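#!/bin/sh
### Network Configure. ###
#
# Provisions a Wi-Fi NAT router (yum / network-scripts / iptables.service /
# named-chroot, i.e. a CentOS 7-style system): wlan0 becomes the trusted LAN
# side, a stateful firewall with masquerading is installed, then a DHCP server,
# a caching DNS resolver, httpd with a CGI web proxy, the EPEL repository and a
# hostapd rebuilt from the EPEL source RPM.
#
# Parameters (edit before running):
# Network Address 192.168.253.
# Subnet Mask     255.255.255.0
# SSID1           RPi-SSID1
# wpa_passphrase1 YourPassPhrase1
#
# Optional environment:
#   WEB_PROXY_SHA256   expected SHA-256 of web_proxy_1_7_8.zip.  When set the
#                      download is verified; when unset only a warning is
#                      printed (the archive is fetched over plain HTTP).
#
# The script is not idempotent (it appends to config files and copies
# "*.org" backups interactively); run it once on a fresh system, as root.
###############################

if [ "$(id -u)" -ne 0 ]; then
  echo "$0: must be run as root" >&2
  exit 1
fi

## EXEC fstrim.
sync
/sbin/fstrim /
sync

## Create ifcfg-wlan0 (static LAN address, not managed by NetworkManager).
touch /etc/sysconfig/network
cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-wlan0
# wlan0
DEVICE="wlan0"
NAME="wlan0"
TYPE="Wireless"
MODE="Auto"
NM_CONTROLLED="no"
BOOTPROTO="none"
BROADCAST="192.168.253.255"
IPADDR="192.168.253.1"
NETMASK="255.255.255.0"
NETWORK="192.168.253.0"
DEFROUTE="no"
ONBOOT="yes"
#HWADDR="$(cat /sys/class/net/wlan0/address)"
UUID="$(uuidgen)"
EOF

## Restart wlan0.
ifdown wlan0
ifup wlan0

## Enable IP Forward (the firewall script below appends more keys to this file).
echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/router.conf
sysctl -p /etc/sysctl.d/router.conf

## Configure iptables.
# The firewall script is written with a quoted heredoc, so nothing inside it is
# expanded here; it is run once now and its rules are saved for iptables.service.
mkdir -p /root/sbin
cat <<'EOF' > /root/sbin/iptables.sh
#!/bin/sh
# Firewall / NAT ruleset for the Wi-Fi router.
# wlan0 is the trusted LAN (192.168.253.0/24); every other interface is
# treated as untrusted upstream.  Policies are DROP for INPUT and FORWARD,
# so every rule below is an explicit allow or an early (logged) drop.

# Stop firewall. (Rule flush)
/bin/systemctl stop iptables.service

# Configure Default Rule.
iptables -P INPUT DROP      # Drop input.
iptables -P OUTPUT ACCEPT   # Allow send.
iptables -P FORWARD DROP    # Drop forward.

# Allow localhost.
iptables -A INPUT -i lo -j ACCEPT

# Allow the LAN segment -- only when it arrives on the LAN interface.  Without
# "-i wlan0" an upstream packet that spoofs a 192.168.253.x source address
# would get blanket access to every service on the router.
iptables -A INPUT -i wlan0 -s 192.168.253.0/255.255.255.0 -j ACCEPT

# DHCP DISCOVER/REQUEST from an unconfigured client is sent from 0.0.0.0 to
# 255.255.255.255 and therefore does not match the LAN rule above.  Accept it
# explicitly instead of relying on dhcpd's packet socket seeing the frame
# before the broadcast drop further down.
iptables -A INPUT -i wlan0 -p udp --sport 68 --dport 67 -j ACCEPT

# Allow established.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Kernel hardening, persisted in the same file that holds ip_forward.
SYSCTL_CONF=/etc/sysctl.d/router.conf

# Enable SYN Cookies.  Mitigate for TCP SYN Flood attack.
sed -i '/net.ipv4.tcp_syncookies/d' "$SYSCTL_CONF"
echo "net.ipv4.tcp_syncookies = 1" >> "$SYSCTL_CONF"

# Reject echo for broadcast ping.  Mitigate for Smurf attack.
sed -i '/net.ipv4.icmp_echo_ignore_broadcasts/d' "$SYSCTL_CONF"
echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >> "$SYSCTL_CONF"

# Reverse-path filtering: discard packets whose source address would not be
# routed back out of the interface they arrived on (source-address spoofing).
sed -i '/net.ipv4.conf.*.rp_filter/d' "$SYSCTL_CONF"
echo "net.ipv4.conf.all.rp_filter=1" >> "$SYSCTL_CONF"
echo "net.ipv4.conf.default.rp_filter=1" >> "$SYSCTL_CONF"

# Drop ICMP Redirect and Source Routed packets on every interface present now.
sed -i '/net.ipv4.conf.*.accept_redirects/d' "$SYSCTL_CONF"
sed -i '/net.ipv4.conf.*.accept_source_route/d' "$SYSCTL_CONF"
for path in /proc/sys/net/ipv4/conf/*; do
  dev=${path##*/}
  for key in accept_redirects accept_source_route; do
    sysctl -w "net.ipv4.conf.$dev.$key=0" > /dev/null
    echo "net.ipv4.conf.$dev.$key=0" >> "$SYSCTL_CONF"
  done
done
sysctl -p "$SYSCTL_CONF"

# Drop fragmented packet.
#iptables -A INPUT -f -j LOG --log-level debug --log-prefix '[IPTABLES FRAGMENT] : '
#iptables -A INPUT -f -j DROP

# Drop NetBIOS/SMB packets crossing the LAN boundary in either direction.
for proto in tcp udp; do
  iptables -A INPUT  ! -s 192.168.253.0/255.255.255.0 -p "$proto" -m multiport --dports 135,137,138,139,445 -j DROP
  iptables -A OUTPUT ! -d 192.168.253.0/255.255.255.0 -p "$proto" -m multiport --sports 135,137,138,139,445 -j DROP
done

# Drop broadcast packets.
iptables -A INPUT -d 255.255.255.255 -j DROP
iptables -A INPUT -d 224.0.0.1 -j DROP

# Configure for Router mode: masquerade LAN traffic leaving for any other
# network, allow LAN-originated forwarding (including wlan0 -> wlan0) and the
# replies to it.
# NOTE(review): the MASQUERADE rule is not pinned to the upstream interface
# because its name is not known here; add "-o <upstream>" once it is.
iptables -t nat -A POSTROUTING -s 192.168.253.0/255.255.255.0 ! -d 192.168.253.0/255.255.255.0 -j MASQUERADE
iptables -A FORWARD -d 192.168.253.0/255.255.255.0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 192.168.253.0/255.255.255.0 -i wlan0 -j ACCEPT
iptables -A FORWARD -i wlan0 -o wlan0 -j ACCEPT

# Log (rate limited) and drop everything else.  These must stay last and must
# not be preceded by an unconditional REJECT, or they are never reached.
iptables -A INPUT -m limit --limit 1/s -j LOG --log-level debug --log-prefix '[IPTABLES INPUT] : '
iptables -A INPUT -j DROP
iptables -A FORWARD -m limit --limit 1/s -j LOG --log-level debug --log-prefix '[IPTABLES FORWARD] : '
iptables -A FORWARD -j DROP

# Save rules.
/usr/libexec/iptables/iptables.init save

# Boot firewall.
/bin/systemctl start iptables.service
EOF
chmod 700 /root/sbin/iptables.sh
/root/sbin/iptables.sh
systemctl enable iptables.service
systemctl start iptables.service

## Install DHCP Server.
yum -y install dhcp
cp -piav /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.org
# Append the LAN subnet definition to the packaged dhcpd.conf.
cat <<EOF >> /etc/dhcp/dhcpd.conf
option domain-name "$(hostname -s).private";
option domain-name-servers 192.168.253.1;
default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet 192.168.253.0 netmask 255.255.255.0 {
  range dynamic-bootp 192.168.253.50 192.168.253.99;
  option broadcast-address 192.168.253.255;
  option routers 192.168.253.1;
}
EOF
systemctl enable dhcpd.service
systemctl start dhcpd.service

## Install DNS Server (recursive resolver for the LAN, slaving the root zone).
yum -y install bind-chroot
cp -piav /etc/named.conf /etc/named.conf.org
cat <<'EOF' > /etc/named.conf
//
// named.conf -- recursive (caching) resolver for the LAN.
//
// See /usr/share/doc/bind*/sample/ for example named configuration files and
// /usr/share/doc/bind-{version}/Bv9ARM.html for the Administrator's Reference.
//

// Clients allowed to use this resolver.  Recursion, cache access and queries
// are limited to them so the server cannot be turned into a DNS amplification
// reflector even if the packet filter is later loosened.
acl "lan" {
	127.0.0.1;
	192.168.253.0/24;
};

options {
	version "unknown";
	// Bound to all addresses so named does not depend on wlan0 being up at
	// start; the ACLs above and the firewall do the access control.
	listen-on port 53 { any; };
	listen-on-v6 port 53 { none; };
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";

	// Those options should be used carefully because they disable port
	// randomization
	// query-source port 53;
	// query-source-v6 port 53;

	allow-query { lan; };
	allow-query-cache { lan; };
	allow-recursion { lan; };
	allow-transfer { none; };
	max-cache-size 128M;
	max-ncache-ttl 300;
	// max-cache-ttl 3600;
	lame-ttl 600;
	notify no;

	// This is a RECURSIVE server for the LAN only.  If it is ever given a
	// public address, the "lan" ACL above is what keeps it from becoming an
	// open resolver; implementing BCP38 in the network reduces the surface
	// further.
	recursion yes;
	recursive-clients 10240;
	clients-per-query 5120;
	max-clients-per-query 10240;
	empty-zones-enable yes;
	masterfile-format text;

	// forward only;
	// forwarders{
	//	XXX.XXX.XXX.XXX;
	// };
	// filter-aaaa-on-v4 no;

	dnssec-enable yes;
	dnssec-validation yes;
	dnssec-lookaside no;

	// /* Path to ISC DLV key */
	// bindkeys-file "/etc/named.iscdlv.key";
	managed-keys-directory "/var/named/dynamic";
};

//////////////
// rndc key //
//////////////
include "/etc/rndc.key";
controls {
	inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
	// inet ::1 port 953 allow { ::1; } keys { "rndc-key"; };
};

/////////
// log //
/////////
logging {
	channel default_syslog {
		syslog daemon;
		severity info;
	};
	channel default_logfile {
		file "/var/log/bind/bind.log" versions 10;
		severity dynamic;
		print-category yes;
		print-severity yes;
		print-time yes;
	};
	channel query_logfile {
		file "/var/log/bind/query.log" versions 10 size 10m;
		severity info;
		print-severity yes;
		print-time yes;
	};
	channel notify_logfile {
		file "/var/log/bind/notify.log" versions 10 size 5m;
		severity dynamic;
		print-severity yes;
		print-time yes;
	};
	channel xfer-in_logfile {
		file "/var/log/bind/xfer-in.log" versions 10 size 5m;
		severity dynamic;
		print-severity yes;
		print-time yes;
	};
	channel xfer-out_logfile {
		file "/var/log/bind/xfer-out.log" versions 10 size 5m;
		severity dynamic;
		print-severity yes;
		print-time yes;
	};
	channel security_logfile {
		file "/var/log/bind/security.log" versions 10 size 10m;
		severity dynamic;
		print-severity yes;
		print-time yes;
	};
	channel update_logfile {
		file "/var/log/bind/update.log" versions 10 size 10m;
		severity dynamic;
		print-severity yes;
		print-time yes;
	};
	channel update-security_logfile {
		file "/var/log/bind/update-security.log" versions 10 size 10m;
		severity dynamic;
		print-severity yes;
		print-time yes;
	};
	channel lame-servers_logfile {
		file "/var/log/bind/lame-servers.log" versions 10 size 10m;
		severity dynamic;
		print-severity yes;
		print-time yes;
	};
	channel dnssec_logfile {
		file "/var/log/bind/dnssec.log" versions 10 size 10m;
		severity dynamic;
		print-severity yes;
		print-time yes;
	};
	channel edns-disabled_logfile {
		file "/var/log/bind/edns-disabled.log" versions 10 size 10m;
		severity dynamic;
		print-severity yes;
		print-time yes;
	};
	channel null {
		null;
	};

	category default { default_logfile; };
	category general { default_logfile; };
	category config { default_logfile; };
	category queries { query_logfile; };
	category notify { notify_logfile; };
	category xfer-in { xfer-in_logfile; };
	category xfer-out { xfer-out_logfile; };
	category security { security_logfile; };
	category update { update_logfile; };
	category update-security { update-security_logfile; };
	category lame-servers { lame-servers_logfile; };
	category dnssec { dnssec_logfile; };
	category edns-disabled { edns-disabled_logfile; };
	category resolver { null; };
};

///////////////
// View List //
///////////////
// The root hints zone is replaced by the slaved copy in icann.zones.
//zone "." IN {
//	type hint;
//	file "named.ca";
//};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named/icann.zones";
EOF

# Root, arpa and related zones slaved from ICANN's public AXFR service.
# NOTE(review): these are plain, unauthenticated AXFR transfers from fixed
# addresses, and data in a zone named is authoritative for is served as-is;
# weigh that against simply using the packaged root hints.
cat <<'EOF' > /etc/named/icann.zones
masters "icann-xfr" {
	192.0.32.132;	// lax.xfr.dns.icann.org.
	192.0.47.132;	// iad.xfr.dns.icann.org.
};

zone "." IN {
	type slave;
	file "/var/named/slaves/root.zone";
	masters { "icann-xfr"; };
};

zone "in-addr.arpa" IN {
	type slave;
	file "/var/named/slaves/in-addr.arpa";
	masters { "icann-xfr"; };
};

zone "arpa" IN {
	type slave;
	file "/var/named/slaves/arpa.zone";
	masters { "icann-xfr"; };
};

zone "root-servers.net" IN {
	type slave;
	file "/var/named/slaves/root-servers.net.zone";
	masters { "icann-xfr"; };
};

zone "ip6.arpa" IN {
	type slave;
	file "/var/named/slaves/ip6.arpa.zone";
	masters { "icann-xfr"; };
};

zone "ip6-servers.arpa" IN {
	type slave;
	file "/var/named/slaves/ip6-servers.arpa.zone";
	masters { "icann-xfr"; };
};

zone "mcast.net" IN {
	type slave;
	file "/var/named/slaves/mcast.net.zone";
	masters { "icann-xfr"; };
};
EOF

# Log directory lives inside the chroot; expose it at the usual path.
mkdir -p /var/named/chroot/var/log/bind
chown named: /var/named/chroot/var/log/bind
ln -s /var/named/chroot/var/log/bind /var/log/bind
cp -piav /etc/sysconfig/named /etc/sysconfig/named.org
# IPv4 only (no v6 listener above) and a larger socket limit to match
# recursive-clients.
echo 'OPTIONS="-4 -S 10240"' >> /etc/sysconfig/named
systemctl enable named-chroot
systemctl start named-chroot

## Install Web Server (serves the CGI web proxy below).
yum -y install httpd perl-Net-SSLeay
cp -piav /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.org
# Enable the .cgi handler (the packaged, commented line is kept above the new
# one) and stop forcing UTF-8 on responses -- presumably so proxied pages keep
# their own charset; not confirmed here.
sed -i -e 's/#AddHandler cgi-script .cgi/#AddHandler cgi-script .cgi\n    AddHandler cgi-script .cgi/g' /etc/httpd/conf/httpd.conf
sed -i -e 's/^AddDefaultCharset UTF-8/#AddDefaultCharset UTF-8/g' /etc/httpd/conf/httpd.conf
systemctl enable httpd.service
systemctl start httpd.service

## Set index.html.
# NOTE(review): the page's original markup was lost when this script was
# captured; only the text survived.  Restore the link to the proxy CGI.
cat <<'EOF' > /var/www/html/index.html
Web Proxy
EOF

## Set Web Proxy.
# NOTE(review): the proxy is third-party code fetched over plain HTTP; pin it
# with WEB_PROXY_SHA256.  Also confirm it refuses targets in 127.0.0.0/8 and
# the LAN, otherwise any Wi-Fi client can use it to reach services that are
# meant to be reachable only locally (e.g. webmin on port 10000).
mkdir -p /var/www/cgi-bin/web_proxy
cd /var/www/cgi-bin/web_proxy/ || exit 1
wget -N http://ftp.vector.co.jp/36/14/1344/web_proxy_1_7_8.zip
if [ -n "${WEB_PROXY_SHA256:-}" ]; then
  echo "${WEB_PROXY_SHA256}  web_proxy_1_7_8.zip" | sha256sum -c - || exit 1
else
  echo "WARNING: web_proxy_1_7_8.zip was not verified (WEB_PROXY_SHA256 unset)" >&2
fi
unzip web_proxy_1_7_8.zip
chmod 755 ./web_proxy.cgi
# The CGI runs as the httpd user; give that user -- and nobody else -- write
# access to its state directories instead of making them world-writable.
# NOTE(review): with SELinux enforcing these also need a writable httpd
# context (httpd_sys_rw_content_t); not handled here.
chown -R apache: ./sysdata
chmod 700 ./sysdata ./sysdata/logs ./sysdata/session

## Setup EPEL Repository (disabled by default; enabled per command below).
cat <<'EOF' > /etc/yum.repos.d/epel.repo
[epel]
name=Extra Packages for Enterprise Linux 7 - x86_64
#baseurl=http://download.fedoraproject.org/pub/epel/7/x86_64
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=x86_64
failovermethod=priority
enabled=0
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - x86_64 - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/7/x86_64/debug
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-7&arch=x86_64
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux 7 - x86_64 - Source
#baseurl=http://download.fedoraproject.org/pub/epel/7/SRPMS
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=epel-source-7&arch=x86_64
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1
EOF
# Fetch the signing key over HTTPS so gpgcheck=1 above can be honoured.
cd /etc/pki/rpm-gpg/ || exit 1
wget -N https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-7
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

## Install Wi-Fi Access Point Server (hostapd).
# Rebuilt from the EPEL source RPM as the unprivileged "admin" user (the
# rpmbuild tree under /home/admin is assumed to exist); the resulting SRPMS and
# RPMS directories are turned into local yum repositories.
su - admin -c "cd /home/admin/rpmbuild/SRPMS/ ; yumdownloader --disablerepo=\* --enablerepo=epel-source --source hostapd"
su - admin -c "rpm -ivh /home/admin/rpmbuild/SRPMS/hostapd*.src.rpm"
yum-builddep -y /home/admin/rpmbuild/SPECS/hostapd.spec
su - admin -c "rpmbuild --rebuild /home/admin/rpmbuild/SRPMS/hostapd*.src.rpm"
su - admin -c "cd /home/admin/rpmbuild/SRPMS/ ; createrepo ."
su - admin -c "cd /home/admin/rpmbuild/RPMS/ ; createrepo ."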
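# Install the rebuilt hostapd from the local repositories.
# NOTE(review): "tsc" / "tsc-source" are presumably the repos created by the
# createrepo steps above; their .repo file is not written by this script.
yum --disablerepo=\* --enablerepo=tsc,tsc-source clean all
yum -y install hostapd

# The WPA2 pre-shared key.  Override with WPA_PASSPHRASE=... in the environment;
# the default is the placeholder from the file header.  hostapd only accepts
# 8..63 characters, so fail early instead of bringing up a broken AP.
WPA_PASSPHRASE=${WPA_PASSPHRASE:-YourPassPhrase1}
if [ "${#WPA_PASSPHRASE}" -lt 8 ] || [ "${#WPA_PASSPHRASE}" -gt 63 ]; then
  echo "$0: WPA passphrase must be 8..63 characters" >&2
  exit 1
fi
case $WPA_PASSPHRASE in
  YourPassPhrase*)
    echo "WARNING: hostapd is using the placeholder passphrase; the firewall trusts every Wi-Fi client, so change it before use" >&2
    ;;
esac

cp -piav /etc/hostapd/hostapd.conf /etc/hostapd/hostapd.conf.org
# Unquoted heredoc: only ${WPA_PASSPHRASE} is expanded (nothing else below
# contains $ or backticks).  hostapd does not support trailing comments, so
# every comment is on its own line.
cat <<EOF > /etc/hostapd/hostapd.conf
# hostapd.conf -- WPA2-PSK (CCMP only) access point on wlan0, 2.4 GHz,
# Japanese regulatory domain.
#
# A complete, well commented example configuration file is available at
# /usr/share/doc/hostapd/hostapd.conf; see also
# http://wireless.kernel.org/en/users/Documentation/hostapd

ctrl_interface=/var/run/hostapd
# Members of wheel may drive hostapd through hostapd_cli.
ctrl_interface_group=wheel

# No MAC allow-list (0 = accept unless in a deny list); WPA2 is the access control.
macaddr_acl=0
# Open-system authentication only (no WEP shared-key auth).
auth_algs=1
ignore_broadcast_ssid=0

# WPA2/RSN only with CCMP; WPA1 and TKIP are deliberately not offered.
#wpa=3
#wpa_key_mgmt=WPA-PSK
#wpa_pairwise=TKIP
#rsn_pairwise=CCMP
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=${WPA_PASSPHRASE}

# Most modern wireless drivers in the kernel need driver=nl80211
driver=nl80211

# Customize these for your local configuration...
interface=wlan0
hw_mode=g
channel=13
#hw_mode=a
#channel=36
ssid=RPi-SSID1
country_code=JP
ieee80211d=1
ieee80211n=1
wmm_enabled=1
ht_capab=[SHORT-GI-20][DSSS_CCK-40]

logger_syslog=-1
logger_syslog_level=3
EOF
# The file holds the PSK in clear; keep it readable by root only.
chmod 600 /etc/hostapd/hostapd.conf
systemctl enable hostapd.service
systemctl start hostapd.service

## Install Package iftop (same rebuild-from-EPEL-source flow as hostapd).
su - admin -c "cd /home/admin/rpmbuild/SRPMS/ ; yumdownloader --disablerepo=\* --enablerepo=epel-source --source iftop"
su - admin -c "rpm -ivh /home/admin/rpmbuild/SRPMS/iftop*.src.rpm"
yum-builddep -y /home/admin/rpmbuild/SPECS/iftop.spec
su - admin -c "rpmbuild --rebuild /home/admin/rpmbuild/SRPMS/iftop*.src.rpm"
su - admin -c "cd /home/admin/rpmbuild/SRPMS/ ; createrepo ."
su - admin -c "cd /home/admin/rpmbuild/RPMS/ ; createrepo ."
yum --disablerepo=\* --enablerepo=tsc,tsc-source clean all
yum -y install iftop

## Install Package webmin.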
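# Webmin runs as root and is reachable from every Wi-Fi client, so its
# packages must be signature-checked and fetched over HTTPS rather than
# installed unverified from a plain-HTTP mirror.
cd /etc/pki/rpm-gpg/ || exit 1
wget -N https://download.webmin.com/jcameron-key.asc
rpm --import /etc/pki/rpm-gpg/jcameron-key.asc
cat <<'EOF' > /etc/yum.repos.d/webmin.repo
[webmin]
name=Webmin Packages
baseurl=https://download.webmin.com/download/yum/
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/jcameron-key.asc
EOF
yum -y install webmin
chkconfig webmin on
cp -piav /etc/webmin/miniserv.conf /etc/webmin/miniserv.conf.org
# Leave TLS enabled (ssl=1 as shipped): the login is the root password and
# the LAN is a shared Wi-Fi segment.  Restrict clients to loopback and the
# LAN as a second layer behind the packet filter, and expire idle sessions.
echo "logouttime=60" >> /etc/webmin/miniserv.conf
echo "allow=127.0.0.1 192.168.253.0/255.255.255.0" >> /etc/webmin/miniserv.conf
# miniserv reads its config at start; restart so the settings above apply now.
systemctl restart webmin

## Enable tsc-kernel repository and update (this pulls the kernel from it).
# NOTE(review): tsc-kernel is not defined in this script; check where it
# comes from and that it is signed -- a kernel repo is the highest-value
# supply-chain target on this box.
yum-config-manager --enable tsc-kernel
yum -y update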