Subversion Repositories ALCASAR

#!/bin/bash

#  $Id: alcasar.sh 1358 2014-05-23 12:26:25Z richard $ 

# alcasar.sh

# ALCASAR Install script -  CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...] 

# Ce programme est un logiciel libre ; This software is free and open source

# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence. 

# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ; 

# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE. 

# Voir la Licence Publique Générale GNU pour plus de détails. 

#  team@alcasar.net

# by Franck BOUIJOUX, Pascal LEVANT and Richard REY

# This script is distributed under the Gnu General Public License (GPL)

# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)

# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :

# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)

# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :

#

# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav, Ulog, fail2ban, NFsen and NFdump

# Options :

#       -i or --install

#       -u or --uninstall

# Functions :

#	testing			: connectivity tests and downloading before intall

#	init			: Installation of RPM and scripts

#	network			: Network parameters

#	ACC			: ALCASAR Control Center installation

#	CA			: Certification Authority initialization

#	init_db			: Initilization of radius database managed with MariaDB

#	param_radius		: FreeRadius initialisation

#	param_web_radius	: copy ans modifiy original "freeradius web" in ACC

#	param_chilli		: coovachilli initialisation (+authentication page)

#	param_dansguardian	: DansGuardian filtering HTTP proxy configuration

#	antivirus		: HAVP + libclamav configuration

#	param_nfsen		: Configuration du grapheur nfsen pour apache 

#	dnsmasq			: Name server configuration

#	BL			: BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)

#	cron			: Logs export + watchdog + connexion statistics

#	fail2ban		: Fail2ban installation and configuration

#	post_install		: Security, log rotation, etc.

#	gammu_smsd			: Autoregister addon (gammu-smsd)

DATE=`date '+%d %B %Y - %Hh%M'`

DATE_SHORT=`date '+%d/%m/%Y'`

Lang=`echo $LANG|cut -c 1-2`

# ******* Files parameters - paramètres fichiers *********

DIR_INSTALL=`pwd`				# current directory 

DIR_CONF="$DIR_INSTALL/conf"			# install directory (with conf files)

DIR_SCRIPTS="$DIR_INSTALL/scripts"		# install directory (with script files)

DIR_SAVE="/var/Save"				# backup directory (system_backup, user_db_backup, logs)

DIR_WEB="/var/www/html"				# directory of APACHE

DIR_DG="/etc/dansguardian"			# directory of DansGuardian

DIR_ACC="$DIR_WEB/acc"				# directory of the 'ALCASAR Control Center'

DIR_DEST_BIN="/usr/local/bin"			# directory of ALCASAR scripts

DIR_DEST_SBIN="/usr/local/sbin"			# directory of ALCASAR admin scripts

DIR_DEST_ETC="/usr/local/etc"			# directory of ALCASAR conf files

DIR_DEST_SHARE="/usr/local/share"		# directory of share files used by ALCASAR (dnsmasq for instance)

CONF_FILE="$DIR_DEST_ETC/alcasar.conf"		# central ALCASAR conf file

PASSWD_FILE="/root/ALCASAR-passwords.txt"	# text file with the passwords and shared secrets

# ******* DBMS parameters - paramètres SGBD ********

DB_RADIUS="radius"				# database name used by FreeRadius server

DB_USER="radius"				# user name allows to request the users database

DB_GAMMU="gammu"				# database name used by Gammu-smsd

# ******* Network parameters - paramètres réseau *******

HOSTNAME="alcasar"				# 

DOMAIN="localdomain"				# default local domain

EXTIF=`/sbin/ip route|grep default|cut -d" " -f5`	# EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)

INTIF=`/sbin/ip	link|grep '^[[:digit:]]:'|grep -v "lo\|$EXTIF"|cut -d" " -f2|tr -d ":"`		# INTIF is connected to the consultation network

MTU="1500"

ETHTOOL_OPTS='"autoneg off speed 100 duplex full"'

DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24"	# Default ALCASAR IP address

# ****** Paths - chemin des commandes *******

SED="/bin/sed -i"

# ****************** End of global parameters *********************

license ()

{

	if [ $Lang == "fr" ]

	then cat $DIR_INSTALL/gpl-3.0.fr.txt | more

	else cat $DIR_INSTALL/gpl-3.0.txt | more

	fi

	echo "Taper sur Entrée pour continuer !"

	echo "Enter to continue."

	read a

}

header_install ()

{

	clear

	echo "-----------------------------------------------------------------------------"

	echo "                     ALCASAR V$VERSION Installation"

	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"

	echo "-----------------------------------------------------------------------------"

} # End of header_install ()

##################################################################

##			Function "testing"			##

## - Test of free space on /var  (>10G)				##

## - Test of Internet access					##

##################################################################

testing ()

{

	free_space=`df -BG --output=avail /var|tail -1|tr -d [:space:]G`

	if [ $free_space -lt 10 ]

		then

		if [ $Lang == "fr" ]

			then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"

			else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"

		fi

		exit 0

	fi

if [ $Lang == "fr" ]

		then echo -n "Tests des paramètres réseau : "

		else echo -n "Network parameters tests : "

	fi

# We test EXTIF config files

	PUBLIC_IP=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`

	PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/ifcfg-$EXTIF|cut -d"=" -f2`

	if [ `echo $PUBLIC_IP|wc -c` -lt 7 ] || [ `echo $PUBLIC_GATEWAY|wc -c` -lt 7 ]

		then

		if [ $Lang == "fr" ]

		then 

			echo "Échec"

			echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."

			echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"

			echo "Appliquez les changements : 'service network restart'"

		else

			echo "Failed"

			echo "The Internet connected network card ($EXTIF) isn't well configured."

			echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"

			echo "Apply the new configuration 'service network restart'"

		fi

		echo "DEVICE=$EXTIF"

		echo "IPADDR="

		echo "NETMASK="

		echo "GATEWAY="

		echo "DNS1="

		echo "DNS2="

		echo "ONBOOT=yes"

		exit 0

	fi

	echo -n "."

# We test the Ethernet links state

	for i in $EXTIF $INTIF

	do

		/sbin/ip link set $i up

		sleep 3

		CMD=`/usr/sbin/ethtool $i |egrep 'Link detected'| awk '{print $NF}'`

		CMD2=`/sbin/mii-tool $i | grep link | awk '{print $NF}'`

		if [ $CMD != "yes" ] && [ $CMD2 != "ok" ]

			then

			if [ $Lang == "fr" ]

			then 

				echo "Échec"

				echo "Le lien réseau de la carte $i n'est pas actif."

				echo "Réglez ce problème puis relancez ce script."

			else

				echo "Failed"

				echo "The link state of $i interface id down."

				echo "Resolv this problem, then restart this script."

			fi

			exit 0

		fi

	echo -n "."

	done

# On teste la présence d'un routeur par défaut (Box FAI)

	if [ `ip route list|grep -c ^default` -ne "1" ] ; then

		if [ $Lang == "fr" ]

		then 

			echo "Échec"

			echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."

			echo "Réglez ce problème puis relancez ce script."

		else

			echo "Failed"

			echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"

			echo "Resolv this problem, then restart this script."

		fi

		exit 0

	fi

	echo -n "."

# On teste le lien vers le routeur par defaut

	IP_GW=`ip route list|grep ^default|cut -d" " -f3`

	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $IP_GW|grep response|cut -d" " -f2`

	if [ $(expr $arp_reply) -eq 0 ]

	       	then

		if [ $Lang == "fr" ]

		then 

			echo "Échec"

			echo "Le routeur de site ou la Box Internet ($IP_GW) ne répond pas."

			echo "Réglez ce problème puis relancez ce script."

		else

			echo "Failed"

			echo "The Internet gateway doesn't answered"

			echo "Resolv this problem, then restart this script."

		fi

		exit 0

	fi

	echo -n "."

