WebSVN – ALCASAR – Diff – /alcasar.sh



#!/bin/bash
#  $Id: alcasar.sh 793 2012-01-16 22:31:32Z richard $ 
 
# alcasar.sh
# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
# This script is distributed under the Gnu General Public License (GPL)
 

IPV6TO4INIT=no
ACCOUNTING=no
USERCTL=no
EOF
# Configuration de l'interface eth1 (réseau de consultation)
# utile uniquement pour le mode bypass (cf. alcasar-bypass.sh)
	rm -f /etc/sysconfig/network-scripts/ifcfg-$INTIF
	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
DEVICE=$INTIF
BOOTPROTO=static
IPADDR=$PRIVATE_IP
NETMASK=$PRIVATE_NETMASK
ONBOOT=yes

radiusauthport	1812
radiusacctport	1813
uamserver	https://$HOSTNAME/intercept.php
radiusnasid	$HOSTNAME
uamsecret	$secretuam
uamallowed	alcasar
coaport		3799
include		$DIR_DEST_ETC/alcasar-uamallowed
include		$DIR_DEST_ETC/alcasar-uamdomain
include		$DIR_DEST_ETC/alcasar-macallowed
EOF

	cp /etc/mandriva-release /etc/ssh/alcasar-banner-ssh
	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
	[ -e /etc/ssh/sshd_config.default ] || cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
# postfix banner anonymisation
	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
# sshd écoute côté LAN et WAN
	$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
	$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config 
	# Put the default value in conf file (sshd, QOS and protocols/dns/ext_LAN filtering are off)(web antivirus is on)
	/sbin/chkconfig --del sshd

	$SED "s?^# Should-Stop.*?# Should-Stop: radiusd ldap?g" /etc/init.d/httpd
# On affecte le niveau de sécurité du système : type "fileserver"
	$SED "s?BASE_LEVEL=.*?BASE_LEVEL=fileserver?g" /etc/security/msec/security.conf
# On supprime la vérification du mode promiscious des interfaces réseaux ( nombreuses alertes sur eth1 dûes à Tun0 )
	$SED "s?CHECK_PROMISC=.*?CHECK_PROMISC=no?g" /etc/security/msec/level.fileserver
 
# On applique les préconisations ANSSI (sysctl + msec quand c'est possible)
# Apply French Security Agency rules (sysctl + msec when possible)
# ignorer les broadcast ICMP. (attaque smurf) 
$SED "s?^ACCEPT_BROADCASTED_ICMP_ECHO=.*?ACCEPT_BROADCASTED_ICMP_ECHO=no?g" /etc/security/msec/level.fileserver
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1

timeout_established=`grep timeout_established /etc/sysctl.conf|wc -l`
	if [ "$timeout_established" == "0" ]
	then
		echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf
	else
		$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf
	fi
# suppression des log_martians (ALCASAR est souvent entre deux réseaux en adressage privée) 
sysctl -w net.ipv4.conf.all.log_martians=0
$SED "s?^ENABLE_LOG_STRANGE_PACKETS=.*?ENABLE_LOG_STRANGE_PACKETS=no?g" /etc/security/msec/level.fileserver
 
 
# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
	$SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
# On mets en place la sécurité sur les fichiers
# des modif par rapport à radius update
	cat <<EOF > /etc/security/msec/perm.local

	$SED "s?^6.*?#&?g" /etc/inittab
# On limite le temps d'attente de grub (3s) et on change la résolution d'écran
$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
$SED "s?^kernel.*?& vga=791?g" /boot/grub/menu.lst
# On supprime les services et les utilisateurs inutiles
for svc in alsa sound dm atd bootlogd stop-bootlogd
do
	/sbin/chkconfig --del $svc
done
for rm_users in avahi-autoipd avahi icapd
do

