#!/bin/bash #/** #@file security-config #@brief OpenGnsys Server security configuration. #@note Security configuration tipsx for UFW, FirewallD and SELinux. #@version 1.1.0 - Initial version. #@author Ramón M. Gómez, ETSII Univ. Sevilla #@date 2016-04-18 #*/ ## # Variables. PROG=$(basename "$0") OPENGNSYS=/opt/opengnsys # Errors control. if [ "$USER" != "root" ]; then echo "$PROG: Need to be root." >&2 exit 1 fi # UFW configuration. if which ufw &>/dev/null; then echo "Configuring UFW." # Adding active services. ufw allow "Apache Secure" ufw allow from 127.0.0.1/8 to any port mysql proto tcp # MySQL from the loopback ufw allow OpenSSH ufw allow Samba ufw allow rsync ufw allow tftp ufw allow 67,68/udp # DHCP ufw allow 2008,2009,2011/tcp # OpenGnsys services ufw allow 6881:6999/udp # BitTorrent ufw allow 9000/tcp # PHP-FPM ufw allow 9000:9101/udp # Multicast # Applying configuration. ufw enable # FirewallD configuration. elif which firewall-cmd &>/dev/null; then echo "Configuring FirewallD." # Defining services. python -c " import firewall.core.io.service as ios s=ios.Service() s.short = 'OpenGnsys Services' s.name = 'opengnsys' s.ports = [('2008', 'tcp'), ('2009', 'tcp'), ('2011', 'tcp')] ios.service_writer(s, '/etc/firewalld/services') s.name = 'php-fpm' s.ports = [('9000', 'tcp')] ios.service_writer(s, '/etc/firewalld/services')" # Adding active services. firewall-cmd --permanent --add-service=dhcp firewall-cmd --permanent --add-service=https firewall-cmd --permanent --add-service=mysql --zone internal firewall-cmd --permanent --add-service=opengnsys firewall-cmd --permanent --add-service=php-fpm # Ubuntu 14.04 does not define "rsyncd" service. firewall-cmd --permanent --add-service=rsyncd || \ firewall-cmd --permanent --add-port=873/tcp firewall-cmd --permanent --add-service=samba firewall-cmd --permanent --add-service=ssh firewall-cmd --permanent --add-service=tftp # Adding Multicast ports. firewall-cmd --permanent --add-port=9000-9051/udp # Adding BitTorent ports. firewall-cmd --permanent --add-port=6881-6999/udp # Applying configuration. firewall-cmd --reload else echo "$PROG: Warning: Firewall won't be configured (neither ufw or firewalld are installed)." fi # SELinux configuration. if which setsebool &>/dev/null; then if selinuxenabled; then echo "Configuring SELinux." # Configuring Apache. setsebool -P httpd_can_connect_ldap on semanage fcontext -at httpd_sys_content_t "$OPENGNSYS/www(/.*)?" # Configuring Samba. setsebool -P samba_export_all_ro=1 samba_export_all_rw=1 semanage fcontext -at samba_share_t "$OPENGNSYS/client(/.*)?" semanage fcontext -at samba_share_t "$OPENGNSYS/images(/.*)?" # Applying configuration. restorecon -R $OPENGNSYS else echo "$PROG: Warning: SELinux is disabled, it won't be configured." fi else echo "$PROG: Warning: SELinux won't be configured (policycoreutils is not installed)." fi