WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
57	franck	2	# $Id: alcasar.sh 1165 2013-08-16 13:19:54Z crox53 $
1	root	3
		4	# alcasar.sh
959	franck	5
1157	stephane	6	# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
		7	# Ce programme est un logiciel libre ; This software is free and open source
959	franck	8	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		9	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		10	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		11	# Voir la Licence Publique Générale GNU pour plus de détails.
		12
967	franck	13	# team@alcasar.net
959	franck	14
1	root	15	# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
		16	# This script is distributed under the Gnu General Public License (GPL)
		17
672	richard	18	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	19	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	20	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
1007	richard	21	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
672	richard	22	#
1159	crox53	23	# Coovachilli (a fork of chillispot), freeradius, mysql, apache, netfilter, squid, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav and firewalleyes
1	root	24
		25	# Options :
376	franck	26	# -i or --install
		27	# -u or --uninstall
1	root	28
376	franck	29	# Functions :
29	richard	30	# testing : Tests de connectivité et de téléchargement avant installation
1	root	31	# init : Installation des RPM et des scripts
		32	# network : Paramètrage du réseau
		33	# gestion : Installation de l'interface de gestion
		34	# AC : Initialisation de l'autorité de certification. Création des certificats
		35	# init_db : Création de la base 'radius' sur le serveur MySql
		36	# param_radius : Configuration du serveur d'authentification FreeRadius
		37	# param_web_radius: Configuration de l'interface de gestion de FreeRadius (dialupadmin)
		38	# param_chilli : Configuration du daemon 'coova-chilli' et de la page d'authentification
		39	# param_squid : Configuration du proxy squid en mode 'cache'
		40	# param_dansguardian : Configuration de l'analyseur de contenu DansGuardian
479	richard	41	# antivirus : Installation havp + libclamav
1159	crox53	42	# param_nfsen : Configuration du grapheur nfsen pour apache
297	richard	43	# dnsmasq : Configuration du serveur de noms et du serveur dhcp de secours
308	richard	44	# BL : Configuration de la BlackList
1	root	45	# cron : Mise en place des exports de logs (+ chiffrement)
1163	crox53	46	# fail2ban : Installation et configuration de Fail2Ban
532	richard	47	# post_install : Finalisation environnement ( sécurité, bannières, rotation logs, ...)
1	root	48
		49	DATE=`date '+%d %B %Y - %Hh%M'`
		50	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	51	Lang=`echo $LANG\|cut -c 1-2`
1	root	52	# ***** Files parameters - paramètres fichiers *******
1015	richard	53	DIR_INSTALL=`pwd` # current directory
		54	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		55	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
		56	DIR_SAVE="/var/Save" # backup directory (system_backup, user_db_backup, logs)
		57	DIR_WEB="/var/www/html" # directory of APACHE
		58	DIR_DG="/etc/dansguardian" # directory of DansGuardian
		59	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
		60	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		61	DIR_DEST_SBIN="/usr/local/sbin" # directory of ALCASAR admin scripts
		62	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
		63	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
		64	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
		65	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	66	# ***** DBMS parameters - paramètres SGBD ******
		67	DB_RADIUS="radius" # nom de la base de données utilisée par le serveur FreeRadius
		68	DB_USER="radius" # nom de l'utilisateur de la base de données
		69	# ***** Network parameters - paramètres réseau *****
503	richard	70	HOSTNAME="alcasar" #
1	root	71	DOMAIN="localdomain" # domaine local
		72	EXTIF="eth0" # ETH0 est l'interface connectée à Internet (Box FAI)
1148	crox53	73	MTU="1500"
1157	stephane	74	ETHTOOL_OPTS='"autoneg off speed 100 duplex full"'
1	root	75	INTIF="eth1" # ETH1 est l'interface connectée au réseau local de consultation
597	richard	76	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # adresse d'ALCASAR (+masque) proposée par défaut sur le réseau de consultation
1	root	77	# **** Paths - chemin des commandes *****
		78	SED="/bin/sed -i"
		79	# **************** End of global parameters *******************
		80
959	franck	81	license ()
		82	{
		83	if [ $Lang == "fr" ]
967	franck	84	then cat $DIR_INSTALL/gpl-3.0.fr.txt \| more
		85	else cat $DIR_INSTALL/gpl-3.0.txt \| more
959	franck	86	fi
975	franck	87	echo "Taper sur Entrée pour continuer !"
		88	echo "Enter to continue."
959	franck	89	read a
		90	}
		91
1	root	92	header_install ()
		93	{
		94	clear
		95	echo "-----------------------------------------------------------------------------"
460	richard	96	echo " ALCASAR V$VERSION Installation"
1	root	97	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		98	echo "-----------------------------------------------------------------------------"
		99	} # End of header_install ()
		100
		101	##################################################################
1005	richard	102	## Function TESTING ##
		103	## - Test of Internet access ##
29	richard	104	##################################################################
		105	testing ()
		106	{
595	richard	107	if [ $Lang == "fr" ]
784	richard	108	then echo -n "Tests des paramètres réseau : "
595	richard	109	else echo -n "Network parameters tests : "
		110	fi
784	richard	111	# We test eth0 config files
		112	PUBLIC_IP=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		113	PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		114	if [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
		115	then
		116	if [ $Lang == "fr" ]
		117	then
		118	echo "Échec"
		119	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		120	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
830	richard	121	echo "Appliquez les changements : 'service network restart'"
784	richard	122	else
		123	echo "Failed"
		124	echo "The Internet connected network card ($EXTIF) isn't well configured."
		125	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
830	richard	126	echo "Apply the new configuration 'service network restart'"
784	richard	127	fi
830	richard	128	echo "DEVICE=$EXTIF"
784	richard	129	echo "IPADDR="
		130	echo "NETMASK="
		131	echo "GATEWAY="
		132	echo "DNS1="
		133	echo "DNS2="
830	richard	134	echo "ONBOOT=yes"
784	richard	135	exit 0
		136	fi
		137	echo -n "."
460	richard	138	# We test the Ethernet links state
29	richard	139	for i in $EXTIF $INTIF
		140	do
294	richard	141	/sbin/ip link set $i up
306	richard	142	sleep 3
1031	richard	143	CMD=`/usr/sbin/ethtool $i \|egrep 'Link detected'\| awk '{print $NF}'`
		144	CMD2=`/sbin/mii-tool $i \| grep link \| awk '{print $NF}'`
808	franck	145	if [ $CMD != "yes" ] && [ $CMD2 != "ok" ]
29	richard	146	then
595	richard	147	if [ $Lang == "fr" ]
		148	then
		149	echo "Échec"
		150	echo "Le lien réseau de la carte $i n'est pas actif."
		151	echo "Réglez ce problème puis relancez ce script."
		152	else
		153	echo "Failed"
		154	echo "The link state of $i interface id down."
		155	echo "Resolv this problem, then restart this script."
		156	fi
29	richard	157	exit 0
		158	fi
308	richard	159	echo -n "."
29	richard	160	done
		161	# On teste la présence d'un routeur par défaut (Box FAI)
784	richard	162	if [ `ip route list\|grep -c ^default` -ne "1" ] ; then
595	richard	163	if [ $Lang == "fr" ]
		164	then
		165	echo "Échec"
		166	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		167	echo "Réglez ce problème puis relancez ce script."
		168	else
		169	echo "Failed"
		170	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		171	echo "Resolv this problem, then restart this script."
		172	fi
29	richard	173	exit 0
		174	fi
308	richard	175	echo -n "."
978	franck	176	# On traite le cas où l'interface configurée lors de l'installation est "eth1" au lieu de "eth0" (mystère sur certaines versions de BIOS et de VirtualBox)
784	richard	177	if [ `ip route list\|grep ^default\|grep -c eth1` -eq "1" ] ; then
595	richard	178	if [ $Lang == "fr" ]
		179	then echo "La configuration des cartes réseau va être corrigée."
		180	else echo "The Ethernet card configuration will be corrected."
		181	fi
29	richard	182	/etc/init.d/network stop
		183	mv -f /etc/sysconfig/network-scripts/ifcfg-eth1 /etc/sysconfig/network-scripts/ifcfg-eth0
		184	$SED "s?eth1?eth0?g" /etc/sysconfig/network-scripts/ifcfg-eth0
		185	/etc/init.d/network start
		186	echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
		187	sleep 2
595	richard	188	if [ $Lang == "fr" ]
		189	then echo "Configuration corrigée"
		190	else echo "Configuration updated"
		191	fi
29	richard	192	sleep 2
595	richard	193	if [ $Lang == "fr" ]
		194	then echo "Vous pouvez relancer ce script."
		195	else echo "You can restart this script."
		196	fi
29	richard	197	exit 0
		198	fi
308	richard	199	echo -n "."
978	franck	200	# On teste le lien vers le routeur par defaut
308	richard	201	IP_GW=`ip route list\|grep ^default\|cut -d" " -f3`
		202	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $IP_GW\|grep response\|cut -d" " -f2`
527	richard	203	if [ $(expr $arp_reply) -eq 0 ]
308	richard	204	then
595	richard	205	if [ $Lang == "fr" ]
		206	then
		207	echo "Échec"
		208	echo "Le routeur de site ou la Box Internet ($IP_GW) ne répond pas."
		209	echo "Réglez ce problème puis relancez ce script."
		210	else
		211	echo "Failed"
		212	echo "The Internet gateway doesn't answered"
		213	echo "Resolv this problem, then restart this script."
		214	fi
308	richard	215	exit 0
		216	fi
		217	echo -n "."
