From 8e072b9aa5d9a472b7d05877880277a7b927f04a Mon Sep 17 00:00:00 2001
From: "Ramón M. Gómez"
Date: Wed, 6 Feb 2019 13:35:47 +0100
Subject: #736: Updating security policies: restrict MySQL access from loopback, add auxiliary ports, check if SELinux is enabled.
---
server/lib/security-config | 38 +++++++++++++++++++++-----------------
1 file changed, 21 insertions(+), 17 deletions(-)
(limited to 'server')
diff --git a/server/lib/security-config b/server/lib/security-config
index 11961758..c6f6fdfa 100755
--- a/server/lib/security-config
+++ b/server/lib/security-config
@@ -23,13 +23,13 @@ if which ufw &>/dev/null; then
echo "Configuring UFW."
# Adding active services.
ufw allow "Apache Secure"
+ ufw allow from 127.0.0.1/8 to any port mysql proto tcp # MySQL from the loopback
ufw allow OpenSSH
ufw allow Samba
- ufw allow mysql
ufw allow rsync
ufw allow tftp
ufw allow 67,68/udp # DHCP
- ufw allow 2008/tcp # OpenGnsys service
+ ufw allow 2008,2009,2011/tcp # OpenGnsys services
ufw allow 6881:6999/udp # BitTorrent
ufw allow 9000/tcp # PHP-FPM
ufw allow 9000:9051/udp # Multicast
@@ -42,9 +42,9 @@ elif which firewall-cmd &>/dev/null; then
python -c "
import firewall.core.io.service as ios
s=ios.Service()
-s.short = 'OpenGnsys Server'
-s.name = 'ogAdmServer'
-s.ports = [('2008', 'tcp')]
+s.short = 'OpenGnsys Services'
+s.name = 'opengnsys'
+s.ports = [('2008', 'tcp'), ('2009', 'tcp'), ('2011', 'tcp')]
ios.service_writer(s, '/etc/firewalld/services')
s.name = 'php-fpm'
s.ports = [('9000', 'tcp')]
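Review bot: The new `ufw allow from 127.0.0.1/8 to any port mysql proto tcp` rule does nothing by itself on a stock ufw install, whose before.rules already accept all traffic on the `lo` interface, so the effective change is only that the old world-open `ufw allow mysql` is gone — and the unchanged `ufw allow 9000/tcp # PHP-FPM` context line deserves exactly the same treatment, since a php-fpm FastCGI listener reachable from other hosts will typically execute PHP with an attacker-chosen SCRIPT_FILENAME. Either drop that allow entirely (the web server talks to php-fpm locally) or narrow it the same way: `ufw allow from 127.0.0.1/8 to any port 9000 proto tcp # PHP-FPM, loopback only`. A firewall rule is only one layer; as far as this hunk shows nothing sets MySQL's `bind-address` to 127.0.0.1, which should accompany this change. The enclosing `if which ufw` block starts before this hunk and continues past it.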
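Review bot: The OpenGnsys port list is now maintained in two places — `2008,2009,2011/tcp` in the ufw branch and `s.ports = [('2008', 'tcp'), ('2009', 'tcp'), ('2011', 'tcp')]` here — with nothing stating what 2009 and 2011 serve, so the next port added is likely to land in one branch only. Because the `python -c "…"` body is a double-quoted shell string, one definition near the top of the script, e.g. `OG_PORTS="2008 2009 2011"  # ogAdmServer plus the auxiliary services from #736 — TODO name them`, can feed both branches: `ufw allow "${OG_PORTS// /,}/tcp"` and `s.ports = [(p, 'tcp') for p in '$OG_PORTS'.split()]`. What 2009 and 2011 actually are is not visible in this hunk; whichever form is kept, the comment should say. The `python -c` command opens in this hunk and its closing quote lies outside it.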
@@ -52,9 +52,9 @@ ios.service_writer(s, '/etc/firewalld/services')"
# Adding active services.
firewall-cmd --permanent --add-service=dhcp
firewall-cmd --permanent --add-service=https
- firewall-cmd --permanent --add-service=php-fpm
firewall-cmd --permanent --add-service=mysql --zone internal
- firewall-cmd --permanent --add-service=ogAdmServer
+ firewall-cmd --permanent --add-service=opengnsys
+ firewall-cmd --permanent --add-service=php-fpm
# Ubuntu 14.04 does not define "rsyncd" service.
firewall-cmd --permanent --add-service=rsyncd || \
firewall-cmd --permanent --add-port=873/tcp
@@ -73,16 +73,20 @@ fi
# SELinux configuration.
if which setsebool &>/dev/null; then
- echo "Configuring SELinux."
- # Configuring Apache.
- setsebool -P httpd_can_connect_ldap on
- semanage fcontext -at httpd_sys_content_t "$OPENGNSYS/www(/.*)?"
- # Configuring Samba.
- setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
- semanage fcontext -at samba_share_t "$OPENGNSYS/client(/.*)?"
- semanage fcontext -at samba_share_t "$OPENGNSYS/images(/.*)?"
- # Applying configuration.
- restorecon -R $OPENGNSYS
+ if [ "$(getenforce)" != "Disabled" ]; then
+ echo "Configuring SELinux."
+ # Configuring Apache.
+ setsebool -P httpd_can_connect_ldap on
+ semanage fcontext -at httpd_sys_content_t "$OPENGNSYS/www(/.*)?"
+ # Configuring Samba.
+ setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
+ semanage fcontext -at samba_share_t "$OPENGNSYS/client(/.*)?"
+ semanage fcontext -at samba_share_t "$OPENGNSYS/images(/.*)?"
+ # Applying configuration.
+ restorecon -R $OPENGNSYS
+ else
+ echo "$PROG: Warning: SELinux is disabled, it won't be configured."
+ fi
else
echo "$PROG: Warning: SELinux won't be configured (policycoreutils is not installed)."
fi
-- cgit v1.2.3-18-g5258
From 6bd2e1e7ba1bb7f9911d95a3a4ed688b0cae1e58 Mon Sep 17 00:00:00 2001
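Review bot: The re-added `firewall-cmd --permanent --add-service=php-fpm` goes into the default zone, while the mysql service two lines above is confined to `--zone internal`, so the firewalld branch leaves FastCGI port 9000 reachable from every interface even though this same commit narrows MySQL for exactly that reason. If the web server reaches php-fpm locally the service should not be opened at all; otherwise apply the same restriction, `firewall-cmd --permanent --add-service=php-fpm --zone internal`. Separately, renaming the service from `ogAdmServer` to `opengnsys` never retires the old one on hosts that already ran the previous version of this script: the stale `/etc/firewalld/services/ogAdmServer.xml` remains and the zone keeps `ogAdmServer` enabled, so a `firewall-cmd --permanent --remove-service=ogAdmServer 2>/dev/null` plus removal of that XML belongs here. The surrounding `elif which firewall-cmd` block starts before this hunk and ends after it.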
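Review bot: The three `semanage fcontext -at …` lines moved into the new `if [ "$(getenforce)" != "Disabled" ]` branch are not re-runnable: `semanage fcontext -a` exits non-zero with "already defined" once the spec exists, and this script is meant to be run repeatedly (the follow-up commit points the installer at it), so a second run on an already-configured host prints errors for each spec. A tolerant form is `semanage fcontext -a -t httpd_sys_content_t "$OPENGNSYS/www(/.*)?" 2>/dev/null || semanage fcontext -m -t httpd_sys_content_t "$OPENGNSYS/www(/.*)?"`, applied likewise to the two `samba_share_t` specs. `restorecon -R $OPENGNSYS` should also quote its argument, `restorecon -R "$OPENGNSYS"`, as the semanage lines already do. Note too that `samba_export_all_rw=1` lets smbd write files of any type regardless of label, which makes the `samba_share_t` labelling of `client` and `images` largely moot; if those are the only shares needed, dropping that boolean is the least-privilege choice. The enclosing `if which setsebool` block closes inside this hunk, but the script continues beyond it.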
From: "Ramón M. Gómez"
Date: Thu, 7 Feb 2019 12:04:07 +0100
Subject: #736: Installer script no longer disables firewall or SELinux, and recommends using {{{security-config}}} script.
---
server/lib/security-config | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'server')
diff --git a/server/lib/security-config b/server/lib/security-config
index c6f6fdfa..76870b12 100755
--- a/server/lib/security-config
+++ b/server/lib/security-config
@@ -73,7 +73,7 @@ fi
# SELinux configuration.
if which setsebool &>/dev/null; then
- if [ "$(getenforce)" != "Disabled" ]; then
+ if selinuxenabled; then
echo "Configuring SELinux."
# Configuring Apache.
setsebool -P httpd_can_connect_ldap on
-- cgit v1.2.3-18-g5258
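Review bot: `if selinuxenabled; then` settles the SELinux state, but the branch it guards still runs `semanage`, which the outer `which setsebool` test does not prove is installed — on RHEL/CentOS 7, for instance, `setsebool` ships in policycoreutils while `semanage` comes from policycoreutils-python — so a minimal host passes both guards and then fails at the first `semanage fcontext` line. Widening the outer test to `if which setsebool semanage &>/dev/null; then` fixes that (both GNU and Debian `which` exit non-zero when any name is missing) and keeps the existing "policycoreutils is not installed" warning meaningful; `command -v` would be the portable spelling if the file ever drops its reliance on `which`. The `if which setsebool` block starts in this hunk and ends outside it.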