WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
57	franck	2	# $Id: alcasar.sh 1336 2014-04-28 17:07:37Z richard $
1	root	3
		4	# alcasar.sh
959	franck	5
1157	stephane	6	# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
		7	# Ce programme est un logiciel libre ; This software is free and open source
959	franck	8	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		9	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		10	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		11	# Voir la Licence Publique Générale GNU pour plus de détails.
		12
967	franck	13	# team@alcasar.net
959	franck	14
1	root	15	# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
		16	# This script is distributed under the Gnu General Public License (GPL)
		17
672	richard	18	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	19	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	20	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
1007	richard	21	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
672	richard	22	#
1221	richard	23	# Coovachilli, freeradius, mariaDB, apache, netfilter, squid, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav, Ulog, fail2ban, NFsen and NFdump
1	root	24
		25	# Options :
376	franck	26	# -i or --install
		27	# -u or --uninstall
1	root	28
376	franck	29	# Functions :
1221	richard	30	# testing : connectivity tests and downloading before intall
		31	# init : Installation of RPM and scripts
		32	# network : Network parameters
		33	# ACC : ALCASAR Control Center installation
		34	# CA : Certification Authority initialization
		35	# init_db : Initilization of radius database managed with MariaDB
		36	# param_radius : FreeRadius initialisation
		37	# param_web_radius : copy ans modifiy original "freeradius web" in ACC
		38	# param_chilli : coovachilli initialisation (+authentication page)
		39	# param_squid : Squid cache proxy configuration
		40	# param_dansguardian : DansGuardian filtering HTTP proxy configuration
		41	# antivirus : HAVP + libclamav configuration
		42	# param_nfsen : Configuration du grapheur nfsen pour apache
1253	richard	43	# dnsmasq : Name server configuration
		44	# BL : BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
1266	richard	45	# cron : Logs export + watchdog + connexion statistics
1253	richard	46	# fail2ban : Fail2ban installation and configuration
1266	richard	47	# post_install : Security, log rotation, etc.
1	root	48
		49	DATE=`date '+%d %B %Y - %Hh%M'`
		50	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	51	Lang=`echo $LANG\|cut -c 1-2`
1	root	52	# ***** Files parameters - paramètres fichiers *******
1015	richard	53	DIR_INSTALL=`pwd` # current directory
		54	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		55	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
		56	DIR_SAVE="/var/Save" # backup directory (system_backup, user_db_backup, logs)
		57	DIR_WEB="/var/www/html" # directory of APACHE
		58	DIR_DG="/etc/dansguardian" # directory of DansGuardian
		59	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
		60	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		61	DIR_DEST_SBIN="/usr/local/sbin" # directory of ALCASAR admin scripts
		62	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
		63	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
		64	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
		65	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	66	# ***** DBMS parameters - paramètres SGBD ******
1243	richard	67	DB_RADIUS="radius" # database name used by FreeRadius server
		68	DB_USER="radius" # user name allows to request the users database
1	root	69	# ***** Network parameters - paramètres réseau *****
1211	crox53	70	HOSTNAME="alcasar" #
1243	richard	71	DOMAIN="localdomain" # default local domain
1336	richard	72	EXTIF=`/sbin/ip route\|grep default\|cut -d" " -f5` # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
		73	INTIF=`/sbin/ip link\|grep '^[[:digit:]]:'\|grep -v "lo\\|$EXTIF"\|cut -d" " -f2\|tr -d ":"` # INTIF is connected to the consultation network
1148	crox53	74	MTU="1500"
1157	stephane	75	ETHTOOL_OPTS='"autoneg off speed 100 duplex full"'
1243	richard	76	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
1	root	77	# **** Paths - chemin des commandes *****
		78	SED="/bin/sed -i"
		79	# **************** End of global parameters *******************
		80
959	franck	81	license ()
		82	{
		83	if [ $Lang == "fr" ]
967	franck	84	then cat $DIR_INSTALL/gpl-3.0.fr.txt \| more
		85	else cat $DIR_INSTALL/gpl-3.0.txt \| more
959	franck	86	fi
975	franck	87	echo "Taper sur Entrée pour continuer !"
		88	echo "Enter to continue."
959	franck	89	read a
		90	}
		91
1	root	92	header_install ()
		93	{
		94	clear
		95	echo "-----------------------------------------------------------------------------"
460	richard	96	echo " ALCASAR V$VERSION Installation"
1	root	97	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		98	echo "-----------------------------------------------------------------------------"
		99	} # End of header_install ()
		100
1174	crox53	101
1	root	102	##################################################################
1221	richard	103	## Function "testing" ##
1005	richard	104	## - Test of Internet access ##
29	richard	105	##################################################################
		106	testing ()
		107	{
595	richard	108	if [ $Lang == "fr" ]
784	richard	109	then echo -n "Tests des paramètres réseau : "
595	richard	110	else echo -n "Network parameters tests : "
		111	fi
1336	richard	112	# We test EXTIF config files
		113
784	richard	114	PUBLIC_IP=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		115	PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		116	if [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
		117	then
		118	if [ $Lang == "fr" ]
		119	then
		120	echo "Échec"
		121	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		122	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
830	richard	123	echo "Appliquez les changements : 'service network restart'"
784	richard	124	else
		125	echo "Failed"
		126	echo "The Internet connected network card ($EXTIF) isn't well configured."
		127	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
830	richard	128	echo "Apply the new configuration 'service network restart'"
784	richard	129	fi
830	richard	130	echo "DEVICE=$EXTIF"
784	richard	131	echo "IPADDR="
		132	echo "NETMASK="
		133	echo "GATEWAY="
		134	echo "DNS1="
		135	echo "DNS2="
830	richard	136	echo "ONBOOT=yes"
784	richard	137	exit 0
		138	fi
		139	echo -n "."
