close Warning: Failed to sync with repository "ogBrowser-Git": (1366, "Incorrect string value: '\\xF0\\x9F\\x93\\xA6 I...' for column 'message' at row 1"); repository information may be out of date. Look in the Trac log for more information including mitigation strategies.

source: server/lib/security-config @ 7082c6f

918-git-images-111dconfigfileconfigure-oglivegit-imageslgromero-new-oglivemainmaint-cronmount-efivarfsmultivmmultivm-ogboot-installerogClonningEngineogboot-installer-jenkinsoglive-ipv6test-python-scriptsticket-301ticket-50ticket-50-oldticket-577ticket-585ticket-611ticket-612ticket-693ticket-700ubu24tplunification2use-local-agent-oglivevarios-instalacionwebconsole3
Last change on this file since 7082c6f was c5fcac1, checked in by Ramón M. Gómez <ramongomez@…>, 7 years ago

#875: Update list of enabled ports.
  • Property mode set to 100755
File size: 2.7 KB
RevLine 
[4db1b6e]1#!/bin/bash
2#/**
3#@file    security-config
4#@brief   OpenGnsys Server security configuration.
[b37d5cb]5#@note    Security configuration tipsx for UFW, FirewallD and SELinux.
[9ddd0ff]6#@version 1.1.0 - Initial version.
7#@author  Ramón M. Gómez, ETSII Univ. Sevilla
8#@date    2016-04-18
[4db1b6e]9#*/ ##
10
11
12# Variables.
13PROG=$(basename "$0")
14OPENGNSYS=/opt/opengnsys
15# Errors control.
16if [ "$USER" != "root" ]; then
17        echo "$PROG: Need to be root." >&2
18        exit 1
19fi
20
[9ddd0ff]21# UFW configuration.
[c5fcac1]22if which ufw &>/dev/null; then
23        echo "Configuring UFW."
[9ddd0ff]24        # Adding active services.
25        ufw allow "Apache Secure"
26        ufw allow OpenSSH
27        ufw allow Samba
28        ufw allow mysql
29        ufw allow rsync
30        ufw allow tftp
31        ufw allow 67,68/udp             # DHCP
[c5fcac1]32        ufw allow 2008/tcp              # OpenGnsys service
[9ddd0ff]33        ufw allow 6881:6999/udp         # BitTorrent
[c5fcac1]34        ufw allow 9000/tcp              # PHP-FPM
35        ufw allow 9000:9051/udp         # Multicast
[9ddd0ff]36        # Applying configuration.
37        ufw enable
[4db1b6e]38# FirewallD configuration.
[c5fcac1]39elif which firewall-cmd &>/dev/null; then
40        echo "Configuring FirewallD."
41        # Defining services.
[4db1b6e]42        python -c "
43import firewall.core.io.service as ios
44s=ios.Service()
45s.short = 'OpenGnsys Server'
46s.name = 'ogAdmServer'
47s.ports = [('2008', 'tcp')]
[c5fcac1]48ios.service_writer(s, '/etc/firewalld/services')
49s.name = 'php-fpm'
50s.ports = [('9000', 'tcp')]
[b73502c1]51ios.service_writer(s, '/etc/firewalld/services')"
[4db1b6e]52        # Adding active services.
53        firewall-cmd --permanent --add-service=dhcp
54        firewall-cmd --permanent --add-service=https
[c5fcac1]55        firewall-cmd --permanent --add-service=php-fpm
[4db1b6e]56        firewall-cmd --permanent --add-service=mysql --zone internal
57        firewall-cmd --permanent --add-service=ogAdmServer
58        # Ubuntu 14.04 does not define "rsyncd" service.
59        firewall-cmd --permanent --add-service=rsyncd || \
60                firewall-cmd --permanent --add-port=873/tcp
61        firewall-cmd --permanent --add-service=samba
62        firewall-cmd --permanent --add-service=ssh
63        firewall-cmd --permanent --add-service=tftp
64        # Adding Multicast ports.
65        firewall-cmd --permanent --add-port=9000-9051/udp
[9ddd0ff]66        # Adding BitTorent ports.
67        firewall-cmd --permanent --add-port=6881-6999/udp
[4db1b6e]68        # Applying configuration.
69        firewall-cmd --reload
70else
[9ddd0ff]71        echo "$PROG: Warning: Firewall won't be configured (neither ufw or firewalld are installed)."
[4db1b6e]72fi
73
74# SELinux configuration.
[c5fcac1]75if which setsebool &>/dev/null; then
76        echo "Configuring SELinux."
[4db1b6e]77        # Configuring Apache.
78        setsebool -P httpd_can_connect_ldap on
79        semanage fcontext -at httpd_sys_content_t "$OPENGNSYS/www(/.*)?"
80        # Configuring Samba.
81        setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
82        semanage fcontext -at samba_share_t "$OPENGNSYS/client(/.*)?"
83        semanage fcontext -at samba_share_t "$OPENGNSYS/images(/.*)?"
84        # Applying configuration.
85        restorecon -R $OPENGNSYS
86else
87        echo "$PROG: Warning: SELinux won't be configured (policycoreutils is not installed)."
88fi
89
Note: See TracBrowser for help on using the repository browser.