Rev 790	Rev 793
Line 1...	Line 1...
1	`#!/bin/bash`	1	`#!/bin/bash`
2	`# $Id: alcasar.sh 790 2012-01-12 23:23:59Z richard $`	2	`# $Id: alcasar.sh 793 2012-01-16 22:31:32Z richard $`
3		3
4	`# alcasar.sh`	4	`# alcasar.sh`
5	`# by Franck BOUIJOUX, Pascal LEVANT and Richard REY`	5	`# by Franck BOUIJOUX, Pascal LEVANT and Richard REY`
6	`# This script is distributed under the Gnu General Public License (GPL)`	6	`# This script is distributed under the Gnu General Public License (GPL)`
7		7
Line 394...	Line 394...
394	`IPV6TO4INIT=no`	394	`IPV6TO4INIT=no`
395	`ACCOUNTING=no`	395	`ACCOUNTING=no`
396	`USERCTL=no`	396	`USERCTL=no`
397	`EOF`	397	`EOF`
398	`# Configuration de l'interface eth1 (réseau de consultation)`	398	`# Configuration de l'interface eth1 (réseau de consultation)`
-		399	`# utile uniquement pour le mode bypass (cf. alcasar-bypass.sh)`
-		400	`rm -f /etc/sysconfig/network-scripts/ifcfg-$INTIF`
399	`cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF`	401	`cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF`
400	`DEVICE=$INTIF`	402	`DEVICE=$INTIF`
401	`BOOTPROTO=static`	403	`BOOTPROTO=static`
402	`IPADDR=$PRIVATE_IP`	404	`IPADDR=$PRIVATE_IP`
403	`NETMASK=$PRIVATE_NETMASK`	405	`NETMASK=$PRIVATE_NETMASK`
404	`ONBOOT=yes`	406	`ONBOOT=yes`
Line 846...	Line 848...
846	`radiusauthport 1812`	848	`radiusauthport 1812`
847	`radiusacctport 1813`	849	`radiusacctport 1813`
848	`uamserver https://$HOSTNAME/intercept.php`	850	`uamserver https://$HOSTNAME/intercept.php`
849	`radiusnasid $HOSTNAME`	851	`radiusnasid $HOSTNAME`
850	`uamsecret $secretuam`	852	`uamsecret $secretuam`
-		853	`uamallowed alcasar`
851	`coaport 3799`	854	`coaport 3799`
852	`include $DIR_DEST_ETC/alcasar-uamallowed`	855	`include $DIR_DEST_ETC/alcasar-uamallowed`
853	`include $DIR_DEST_ETC/alcasar-uamdomain`	856	`include $DIR_DEST_ETC/alcasar-uamdomain`
854	`include $DIR_DEST_ETC/alcasar-macallowed`	857	`include $DIR_DEST_ETC/alcasar-macallowed`
855	`EOF`	858	`EOF`
Line 1294...	Line 1297...
1294	`cp /etc/mandriva-release /etc/ssh/alcasar-banner-ssh`	1297	`cp /etc/mandriva-release /etc/ssh/alcasar-banner-ssh`
1295	`chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh`	1298	`chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh`
1296	`[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default`	1299	`[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default`
1297	`$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config`	1300	`$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config`
1298	`$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config`	1301	`$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config`
-		1302	`# postfix banner anonymisation`
-		1303	`$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf`
1299	`# sshd écoute côté LAN et WAN`	1304	`# sshd écoute côté LAN et WAN`
1300	`$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config`	1305	`$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config`
1301	`$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config`	1306	`$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config`
1302	`# Put the default value in conf file (sshd, QOS and protocols/dns/ext_LAN filtering are off)(web antivirus is on)`	1307	`# Put the default value in conf file (sshd, QOS and protocols/dns/ext_LAN filtering are off)(web antivirus is on)`
1303	`/sbin/chkconfig --del sshd`	1308	`/sbin/chkconfig --del sshd`
Line 1342...	Line 1347...
1342	`$SED "s?^# Should-Stop.*?# Should-Stop: radiusd ldap?g" /etc/init.d/httpd`	1347	`$SED "s?^# Should-Stop.*?# Should-Stop: radiusd ldap?g" /etc/init.d/httpd`
1343	`# On affecte le niveau de sécurité du système : type "fileserver"`	1348	`# On affecte le niveau de sécurité du système : type "fileserver"`
1344	`$SED "s?BASE_LEVEL=.*?BASE_LEVEL=fileserver?g" /etc/security/msec/security.conf`	1349	`$SED "s?BASE_LEVEL=.*?BASE_LEVEL=fileserver?g" /etc/security/msec/security.conf`