421	franck	218	# On teste la connectivité Internet
29	richard	219	rm -rf /tmp/con_ok.html
308	richard	220	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	221	if [ ! -e /tmp/con_ok.html ]
		222	then
595	richard	223	if [ $Lang == "fr" ]
		224	then
		225	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		226	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		227	echo "Vérifiez la validité des adresses IP des DNS."
		228	else
		229	echo "The Internet connection try failed (google.fr)."
		230	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		231	echo "Verify the DNS IP addresses"
		232	fi
29	richard	233	exit 0
		234	fi
		235	rm -rf /tmp/con_ok.html
308	richard	236	echo ". : ok"
302	richard	237	} # end of testing
		238
		239	##################################################################
		240	## Fonction INIT ##
		241	## - Création du fichier "/root/ALCASAR_parametres.txt" ##
		242	## - Installation et modification des scripts du portail ##
		243	##################################################################
		244	init ()
		245	{
527	richard	246	if [ "$mode" != "update" ]
302	richard	247	then
		248	# On affecte le nom d'organisme
597	richard	249	header_install
302	richard	250	ORGANISME=!
		251	PTN='^[a-zA-Z0-9-]*$'
580	richard	252	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
302	richard	253	do
595	richard	254	if [ $Lang == "fr" ]
597	richard	255	then echo -n "Entrez le nom de votre organisme : "
		256	else echo -n "Enter the name of your organism : "
595	richard	257	fi
330	franck	258	read ORGANISME
613	richard	259	if [ "$ORGANISME" == "" ]
330	franck	260	then
		261	ORGANISME=!
		262	fi
		263	done
302	richard	264	fi
1	root	265	# On crée aléatoirement les mots de passe et les secrets partagés
628	richard	266	rm -f $PASSWD_FILE
59	richard	267	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de protection du menu Grub
628	richard	268	echo -n "Password to protect the boot menu (GRUB) : " > $PASSWD_FILE
		269	echo "$grubpwd" >> $PASSWD_FILE
59	richard	270	md5_grubpwd=`/usr/bin/md5pass $grubpwd`
384	richard	271	$SED "/^password.*/d" /boot/grub/menu.lst
		272	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
1	root	273	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de l'administrateur Mysqld
1003	richard	274	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
628	richard	275	echo "root / $mysqlpwd" >> $PASSWD_FILE
1	root	276	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de l'utilisateur Mysqld (utilisé par freeradius)
1003	richard	277	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
628	richard	278	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
1	root	279	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # secret partagé entre intercept.php et coova-chilli
628	richard	280	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
		281	echo "$secretuam" >> $PASSWD_FILE
1	root	282	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # secret partagé entre coova-chilli et FreeRadius
628	richard	283	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
		284	echo "$secretradius" >> $PASSWD_FILE
		285	chmod 640 $PASSWD_FILE
977	richard	286	# Scripts and conf files copy
		287	# - in /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
5	franck	288	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
977	richard	289	# - in /usr/local/sbin : alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
5	franck	290	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
977	richard	291	# - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
648	richard	292	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
1	root	293	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
		294	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
5	franck	295	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
		296	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
628	richard	297	# generate central conf file
		298	cat <<EOF > $CONF_FILE
612	richard	299	##########################################
		300	## ##
		301	## ALCASAR Parameters ##
		302	## ##
		303	##########################################
1	root	304
612	richard	305	INSTALL_DATE=$DATE
		306	VERSION=$VERSION
		307	ORGANISM=$ORGANISME
923	franck	308	DOMAIN=$DOMAIN
612	richard	309	EOF
628	richard	310	chmod o-rwx $CONF_FILE
1	root	311	} # End of init ()
		312
		313	##################################################################
		314	## Fonction network ##
		315	## - Définition du plan d'adressage du réseau de consultation ##
595	richard	316	## - Nommage DNS du système ##
1	root	317	## - Configuration de l'interface eth1 (réseau de consultation) ##
		318	## - Modification du fichier /etc/hosts ##
		319	## - Configuration du serveur de temps (NTP) ##
		320	## - Renseignement des fichiers hosts.allow et hosts.deny ##
		321	##################################################################
		322	network ()
		323	{
		324	header_install
636	richard	325	if [ "$mode" != "update" ]
		326	then
		327	if [ $Lang == "fr" ]
		328	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		329	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		330	fi
		331	response=0
		332	PTN='^[oOyYnN]$'
		333	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	334	do
595	richard	335	if [ $Lang == "fr" ]
659	richard	336	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	337	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	338	fi
1	root	339	read response
		340	done
636	richard	341	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		342	then
		343	PRIVATE_IP_MASK="0"
		344	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		345	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	346	do
595	richard	347	if [ $Lang == "fr" ]
597	richard	348	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		349	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	350	fi
597	richard	351	read PRIVATE_IP_MASK
1	root	352	done
636	richard	353	else
		354	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		355	fi
595	richard	356	else
637	richard	357	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		358	rm -rf conf/etc/alcasar.conf
1	root	359	fi
861	richard	360	# Define LAN side global parameters
1	root	361	hostname $HOSTNAME
1033	richard	362	echo $HOSTNAME > /etc/hostname
977	richard	363	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
		364	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
		365	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
		366	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
		367	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
		368	classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; classe_sup_sup=`expr $classe + 2` # ie.: 2=classe B, 3=classe C
		369	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		370	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
		371	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f$classe_sup` # last octet of LAN address
		372	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f$classe_sup` # last octet of LAN broadcast
837	richard	373	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
977	richard	374	PRIVATE_SECOND_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 2` # second network address (ex.: 192.168.182.2)
837	richard	375	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
977	richard	376	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6` # MAC address of INTIF (eth1)
841	richard	377	# Define Internet parameters
14	richard	378	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		379	DNS1=`grep DNS1 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 1er DNS
		380	DNS2=`grep DNS2 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 2ème DNS
70	franck	381	DNS1=${DNS1:=208.67.220.220}
		382	DNS2=${DNS2:=208.67.222.222}
597	richard	383	PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2`
1052	richard	384	DEFAULT_PUBLIC_NETMASK=`ipcalc -m $PUBLIC_IP \| cut -d"=" -f2`
784	richard	385	PUBLIC_NETMASK=${PUBLIC_NETMASK:=$DEFAULT_PUBLIC_NETMASK}
1052	richard	386	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	387	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
765	stephane	388	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
994	franck	389	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	390	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
		391	echo "DNS1=$DNS1" >> $CONF_FILE
		392	echo "DNS2=$DNS2" >> $CONF_FILE
		393	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
941	richard	394	echo "DHCP=full" >> $CONF_FILE
914	franck	395	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		396	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		397	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
597	richard	398	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
841	richard	399	# config network
1	root	400	cat <<EOF > /etc/sysconfig/network
		401	NETWORKING=yes
		402	HOSTNAME="$HOSTNAME"
		403	FORWARD_IPV4=true
		404	EOF
841	richard	405	# config /etc/hosts
1	root	406	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		407	cat <<EOF > /etc/hosts
503	richard	408	127.0.0.1 localhost
914	franck	409	$PRIVATE_IP $HOSTNAME $HOSTNAME.$DOMAIN
1	root	410	EOF
841	richard	411	# Config eth0 (Internet)
14	richard	412	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		413	DEVICE=$EXTIF
		414	BOOTPROTO=static
597	richard	415	IPADDR=$PUBLIC_IP
		416	NETMASK=$PUBLIC_NETMASK
		417	GATEWAY=$PUBLIC_GATEWAY
14	richard	418	DNS1=127.0.0.1
		419	ONBOOT=yes
		420	METRIC=10
		421	NOZEROCONF=yes
		422	MII_NOT_SUPPORTED=yes
		423	IPV6INIT=no
		424	IPV6TO4INIT=no
		425	ACCOUNTING=no
		426	USERCTL=no
994	franck	427	MTU=$MTU
14	richard	428	EOF
841	richard	429	# Config eth1 (consultation LAN) in normal mode
		430	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		431	DEVICE=$INTIF
		432	BOOTPROTO=static
		433	ONBOOT=yes
		434	NOZEROCONF=yes
		435	MII_NOT_SUPPORTED=yes
		436	IPV6INIT=no
		437	IPV6TO4INIT=no
		438	ACCOUNTING=no
		439	USERCTL=no
1157	stephane	440	ETHTOOL_OPTS=$ETHTOOL_OPTS
841	richard	441	EOF
		442	# Config of eth1 in bypass mode (see "alcasar-bypass.sh")
793	richard	443	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
1	root	444	DEVICE=$INTIF
		445	BOOTPROTO=static
		446	IPADDR=$PRIVATE_IP
604	richard	447	NETMASK=$PRIVATE_NETMASK
1	root	448	ONBOOT=yes
		449	METRIC=10
		450	NOZEROCONF=yes
		451	MII_NOT_SUPPORTED=yes
14	richard	452	IPV6INIT=no
		453	IPV6TO4INIT=no
		454	ACCOUNTING=no
		455	USERCTL=no
1	root	456	EOF
440	franck	457	# Mise à l'heure du serveur
		458	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		459	cat <<EOF > /etc/ntp/step-tickers
455	franck	460	0.fr.pool.ntp.org # adapt to your country
		461	1.fr.pool.ntp.org
		462	2.fr.pool.ntp.org
440	franck	463	EOF
		464	# Configuration du serveur de temps (sur lui même)
1	root	465	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		466	cat <<EOF > /etc/ntp.conf
456	franck	467	server 0.fr.pool.ntp.org # adapt to your country
447	franck	468	server 1.fr.pool.ntp.org
		469	server 2.fr.pool.ntp.org
		470	server 127.127.1.0 # local clock si NTP internet indisponible ...