# On teste la connectivité Internet

	rm -rf /tmp/con_ok.html

	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html

	if [ ! -e /tmp/con_ok.html ]

	then

		if [ $Lang == "fr" ]

		then 

			echo "La tentative de connexion vers Internet a échoué (google.fr)."

			echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."

			echo "Vérifiez la validité des adresses IP des DNS."

		else

			echo "The Internet connection try failed (google.fr)."

			echo "Please, verify that the $EXTIF card is connected with the Internet gateway."

			echo "Verify the DNS IP addresses"

		fi

		exit 0

	fi

	rm -rf /tmp/con_ok.html

	echo ". : ok"

} # end of testing

##################################################################

##			Function "init"				##

## - Création du fichier "/root/ALCASAR_parametres.txt"		##

## - Installation et modification des scripts du portail	##

##################################################################

init ()

{

	if [ "$mode" != "update" ]

	then

# On affecte le nom d'organisme

		header_install

		ORGANISME=!

		PTN='^[a-zA-Z0-9-]*$'

		until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]

                do

			if [ $Lang == "fr" ]

			       	then echo -n "Entrez le nom de votre organisme : "

				else echo -n "Enter the name of your organism : "

			fi

			read ORGANISME

			if [ "$ORGANISME" == "" ]

				then

				ORGANISME=!

			fi

		done

	fi

# On crée aléatoirement les mots de passe et les secrets partagés

	rm -f $PASSWD_FILE

	grubpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`

	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE

	echo "$grubpwd" >> $PASSWD_FILE

	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`

	$SED "/^password.*/d" /boot/grub/menu.lst

	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst

	mysqlpwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`

	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE

	echo "root / $mysqlpwd" >> $PASSWD_FILE

	radiuspwd=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`

	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE

	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE

	secretuam=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`

	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE

	echo "$secretuam" >> $PASSWD_FILE

	secretradius=`cat /dev/urandom | tr -dc [:alnum:] | head -c8`

	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE

	echo "$secretradius" >> $PASSWD_FILE

	chmod 640 $PASSWD_FILE

# Scripts and conf files copy 

#  - in /usr/local/bin :  alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}

	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*

#  - in /usr/local/sbin :  alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}

	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*

#  - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}

	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*

	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh

	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh

	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh

	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh

# generate central conf file

	cat <<EOF > $CONF_FILE

##########################################

##                                      ##

##          ALCASAR Parameters          ##

##                                      ##

##########################################

INSTALL_DATE=$DATE

VERSION=$VERSION

ORGANISM=$ORGANISME

DOMAIN=$DOMAIN

EOF

	chmod o-rwx $CONF_FILE

} # End of init ()

##################################################################

##			Function "network"			##

## - Définition du plan d'adressage du réseau de consultation	##

## - Nommage DNS du système 					##

## - Configuration de l'interface INTIF (réseau de consultation)##

## - Modification du fichier /etc/hosts				##

## - Configuration du serveur de temps (NTP)			##

## - Renseignement des fichiers hosts.allow et hosts.deny	##

##################################################################

network ()

{

	header_install

	if [ "$mode" != "update" ]

		then

		if [ $Lang == "fr" ]

			then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"

			else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"

		fi

		response=0

		PTN='^[oOyYnN]$'

		until [[ $(expr $response : $PTN) -gt 0 ]]

		do

			if [ $Lang == "fr" ]

				then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "

				else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "

			fi

			read response

		done

		if [ "$response" = "n" ] || [ "$response" = "N" ]

		then

			PRIVATE_IP_MASK="0"

