|
470 |
## Fonction gestion ##
|
469 |
## - installation du centre de gestion ##
|
471 |
## - installation du centre de gestion ##
|
1399 |
# postfix banner anonymisation
|
1401 |
# postfix banner anonymisation
|
1400 |
$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
|
1402 |
$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
|
1401 |
# sshd écoute côté LAN et WAN
|
1403 |
# sshd écoute côté LAN et WAN
|
1402 |
$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
|
1404 |
$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
|
1403 |
$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
|
1405 |
$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
|
1404 |
# Put the default value in conf file (sshd, QOS and protocols/dns/ext_LAN filtering are off)(web antivirus is on)
|
1406 |
# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
|
1405 |
/sbin/chkconfig --del sshd
|
1407 |
/sbin/chkconfig --del sshd
|
1406 |
echo "SSH=off" >> $CONF_FILE
|
1408 |
echo "SSH=off" >> $CONF_FILE
|
1407 |
echo 'Admin_from_IP="0.0.0.0/0.0.0.0"' >> $CONF_FILE
|
1409 |
echo 'Admin_from_IP="0.0.0.0/0.0.0.0"' >> $CONF_FILE
|
1408 |
echo "QOS=off" >> $CONF_FILE
|
1410 |
echo "QOS=off" >> $CONF_FILE
|
1409 |
echo "LDAP=off" >> $CONF_FILE
|
1411 |
echo "LDAP=off" >> $CONF_FILE
|
1410 |
echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
|
1412 |
echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
|
1411 |
echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
|
1413 |
echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
|
1412 |
echo "EXT_LAN_FILTERING=off" >> $CONF_FILE
|
- |
|
1413 |
echo "DNS_FILTERING=off" >> $CONF_FILE
|
1414 |
echo "DNS_FILTERING=off" >> $CONF_FILE
|
1414 |
echo "WEB_ANTIVIRUS=on" >> $CONF_FILE
|
1415 |
echo "WEB_ANTIVIRUS=on" >> $CONF_FILE
|
1415 |
# Coloration des prompts
|
1416 |
# Coloration des prompts
|
1416 |
[ -e /etc/bashrc.default ] || cp /etc/bashrc /etc/bashrc.default
|
1417 |
[ -e /etc/bashrc.default ] || cp /etc/bashrc /etc/bashrc.default
|
1417 |
cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
|
1418 |
cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
|