411	richard	471	fudge 127.127.1.0 stratum 10
604	richard	472	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
1	root	473	restrict 127.0.0.1
310	richard	474	driftfile /var/lib/ntp/drift
1	root	475	logfile /var/log/ntp.log
		476	EOF
440	franck	477
310	richard	478	chown -R ntp:ntp /var/lib/ntp
1	root	479	# Renseignement des fichiers hosts.allow et hosts.deny
		480	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		481	cat <<EOF > /etc/hosts.allow
		482	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	483	sshd: ALL
1	root	484	ntpd: $PRIVATE_NETWORK_SHORT
		485	EOF
		486	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		487	cat <<EOF > /etc/hosts.deny
		488	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		489	EOF
604	richard	490	# Firewall config
790	richard	491	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		492	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		493	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	494	# create the filter exception file and ip_bloqued file
790	richard	495	touch $DIR_DEST_ETC/alcasar-filter-exceptions
860	richard	496	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
1069	richard	497	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	498	# load conntrack ftp module
		499	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
		500	echo "ip_conntrack_ftp" >> /etc/modprobe.preload
1159	crox53	501	# load ipt_NETFLOW module
		502	echo "ipt_NETFLOW" >> /etc/modprobe.preload
1157	stephane	503	#
860	richard	504	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	505	} # End of network ()
		506
		507	##################################################################
		508	## Fonction gestion ##
		509	## - installation du centre de gestion ##
		510	## - configuration du serveur web (Apache) ##
		511	## - définition du 1er comptes de gestion ##
		512	## - sécurisation des accès ##
		513	##################################################################
		514	gestion()
		515	{
		516	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		517	mkdir $DIR_WEB
		518	# Copie et configuration des fichiers du centre de gestion
316	richard	519	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972	richard	520	echo "$VERSION" > $DIR_WEB/VERSION
316	richard	521	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		522	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		523	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		524	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
498	richard	525	$SED "s?\$hostname =.*?\$hostname = \"$HOSTNAME\";?g" $DIR_WEB/index.php
316	richard	526	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	527	chown -R apache:apache $DIR_WEB/*
840	richard	528	for i in system_backup base logs/firewall logs/httpd logs/squid logs/security;
1	root	529	do
		530	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		531	done
5	franck	532	chown -R root:apache $DIR_SAVE
71	richard	533	# Configuration et sécurisation php
		534	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	535	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		536	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	537	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		538	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71	richard	539	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		540	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
		541	# Configuration et sécurisation Apache
790	richard	542	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1	root	543	[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
580	richard	544	$SED "s?^#ServerName.*?ServerName $HOSTNAME?g" /etc/httpd/conf/httpd.conf
303	richard	545	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1	root	546	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
		547	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
		548	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
790	richard	549	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
		550	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
		551	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
		552	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
		553	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
		554	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
990	franck	555	$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf
1	root	556	FIC_MOD_SSL=`find /etc/httpd/modules.d/ -type f -name *mod_ssl.conf`
		557	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" $FIC_MOD_SSL # On écoute en SSL que sur INTIF
		558	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /var/www/error/include/top.html
		559	[ -e /var/www/error/include/bottom.html.default ] \|\| mv /var/www/error/include/bottom.html /var/www/error/include/bottom.html.default
		560	cat <<EOF > /var/www/error/include/bottom.html
		561	</body>
		562	</html>
		563	EOF
		564	# Définition du premier compte lié au profil 'admin'
509	richard	565	header_install
510	richard	566	if [ "$mode" = "install" ]
		567	then
613	richard	568	admin_portal=!
		569	PTN='^[a-zA-Z0-9-]*$'
		570	until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
		571	do
		572	header_install
		573	if [ $Lang == "fr" ]
		574	then
		575	echo ""
		576	echo "Définissez un premier compte d'administration du portail :"
		577	echo
		578	echo -n "Nom : "
		579	else
		580	echo ""
		581	echo "Define the first account allow to administrate the portal :"
		582	echo
		583	echo -n "Account : "
		584	fi
		585	read admin_portal
		586	if [ "$admin_portal" == "" ]
		587	then
		588	admin_portal=!
		589	fi
		590	done
1	root	591	# Création du fichier de clés de ce compte dans le profil "admin"
510	richard	592	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		593	mkdir -p $DIR_DEST_ETC/digest
		594	chmod 755 $DIR_DEST_ETC/digest
		595	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		596	do
613	richard	597	/usr/sbin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME $admin_portal
510	richard	598	done
		599	$DIR_DEST_SBIN/alcasar-profil.sh --list
595	richard	600	else # mise à jour des versions < 2.1
1010	richard	601	if [ $MAJ_PREVIOUS_VERSION -lt 2 ] \|\| ([ $MAJ_PREVIOUS_VERSION -eq 2 ] && [ $MIN_PREVIOUS_VERSION -lt 1 ])
510	richard	602	then
613	richard	603	if [ $Lang == "fr" ]
		604	then
		605	echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
		606	echo
		607	echo -n "Nom : "
		608	else
		609	echo "This update need to redefine the first admin account"
		610	echo
		611	echo -n "Account : "
		612	fi
		613	read admin_portal
510	richard	614	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		615	mkdir -p $DIR_DEST_ETC/digest
		616	chmod 755 $DIR_DEST_ETC/digest
		617	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		618	do
613	richard	619	/usr/sbin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME $admin_portal
510	richard	620	done
		621	$DIR_DEST_SBIN/alcasar-profil.sh --list
		622	fi
		623	fi
434	richard	624	# synchronisation horaire
		625	ntpd -q -g &
1	root	626	# Sécurisation du centre
988	franck	627	rm -f /etc/httpd/conf/webapps.d/alcasar*
1	root	628	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	629	<Directory $DIR_ACC>
1	root	630	SSLRequireSSL
		631	AllowOverride None
		632	Order deny,allow
		633	Deny from all
		634	Allow from 127.0.0.1
		635	Allow from $PRIVATE_NETWORK_MASK
990	franck	636	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	637	require valid-user
		638	AuthType digest
		639	AuthName $HOSTNAME
		640	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	641	AuthUserFile $DIR_DEST_ETC/digest/key_all
580	richard	642	ErrorDocument 404 https://$HOSTNAME/
1	root	643	</Directory>
316	richard	644	<Directory $DIR_ACC/admin>
1	root	645	SSLRequireSSL
		646	AllowOverride None
		647	Order deny,allow
		648	Deny from all
		649	Allow from 127.0.0.1
		650	Allow from $PRIVATE_NETWORK_MASK
990	franck	651	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	652	require valid-user
		653	AuthType digest
		654	AuthName $HOSTNAME
		655	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	656	AuthUserFile $DIR_DEST_ETC/digest/key_admin
580	richard	657	ErrorDocument 404 https://$HOSTNAME/
1	root	658	</Directory>
344	richard	659	<Directory $DIR_ACC/manager>
1	root	660	SSLRequireSSL
		661	AllowOverride None
		662	Order deny,allow
		663	Deny from all
		664	Allow from 127.0.0.1
		665	Allow from $PRIVATE_NETWORK_MASK
990	franck	666	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	667	require valid-user
		668	AuthType digest
		669	AuthName $HOSTNAME
		670	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	671	AuthUserFile $DIR_DEST_ETC/digest/key_manager
580	richard	672	ErrorDocument 404 https://$HOSTNAME/
1	root	673	</Directory>
316	richard	674	<Directory $DIR_ACC/backup>
		675	SSLRequireSSL
		676	AllowOverride None
		677	Order deny,allow
		678	Deny from all
		679	Allow from 127.0.0.1
		680	Allow from $PRIVATE_NETWORK_MASK
990	franck	681	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
316	richard	682	require valid-user
		683	AuthType digest
		684	AuthName $HOSTNAME
		685	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	686	AuthUserFile $DIR_DEST_ETC/digest/key_backup
580	richard	687	ErrorDocument 404 https://$HOSTNAME/
316	richard	688	</Directory>
811	richard	689	Alias /save/ "$DIR_SAVE/"
		690	<Directory $DIR_SAVE>
		691	SSLRequireSSL
		692	Options Indexes
		693	Order deny,allow
		694	Deny from all
		695	Allow from 127.0.0.1
		696	Allow from $PRIVATE_NETWORK_MASK
990	franck	697	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
811	richard	698	require valid-user
		699	AuthType digest
		700	AuthName $HOSTNAME
		701	AuthUserFile $DIR_DEST_ETC/digest/key_backup
		702	ErrorDocument 404 https://$HOSTNAME/
		703	</Directory>
1	root	704	EOF
		705	} # End of gestion ()
		706
		707	##########################################################################################
		708	## Fonction AC() ##
		709	## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
		710	##########################################################################################
		711	AC ()
		712	{
		713	$SED "s?ifcfg-eth.?ifcfg-$INTIF?g" $DIR_DEST_BIN/alcasar-CA.sh
510	richard	714	$DIR_DEST_BIN/alcasar-CA.sh
800	richard	715	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	716	[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
		717	$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
		718	$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
679	richard	719	$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
