WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
57	franck	2	# $Id: alcasar.sh 1294 2014-01-12 23:03:00Z richard $
1	root	3
		4	# alcasar.sh
959	franck	5
1157	stephane	6	# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
		7	# Ce programme est un logiciel libre ; This software is free and open source
959	franck	8	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		9	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		10	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		11	# Voir la Licence Publique Générale GNU pour plus de détails.
		12
967	franck	13	# team@alcasar.net
959	franck	14
1	root	15	# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
		16	# This script is distributed under the Gnu General Public License (GPL)
		17
672	richard	18	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	19	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	20	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
1007	richard	21	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
672	richard	22	#
1221	richard	23	# Coovachilli, freeradius, mariaDB, apache, netfilter, squid, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav, Ulog, fail2ban, NFsen and NFdump
1	root	24
		25	# Options :
376	franck	26	# -i or --install
		27	# -u or --uninstall
1	root	28
376	franck	29	# Functions :
1221	richard	30	# testing : connectivity tests and downloading before intall
		31	# init : Installation of RPM and scripts
		32	# network : Network parameters
		33	# ACC : ALCASAR Control Center installation
		34	# CA : Certification Authority initialization
		35	# init_db : Initilization of radius database managed with MariaDB
		36	# param_radius : FreeRadius initialisation
		37	# param_web_radius : copy ans modifiy original "freeradius web" in ACC
		38	# param_chilli : coovachilli initialisation (+authentication page)
		39	# param_squid : Squid cache proxy configuration
		40	# param_dansguardian : DansGuardian filtering HTTP proxy configuration
		41	# antivirus : HAVP + libclamav configuration
		42	# param_nfsen : Configuration du grapheur nfsen pour apache
1253	richard	43	# dnsmasq : Name server configuration
		44	# BL : BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
1266	richard	45	# cron : Logs export + watchdog + connexion statistics
1253	richard	46	# fail2ban : Fail2ban installation and configuration
1266	richard	47	# post_install : Security, log rotation, etc.
1	root	48
		49	DATE=`date '+%d %B %Y - %Hh%M'`
		50	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	51	Lang=`echo $LANG\|cut -c 1-2`
1	root	52	# ***** Files parameters - paramètres fichiers *******
1015	richard	53	DIR_INSTALL=`pwd` # current directory
		54	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		55	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
		56	DIR_SAVE="/var/Save" # backup directory (system_backup, user_db_backup, logs)
		57	DIR_WEB="/var/www/html" # directory of APACHE
		58	DIR_DG="/etc/dansguardian" # directory of DansGuardian
		59	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
		60	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		61	DIR_DEST_SBIN="/usr/local/sbin" # directory of ALCASAR admin scripts
		62	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
		63	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
		64	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
		65	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	66	# ***** DBMS parameters - paramètres SGBD ******
1243	richard	67	DB_RADIUS="radius" # database name used by FreeRadius server
		68	DB_USER="radius" # user name allows to request the users database
1	root	69	# ***** Network parameters - paramètres réseau *****
1211	crox53	70	HOSTNAME="alcasar" #
1243	richard	71	DOMAIN="localdomain" # default local domain
		72	EXTIF="eth0" # ETH0 is connected to the ISP broadband modem/router (In France : Box-FAI )
1148	crox53	73	MTU="1500"
1157	stephane	74	ETHTOOL_OPTS='"autoneg off speed 100 duplex full"'
1243	richard	75	INTIF="eth1" # ETH1 is connected to the consultation network
		76	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
1	root	77	# **** Paths - chemin des commandes *****
		78	SED="/bin/sed -i"
		79	# **************** End of global parameters *******************
		80
959	franck	81	license ()
		82	{
		83	if [ $Lang == "fr" ]
967	franck	84	then cat $DIR_INSTALL/gpl-3.0.fr.txt \| more
		85	else cat $DIR_INSTALL/gpl-3.0.txt \| more
959	franck	86	fi
975	franck	87	echo "Taper sur Entrée pour continuer !"
		88	echo "Enter to continue."
959	franck	89	read a
		90	}
		91
1	root	92	header_install ()
		93	{
		94	clear
		95	echo "-----------------------------------------------------------------------------"
460	richard	96	echo " ALCASAR V$VERSION Installation"
1	root	97	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		98	echo "-----------------------------------------------------------------------------"
		99	} # End of header_install ()
		100
1174	crox53	101	#Launch network service (useful only when Mageia is running in SafeFail mode)
		102	service network start
		103
1	root	104	##################################################################
1221	richard	105	## Function "testing" ##
1005	richard	106	## - Test of Internet access ##
29	richard	107	##################################################################
		108	testing ()
		109	{
595	richard	110	if [ $Lang == "fr" ]
784	richard	111	then echo -n "Tests des paramètres réseau : "
595	richard	112	else echo -n "Network parameters tests : "
		113	fi
784	richard	114	# We test eth0 config files
		115	PUBLIC_IP=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		116	PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		117	if [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
		118	then
		119	if [ $Lang == "fr" ]
		120	then
		121	echo "Échec"
		122	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		123	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
830	richard	124	echo "Appliquez les changements : 'service network restart'"
784	richard	125	else
		126	echo "Failed"
		127	echo "The Internet connected network card ($EXTIF) isn't well configured."
		128	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
830	richard	129	echo "Apply the new configuration 'service network restart'"
784	richard	130	fi
830	richard	131	echo "DEVICE=$EXTIF"
784	richard	132	echo "IPADDR="
		133	echo "NETMASK="
		134	echo "GATEWAY="
		135	echo "DNS1="
		136	echo "DNS2="
830	richard	137	echo "ONBOOT=yes"
784	richard	138	exit 0
		139	fi
		140	echo -n "."
460	richard	141	# We test the Ethernet links state
29	richard	142	for i in $EXTIF $INTIF
		143	do
294	richard	144	/sbin/ip link set $i up
306	richard	145	sleep 3
1031	richard	146	CMD=`/usr/sbin/ethtool $i \|egrep 'Link detected'\| awk '{print $NF}'`
		147	CMD2=`/sbin/mii-tool $i \| grep link \| awk '{print $NF}'`
808	franck	148	if [ $CMD != "yes" ] && [ $CMD2 != "ok" ]
29	richard	149	then
595	richard	150	if [ $Lang == "fr" ]
		151	then
		152	echo "Échec"
		153	echo "Le lien réseau de la carte $i n'est pas actif."
		154	echo "Réglez ce problème puis relancez ce script."
		155	else
		156	echo "Failed"
		157	echo "The link state of $i interface id down."
		158	echo "Resolv this problem, then restart this script."
		159	fi
29	richard	160	exit 0
		161	fi
308	richard	162	echo -n "."
29	richard	163	done
		164	# On teste la présence d'un routeur par défaut (Box FAI)
784	richard	165	if [ `ip route list\|grep -c ^default` -ne "1" ] ; then
595	richard	166	if [ $Lang == "fr" ]
		167	then
		168	echo "Échec"
		169	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		170	echo "Réglez ce problème puis relancez ce script."
		171	else
		172	echo "Failed"
		173	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		174	echo "Resolv this problem, then restart this script."
		175	fi
29	richard	176	exit 0
		177	fi
308	richard	178	echo -n "."
978	franck	179	# On traite le cas où l'interface configurée lors de l'installation est "eth1" au lieu de "eth0" (mystère sur certaines versions de BIOS et de VirtualBox)
784	richard	180	if [ `ip route list\|grep ^default\|grep -c eth1` -eq "1" ] ; then
595	richard	181	if [ $Lang == "fr" ]
		182	then echo "La configuration des cartes réseau va être corrigée."
		183	else echo "The Ethernet card configuration will be corrected."
		184	fi
29	richard	185	/etc/init.d/network stop
		186	mv -f /etc/sysconfig/network-scripts/ifcfg-eth1 /etc/sysconfig/network-scripts/ifcfg-eth0
		187	$SED "s?eth1?eth0?g" /etc/sysconfig/network-scripts/ifcfg-eth0
		188	/etc/init.d/network start
		189	echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
		190	sleep 2
595	richard	191	if [ $Lang == "fr" ]
		192	then echo "Configuration corrigée"
		193	else echo "Configuration updated"
		194	fi
29	richard	195	sleep 2
595	richard	196	if [ $Lang == "fr" ]
		197	then echo "Vous pouvez relancer ce script."
		198	else echo "You can restart this script."
		199	fi
29	richard	200	exit 0
		201	fi
308	richard	202	echo -n "."
978	franck	203	# On teste le lien vers le routeur par defaut
308	richard	204	IP_GW=`ip route list\|grep ^default\|cut -d" " -f3`
		205	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $IP_GW\|grep response\|cut -d" " -f2`
527	richard	206	if [ $(expr $arp_reply) -eq 0 ]
308	richard	207	then
595	richard	208	if [ $Lang == "fr" ]
		209	then
		210	echo "Échec"
		211	echo "Le routeur de site ou la Box Internet ($IP_GW) ne répond pas."
		212	echo "Réglez ce problème puis relancez ce script."
		213	else
		214	echo "Failed"
		215	echo "The Internet gateway doesn't answered"
		216	echo "Resolv this problem, then restart this script."
		217	fi
308	richard	218	exit 0
		219	fi
		220	echo -n "."
