Line 1... |
Line 1... |
1 |
#!/bin/bash
|
1 |
#!/bin/bash
|
2 |
# $Id: alcasar.sh 675 2011-07-18 21:24:19Z richard $
|
2 |
# $Id: alcasar.sh 679 2011-07-21 17:53:48Z richard $
|
3 |
|
3 |
|
4 |
# alcasar.sh
|
4 |
# alcasar.sh
|
5 |
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
|
5 |
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
6 |
# This script is distributed under the Gnu General Public License (GPL)
|
7 |
|
7 |
|
Line 628... |
Line 628... |
628 |
$DIR_DEST_BIN/alcasar-CA.sh
|
628 |
$DIR_DEST_BIN/alcasar-CA.sh
|
629 |
FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl*`
|
629 |
FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl*`
|
630 |
[ -e /etc/httpd/conf/vhosts-ssl.default ] || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
|
630 |
[ -e /etc/httpd/conf/vhosts-ssl.default ] || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
|
631 |
$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
|
631 |
$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
|
632 |
$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
|
632 |
$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
|
633 |
$SED "s^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
|
633 |
$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
|
634 |
chown -R root:apache /etc/pki
|
634 |
chown -R root:apache /etc/pki
|
635 |
chmod -R 750 /etc/pki
|
635 |
chmod -R 750 /etc/pki
|
636 |
} # End AC ()
|
636 |
} # End AC ()
|
637 |
|
637 |
|
638 |
##########################################################################################
|
638 |
##########################################################################################
|
Line 1303... |
Line 1303... |
1303 |
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
|
1303 |
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
|
1304 |
# ignorer les erreurs ICMP bogus
|
1304 |
# ignorer les erreurs ICMP bogus
|
1305 |
$SED "s?^ACCEPT_BOGUS_ERROR_RESPONSES=.*?ACCEPT_BOGUS_ERROR_RESPONSES=no?g" /etc/security/msec/level.fileserver
|
1305 |
$SED "s?^ACCEPT_BOGUS_ERROR_RESPONSES=.*?ACCEPT_BOGUS_ERROR_RESPONSES=no?g" /etc/security/msec/level.fileserver
|
1306 |
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
|
1306 |
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
|
1307 |
# désactiver l'envoi et la réponse aux ICMP redirects
|
1307 |
# désactiver l'envoi et la réponse aux ICMP redirects
|
- |
|
1308 |
sysctl -w net.ipv4.conf.all.accept_redirects=0
|
1308 |
accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l`
|
1309 |
accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l`
|
1309 |
if [ "$accept_redirect" == "0" ]
|
1310 |
if [ "$accept_redirect" == "0" ]
|
1310 |
then
|
1311 |
then
|
1311 |
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
|
1312 |
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
|
- |
|
1313 |
else
|
- |
|
1314 |
$SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf
|
1312 |
fi
|
1315 |
fi
|
- |
|
1316 |
sysctl -w net.ipv4.conf.all.send_redirects=0
|
1313 |
send_redirect=`grep send_redirect /etc/sysctl.conf|wc -l`
|
1317 |
send_redirect=`grep send_redirect /etc/sysctl.conf|wc -l`
|
1314 |
if [ "$send_redirect" == "0" ]
|
1318 |
if [ "$send_redirect" == "0" ]
|
1315 |
then
|
1319 |
then
|
1316 |
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
|
1320 |
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
|
- |
|
1321 |
else
|
- |
|
1322 |
$SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf
|
1317 |
fi
|
1323 |
fi
|
1318 |
$SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf
|
- |
|
1319 |
$SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf
|
- |
|
1320 |
sysctl -w net.ipv4.conf.all.accept_redirects=0
|
- |
|
1321 |
sysctl -w net.ipv4.conf.all.send_redirects=0
|
- |
|
1322 |
# activer les SYN Cookies (attaque syn flood)
|
1324 |
# activer les SYN Cookies (attaque syn flood)
|
- |
|
1325 |
sysctl -w net.ipv4.tcp_syncookies=1
|
1323 |
tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf|wc -l`
|
1326 |
tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf|wc -l`
|
1324 |
if [ "$tcp_syncookies" == "0" ]
|
1327 |
if [ "$tcp_syncookies" == "0" ]
|
1325 |
then
|
1328 |
then
|
1326 |
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
|
1329 |
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
|
- |
|
1330 |
else
|
- |
|
1331 |
$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf
|
1327 |
fi
|
1332 |
fi
|
1328 |
$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf
|
- |
|
1329 |
sysctl -w net.ipv4.tcp_syncookies=1
|
- |
|
1330 |
# activer l'antispoofing niveau Noyau
|
1333 |
# activer l'antispoofing niveau Noyau
|
1331 |
$SED "s?^ENABLE_IP_SPOOFING_PROTECTION.*?ENABLE_IP_SPOOFING_PROTECTION=yes?g" /etc/security/msec/level.fileserver
|
1334 |
$SED "s?^ENABLE_IP_SPOOFING_PROTECTION.*?ENABLE_IP_SPOOFING_PROTECTION=yes?g" /etc/security/msec/level.fileserver
|
1332 |
sysctl -w net.ipv4.conf.all.rp_filter=1
|
1335 |
sysctl -w net.ipv4.conf.all.rp_filter=1
|
1333 |
# ignorer le source routing
|
1336 |
# ignorer le source routing
|
- |
|
1337 |
sysctl -w net.ipv4.conf.all.accept_source_route=0
|
1334 |
accept_source_route=`grep accept_source_route /etc/sysctl.conf|wc -l`
|
1338 |
accept_source_route=`grep accept_source_route /etc/sysctl.conf|wc -l`
|
1335 |
if [ "$accept_source_route" == "0" ]
|
1339 |
if [ "$accept_source_route" == "0" ]
|
1336 |
then
|
1340 |
then
|
1337 |
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
|
1341 |
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
|
- |
|
1342 |
else
|
- |
|
1343 |
$SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf
|
1338 |
fi
|
1344 |
fi
|
1339 |
$SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf
|
1345 |
# réglage du timer de maintien de suivi de session à 1h (3600s) au lieu de 5 semaines
|
1340 |
sysctl -w net.ipv4.conf.all.accept_source_route=0
|
1346 |
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
|
- |
|
1347 |
timeout_established=`grep timeout_established /etc/sysctl.conf|wc -l`
|
- |
|
1348 |
if [ "$timeout_established" == "0" ]
|
- |
|
1349 |
then
|
- |
|
1350 |
echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf
|
- |
|
1351 |
else
|
- |
|
1352 |
$SED "s?timeout_established.*?itimeout_established = 3600?g" /etc/sysctl.conf
|
- |
|
1353 |
fi
|
1341 |
# On supprime les log_martians (ALCASAR est souvent entre deux réseaux dont les plans d'adressage sont de type 'privée')
|
1354 |
# suppression des log_martians (ALCASAR est souvent entre deux réseaux en adressage privée)
|
1342 |
sysctl -w net.ipv4.conf.all.log_martians=0
|
1355 |
sysctl -w net.ipv4.conf.all.log_martians=0
|
1343 |
$SED "s?^ENABLE_LOG_STRANGE_PACKETS=.*?ENABLE_LOG_STRANGE_PACKETS=no?g" /etc/security/msec/level.fileserver
|
1356 |
$SED "s?^ENABLE_LOG_STRANGE_PACKETS=.*?ENABLE_LOG_STRANGE_PACKETS=no?g" /etc/security/msec/level.fileserver
|
1344 |
|
1357 |
|
1345 |
# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
|
1358 |
# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
|
1346 |
$SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
|
1359 |
$SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
|
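Review bot: The new else branch at line 1352 writes the key with a typo, `itimeout_established`, so on a host whose /etc/sysctl.conf already has the entry the line becomes `net.netfilter.nf_conntrack_tcp_itimeout_established = 3600`, which is not a valid sysctl key, and because `grep timeout_established` still matches the mangled line every later run takes this branch again and never repairs it. The replacement should read `$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf`. The same count-with-grep-then-sed pattern in the other new else branches (accept_redirects, send_redirects, tcp_syncookies, accept_source_route) matches the name as a substring anywhere on a line, so a commented-out entry or a per-interface key such as `net.ipv4.conf.default.accept_redirects`, if present, would be counted and rewritten as well; anchoring the patterns on the full key name would make the edit safer, though whether such entries exist on target hosts is not visible here. The enclosing function starts before this hunk and the hunk appears to continue past the end of this view.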