460	richard	140	# We test the Ethernet links state
29	richard	141	for i in $EXTIF $INTIF
		142	do
294	richard	143	/sbin/ip link set $i up
306	richard	144	sleep 3
1031	richard	145	CMD=`/usr/sbin/ethtool $i \|egrep 'Link detected'\| awk '{print $NF}'`
		146	CMD2=`/sbin/mii-tool $i \| grep link \| awk '{print $NF}'`
808	franck	147	if [ $CMD != "yes" ] && [ $CMD2 != "ok" ]
29	richard	148	then
595	richard	149	if [ $Lang == "fr" ]
		150	then
		151	echo "Échec"
		152	echo "Le lien réseau de la carte $i n'est pas actif."
		153	echo "Réglez ce problème puis relancez ce script."
		154	else
		155	echo "Failed"
		156	echo "The link state of $i interface id down."
		157	echo "Resolv this problem, then restart this script."
		158	fi
29	richard	159	exit 0
		160	fi
308	richard	161	echo -n "."
29	richard	162	done
		163	# On teste la présence d'un routeur par défaut (Box FAI)
784	richard	164	if [ `ip route list\|grep -c ^default` -ne "1" ] ; then
595	richard	165	if [ $Lang == "fr" ]
		166	then
		167	echo "Échec"
		168	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		169	echo "Réglez ce problème puis relancez ce script."
		170	else
		171	echo "Failed"
		172	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		173	echo "Resolv this problem, then restart this script."
		174	fi
29	richard	175	exit 0
		176	fi
308	richard	177	echo -n "."
978	franck	178	# On teste le lien vers le routeur par defaut
308	richard	179	IP_GW=`ip route list\|grep ^default\|cut -d" " -f3`
		180	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $IP_GW\|grep response\|cut -d" " -f2`
527	richard	181	if [ $(expr $arp_reply) -eq 0 ]
308	richard	182	then
595	richard	183	if [ $Lang == "fr" ]
		184	then
		185	echo "Échec"
		186	echo "Le routeur de site ou la Box Internet ($IP_GW) ne répond pas."
		187	echo "Réglez ce problème puis relancez ce script."
		188	else
		189	echo "Failed"
		190	echo "The Internet gateway doesn't answered"
		191	echo "Resolv this problem, then restart this script."
		192	fi
308	richard	193	exit 0
		194	fi
		195	echo -n "."
421	franck	196	# On teste la connectivité Internet
29	richard	197	rm -rf /tmp/con_ok.html
308	richard	198	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	199	if [ ! -e /tmp/con_ok.html ]
		200	then
595	richard	201	if [ $Lang == "fr" ]
		202	then
		203	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		204	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		205	echo "Vérifiez la validité des adresses IP des DNS."
		206	else
		207	echo "The Internet connection try failed (google.fr)."
		208	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		209	echo "Verify the DNS IP addresses"
		210	fi
29	richard	211	exit 0
		212	fi
		213	rm -rf /tmp/con_ok.html
308	richard	214	echo ". : ok"
302	richard	215	} # end of testing
		216
		217	##################################################################
1221	richard	218	## Function "init" ##
302	richard	219	## - Création du fichier "/root/ALCASAR_parametres.txt" ##
		220	## - Installation et modification des scripts du portail ##
		221	##################################################################
		222	init ()
		223	{
527	richard	224	if [ "$mode" != "update" ]
302	richard	225	then
		226	# On affecte le nom d'organisme
597	richard	227	header_install
302	richard	228	ORGANISME=!
		229	PTN='^[a-zA-Z0-9-]*$'
580	richard	230	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
302	richard	231	do
595	richard	232	if [ $Lang == "fr" ]
597	richard	233	then echo -n "Entrez le nom de votre organisme : "
		234	else echo -n "Enter the name of your organism : "
595	richard	235	fi
330	franck	236	read ORGANISME
613	richard	237	if [ "$ORGANISME" == "" ]
330	franck	238	then
		239	ORGANISME=!
		240	fi
		241	done
302	richard	242	fi
1	root	243	# On crée aléatoirement les mots de passe et les secrets partagés
628	richard	244	rm -f $PASSWD_FILE
59	richard	245	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de protection du menu Grub
628	richard	246	echo -n "Password to protect the boot menu (GRUB) : " > $PASSWD_FILE
		247	echo "$grubpwd" >> $PASSWD_FILE
59	richard	248	md5_grubpwd=`/usr/bin/md5pass $grubpwd`
384	richard	249	$SED "/^password.*/d" /boot/grub/menu.lst
		250	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
1	root	251	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de l'administrateur Mysqld
1003	richard	252	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
628	richard	253	echo "root / $mysqlpwd" >> $PASSWD_FILE
1	root	254	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de l'utilisateur Mysqld (utilisé par freeradius)
1003	richard	255	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
628	richard	256	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
1	root	257	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # secret partagé entre intercept.php et coova-chilli
628	richard	258	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
		259	echo "$secretuam" >> $PASSWD_FILE
1	root	260	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # secret partagé entre coova-chilli et FreeRadius
628	richard	261	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
		262	echo "$secretradius" >> $PASSWD_FILE
		263	chmod 640 $PASSWD_FILE
977	richard	264	# Scripts and conf files copy
		265	# - in /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
5	franck	266	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
977	richard	267	# - in /usr/local/sbin : alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
5	franck	268	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
977	richard	269	# - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
648	richard	270	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
1	root	271	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
		272	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
5	franck	273	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
		274	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
628	richard	275	# generate central conf file
		276	cat <<EOF > $CONF_FILE
612	richard	277	##########################################
		278	## ##
		279	## ALCASAR Parameters ##
		280	## ##
		281	##########################################
1	root	282
612	richard	283	INSTALL_DATE=$DATE
		284	VERSION=$VERSION
		285	ORGANISM=$ORGANISME
923	franck	286	DOMAIN=$DOMAIN
612	richard	287	EOF
628	richard	288	chmod o-rwx $CONF_FILE
1	root	289	} # End of init ()
		290
		291	##################################################################
1221	richard	292	## Function "network" ##
1	root	293	## - Définition du plan d'adressage du réseau de consultation ##