421	franck	221	# On teste la connectivité Internet
29	richard	222	rm -rf /tmp/con_ok.html
308	richard	223	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	224	if [ ! -e /tmp/con_ok.html ]
		225	then
595	richard	226	if [ $Lang == "fr" ]
		227	then
		228	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		229	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		230	echo "Vérifiez la validité des adresses IP des DNS."
		231	else
		232	echo "The Internet connection try failed (google.fr)."
		233	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		234	echo "Verify the DNS IP addresses"
		235	fi
29	richard	236	exit 0
		237	fi
		238	rm -rf /tmp/con_ok.html
308	richard	239	echo ". : ok"
302	richard	240	} # end of testing
		241
		242	##################################################################
1221	richard	243	## Function "init" ##
302	richard	244	## - Création du fichier "/root/ALCASAR_parametres.txt" ##
		245	## - Installation et modification des scripts du portail ##
		246	##################################################################
		247	init ()
		248	{
527	richard	249	if [ "$mode" != "update" ]
302	richard	250	then
		251	# On affecte le nom d'organisme
597	richard	252	header_install
302	richard	253	ORGANISME=!
		254	PTN='^[a-zA-Z0-9-]*$'
580	richard	255	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
302	richard	256	do
595	richard	257	if [ $Lang == "fr" ]
597	richard	258	then echo -n "Entrez le nom de votre organisme : "
		259	else echo -n "Enter the name of your organism : "
595	richard	260	fi
330	franck	261	read ORGANISME
613	richard	262	if [ "$ORGANISME" == "" ]
330	franck	263	then
		264	ORGANISME=!
		265	fi
		266	done
302	richard	267	fi
1	root	268	# On crée aléatoirement les mots de passe et les secrets partagés
628	richard	269	rm -f $PASSWD_FILE
59	richard	270	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de protection du menu Grub
628	richard	271	echo -n "Password to protect the boot menu (GRUB) : " > $PASSWD_FILE
		272	echo "$grubpwd" >> $PASSWD_FILE
59	richard	273	md5_grubpwd=`/usr/bin/md5pass $grubpwd`
384	richard	274	$SED "/^password.*/d" /boot/grub/menu.lst
		275	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
1	root	276	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de l'administrateur Mysqld
1003	richard	277	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
628	richard	278	echo "root / $mysqlpwd" >> $PASSWD_FILE
1	root	279	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de l'utilisateur Mysqld (utilisé par freeradius)
1003	richard	280	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
628	richard	281	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
1	root	282	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # secret partagé entre intercept.php et coova-chilli
628	richard	283	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
		284	echo "$secretuam" >> $PASSWD_FILE
1	root	285	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # secret partagé entre coova-chilli et FreeRadius
628	richard	286	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
		287	echo "$secretradius" >> $PASSWD_FILE
		288	chmod 640 $PASSWD_FILE
977	richard	289	# Scripts and conf files copy
		290	# - in /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
5	franck	291	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
977	richard	292	# - in /usr/local/sbin : alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
5	franck	293	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
977	richard	294	# - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
648	richard	295	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
1	root	296	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
		297	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
5	franck	298	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
		299	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
628	richard	300	# generate central conf file
		301	cat <<EOF > $CONF_FILE
612	richard	302	##########################################
		303	## ##
		304	## ALCASAR Parameters ##
		305	## ##
		306	##########################################
1	root	307
612	richard	308	INSTALL_DATE=$DATE
		309	VERSION=$VERSION
		310	ORGANISM=$ORGANISME
923	franck	311	DOMAIN=$DOMAIN
612	richard	312	EOF
628	richard	313	chmod o-rwx $CONF_FILE
1	root	314	} # End of init ()
		315
		316	##################################################################
1221	richard	317	## Function "network" ##
1	root	318	## - Définition du plan d'adressage du réseau de consultation ##
595	richard	319	## - Nommage DNS du système ##
1	root	320	## - Configuration de l'interface eth1 (réseau de consultation) ##
		321	## - Modification du fichier /etc/hosts ##
		322	## - Configuration du serveur de temps (NTP) ##
		323	## - Renseignement des fichiers hosts.allow et hosts.deny ##
		324	##################################################################
		325	network ()
		326	{
		327	header_install
636	richard	328	if [ "$mode" != "update" ]
		329	then
		330	if [ $Lang == "fr" ]
		331	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		332	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		333	fi
		334	response=0
		335	PTN='^[oOyYnN]$'
		336	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	337	do
595	richard	338	if [ $Lang == "fr" ]
659	richard	339	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	340	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	341	fi
1	root	342	read response
		343	done
636	richard	344	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		345	then
		346	PRIVATE_IP_MASK="0"
		347	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		348	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	349	do
595	richard	350	if [ $Lang == "fr" ]
597	richard	351	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		352	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	353	fi
597	richard	354	read PRIVATE_IP_MASK
1	root	355	done
636	richard	356	else
		357	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		358	fi
595	richard	359	else
637	richard	360	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		361	rm -rf conf/etc/alcasar.conf
1	root	362	fi
861	richard	363	# Define LAN side global parameters
1243	richard	364	hostname $HOSTNAME.$DOMAIN
		365	echo $HOSTNAME.$DOMAIN > /etc/hostname
977	richard	366	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
		367	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
		368	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
		369	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
		370	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
		371	classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; classe_sup_sup=`expr $classe + 2` # ie.: 2=classe B, 3=classe C
		372	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		373	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
		374	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f$classe_sup` # last octet of LAN address
		375	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f$classe_sup` # last octet of LAN broadcast
837	richard	376	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
977	richard	377	PRIVATE_SECOND_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 2` # second network address (ex.: 192.168.182.2)
837	richard	378	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
977	richard	379	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6` # MAC address of INTIF (eth1)
841	richard	380	# Define Internet parameters
14	richard	381	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		382	DNS1=`grep DNS1 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 1er DNS
		383	DNS2=`grep DNS2 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 2ème DNS
70	franck	384	DNS1=${DNS1:=208.67.220.220}
		385	DNS2=${DNS2:=208.67.222.222}
597	richard	386	PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2`
1052	richard	387	DEFAULT_PUBLIC_NETMASK=`ipcalc -m $PUBLIC_IP \| cut -d"=" -f2`
784	richard	388	PUBLIC_NETMASK=${PUBLIC_NETMASK:=$DEFAULT_PUBLIC_NETMASK}
1052	richard	389	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	390	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
765	stephane	391	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
994	franck	392	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	393	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
		394	echo "DNS1=$DNS1" >> $CONF_FILE
		395	echo "DNS2=$DNS2" >> $CONF_FILE
		396	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
941	richard	397	echo "DHCP=full" >> $CONF_FILE
914	franck	398	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		399	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		400	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
597	richard	401	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
841	richard	402	# config network
1	root	403	cat <<EOF > /etc/sysconfig/network
		404	NETWORKING=yes
1243	richard	405	HOSTNAME="$HOSTNAME.$DOMAIN"
1	root	406	FORWARD_IPV4=true
		407	EOF
841	richard	408	# config /etc/hosts
1	root	409	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		410	cat <<EOF > /etc/hosts
503	richard	411	127.0.0.1 localhost
1250	richard	412	$PRIVATE_IP $HOSTNAME.$DOMAIN
1	root	413	EOF
841	richard	414	# Config eth0 (Internet)
14	richard	415	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		416	DEVICE=$EXTIF
		417	BOOTPROTO=static
597	richard	418	IPADDR=$PUBLIC_IP
		419	NETMASK=$PUBLIC_NETMASK
		420	GATEWAY=$PUBLIC_GATEWAY
14	richard	421	DNS1=127.0.0.1
		422	ONBOOT=yes
		423	METRIC=10
		424	NOZEROCONF=yes
		425	MII_NOT_SUPPORTED=yes
		426	IPV6INIT=no
		427	IPV6TO4INIT=no
		428	ACCOUNTING=no
		429	USERCTL=no
994	franck	430	MTU=$MTU
14	richard	431	EOF
841	richard	432	# Config eth1 (consultation LAN) in normal mode
		433	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		434	DEVICE=$INTIF
		435	BOOTPROTO=static
		436	ONBOOT=yes
		437	NOZEROCONF=yes
		438	MII_NOT_SUPPORTED=yes
		439	IPV6INIT=no
		440	IPV6TO4INIT=no
		441	ACCOUNTING=no
		442	USERCTL=no
1157	stephane	443	ETHTOOL_OPTS=$ETHTOOL_OPTS
841	richard	444	EOF
		445	# Config of eth1 in bypass mode (see "alcasar-bypass.sh")
793	richard	446	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
1	root	447	DEVICE=$INTIF
		448	BOOTPROTO=static
		449	IPADDR=$PRIVATE_IP
604	richard	450	NETMASK=$PRIVATE_NETMASK
1	root	451	ONBOOT=yes
		452	METRIC=10
		453	NOZEROCONF=yes
		454	MII_NOT_SUPPORTED=yes
14	richard	455	IPV6INIT=no
		456	IPV6TO4INIT=no
		457	ACCOUNTING=no
		458	USERCTL=no
1	root	459	EOF
440	franck	460	# Mise à l'heure du serveur
		461	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		462	cat <<EOF > /etc/ntp/step-tickers
455	franck	463	0.fr.pool.ntp.org # adapt to your country
		464	1.fr.pool.ntp.org
		465	2.fr.pool.ntp.org
440	franck	466	EOF
		467	# Configuration du serveur de temps (sur lui même)
1	root	468	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		469	cat <<EOF > /etc/ntp.conf
456	franck	470	server 0.fr.pool.ntp.org # adapt to your country
447	franck	471	server 1.fr.pool.ntp.org
		472	server 2.fr.pool.ntp.org
		473	server 127.127.1.0 # local clock si NTP internet indisponible ...
