1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
|
#!/bin/bash
#/**
#@file security-config
#@brief OpenGnsys Server security configuration.
#@note Security configuration tipsx for UFW, FirewallD and SELinux.
#@version 1.1.0 - Initial version.
#@author Ramón M. Gómez, ETSII Univ. Sevilla
#@date 2016-04-18
#*/ ##
# Variables.
PROG=$(basename "$0")
OPENGNSYS=/opt/opengnsys
# Errors control.
if [ "$USER" != "root" ]; then
echo "$PROG: Need to be root." >&2
exit 1
fi
# UFW configuration.
if which ufw &>/dev/null; then
echo "Configuring UFW."
# Adding active services.
ufw allow "Apache Secure"
ufw allow from 127.0.0.1/8 to any port mysql proto tcp # MySQL from the loopback
ufw allow OpenSSH
ufw allow Samba
ufw allow rsync
ufw allow tftp
ufw allow 67,68/udp # DHCP
ufw allow 2008,2009,2011/tcp # OpenGnsys services
ufw allow 6881:6999/udp # BitTorrent
ufw allow 9000/tcp # PHP-FPM
ufw allow 9000:9051/udp # Multicast
# Applying configuration.
ufw enable
# FirewallD configuration.
elif which firewall-cmd &>/dev/null; then
echo "Configuring FirewallD."
# Defining services.
python -c "
import firewall.core.io.service as ios
s=ios.Service()
s.short = 'OpenGnsys Services'
s.name = 'opengnsys'
s.ports = [('2008', 'tcp'), ('2009', 'tcp'), ('2011', 'tcp')]
ios.service_writer(s, '/etc/firewalld/services')
s.name = 'php-fpm'
s.ports = [('9000', 'tcp')]
ios.service_writer(s, '/etc/firewalld/services')"
# Adding active services.
firewall-cmd --permanent --add-service=dhcp
firewall-cmd --permanent --add-service=https
firewall-cmd --permanent --add-service=mysql --zone internal
firewall-cmd --permanent --add-service=opengnsys
firewall-cmd --permanent --add-service=php-fpm
# Ubuntu 14.04 does not define "rsyncd" service.
firewall-cmd --permanent --add-service=rsyncd || \
firewall-cmd --permanent --add-port=873/tcp
firewall-cmd --permanent --add-service=samba
firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --add-service=tftp
# Adding Multicast ports.
firewall-cmd --permanent --add-port=9000-9051/udp
# Adding BitTorent ports.
firewall-cmd --permanent --add-port=6881-6999/udp
# Applying configuration.
firewall-cmd --reload
else
echo "$PROG: Warning: Firewall won't be configured (neither ufw or firewalld are installed)."
fi
# SELinux configuration.
if which setsebool &>/dev/null; then
if selinuxenabled; then
echo "Configuring SELinux."
# Configuring Apache.
setsebool -P httpd_can_connect_ldap on
semanage fcontext -at httpd_sys_content_t "$OPENGNSYS/www(/.*)?"
# Configuring Samba.
setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
semanage fcontext -at samba_share_t "$OPENGNSYS/client(/.*)?"
semanage fcontext -at samba_share_t "$OPENGNSYS/images(/.*)?"
# Applying configuration.
restorecon -R $OPENGNSYS
else
echo "$PROG: Warning: SELinux is disabled, it won't be configured."
fi
else
echo "$PROG: Warning: SELinux won't be configured (policycoreutils is not installed)."
fi
|