Subversion Repositories ALCASAR

Rev

Rev 3190 | Rev 3192 | Go to most recent revision | Show entire file | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 3190 Rev 3191
Line 1... Line 1...
1
#!/bin/bash
1
#!/bin/bash
2
#  $Id: alcasar.sh 3190 2024-04-07 22:35:03Z rexy $
2
#  $Id: alcasar.sh 3191 2024-04-14 22:31:49Z rexy $
3
 
3
 
4
# ALCASAR is a Free and open source NAC (Network Access Controler) created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
4
# ALCASAR is a Free and open source NAC (Network Access Controler) created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
5
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, lighttpd, php, netfilter, e2guardian, ntpd, openssl, unbound, gammu, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump
5
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, lighttpd, php, netfilter, e2guardian, ntpd, openssl, unbound, gammu, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump
6
# contact : info@alcasar.net
6
# contact : info@alcasar.net
7
 
7
 
Line 847... Line 847...
847
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
847
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
848
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
848
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
849
# Configuring & securing Lighttpd
849
# Configuring & securing Lighttpd
850
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
850
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
851
	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
851
	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
852
	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
-
 
853
	$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
852
	$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
854
	$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
853
	$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
855
	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
854
	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
856
	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
855
	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
857
 
856
 
Line 859... Line 858...
859
	$SED "s?^#[ ]*\"mod_auth\",.*?\"mod_auth\",?g" /etc/lighttpd/modules.conf
858
	$SED "s?^#[ ]*\"mod_auth\",.*?\"mod_auth\",?g" /etc/lighttpd/modules.conf
860
	$SED "s?^#[ ]*\"mod_authn_file\",.*?\"mod_authn_file\",?g" /etc/lighttpd/modules.conf
859
	$SED "s?^#[ ]*\"mod_authn_file\",.*?\"mod_authn_file\",?g" /etc/lighttpd/modules.conf
861
	$SED "s?^#[ ]*\"mod_alias\",.*?\"mod_alias\",?g" /etc/lighttpd/modules.conf
860
	$SED "s?^#[ ]*\"mod_alias\",.*?\"mod_alias\",?g" /etc/lighttpd/modules.conf
862
	$SED "s?^#[ ]*\"mod_redirect\",.*?\"mod_redirect\",?g" /etc/lighttpd/modules.conf
861
	$SED "s?^#[ ]*\"mod_redirect\",.*?\"mod_redirect\",?g" /etc/lighttpd/modules.conf
863
	$SED "/^[ ]*\"mod_redirect\",/a\"mod_openssl\"," /etc/lighttpd/modules.conf
862
	$SED "/^[ ]*\"mod_redirect\",/a\"mod_openssl\"," /etc/lighttpd/modules.conf
864
	$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
863
	$SED "s?^#include conf_dir + \"/conf.d/fastcgi.conf\".*?include conf_dir + \"/conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
865
 
864
 
866
	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
865
	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
867
	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
866
	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
868
 
867
 
869
	[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
868
	[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
Line 918... Line 917...
918
##                     "time_server"                       ##
917
##                     "time_server"                       ##
919
## - Configuring NTP server                                ##
918
## - Configuring NTP server                                ##
920
#############################################################
919
#############################################################
921
time_server()
920
time_server()
922
{
921
{
923
# Set the Internet time server
-
 
924
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
-
 
925
	cat <<EOF > /etc/ntp/step-tickers
-
 
926
0.fr.pool.ntp.org	# adapt to your country
-
 
927
1.fr.pool.ntp.org
-
 
928
2.fr.pool.ntp.org
-
 
929
EOF
-
 
930
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
-
 
931
	cat <<EOF > /etc/ntp.conf
-
 
932
server 0.fr.pool.ntp.org	# adapt to your country
-
 
933
server 1.fr.pool.ntp.org
-
 
934
server 2.fr.pool.ntp.org
-
 
935
server 127.127.1.0   		# local clock si NTP internet indisponible ...
-
 
936
fudge 127.127.1.0 stratum 10
-
 
937
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
-
 
938
restrict 127.0.0.1
-
 
939
driftfile /var/lib/ntp/drift
-
 
940
logfile /var/log/ntp.log
-
 
941
disable monitor
-
 
942
EOF
-
 
943
	chown -R ntp:ntp /var/lib/ntp
-
 
944
# Synchronize now
922
# Synchronize now
945
	ntpd -4 -q -g &
923
	ntpdate pool.ntp.org &
946
} # End of time_server()
924
} # End of time_server()
947
 
925
 
948
#####################################################################
926
#####################################################################
949
##                           "init_db"                             ##
927
##                           "init_db"                             ##
950
## - Mysql initialization                                          ##
928
## - Mysql initialization                                          ##
Line 1816... Line 1794...
1816
########################################################################
1794
########################################################################
1817
fail2ban()
1795
fail2ban()
1818
{
1796
{
1819
# adapt fail2ban to Mageia (fedora like) & ALCASAR behaviour
1797
# adapt fail2ban to Mageia (fedora like) & ALCASAR behaviour
1820
	[ -e /etc/fail2ban/jail.conf.default ] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default
1798
	[ -e /etc/fail2ban/jail.conf.default ] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default
1821
	$SED "s?^before =.*?before = paths-fedora.conf?g" /etc/fail2ban/jail.conf
1799
	$SED "s?^before =.*?before = paths-mageia.conf?g" /etc/fail2ban/jail.conf
1822
 
1800
 
1823
# add 5 jails and their filters
1801
# add 5 jails and their filters
1824
## sshd : Ban after 3 failed attempts (ie. brute-force). This "jail" uses the default "sshd" f2b filter.
1802
## sshd : Ban after 3 failed attempts (ie. brute-force). This "jail" uses the default "sshd" f2b filter.
1825
	cat << EOF > /etc/fail2ban/jail.d/01-alcasar_sshd.conf
1803
	cat << EOF > /etc/fail2ban/jail.d/01-alcasar_sshd.conf
1826
[sshd]
1804
[sshd]