Subversion Repositories ALCASAR

Rev

Rev 3190 | Rev 3192 | Go to most recent revision | Show entire file | Ignore whitespace | Details | Blame | Last modification | View Log

Rev 3190 Rev 3191
Line 1... Line 1...
1 
#!/bin/bash
 1 
#!/bin/bash
2 
#  $Id: alcasar.sh 3190 2024-04-07 22:35:03Z rexy $
 2 
#  $Id: alcasar.sh 3191 2024-04-14 22:31:49Z rexy $
3 
 
 3 
 
4 
# ALCASAR is a Free and open source NAC (Network Access Controler) created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
 4 
# ALCASAR is a Free and open source NAC (Network Access Controler) created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
5 
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, lighttpd, php, netfilter, e2guardian, ntpd, openssl, unbound, gammu, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump
 5 
# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares Coovachilli, freeradius, mariaDB, lighttpd, php, netfilter, e2guardian, ntpd, openssl, unbound, gammu, Ulog, fail2ban, vnstat, wkhtml2pdf, ipt_NETFLOW, NFsen and NFdump
6 
# contact : info@alcasar.net
 6 
# contact : info@alcasar.net
7 
 
 7 
 
Line 847... Line 847...
847 
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
 847 
	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
848 
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
 848 
	$SED "s?^allow_url_fopen.*?allow_url_fopen = Off?" /etc/php.ini
849 
# Configuring & securing Lighttpd
 849 
# Configuring & securing Lighttpd
850 
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
 850 
	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
851 
	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
 851 
	[ -e /etc/lighttpd/lighttpd.conf.default ] || cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.default
852 
	$SED "s?^server\.use-ipv6.*?server\.use-ipv6 = \"disable\"?g" /etc/lighttpd/lighttpd.conf
 - 
 
853 
	$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
 852 
	$SED "s?^#server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
854 
	$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
 853 
	$SED "s?^server\.bind.*?server\.bind = \"$PRIVATE_IP\"?g" /etc/lighttpd/lighttpd.conf
855 
	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
 854 
	$SED "s?^#server\.tag.*?server\.tag = \"\"?g" /etc/lighttpd/lighttpd.conf
856 
	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
 855 
	echo "include \"vhosts.d/alcasar.conf\"" >> /etc/lighttpd/lighttpd.conf
857 
 
 856 
 
Line 859... Line 858...
859 
	$SED "s?^#[ ]*\"mod_auth\",.*?\"mod_auth\",?g" /etc/lighttpd/modules.conf
 858 
	$SED "s?^#[ ]*\"mod_auth\",.*?\"mod_auth\",?g" /etc/lighttpd/modules.conf
860 
	$SED "s?^#[ ]*\"mod_authn_file\",.*?\"mod_authn_file\",?g" /etc/lighttpd/modules.conf
 859 
	$SED "s?^#[ ]*\"mod_authn_file\",.*?\"mod_authn_file\",?g" /etc/lighttpd/modules.conf
861 
	$SED "s?^#[ ]*\"mod_alias\",.*?\"mod_alias\",?g" /etc/lighttpd/modules.conf
 860 
	$SED "s?^#[ ]*\"mod_alias\",.*?\"mod_alias\",?g" /etc/lighttpd/modules.conf
862 
	$SED "s?^#[ ]*\"mod_redirect\",.*?\"mod_redirect\",?g" /etc/lighttpd/modules.conf
 861 
	$SED "s?^#[ ]*\"mod_redirect\",.*?\"mod_redirect\",?g" /etc/lighttpd/modules.conf
863 
	$SED "/^[ ]*\"mod_redirect\",/a\"mod_openssl\"," /etc/lighttpd/modules.conf
 862 
	$SED "/^[ ]*\"mod_redirect\",/a\"mod_openssl\"," /etc/lighttpd/modules.conf
864 
	$SED "s?^#include \"conf.d/fastcgi.conf\".*?include \"conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
 863 
	$SED "s?^#include conf_dir + \"/conf.d/fastcgi.conf\".*?include conf_dir + \"/conf.d/fastcgi.conf\"?g" /etc/lighttpd/modules.conf
865 
 
