WebSVN – ALCASAR – Diff – /alcasar.sh



#!/bin/bash
#  $Id: alcasar.sh 2868 2020-10-26 21:22:24Z rexy $
 
# alcasar.sh
# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
# This script is distributed under the Gnu General Public License (GPL)
#  team@alcasar.net

USERCTL=no
MTU=$MTU
EOF
	fi
# write INTIF (consultation LAN) in normal mode
cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
DEVICE=$INTIF
BOOTPROTO=static
ONBOOT=yes
NOZEROCONF=yes

IPV6INIT=no
IPV6TO4INIT=no
ACCOUNTING=no
USERCTL=no
EOF
 
# write INTIF in bypass mode (see "alcasar-bypass.sh")
	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
DEVICE=$INTIF
BOOTPROTO=static
IPADDR=$PRIVATE_IP

{
# Clamd adaptation to e2guardian
[ -e /lib/systemd/system/clamav-daemon.service.default ] || cp /lib/systemd/system/clamav-daemon.service /lib/systemd/system/clamav-daemon.service.default
	$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /lib/systemd/system/clamav-daemon.service
	$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /lib/systemd/system/clamav-daemon.service
[ -e /lib/systemd/system/clamav-daemon.socket.default ] || cp /lib/systemd/system/clamav-daemon.socket /lib/systemd/system/clamav-daemon.socket.default
	$SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
	$SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /lib/systemd/system/clamav-daemon.socket
	
[ -e /etc/clamd.conf.default ] || cp /etc/clamd.conf /etc/clamd.conf.default
	$SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf
	$SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message
	$SED "s?^LogVerbose.*?LogVerbose no?g" /etc/clamd.conf
	$SED "s?^#LogRotate.*?LogRotate yes?g" /etc/clamd.conf

## - configure NetFlow grapher (nfsen-ng)               ##
##########################################################
nfsen()
{
	groupadd -f nfcapd
	id -u nfcapd >/dev/null 2>&1 || useradd -r -g nfcapd -s /bin/false -c "system user for nfcapd" nfcapd
# nfcapd unit for systemd
	cat << EOF > /lib/systemd/system/nfcapd.service
#  This file is part of systemd.
#
#  systemd is free software; you can redistribute it and/or modify it

##- Adapt conf file to ALCASAR                                        ##
##- Secure items : DDOS, SSH-Brute-Force, Intercept & ACC brute-Force ##
########################################################################
fail2ban()
{
# adapt fail2ban to Mageia (fedora like) & ALCASAR behaviour
[ -e /etc/fail2ban/jail.conf.default ] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default
$SED "s?^before =.*?before = paths-fedora.conf?g" /etc/fail2ban/jail.conf
 
 
 
# add 5 jails and their filters
## sshd : Ban after 3 failed attempts (ie. brute-force). This "jail" uses the default "sshd" f2b filter.
cat << EOF > /etc/fail2ban/jail.d/01-alcasar_sshd.conf
[sshd]
enabled = true
#enabled  = false
maxretry = 3
bantime = 3m
findtime = 5m
EOF
 
## lighttpd-auth : Ban after 3 failed attempts on ACC. This "jail" uses the default "lighttpd-auth" f2b filter.
cat << EOF > /etc/fail2ban/jail.d/02-alcasar_lighttpd-auth.conf
[lighttpd-auth]
enabled = true
#enabled  = false
maxretry = 3
bantime = 3m
findtime = 3m
EOF
 
## mod-evasive : Ban after 3 failed retrieve page attempts (ie : unknown page)
cat << EOF > /etc/fail2ban/jail.d/03-alcasar_mod-evasive.conf
[alcasar_mod-evasive]
#enabled = true
enabled = false
backend = auto
filter = alcasar_mod-evasive
action = iptables-allports[name=alcasar_mod-evasive]
logpath = /var/log/lighttpd/access.log
maxretry = 3
bantime = 3m
findtime = 3m
EOF
cat << EOF > /etc/fail2ban/filter.d/alcasar_mod-evasive.conf
[Definition]
failregex =  <HOST> .+\] "[^"]+" 403
ignoreregex =
EOF
 