595	richard	294	## - Nommage DNS du système ##
1336	richard	295	## - Configuration de l'interface INTIF (réseau de consultation)##
1	root	296	## - Modification du fichier /etc/hosts ##
		297	## - Configuration du serveur de temps (NTP) ##
		298	## - Renseignement des fichiers hosts.allow et hosts.deny ##
		299	##################################################################
		300	network ()
		301	{
		302	header_install
636	richard	303	if [ "$mode" != "update" ]
		304	then
		305	if [ $Lang == "fr" ]
		306	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		307	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		308	fi
		309	response=0
		310	PTN='^[oOyYnN]$'
		311	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	312	do
595	richard	313	if [ $Lang == "fr" ]
659	richard	314	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	315	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	316	fi
1	root	317	read response
		318	done
636	richard	319	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		320	then
		321	PRIVATE_IP_MASK="0"
		322	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		323	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	324	do
595	richard	325	if [ $Lang == "fr" ]
597	richard	326	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		327	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	328	fi
597	richard	329	read PRIVATE_IP_MASK
1	root	330	done
636	richard	331	else
		332	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		333	fi
595	richard	334	else
637	richard	335	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		336	rm -rf conf/etc/alcasar.conf
1	root	337	fi
861	richard	338	# Define LAN side global parameters
1243	richard	339	hostname $HOSTNAME.$DOMAIN
		340	echo $HOSTNAME.$DOMAIN > /etc/hostname
977	richard	341	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
		342	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
		343	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
		344	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
		345	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
		346	classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; classe_sup_sup=`expr $classe + 2` # ie.: 2=classe B, 3=classe C
		347	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		348	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
		349	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f$classe_sup` # last octet of LAN address
		350	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f$classe_sup` # last octet of LAN broadcast
837	richard	351	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
977	richard	352	PRIVATE_SECOND_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 2` # second network address (ex.: 192.168.182.2)
837	richard	353	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
1336	richard	354	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6` # MAC address of INTIF
841	richard	355	# Define Internet parameters
14	richard	356	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		357	DNS1=`grep DNS1 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 1er DNS
		358	DNS2=`grep DNS2 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 2ème DNS
70	franck	359	DNS1=${DNS1:=208.67.220.220}
		360	DNS2=${DNS2:=208.67.222.222}
597	richard	361	PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2`
1052	richard	362	DEFAULT_PUBLIC_NETMASK=`ipcalc -m $PUBLIC_IP \| cut -d"=" -f2`
784	richard	363	PUBLIC_NETMASK=${PUBLIC_NETMASK:=$DEFAULT_PUBLIC_NETMASK}
1052	richard	364	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	365	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
765	stephane	366	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
994	franck	367	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	368	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
		369	echo "DNS1=$DNS1" >> $CONF_FILE
		370	echo "DNS2=$DNS2" >> $CONF_FILE
		371	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
941	richard	372	echo "DHCP=full" >> $CONF_FILE
914	franck	373	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		374	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		375	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
597	richard	376	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
841	richard	377	# config network
1	root	378	cat <<EOF > /etc/sysconfig/network
		379	NETWORKING=yes
1243	richard	380	HOSTNAME="$HOSTNAME.$DOMAIN"
1	root	381	FORWARD_IPV4=true
		382	EOF
841	richard	383	# config /etc/hosts
1	root	384	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		385	cat <<EOF > /etc/hosts
503	richard	386	127.0.0.1 localhost
1250	richard	387	$PRIVATE_IP $HOSTNAME.$DOMAIN
1	root	388	EOF
1336	richard	389	# Config EXTIF (Internet)
14	richard	390	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		391	DEVICE=$EXTIF
		392	BOOTPROTO=static
597	richard	393	IPADDR=$PUBLIC_IP
		394	NETMASK=$PUBLIC_NETMASK
		395	GATEWAY=$PUBLIC_GATEWAY
14	richard	396	DNS1=127.0.0.1
		397	ONBOOT=yes
		398	METRIC=10
		399	NOZEROCONF=yes
		400	MII_NOT_SUPPORTED=yes
		401	IPV6INIT=no
		402	IPV6TO4INIT=no
		403	ACCOUNTING=no
		404	USERCTL=no
994	franck	405	MTU=$MTU
14	richard	406	EOF
1336	richard	407	# Config INTIF (consultation LAN) in normal mode
841	richard	408	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		409	DEVICE=$INTIF
		410	BOOTPROTO=static
		411	ONBOOT=yes
		412	NOZEROCONF=yes
		413	MII_NOT_SUPPORTED=yes
		414	IPV6INIT=no
		415	IPV6TO4INIT=no
		416	ACCOUNTING=no
		417	USERCTL=no
1157	stephane	418	ETHTOOL_OPTS=$ETHTOOL_OPTS
841	richard	419	EOF
1336	richard	420	# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
793	richard	421	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
1	root	422	DEVICE=$INTIF
		423	BOOTPROTO=static
		424	IPADDR=$PRIVATE_IP
604	richard	425	NETMASK=$PRIVATE_NETMASK
1	root	426	ONBOOT=yes
		427	METRIC=10
		428	NOZEROCONF=yes
		429	MII_NOT_SUPPORTED=yes
14	richard	430	IPV6INIT=no
		431	IPV6TO4INIT=no
		432	ACCOUNTING=no
		433	USERCTL=no
1	root	434	EOF
440	franck	435	# Mise à l'heure du serveur
		436	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		437	cat <<EOF > /etc/ntp/step-tickers
455	franck	438	0.fr.pool.ntp.org # adapt to your country
		439	1.fr.pool.ntp.org
		440	2.fr.pool.ntp.org
440	franck	441	EOF
		442	# Configuration du serveur de temps (sur lui même)
1	root	443	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		444	cat <<EOF > /etc/ntp.conf
456	franck	445	server 0.fr.pool.ntp.org # adapt to your country
447	franck	446	server 1.fr.pool.ntp.org
		447	server 2.fr.pool.ntp.org
		448	server 127.127.1.0 # local clock si NTP internet indisponible ...
