
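--- a/alcasar.sh
+++ b/alcasar.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
-#  $Id: alcasar.sh 2866 2020-10-21 22:04:01Z rexy $
+#  $Id: alcasar.sh 2867 2020-10-24 14:33:04Z rexy $
 
 # alcasar.sh
 # ALCASAR is a Free and open source NAC created by Franck BOUIJOUX (3abtux), Pascal LEVANT and Richard REY (Rexy)
 # This script is distributed under the Gnu General Public License (GPL)
 #  team@alcasar.net
@@ -1284,13 +1284,15 @@
 	[ -e $DIR_DG/e2guardianf1.conf.default ] || cp $DIR_DG/e2guardianf1.conf $DIR_DG/e2guardianf1.conf.default
 	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/e2guardianf1.conf
 	$SED "s/^groupname =.*/groupname = 'blacklisted users'/g" $DIR_DG/e2guardianf1.conf
 	$SED "s/^#htmltemplate =.*/htmltemplate = 'alcasar-e2g.html'/g" $DIR_DG/e2guardianf1.conf
 
-# copy HTML templates
+# copy & adapt HTML templates
 	cp $DIR_CONF/alcasar-e2g-fr.html /usr/share/e2guardian/languages/french/alcasar-e2g.html
 	cp $DIR_CONF/alcasar-e2g-en.html /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
+	$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/french/alcasar-e2g.html
+	$SED "s?\/\/[a-z.]*\/?\/\/$HOSTNAME.$DOMAIN\/?g" /usr/share/e2guardian/languages/ukenglish/alcasar-e2g.html
 
 ###### ALCASAR special filtering ####
 # RAZ bannedphraselist
 	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
 	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (comment what is not)
@@ -1827,18 +1829,90 @@
 EOF
 # removing the users crons
 	rm -f /var/spool/cron/*
 } # End of cron()
 
-######################################################################
-##                      Fonction "Fail2Ban"                         ##
-##- Adapt conf file to ALCASAR                                      ##
-##- Secure items : DDOS, SSH-Brute-Force, Intercept.php Brute-Force ##
-######################################################################
+########################################################################
+##                        Fonction "Fail2Ban"                         ##
+##- Adapt conf file to ALCASAR                                        ##
+##- Secure items : DDOS, SSH-Brute-Force, Intercept & ACC brute-Force ##
+########################################################################
 fail2ban()
 {
-	/usr/bin/sh $DIR_CONF/fail2ban.sh
+# adapt fail2ban.conf to Mageia (fedora like) & ALCASAR behaviour
+[ -e /etc/fail2ban/jail.conf.default ] || cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.default
+$SED "s?^before =.*?before = paths-fedora.conf?g" /etc/fail2ban/jail.conf
+$SED "s?^bantime =.*?bantime = 3m?g" /etc/fail2ban/jail.conf
+$SED "s?^findtime =.*?findtime = 5m?g" /etc/fail2ban/jail.conf
+
+# add 5 jails and their filters
+## sshd : Ban after 3 failed attempts (ie. brute-force). This "jail" uses the default "sshd" f2b filter.
+cat << EOF > /etc/fail2ban/jail.d/01alcasar_sshd.conf
+[sshd]
+enabled = true
+#enabled  = false
+maxretry = 3
+EOF
+
+## lighttpd-auth : Ban after 3 failed attempts on ACC. This "jail" uses the default "lighttpd-auth" f2b filter.
+cat << EOF > /etc/fail2ban/jail.d/02alcasar_lighttpd-auth.conf
+[lighttpd-auth]
+enabled = true
+#enabled  = false
+maxretry = 3
+EOF
+
+## mod-evasive : Ban after 3 failed retrieve page attempts (ie : unknown page)
+cat << EOF > /etc/fail2ban/jail.d/03alcasar_mod-evasive.conf
+[alcasar_mod-evasive]
+#enabled = true
+enabled = false
+backend = auto
+filter = alcasar_mod-evasive
+action = iptables-allports[name=alcasar_mod-evasive]
+logpath = /var/log/lighttpd/access.log
+maxretry = 3
+EOF
+cat << EOF > /etc/fail2ban/filter.d/alcasar_mod-evasive.conf
+[Definition]
+failregex =  <HOST> .+\] "[^"]+" 403
+ignoreregex =
+EOF
+
+### alcasar_intercept : ban after 5 failed user login attemps on intercept.php
+cat << EOF > /etc/fail2ban/jail.d/04alcasar_intercept.conf
+[alcasar_intercept]
+enabled = true
+#enabled = false
+backend = auto
+filter = alcasar_intercept
+action = iptables-allports[name=alcasar_intercept]
+logpath = /var/log/lighttpd/access.log
+maxretry = 5
+cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf
+[Definition]
+failregex = <HOST> .* \"GET \/intercept\.php\?res=failed\&reason=reject
+ignoreregex =
+EOF
+
+## alcasar_change-pwd : ban after 5 failed user change password attempts
+cat << EOF > /etc/fail2ban/jail.d/05alcasar_change-pwd.conf
+[alcasar_change-pwd]
+enabled = true
+#enabled = false
+backend = auto
+filter = alcasar_change-pwd
+action = iptables-allports[name=alcasar_change-pwd]
+logpath = /var/log/lighttpd/access.log
+maxretry = 5
+EOF
+cat << EOF > /etc/fail2ban/filter.d/alcasar_change-pwd.conf
+[Definition]
+failregex = <HOST> .* \"POST \/password\.php
+ignoreregex =
+EOF
+
 # allow reading of 2 log files (fail2ban & watchdog).
 	[ -e /var/log/fail2ban.log ] || /usr/bin/touch /var/log/fail2ban.log
 	[ -e /var/Save/security/watchdog.log ] || /usr/bin/touch /var/Save/security/watchdog.log
 	chmod 644 /var/log/fail2ban.log
 	chmod 644 /var/Save/security/watchdog.log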
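Review bot: The heredoc that writes /etc/fail2ban/jail.d/04alcasar_intercept.conf is never closed: right after `maxretry = 5` the script goes on to `cat << EOF > /etc/fail2ban/filter.d/alcasar_intercept.conf`, so that line, `[Definition]`, the failregex and `ignoreregex =` all land inside the jail file and the filter file itself is never created, leaving an enabled jail whose `filter = alcasar_intercept` points at a missing filter (fail2ban would then refuse that jail at load time). Add `EOF` after `maxretry = 5`, exactly as the 03 and 05 blocks do between their jail and filter heredocs. Two smaller points: the `before`/`bantime`/`findtime` overrides are applied with sed to jail.conf, which a fail2ban package upgrade is likely to overwrite, whereas a jail.local or a jail.d drop-in would survive; and the new lines are written at column 0 while the rest of the fail2ban() body is tab-indented. The fail2ban() function continues past the end of this section.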