1540,7 → 1540,6 |
# Configuration file of ALCASAR main domains for $INTIF |
cat << EOF > /etc/unbound/conf.d/common/local-dns/${INTIF}.conf |
server: |
local-zone: "$DOMAIN" static |
local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP" |
local-data-ptr: "$PRIVATE_IP $HOSTNAME.$DOMAIN" |
EOF |
1552,8 → 1551,9 |
access-control-view: 127.0.0.1/8 lo |
view: |
name: "lo" |
local-zone: "$DOMAIN" static |
local-data: "$HOSTNAME A 127.0.0.1" |
local-data: "$HOSTNAME.$DOMAIN A 127.0.0.1" |
local-data-ptr: "127.0.0.1 $HOSTNAME.$DOMAIN" |
view-first: yes |
EOF |
|
1635,7 → 1635,7 |
include: /usr/local/share/unbound-wl-enabled/* |
forward-zone: |
name: "." |
forward-addr: 127.0.0.1@55 |
forward-addr: 127.0.0.1@53 |
EOF |
|
# Configuration file for $INTIF of blackhole unbound |
1647,9 → 1647,6 |
name: "$INTIF" |
local-zone: "." redirect |
local-data: ". A $PRIVATE_IP" |
local-zone: "$DOMAIN" static |
local-data: "$HOSTNAME.$DOMAIN A $PRIVATE_IP" |
local-data-ptr: "$PRIVATE_IP $HOSTNAME.$DOMAIN" |
EOF |
|
# Configuration file for blackhole unbound |
2136,7 → 2133,7 |
/usr/bin/systemctl -q disable $i.service |
done |
|
# Apply French Security Agency (ANSSI) rules |
# Apply some security rules (some are from French cybersecurity Agency - ANSSI) |
# ignore ICMP broadcast (smurf attack) |
echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf |
# ignore ICMP errors bogus |
2165,6 → 2162,10 |
echo "net.ipv6.conf.default.autoconf = 0" >> /etc/sysctl.d/alcasar.conf |
# switch to multi-users runlevel (instead of x11) |
ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target |
# disable Core dump file |
[ -e /etc/security/limits.conf.default ] || cp /etc/security/limits.conf /etc/security/limits.conf.default |
$SED "/^# End of file.*/i*\tsoft\tcore\t0\n*\thard\tcore\t0" /etc/security/limits.conf |
|
# GRUB2 modifications (Wait time : 3s - ALCASAR entry - VGA=791 - Change the default banner |
[ -e /etc/default/grub.default ] || cp /etc/default/grub /etc/default/grub.default |
$SED "s?^GRUB_TIMEOUT=.*?GRUB_TIMEOUT=3?g" /etc/default/grub |
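Review bot: The new core-dump block in hunk 2165,6 → 2162,10 is not idempotent: the `[ -e … ] || cp` guard only protects the backup copy, while the `$SED "/^# End of file.*/i…"` insert runs unconditionally, so re-running the installer appends a second pair of `* soft/hard core 0` lines, and if limits.conf carries no `# End of file` marker the insert silently does nothing. Guard the insert on the presence of the rule, e.g. `grep -q '^\*[[:space:]]\+hard[[:space:]]\+core' /etc/security/limits.conf || $SED "/^# End of file.*/i*\tsoft\tcore\t0\n*\thard\tcore\t0" /etc/security/limits.conf`, and consider a warning when the marker is absent. Note also that a limits.conf entry only reaches PAM login sessions; since the same hunk already appends sysctl settings to /etc/sysctl.d/alcasar.conf, adding `echo "fs.suid_dumpable = 0" >> /etc/sysctl.d/alcasar.conf` next to them covers the setuid case the comment "disable Core dump file" implies (system services would additionally need a systemd-level limit, which is outside this hunk). The surrounding top-level script continues beyond the hunk.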