411	richard	449	fudge 127.127.1.0 stratum 10
604	richard	450	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
1	root	451	restrict 127.0.0.1
310	richard	452	driftfile /var/lib/ntp/drift
1	root	453	logfile /var/log/ntp.log
		454	EOF
440	franck	455
310	richard	456	chown -R ntp:ntp /var/lib/ntp
1	root	457	# Renseignement des fichiers hosts.allow et hosts.deny
		458	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		459	cat <<EOF > /etc/hosts.allow
		460	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	461	sshd: ALL
1	root	462	ntpd: $PRIVATE_NETWORK_SHORT
		463	EOF
		464	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		465	cat <<EOF > /etc/hosts.deny
		466	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		467	EOF
604	richard	468	# Firewall config
790	richard	469	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		470	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		471	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	472	# create the filter exception file and ip_bloqued file
790	richard	473	touch $DIR_DEST_ETC/alcasar-filter-exceptions
860	richard	474	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
1069	richard	475	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	476	# load conntrack ftp module
		477	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
		478	echo "ip_conntrack_ftp" >> /etc/modprobe.preload
1159	crox53	479	# load ipt_NETFLOW module
		480	echo "ipt_NETFLOW" >> /etc/modprobe.preload
1157	stephane	481	#
860	richard	482	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	483	} # End of network ()
		484
		485	##################################################################
1221	richard	486	## Function "ACC" ##
		487	## - installation du centre de gestion (ALCASAR Control Center) ##
1	root	488	## - configuration du serveur web (Apache) ##
		489	## - définition du 1er comptes de gestion ##
		490	## - sécurisation des accès ##
		491	##################################################################
1221	richard	492	ACC ()
1	root	493	{
		494	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		495	mkdir $DIR_WEB
		496	# Copie et configuration des fichiers du centre de gestion
316	richard	497	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972	richard	498	echo "$VERSION" > $DIR_WEB/VERSION
316	richard	499	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		500	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		501	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		502	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		503	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	504	chown -R apache:apache $DIR_WEB/*
840	richard	505	for i in system_backup base logs/firewall logs/httpd logs/squid logs/security;
1	root	506	do
		507	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		508	done
5	franck	509	chown -R root:apache $DIR_SAVE
71	richard	510	# Configuration et sécurisation php
		511	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	512	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		513	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	514	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		515	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71	richard	516	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		517	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
		518	# Configuration et sécurisation Apache
790	richard	519	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1	root	520	[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
1243	richard	521	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
303	richard	522	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1	root	523	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
		524	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
		525	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
790	richard	526	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
		527	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
		528	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
		529	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
		530	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
		531	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
990	franck	532	$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf
1	root	533	FIC_MOD_SSL=`find /etc/httpd/modules.d/ -type f -name *mod_ssl.conf`
		534	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" $FIC_MOD_SSL # On écoute en SSL que sur INTIF
		535	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /var/www/error/include/top.html
		536	[ -e /var/www/error/include/bottom.html.default ] \|\| mv /var/www/error/include/bottom.html /var/www/error/include/bottom.html.default
		537	cat <<EOF > /var/www/error/include/bottom.html
		538	</body>
		539	</html>
		540	EOF
		541	# Définition du premier compte lié au profil 'admin'
509	richard	542	header_install
510	richard	543	if [ "$mode" = "install" ]
		544	then
613	richard	545	admin_portal=!
		546	PTN='^[a-zA-Z0-9-]*$'
		547	until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
		548	do
		549	header_install
		550	if [ $Lang == "fr" ]
		551	then
		552	echo ""
		553	echo "Définissez un premier compte d'administration du portail :"
		554	echo
		555	echo -n "Nom : "
		556	else
		557	echo ""
		558	echo "Define the first account allow to administrate the portal :"
		559	echo
		560	echo -n "Account : "
		561	fi
		562	read admin_portal
		563	if [ "$admin_portal" == "" ]
		564	then
		565	admin_portal=!