5	franck	720	chown -R root:apache /etc/pki
1	root	721	chmod -R 750 /etc/pki
		722	} # End AC ()
		723
		724	##########################################################################################
		725	## Fonction init_db() ##
		726	## - Initialisation de la base Mysql ##
		727	## - Affectation du mot de passe de l'administrateur (root) ##
		728	## - Suppression des bases et des utilisateurs superflus ##
		729	## - Création de la base 'radius' ##
		730	## - Installation du schéma de cette base ##
		731	## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##
		732	## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##
		733	##########################################################################################
		734	init_db ()
		735	{
		736	mkdir -p /var/lib/mysql/.tmp
1008	richard	737	chown -R mysql:mysql /var/lib/mysql/
227	franck	738	[ -e /etc/my.cnf.rpmnew ] && mv /etc/my.cnf.rpmnew /etc/my.cnf # prend en compte les migrations de MySQL
1	root	739	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
		740	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
		741	/etc/init.d/mysqld start
		742	sleep 4
		743	mysqladmin -u root password $mysqlpwd
		744	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
615	richard	745	# Delete exemple databases if exist
1	root	746	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;CONNECT mysql;DELETE from user where user='';FLUSH PRIVILEGES;"
615	richard	747	# Create 'radius' database
1	root	748	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
615	richard	749	# Add an empty radius database structure
364	franck	750	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
615	richard	751	# modify the start script in order to close accounting connexion when the system is comming down or up
		752	[ -e /etc/init.d/mysqld.default ] \|\| cp /etc/init.d/mysqld /etc/init.d/mysqld.default
		753	$SED "/wait_for_pid created/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
		754	$SED "/'stop')/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
1	root	755	} # End init_db ()
		756
		757	##########################################################################
		758	## Fonction param_radius ##
		759	## - Paramètrage des fichiers de configuration FreeRadius ##
		760	## - Affectation du secret partagé entre coova-chilli et freeradius ##
		761	## - Modification de fichier de conf pour l'accès à Mysql ##
		762	##########################################################################
		763	param_radius ()
		764	{
		765	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
		766	chown -R radius:radius /etc/raddb
		767	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
		768	# paramètrage radius.conf
		769	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		770	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		771	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
		772	# suppression de la fonction proxy
		773	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf
		774	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
654	richard	775	# suppression du module EAP
		776	$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1	root	777	# écoute sur loopback uniquement (à modifier plus tard pour l'EAP)
		778	$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
		779	# prise en compte du module SQL et des compteurs SQL
		780	$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
		781	$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
		782	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
		783	# purge du répertoire des serveurs virtuels et copie du fichier de configuration d'Alcasar
		784	rm -f /etc/raddb/sites-enabled/*
		785	cp $DIR_CONF/alcasar-radius /etc/raddb/sites-available/alcasar
		786	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
		787	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
		788	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
		789	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
384	richard	790	# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1	root	791	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
		792	# configuration du fichier client.conf (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
		793	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		794	cat << EOF > /etc/raddb/clients.conf
		795	client 127.0.0.1 {
		796	secret = $secretradius
		797	shortname = localhost
		798	}
		799	EOF
		800	# modif sql.conf
		801	[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
		802	$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
		803	$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
		804	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
		805	$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf
		806	# modif dialup.conf
		807	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
		808	cp -f $DIR_CONF/dialup.conf /etc/raddb/sql/mysql/dialup.conf
1114	richard	809	# insures that mysql is up before radius start
		810	$SED "s?^# Should-Start.*?# Should-Start: \$network mysqld?" /etc/init.d/radiusd
		811	$SED "s?^# Should-Stop.*?# Should-Start: \$network mysqld?" /etc/init.d/radiusd
1157	stephane	812
1	root	813	} # End param_radius ()
		814
		815	##########################################################################
		816	## Fonction param_web_radius ##
		817	## - Import, modification et paramètrage de l'interface "dialupadmin" ##
		818	## - Création du lien vers la page de changement de mot de passe ##
		819	##########################################################################
		820	param_web_radius ()
		821	{
		822	# copie de l'interface d'origine dans la structure Alcasar
316	richard	823	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
		824	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme
		825	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
344	richard	826	# copie des fichiers modifiés
		827	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
316	richard	828	chown -R apache:apache $DIR_ACC/manager/
344	richard	829	# Modification des fichiers de configuration
1	root	830	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
503	richard	831	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1	root	832	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		833	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		834	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
		835	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
		836	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
		837	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
		838	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
946	richard	839	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
344	richard	840	[ -e /etc/freeradius-web/config.php.default ] \|\| cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
		841	cp -f $DIR_CONF/freeradiusweb-config.php /etc/freeradius-web/config.php
131	richard	842	cat <<EOF > /etc/freeradius-web/naslist.conf
632	richard	843	nas1_name: alcasar-$ORGANISME
1	root	844	nas1_model: Portail captif
		845	nas1_ip: $PRIVATE_IP
		846	nas1_port_num: 0
		847	nas1_community: public
		848	EOF
		849	# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
		850	[ -e /etc/freeradius-web/user_edit.attrs.default ] \|\| mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
		851	cp -f $DIR_CONF/user_edit.attrs /etc/freeradius-web/user_edit.attrs
114	richard	852	# Ajout du mappage des attributs chillispot
		853	[ -e /etc/freeradius-web/sql.attrmap.default ] \|\| mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
		854	cp -f $DIR_CONF/sql.attrmap /etc/freeradius-web/sql.attrmap
1	root	855	# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
		856	[ -e /etc/freeradius-web/sql.attrs.default ] \|\| cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/user_edit.attrs.default
		857	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
		858	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
5	franck	859	chown -R apache:apache /etc/freeradius-web
1	root	860	# Ajout de l'alias vers la page de "changement de mot de passe usager"
		861	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
344	richard	862	<Directory $DIR_WEB/pass>
1	root	863	SSLRequireSSL
		864	AllowOverride None
		865	Order deny,allow
		866	Deny from all
		867	Allow from 127.0.0.1
		868	Allow from $PRIVATE_NETWORK_MASK
580	richard	869	ErrorDocument 404 https://$HOSTNAME
1	root	870	</Directory>
		871	EOF
		872	} # End of param_web_radius ()
		873
799	richard	874	##################################################################################
		875	## Fonction param_chilli ##
		876	## - Création du fichier d'initialisation et de configuration de coova-chilli ##
		877	## - Paramètrage de la page d'authentification (intercept.php) ##
		878	##################################################################################
1	root	879	param_chilli ()
		880	{
799	richard	881	# init file creation
461	richard	882	[ -e /etc/init.d/chilli.default ] \|\| cp /etc/init.d/chilli /etc/init.d/chilli.default
799	richard	883	cat <<EOF > /etc/init.d/chilli
		884	#!/bin/sh
		885	#
		886	# chilli CoovaChilli init
		887	#
		888	# chkconfig: 2345 65 35
		889	# description: CoovaChilli
		890	### BEGIN INIT INFO
		891	# Provides: chilli
		892	# Required-Start: network
		893	# Should-Start:
		894	# Required-Stop: network
		895	# Should-Stop:
		896	# Default-Start: 2 3 5
		897	# Default-Stop:
		898	# Description: CoovaChilli access controller
		899	### END INIT INFO
		900
		901	[ -f /usr/sbin/chilli ] \|\| exit 0
		902	. /etc/init.d/functions
		903	CONFIG=/etc/chilli.conf
		904	pidfile=/var/run/chilli.pid
		905	[ -f \$CONFIG ] \|\| {
		906	echo "\$CONFIG Not found"
		907	exit 0
		908	}
		909	RETVAL=0
		910	prog="chilli"
		911	case \$1 in
		912	start)
		913	if [ -f \$pidfile ] ; then
		914	gprintf "chilli is already running"
		915	else
		916	gprintf "Starting \$prog: "
		917	rm -f /var/run/chilli* # cleaning
		918	/sbin/modprobe tun >/dev/null 2>&1
		919	echo 1 > /proc/sys/net/ipv4/ip_forward
		920	[ -e /dev/net/tun ] \|\| {
		921	(cd /dev;
		922	mkdir net;
		923	cd net;
		924	mknod tun c 10 200)
		925	}
		926	ifconfig eth1 0.0.0.0
		927	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		928	RETVAL=$?
		929	fi
		930	;;
		931
		932	reload)
		933	killall -HUP chilli
		934	;;
		935
		936	restart)
		937	\$0 stop
		938	sleep 2
		939	\$0 start
		940	;;
		941
		942	status)
		943	status chilli
		944	RETVAL=0
		945	;;
		946
		947	stop)
		948	if [ -f \$pidfile ] ; then
		949	gprintf "Shutting down \$prog: "