			PTN='^\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\).\([01]\?[[:digit:]][[:digit:]]\?\|2[0-4][[:digit:]]\|25[0-5]\)/[012]\?[[:digit:]]$'

			until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]

			do

				if [ $Lang == "fr" ]

					then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "

					else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "

				fi

				read PRIVATE_IP_MASK

			done

		else

       			PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK

		fi

	else

		PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf|cut -d"=" -f2` 

		rm -rf conf/etc/alcasar.conf

	fi

# Define LAN side global parameters

	hostname $HOSTNAME.$DOMAIN

	echo $HOSTNAME.$DOMAIN > /etc/hostname

	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network address (ie.: 192.168.182.0)

	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK | cut -d"=" -f2`				# private network mask (ie.: 255.255.255.0)

	PRIVATE_IP=`echo $PRIVATE_IP_MASK | cut -d"/" -f1`						# ALCASAR private ip address (consultation LAN side)

	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK |cut -d"=" -f2`					# network prefix (ie. 24)

	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX						# ie.: 192.168.182.0/24

	classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; classe_sup_sup=`expr $classe + 2`	# ie.: 2=classe B, 3=classe C

	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK | cut -d"." -f1-$classe`.				# compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)

	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK | cut -d"=" -f2`			# private network broadcast (ie.: 192.168.182.255)

	private_network_ending=`echo $PRIVATE_NETWORK | cut -d"." -f$classe_sup`			# last octet of LAN address

	private_broadcast_ending=`echo $PRIVATE_BROADCAST | cut -d"." -f$classe_sup`			# last octet of LAN broadcast

	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 1`		# First network address (ex.: 192.168.182.1)

	PRIVATE_SECOND_IP=`echo $PRIVATE_NETWORK | cut -d"." -f1-3`"."`expr $private_network_ending + 2`	# second network address (ex.: 192.168.182.2)

	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST | cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1`	# last network address (ex.: 192.168.182.254)

	PRIVATE_MAC=`/sbin/ip link show $INTIF | grep ether | cut -d" " -f6`				# MAC address of INTIF

# Define Internet parameters

	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] || cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF

	DNS1=`grep DNS1 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF|cut -d"=" -f2` 	# @ip 1er DNS

	DNS2=`grep DNS2 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF|cut -d"=" -f2` 	# @ip 2ème DNS

	DNS1=${DNS1:=208.67.220.220}

	DNS2=${DNS2:=208.67.222.222}

	PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF|cut -d"=" -f2`

	DEFAULT_PUBLIC_NETMASK=`ipcalc -m $PUBLIC_IP | cut -d"=" -f2`

	PUBLIC_NETMASK=${PUBLIC_NETMASK:=$DEFAULT_PUBLIC_NETMASK}

	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK|cut -d"=" -f2`

	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX|cut -d"=" -f2`

	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE

	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE

	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE 

	echo "DNS1=$DNS1" >> $CONF_FILE

	echo "DNS2=$DNS2" >> $CONF_FILE

	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE

	echo "DHCP=full" >> $CONF_FILE

	echo "EXT_DHCP_IP=none" >> $CONF_FILE

	echo "RELAY_DHCP_IP=none" >> $CONF_FILE

	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE

	[ -e /etc/sysconfig/network.default ] || cp /etc/sysconfig/network /etc/sysconfig/network.default

# config network

	cat <<EOF > /etc/sysconfig/network

NETWORKING=yes

HOSTNAME="$HOSTNAME.$DOMAIN"