411	richard	474	fudge 127.127.1.0 stratum 10
604	richard	475	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
1	root	476	restrict 127.0.0.1
310	richard	477	driftfile /var/lib/ntp/drift
1	root	478	logfile /var/log/ntp.log
		479	EOF
440	franck	480
310	richard	481	chown -R ntp:ntp /var/lib/ntp
1	root	482	# Renseignement des fichiers hosts.allow et hosts.deny
		483	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		484	cat <<EOF > /etc/hosts.allow
		485	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	486	sshd: ALL
1	root	487	ntpd: $PRIVATE_NETWORK_SHORT
		488	EOF
		489	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		490	cat <<EOF > /etc/hosts.deny
		491	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		492	EOF
604	richard	493	# Firewall config
790	richard	494	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		495	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		496	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	497	# create the filter exception file and ip_bloqued file
790	richard	498	touch $DIR_DEST_ETC/alcasar-filter-exceptions
860	richard	499	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
1069	richard	500	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	501	# load conntrack ftp module
		502	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
		503	echo "ip_conntrack_ftp" >> /etc/modprobe.preload
1159	crox53	504	# load ipt_NETFLOW module
		505	echo "ipt_NETFLOW" >> /etc/modprobe.preload
1157	stephane	506	#
860	richard	507	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	508	} # End of network ()
		509
		510	##################################################################
1221	richard	511	## Function "ACC" ##
		512	## - installation du centre de gestion (ALCASAR Control Center) ##
1	root	513	## - configuration du serveur web (Apache) ##
		514	## - définition du 1er comptes de gestion ##
		515	## - sécurisation des accès ##
		516	##################################################################
1221	richard	517	ACC ()
1	root	518	{
		519	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		520	mkdir $DIR_WEB
		521	# Copie et configuration des fichiers du centre de gestion
316	richard	522	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972	richard	523	echo "$VERSION" > $DIR_WEB/VERSION
316	richard	524	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		525	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		526	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		527	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
1243	richard	528	$SED "s?\$hostname =.*?\$hostname = \"$HOSTNAME.$DOMAIN\";?g" $DIR_WEB/index.php
316	richard	529	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	530	chown -R apache:apache $DIR_WEB/*
840	richard	531	for i in system_backup base logs/firewall logs/httpd logs/squid logs/security;
1	root	532	do
		533	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		534	done
5	franck	535	chown -R root:apache $DIR_SAVE
71	richard	536	# Configuration et sécurisation php
		537	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	538	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		539	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	540	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		541	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71	richard	542	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		543	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
		544	# Configuration et sécurisation Apache
790	richard	545	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1	root	546	[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
1243	richard	547	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
303	richard	548	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1	root	549	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
		550	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
		551	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
790	richard	552	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
		553	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
		554	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
		555	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
		556	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
		557	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
990	franck	558	$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf
1	root	559	FIC_MOD_SSL=`find /etc/httpd/modules.d/ -type f -name *mod_ssl.conf`
		560	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" $FIC_MOD_SSL # On écoute en SSL que sur INTIF
		561	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /var/www/error/include/top.html
		562	[ -e /var/www/error/include/bottom.html.default ] \|\| mv /var/www/error/include/bottom.html /var/www/error/include/bottom.html.default
		563	cat <<EOF > /var/www/error/include/bottom.html
		564	</body>
		565	</html>
		566	EOF
		567	# Définition du premier compte lié au profil 'admin'
509	richard	568	header_install
510	richard	569	if [ "$mode" = "install" ]
		570	then
613	richard	571	admin_portal=!
		572	PTN='^[a-zA-Z0-9-]*$'
		573	until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
		574	do
		575	header_install
		576	if [ $Lang == "fr" ]
		577	then
		578	echo ""
		579	echo "Définissez un premier compte d'administration du portail :"
		580	echo
		581	echo -n "Nom : "
		582	else
		583	echo ""
		584	echo "Define the first account allow to administrate the portal :"
		585	echo
		586	echo -n "Account : "
		587	fi
		588	read admin_portal
		589	if [ "$admin_portal" == "" ]
		590	then
		591	admin_portal=!
		592	fi
		593	done
1268	richard	594	# Creation of keys file for the admin account ("admin")
510	richard	595	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		596	mkdir -p $DIR_DEST_ETC/digest
		597	chmod 755 $DIR_DEST_ETC/digest
		598	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		599	do
1243	richard	600	/usr/sbin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
510	richard	601	done
		602	$DIR_DEST_SBIN/alcasar-profil.sh --list
		603	fi
434	richard	604	# synchronisation horaire
		605	ntpd -q -g &
1	root	606	# Sécurisation du centre
988	franck	607	rm -f /etc/httpd/conf/webapps.d/alcasar*
1	root	608	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	609	<Directory $DIR_ACC>
1	root	610	SSLRequireSSL
		611	AllowOverride None
		612	Order deny,allow
		613	Deny from all
		614	Allow from 127.0.0.1
		615	Allow from $PRIVATE_NETWORK_MASK
990	franck	616	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	617	require valid-user
		618	AuthType digest
1243	richard	619	AuthName $HOSTNAME.$DOMAIN
1	root	620	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	621	AuthUserFile $DIR_DEST_ETC/digest/key_all
1243	richard	622	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	623	</Directory>
316	richard	624	<Directory $DIR_ACC/admin>
1	root	625	SSLRequireSSL
		626	AllowOverride None
		627	Order deny,allow
		628	Deny from all
		629	Allow from 127.0.0.1
		630	Allow from $PRIVATE_NETWORK_MASK
990	franck	631	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	632	require valid-user
		633	AuthType digest
1243	richard	634	AuthName $HOSTNAME.$DOMAIN
1	root	635	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	636	AuthUserFile $DIR_DEST_ETC/digest/key_admin
1243	richard	637	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	638	</Directory>
344	richard	639	<Directory $DIR_ACC/manager>
1	root	640	SSLRequireSSL
		641	AllowOverride None
		642	Order deny,allow
		643	Deny from all
		644	Allow from 127.0.0.1
		645	Allow from $PRIVATE_NETWORK_MASK
990	franck	646	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	647	require valid-user
		648	AuthType digest
1243	richard	649	AuthName $HOSTNAME.$DOMAIN
1	root	650	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	651	AuthUserFile $DIR_DEST_ETC/digest/key_manager
1243	richard	652	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	653	</Directory>
316	richard	654	<Directory $DIR_ACC/backup>
		655	SSLRequireSSL
		656	AllowOverride None
		657	Order deny,allow
		658	Deny from all
		659	Allow from 127.0.0.1
		660	Allow from $PRIVATE_NETWORK_MASK
990	franck	661	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
316	richard	662	require valid-user
		663	AuthType digest
1243	richard	664	AuthName $HOSTNAME.$DOMAIN
316	richard	665	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	666	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	667	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
316	richard	668	</Directory>
811	richard	669	Alias /save/ "$DIR_SAVE/"
		670	<Directory $DIR_SAVE>
		671	SSLRequireSSL
		672	Options Indexes
		673	Order deny,allow
		674	Deny from all
		675	Allow from 127.0.0.1
		676	Allow from $PRIVATE_NETWORK_MASK
990	franck	677	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
811	richard	678	require valid-user
		679	AuthType digest
1243	richard	680	AuthName $HOSTNAME.$DOMAIN
811	richard	681	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	682	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
811	richard	683	</Directory>
1	root	684	EOF
1221	richard	685	} # End of ACC()
1	root	686
		687	##########################################################################################
1221	richard	688	## Fonction "CA" ##
1	root	689	## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
		690	##########################################################################################
1221	richard	691	CA ()
1	root	692	{
		693	$SED "s?ifcfg-eth.?ifcfg-$INTIF?g" $DIR_DEST_BIN/alcasar-CA.sh
510	richard	694	$DIR_DEST_BIN/alcasar-CA.sh
800	richard	695	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	696	[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
		697	$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
		698	$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
679	richard	699	$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
5	franck	700	chown -R root:apache /etc/pki
1	root	701	chmod -R 750 /etc/pki
1221	richard	702	} # End CA ()
1	root	703
		704	##########################################################################################
1221	richard	705	## Fonction "init_db" ##
1	root	706	## - Initialisation de la base Mysql ##
		707	## - Affectation du mot de passe de l'administrateur (root) ##
		708	## - Suppression des bases et des utilisateurs superflus ##
		709	## - Création de la base 'radius' ##
		710	## - Installation du schéma de cette base ##
		711	## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##
		712	## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##
		713	##########################################################################################
		714	init_db ()
		715	{
		716	mkdir -p /var/lib/mysql/.tmp
1008	richard	717	chown -R mysql:mysql /var/lib/mysql/
227	franck	718	[ -e /etc/my.cnf.rpmnew ] && mv /etc/my.cnf.rpmnew /etc/my.cnf # prend en compte les migrations de MySQL
1	root	719	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
		720	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
		721	/etc/init.d/mysqld start
		722	sleep 4
		723	mysqladmin -u root password $mysqlpwd
		724	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
615	richard	725	# Delete exemple databases if exist
1	root	726	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;CONNECT mysql;DELETE from user where user='';FLUSH PRIVILEGES;"
615	richard	727	# Create 'radius' database
1	root	728	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
615	richard	729	# Add an empty radius database structure
364	franck	730	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
615	richard	731	# modify the start script in order to close accounting connexion when the system is comming down or up
		732	[ -e /etc/init.d/mysqld.default ] \|\| cp /etc/init.d/mysqld /etc/init.d/mysqld.default
		733	$SED "/wait_for_pid created/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
		734	$SED "/'stop')/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
1	root	735	} # End init_db ()
		736
		737	##########################################################################
1221	richard	738	## Fonction "param_radius" ##
1	root	739	## - Paramètrage des fichiers de configuration FreeRadius ##
		740	## - Affectation du secret partagé entre coova-chilli et freeradius ##
		741	## - Modification de fichier de conf pour l'accès à Mysql ##
		742	##########################################################################
		743	param_radius ()
		744	{
		745	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
		746	chown -R radius:radius /etc/raddb
		747	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1278	richard	748	# Set radius.conf parameters
1	root	749	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		750	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		751	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
1278	richard	752	# remove the proxy function
1	root	753	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf
		754	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
1278	richard	755	# remove EAP module
654	richard	756	$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1278	richard	757	# listen on loopback (should be modified later if EAP enabled)
1	root	758	$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
1278	richard	759	# enable the SQL module (and SQL counter)
1	root	760	$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
		761	$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
		762	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1278	richard	763	# remvove virtual server and copy our conf file
1	root	764	rm -f /etc/raddb/sites-enabled/*
1278	richard	765	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1	root	766	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
		767	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
		768	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
		769	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
384	richard	770	# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1	root	771	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1278	richard	772	# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1	root	773	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		774	cat << EOF > /etc/raddb/clients.conf
		775	client 127.0.0.1 {
		776	secret = $secretradius
		777	shortname = localhost
		778	}
		779	EOF
1278	richard	780	# sql.conf modification
1	root	781	[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
		782	$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
		783	$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
		784	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
		785	$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf
1278	richard	786	# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.)
