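#!/bin/bash
#/**
#@file    security-config
#@brief   OpenGnsys Server security configuration.
#@note    Security configuration tips for UFW, FirewallD and SELinux.
#@note    Best-effort script: every rule is applied independently; a command
#         that fails is reported on stderr and the remaining ones still run.
#@version 1.1.0 - Initial version.
#@author  Ramón M. Gómez, ETSII Univ. Sevilla
#@date    2016-04-18
#*/ ##


# Variables.
PROG=$(basename "$0")
OPENGNSYS=/opt/opengnsys

# Run a command and report (without aborting) when it fails, so that a single
# rejected rule does not silently leave the rest of the firewall unconfigured.
try() {
        "$@" || echo "$PROG: Warning: command failed ($?): $*" >&2
}

# Errors control: compare the effective UID rather than $USER, which may be
# unset or stale (cron, su without -l, stripped environments).
if [ "$(id -u)" -ne 0 ]; then
        echo "$PROG: Need to be root." >&2
        exit 1
fi

# UFW configuration.
if command -v ufw >/dev/null 2>&1; then
        echo "Configuring UFW."
        # Adding active services.
        try ufw allow "Apache Secure"
        try ufw allow OpenSSH
        try ufw allow Samba
        # NOTE(review): this opens 3306/tcp on every interface, whereas the
        # FirewallD branch below limits MySQL to the "internal" zone; consider
        # restricting it to the clients' network here as well.
        try ufw allow mysql
        try ufw allow rsync
        try ufw allow tftp
        try ufw allow 67,68/udp             # DHCP
        try ufw allow 2008/tcp              # OpenGnsys service
        try ufw allow 6881:6999/udp         # BitTorrent
        try ufw allow 9000/tcp              # PHP-FPM
        try ufw allow 9000:9051/udp         # Multicast
        # Applying configuration. OpenSSH was allowed above, so the interactive
        # "may disrupt existing ssh connections" prompt is skipped with --force
        # to keep unattended installs from hanging on it.
        try ufw --force enable
# FirewallD configuration.
elif command -v firewall-cmd >/dev/null 2>&1; then
        echo "Configuring FirewallD."
        # Defining services: ogAdmServer and php-fpm are not shipped with
        # FirewallD, so they are written through its python bindings (the
        # interpreter must be the one those bindings are installed for).
        try python -c "
import firewall.core.io.service as ios
s=ios.Service()
s.short = 'OpenGnsys Server'
s.name = 'ogAdmServer'
s.ports = [('2008', 'tcp')]
ios.service_writer(s, '/etc/firewalld/services')
s.name = 'php-fpm'
s.ports = [('9000', 'tcp')]
ios.service_writer(s, '/etc/firewalld/services')"
        # Adding active services.
        try firewall-cmd --permanent --add-service=dhcp
        try firewall-cmd --permanent --add-service=https
        try firewall-cmd --permanent --add-service=php-fpm
        try firewall-cmd --permanent --add-service=mysql --zone internal
        try firewall-cmd --permanent --add-service=ogAdmServer
        # Ubuntu 14.04 does not define "rsyncd" service.
        firewall-cmd --permanent --add-service=rsyncd || \
                try firewall-cmd --permanent --add-port=873/tcp
        try firewall-cmd --permanent --add-service=samba
        try firewall-cmd --permanent --add-service=ssh
        try firewall-cmd --permanent --add-service=tftp
        # Adding Multicast ports.
        try firewall-cmd --permanent --add-port=9000-9051/udp
        # Adding BitTorent ports.
        try firewall-cmd --permanent --add-port=6881-6999/udp
        # Applying configuration.
        try firewall-cmd --reload
else
        echo "$PROG: Warning: Firewall won't be configured (neither ufw or firewalld are installed)."
fi

# SELinux configuration.
if command -v setsebool >/dev/null 2>&1; then
        echo "Configuring SELinux."
        # NOTE(review): semanage may live in a separate package from setsebool;
        # if it is missing, the fcontext rules below are reported and skipped.
        # Configuring Apache.
        try setsebool -P httpd_can_connect_ldap on
        try semanage fcontext -at httpd_sys_content_t "$OPENGNSYS/www(/.*)?"
        # Configuring Samba.
        # NOTE(review): samba_export_all_rw lets Samba serve files of any label
        # read-write; the fcontext rules below already label the OpenGnsys
        # trees as samba_share_t, so check whether the blanket boolean is
        # still required.
        try setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
        try semanage fcontext -at samba_share_t "$OPENGNSYS/client(/.*)?"
        try semanage fcontext -at samba_share_t "$OPENGNSYS/images(/.*)?"
        # Applying configuration (path quoted so it stays a single argument).
        try restorecon -R "$OPENGNSYS"
else
        echo "$PROG: Warning: SELinux won't be configured (policycoreutils is not installed)."
fi
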