		950	killproc /usr/sbin/chilli
		951	RETVAL=\$?
		952	[ \$RETVAL = 0 ] && rm -f $pidfile
		953	else
		954	gprintf "chilli is not running"
		955	fi
		956	;;
		957
		958	*)
		959	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		960	exit 1
		961	esac
		962	echo
		963	EOF
		964
		965	# conf file creation
346	richard	966	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
		967	cat <<EOF > /etc/chilli.conf
		968	# coova config for ALCASAR
		969	cmdsocket /var/run/chilli.sock
		970	unixipc chilli.eth1.ipc
		971	pidfile /var/run/chilli.eth1.pid
		972	net $PRIVATE_NETWORK_MASK
595	richard	973	dhcpif $INTIF
841	richard	974	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	975	#nodynip
865	richard	976	#statip
		977	dynip $PRIVATE_NETWORK_MASK
346	richard	978	domain localdomain
355	richard	979	dns1 $PRIVATE_IP
		980	dns2 $PRIVATE_IP
346	richard	981	uamlisten $PRIVATE_IP
503	richard	982	uamport 3990
837	richard	983	macauth
		984	macpasswd password
346	richard	985	locationname $HOSTNAME
		986	radiusserver1 127.0.0.1
		987	radiusserver2 127.0.0.1
		988	radiussecret $secretradius
		989	radiusauthport 1812
		990	radiusacctport 1813
467	richard	991	uamserver https://$HOSTNAME/intercept.php
346	richard	992	radiusnasid $HOSTNAME
		993	uamsecret $secretuam
793	richard	994	uamallowed alcasar
346	richard	995	coaport 3799
503	richard	996	include $DIR_DEST_ETC/alcasar-uamallowed
		997	include $DIR_DEST_ETC/alcasar-uamdomain
1157	stephane	998	#dhcpgateway
		999	#dhcprelayagent
		1000	#dhcpgatewayport
346	richard	1001	EOF
977	richard	1002	# create file for DHCP static ip. Reserve the second IP address for eth1 (the first one is for tun0)
		1003	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
840	richard	1004	# create files for trusted domains and urls
1148	crox53	1005	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	1006	chown root:apache $DIR_DEST_ETC/alcasar-*
		1007	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	1008	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	1009	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
		1010	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
796	richard	1011	# user 'chilli' creation (in order to run conup/off and up/down scripts
		1012	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		1013	if [ "$chilli_exist" == "1" ]
		1014	then
		1015	userdel -r chilli 2>/dev/null
		1016	fi
		1017	groupadd -f chilli
		1018	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1	root	1019	} # End of param_chilli ()
		1020
		1021	##########################################################
		1022	## Fonction param_squid ##
		1023	## - Paramètrage du proxy 'squid' en mode 'cache' ##
		1024	## - Initialisation de la base de données ##
		1025	##########################################################
		1026	param_squid ()
		1027	{
		1028	# paramètrage de Squid (connecté en série derrière Dansguardian)
		1029	[ -e /etc/squid/squid.conf.default ] \|\| cp /etc/squid/squid.conf /etc/squid/squid.conf.default
		1030	# suppression des références 'localnet', 'icp', 'htcp' et 'always_direct'
		1031	$SED "/^acl localnet/d" /etc/squid/squid.conf
		1032	$SED "/^icp_access allow localnet/d" /etc/squid/squid.conf
		1033	$SED "/^icp_port 3130/d" /etc/squid/squid.conf
		1034	$SED "/^http_access allow localnet/d" /etc/squid/squid.conf
		1035	$SED "/^htcp_access allow localnet/d" /etc/squid/squid.conf
		1036	$SED "/^always_direct allow localnet/d" /etc/squid/squid.conf
		1037	# mode 'proxy transparent local'
595	richard	1038	$SED "s?^http_port.*?http_port 127.0.0.1:3128 transparent?g" /etc/squid/squid.conf
726	franck	1039	# Configuration du cache local
749	franck	1040	$SED "s?^#cache_dir.*?cache_dir ufs \/var\/spool\/squid 256 16 256?g" /etc/squid/squid.conf
1159	crox53	1041	# désactivation des "access log"
		1042	echo '#Disable access log' >> /etc/squid/squid.conf
		1043	echo "access_log none" >> /etc/squid/squid.conf
835	richard	1044	# anonymisation of squid version
813	richard	1045	echo "via off" >> /etc/squid/squid.conf
835	richard	1046	# remove the 'X_forwarded' http option
812	richard	1047	echo "forwarded_for delete" >> /etc/squid/squid.conf
835	richard	1048	# linked squid output in HAVP input
		1049	echo "cache_peer 127.0.0.1 parent 8090 0 no-query default" >> /etc/squid/squid.conf
		1050	echo "never_direct allow all" >> /etc/squid/squid.conf
		1051	# avoid error messages on network interfaces state changes
313	richard	1052	$SED "s?^SQUID_AUTO_RELOAD.*?SQUID_AUTO_RELOAD=no?g" /etc/sysconfig/squid
894	richard	1053	# reduce squid shutdown time (100 to 50)
		1054	$SED "s?^SQUID_SHUTDOWN_TIMEOUT.*?SQUID_SHUTDOWN_TIMEOUT=50?g" /etc/sysconfig/squid
		1055
835	richard	1056	# Squid cache init
1	root	1057	/usr/sbin/squid -z
		1058	} # End of param_squid ()
		1059
		1060	##################################################################
		1061	## Fonction param_dansguardian ##
		1062	## - Paramètrage du gestionnaire de contenu Dansguardian ##
		1063	##################################################################
		1064	param_dansguardian ()
		1065	{
		1066	mkdir /var/dansguardian
		1067	chown dansguardian /var/dansguardian
497	richard	1068	[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
307	richard	1069	# Le filtrage est désactivé par défaut
497	richard	1070	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1	root	1071	# la page d'interception est en français
497	richard	1072	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1	root	1073	# on limite l'écoute de Dansguardian côté LAN
497	richard	1074	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
835	richard	1075	# on chaîne Dansguardian au proxy cache SQUID
		1076	$SED "s?^proxyport.*?proxyport = 3128?g" $DIR_DG/dansguardian.conf
1	root	1077	# on remplace la page d'interception (template)
		1078	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
		1079	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
		1080	# on ne loggue que les deny (pour le reste, on a squid)
497	richard	1081	$SED "s?^loglevel =.*?loglevel = 1?g" $DIR_DG/dansguardian.conf
659	richard	1082	# lauch of 10 daemons (20 in largest server)
		1083	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1	root	1084	# on désactive par défaut le controle de contenu des pages html
497	richard	1085	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
		1086	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1087	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1	root	1088	# on désactive par défaut le contrôle d'URL par expressions régulières
497	richard	1089	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1090	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1	root	1091	# on désactive par défaut le contrôle de téléchargement de fichiers
497	richard	1092	[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
		1093	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
		1094	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1095	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1096	touch $DIR_DG/lists/bannedextensionlist
		1097	touch $DIR_DG/lists/bannedmimetypelist
		1098	# 'Safesearch' regex actualisation
498	richard	1099	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1100	# empty LAN IP list that won't be WEB filtered
		1101	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1102	touch $DIR_DG/lists/exceptioniplist
		1103	# Keep a copy of URL & domain filter configuration files
		1104	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1105	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1	root	1106	} # End of param_dansguardian ()
		1107
71	richard	1108	##################################################################
		1109	## Fonction antivirus ##
479	richard	1110	## - configuration havp + libclamav ##
71	richard	1111	##################################################################
		1112	antivirus ()
		1113	{
288	richard	1114	# création de l'usager 'havp'
		1115	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1116	if [ "$havp_exist" == "1" ]
288	richard	1117	then
478	richard	1118	userdel -r havp 2>/dev/null
894	richard	1119	groupdel havp 2>/dev/null
288	richard	1120	fi
307	richard	1121	groupadd -f havp
796	richard	1122	useradd -r -g havp -s /bin/false -c "system user for havp" havp
476	richard	1123	mkdir -p /var/tmp/havp /var/log/havp
		1124	chown -R havp /var/tmp/havp /var/log/havp /var/run/havp
109	richard	1125	# configuration d'HAVP
		1126	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1127	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
631	richard	1128	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on 8090
		1129	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
990	franck	1130	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1131	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1132	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1133	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1134	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1135	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1007	richard	1136	# skip checking of youtube flow (too heavy load / risk too low)
		1137	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1138	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1139	echo ".youtube.com/" >> /etc/havp/whitelist
481	franck	1140	# remplacement du fichier d'initialisation
335	richard	1141	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
1005	richard	1142	# if keep old init file : $SED "/$HAVP_BIN -c $HAVP_CONFIG/i chown -R havp:havp \/var\/tmp\/havp" /etc/init.d/havp
481	franck	1143	cp -f $DIR_CONF/havp-init /etc/init.d/havp
340	richard	1144	# on remplace la page d'interception (template)
		1145	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1146	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
489	richard	1147	# automatisation de la mise à jour de la base antivirale (toutes les 2 heures)
		1148	$SED "s?^Checks.*?Checks 12?g" /etc/freshclam.conf
		1149	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
734	richard	1150	# Virus database update
		1151	rm -f /var/lib/clamav/*.cld # in case of old database scheme
1005	richard	1152	cp -f $DIR_CONF/clamav-main.cvd /var/lib/clamav/main.cvd
		1153	/usr/bin/freshclam
71	richard	1154	}
		1155
1	root	1156	##################################################################################
476	richard	1157	## param_ulogd function ##
		1158	## - Ulog config for multi-log files ##
		1159	##################################################################################
		1160	param_ulogd ()
		1161	{
		1162	# Three instances of ulogd (three different logfiles)
		1163	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1164	nl=1
		1165	for log_type in tracability ssh ext-access
		1166	do
		1167	[ -e /var/log/firewall/$log_type.log ] \|\| touch /var/log/firewall/$log_type.log
		1168	cp -f /etc/ulogd.conf /etc/ulogd-$log_type.conf
		1169	$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
		1170	$SED '/OPRINT/,$d' /etc/ulogd-$log_type.conf
		1171	cat << EOF >> /etc/ulogd-$log_type.conf
		1172	[LOGEMU]
		1173	file="/var/log/firewall/$log_type.log"
		1174	sync=1
		1175	EOF
		1176	nl=`expr $nl + 1`
		1177	done
476	richard	1178	chown -R root:apache /var/log/firewall
		1179	chmod 750 /var/log/firewall
		1180	chmod 640 /var/log/firewall/*
		1181	[ -e /etc/init.d/ulogd.default ] \|\| cp /etc/init.d/ulogd /etc/init.d/ulogd.default
		1182	cp -f $DIR_CONF/ulogd-init /etc/init.d/ulogd
		1183	} # End of param_ulogd ()
		1184
1159	crox53	1185
		1186	##########################################################
		1187	## Fonction param_nfsen ##
		1188	##########################################################
		1189	param_nfsen()
1	root	1190	{
1159	crox53	1191	#Decompression tarball
		1192	tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
		1193	#Création groupe et utilisteur
		1194	if grep "^www-data:" /etc/group > /dev/null; then
		1195	echo "Group already exists !"