1	root	787	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1278	richard	788	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
		789	# counter.conf modification (change the Max-All-Session-Time counter)
		790	[ -e /etc/raddb/sql/mysql/counter.conf.default ] \|\| cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
		791	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
		792	chown -R radius:radius /etc/raddb/sql/mysql/*
1114	richard	793	# insures that mysql is up before radius start
1184	crox53	794	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1157	stephane	795
1	root	796	} # End param_radius ()
		797
		798	##########################################################################
1221	richard	799	## Function "param_web_radius" ##
1	root	800	## - Import, modification et paramètrage de l'interface "dialupadmin" ##
		801	## - Création du lien vers la page de changement de mot de passe ##
		802	##########################################################################
		803	param_web_radius ()
		804	{
		805	# copie de l'interface d'origine dans la structure Alcasar
316	richard	806	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
		807	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme
		808	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
344	richard	809	# copie des fichiers modifiés
		810	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
316	richard	811	chown -R apache:apache $DIR_ACC/manager/
344	richard	812	# Modification des fichiers de configuration
1	root	813	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
503	richard	814	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1	root	815	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		816	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		817	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
		818	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
		819	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
		820	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
		821	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
946	richard	822	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
344	richard	823	[ -e /etc/freeradius-web/config.php.default ] \|\| cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
1278	richard	824	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
131	richard	825	cat <<EOF > /etc/freeradius-web/naslist.conf
632	richard	826	nas1_name: alcasar-$ORGANISME
1	root	827	nas1_model: Portail captif
		828	nas1_ip: $PRIVATE_IP
		829	nas1_port_num: 0
		830	nas1_community: public
		831	EOF
		832	# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
		833	[ -e /etc/freeradius-web/user_edit.attrs.default ] \|\| mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
1278	richard	834	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
114	richard	835	# Ajout du mappage des attributs chillispot
		836	[ -e /etc/freeradius-web/sql.attrmap.default ] \|\| mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
1278	richard	837	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
1	root	838	# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
1278	richard	839	[ -e /etc/freeradius-web/sql.attrs.default ] \|\| cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
1	root	840	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
		841	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
5	franck	842	chown -R apache:apache /etc/freeradius-web
1	root	843	# Ajout de l'alias vers la page de "changement de mot de passe usager"
		844	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
344	richard	845	<Directory $DIR_WEB/pass>
1	root	846	SSLRequireSSL
		847	AllowOverride None
		848	Order deny,allow
		849	Deny from all
		850	Allow from 127.0.0.1
		851	Allow from $PRIVATE_NETWORK_MASK
1243	richard	852	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
1	root	853	</Directory>
		854	EOF
		855	} # End of param_web_radius ()
		856
799	richard	857	##################################################################################
1221	richard	858	## Fonction "param_chilli" ##
799	richard	859	## - Création du fichier d'initialisation et de configuration de coova-chilli ##
		860	## - Paramètrage de la page d'authentification (intercept.php) ##
		861	##################################################################################
1	root	862	param_chilli ()
		863	{
799	richard	864	# init file creation
461	richard	865	[ -e /etc/init.d/chilli.default ] \|\| cp /etc/init.d/chilli /etc/init.d/chilli.default
799	richard	866	cat <<EOF > /etc/init.d/chilli
		867	#!/bin/sh
		868	#
		869	# chilli CoovaChilli init
		870	#
		871	# chkconfig: 2345 65 35
		872	# description: CoovaChilli
		873	### BEGIN INIT INFO
		874	# Provides: chilli
		875	# Required-Start: network
		876	# Should-Start:
		877	# Required-Stop: network
		878	# Should-Stop:
		879	# Default-Start: 2 3 5
		880	# Default-Stop:
		881	# Description: CoovaChilli access controller
		882	### END INIT INFO
		883
		884	[ -f /usr/sbin/chilli ] \|\| exit 0
		885	. /etc/init.d/functions
		886	CONFIG=/etc/chilli.conf
		887	pidfile=/var/run/chilli.pid
		888	[ -f \$CONFIG ] \|\| {
		889	echo "\$CONFIG Not found"
		890	exit 0
		891	}
		892	RETVAL=0
		893	prog="chilli"
		894	case \$1 in
		895	start)
		896	if [ -f \$pidfile ] ; then
		897	gprintf "chilli is already running"
		898	else
		899	gprintf "Starting \$prog: "
		900	rm -f /var/run/chilli* # cleaning
		901	/sbin/modprobe tun >/dev/null 2>&1
		902	echo 1 > /proc/sys/net/ipv4/ip_forward
		903	[ -e /dev/net/tun ] \|\| {
		904	(cd /dev;
		905	mkdir net;
		906	cd net;
		907	mknod tun c 10 200)
		908	}
		909	ifconfig eth1 0.0.0.0
		910	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		911	RETVAL=$?
		912	fi
		913	;;
		914
		915	reload)
		916	killall -HUP chilli
		917	;;
		918
		919	restart)
		920	\$0 stop
		921	sleep 2
		922	\$0 start
		923	;;
		924
		925	status)
		926	status chilli
		927	RETVAL=0
		928	;;
		929
		930	stop)
		931	if [ -f \$pidfile ] ; then
		932	gprintf "Shutting down \$prog: "
