From d0975f771974ff637f8b4ec617b1fa4128c4f6fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20S?=
Date: Thu, 15 Mar 2018 16:13:20 +0100
Subject: [PATCH 1/4] First implementatio for IS_EVOMAINTENANCE_FW

We check if there is at least the 4 evomaintenance rules.
---
 evocheck.sh | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/evocheck.sh b/evocheck.sh
index 24f919d..5e0659d 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -99,6 +99,7 @@ IS_MONGO_BACKUP=1
 IS_MOUNT_FSTAB=1
 IS_NETWORK_INTERFACES=1
 IS_EVOBACKUP=1
+IS_EVOMAINTENANCE_FW=1
 
 #Proper to OpenBSD
 IS_SOFTDEP=1
@@ -350,7 +351,20 @@ if [ -e /etc/debian_version ]; then
 && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $f \
 && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $f || echo 'IS_SQUID FAILED!' )
 fi
-
+
+ if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then
+ is_debianversion squeeze && f=/etc/firewall.rc
+ is_debianversion wheezy && f=/etc/firewall.rc
+ is_debianversion jessie && f=/etc/default/minifirewall
+ is_debianversion stretch && f=/etc/default/minifirewall
+ if [ -f "$f" ]; then
+ rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$f")
+ if [ "$rulesNumber" -lt 4 ]; then
+ echo 'IS_EVOMAINTENANCE_FW FAILED!'
+ fi
+ fi
+ fi
+
 # Verification de la conf et de l'activation de mod-deflate
 if [ "$IS_MODDEFLATE" = 1 ]; then
 f=/etc/apache2/mods-enabled/deflate.conf

From 75fbba7644a232cbe02ce2b214b704f42fd34a0e Mon Sep 17 00:00:00 2001
From: Daniel Jakots
Date: Thu, 15 Mar 2018 11:29:15 -0400
Subject: [PATCH 2/4] Set at the beginning $MINIFW_FILE and use it

---
 evocheck.sh | 29 ++++++++++++-----------------
 1 file changed, 12 insertions(+), 17 deletions(-)

diff --git a/evocheck.sh b/evocheck.sh
index 5e0659d..0ba252b 100755
--- a/evocheck.sh
+++ b/evocheck.sh
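Review bot: The `rulesNumber=` line counts matches with an unanchored pattern, so a commented-out rule (`#/sbin/iptables ...`) in the firewall file is counted toward the required 4, while the IS_SQUID check just above skips comments with `^[^#]*`; prefix the pattern the same way, `rulesNumber=$(grep -c "^[^#]*/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$f")`. The `-s .*` wildcard means the check verifies how many such rules exist, not that their source addresses are the expected ones; that limit is worth stating above the block, for example `# Counts the rules only; the -s addresses are not validated`. If none of the four `is_debianversion` calls matches, `$f` keeps whatever a previous check left in it and the count may run against an unrelated file, so reset it with `f=` before the detection lines. The enclosing `if [ -e /etc/debian_version ]` block starts and ends outside the hunk.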
@@ -150,6 +150,11 @@ is_debianversion(){
 #Vérifie si c'est une debian et fait les tests appropriés.
 #-----------------------------------------------------------
 
+is_debianversion squeeze && MINIFW_FILE=/etc/firewall.rc
+is_debianversion wheezy && MINIFW_FILE=/etc/firewall.rc
+is_debianversion jessie && MINIFW_FILE=/etc/default/minifirewall
+is_debianversion stretch && MINIFW_FILE=/etc/default/minifirewall
+
 if [ -e /etc/debian_version ]; then
 
 if [ "$IS_DPKGWARNING" = 1 ]; then
@@ -285,10 +290,7 @@ if [ -e /etc/debian_version ]; then
 fi
 
 if [ "$IS_MINIFWPERMS" = 1 ]; then
- is_debianversion squeeze && ( ls -l /etc/firewall.rc | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
- is_debianversion wheezy && ( ls -l /etc/firewall.rc | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
- is_debianversion jessie && ( ls -l /etc/default/minifirewall | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
- is_debianversion stretch && ( ls -l /etc/default/minifirewall | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!' )
+ ls -l "$MINIFW_FILE" | grep -q -- -rw------- || echo 'IS_MINIFWPERMS FAILED!'
 fi
 
 if [ "$IS_NRPEDISKS" = 1 ]; then
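Review bot: The four `is_debianversion ... && MINIFW_FILE=` lines sit before `if [ -e /etc/debian_version ]`, so they now run on every host, and `is_debianversion` shells out to `lsb_release` (its body is visible in the patch 4 hunk); on a non-Debian host, which the script's OpenBSD flags suggest it supports, that likely produces a command-not-found error and a malformed `[` test four times. Put the detection under the same guard, `if [ -e /etc/debian_version ]; then ... fi`, or inside the existing block. No default is set, so on any other Debian release `MINIFW_FILE` stays empty and every consumer has to cope with that; a comment such as `# MINIFW_FILE stays empty on releases other than squeeze..stretch` above these lines would make the contract explicit. Patch 4 moves the same lines and leaves them outside the guard, so the same applies there.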
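Review bot: When `MINIFW_FILE` is empty (a release the detection above does not name), the new `ls -l "$MINIFW_FILE"` line fails, its grep matches nothing and the check now prints `IS_MINIFWPERMS FAILED!`, whereas the removed version-gated lines ran nothing at all on such a release; if that is unintended, wrap the line in `if [ -n "$MINIFW_FILE" ]; then ... fi`, and if a failure is the intent, make the message distinguish a missing file from wrong permissions. Separately, matching `-rw-------` anywhere in `ls -l` output also accepts a mode column shown as `-rw-------+`, where the trailing `+` marks an ACL that may grant access beyond the owner; comparing `stat -c '%a' "$MINIFW_FILE"` against `600` and rejecting a `+` would be stricter on GNU systems. The enclosing `if [ -e /etc/debian_version ]` block starts outside the hunk.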
@@ -341,24 +343,17 @@ if [ -e /etc/debian_version ]; then
 # Verification de l'activation de Squid dans le cas d'un pack mail
 if [ "$IS_SQUID" = 1 ]; then
 squidconffile=/etc/squid*/squid.conf
- is_debianversion squeeze && f=/etc/firewall.rc
- is_debianversion wheezy && f=/etc/firewall.rc
- is_debianversion jessie && f=/etc/default/minifirewall
- is_debianversion stretch && f=/etc/default/minifirewall && squidconffile=/etc/squid/evolinux-custom.conf
+ is_debianversion stretch && squidconffile=/etc/squid/evolinux-custom.conf
 is_pack_web && ( is_installed squid || is_installed squid3 \
- && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $f \
- && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $f \
- && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $f \
- && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $f || echo 'IS_SQUID FAILED!' )
+ && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -m owner --uid-owner proxy -j ACCEPT" $MINIFW_FILE \
+ && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d `hostname -i` -j ACCEPT" $MINIFW_FILE \
+ && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -d 127.0.0.(1|0/8) -j ACCEPT" $MINIFW_FILE \
+ && grep -qE "^[^#]*iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port.* `grep http_port $squidconffile | cut -f 2 -d " "`" $MINIFW_FILE || echo 'IS_SQUID FAILED!' )
 fi
 
 if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then
- is_debianversion squeeze && f=/etc/firewall.rc
- is_debianversion wheezy && f=/etc/firewall.rc
- is_debianversion jessie && f=/etc/default/minifirewall
- is_debianversion stretch && f=/etc/default/minifirewall
 if [ -f "$f" ]; then
- rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$f")
+ rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE")
 if [ "$rulesNumber" -lt 4 ]; then
 echo 'IS_EVOMAINTENANCE_FW FAILED!'
 fi

From e5594f3f1b84633ef573e805d9a6564398473c65 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20S?=
Date: Thu, 15 Mar 2018 17:51:12 +0100
Subject: [PATCH 3/4] IS_EVOMAINTENANCE_FW: Fix wrong variable

---
 evocheck.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/evocheck.sh b/evocheck.sh
index 0ba252b..5480464 100755
--- a/evocheck.sh
+++ b/evocheck.sh
@@ -352,7 +352,7 @@ if [ -e /etc/debian_version ]; then
 fi
 
 if [ "$IS_EVOMAINTENANCE_FW" = 1 ]; then
- if [ -f "$f" ]; then
+ if [ -f "$MINIFW_FILE" ]; then
 rulesNumber=$(grep -c "/sbin/iptables -A INPUT -p tcp --sport 5432 --dport 1024:65535 -s .* -m state --state ESTABLISHED,RELATED -j ACCEPT" "$MINIFW_FILE")
 if [ "$rulesNumber" -lt 4 ]; then
 echo 'IS_EVOMAINTENANCE_FW FAILED!'

From 8963a85269070c64da9b6d2d2477f941aa54c64d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20S?=
Date: Thu, 15 Mar 2018 17:53:58 +0100
Subject: [PATCH 4/4] Move the detection of minifirewall config

---
 evocheck.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/evocheck.sh b/evocheck.sh
index 5480464..466ec7a 100755
--- a/evocheck.sh
+++ b/evocheck.sh
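Review bot: `$MINIFW_FILE` is unquoted in the four new `grep -qE` lines, so when it is empty the file operand disappears and `grep` reads the script's stdin instead of failing, which can make evocheck hang on a release the detection does not cover; quote it as `"$MINIFW_FILE"` and gate the chain with `is_pack_web && [ -f "$MINIFW_FILE" ] && ( is_installed squid || is_installed squid3 \` (or fail explicitly when the file is missing, whichever the other checks settle on). The enclosing `if [ -e /etc/debian_version ]` block and the IS_EVOMAINTENANCE_FW block both end outside the hunk.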
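Review bot: With `[ -f "$MINIFW_FILE" ]` now deciding the block, an empty variable or missing file skips the whole check silently, so a host where no firewall config was detected reports nothing for IS_EVOMAINTENANCE_FW instead of a failure; either add an else branch that prints `IS_EVOMAINTENANCE_FW FAILED!` like the other checks, or document the skip with `# no minifirewall config detected for this release: check skipped` above the `if`. The inner `if`/`fi` and the closing `fi` of this block are outside the hunk.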
@@ -146,15 +146,15 @@ is_debianversion(){
 [ $(lsb_release -c -s) = $1 ] && return 0
 }
 
-#-----------------------------------------------------------
-#Vérifie si c'est une debian et fait les tests appropriés.
-#-----------------------------------------------------------
-
 is_debianversion squeeze && MINIFW_FILE=/etc/firewall.rc
 is_debianversion wheezy && MINIFW_FILE=/etc/firewall.rc
 is_debianversion jessie && MINIFW_FILE=/etc/default/minifirewall
 is_debianversion stretch && MINIFW_FILE=/etc/default/minifirewall
+#-----------------------------------------------------------
+#Vérifie si c'est une debian et fait les tests appropriés.
+#-----------------------------------------------------------
+
 
 if [ -e /etc/debian_version ]; then
 
 if [ "$IS_DPKGWARNING" = 1 ]; then