		566	fi
		567	done
1268	richard	568	# Creation of keys file for the admin account ("admin")
510	richard	569	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		570	mkdir -p $DIR_DEST_ETC/digest
		571	chmod 755 $DIR_DEST_ETC/digest
		572	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		573	do
1243	richard	574	/usr/sbin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
510	richard	575	done
		576	$DIR_DEST_SBIN/alcasar-profil.sh --list
		577	fi
434	richard	578	# synchronisation horaire
		579	ntpd -q -g &
1	root	580	# Sécurisation du centre
988	franck	581	rm -f /etc/httpd/conf/webapps.d/alcasar*
1	root	582	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	583	<Directory $DIR_ACC>
1	root	584	SSLRequireSSL
		585	AllowOverride None
		586	Order deny,allow
		587	Deny from all
		588	Allow from 127.0.0.1
		589	Allow from $PRIVATE_NETWORK_MASK
990	franck	590	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	591	require valid-user
		592	AuthType digest
1243	richard	593	AuthName $HOSTNAME.$DOMAIN
1	root	594	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	595	AuthUserFile $DIR_DEST_ETC/digest/key_all
1243	richard	596	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	597	</Directory>
316	richard	598	<Directory $DIR_ACC/admin>
1	root	599	SSLRequireSSL
		600	AllowOverride None
		601	Order deny,allow
		602	Deny from all
		603	Allow from 127.0.0.1
		604	Allow from $PRIVATE_NETWORK_MASK
990	franck	605	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	606	require valid-user
		607	AuthType digest
1243	richard	608	AuthName $HOSTNAME.$DOMAIN
1	root	609	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	610	AuthUserFile $DIR_DEST_ETC/digest/key_admin
1243	richard	611	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	612	</Directory>
344	richard	613	<Directory $DIR_ACC/manager>
1	root	614	SSLRequireSSL
		615	AllowOverride None
		616	Order deny,allow
		617	Deny from all
		618	Allow from 127.0.0.1
		619	Allow from $PRIVATE_NETWORK_MASK
990	franck	620	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	621	require valid-user
		622	AuthType digest
1243	richard	623	AuthName $HOSTNAME.$DOMAIN
1	root	624	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	625	AuthUserFile $DIR_DEST_ETC/digest/key_manager
1243	richard	626	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	627	</Directory>
316	richard	628	<Directory $DIR_ACC/backup>
		629	SSLRequireSSL
		630	AllowOverride None
		631	Order deny,allow
		632	Deny from all
		633	Allow from 127.0.0.1
		634	Allow from $PRIVATE_NETWORK_MASK
990	franck	635	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
316	richard	636	require valid-user
		637	AuthType digest
1243	richard	638	AuthName $HOSTNAME.$DOMAIN
316	richard	639	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	640	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	641	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
316	richard	642	</Directory>
811	richard	643	Alias /save/ "$DIR_SAVE/"
		644	<Directory $DIR_SAVE>
		645	SSLRequireSSL
		646	Options Indexes
		647	Order deny,allow
		648	Deny from all
		649	Allow from 127.0.0.1
		650	Allow from $PRIVATE_NETWORK_MASK
990	franck	651	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
811	richard	652	require valid-user
		653	AuthType digest
1243	richard	654	AuthName $HOSTNAME.$DOMAIN
811	richard	655	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	656	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
811	richard	657	</Directory>
1	root	658	EOF
1221	richard	659	} # End of ACC()
1	root	660
		661	##########################################################################################
1221	richard	662	## Fonction "CA" ##
1	root	663	## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
		664	##########################################################################################
1221	richard	665	CA ()
1	root	666	{
		667	$SED "s?ifcfg-eth.?ifcfg-$INTIF?g" $DIR_DEST_BIN/alcasar-CA.sh
510	richard	668	$DIR_DEST_BIN/alcasar-CA.sh
800	richard	669	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	670	[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
		671	$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
		672	$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
679	richard	673	$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
5	franck	674	chown -R root:apache /etc/pki
1	root	675	chmod -R 750 /etc/pki
1221	richard	676	} # End CA ()
1	root	677
		678	##########################################################################################
1221	richard	679	## Fonction "init_db" ##
1	root	680	## - Initialisation de la base Mysql ##
		681	## - Affectation du mot de passe de l'administrateur (root) ##
		682	## - Suppression des bases et des utilisateurs superflus ##
		683	## - Création de la base 'radius' ##
		684	## - Installation du schéma de cette base ##
		685	## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##
		686	## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##
		687	##########################################################################################
		688	init_db ()
		689	{
		690	mkdir -p /var/lib/mysql/.tmp
1008	richard	691	chown -R mysql:mysql /var/lib/mysql/
227	franck	692	[ -e /etc/my.cnf.rpmnew ] && mv /etc/my.cnf.rpmnew /etc/my.cnf # prend en compte les migrations de MySQL
1	root	693	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
		694	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
		695	/etc/init.d/mysqld start
		696	sleep 4
		697	mysqladmin -u root password $mysqlpwd
		698	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
615	richard	699	# Delete exemple databases if exist
1	root	700	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;CONNECT mysql;DELETE from user where user='';FLUSH PRIVILEGES;"
615	richard	701	# Create 'radius' database
1317	richard	702	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
615	richard	703	# Add an empty radius database structure
364	franck	704	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
615	richard	705	# modify the start script in order to close accounting connexion when the system is comming down or up
		706	[ -e /etc/init.d/mysqld.default ] \|\| cp /etc/init.d/mysqld /etc/init.d/mysqld.default
		707	$SED "/wait_for_pid created/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
		708	$SED "/'stop')/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
1	root	709	} # End init_db ()
		710
		711	##########################################################################
1221	richard	712	## Fonction "param_radius" ##
1	root	713	## - Paramètrage des fichiers de configuration FreeRadius ##
		714	## - Affectation du secret partagé entre coova-chilli et freeradius ##
		715	## - Modification de fichier de conf pour l'accès à Mysql ##
		716	##########################################################################
		717	param_radius ()
		718	{
		719	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
		720	chown -R radius:radius /etc/raddb
		721	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1278	richard	722	# Set radius.conf parameters
1	root	723	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		724	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		725	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
1278	richard	726	# remove the proxy function
1	root	727	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf
		728	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
1278	richard	729	# remove EAP module
654	richard	730	$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1278	richard	731	# listen on loopback (should be modified later if EAP enabled)
1	root	732	$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
1278	richard	733	# enable the SQL module (and SQL counter)
1	root	734	$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
		735	$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
		736	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1278	richard	737	# remvove virtual server and copy our conf file
1	root	738	rm -f /etc/raddb/sites-enabled/*
1278	richard	739	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1	root	740	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
		741	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
		742	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
		743	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
384	richard	744	# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1	root	745	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1278	richard	746	# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1	root	747	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		748	cat << EOF > /etc/raddb/clients.conf
		749	client 127.0.0.1 {
		750	secret = $secretradius
		751	shortname = localhost
		752	}
		753	EOF
1278	richard	754	# sql.conf modification
1	root	755	[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
		756	$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
		757	$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
		758	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
		759	$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf
1278	richard	760	# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.)