FORWARD_IPV4=true

EOF

# config /etc/hosts

	[ -e /etc/hosts.default ] || cp /etc/hosts /etc/hosts.default

	cat <<EOF > /etc/hosts

127.0.0.1	localhost

$PRIVATE_IP	$HOSTNAME.$DOMAIN $HOSTNAME $ORGANISME.$DOMAIN $ORGANISME

EOF

# Config EXTIF (Internet)

	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF

DEVICE=$EXTIF

BOOTPROTO=static

IPADDR=$PUBLIC_IP

NETMASK=$PUBLIC_NETMASK

GATEWAY=$PUBLIC_GATEWAY

DNS1=127.0.0.1

ONBOOT=yes

METRIC=10

NOZEROCONF=yes

MII_NOT_SUPPORTED=yes

IPV6INIT=no

IPV6TO4INIT=no

ACCOUNTING=no

USERCTL=no

MTU=$MTU

EOF

# Config INTIF (consultation LAN) in normal mode

	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF

DEVICE=$INTIF

BOOTPROTO=static

ONBOOT=yes

NOZEROCONF=yes

MII_NOT_SUPPORTED=yes

IPV6INIT=no

IPV6TO4INIT=no

ACCOUNTING=no

USERCTL=no

ETHTOOL_OPTS=$ETHTOOL_OPTS

EOF

# Config of INTIF in bypass mode (see "alcasar-bypass.sh")

	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF

DEVICE=$INTIF

BOOTPROTO=static

IPADDR=$PRIVATE_IP

NETMASK=$PRIVATE_NETMASK

ONBOOT=yes

METRIC=10

NOZEROCONF=yes

MII_NOT_SUPPORTED=yes

IPV6INIT=no

IPV6TO4INIT=no

ACCOUNTING=no

USERCTL=no

EOF

# Mise à l'heure du serveur

	[ -e /etc/ntp/step-tickers.default ] || cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default

	cat <<EOF > /etc/ntp/step-tickers

0.fr.pool.ntp.org	# adapt to your country

1.fr.pool.ntp.org

2.fr.pool.ntp.org

EOF

# Configuration du serveur de temps (sur lui même)

	[ -e /etc/ntp.conf.default ] || cp /etc/ntp.conf /etc/ntp.conf.default

	cat <<EOF > /etc/ntp.conf

server 0.fr.pool.ntp.org	# adapt to your country

server 1.fr.pool.ntp.org

server 2.fr.pool.ntp.org

server 127.127.1.0   		# local clock si NTP internet indisponible ...

fudge 127.127.1.0 stratum 10

restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap

restrict 127.0.0.1

driftfile /var/lib/ntp/drift

logfile /var/log/ntp.log

EOF

	chown -R ntp:ntp /var/lib/ntp

# Renseignement des fichiers hosts.allow et hosts.deny

	[ -e /etc/hosts.allow.default ]  || cp /etc/hosts.allow /etc/hosts.allow.default

	cat <<EOF > /etc/hosts.allow

ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP

sshd: ALL

ntpd: $PRIVATE_NETWORK_SHORT

EOF

	[ -e /etc/host.deny.default ]  || cp /etc/hosts.deny /etc/hosts.deny.default

	cat <<EOF > /etc/hosts.deny

ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" | /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &

EOF

# Firewall config

	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh  $DIR_DEST_BIN/alcasar-iptables-bypass.sh

	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh  $DIR_DEST_BIN/alcasar-iptables-bypass.sh

	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)

# create the filter exception file and ip_bloqued file

	touch $DIR_DEST_ETC/alcasar-filter-exceptions

# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)

	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked

# load conntrack ftp module

	[ -e /etc/modprobe.preload.default ] || cp /etc/modprobe.preload /etc/modprobe.preload.default

	echo "ip_conntrack_ftp" >>  /etc/modprobe.preload

# load ipt_NETFLOW module

	echo "ipt_NETFLOW" >>  /etc/modprobe.preload

# 

# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh

} # End of network ()

##################################################################

##			Function "ACC"				##

## - installation du centre de gestion (ALCASAR Control Center)	##

## - configuration du serveur web (Apache)			##

## - définition du 1er comptes de gestion 			##

## - sécurisation des accès					##

##################################################################

ACC ()