		933	killproc /usr/sbin/chilli
		934	RETVAL=\$?
		935	[ \$RETVAL = 0 ] && rm -f $pidfile
		936	else
		937	gprintf "chilli is not running"
		938	fi
		939	;;
		940
		941	*)
		942	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		943	exit 1
		944	esac
		945	echo
		946	EOF
		947
		948	# conf file creation
346	richard	949	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
		950	cat <<EOF > /etc/chilli.conf
		951	# coova config for ALCASAR
		952	cmdsocket /var/run/chilli.sock
		953	unixipc chilli.eth1.ipc
		954	pidfile /var/run/chilli.eth1.pid
		955	net $PRIVATE_NETWORK_MASK
595	richard	956	dhcpif $INTIF
841	richard	957	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	958	#nodynip
865	richard	959	#statip
		960	dynip $PRIVATE_NETWORK_MASK
1249	richard	961	domain $DOMAIN
355	richard	962	dns1 $PRIVATE_IP
		963	dns2 $PRIVATE_IP
346	richard	964	uamlisten $PRIVATE_IP
503	richard	965	uamport 3990
837	richard	966	macauth
		967	macpasswd password
1243	richard	968	locationname $HOSTNAME.$DOMAIN
346	richard	969	radiusserver1 127.0.0.1
		970	radiusserver2 127.0.0.1
		971	radiussecret $secretradius
		972	radiusauthport 1812
		973	radiusacctport 1813
1243	richard	974	uamserver https://$HOSTNAME.$DOMAIN/intercept.php
		975	radiusnasid $HOSTNAME.$DOMAIN
346	richard	976	uamsecret $secretuam
1249	richard	977	uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN
346	richard	978	coaport 3799
1294	richard	979	conup $DIR_DEST_BIN/alcasar-conup.sh
		980	condown $DIR_DEST_BIN/alcasar-condown.sh
503	richard	981	include $DIR_DEST_ETC/alcasar-uamallowed
		982	include $DIR_DEST_ETC/alcasar-uamdomain
1294	richard	983	#dhcpgateway
1157	stephane	984	#dhcprelayagent
		985	#dhcpgatewayport
346	richard	986	EOF
977	richard	987	# create file for DHCP static ip. Reserve the second IP address for eth1 (the first one is for tun0)
		988	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
840	richard	989	# create files for trusted domains and urls
1148	crox53	990	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	991	chown root:apache $DIR_DEST_ETC/alcasar-*
		992	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	993	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	994	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
		995	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
796	richard	996	# user 'chilli' creation (in order to run conup/off and up/down scripts
		997	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		998	if [ "$chilli_exist" == "1" ]
		999	then
		1000	userdel -r chilli 2>/dev/null
		1001	fi
		1002	groupadd -f chilli
		1003	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1	root	1004	} # End of param_chilli ()
		1005
		1006	##########################################################
1221	richard	1007	## Fonction "param_squid" ##
1	root	1008	## - Paramètrage du proxy 'squid' en mode 'cache' ##
		1009	## - Initialisation de la base de données ##
		1010	##########################################################
		1011	param_squid ()
		1012	{
		1013	# paramètrage de Squid (connecté en série derrière Dansguardian)
		1014	[ -e /etc/squid/squid.conf.default ] \|\| cp /etc/squid/squid.conf /etc/squid/squid.conf.default
		1015	# suppression des références 'localnet', 'icp', 'htcp' et 'always_direct'
		1016	$SED "/^acl localnet/d" /etc/squid/squid.conf
		1017	$SED "/^icp_access allow localnet/d" /etc/squid/squid.conf
		1018	$SED "/^icp_port 3130/d" /etc/squid/squid.conf
		1019	$SED "/^http_access allow localnet/d" /etc/squid/squid.conf
		1020	$SED "/^htcp_access allow localnet/d" /etc/squid/squid.conf
		1021	$SED "/^always_direct allow localnet/d" /etc/squid/squid.conf
		1022	# mode 'proxy transparent local'
595	richard	1023	$SED "s?^http_port.*?http_port 127.0.0.1:3128 transparent?g" /etc/squid/squid.conf
726	franck	1024	# Configuration du cache local
749	franck	1025	$SED "s?^#cache_dir.*?cache_dir ufs \/var\/spool\/squid 256 16 256?g" /etc/squid/squid.conf
1159	crox53	1026	# désactivation des "access log"
		1027	echo '#Disable access log' >> /etc/squid/squid.conf
		1028	echo "access_log none" >> /etc/squid/squid.conf
835	richard	1029	# anonymisation of squid version
813	richard	1030	echo "via off" >> /etc/squid/squid.conf
835	richard	1031	# remove the 'X_forwarded' http option
812	richard	1032	echo "forwarded_for delete" >> /etc/squid/squid.conf
835	richard	1033	# linked squid output in HAVP input
		1034	echo "cache_peer 127.0.0.1 parent 8090 0 no-query default" >> /etc/squid/squid.conf
		1035	echo "never_direct allow all" >> /etc/squid/squid.conf
		1036	# avoid error messages on network interfaces state changes
313	richard	1037	$SED "s?^SQUID_AUTO_RELOAD.*?SQUID_AUTO_RELOAD=no?g" /etc/sysconfig/squid
894	richard	1038	# reduce squid shutdown time (100 to 50)
		1039	$SED "s?^SQUID_SHUTDOWN_TIMEOUT.*?SQUID_SHUTDOWN_TIMEOUT=50?g" /etc/sysconfig/squid
		1040
835	richard	1041	# Squid cache init
1	root	1042	/usr/sbin/squid -z
		1043	} # End of param_squid ()
		1044
		1045	##################################################################
1221	richard	1046	## Fonction "param_dansguardian" ##
1	root	1047	## - Paramètrage du gestionnaire de contenu Dansguardian ##
		1048	##################################################################
		1049	param_dansguardian ()
		1050	{
		1051	mkdir /var/dansguardian
		1052	chown dansguardian /var/dansguardian
497	richard	1053	[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1293	richard	1054	# By default the filter is off
497	richard	1055	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1293	richard	1056	# French deny HTML page
497	richard	1057	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1293	richard	1058	# Listen only on LAN side
497	richard	1059	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1293	richard	1060	# DG send its flow to SQUID
835	richard	1061	$SED "s?^proxyport.*?proxyport = 3128?g" $DIR_DG/dansguardian.conf
1293	richard	1062	# replace the default deny HTML page
1	root	1063	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
		1064	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1293	richard	1065	# Don't log
		1066	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
		1067	# Run 10 daemons (20 in largest server)
659	richard	1068	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1	root	1069	# on désactive par défaut le controle de contenu des pages html
497	richard	1070	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
		1071	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1072	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1	root	1073	# on désactive par défaut le contrôle d'URL par expressions régulières
497	richard	1074	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1075	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1	root	1076	# on désactive par défaut le contrôle de téléchargement de fichiers
497	richard	1077	[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
		1078	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
		1079	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1080	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1081	touch $DIR_DG/lists/bannedextensionlist
		1082	touch $DIR_DG/lists/bannedmimetypelist
		1083	# 'Safesearch' regex actualisation
498	richard	1084	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1085	# empty LAN IP list that won't be WEB filtered
		1086	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1087	touch $DIR_DG/lists/exceptioniplist
		1088	# Keep a copy of URL & domain filter configuration files
		1089	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1090	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1	root	1091	} # End of param_dansguardian ()
		1092
71	richard	1093	##################################################################
1221	richard	1094	## Fonction "antivirus" ##
479	richard	1095	## - configuration havp + libclamav ##
71	richard	1096	##################################################################
		1097	antivirus ()
		1098	{
288	richard	1099	# création de l'usager 'havp'
		1100	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1101	if [ "$havp_exist" == "1" ]
288	richard	1102	then
478	richard	1103	userdel -r havp 2>/dev/null
894	richard	1104	groupdel havp 2>/dev/null
288	richard	1105	fi
307	richard	1106	groupadd -f havp
796	richard	1107	useradd -r -g havp -s /bin/false -c "system user for havp" havp
476	richard	1108	mkdir -p /var/tmp/havp /var/log/havp
		1109	chown -R havp /var/tmp/havp /var/log/havp /var/run/havp
109	richard	1110	# configuration d'HAVP
		1111	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1112	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
631	richard	1113	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on 8090
		1114	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
990	franck	1115	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1116	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1117	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1118	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1119	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1120	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1007	richard	1121	# skip checking of youtube flow (too heavy load / risk too low)
		1122	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1123	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1124	echo ".youtube.com/" >> /etc/havp/whitelist
481	franck	1125	# remplacement du fichier d'initialisation
335	richard	1126	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
1005	richard	1127	# if keep old init file : $SED "/$HAVP_BIN -c $HAVP_CONFIG/i chown -R havp:havp \/var\/tmp\/havp" /etc/init.d/havp
481	franck	1128	cp -f $DIR_CONF/havp-init /etc/init.d/havp
340	richard	1129	# on remplace la page d'interception (template)
		1130	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1131	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
489	richard	1132	# automatisation de la mise à jour de la base antivirale (toutes les 2 heures)
		1133	$SED "s?^Checks.*?Checks 12?g" /etc/freshclam.conf
		1134	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
734	richard	1135	# Virus database update
		1136	rm -f /var/lib/clamav/*.cld # in case of old database scheme
1005	richard	1137	cp -f $DIR_CONF/clamav-main.cvd /var/lib/clamav/main.cvd
		1138	/usr/bin/freshclam
71	richard	1139	}
		1140
1	root	1141	##################################################################################
1221	richard	1142	## function "param_ulogd" ##
476	richard	1143	## - Ulog config for multi-log files ##
		1144	##################################################################################
		1145	param_ulogd ()
		1146	{
		1147	# Three instances of ulogd (three different logfiles)
		1148	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1149	nl=1
1244	richard	1150	for log_type in tracability ssh ext-access
478	richard	1151	do
		1152	[ -e /var/log/firewall/$log_type.log ] \|\| touch /var/log/firewall/$log_type.log
		1153	cp -f /etc/ulogd.conf /etc/ulogd-$log_type.conf
		1154	$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
		1155	$SED '/OPRINT/,$d' /etc/ulogd-$log_type.conf
		1156	cat << EOF >> /etc/ulogd-$log_type.conf
		1157	[LOGEMU]
		1158	file="/var/log/firewall/$log_type.log"
		1159	sync=1
		1160	EOF
		1161	nl=`expr $nl + 1`
		1162	done
476	richard	1163	chown -R root:apache /var/log/firewall
		1164	chmod 750 /var/log/firewall
		1165	chmod 640 /var/log/firewall/*
		1166	[ -e /etc/init.d/ulogd.default ] \|\| cp /etc/init.d/ulogd /etc/init.d/ulogd.default
		1167	cp -f $DIR_CONF/ulogd-init /etc/init.d/ulogd
		1168	} # End of param_ulogd ()
		1169
1159	crox53	1170
		1171	##########################################################
1221	richard	1172	## Function "param_nfsen" ##
1159	crox53	1173	##########################################################
		1174	param_nfsen()
1	root	1175	{
1159	crox53	1176	#Decompression tarball
1221	richard	1177	tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
1159	crox53	1178	#Création groupe et utilisteur
1221	richard	1179	if grep "^www-data:" /etc/group > /dev/null; then
		1180	echo "Group already exists !"
		1181	else
		1182	groupadd www-data
		1183	echo "Group 'www-data' created !"
		1184	fi
		1185	if grep "^nfsen:" /etc/passwd > /dev/null; then
		1186	echo "User already exists !"
