source: server/lib/security-config @ 37481d8

Last change on this file since 37481d8 was b351d8a, checked in by Ramón M. Gómez <ramongomez@…>, 6 years ago

#875: Removing old ogAdmRepo service.

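#!/bin/bash
#/**
#@file    security-config
#@brief   OpenGnsys Server security configuration.
#@note    Security configuration tips for UFW, FirewallD and SELinux.
#@version 1.1.0 - Initial version.
#@author  Ramón M. Gómez, ETSII Univ. Sevilla
#@date    2016-04-18
#*/ ##
#
# Flat script, no functions: picks the firewall front-end that is installed
# (UFW first, then FirewallD), opens the ports the server needs, and then
# applies the SELinux booleans/file contexts when policycoreutils is present.
# Every step is best-effort; a failing rule is reported by the tool itself
# and does not abort the run. Must be run as root.


# Variables.
PROG=$(basename "$0")
OPENGNSYS=/opt/opengnsys
# Errors control: compare the effective UID instead of $USER, which some
# environments leave unset or stale (e.g. after a plain "su").
if [ "$(id -u)" -ne 0 ]; then
	echo "$PROG: Need to be root." >&2
	exit 1
fi

# UFW configuration.
# "command -v" is the portable tool probe; its output is discarded so the
# check no longer prints the tool's path to stdout (as "which" did).
if command -v ufw >/dev/null 2>&1; then
	# Adding active services.
	ufw allow "Apache Secure"
	ufw allow OpenSSH
	ufw allow Samba
	# NOTE(review): the FirewallD branch below limits mysql to the "internal"
	# zone, whereas this rule opens it on every interface. Confirm remote
	# database access is really required before keeping it unrestricted.
	ufw allow mysql
	ufw allow rsync
	ufw allow tftp
	ufw allow 67,68/udp		# DHCP
	# NOTE(review): the FirewallD service definition below only declares
	# 2008/tcp; 2002/tcp may be a leftover of the removed ogAdmRepo service
	# (#875) — verify before keeping it open.
	ufw allow 2002,2008/tcp		# OpenGnsys services
	ufw allow 9000:9051/udp		# Multicast
	ufw allow 6881:6999/udp		# BitTorrent
	# Applying configuration. "ufw enable" may prompt for confirmation when
	# run interactively, since it can disrupt the current SSH session.
	ufw enable
# FirewallD configuration.
elif command -v firewall-cmd >/dev/null 2>&1; then
	# Defining OpenGnsys services: writes an "ogAdmServer" service file
	# (2008/tcp) using the firewalld Python bindings of whatever "python"
	# resolves to on this host.
	python -c "
import firewall.core.io.service as ios
s=ios.Service()
s.short = 'OpenGnsys Server'
s.name = 'ogAdmServer'
s.ports = [('2008', 'tcp')]
ios.service_writer(s, '/etc/firewalld/services')"
	# Adding active services.
	firewall-cmd --permanent --add-service=dhcp
	firewall-cmd --permanent --add-service=https
	firewall-cmd --permanent --add-service=mysql --zone internal
	firewall-cmd --permanent --add-service=ogAdmServer
	# Ubuntu 14.04 does not define "rsyncd" service.
	firewall-cmd --permanent --add-service=rsyncd || \
		firewall-cmd --permanent --add-port=873/tcp
	firewall-cmd --permanent --add-service=samba
	firewall-cmd --permanent --add-service=ssh
	firewall-cmd --permanent --add-service=tftp
	# Adding Multicast ports.
	firewall-cmd --permanent --add-port=9000-9051/udp
	# Adding BitTorent ports.
	firewall-cmd --permanent --add-port=6881-6999/udp
	# Applying configuration.
	firewall-cmd --reload
else
	# Diagnostics go to stderr so they are not mixed with tool output.
	echo "$PROG: Warning: Firewall won't be configured (neither ufw or firewalld are installed)." >&2
fi

# SELinux configuration.
if command -v setsebool >/dev/null 2>&1; then
	# Configuring Apache.
	setsebool -P httpd_can_connect_ldap on
	semanage fcontext -at httpd_sys_content_t "$OPENGNSYS/www(/.*)?"
	# Configuring Samba.
	setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
	semanage fcontext -at samba_share_t "$OPENGNSYS/client(/.*)?"
	semanage fcontext -at samba_share_t "$OPENGNSYS/images(/.*)?"
	# Applying configuration (quoted so an unusual install path cannot be
	# word-split or globbed).
	restorecon -R "$OPENGNSYS"
else
	echo "$PROG: Warning: SELinux won't be configured (policycoreutils is not installed)." >&2
fi
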