summaryrefslogtreecommitdiffstats
path: root/server/lib/security-config
blob: 76870b128d860ec19cd5b48efeeae3ccc4cfb3cc (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
#!/bin/bash
#/**
#@file    security-config
#@brief   OpenGnsys Server security configuration.
#@note    Security configuration tipsx for UFW, FirewallD and SELinux.
#@version 1.1.0 - Initial version.
#@author  Ramón M. Gómez, ETSII Univ. Sevilla
#@date    2016-04-18
#*/ ##


# Variables.
PROG=$(basename "$0")
OPENGNSYS=/opt/opengnsys
# Errors control.
if [ "$USER" != "root" ]; then
	echo "$PROG: Need to be root." >&2
	exit 1
fi

# UFW configuration.
if which ufw &>/dev/null; then
	echo "Configuring UFW."
	# Adding active services.
	ufw allow "Apache Secure"
	ufw allow from 127.0.0.1/8 to any port mysql proto tcp    # MySQL from the loopback
	ufw allow OpenSSH
	ufw allow Samba
	ufw allow rsync
	ufw allow tftp
	ufw allow 67,68/udp		# DHCP
	ufw allow 2008,2009,2011/tcp	# OpenGnsys services
	ufw allow 6881:6999/udp		# BitTorrent
	ufw allow 9000/tcp		# PHP-FPM
	ufw allow 9000:9051/udp		# Multicast
	# Applying configuration.
	ufw enable
# FirewallD configuration.
elif which firewall-cmd &>/dev/null; then
	echo "Configuring FirewallD."
	# Defining services.
	python -c "
import firewall.core.io.service as ios
s=ios.Service()
s.short = 'OpenGnsys Services'
s.name = 'opengnsys'
s.ports = [('2008', 'tcp'), ('2009', 'tcp'), ('2011', 'tcp')]
ios.service_writer(s, '/etc/firewalld/services')
s.name = 'php-fpm'
s.ports = [('9000', 'tcp')]
ios.service_writer(s, '/etc/firewalld/services')"
	# Adding active services.
	firewall-cmd --permanent --add-service=dhcp
	firewall-cmd --permanent --add-service=https
	firewall-cmd --permanent --add-service=mysql --zone internal
	firewall-cmd --permanent --add-service=opengnsys
	firewall-cmd --permanent --add-service=php-fpm
	# Ubuntu 14.04 does not define "rsyncd" service.
	firewall-cmd --permanent --add-service=rsyncd || \
		firewall-cmd --permanent --add-port=873/tcp
	firewall-cmd --permanent --add-service=samba
	firewall-cmd --permanent --add-service=ssh
	firewall-cmd --permanent --add-service=tftp
	# Adding Multicast ports.
	firewall-cmd --permanent --add-port=9000-9051/udp
	# Adding BitTorent ports.
	firewall-cmd --permanent --add-port=6881-6999/udp
	# Applying configuration.
	firewall-cmd --reload
else
	echo "$PROG: Warning: Firewall won't be configured (neither ufw or firewalld are installed)."
fi

# SELinux configuration.
if which setsebool &>/dev/null; then
	if selinuxenabled; then
		echo "Configuring SELinux."
		# Configuring Apache.
		setsebool -P httpd_can_connect_ldap on
		semanage fcontext -at httpd_sys_content_t "$OPENGNSYS/www(/.*)?"
		# Configuring Samba.
		setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
		semanage fcontext -at samba_share_t "$OPENGNSYS/client(/.*)?"
		semanage fcontext -at samba_share_t "$OPENGNSYS/images(/.*)?"
		# Applying configuration.
		restorecon -R $OPENGNSYS
	else
		echo "$PROG: Warning: SELinux is disabled, it won't be configured."
	fi
else
	echo "$PROG: Warning: SELinux won't be configured (policycoreutils is not installed)."
fi