WebSVN – ALCASAR – Diff – /alcasar.sh

 #!/bin/bash
-#  $Id: alcasar.sh 786 2012-01-02 22:50:31Z richard $
+#  $Id: alcasar.sh 790 2012-01-12 23:23:59Z richard $
 # alcasar.sh
 # by Franck BOUIJOUX, Pascal LEVANT and Richard REY
 # This script is distributed under the Gnu General Public License (GPL)
 	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default
 	cat <<EOF > /etc/hosts.deny
 ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
 EOF
 # Firewall config
-$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh  $DIR_DEST_BIN/alcasar-iptables-bypass.sh
+	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh  $DIR_DEST_BIN/alcasar-iptables-bypass.sh
-$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh  $DIR_DEST_BIN/alcasar-iptables-bypass.sh
+	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh  $DIR_DEST_BIN/alcasar-iptables-bypass.sh
-chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
+	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
-# création du fichier d'exception au filtrage
+# create the filter exxeption file
-touch $DIR_DEST_ETC/alcasar-filter-exceptions
+	touch $DIR_DEST_ETC/alcasar-filter-exceptions
+# load conntrack ftp module
+	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default
+	echo "ip_conntrack_ftp" >>  /etc/modprobe.preload
 # le script $DIR_DEST_BIN/alcasar-iptables.sh est lancé à la fin (pour ne pas perturber une mise à jour via ssh)
 } # End of network ()
 ##################################################################
 ##			Fonction gestion			##
 ## - définition du 1er comptes de gestion 			##
 ## - sécurisation des accès					##
 ##################################################################
 gestion()
+{
-# Suppression des CGI et des pages WEB installés par défaut
-	rm -rf /var/www/cgi-bin/*
 	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
 	mkdir $DIR_WEB
 # Copie et configuration des fichiers du centre de gestion
 	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
 	echo "$VERSION du $DATE" > $DIR_WEB/VERSION
 	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
 	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
 	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
 	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
 # Configuration et sécurisation Apache
+	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
 	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
 	$SED "s?^#ServerName.*?ServerName $HOSTNAME?g" /etc/httpd/conf/httpd.conf
 	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
 	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
 	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
 	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
+	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
+	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
+	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
+	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
+	$SED "s?^LoadModule cgi_module.*?#LoadModule cgi_module modules/mod_cgi.so?g" /etc/httpd/conf/httpd.conf
+	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
+	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
 	FIC_MOD_SSL=`find /etc/httpd/modules.d/ -type f -name *mod_ssl.conf`
 	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" $FIC_MOD_SSL # On écoute en SSL que sur INTIF
 	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /var/www/error/include/top.html
 	[ -e /var/www/error/include/bottom.html.default ] || mv /var/www/error/include/bottom.html /var/www/error/include/bottom.html.default
 	cat <<EOF > /var/www/error/include/bottom.html
 	AuthName $HOSTNAME
 	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
 	AuthUserFile $DIR_DEST_ETC/digest/key_backup
 	ErrorDocument 404 https://$HOSTNAME/
 </Directory>
-Alias /save/ "$DIR_SAVE/"
-<Directory $DIR_SAVE>
-	SSLRequireSSL
-	Options Indexes
-	Order deny,allow
-	Deny from all
-	Allow from 127.0.0.1
-	Allow from $PRIVATE_NETWORK_MASK
-	require valid-user
-	AuthType digest
-	AuthName $HOSTNAME
-	AuthUserFile $DIR_DEST_ETC/digest/key_backup
-	ErrorDocument 404 https://$HOSTNAME/
-	ReadmeName	/readmeSave.html
-</Directory>
 EOF
 } # End of gestion ()
 ##########################################################################################
 ##				Fonction AC()						##
 	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
 	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
 # sshd écoute côté LAN et WAN
 	$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
 	$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
-# Put the default value in conf file (sshd, QOS, protocols filter and dns filter are off)(web antivirus is on)
+	# Put the default value in conf file (sshd, QOS and protocols/dns/ext_LAN filtering are off)(web antivirus is on)
 	/sbin/chkconfig --del sshd
 	echo "SSH=off" >> $CONF_FILE
 	echo 'Admin_from_IP="0.0.0.0/0.0.0.0"' >> $CONF_FILE
 	echo "QOS=off" >> $CONF_FILE
 	echo "LDAP=off" >> $CONF_FILE
 	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
 	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
+	echo "EXT_LAN_FILTERING=off" >> $CONF_FILE
 	echo "DNS_FILTERING=off" >> $CONF_FILE
 	echo "WEB_ANTIVIRUS=on" >> $CONF_FILE
 # Coloration des prompts
 	[ -e /etc/bashrc.default ]  || cp /etc/bashrc /etc/bashrc.default
 	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc

Subversion Repositories ALCASAR

(root)/alcasar.sh – Rev 786 → 790