### alcasar_intercept : ban after 5 failed user login attemps on intercept.php
cat << EOF > /etc/fail2ban/jail.d/04-alcasar_intercept.conf
[alcasar_intercept]
enabled = true
#enabled = false
backend = auto
filter = alcasar_intercept
action = iptables-allports[name=alcasar_intercept]
logpath = /var/log/lighttpd/access.log
maxretry = 5
bantime = 3m
findtime = 3m
EOF
cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf
[Definition]
failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject
ignoreregex =
EOF
 
## alcasar_change-pwd : ban after 5 failed user change password attempts
cat << EOF > /etc/fail2ban/jail.d/05-alcasar_change-pwd.conf
[alcasar_change-pwd]
enabled = true
#enabled = false
backend = auto
filter = alcasar_change-pwd
action = iptables-allports[name=alcasar_change-pwd]
logpath = /var/log/lighttpd/access.log
maxretry = 5
bantime = 3m
findtime = 3m
EOF
cat << EOF > /etc/fail2ban/filter.d/alcasar_change-pwd.conf
[Definition]
failregex = <HOST> .* \"POST \/password\.php
ignoreregex =

#########################################################
gammu_smsd()
{
# Create 'gammu' system user
	groupadd -f gammu_smsd
	useradd -r -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd
	usermod -a -G dialout gammu_smsd
 
# Create 'gammu' database
	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"
	$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"