 864 
 
866 
	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
 865 
	[ -e /etc/lighttpd/conf.d/fastcgi.conf.default ] || cp /etc/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf.default
867 
	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
 866 
	cp $DIR_CONF/lighttpd/conf.d/fastcgi.conf /etc/lighttpd/conf.d/fastcgi.conf
868 
 
 867 
 
869 
	[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
 868 
	[ -e /etc/php-fpm.conf.default ] || cp /etc/php-fpm.conf /etc/php-fpm.conf.default
Line 918... Line 917...
918 
##                     "time_server"                       ##
 917 
##                     "time_server"                       ##
919 
## - Configuring NTP server                                ##
 918 
## - Configuring NTP server                                ##
920 
#############################################################
 919 
#############################################################
921 
time_server()
 920 
time_server()
922 
{
 921 
{
923 
# Set the Internet time server
 - 
 
924 
	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
 - 
 
925 
	cat <<EOF > /etc/ntp/step-tickers
 - 
 
926 
0.fr.pool.ntp.org	# adapt to your country
 - 
 
927 
1.fr.pool.ntp.org
 - 
 
928 
2.fr.pool.ntp.org
 - 
 
929 
EOF
 - 
 
930 
	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default
 - 
 
931 
	cat <<EOF > /etc/ntp.conf
 - 
 
932 
server 0.fr.pool.ntp.org	# adapt to your country
 - 
 
933 
server 1.fr.pool.ntp.org
 - 
 
934 
server 2.fr.pool.ntp.org
 - 
 
935 
server 127.127.1.0   		# local clock si NTP internet indisponible ...
 - 
 
936 
fudge 127.127.1.0 stratum 10
 - 
 
937 
restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
 - 
 
938 
restrict 127.0.0.1
 - 
 
939 
driftfile /var/lib/ntp/drift
 - 
 
940 
logfile /var/log/ntp.log
 - 
 
941 
disable monitor
 - 
 
942 
EOF
 - 
 
943 
	chown -R ntp:ntp /var/lib/ntp
 - 
 
944 
# Synchronize now
 922 
# Synchronize now
945 
	ntpd -4 -q -g &
 923 
	ntpdate pool.ntp.org &
946 
} # End of time_server()
 924 
} # End of time_server()
947 
 
 925 
 
948 
#####################################################################
 926 
#####################################################################
949 
##                           "init_db"                             ##
 927 
##                           "init_db"                             ##
950 
## - Mysql initialization                                          ##
 928 
## - Mysql initialization                                          ##
Line 1816... Line 1794...
1816 
########################################################################
 1794 
########################################################################
1817 
fail2ban()
 1795 
fail2ban()
1818 
{
 1796 
{
1819 
# adapt fail2ban to Mageia (fedora like) & ALCASAR behaviour
 1797 
# adapt fail2ban to Mageia (fedora like) & ALCASAR behaviour
1820 
	[ -e /etc/fail2ban/jail.conf.default ] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default
 1798 
	[ -e /etc/fail2ban/jail.conf.default ] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default
1821 
	$SED "s?^before =.*?before = paths-fedora.conf?g" /etc/fail2ban/jail.conf
 1799 
	$SED "s?^before =.*?before = paths-mageia.conf?g" /etc/fail2ban/jail.conf
1822 
 
 1800 
 
1823 
# add 5 jails and their filters
 1801 
# add 5 jails and their filters
1824 
## sshd : Ban after 3 failed attempts (ie. brute-force). This "jail" uses the default "sshd" f2b filter.
 1802 
## sshd : Ban after 3 failed attempts (ie. brute-force). This "jail" uses the default "sshd" f2b filter.
1825 
	cat << EOF > /etc/fail2ban/jail.d/01-alcasar_sshd.conf
 1803 
	cat << EOF > /etc/fail2ban/jail.d/01-alcasar_sshd.conf
1826 
[sshd]
 1804 
[sshd]