{

	[ -d $DIR_WEB ] && rm -rf $DIR_WEB

	mkdir $DIR_WEB

# Copie et configuration des fichiers du centre de gestion

	cp -rf $DIR_INSTALL/web/* $DIR_WEB/

	echo "$VERSION" > $DIR_WEB/VERSION

	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php

	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php

	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php

	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php

	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php

	chown -R apache:apache $DIR_WEB/*

	for i in system_backup base logs/firewall logs/httpd logs/security;

	do

		[ -d $DIR_SAVE/$i ] || mkdir -p $DIR_SAVE/$i

	done

	chown -R root:apache $DIR_SAVE

# Configuration et sécurisation php

	[ -e /etc/php.ini.default ] || cp /etc/php.ini /etc/php.ini.default

	timezone=`cat /etc/sysconfig/clock|grep ZONE|cut -d"=" -f2`

	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini

	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini

	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini

	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini

	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini

# Configuration et sécurisation Apache

	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*

	[ -e /etc/httpd/conf/httpd.conf.default ] || cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default

	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf

	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf

	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf

	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf

	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf

	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf

	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf

	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf

	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf

	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf

	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf

	$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf

	FIC_MOD_SSL=`find /etc/httpd/modules.d/ -type f -name *mod_ssl.conf`

	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" $FIC_MOD_SSL # On écoute en SSL que sur INTIF

	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /var/www/error/include/top.html

	[ -e /var/www/error/include/bottom.html.default ] || mv /var/www/error/include/bottom.html /var/www/error/include/bottom.html.default

	cat <<EOF > /var/www/error/include/bottom.html

</body>

</html>

EOF

# Définition du premier compte lié au profil 'admin'

	header_install

	if [ "$mode" = "install" ]

	then

		admin_portal=!

		PTN='^[a-zA-Z0-9-]*$'

		until [[ $(expr $admin_portal : $PTN) -gt 0 ]]

                	do

			header_install

			if [ $Lang == "fr" ]

			then 

				echo ""

				echo "Définissez un premier compte d'administration du portail :"

				echo

				echo -n "Nom : "

			else

				echo ""

				echo "Define the first account allow to administrate the portal :"

				echo

				echo -n "Account : "

			fi

			read admin_portal

			if [ "$admin_portal" == "" ]

				then

				admin_portal=!

			fi

			done

# Creation of keys file for the admin account ("admin")

		[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest

		mkdir -p $DIR_DEST_ETC/digest

		chmod 755 $DIR_DEST_ETC/digest

		until [ -s $DIR_DEST_ETC/digest/key_admin ]

			do

				/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal

			done

		$DIR_DEST_SBIN/alcasar-profil.sh --list

	fi

# synchronisation horaire

	ntpd -q -g &

# Sécurisation du centre

	rm -f /etc/httpd/conf/webapps.d/alcasar*

	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf

<Directory $DIR_ACC>

	SSLRequireSSL

	AllowOverride None

	Order deny,allow

	Deny from all

	Allow from 127.0.0.1

	Allow from $PRIVATE_NETWORK_MASK

#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP

	require valid-user

	AuthType digest

	AuthName $HOSTNAME.$DOMAIN

	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On

	AuthUserFile $DIR_DEST_ETC/digest/key_all

	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/

</Directory>

<Directory $DIR_ACC/admin>

	SSLRequireSSL

	AllowOverride None

	Order deny,allow

	Deny from all

	Allow from 127.0.0.1

	Allow from $PRIVATE_NETWORK_MASK

#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP

	require valid-user

	AuthType digest

	AuthName $HOSTNAME.$DOMAIN

	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On

	AuthUserFile $DIR_DEST_ETC/digest/key_admin

	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/

</Directory>

<Directory $DIR_ACC/manager>

	SSLRequireSSL

	AllowOverride None

	Order deny,allow

	Deny from all

	Allow from 127.0.0.1

	Allow from $PRIVATE_NETWORK_MASK

#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP

	require valid-user

	AuthType digest

	AuthName $HOSTNAME.$DOMAIN

	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On

	AuthUserFile $DIR_DEST_ETC/digest/key_manager

	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/

</Directory>

<Directory $DIR_ACC/backup>

	SSLRequireSSL

	AllowOverride None

	Order deny,allow

	Deny from all

	Allow from 127.0.0.1

	Allow from $PRIVATE_NETWORK_MASK

#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP

	require valid-user

	AuthType digest

	AuthName $HOSTNAME.$DOMAIN

	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On

	AuthUserFile $DIR_DEST_ETC/digest/key_backup

	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/

</Directory>

Alias /save/ "$DIR_SAVE/"