		1196	else
		1197	groupadd www-data
		1198	echo "Group 'www-data' created !"
		1199	fi
		1200	if grep "^nfsen:" /etc/passwd > /dev/null; then
		1201	echo "User already exists !"
		1202	else
		1203	useradd -m nfsen
		1204	echo "User 'nfsen' created !"
		1205	fi
		1206	usermod -G www-data nfsen
		1207	#Ajout du plugin nfsen : PortTracker
		1208	mkdir -p /var/www/nfsen/plugins
		1209	chown -R nfsen:www-data /var/www/nfsen
		1210	#Ajout du plugin PortTracker
		1211	mkdir -p /var/log/netflow/porttracker
		1212	mkdir -p /usr/share/nfsen/plugins
		1213	chown -R apache:apache /usr/share/nfsen
		1214	cp -f ./conf/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
		1215	chown apache /var/log/netflow/porttracker
		1216	#Copie du fichier de conf modifié de nfsen
		1217	cp ./conf/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
		1218	#Copie du script d'initialisation de nfsen
		1219	cp ./conf/nfsen/nfsen-init /etc/init.d/nfsen
		1220	#Installation de nfsen via le scrip Perl
		1221	cd /tmp/nfsen-1.3.6p1/
		1222	/usr/bin/perl5 install.pl etc/nfsen.conf #script lancé deux fois pour corriger,
		1223	/usr/bin/perl5 install.pl etc/nfsen.conf #un problème Perl : "Semaphore introuvable"
		1224	#Création de la DB pour rrdtool
		1225	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
		1226	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
		1227	sudo -u apache nftrack -I -d /var/log/netflow/porttracker
		1228	chown -R apache:www-data /var/log/netflow/porttracker/
		1229	chmod -R 775 /var/log/netflow/porttracker
		1230	#Configuration du fichier de conf d'apache
		1231	if [ -f /etc/httpd/conf.d/nfsen.conf ];then
		1232	rm -f /etc/httpd/conf.d/nfsen.conf
		1233	fi
		1234	cat <<EOF >> /etc/httpd/conf.d/nfsen.conf
		1235	Alias /nfsen /var/www/nfsen
		1236	<Directory /var/www/nfsen/>
		1237	DirectoryIndex nfsen.php
		1238	Options -Indexes
		1239	AllowOverride all
		1240	order allow,deny
		1241	allow from all
		1242	AddType application/x-httpd-php .php
		1243	php_flag magic_quotes_gpc on
		1244	php_flag track_vars on
1	root	1245	</Directory>
		1246	EOF
1159	crox53	1247	#Configuration du délais d'expiration des captures du profile "ALCASAR"
		1248	nfsen -m ALCASAR -e 365d
		1249	#Suppression des sources de nfsen
		1250	rm -rf /tmp/nfsen-1.3.6p1/
		1251	} # End of param_nfsen
1	root	1252
		1253	##########################################################
235	richard	1254	## Fonction param_dnsmasq ##
1	root	1255	##########################################################
219	jeremy	1256	param_dnsmasq ()
		1257	{
		1258	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
259	richard	1259	$SED "s?^DHCP_LEASE=.*?DHCP_LEASE=/var/log/dnsmasq/lease.log?g" /etc/sysconfig/dnsmasq # fichier contenant les baux
503	richard	1260	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
520	richard	1261	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if bypass is on.
503	richard	1262	cat << EOF > /etc/dnsmasq.conf
520	richard	1263	# Configuration file for "dnsmasq in forward mode"
503	richard	1264	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
259	richard	1265	listen-address=$PRIVATE_IP
		1266	listen-address=127.0.0.1
286	richard	1267	no-dhcp-interface=$INTIF
259	richard	1268	bind-interfaces
		1269	cache-size=256
		1270	domain=$DOMAIN
		1271	domain-needed
		1272	expand-hosts
		1273	bogus-priv
		1274	filterwin2k
		1275	server=$DNS1
		1276	server=$DNS2
498	richard	1277	# le servive DHCP est configuré mais n'est exploité que pour le "bypass"
865	richard	1278	dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
632	richard	1279	dhcp-option=option:router,$PRIVATE_IP
259	richard	1280	#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
		1281
291	franck	1282	# Exemple de configuration statique : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1283	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1284	EOF
520	richard	1285	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blackhole")
		1286	cat << EOF > /etc/dnsmasq-blackhole.conf
		1287	# Configuration file for "dnsmasq with blackhole"
		1288	# Inclusion de la blacklist <domains> de Toulouse dans la configuration
1015	richard	1289	conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
503	richard	1290	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
498	richard	1291	listen-address=$PRIVATE_IP
		1292	port=54
		1293	no-dhcp-interface=$INTIF
		1294	bind-interfaces
		1295	cache-size=256
		1296	domain=$DOMAIN
		1297	domain-needed
		1298	expand-hosts
		1299	bogus-priv
		1300	filterwin2k
		1301	server=$DNS1
		1302	server=$DNS2
		1303	EOF
718	franck	1304
800	richard	1305	# Init file modification
503	richard	1306	[ -e /etc/init.d/dnsmasq.default ] \|\| cp /etc/init.d/dnsmasq /etc/init.d/dnsmasq.default
800	richard	1307	# Start and stop a 2nd process for the "DNS blackhole"
520	richard	1308	$SED "/daemon/a \$dnsmasq -C /etc/dnsmasq-blackhole.conf \$OPTIONS" /etc/init.d/dnsmasq
503	richard	1309	$SED "/killproc \$DAEMON_NAME/a killproc \$DAEMON_NAME" /etc/init.d/dnsmasq
800	richard	1310	# Start after chilli (65) which create tun0
		1311	$SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
933	franck	1312	# Optionnellement on pré-active les logs DNS des clients
786	richard	1313	[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
933	franck	1314	$SED "s?log-facility?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq
1157	stephane	1315	# Optionnellement, exemple de paramètre supplémentaire pour le cache memoire
		1316	echo '#OPTIONS="$OPTIONS --cache-size=250"' >> /etc/sysconfig/dnsmasq
933	franck	1317	# Optionnellement, exemple de configuration avec un A.D.
1157	stephane	1318	echo '#OPTIONS="$OPTIONS --server=/your.domain/192.168.182.3"' >> /etc/sysconfig/dnsmasq
308	richard	1319	} # End dnsmasq
		1320
		1321	##########################################################
		1322	## Fonction BL (BlackList) ##
		1323	##########################################################
		1324	BL ()
		1325	{
		1326	# on copie par défaut la BL de toulouse embarqués dans l'archive d'ALCASAR
648	richard	1327	rm -rf $DIR_DG/lists/blacklists
		1328	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
878	richard	1329	# on crée le répertoire ossi (noms de domaine et URLs ajoutés à la BL)
		1330	mkdir $DIR_DG/lists/blacklists/ossi
1041	richard	1331	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
		1332	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
309	richard	1333	# On crée les fichiers vides de sites ou d'URL réhabilités
648	richard	1334	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1335	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1336	touch $DIR_DG/lists/exceptionsitelist
		1337	touch $DIR_DG/lists/exceptionurllist
311	richard	1338	# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
648	richard	1339	cat <<EOF > $DIR_DG/lists/bannedurllist
311	richard	1340	# Dansguardian filter config for ALCASAR
		1341	EOF
648	richard	1342	cat <<EOF > $DIR_DG/lists/bannedsitelist
311	richard	1343	# Dansguardian domain filter config for ALCASAR
		1344	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1345	#**
		1346	# block all SSL and CONNECT tunnels
		1347	**s
		1348	# block all SSL and CONNECT tunnels specified only as an IP
		1349	*ips
		1350	# block all sites specified only by an IP
		1351	*ip
		1352	EOF
1000	richard	1353	# Add Bing and Youtube to the safesearch url regext list (parental control)
878	richard	1354	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1355	# Bing - add 'adlt=strict'
		1356	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1357	# Youtube - add 'edufilter=your_ID'
885	richard	1358	#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"
878	richard	1359	EOF
1000	richard	1360	# change the the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1361	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
648	richard	1362	chown -R dansguardian:apache $DIR_DG
		1363	chmod -R g+rw $DIR_DG
786	richard	1364	# On adapte la BL de Toulouse à notre structure
654	richard	1365	if [ "$mode" != "update" ]; then
		1366	$DIR_DEST_SBIN/alcasar-bl.sh --adapt
		1367	fi
308	richard	1368	}
219	jeremy	1369
1	root	1370	##########################################################
		1371	## Fonction cron ##
		1372	## - Mise en place des différents fichiers de cron ##
		1373	##########################################################
		1374	cron ()
		1375	{
		1376	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1377	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1378	cat <<EOF > /etc/crontab
		1379	SHELL=/bin/bash
		1380	PATH=/sbin:/bin:/usr/sbin:/usr/bin
		1381	MAILTO=root
		1382	HOME=/
		1383
		1384	# run-parts
		1385	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1386	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1387	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1388	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1389	EOF
		1390	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1391	cat <<EOF >> /etc/anacrontab
667	franck	1392	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
		1393	7 10 cron.logExport nice /etc/cron.d/alcasar-export_log
		1394	7 15 cron.logClean nice /etc/cron.d/alcasar-clean_log
		1395	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1396	EOF
667	franck	1397	cat <<EOF > /etc/cron.d/alcasar-clean_log
713	franck	1398	# suppression des fichiers de logs de plus d'un an (tous les lundi à 4h30)
865	richard	1399	30 4 * * 1 root $DIR_DEST_BIN/alcasar-log.sh --clean
1	root	1400	EOF
811	richard	1401	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1402	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
955	richard	1403	45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
905	franck	1404	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
917	franck	1405	40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1406	EOF
667	franck	1407	cat <<EOF > /etc/cron.d/alcasar-export_log