Rev 2867	Rev 2868
Line 1...	Line 1...
1	`#!/bin/bash`	1	`#!/bin/bash`
2	`# $Id: alcasar.sh 2867 2020-10-24 14:33:04Z rexy $`	2	`# $Id: alcasar.sh 2868 2020-10-26 21:22:24Z rexy $`
3		3
4	`# alcasar.sh`	4	`# alcasar.sh`
5	`# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)`	5	`# ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)`
6	`# This script is distributed under the Gnu General Public License (GPL)`	6	`# This script is distributed under the Gnu General Public License (GPL)`
7	`# team@alcasar.net`	7	`# team@alcasar.net`
Line 655...	Line 655...
655	`USERCTL=no`	655	`USERCTL=no`
656	`MTU=$MTU`	656	`MTU=$MTU`
657	`EOF`	657	`EOF`
658	`fi`	658	`fi`
659	`# write INTIF (consultation LAN) in normal mode`	659	`# write INTIF (consultation LAN) in normal mode`
-		660	`cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF`
660	`cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF`	661	`cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF`
661	`DEVICE=$INTIF`	662	`DEVICE=$INTIF`
662	`BOOTPROTO=static`	663	`BOOTPROTO=static`
663	`ONBOOT=yes`	664	`ONBOOT=yes`
664	`NOZEROCONF=yes`	665	`NOZEROCONF=yes`
Line 666...	Line 667...
666	`IPV6INIT=no`	667	`IPV6INIT=no`
667	`IPV6TO4INIT=no`	668	`IPV6TO4INIT=no`
668	`ACCOUNTING=no`	669	`ACCOUNTING=no`
669	`USERCTL=no`	670	`USERCTL=no`
670	`EOF`	671	`EOF`
671	`cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF`	-
672	`# write INTIF in bypass mode (see "alcasar-bypass.sh")`	672	`# write INTIF in bypass mode (see "alcasar-bypass.sh")`
673	`cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF`	673	`cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF`
674	`DEVICE=$INTIF`	674	`DEVICE=$INTIF`
675	`BOOTPROTO=static`	675	`BOOTPROTO=static`
676	`IPADDR=$PRIVATE_IP`	676	`IPADDR=$PRIVATE_IP`
Line 1365...	Line 1365...
1365	`{`	1365	`{`
1366	`# Clamd adaptation to e2guardian`	1366	`# Clamd adaptation to e2guardian`
1367	`[ -e /lib/systemd/system/clamav-daemon.service.default ] \|\| cp /lib/systemd/system/clamav-daemon.service /lib/systemd/system/clamav-daemon.service.default`	1367	`[ -e /lib/systemd/system/clamav-daemon.service.default ] \|\| cp /lib/systemd/system/clamav-daemon.service /lib/systemd/system/clamav-daemon.service.default`
1368	`$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /lib/systemd/system/clamav-daemon.service`	1368	`$SED "/^[Service]/a ExecStartPre=\/bin\/chown e2guardian:e2guardian \/run\/clamav" /lib/systemd/system/clamav-daemon.service`
1369	`$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /lib/systemd/system/clamav-daemon.service`	1369	`$SED "/^[Service]/a ExecStartPre=\/bin\/mkdir -p \/run\/clamav" /lib/systemd/system/clamav-daemon.service`
-		1370	`[ -e /lib/systemd/system/clamav-daemon.socket.default ] \|\| cp /lib/systemd/system/clamav-daemon.socket /lib/systemd/system/clamav-daemon.socket.default`
-		1371	`$SED "s?^SocketUser=.*?SocketUser=e2guardian?g" /lib/systemd/system/clamav-daemon.socket`
-		1372	`$SED "s?^SocketGroup=.*?SocketGroup=e2guardian?g" /lib/systemd/system/clamav-daemon.socket`
-		1373
1370	`[ -e /etc/clamd.conf.default ] \|\| cp /etc/clamd.conf /etc/clamd.conf.default`	1374	`[ -e /etc/clamd.conf.default ] \|\| cp /etc/clamd.conf /etc/clamd.conf.default`
1371	`$SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf`	1375	`$SED "s?^MaxThreads.*?MaxThreads 32?g" /etc/clamd.conf`
1372	`$SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message`	1376	`$SED "s?^#LogTime.*?LogTime yes?g" /etc/clamd.conf # enable logtime for each message`
1373	`$SED "s?^LogVerbose.*?LogVerbose no?g" /etc/clamd.conf`	1377	`$SED "s?^LogVerbose.*?LogVerbose no?g" /etc/clamd.conf`
1374	`$SED "s?^#LogRotate.*?LogRotate yes?g" /etc/clamd.conf`	1378	`$SED "s?^#LogRotate.*?LogRotate yes?g" /etc/clamd.conf`
Line 1422...	Line 1426...
1422	`## - configure NetFlow grapher (nfsen-ng) ##`	1426	`## - configure NetFlow grapher (nfsen-ng) ##`
1423	`##########################################################`	1427	`##########################################################`