		1187	else
		1188	useradd -m nfsen
		1189	echo "User 'nfsen' created !"
		1190	fi
		1191	usermod -G www-data nfsen
1159	crox53	1192	#Ajout du plugin nfsen : PortTracker
1221	richard	1193	mkdir -p /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
		1194	chown -R nfsen:www-data /var/www/nfsen
		1195	chown -R apache:apache /usr/share/nfsen /var/log/netflow/porttracker
		1196	cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
1159	crox53	1197	#Copie du fichier de conf modifié de nfsen
1221	richard	1198	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
1159	crox53	1199	#Copie du script d'initialisation de nfsen
1221	richard	1200	cp $DIR_CONF/nfsen/nfsen.service /lib/systemd/system/
1159	crox53	1201	#Installation de nfsen via le scrip Perl
1221	richard	1202	DirTmp=$(pwd)
		1203	cd /tmp/nfsen-1.3.6p1/
		1204	/usr/bin/perl5 install.pl etc/nfsen.conf #script lancé deux fois pour corriger,
		1205	/usr/bin/perl5 install.pl etc/nfsen.conf #un problème Perl : "Semaphore introuvable"
1159	crox53	1206	#Création de la DB pour rrdtool
1221	richard	1207	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
		1208	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
		1209	sudo -u apache nftrack -I -d /var/log/netflow/porttracker
		1210	chown -R apache:www-data /var/log/netflow/porttracker/
		1211	chmod -R 775 /var/log/netflow/porttracker
1159	crox53	1212	#Configuration du fichier de conf d'apache
1221	richard	1213	if [ -f /etc/httpd/conf.d/nfsen.conf ];then
		1214	rm -f /etc/httpd/conf.d/nfsen.conf
		1215	fi
		1216	cat <<EOF >> /etc/httpd/conf.d/nfsen.conf
1159	crox53	1217	Alias /nfsen /var/www/nfsen
		1218	<Directory /var/www/nfsen/>
		1219	DirectoryIndex nfsen.php
		1220	Options -Indexes
		1221	AllowOverride all
		1222	order allow,deny
		1223	allow from all
		1224	AddType application/x-httpd-php .php
		1225	php_flag magic_quotes_gpc on
		1226	php_flag track_vars on
1	root	1227	</Directory>
		1228	EOF
1223	crox53	1229	#Ajout du paramètre : IP d'écoute pour le collecteur (nfcapd)
1229	crox53	1230	$SED s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1";'?g /usr/libexec/NfSenRC.pm
1210	crox53	1231	#Configuration du délais d'expiration des captures du profile "live"
1250	richard	1232	nfsen -m live -e 62d 2>/dev/null
1159	crox53	1233	#Suppression des sources de nfsen
1221	richard	1234	cd $DirTmp
		1235	rm -rf /tmp/nfsen-1.3.6p1/
1159	crox53	1236	} # End of param_nfsen
1	root	1237
		1238	##########################################################
1221	richard	1239	## Function "param_dnsmasq" ##
1	root	1240	##########################################################
219	jeremy	1241	param_dnsmasq ()
		1242	{
		1243	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
259	richard	1244	$SED "s?^DHCP_LEASE=.*?DHCP_LEASE=/var/log/dnsmasq/lease.log?g" /etc/sysconfig/dnsmasq # fichier contenant les baux
503	richard	1245	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
520	richard	1246	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if bypass is on.
503	richard	1247	cat << EOF > /etc/dnsmasq.conf
520	richard	1248	# Configuration file for "dnsmasq in forward mode"
503	richard	1249	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
259	richard	1250	listen-address=$PRIVATE_IP
		1251	listen-address=127.0.0.1
286	richard	1252	no-dhcp-interface=$INTIF
259	richard	1253	bind-interfaces
		1254	cache-size=256
		1255	domain=$DOMAIN
		1256	domain-needed
		1257	expand-hosts
		1258	bogus-priv
		1259	filterwin2k
		1260	server=$DNS1
		1261	server=$DNS2
498	richard	1262	# le servive DHCP est configuré mais n'est exploité que pour le "bypass"
865	richard	1263	dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
632	richard	1264	dhcp-option=option:router,$PRIVATE_IP
259	richard	1265	#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
		1266
291	franck	1267	# Exemple de configuration statique : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1268	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1269	EOF
520	richard	1270	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blackhole")
		1271	cat << EOF > /etc/dnsmasq-blackhole.conf
		1272	# Configuration file for "dnsmasq with blackhole"
		1273	# Inclusion de la blacklist <domains> de Toulouse dans la configuration
1015	richard	1274	conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
503	richard	1275	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
498	richard	1276	listen-address=$PRIVATE_IP
		1277	port=54
		1278	no-dhcp-interface=$INTIF
		1279	bind-interfaces
		1280	cache-size=256
		1281	domain=$DOMAIN
		1282	domain-needed
		1283	expand-hosts
		1284	bogus-priv
		1285	filterwin2k
		1286	server=$DNS1
		1287	server=$DNS2
		1288	EOF
718	franck	1289
800	richard	1290	# Init file modification
1221	richard	1291	[ -e /etc/init.d/dnsmasq.default ] \|\| cp /etc/init.d/dnsmasq /etc/init.d/dnsmasq.default
800	richard	1292	# Start and stop a 2nd process for the "DNS blackhole"
1221	richard	1293	cp -f $DIR_CONF/dnsmasq /etc/init.d/dnsmasq
800	richard	1294	# Start after chilli (65) which create tun0
1221	richard	1295	$SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
933	franck	1296	# Optionnellement on pré-active les logs DNS des clients
1221	richard	1297	[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
		1298	$SED "s?log-facility?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq
1157	stephane	1299	# Optionnellement, exemple de paramètre supplémentaire pour le cache memoire
1221	richard	1300	echo '#OPTIONS="$OPTIONS --cache-size=250"' >> /etc/sysconfig/dnsmasq
933	franck	1301	# Optionnellement, exemple de configuration avec un A.D.
1221	richard	1302	echo '#OPTIONS="$OPTIONS --server=/your.domain/192.168.182.3"' >> /etc/sysconfig/dnsmasq
308	richard	1303	} # End dnsmasq
		1304
		1305	##########################################################
1221	richard	1306	## Fonction "BL" ##
308	richard	1307	##########################################################
		1308	BL ()
		1309	{
		1310	# on copie par défaut la BL de toulouse embarqués dans l'archive d'ALCASAR
648	richard	1311	rm -rf $DIR_DG/lists/blacklists
		1312	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
878	richard	1313	# on crée le répertoire ossi (noms de domaine et URLs ajoutés à la BL)
		1314	mkdir $DIR_DG/lists/blacklists/ossi
1041	richard	1315	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
		1316	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
309	richard	1317	# On crée les fichiers vides de sites ou d'URL réhabilités
648	richard	1318	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1319	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1320	touch $DIR_DG/lists/exceptionsitelist
		1321	touch $DIR_DG/lists/exceptionurllist
311	richard	1322	# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
648	richard	1323	cat <<EOF > $DIR_DG/lists/bannedurllist
311	richard	1324	# Dansguardian filter config for ALCASAR
		1325	EOF
648	richard	1326	cat <<EOF > $DIR_DG/lists/bannedsitelist
311	richard	1327	# Dansguardian domain filter config for ALCASAR
		1328	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1329	#**
		1330	# block all SSL and CONNECT tunnels
		1331	**s
		1332	# block all SSL and CONNECT tunnels specified only as an IP
		1333	*ips
		1334	# block all sites specified only by an IP
		1335	*ip
		1336	EOF
1000	richard	1337	# Add Bing and Youtube to the safesearch url regext list (parental control)
878	richard	1338	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1339	# Bing - add 'adlt=strict'
		1340	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1341	# Youtube - add 'edufilter=your_ID'
885	richard	1342	#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"
878	richard	1343	EOF
1000	richard	1344	# change the the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1345	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
648	richard	1346	chown -R dansguardian:apache $DIR_DG
		1347	chmod -R g+rw $DIR_DG
786	richard	1348	# On adapte la BL de Toulouse à notre structure
654	richard	1349	if [ "$mode" != "update" ]; then
		1350	$DIR_DEST_SBIN/alcasar-bl.sh --adapt
		1351	fi
308	richard	1352	}
219	jeremy	1353
1	root	1354	##########################################################
1221	richard	1355	## Fonction "cron" ##
1	root	1356	## - Mise en place des différents fichiers de cron ##
		1357	##########################################################
		1358	cron ()
		1359	{
		1360	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1361	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1362	cat <<EOF > /etc/crontab
		1363	SHELL=/bin/bash
		1364	PATH=/sbin:/bin:/usr/sbin:/usr/bin
		1365	MAILTO=root
		1366	HOME=/
		1367
		1368	# run-parts
		1369	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1370	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1371	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1372	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1373	EOF
		1374	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1375	cat <<EOF >> /etc/anacrontab
667	franck	1376	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
		1377	7 10 cron.logExport nice /etc/cron.d/alcasar-export_log
		1378	7 15 cron.logClean nice /etc/cron.d/alcasar-clean_log
		1379	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1380	EOF
1247	crox53	1381
811	richard	1382	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1383	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
955	richard	1384	45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
905	franck	1385	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
917	franck	1386	40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1387	EOF
952	franck	1388	cat <<EOF > /etc/cron.d/alcasar-archive
		1389	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1390	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1391	EOF
667	franck	1392	cat << EOF > /etc/cron.d/alcasar-clean_import
713	franck	1393	# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
503	richard	1394	30 * * * * root $DIR_DEST_BIN/alcasar-import-clean.sh
168	franck	1395	EOF
722	franck	1396	cat << EOF > /etc/cron.d/alcasar-distrib-updates