713	franck	1408	# export des log squid, firewall et apache (tous les lundi à 5h00)
865	richard	1409	00 5 * * 1 root $DIR_DEST_BIN/alcasar-log.sh --export
1	root	1410	EOF
952	franck	1411	cat <<EOF > /etc/cron.d/alcasar-archive
		1412	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1413	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1414	EOF
667	franck	1415	cat << EOF > /etc/cron.d/alcasar-clean_import
713	franck	1416	# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
503	richard	1417	30 * * * * root $DIR_DEST_BIN/alcasar-import-clean.sh
168	franck	1418	EOF
722	franck	1419	cat << EOF > /etc/cron.d/alcasar-distrib-updates
		1420	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1421	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1422	EOF
1159	crox53	1423	cat << EOF > /etc/cron.d/alcasar-netflow
		1424	# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
		1425	05 0 * * 5 root /usr/bin/nfexpire -e /var/log/nfsen/profiles-data/ALCASAR/ipt_netflow/ -t 1y -w 90
		1426	EOF
		1427
1	root	1428	# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
		1429	# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
		1430	# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
		1431	# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
		1432	# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
		1433	# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
		1434	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
		1435	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
		1436	rm -f /etc/cron.daily/freeradius-web
		1437	rm -f /etc/cron.monthly/freeradius-web
		1438	cat << EOF > /etc/cron.d/freeradius-web
		1439	1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
		1440	5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
		1441	10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
		1442	15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
		1443	EOF
671	franck	1444	cat << EOF > /etc/cron.d/alcasar-watchdog
713	franck	1445	# activation du "chien de garde" (watchdog) toutes les 3'
1	root	1446	/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
		1447	EOF
808	franck	1448	# activation du "chien de garde des services" (watchdog) toutes les 18'
		1449	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
		1450	# activation du "chien de garde" (daemon-watchdog) toutes les 18'
		1451	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1452	EOF
522	richard	1453	# suppression des crons usagers
		1454	rm -f /var/spool/cron/*
1	root	1455	} # End cron
		1456
		1457	##################################################################
1163	crox53	1458	## Fonction Fail2Ban ##
		1459	##- Modification de la configuration de fail2ban ##
		1460	##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ##
		1461	##################################################################
		1462	fail2ban()
		1463	{
		1464	echo "Installation de Fail2Ban"
		1465	$DIR_SCRIPTS/alcasar-fail2ban.sh
1165	crox53	1466	#Autorise la lecture seule des 3 fichiers de log concernés
		1467	chmod 644 /var/log/fail2ban.log
		1468	chmod 644 /var/log/havp/access.log
1163	crox53	1469	} #Fin de fail2ban_install()
		1470
		1471	##################################################################
1	root	1472	## Fonction post_install ##
		1473	## - Modification des bannières (locales et ssh) et des prompts ##
		1474	## - Installation de la structure de chiffrement pour root ##
		1475	## - Mise en place du sudoers et de la sécurité sur les fichiers##
		1476	## - Mise en place du la rotation des logs ##
5	franck	1477	## - Configuration dans le cas d'une mise à jour ##
1	root	1478	##################################################################
		1479	post_install()
		1480	{
		1481	# adaptation du script "chien de garde" (watchdog)
376	franck	1482	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
		1483	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
1	root	1484	# création de la bannière locale
1007	richard	1485	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		1486	cp -f $DIR_CONF/banner /etc/mageia-release
		1487	echo " V$VERSION" >> /etc/mageia-release
1	root	1488	# création de la bannière SSH
1007	richard	1489	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
5	franck	1490	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1491	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1492	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1493	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1494	# postfix banner anonymisation
		1495	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
604	richard	1496	# sshd écoute côté LAN et WAN
1	root	1497	$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
604	richard	1498	$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
860	richard	1499	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
628	richard	1500	echo "SSH=off" >> $CONF_FILE
1063	richard	1501	echo 'SSH_ADMIN_FROM=0.0.0.0/0.0.0.0' >> $CONF_FILE
628	richard	1502	echo "QOS=off" >> $CONF_FILE
		1503	echo "LDAP=off" >> $CONF_FILE
786	richard	1504	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
885	richard	1505	echo "WEB_ANTIVIRUS=on" >> $CONF_FILE
628	richard	1506	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
		1507	echo "DNS_FILTERING=off" >> $CONF_FILE
885	richard	1508	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1078	franck	1509	echo "MULTIWAN=off" >> $CONF_FILE
		1510	echo "FAILOVER=30" >> $CONF_FILE
		1511	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
		1512	echo "#WAN1=\"1,eth0:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
		1513	echo "#WAN2=\"1,eth0:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1	root	1514	# Coloration des prompts
		1515	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1516	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1517	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1	root	1518	# Droits d'exécution pour utilisateur apache et sysadmin
		1519	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1520	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1521	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
132	franck	1522	# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, squid, radiusd, ulogd)
1	root	1523	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		1524	chmod 644 /etc/logrotate.d/*
714	franck	1525	# rectification sur versions précédentes de la compression des logs
706	franck	1526	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		1527	# actualisation des fichiers logs compressés
714	franck	1528	for dir in firewall squid dansguardian httpd
706	franck	1529	do
714	franck	1530	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	1531	done
		1532	# export des logs en 'retard' dans /var/Save/logs
865	richard	1533	/usr/local/bin/alcasar-log.sh --export
1	root	1534	# processus lancés par défaut au démarrage
1159	crox53	1535	for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam nfsen
1	root	1536	do
		1537	/sbin/chkconfig --add $i
		1538	done
1005	richard	1539
1157	stephane	1540	cat << EOF > /etc/rc.local
		1541	/usr/local/sbin/alcasar-load_balancing.sh start &
		1542	sleep 3
		1543	service radiusd restart
		1544	EOF
953	franck	1545
1005	richard	1546	# On applique les préconisations ANSSI
		1547	# Apply French Security Agency rules
568	richard	1548	# ignorer les broadcast ICMP. (attaque smurf)
		1549	sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
		1550	# ignorer les erreurs ICMP bogus
		1551	sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
595	richard	1552	# désactiver l'envoi et la réponse aux ICMP redirects
679	richard	1553	sysctl -w net.ipv4.conf.all.accept_redirects=0
568	richard	1554	accept_redirect=`grep accept_redirect /etc/sysctl.conf\|wc -l`
		1555	if [ "$accept_redirect" == "0" ]
		1556	then
679	richard	1557	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
		1558	else
		1559	$SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf
568	richard	1560	fi
679	richard	1561	sysctl -w net.ipv4.conf.all.send_redirects=0
568	richard	1562	send_redirect=`grep send_redirect /etc/sysctl.conf\|wc -l`
		1563	if [ "$send_redirect" == "0" ]
		1564	then
679	richard	1565	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
		1566	else
		1567	$SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf
568	richard	1568	fi
		1569	# activer les SYN Cookies (attaque syn flood)
679	richard	1570	sysctl -w net.ipv4.tcp_syncookies=1
568	richard	1571	tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf\|wc -l`
		1572	if [ "$tcp_syncookies" == "0" ]
		1573	then
679	richard	1574	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
		1575	else
		1576	$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf
568	richard	1577	fi
595	richard	1578	# activer l'antispoofing niveau Noyau
568	richard	1579	sysctl -w net.ipv4.conf.all.rp_filter=1
		1580	# ignorer le source routing
679	richard	1581	sysctl -w net.ipv4.conf.all.accept_source_route=0
568	richard	1582	accept_source_route=`grep accept_source_route /etc/sysctl.conf\|wc -l`
		1583	if [ "$accept_source_route" == "0" ]
		1584	then
679	richard	1585	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
		1586	else
		1587	$SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf
568	richard	1588	fi
679	richard	1589	# réglage du timer de maintien de suivi de session à 1h (3600s) au lieu de 5 semaines
		1590	sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
		1591	timeout_established=`grep timeout_established /etc/sysctl.conf\|wc -l`
		1592	if [ "$timeout_established" == "0" ]
		1593	then
		1594	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf
		1595	else
793	richard	1596	$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf
679	richard	1597	fi
1157	stephane	1598	# disable log_martians (ALCASAR is often installed between two private network addresses)
568	richard	1599	sysctl -w net.ipv4.conf.all.log_martians=0
