Last change on this file was 0fd42f4, checked in by Irina Gómez <irinagomez@…>, 5 years ago

#928 Multicast ports are allowed from 9000 to 9098. Port 9100 is assigned to bacula Director.

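#!/bin/bash
#/**
#@file    security-config
#@brief   OpenGnsys Server security configuration.
#@note    Security configuration tips for UFW, FirewallD and SELinux.
#@version 1.1.0 - Initial version.
#@author  Ramón M. Gómez, ETSII Univ. Sevilla
#@date    2016-04-18
#*/ ##
#
# Usage: security-config        (no arguments; must be run as root)
#
# Detects the host firewall that is installed (UFW first, else FirewallD),
# opens the ports used by the OpenGnsys server services and, when SELinux is
# available and enabled, sets the booleans and file contexts that Apache and
# Samba need to serve the OpenGnsys directory trees.


# Variables.
PROG=$(basename "$0")
OPENGNSYS=/opt/opengnsys
# NOTE(review): the UFW rule opens 9000:9099/udp for multicast while the
# FirewallD rule opens 9000-9051/udp; both ranges are kept as they were.
# Port 9100 is assigned to the Bacula Director and must stay outside them.

#######################################
# Print a diagnostic prefixed with the program name on stderr.
# Globals:   PROG (read)
# Arguments: message words
#######################################
warn() {
  printf '%s: %s\n' "$PROG" "$*" >&2
}

#######################################
# Open the OpenGnsys service ports with UFW and enable the firewall.
# Outputs:   progress on stdout; ufw output passes through
# Returns:   exit status of "ufw enable" (interactive: may prompt on a tty)
#######################################
configure_ufw() {
  echo "Configuring UFW."
  # Adding active services.
  ufw allow "Apache Secure"
  ufw allow from 127.0.0.1/8 to any port mysql proto tcp    # MySQL from the loopback
  ufw allow OpenSSH
  ufw allow Samba
  ufw allow rsync
  ufw allow tftp
  ufw allow 67,68/udp             # DHCP
  ufw allow 2008,2009,2011/tcp    # OpenGnsys services
  ufw allow 6881:6999/udp         # BitTorrent
  ufw allow 9000/tcp              # PHP-FPM
  ufw allow 9000:9099/udp         # Multicast
  # Applying configuration.
  ufw enable
}

#######################################
# Write the "opengnsys" and "php-fpm" FirewallD service definitions under
# /etc/firewalld/services using the firewalld Python bindings.
# Arguments: $1 - Python interpreter to run the bindings with
# Returns:   exit status of the interpreter (non-zero when the bindings are
#            not importable from that interpreter)
#######################################
write_firewalld_services() {
  "$1" -c "
import firewall.core.io.service as ios
s=ios.Service()
s.short = 'OpenGnsys Services'
s.name = 'opengnsys'
s.ports = [('2008', 'tcp'), ('2009', 'tcp'), ('2011', 'tcp')]
ios.service_writer(s, '/etc/firewalld/services')
s.name = 'php-fpm'
s.ports = [('9000', 'tcp')]
ios.service_writer(s, '/etc/firewalld/services')"
}

#######################################
# Define the OpenGnsys services and open the service ports with FirewallD.
# Outputs:   progress on stdout, warnings on stderr; firewall-cmd output
#            passes through
# Returns:   exit status of "firewall-cmd --reload"
#######################################
configure_firewalld() {
  local interp defined=0
  echo "Configuring FirewallD."
  # Defining services. The interpreter must be the one the firewalld bindings
  # are installed for: try python3 first (recent distributions ship no
  # "python" executable), then fall back to python for older releases.
  for interp in python3 python; do
    command -v "$interp" >/dev/null 2>&1 || continue
    if write_firewalld_services "$interp"; then
      defined=1
      break
    fi
  done
  if [[ $defined -eq 0 ]]; then
    warn "Warning: could not write the FirewallD service definitions (firewalld Python bindings not found)."
  fi
  # Adding active services.
  firewall-cmd --permanent --add-service=dhcp
  firewall-cmd --permanent --add-service=https
  # NOTE(review): this exposes MySQL to the whole "internal" zone, whereas the
  # UFW branch only admits the loopback network; kept as it was.
  firewall-cmd --permanent --add-service=mysql --zone internal
  firewall-cmd --permanent --add-service=opengnsys
  firewall-cmd --permanent --add-service=php-fpm
  # Ubuntu 14.04 does not define "rsyncd" service.
  firewall-cmd --permanent --add-service=rsyncd || \
    firewall-cmd --permanent --add-port=873/tcp
  firewall-cmd --permanent --add-service=samba
  firewall-cmd --permanent --add-service=ssh
  firewall-cmd --permanent --add-service=tftp
  # Adding Multicast ports.
  firewall-cmd --permanent --add-port=9000-9051/udp
  # Adding BitTorent ports.
  firewall-cmd --permanent --add-port=6881-6999/udp
  # Applying configuration.
  firewall-cmd --reload
}

#######################################
# Set the SELinux booleans and file contexts for Apache and Samba and relabel
# the OpenGnsys tree.
# Globals:   OPENGNSYS (read)
# Outputs:   progress on stdout, warnings on stderr
# Returns:   exit status of restorecon
#######################################
configure_selinux() {
  local have_semanage=1
  echo "Configuring SELinux."
  # semanage ships in policycoreutils-python(-utils), not in policycoreutils,
  # so it can be missing even though setsebool is present.
  if ! command -v semanage >/dev/null 2>&1; then
    warn "Warning: semanage is not installed, SELinux file contexts won't be set."
    have_semanage=0
  fi
  # Configuring Apache.
  setsebool -P httpd_can_connect_ldap on
  if [[ $have_semanage -eq 1 ]]; then
    semanage fcontext -at httpd_sys_content_t "$OPENGNSYS/www(/.*)?"
  fi
  # Configuring Samba.
  # NOTE(review): samba_export_all_rw lets smbd read and write files of any
  # context, which is broader than the samba_share_t labels applied below;
  # kept as it was.
  setsebool -P samba_export_all_ro=1 samba_export_all_rw=1
  if [[ $have_semanage -eq 1 ]]; then
    semanage fcontext -at samba_share_t "$OPENGNSYS/client(/.*)?"
    semanage fcontext -at samba_share_t "$OPENGNSYS/images(/.*)?"
  fi
  # Applying configuration.
  restorecon -R "$OPENGNSYS"
}

#######################################
# Entry point: root check, firewall detection, SELinux configuration.
# Globals:   PROG (read)
# Returns:   1 when not run as root
#######################################
main() {
  # Errors control. The effective UID is authoritative; $USER is inherited
  # from the environment and may be unset or stale (e.g. under su/sudo).
  if [[ $EUID -ne 0 ]]; then
    warn "Need to be root."
    exit 1
  fi

  # Firewall configuration: UFW takes precedence when both are installed.
  if command -v ufw >/dev/null 2>&1; then
    configure_ufw
  elif command -v firewall-cmd >/dev/null 2>&1; then
    configure_firewalld
  else
    warn "Warning: Firewall won't be configured (neither ufw or firewalld are installed)."
  fi

  # SELinux configuration.
  if command -v setsebool >/dev/null 2>&1; then
    if selinuxenabled; then
      configure_selinux
    else
      warn "Warning: SELinux is disabled, it won't be configured."
    fi
  else
    warn "Warning: SELinux won't be configured (policycoreutils is not installed)."
  fi
}

main "$@"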