		1397	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1398	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1399	EOF
1247	crox53	1400	#cat << EOF > /etc/cron.d/alcasar-netflow
1159	crox53	1401	# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
1247	crox53	1402	#15 0 * * 1 root $DIR_DEST_BIN/alcasar-netflow.sh
		1403	#EOF
1159	crox53	1404
1	root	1405	# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
		1406	# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
		1407	# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
		1408	# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
		1409	# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
		1410	# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
		1411	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
		1412	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
		1413	rm -f /etc/cron.daily/freeradius-web
		1414	rm -f /etc/cron.monthly/freeradius-web
		1415	cat << EOF > /etc/cron.d/freeradius-web
		1416	1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
		1417	5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
		1418	10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
		1419	15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
		1420	EOF
671	franck	1421	cat << EOF > /etc/cron.d/alcasar-watchdog
713	franck	1422	# activation du "chien de garde" (watchdog) toutes les 3'
1	root	1423	/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
		1424	EOF
808	franck	1425	# activation du "chien de garde des services" (watchdog) toutes les 18'
		1426	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
		1427	# activation du "chien de garde" (daemon-watchdog) toutes les 18'
		1428	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1429	EOF
522	richard	1430	# suppression des crons usagers
		1431	rm -f /var/spool/cron/*
1	root	1432	} # End cron
		1433
		1434	##################################################################
1221	richard	1435	## Fonction "Fail2Ban" ##
1163	crox53	1436	##- Modification de la configuration de fail2ban ##
		1437	##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ##
		1438	##################################################################
		1439	fail2ban()
		1440	{
1191	crox53	1441	$DIR_CONF/fail2ban.sh
1192	crox53	1442	#Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
		1443	[ -e /var/log/fail2ban.log ] \|\| touch /var/log/fail2ban.log
		1444	[ -e /var/Save/logs/security/watchdog.log ] \|\| touch /var/Save/logs/security/watchdog.log
1165	crox53	1445	chmod 644 /var/log/fail2ban.log
1192	crox53	1446	chmod 644 /var/Save/logs/security/watchdog.log
1163	crox53	1447	} #Fin de fail2ban_install()
		1448
		1449	##################################################################
1221	richard	1450	## Fonction "post_install" ##
1	root	1451	## - Modification des bannières (locales et ssh) et des prompts ##
		1452	## - Installation de la structure de chiffrement pour root ##
		1453	## - Mise en place du sudoers et de la sécurité sur les fichiers##
		1454	## - Mise en place du la rotation des logs ##
5	franck	1455	## - Configuration dans le cas d'une mise à jour ##
1	root	1456	##################################################################
		1457	post_install()
		1458	{
		1459	# adaptation du script "chien de garde" (watchdog)
376	franck	1460	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
		1461	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
1	root	1462	# création de la bannière locale
1007	richard	1463	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		1464	cp -f $DIR_CONF/banner /etc/mageia-release
		1465	echo " V$VERSION" >> /etc/mageia-release
1	root	1466	# création de la bannière SSH
1007	richard	1467	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
5	franck	1468	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1469	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1470	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1471	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1472	# postfix banner anonymisation
		1473	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
604	richard	1474	# sshd écoute côté LAN et WAN
1	root	1475	$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
604	richard	1476	$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
860	richard	1477	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
628	richard	1478	echo "SSH=off" >> $CONF_FILE
1063	richard	1479	echo 'SSH_ADMIN_FROM=0.0.0.0/0.0.0.0' >> $CONF_FILE
628	richard	1480	echo "QOS=off" >> $CONF_FILE
		1481	echo "LDAP=off" >> $CONF_FILE
786	richard	1482	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
885	richard	1483	echo "WEB_ANTIVIRUS=on" >> $CONF_FILE
628	richard	1484	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
		1485	echo "DNS_FILTERING=off" >> $CONF_FILE
885	richard	1486	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1078	franck	1487	echo "MULTIWAN=off" >> $CONF_FILE
		1488	echo "FAILOVER=30" >> $CONF_FILE
		1489	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
		1490	echo "#WAN1=\"1,eth0:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
		1491	echo "#WAN2=\"1,eth0:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1	root	1492	# Coloration des prompts
		1493	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1494	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1495	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1	root	1496	# Droits d'exécution pour utilisateur apache et sysadmin
		1497	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1498	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1499	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
132	franck	1500	# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, squid, radiusd, ulogd)
1	root	1501	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		1502	chmod 644 /etc/logrotate.d/*
714	franck	1503	# rectification sur versions précédentes de la compression des logs
706	franck	1504	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		1505	# actualisation des fichiers logs compressés
714	franck	1506	for dir in firewall squid dansguardian httpd
706	franck	1507	do
714	franck	1508	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	1509	done
1221	richard	1510	# create the alcasar-load_balancing unit
		1511	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1184	crox53	1512	# This file is part of systemd.
		1513	#
		1514	# systemd is free software; you can redistribute it and/or modify it
		1515	# under the terms of the GNU General Public License as published by
		1516	# the Free Software Foundation; either version 2 of the License, or
		1517	# (at your option) any later version.
		1518
		1519	# This unit lauches alcasar-load-balancing.sh script.
		1520	[Unit]
		1521	Description=alcasar-load_balancing.sh execution
		1522	After=network.target iptables.service
		1523
		1524	[Service]
		1525	Type=oneshot
		1526	RemainAfterExit=yes
		1527	ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
		1528	ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
		1529	TimeoutSec=0
		1530	SysVStartPriority=99
		1531
		1532	[Install]
		1533	WantedBy=multi-user.target
1157	stephane	1534	EOF
1221	richard	1535	# processes launched at boot time (SYSV)
		1536	for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam
		1537	do
		1538	/sbin/chkconfig --add $i
		1539	done
		1540	# processes launched at boot time (Systemctl)
		1541	for i in alcasar-load_balancing.service nfsen.service
953	franck	1542
1221	richard	1543	do
		1544	systemctl enable $i
		1545	done
		1546	# Apply French Security Agency (ANSSI) rules
568	richard	1547	# ignorer les broadcast ICMP. (attaque smurf)
1221	richard	1548	sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
568	richard	1549	# ignorer les erreurs ICMP bogus
1221	richard	1550	sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
595	richard	1551	# désactiver l'envoi et la réponse aux ICMP redirects
1221	richard	1552	sysctl -w net.ipv4.conf.all.accept_redirects=0
		1553	accept_redirect=`grep accept_redirect /etc/sysctl.conf\|wc -l`
568	richard	1554	if [ "$accept_redirect" == "0" ]
		1555	then
679	richard	1556	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
		1557	else
		1558	$SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf
568	richard	1559	fi
1221	richard	1560	sysctl -w net.ipv4.conf.all.send_redirects=0
		1561	send_redirect=`grep send_redirect /etc/sysctl.conf\|wc -l`
568	richard	1562	if [ "$send_redirect" == "0" ]
		1563	then
679	richard	1564	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
		1565	else
		1566	$SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf
568	richard	1567	fi
		1568	# activer les SYN Cookies (attaque syn flood)
1221	richard	1569	sysctl -w net.ipv4.tcp_syncookies=1
		1570	tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf\|wc -l`
568	richard	1571	if [ "$tcp_syncookies" == "0" ]
		1572	then
679	richard	1573	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
		1574	else
		1575	$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf
568	richard	1576	fi
595	richard	1577	# activer l'antispoofing niveau Noyau
1221	richard	1578	sysctl -w net.ipv4.conf.all.rp_filter=1
568	richard	1579	# ignorer le source routing
1221	richard	1580	sysctl -w net.ipv4.conf.all.accept_source_route=0
		1581	accept_source_route=`grep accept_source_route /etc/sysctl.conf\|wc -l`
568	richard	1582	if [ "$accept_source_route" == "0" ]
		1583	then
679	richard	1584	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
		1585	else
		1586	$SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf
568	richard	1587	fi
679	richard	1588	# réglage du timer de maintien de suivi de session à 1h (3600s) au lieu de 5 semaines
1221	richard	1589	sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
		1590	timeout_established=`grep timeout_established /etc/sysctl.conf\|wc -l`
679	richard	1591	if [ "$timeout_established" == "0" ]
		1592	then
		1593	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf
		1594	else
793	richard	1595	$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf
679	richard	1596	fi
1157	stephane	1597	# disable log_martians (ALCASAR is often installed between two private network addresses)
1221	richard	1598	sysctl -w net.ipv4.conf.all.log_martians=0