1	root	761	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1278	richard	762	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
		763	# counter.conf modification (change the Max-All-Session-Time counter)
		764	[ -e /etc/raddb/sql/mysql/counter.conf.default ] \|\| cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
		765	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
		766	chown -R radius:radius /etc/raddb/sql/mysql/*
1114	richard	767	# insures that mysql is up before radius start
1184	crox53	768	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1157	stephane	769
1	root	770	} # End param_radius ()
		771
		772	##########################################################################
1221	richard	773	## Function "param_web_radius" ##
1	root	774	## - Import, modification et paramètrage de l'interface "dialupadmin" ##
		775	## - Création du lien vers la page de changement de mot de passe ##
		776	##########################################################################
		777	param_web_radius ()
		778	{
		779	# copie de l'interface d'origine dans la structure Alcasar
316	richard	780	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
		781	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme
		782	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
344	richard	783	# copie des fichiers modifiés
		784	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
316	richard	785	chown -R apache:apache $DIR_ACC/manager/
344	richard	786	# Modification des fichiers de configuration
1	root	787	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
503	richard	788	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1	root	789	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		790	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		791	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
		792	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
		793	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
		794	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
		795	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
946	richard	796	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
344	richard	797	[ -e /etc/freeradius-web/config.php.default ] \|\| cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
1278	richard	798	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
131	richard	799	cat <<EOF > /etc/freeradius-web/naslist.conf
632	richard	800	nas1_name: alcasar-$ORGANISME
1	root	801	nas1_model: Portail captif
		802	nas1_ip: $PRIVATE_IP
		803	nas1_port_num: 0
		804	nas1_community: public
		805	EOF
		806	# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
		807	[ -e /etc/freeradius-web/user_edit.attrs.default ] \|\| mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
1278	richard	808	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
114	richard	809	# Ajout du mappage des attributs chillispot
		810	[ -e /etc/freeradius-web/sql.attrmap.default ] \|\| mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
1278	richard	811	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
1	root	812	# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
1278	richard	813	[ -e /etc/freeradius-web/sql.attrs.default ] \|\| cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
1	root	814	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
		815	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
5	franck	816	chown -R apache:apache /etc/freeradius-web
1	root	817	# Ajout de l'alias vers la page de "changement de mot de passe usager"
		818	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
344	richard	819	<Directory $DIR_WEB/pass>
1	root	820	SSLRequireSSL
		821	AllowOverride None
		822	Order deny,allow
		823	Deny from all
		824	Allow from 127.0.0.1
		825	Allow from $PRIVATE_NETWORK_MASK
1243	richard	826	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
1	root	827	</Directory>
		828	EOF
		829	} # End of param_web_radius ()
		830
799	richard	831	##################################################################################
1221	richard	832	## Fonction "param_chilli" ##
799	richard	833	## - Création du fichier d'initialisation et de configuration de coova-chilli ##
		834	## - Paramètrage de la page d'authentification (intercept.php) ##
		835	##################################################################################
1	root	836	param_chilli ()
		837	{
799	richard	838	# init file creation
461	richard	839	[ -e /etc/init.d/chilli.default ] \|\| cp /etc/init.d/chilli /etc/init.d/chilli.default
799	richard	840	cat <<EOF > /etc/init.d/chilli
		841	#!/bin/sh
		842	#
		843	# chilli CoovaChilli init
		844	#
		845	# chkconfig: 2345 65 35
		846	# description: CoovaChilli
		847	### BEGIN INIT INFO
		848	# Provides: chilli
		849	# Required-Start: network
		850	# Should-Start:
		851	# Required-Stop: network
		852	# Should-Stop:
		853	# Default-Start: 2 3 5
		854	# Default-Stop:
		855	# Description: CoovaChilli access controller
		856	### END INIT INFO
		857
		858	[ -f /usr/sbin/chilli ] \|\| exit 0
		859	. /etc/init.d/functions
		860	CONFIG=/etc/chilli.conf
		861	pidfile=/var/run/chilli.pid
		862	[ -f \$CONFIG ] \|\| {
		863	echo "\$CONFIG Not found"
		864	exit 0
		865	}
		866	RETVAL=0
		867	prog="chilli"
		868	case \$1 in
		869	start)
		870	if [ -f \$pidfile ] ; then
		871	gprintf "chilli is already running"
		872	else
		873	gprintf "Starting \$prog: "
		874	rm -f /var/run/chilli* # cleaning
		875	/sbin/modprobe tun >/dev/null 2>&1
		876	echo 1 > /proc/sys/net/ipv4/ip_forward
		877	[ -e /dev/net/tun ] \|\| {
		878	(cd /dev;
		879	mkdir net;
		880	cd net;
		881	mknod tun c 10 200)
		882	}
1336	richard	883	ifconfig $INTIF 0.0.0.0
799	richard	884	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		885	RETVAL=$?
		886	fi
		887	;;
		888
		889	reload)
		890	killall -HUP chilli
		891	;;
		892
		893	restart)
		894	\$0 stop
		895	sleep 2
		896	\$0 start
		897	;;
		898
		899	status)
		900	status chilli
		901	RETVAL=0
		902	;;
		903
		904	stop)
		905	if [ -f \$pidfile ] ; then
		906	gprintf "Shutting down \$prog: "
