630,7 → 630,7 |
[ -e /etc/httpd/conf/vhosts-ssl.default ] || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default |
$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL |
$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL |
$SED "s^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL |
$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL |
chown -R root:apache /etc/pki |
chmod -R 750 /etc/pki |
} # End AC () |
1305,40 → 1305,53 |
$SED "s?^ACCEPT_BOGUS_ERROR_RESPONSES=.*?ACCEPT_BOGUS_ERROR_RESPONSES=no?g" /etc/security/msec/level.fileserver |
sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 |
# désactiver l'envoi et la réponse aux ICMP redirects |
sysctl -w net.ipv4.conf.all.accept_redirects=0 |
accept_redirect=`grep accept_redirect /etc/sysctl.conf|wc -l` |
if [ "$accept_redirect" == "0" ] |
then |
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf |
echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf |
else |
$SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf |
fi |
sysctl -w net.ipv4.conf.all.send_redirects=0 |
send_redirect=`grep send_redirect /etc/sysctl.conf|wc -l` |
if [ "$send_redirect" == "0" ] |
then |
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf |
echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf |
else |
$SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf |
fi |
$SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf |
$SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf |
sysctl -w net.ipv4.conf.all.accept_redirects=0 |
sysctl -w net.ipv4.conf.all.send_redirects=0 |
# activer les SYN Cookies (attaque syn flood) |
sysctl -w net.ipv4.tcp_syncookies=1 |
tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf|wc -l` |
if [ "$tcp_syncookies" == "0" ] |
then |
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf |
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf |
else |
$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf |
fi |
$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf |
sysctl -w net.ipv4.tcp_syncookies=1 |
# activer l'antispoofing niveau Noyau |
$SED "s?^ENABLE_IP_SPOOFING_PROTECTION.*?ENABLE_IP_SPOOFING_PROTECTION=yes?g" /etc/security/msec/level.fileserver |
sysctl -w net.ipv4.conf.all.rp_filter=1 |
# ignorer le source routing |
sysctl -w net.ipv4.conf.all.accept_source_route=0 |
accept_source_route=`grep accept_source_route /etc/sysctl.conf|wc -l` |
if [ "$accept_source_route" == "0" ] |
then |
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf |
echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf |
else |
$SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf |
fi |
$SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf |
sysctl -w net.ipv4.conf.all.accept_source_route=0 |
# On supprime les log_martians (ALCASAR est souvent entre deux réseaux dont les plans d'adressage sont de type 'privée') |
# réglage du timer de maintien de suivi de session à 1h (3600s) au lieu de 5 semaines |
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600 |
timeout_established=`grep timeout_established /etc/sysctl.conf|wc -l` |
if [ "$timeout_established" == "0" ] |
then |
echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf |
else |
$SED "s?timeout_established.*?itimeout_established = 3600?g" /etc/sysctl.conf |
fi |
# suppression des log_martians (ALCASAR est souvent entre deux réseaux en adressage privée) |
sysctl -w net.ipv4.conf.all.log_martians=0 |
$SED "s?^ENABLE_LOG_STRANGE_PACKETS=.*?ENABLE_LOG_STRANGE_PACKETS=no?g" /etc/security/msec/level.fileserver |
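Review bot: The else branch of the timeout_established block rewrites the key as `itimeout_established`, so an existing `net.netfilter.nf_conntrack_tcp_timeout_established` line becomes an unknown sysctl key and the 3600 s timeout is silently lost at the next boot; it should read `$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf`. The presence checks for accept_redirects, send_redirects, tcp_syncookies and accept_source_route count any line containing the token, including commented-out or per-interface entries, so the sed branch can edit a comment instead of appending an active setting; anchoring on the full key, e.g. `grep -q '^net.ipv4.conf.all.accept_redirects' /etc/sysctl.conf`, makes the test reliable and also replaces the backtick `grep | wc -l` idiom. The `echo … >> /etc/sysctl.conf` line of each of those four blocks appears twice here; if that is not a rendering artifact of old/new lines, the setting is appended twice on a fresh install. The enclosing function starts before and continues after this hunk.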
|