306	richard	1599	# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
1005	richard	1600	# ??? $SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
1003	richard	1601	# switch to multi-users runlevel (instead of x11)
1221	richard	1602	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1005	richard	1603	# GRUB modifications
		1604	# limit wait time to 3s
		1605	# create an alcasar entry instead of linux-nonfb
		1606	# change display to 1024*768 (vga791)
1221	richard	1607	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
		1608	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
		1609	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
		1610	$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
		1611	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
		1612	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1003	richard	1613	# Remove unused services and users
1221	richard	1614	for old_svc in alsa sound dm
		1615	do
		1616	/sbin/chkconfig --del $old_svc
		1617	done
		1618	for svc in snmpd.service sshd.service
		1619	do
		1620	/bin/systemctl disable $svc
		1621	done
		1622	for rm_users in avahi-autoipd avahi icapd
		1623	do
		1624	user=`cat /etc/passwd\|grep $rm_users\|cut -d":" -f1`
		1625	if [ "$user" == "$rm_users" ]
		1626	then
		1627	/usr/sbin/userdel -f $rm_users
		1628	fi
		1629	done
		1630	# Load and apply the previous conf file
		1631	if [ "$mode" = "update" ]
532	richard	1632	then
1266	richard	1633	$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs
1221	richard	1634	$DIR_DEST_BIN/alcasar-conf.sh --load
		1635	PARENT_SCRIPT=`basename $0`
		1636	export PARENT_SCRIPT # to avoid stop&start process during the installation process
		1637	$DIR_DEST_BIN/alcasar-conf.sh --apply
		1638	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		1639	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
1269	richard	1640	if [ $MAJ_PREVIOUS_VERSION -lt 2 ] \|\| ([ $MAJ_PREVIOUS_VERSION -eq 2 ] && [ $MIN_PREVIOUS_VERSION -lt 8 ])
		1641	# update needed for versions previous then 2.8 due to the integration of the domainname ("localdomain" by default)
		1642	then
		1643	header_install
		1644	if [ $Lang == "fr" ]
		1645	then
		1646	echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
		1647	echo
		1648	echo -n "Nom : "
		1649	else
		1650	echo "This update need to redefine the first admin account"
		1651	echo
		1652	echo -n "Account : "
		1653	fi
		1654	read admin_portal
		1655	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		1656	mkdir -p $DIR_DEST_ETC/digest
		1657	chmod 755 $DIR_DEST_ETC/digest
		1658	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		1659	do
		1660	/usr/sbin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
		1661	done
		1662	$DIR_DEST_SBIN/alcasar-profil.sh --list
		1663	fi
532	richard	1664	fi
1221	richard	1665	rm -f /tmp/alcasar-conf*
		1666	chown -R root:apache $DIR_DEST_ETC/*
		1667	chmod -R 660 $DIR_DEST_ETC/*
		1668	chmod ug+x $DIR_DEST_ETC/digest
1045	franck	1669	# Apply and save the firewall rules
		1670	sh $DIR_DEST_BIN/alcasar-iptables.sh
		1671	sleep 2
1	root	1672	cd $DIR_INSTALL
5	franck	1673	echo ""
1	root	1674	echo "#############################################################################"
638	richard	1675	if [ $Lang == "fr" ]
		1676	then
		1677	echo "# Fin d'installation d'ALCASAR #"
		1678	echo "# #"
		1679	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1680	echo "# des Accès au Réseau ( ALCASAR ) #"
		1681	echo "# #"
		1682	echo "#############################################################################"
		1683	echo
		1684	echo "- ALCASAR sera fonctionnel après redémarrage du système"
		1685	echo
		1686	echo "- Lisez attentivement la documentation d'exploitation"
		1687	echo
		1688	echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		1689	echo
		1690	echo " Appuyez sur 'Entrée' pour continuer"
		1691	else
		1692	echo "# Enf of ALCASAR install process #"
		1693	echo "# #"
		1694	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1695	echo "# des Accès au Réseau ( ALCASAR ) #"
		1696	echo "# #"
		1697	echo "#############################################################################"
		1698	echo
		1699	echo "- The system will be rebooted in order to operate ALCASAR"
		1700	echo
		1701	echo "- Read the exploitation documentation"
		1702	echo
		1703	echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		1704	echo
		1705	echo " Hit 'Enter' to continue"
		1706	fi
815	richard	1707	sleep 2
		1708	if [ "$mode" != "update" ]
820	richard	1709	then
815	richard	1710	read a
		1711	fi
774	richard	1712	clear
1	root	1713	reboot
		1714	} # End post_install ()
		1715
		1716	#################################
1005	richard	1717	# Main Install loop #
1	root	1718	#################################
832	richard	1719	dir_exec=`dirname "$0"`
		1720	if [ $dir_exec != "." ]
		1721	then
		1722	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
		1723	echo "Launch this program from the ALCASAR archive directory"
		1724	exit 0
		1725	fi
		1726	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	1727	usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"
1	root	1728	nb_args=$#
		1729	args=$1
		1730	if [ $nb_args -eq 0 ]
		1731	then
		1732	nb_args=1
		1733	args="-h"
		1734	fi
1062	richard	1735	chmod -R u+x $DIR_SCRIPTS/*
1	root	1736	case $args in
		1737	-\? \| -h* \| --h*)
		1738	echo "$usage"
		1739	exit 0
		1740	;;
291	franck	1741	-i \| --install)
959	franck	1742	license
5	franck	1743	header_install
29	richard	1744	testing
1249	richard	1745	# Test if ALCASAR is already installed (before v2.2, the conf file doesn't exist --> can't update)
		1746	if [ -e $CONF_FILE ]
1	root	1747	then
1249	richard	1748	current_version=`cat $CONF_FILE \| grep VERSION \| cut -d"=" -f2`
595	richard	1749	if [ $Lang == "fr" ]
1249	richard	1750	then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
		1751	else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
595	richard	1752	fi
5	franck	1753	response=0
460	richard	1754	PTN='^[oOnNyY]$'
580	richard	1755	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	1756	do
595	richard	1757	if [ $Lang == "fr" ]
		1758	then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
		1759	else echo -n "Do you want to update (Y/n)?";
		1760	fi
5	franck	1761	read response
		1762	done
597	richard	1763	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
5	franck	1764	then
597	richard	1765	rm -f /tmp/alcasar-conf*
		1766	else
636	richard	1767	# Create a backup of running version importants files
389	franck	1768	$DIR_SCRIPTS/alcasar-conf.sh --create
532	richard	1769	mode="update"
5	franck	1770	fi
1	root	1771	fi
595	richard	1772	# RPMs install
		1773	$DIR_SCRIPTS/alcasar-urpmi.sh
		1774	if [ "$?" != "0" ]
1	root	1775	then
595	richard	1776	exit 0
		1777	fi
1249	richard	1778	if [ -e $CONF_FILE ]
595	richard	1779	then
597	richard	1780	# Uninstall the running version
532	richard	1781	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
595	richard	1782	fi
636	richard	1783	# Test if manual update
1057	richard	1784	if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" != "update" ]
595	richard	1785	then
636	richard	1786	header_install
595	richard	1787	if [ $Lang == "fr" ]
636	richard	1788	then echo "Le fichier de configuration d'une ancienne version a été trouvé";
		1789	else echo "The configuration file of an old version has been found";
595	richard	1790	fi
597	richard	1791	response=0
		1792	PTN='^[oOnNyY]$'
		1793	until [[ $(expr $response : $PTN) -gt 0 ]]
		1794	do
		1795	if [ $Lang == "fr" ]
		1796	then echo -n "Voulez-vous l'utiliser (O/n)? ";
		1797	else echo -n "Do you want to use it (Y/n)?";
		1798	fi
		1799	read response
		1800	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		1801	then rm -f /tmp/alcasar-conf*
		1802	fi
		1803	done
		1804	fi
636	richard	1805	# Test if update
1057	richard	1806	if [ -e /tmp/alcasar-conf* ]
597	richard	1807	then
		1808	if [ $Lang == "fr" ]
		1809	then echo "#### Installation avec mise à jour ####";
		1810	else echo "#### Installation with update ####";
		1811	fi
636	richard	1812	# Extract the central configuration file
1057	richard	1813	tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
637	richard	1814	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	1815	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		1816	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		1817	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		1818	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	1819	mode="update"
		1820	else
		1821	mode="install"
1	root	1822	fi
1221	richard	1823	for func in init network ACC CA init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron fail2ban post_install
5	franck	1824	do
		1825	$func
1221	richard	1826	# echo "* 'debug' : end of function $func *"; read a
14	richard	1827	done
5	franck	1828	;;
291	franck	1829	-u \| --uninstall)
5	franck	1830	if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1	root	1831	then
597	richard	1832	if [ $Lang == "fr" ]
		1833	then echo "ALCASAR n'est pas installé!";
		1834	else echo "ALCASAR isn't installed!";
		1835	fi
1	root	1836	exit 0
		1837	fi
5	franck	1838	response=0
		1839	PTN='^[oOnN]$'
580	richard	1840	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	1841	do
597	richard	1842	if [ $Lang == "fr" ]
		1843	then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
854	richard	1844	else echo -n "Do you want to create the running version configuration file (Y/n)? ";
597	richard	1845	fi
5	franck	1846	read response
		1847	done
1103	richard	1848	if [ "$response" = "o" ] \|\| [ "$response" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]
1	root	1849	then
1103	richard	1850	$DIR_SCRIPTS/alcasar-conf.sh --create
498	richard	1851	else
		1852	rm -f /tmp/alcasar-conf*
1	root	1853	fi
597	richard	1854	# Uninstall the running version
65	richard	1855	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1	root	1856	;;
		1857	*)
		1858	echo "Argument inconnu :$1";
460	richard	1859	echo "Unknown argument :$1";
1	root	1860	echo "$usage"
		1861	exit 1
		1862	;;
		1863	esac
10	franck	1864	# end of script
366	franck	1865

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1294