		907	killproc /usr/sbin/chilli
		908	RETVAL=\$?
		909	[ \$RETVAL = 0 ] && rm -f $pidfile
		910	else
		911	gprintf "chilli is not running"
		912	fi
		913	;;
		914
		915	*)
		916	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		917	exit 1
		918	esac
		919	echo
		920	EOF
		921
		922	# conf file creation
346	richard	923	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
		924	cat <<EOF > /etc/chilli.conf
		925	# coova config for ALCASAR
		926	cmdsocket /var/run/chilli.sock
1336	richard	927	unixipc chilli.$INTIF.ipc
		928	pidfile /var/run/chilli.$INTIF.pid
346	richard	929	net $PRIVATE_NETWORK_MASK
595	richard	930	dhcpif $INTIF
841	richard	931	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	932	#nodynip
865	richard	933	#statip
		934	dynip $PRIVATE_NETWORK_MASK
1249	richard	935	domain $DOMAIN
355	richard	936	dns1 $PRIVATE_IP
		937	dns2 $PRIVATE_IP
346	richard	938	uamlisten $PRIVATE_IP
503	richard	939	uamport 3990
837	richard	940	macauth
		941	macpasswd password
1243	richard	942	locationname $HOSTNAME.$DOMAIN
346	richard	943	radiusserver1 127.0.0.1
		944	radiusserver2 127.0.0.1
		945	radiussecret $secretradius
		946	radiusauthport 1812
		947	radiusacctport 1813
1243	richard	948	uamserver https://$HOSTNAME.$DOMAIN/intercept.php
		949	radiusnasid $HOSTNAME.$DOMAIN
346	richard	950	uamsecret $secretuam
1249	richard	951	uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN
346	richard	952	coaport 3799
1299	richard	953	#conup $DIR_DEST_BIN/alcasar-conup.sh
		954	#condown $DIR_DEST_BIN/alcasar-condown.sh
503	richard	955	include $DIR_DEST_ETC/alcasar-uamallowed
		956	include $DIR_DEST_ETC/alcasar-uamdomain
1294	richard	957	#dhcpgateway
1157	stephane	958	#dhcprelayagent
		959	#dhcpgatewayport
346	richard	960	EOF
1336	richard	961	# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
977	richard	962	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
840	richard	963	# create files for trusted domains and urls
1148	crox53	964	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	965	chown root:apache $DIR_DEST_ETC/alcasar-*
		966	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	967	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	968	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
		969	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
796	richard	970	# user 'chilli' creation (in order to run conup/off and up/down scripts
		971	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		972	if [ "$chilli_exist" == "1" ]
		973	then
		974	userdel -r chilli 2>/dev/null
		975	fi
		976	groupadd -f chilli
		977	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1	root	978	} # End of param_chilli ()
		979
		980	##########################################################
1221	richard	981	## Fonction "param_squid" ##
1	root	982	## - Paramètrage du proxy 'squid' en mode 'cache' ##
		983	## - Initialisation de la base de données ##
		984	##########################################################
		985	param_squid ()
		986	{
		987	# paramètrage de Squid (connecté en série derrière Dansguardian)
		988	[ -e /etc/squid/squid.conf.default ] \|\| cp /etc/squid/squid.conf /etc/squid/squid.conf.default
		989	# suppression des références 'localnet', 'icp', 'htcp' et 'always_direct'
		990	$SED "/^acl localnet/d" /etc/squid/squid.conf
		991	$SED "/^icp_access allow localnet/d" /etc/squid/squid.conf
		992	$SED "/^icp_port 3130/d" /etc/squid/squid.conf
		993	$SED "/^http_access allow localnet/d" /etc/squid/squid.conf
		994	$SED "/^htcp_access allow localnet/d" /etc/squid/squid.conf
		995	$SED "/^always_direct allow localnet/d" /etc/squid/squid.conf
		996	# mode 'proxy transparent local'
595	richard	997	$SED "s?^http_port.*?http_port 127.0.0.1:3128 transparent?g" /etc/squid/squid.conf
726	franck	998	# Configuration du cache local
749	franck	999	$SED "s?^#cache_dir.*?cache_dir ufs \/var\/spool\/squid 256 16 256?g" /etc/squid/squid.conf
1159	crox53	1000	# désactivation des "access log"
		1001	echo '#Disable access log' >> /etc/squid/squid.conf
		1002	echo "access_log none" >> /etc/squid/squid.conf
835	richard	1003	# anonymisation of squid version
813	richard	1004	echo "via off" >> /etc/squid/squid.conf
835	richard	1005	# remove the 'X_forwarded' http option
812	richard	1006	echo "forwarded_for delete" >> /etc/squid/squid.conf
835	richard	1007	# linked squid output in HAVP input
		1008	echo "cache_peer 127.0.0.1 parent 8090 0 no-query default" >> /etc/squid/squid.conf
		1009	echo "never_direct allow all" >> /etc/squid/squid.conf
		1010	# avoid error messages on network interfaces state changes
313	richard	1011	$SED "s?^SQUID_AUTO_RELOAD.*?SQUID_AUTO_RELOAD=no?g" /etc/sysconfig/squid
894	richard	1012	# reduce squid shutdown time (100 to 50)
		1013	$SED "s?^SQUID_SHUTDOWN_TIMEOUT.*?SQUID_SHUTDOWN_TIMEOUT=50?g" /etc/sysconfig/squid
		1014
835	richard	1015	# Squid cache init
1	root	1016	/usr/sbin/squid -z
		1017	} # End of param_squid ()
		1018
		1019	##################################################################
1221	richard	1020	## Fonction "param_dansguardian" ##
1	root	1021	## - Paramètrage du gestionnaire de contenu Dansguardian ##
		1022	##################################################################
		1023	param_dansguardian ()
		1024	{
		1025	mkdir /var/dansguardian
		1026	chown dansguardian /var/dansguardian
497	richard	1027	[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1293	richard	1028	# By default the filter is off
497	richard	1029	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1293	richard	1030	# French deny HTML page
497	richard	1031	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1293	richard	1032	# Listen only on LAN side
497	richard	1033	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1293	richard	1034	# DG send its flow to SQUID
835	richard	1035	$SED "s?^proxyport.*?proxyport = 3128?g" $DIR_DG/dansguardian.conf
1293	richard	1036	# replace the default deny HTML page
1	root	1037	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
		1038	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1293	richard	1039	# Don't log
		1040	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
		1041	# Run 10 daemons (20 in largest server)
659	richard	1042	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1	root	1043	# on désactive par défaut le controle de contenu des pages html
497	richard	1044	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