306	richard	1600	# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
1005	richard	1601	# ??? $SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
59	richard	1602	# modification /etc/inittab
		1603	[ -e /etc/inittab.default ] \|\| cp /etc/inittab /etc/inittab.default
1003	richard	1604	# We keep only 3 TTYs
59	richard	1605	$SED "s?^4.*?#&?g" /etc/inittab
		1606	$SED "s?^5.*?#&?g" /etc/inittab
		1607	$SED "s?^6.*?#&?g" /etc/inittab
1003	richard	1608	# switch to multi-users runlevel (instead of x11)
		1609	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
		1610	$SED "s?^id.*?id:3:initdefault:?g" /etc/inittab
1005	richard	1611	# GRUB modifications
		1612	# limit wait time to 3s
		1613	# create an alcasar entry instead of linux-nonfb
		1614	# change display to 1024*768 (vga791)
470	richard	1615	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
1005	richard	1616	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
		1617	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
		1618	$SED "/^kernel/s/vga=.*/vga=791/" /boot/grub/menu.lst
1076	richard	1619	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
1007	richard	1620	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1005	richard	1621
1003	richard	1622	# Remove unused services and users
1007	richard	1623	for old_svc in alsa sound dm
532	richard	1624	do
1007	richard	1625	/sbin/chkconfig --del $old_svc
532	richard	1626	done
1008	richard	1627	for svc in snmpd.service sshd.service
1007	richard	1628	do
1008	richard	1629	/bin/systemctl disable $svc
1007	richard	1630	done
532	richard	1631	for rm_users in avahi-autoipd avahi icapd
		1632	do
		1633	user=`cat /etc/passwd\|grep $rm_users\|cut -d":" -f1`
		1634	if [ "$user" == "$rm_users" ]
		1635	then
		1636	/usr/sbin/userdel -f $rm_users
		1637	fi
		1638	done
1060	richard	1639	# Load and apply the previous conf file
5	franck	1640	if [ "$mode" = "update" ]
		1641	then
389	franck	1642	$DIR_DEST_BIN/alcasar-conf.sh --load
1060	richard	1643	PARENT_SCRIPT=`basename $0`
		1644	export PARENT_SCRIPT # to avoid stop&start process during the installation process
		1645	$DIR_DEST_BIN/alcasar-conf.sh --apply
628	richard	1646	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		1647	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
5	franck	1648	fi
595	richard	1649	rm -f /tmp/alcasar-conf*
434	richard	1650	chown -R root:apache $DIR_DEST_ETC/*
512	richard	1651	chmod -R 660 $DIR_DEST_ETC/*
1041	richard	1652	chmod ug+x $DIR_DEST_ETC/digest
1157	stephane	1653
		1654	# Fix the Mageia bug in function "/etc/sysconfig/network-scripts/network-functions"
		1655	[ -e /sbin/ethtool ] \|\| ln -s /usr/sbin/ethtool /sbin/ethtool
		1656
1045	franck	1657	# Apply and save the firewall rules
		1658	sh $DIR_DEST_BIN/alcasar-iptables.sh
		1659	sleep 2
1	root	1660	cd $DIR_INSTALL
5	franck	1661	echo ""
1	root	1662	echo "#############################################################################"
638	richard	1663	if [ $Lang == "fr" ]
		1664	then
		1665	echo "# Fin d'installation d'ALCASAR #"
		1666	echo "# #"
		1667	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1668	echo "# des Accès au Réseau ( ALCASAR ) #"
		1669	echo "# #"
		1670	echo "#############################################################################"
		1671	echo
		1672	echo "- ALCASAR sera fonctionnel après redémarrage du système"
		1673	echo
		1674	echo "- Lisez attentivement la documentation d'exploitation"
		1675	echo
		1676	echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		1677	echo
		1678	echo " Appuyez sur 'Entrée' pour continuer"
		1679	else
		1680	echo "# Enf of ALCASAR install process #"
		1681	echo "# #"
		1682	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1683	echo "# des Accès au Réseau ( ALCASAR ) #"
		1684	echo "# #"
		1685	echo "#############################################################################"
		1686	echo
		1687	echo "- The system will be rebooted in order to operate ALCASAR"
		1688	echo
		1689	echo "- Read the exploitation documentation"
		1690	echo
		1691	echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		1692	echo
		1693	echo " Hit 'Enter' to continue"
		1694	fi
815	richard	1695	sleep 2
		1696	if [ "$mode" != "update" ]
820	richard	1697	then
815	richard	1698	read a
		1699	fi
774	richard	1700	clear
1045	franck	1701
1	root	1702	reboot
		1703	} # End post_install ()
		1704
		1705	#################################
1005	richard	1706	# Main Install loop #
1	root	1707	#################################
832	richard	1708	dir_exec=`dirname "$0"`
		1709	if [ $dir_exec != "." ]
		1710	then
		1711	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
		1712	echo "Launch this program from the ALCASAR archive directory"
		1713	exit 0
		1714	fi
		1715	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	1716	usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"
1	root	1717	nb_args=$#
		1718	args=$1
		1719	if [ $nb_args -eq 0 ]
		1720	then
		1721	nb_args=1
		1722	args="-h"
		1723	fi
1062	richard	1724	chmod -R u+x $DIR_SCRIPTS/*
1	root	1725	case $args in
		1726	-\? \| -h* \| --h*)
		1727	echo "$usage"
		1728	exit 0
		1729	;;
291	franck	1730	-i \| --install)
959	franck	1731	license
5	franck	1732	header_install
29	richard	1733	testing
597	richard	1734	# Test if ALCASAR is already installed
5	franck	1735	if [ -e $DIR_WEB/VERSION ]
1	root	1736	then
460	richard	1737	actual_version=`cat $DIR_WEB/VERSION`
595	richard	1738	if [ $Lang == "fr" ]
		1739	then echo -n "La version "; echo -n $actual_version ; echo " d'ALCASAR est déjà installée";
		1740	else echo -n "ALCASAR Version "; echo -n $actual_version ; echo " is already installed";
		1741	fi
5	franck	1742	response=0
460	richard	1743	PTN='^[oOnNyY]$'
580	richard	1744	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	1745	do
595	richard	1746	if [ $Lang == "fr" ]
		1747	then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
		1748	else echo -n "Do you want to update (Y/n)?";
		1749	fi
5	franck	1750	read response
		1751	done
597	richard	1752	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
5	franck	1753	then
597	richard	1754	rm -f /tmp/alcasar-conf*
		1755	else
636	richard	1756	# Create a backup of running version importants files
389	franck	1757	$DIR_SCRIPTS/alcasar-conf.sh --create
532	richard	1758	mode="update"
5	franck	1759	fi
1	root	1760	fi
595	richard	1761	# RPMs install
		1762	$DIR_SCRIPTS/alcasar-urpmi.sh
1159	crox53	1763	echo "Mise à jour des modules noyau installés"
595	richard	1764	if [ "$?" != "0" ]
1	root	1765	then
595	richard	1766	exit 0
		1767	fi
		1768	if [ -e $DIR_WEB/VERSION ]
		1769	then
597	richard	1770	# Uninstall the running version
532	richard	1771	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
595	richard	1772	fi
636	richard	1773	# Test if manual update
1057	richard	1774	if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" != "update" ]
595	richard	1775	then
636	richard	1776	header_install
595	richard	1777	if [ $Lang == "fr" ]
636	richard	1778	then echo "Le fichier de configuration d'une ancienne version a été trouvé";
		1779	else echo "The configuration file of an old version has been found";
595	richard	1780	fi
597	richard	1781	response=0
		1782	PTN='^[oOnNyY]$'
		1783	until [[ $(expr $response : $PTN) -gt 0 ]]
		1784	do
		1785	if [ $Lang == "fr" ]
		1786	then echo -n "Voulez-vous l'utiliser (O/n)? ";
		1787	else echo -n "Do you want to use it (Y/n)?";
		1788	fi
		1789	read response
		1790	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		1791	then rm -f /tmp/alcasar-conf*
		1792	fi
		1793	done
		1794	fi
636	richard	1795	# Test if update
1057	richard	1796	if [ -e /tmp/alcasar-conf* ]
597	richard	1797	then
		1798	if [ $Lang == "fr" ]
		1799	then echo "#### Installation avec mise à jour ####";
		1800	else echo "#### Installation with update ####";
		1801	fi
636	richard	1802	# Extract the central configuration file
1057	richard	1803	tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
637	richard	1804	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	1805	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		1806	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		1807	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		1808	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	1809	mode="update"
		1810	else
		1811	mode="install"
1	root	1812	fi
1163	crox53	1813	for func in init network gestion AC init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron fail2ban post_install
5	franck	1814	do
		1815	$func
1157	stephane	1816	# echo "* 'debug' : end of function $func *"; read a
14	richard	1817	done
5	franck	1818	;;
291	franck	1819	-u \| --uninstall)
5	franck	1820	if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1	root	1821	then
597	richard	1822	if [ $Lang == "fr" ]
		1823	then echo "ALCASAR n'est pas installé!";
		1824	else echo "ALCASAR isn't installed!";
		1825	fi
1	root	1826	exit 0
		1827	fi
5	franck	1828	response=0
		1829	PTN='^[oOnN]$'
580	richard	1830	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	1831	do
597	richard	1832	if [ $Lang == "fr" ]
		1833	then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
854	richard	1834	else echo -n "Do you want to create the running version configuration file (Y/n)? ";
597	richard	1835	fi
5	franck	1836	read response
		1837	done
1103	richard	1838	if [ "$response" = "o" ] \|\| [ "$response" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]
1	root	1839	then
1103	richard	1840	$DIR_SCRIPTS/alcasar-conf.sh --create
498	richard	1841	else
		1842	rm -f /tmp/alcasar-conf*
1	root	1843	fi
597	richard	1844	# Uninstall the running version
65	richard	1845	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1	root	1846	;;
		1847	*)
		1848	echo "Argument inconnu :$1";
460	richard	1849	echo "Unknown argument :$1";
1	root	1850	echo "$usage"
		1851	exit 1
		1852	;;
		1853	esac
10	franck	1854	# end of script
366	franck	1855

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1165