1345	`# On supprime la vérification du mode promiscious des interfaces réseaux ( nombreuses alertes sur eth1 dûes à Tun0 )`	1350	`# On supprime la vérification du mode promiscious des interfaces réseaux ( nombreuses alertes sur eth1 dûes à Tun0 )`
1346	`$SED "s?CHECK_PROMISC=.*?CHECK_PROMISC=no?g" /etc/security/msec/level.fileserver`	1351	`$SED "s?CHECK_PROMISC=.*?CHECK_PROMISC=no?g" /etc/security/msec/level.fileserver`
1347		-
1348	`# On applique les préconisations ANSSI (sysctl + msec quand c'est possible)`	1352	`# On applique les préconisations ANSSI (sysctl + msec quand c'est possible)`
1349	`# Apply French Security Agency rules (sysctl + msec when possible)`	1353	`# Apply French Security Agency rules (sysctl + msec when possible)`
1350	`# ignorer les broadcast ICMP. (attaque smurf)`	1354	`# ignorer les broadcast ICMP. (attaque smurf)`
1351	`$SED "s?^ACCEPT_BROADCASTED_ICMP_ECHO=.*?ACCEPT_BROADCASTED_ICMP_ECHO=no?g" /etc/security/msec/level.fileserver`	1355	`$SED "s?^ACCEPT_BROADCASTED_ICMP_ECHO=.*?ACCEPT_BROADCASTED_ICMP_ECHO=no?g" /etc/security/msec/level.fileserver`
1352	`sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1`	1356	`sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1`
Line 1396...	Line 1400...
1396	timeout_established=`grep timeout_established /etc/sysctl.conf\|wc -l`	1400	timeout_established=`grep timeout_established /etc/sysctl.conf\|wc -l`
1397	`if [ "$timeout_established" == "0" ]`	1401	`if [ "$timeout_established" == "0" ]`
1398	`then`	1402	`then`
1399	`echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf`	1403	`echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf`
1400	`else`	1404	`else`
1401	`$SED "s?timeout_established.*?itimeout_established = 3600?g" /etc/sysctl.conf`	1405	`$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf`
1402	`fi`	1406	`fi`
1403	`# suppression des log_martians (ALCASAR est souvent entre deux réseaux en adressage privée)`	1407	`# suppression des log_martians (ALCASAR est souvent entre deux réseaux en adressage privée)`
1404	`sysctl -w net.ipv4.conf.all.log_martians=0`	1408	`sysctl -w net.ipv4.conf.all.log_martians=0`
1405	`$SED "s?^ENABLE_LOG_STRANGE_PACKETS=.*?ENABLE_LOG_STRANGE_PACKETS=no?g" /etc/security/msec/level.fileserver`	1409	`$SED "s?^ENABLE_LOG_STRANGE_PACKETS=.*?ENABLE_LOG_STRANGE_PACKETS=no?g" /etc/security/msec/level.fileserver`
1406		1410
-		1411
1407	`# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys`	1412	`# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys`
1408	`$SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver`	1413	`$SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver`
1409	`# On mets en place la sécurité sur les fichiers`	1414	`# On mets en place la sécurité sur les fichiers`
1410	`# des modif par rapport à radius update`	1415	`# des modif par rapport à radius update`
1411	`cat <<EOF > /etc/security/msec/perm.local`	1416	`cat <<EOF > /etc/security/msec/perm.local`
Line 1437...	Line 1442...
1437	`$SED "s?^6.*?#&?g" /etc/inittab`	1442	`$SED "s?^6.*?#&?g" /etc/inittab`
1438	`# On limite le temps d'attente de grub (3s) et on change la résolution d'écran`	1443	`# On limite le temps d'attente de grub (3s) et on change la résolution d'écran`
1439	`$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst`	1444	`$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst`
1440	`$SED "s?^kernel.*?& vga=791?g" /boot/grub/menu.lst`	1445	`$SED "s?^kernel.*?& vga=791?g" /boot/grub/menu.lst`
1441	`# On supprime les services et les utilisateurs inutiles`	1446	`# On supprime les services et les utilisateurs inutiles`
1442	`for svc in alsa sound dm atd netfs bootlogd stop-bootlogd`	1447	`for svc in alsa sound dm atd bootlogd stop-bootlogd`
1443	`do`	1448	`do`
1444	`/sbin/chkconfig --del $svc`	1449	`/sbin/chkconfig --del $svc`
1445	`done`	1450	`done`
1446	`for rm_users in avahi-autoipd avahi icapd`	1451	`for rm_users in avahi-autoipd avahi icapd`
1447	`do`	1452	`do`

Subversion Repositories ALCASAR

(root)/alcasar.sh – Rev 790 → 793