1424	`nfsen()`	1428	`nfsen()`
1425	`{`	1429	`{`
1426	`groupadd -f nfcapd`	1430	`groupadd -f nfcapd`
1427	`useradd -r -g nfcapd -s /bin/false -c "system user for nfcapd" nfcapd`	1431	`id -u nfcapd >/dev/null 2>&1 \|\| useradd -r -g nfcapd -s /bin/false -c "system user for nfcapd" nfcapd`
1428	`# nfcapd unit for systemd`	1432	`# nfcapd unit for systemd`
1429	`cat << EOF > /lib/systemd/system/nfcapd.service`	1433	`cat << EOF > /lib/systemd/system/nfcapd.service`
1430	`# This file is part of systemd.`	1434	`# This file is part of systemd.`
1431	`#`	1435	`#`
1432	`# systemd is free software; you can redistribute it and/or modify it`	1436	`# systemd is free software; you can redistribute it and/or modify it`
Line 1836...	Line 1840...
1836	`##- Adapt conf file to ALCASAR ##`	1840	`##- Adapt conf file to ALCASAR ##`
1837	`##- Secure items : DDOS, SSH-Brute-Force, Intercept & ACC brute-Force ##`	1841	`##- Secure items : DDOS, SSH-Brute-Force, Intercept & ACC brute-Force ##`
1838	`########################################################################`	1842	`########################################################################`
1839	`fail2ban()`	1843	`fail2ban()`
1840	`{`	1844	`{`
1841	`# adapt fail2ban.conf to Mageia (fedora like) & ALCASAR behaviour`	1845	`# adapt fail2ban to Mageia (fedora like) & ALCASAR behaviour`
1842	`[ -e /etc/fail2ban/jail.conf.default ] \|\| cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default`	1846	`[ -e /etc/fail2ban/jail.conf.default ] \|\| cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default`
1843	`$SED "s?^before =.*?before = paths-fedora.conf?g" /etc/fail2ban/jail.conf`	1847	`$SED "s?^before =.*?before = paths-fedora.conf?g" /etc/fail2ban/jail.conf`
1844	`$SED "s?^bantime =.*?bantime = 3m?g" /etc/fail2ban/jail.conf`	-
1845	`$SED "s?^findtime =.*?findtime = 5m?g" /etc/fail2ban/jail.conf`	-
1846		1848
1847	`# add 5 jails and their filters`	1849	`# add 5 jails and their filters`
1848	`## sshd : Ban after 3 failed attempts (ie. brute-force). This "jail" uses the default "sshd" f2b filter.`	1850	`## sshd : Ban after 3 failed attempts (ie. brute-force). This "jail" uses the default "sshd" f2b filter.`
1849	`cat << EOF > /etc/fail2ban/jail.d/01alcasar_sshd.conf`	1851	`cat << EOF > /etc/fail2ban/jail.d/01-alcasar_sshd.conf`
1850	`[sshd]`	1852	`[sshd]`
1851	`enabled = true`	1853	`enabled = true`
1852	`#enabled = false`	1854	`#enabled = false`
1853	`maxretry = 3`	1855	`maxretry = 3`
-		1856	`bantime = 3m`
-		1857	`findtime = 5m`
1854	`EOF`	1858	`EOF`
1855		1859
1856	`## lighttpd-auth : Ban after 3 failed attempts on ACC. This "jail" uses the default "lighttpd-auth" f2b filter.`	1860	`## lighttpd-auth : Ban after 3 failed attempts on ACC. This "jail" uses the default "lighttpd-auth" f2b filter.`
1857	`cat << EOF > /etc/fail2ban/jail.d/02alcasar_lighttpd-auth.conf`	1861	`cat << EOF > /etc/fail2ban/jail.d/02-alcasar_lighttpd-auth.conf`
1858	`[lighttpd-auth]`	1862	`[lighttpd-auth]`
1859	`enabled = true`	1863	`enabled = true`
1860	`#enabled = false`	1864	`#enabled = false`
1861	`maxretry = 3`	1865	`maxretry = 3`
-		1866	`bantime = 3m`
-		1867	`findtime = 3m`
1862	`EOF`	1868	`EOF`
1863		1869
1864	`## mod-evasive : Ban after 3 failed retrieve page attempts (ie : unknown page)`	1870	`## mod-evasive : Ban after 3 failed retrieve page attempts (ie : unknown page)`
1865	`cat << EOF > /etc/fail2ban/jail.d/03alcasar_mod-evasive.conf`	1871	`cat << EOF > /etc/fail2ban/jail.d/03-alcasar_mod-evasive.conf`
1866	`[alcasar_mod-evasive]`	1872	`[alcasar_mod-evasive]`
1867	`#enabled = true`	1873	`#enabled = true`
1868	`enabled = false`	1874	`enabled = false`
1869	`backend = auto`	1875	`backend = auto`
1870	`filter = alcasar_mod-evasive`	1876	`filter = alcasar_mod-evasive`
1871	`action = iptables-allports[name=alcasar_mod-evasive]`	1877	`action = iptables-allports[name=alcasar_mod-evasive]`
1872	`logpath = /var/log/lighttpd/access.log`	1878	`logpath = /var/log/lighttpd/access.log`