<Directory $DIR_SAVE>

	SSLRequireSSL

	Options Indexes

	Order deny,allow

	Deny from all

	Allow from 127.0.0.1

	Allow from $PRIVATE_NETWORK_MASK

#	Allow from AA.BB.CC.DD/32	# Allow from specific @IP

	require valid-user

	AuthType digest

	AuthName $HOSTNAME.$DOMAIN

	AuthUserFile $DIR_DEST_ETC/digest/key_backup

	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/

</Directory>

EOF

} # End of ACC()

##########################################################################################

##				Fonction "CA"						##

## - Création d'une Autorité de Certification et du certificat serveur pour apache 	##

##########################################################################################

CA ()

{

	$SED "s?ifcfg-eth.?ifcfg-$INTIF?g" $DIR_DEST_BIN/alcasar-CA.sh

	$DIR_DEST_BIN/alcasar-CA.sh

	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`

	[ -e /etc/httpd/conf/vhosts-ssl.default ]  || cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default

	$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL

	$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL

	$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL

	chown -R root:apache /etc/pki

	chmod -R 750 /etc/pki

} # End CA ()

##########################################################################################

##			Fonction "init_db"						##

## - Initialisation de la base Mysql							##

## - Affectation du mot de passe de l'administrateur (root)				##

## - Suppression des bases et des utilisateurs superflus				##

## - Création de la base 'radius'							##

## - Installation du schéma de cette base						##

## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo)	##

##       ces table proviennent de 'dialupadmin' (paquetage freeradius-web)		##

##########################################################################################

init_db ()

{

	rm -rf /var/lib/mysql # to be sure that there is no former installation

	[ -e /etc/my.cnf.default ] || cp /etc/my.cnf /etc/my.cnf.default

	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf

	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf

	systemctl start mysqld.service

	sleep 4

	mysqladmin -u root password $mysqlpwd

	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"

# Secure the server

	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"

	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;" 

# Create 'radius' database

	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"

# Add an empty radius database structure

	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql

# modify the start script in order to close accounting connexion when the system is comming down or up

	[ -e /lib/systemd/system/mysqld.service.default ] || cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default

	$SED "/ExecStartPost=/a ExecStartPost=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service

	$SED "/ExecStartPost=/a ExecStop=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service

	systemctl daemon-reload

} # End init_db ()

##########################################################################

##			Fonction "param_radius"				##

## - Paramètrage des fichiers de configuration FreeRadius		##

## - Affectation du secret partagé entre coova-chilli et freeradius	##

## - Modification de fichier de conf pour l'accès à Mysql		##

##########################################################################

param_radius ()

{

	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/

	chown -R radius:radius /etc/raddb

	[ -e /etc/raddb/radiusd.conf.default ] || cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default

# Set radius.conf parameters

	$SED "s?^[\t ]*#[\t ]*user =.*?user = radius?g" /etc/raddb/radiusd.conf

	$SED "s?^[\t ]*#[\t ]*group =.*?group = radius?g" /etc/raddb/radiusd.conf

	$SED "s?^[\t ]*status_server =.*?status_server = no?g" /etc/raddb/radiusd.conf

# remove the proxy function

	$SED "s?^[\t ]*proxy_requests.*?proxy_requests = no?g" /etc/raddb/radiusd.conf

	$SED "s?^[\t ]*\$INCLUDE proxy.conf.*?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf