Context Navigation

security-config @ 7082c6f

Visit:

918-git-images-111dconfigfileconfigure-oglivegit-imageslgromero-new-oglivemainmaint-cronmount-efivarfsmultivmmultivm-ogboot-installerogClonningEngineogboot-installer-jenkinsoglive-ipv6test-python-scriptsticket-301ticket-50ticket-50-oldticket-577ticket-585ticket-611ticket-612ticket-693ticket-700ubu24tplunification2use-local-agent-oglivevarios-instalacionwebconsole3

Last change on this file since 7082c6f was c5fcac1, checked in by Ramón M. Gómez <ramongomez@…>, 6 years ago
#875: Update list of enabled ports.
Property mode set to `100755`
File size: 2.7 KB

Rev	Line
[4db1b6e]	1	#!/bin/bash
	2	#/**
	3	#@file security-config
	4	#@brief OpenGnsys Server security configuration.
[b37d5cb]	5	#@note Security configuration tipsx for UFW, FirewallD and SELinux.
[9ddd0ff]	6	#@version 1.1.0 - Initial version.
	7	#@author Ramón M. Gómez, ETSII Univ. Sevilla
	8	#@date 2016-04-18
[4db1b6e]	9	#*/ ##
	10
	11
	12	# Variables.
	13	PROG=$(basename "$0")
	14	OPENGNSYS=/opt/opengnsys
	15	# Errors control.
	16	if [ "$USER" != "root" ]; then
	17	echo "$PROG: Need to be root." >&2
	18	exit 1
	19	fi
	20
[9ddd0ff]	21	# UFW configuration.
[c5fcac1]	22	if which ufw &>/dev/null; then
	23	echo "Configuring UFW."
[9ddd0ff]	24	# Adding active services.
	25	ufw allow "Apache Secure"
	26	ufw allow OpenSSH
	27	ufw allow Samba
	28	ufw allow mysql
	29	ufw allow rsync
	30	ufw allow tftp
	31	ufw allow 67,68/udp # DHCP
[c5fcac1]	32	ufw allow 2008/tcp # OpenGnsys service
[9ddd0ff]	33	ufw allow 6881:6999/udp # BitTorrent
[c5fcac1]	34	ufw allow 9000/tcp # PHP-FPM
	35	ufw allow 9000:9051/udp # Multicast
[9ddd0ff]	36	# Applying configuration.
	37	ufw enable
[4db1b6e]	38	# FirewallD configuration.
[c5fcac1]	39	elif which firewall-cmd &>/dev/null; then
	40	echo "Configuring FirewallD."
	41	# Defining services.
[4db1b6e]	42	python -c "
	43	import firewall.core.io.service as ios
	44	s=ios.Service()
	45	s.short = 'OpenGnsys Server'
	46	s.name = 'ogAdmServer'
	47	s.ports = [('2008', 'tcp')]
[c5fcac1]	48	ios.service_writer(s, '/etc/firewalld/services')
	49	s.name = 'php-fpm'
	50	s.ports = [('9000', 'tcp')]
[b73502c1]	51	ios.service_writer(s, '/etc/firewalld/services')"
[4db1b6e]	52	# Adding active services.
	53	firewall-cmd --permanent --add-service=dhcp
	54	firewall-cmd --permanent --add-service=https
[c5fcac1]	55	firewall-cmd --permanent --add-service=php-fpm
[4db1b6e]	56	firewall-cmd --permanent --add-service=mysql --zone internal
	57	firewall-cmd --permanent --add-service=ogAdmServer
	58	# Ubuntu 14.04 does not define "rsyncd" service.
	59	firewall-cmd --permanent --add-service=rsyncd \|\| \
	60	firewall-cmd --permanent --add-port=873/tcp
	61	firewall-cmd --permanent --add-service=samba
	62	firewall-cmd --permanent --add-service=ssh
	63	firewall-cmd --permanent --add-service=tftp
	64	# Adding Multicast ports.
	65	firewall-cmd --permanent --add-port=9000-9051/udp
[9ddd0ff]	66	# Adding BitTorent ports.
	67	firewall-cmd --permanent --add-port=6881-6999/udp
[4db1b6e]	68	# Applying configuration.
	69	firewall-cmd --reload
	70	else
[9ddd0ff]	71	echo "$PROG: Warning: Firewall won't be configured (neither ufw or firewalld are installed)."
[4db1b6e]	72	fi
	73
	74	# SELinux configuration.
[c5fcac1]	75	if which setsebool &>/dev/null; then
	76	echo "Configuring SELinux."
[4db1b6e]	77	# Configuring Apache.
	78	setsebool -P httpd_can_connect_ldap on
	79	semanage fcontext -at httpd_sys_content_t "$OPENGNSYS/www(/.*)?"
	80	# Configuring Samba.
	81	setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
	82	semanage fcontext -at samba_share_t "$OPENGNSYS/client(/.*)?"
	83	semanage fcontext -at samba_share_t "$OPENGNSYS/images(/.*)?"
	84	# Applying configuration.
	85	restorecon -R $OPENGNSYS
	86	else
	87	echo "$PROG: Warning: SELinux won't be configured (policycoreutils is not installed)."
	88	fi
	89

Note: See TracBrowser for help on using the repository browser.

Download in other formats:

Original Format