1873	`maxretry = 3`	1879	`maxretry = 3`
-		1880	`bantime = 3m`
-		1881	`findtime = 3m`
1874	`EOF`	1882	`EOF`
1875	`cat << EOF > /etc/fail2ban/filter.d/alcasar_mod-evasive.conf`	1883	`cat << EOF > /etc/fail2ban/filter.d/alcasar_mod-evasive.conf`
1876	`[Definition]`	1884	`[Definition]`
1877	`failregex = <HOST> .+\] "[^"]+" 403`	1885	`failregex = <HOST> .+\] "[^"]+" 403`
1878	`ignoreregex =`	1886	`ignoreregex =`
1879	`EOF`	1887	`EOF`
1880		1888
1881	`### alcasar_intercept : ban after 5 failed user login attemps on intercept.php`	1889	`### alcasar_intercept : ban after 5 failed user login attemps on intercept.php`
1882	`cat << EOF > /etc/fail2ban/jail.d/04alcasar_intercept.conf`	1890	`cat << EOF > /etc/fail2ban/jail.d/04-alcasar_intercept.conf`
1883	`[alcasar_intercept]`	1891	`[alcasar_intercept]`
1884	`enabled = true`	1892	`enabled = true`
1885	`#enabled = false`	1893	`#enabled = false`
1886	`backend = auto`	1894	`backend = auto`
1887	`filter = alcasar_intercept`	1895	`filter = alcasar_intercept`
1888	`action = iptables-allports[name=alcasar_intercept]`	1896	`action = iptables-allports[name=alcasar_intercept]`
1889	`logpath = /var/log/lighttpd/access.log`	1897	`logpath = /var/log/lighttpd/access.log`
1890	`maxretry = 5`	1898	`maxretry = 5`
-		1899	`bantime = 3m`
-		1900	`findtime = 3m`
-		1901	`EOF`
1891	`cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf`	1902	`cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf`
1892	`[Definition]`	1903	`[Definition]`
1893	`failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject`	1904	`failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject`
1894	`ignoreregex =`	1905	`ignoreregex =`
1895	`EOF`	1906	`EOF`
1896		1907
1897	`## alcasar_change-pwd : ban after 5 failed user change password attempts`	1908	`## alcasar_change-pwd : ban after 5 failed user change password attempts`
1898	`cat << EOF > /etc/fail2ban/jail.d/05alcasar_change-pwd.conf`	1909	`cat << EOF > /etc/fail2ban/jail.d/05-alcasar_change-pwd.conf`
1899	`[alcasar_change-pwd]`	1910	`[alcasar_change-pwd]`
1900	`enabled = true`	1911	`enabled = true`
1901	`#enabled = false`	1912	`#enabled = false`
1902	`backend = auto`	1913	`backend = auto`
1903	`filter = alcasar_change-pwd`	1914	`filter = alcasar_change-pwd`
1904	`action = iptables-allports[name=alcasar_change-pwd]`	1915	`action = iptables-allports[name=alcasar_change-pwd]`
1905	`logpath = /var/log/lighttpd/access.log`	1916	`logpath = /var/log/lighttpd/access.log`
1906	`maxretry = 5`	1917	`maxretry = 5`
-		1918	`bantime = 3m`
-		1919	`findtime = 3m`
1907	`EOF`	1920	`EOF`
1908	`cat << EOF > /etc/fail2ban/filter.d/alcasar_change-pwd.conf`	1921	`cat << EOF > /etc/fail2ban/filter.d/alcasar_change-pwd.conf`
1909	`[Definition]`	1922	`[Definition]`
1910	`failregex = <HOST> .* \"POST \/password\.php`	1923	`failregex = <HOST> .* \"POST \/password\.php`
1911	`ignoreregex =`	1924	`ignoreregex =`
Line 1931...	Line 1944...
1931	`#########################################################`	1944	`#########################################################`
1932	`gammu_smsd()`	1945	`gammu_smsd()`
1933	`{`	1946	`{`
1934	`# Create 'gammu' system user`	1947	`# Create 'gammu' system user`
1935	`groupadd -f gammu_smsd`	1948	`groupadd -f gammu_smsd`
1936	`useradd --system -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd`	1949	`useradd -r -g gammu_smsd -s /bin/false -c "system user for gammu_smsd" gammu_smsd`
1937	`usermod -a -G dialout gammu_smsd`	1950	`usermod -a -G dialout gammu_smsd`
1938		1951
1939	`# Create 'gammu' database`	1952	`# Create 'gammu' database`
1940	`MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"`	1953	`MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --execute"`
1941	`$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"`	1954	`$MYSQL "CREATE DATABASE IF NOT EXISTS $DB_GAMMU; GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd'; FLUSH PRIVILEGES;"`

Subversion Repositories ALCASAR

(root)/alcasar.sh – Rev 2867 → 2868