		1045	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1046	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1	root	1047	# on désactive par défaut le contrôle d'URL par expressions régulières
497	richard	1048	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1049	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1	root	1050	# on désactive par défaut le contrôle de téléchargement de fichiers
497	richard	1051	[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
		1052	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
		1053	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1054	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1055	touch $DIR_DG/lists/bannedextensionlist
		1056	touch $DIR_DG/lists/bannedmimetypelist
		1057	# 'Safesearch' regex actualisation
498	richard	1058	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1059	# empty LAN IP list that won't be WEB filtered
		1060	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1061	touch $DIR_DG/lists/exceptioniplist
		1062	# Keep a copy of URL & domain filter configuration files
		1063	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1064	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1	root	1065	} # End of param_dansguardian ()
		1066
71	richard	1067	##################################################################
1221	richard	1068	## Fonction "antivirus" ##
479	richard	1069	## - configuration havp + libclamav ##
71	richard	1070	##################################################################
		1071	antivirus ()
		1072	{
288	richard	1073	# création de l'usager 'havp'
		1074	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1075	if [ "$havp_exist" == "1" ]
288	richard	1076	then
478	richard	1077	userdel -r havp 2>/dev/null
894	richard	1078	groupdel havp 2>/dev/null
288	richard	1079	fi
307	richard	1080	groupadd -f havp
796	richard	1081	useradd -r -g havp -s /bin/false -c "system user for havp" havp
476	richard	1082	mkdir -p /var/tmp/havp /var/log/havp
		1083	chown -R havp /var/tmp/havp /var/log/havp /var/run/havp
109	richard	1084	# configuration d'HAVP
		1085	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1086	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
631	richard	1087	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on 8090
		1088	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
990	franck	1089	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1090	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1091	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1092	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1093	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1094	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1007	richard	1095	# skip checking of youtube flow (too heavy load / risk too low)
		1096	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1097	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1098	echo ".youtube.com/" >> /etc/havp/whitelist
481	franck	1099	# remplacement du fichier d'initialisation
335	richard	1100	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
1005	richard	1101	# if keep old init file : $SED "/$HAVP_BIN -c $HAVP_CONFIG/i chown -R havp:havp \/var\/tmp\/havp" /etc/init.d/havp
481	franck	1102	cp -f $DIR_CONF/havp-init /etc/init.d/havp
340	richard	1103	# on remplace la page d'interception (template)
		1104	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1105	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
489	richard	1106	# automatisation de la mise à jour de la base antivirale (toutes les 2 heures)
		1107	$SED "s?^Checks.*?Checks 12?g" /etc/freshclam.conf
		1108	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
734	richard	1109	# Virus database update
		1110	rm -f /var/lib/clamav/*.cld # in case of old database scheme
1005	richard	1111	cp -f $DIR_CONF/clamav-main.cvd /var/lib/clamav/main.cvd
		1112	/usr/bin/freshclam
71	richard	1113	}
		1114
1	root	1115	##################################################################################
1221	richard	1116	## function "param_ulogd" ##
476	richard	1117	## - Ulog config for multi-log files ##
		1118	##################################################################################
		1119	param_ulogd ()
		1120	{
		1121	# Three instances of ulogd (three different logfiles)
		1122	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1123	nl=1
1244	richard	1124	for log_type in tracability ssh ext-access
478	richard	1125	do
		1126	[ -e /var/log/firewall/$log_type.log ] \|\| touch /var/log/firewall/$log_type.log
		1127	cp -f /etc/ulogd.conf /etc/ulogd-$log_type.conf
		1128	$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
		1129	$SED '/OPRINT/,$d' /etc/ulogd-$log_type.conf
		1130	cat << EOF >> /etc/ulogd-$log_type.conf
		1131	[LOGEMU]
		1132	file="/var/log/firewall/$log_type.log"
		1133	sync=1
		1134	EOF
		1135	nl=`expr $nl + 1`
		1136	done
476	richard	1137	chown -R root:apache /var/log/firewall
		1138	chmod 750 /var/log/firewall
		1139	chmod 640 /var/log/firewall/*
		1140	[ -e /etc/init.d/ulogd.default ] \|\| cp /etc/init.d/ulogd /etc/init.d/ulogd.default
		1141	cp -f $DIR_CONF/ulogd-init /etc/init.d/ulogd
		1142	} # End of param_ulogd ()
		1143
1159	crox53	1144
		1145	##########################################################
1221	richard	1146	## Function "param_nfsen" ##
1159	crox53	1147	##########################################################
		1148	param_nfsen()
1	root	1149	{
1159	crox53	1150	#Decompression tarball
1221	richard	1151	tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
1159	crox53	1152	#Création groupe et utilisteur
1221	richard	1153	if grep "^www-data:" /etc/group > /dev/null; then
		1154	echo "Group already exists !"
		1155	else
		1156	groupadd www-data
		1157	echo "Group 'www-data' created !"
		1158	fi
		1159	if grep "^nfsen:" /etc/passwd > /dev/null; then
		1160	echo "User already exists !"
		1161	else
		1162	useradd -m nfsen
		1163	echo "User 'nfsen' created !"
		1164	fi
		1165	usermod -G www-data nfsen
1159	crox53	1166	#Ajout du plugin nfsen : PortTracker
1221	richard	1167	mkdir -p /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
		1168	chown -R nfsen:www-data /var/www/nfsen
		1169	chown -R apache:apache /usr/share/nfsen /var/log/netflow/porttracker
		1170	cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
1159	crox53	1171	#Copie du fichier de conf modifié de nfsen
1221	richard	1172	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
1159	crox53	1173	#Copie du script d'initialisation de nfsen
1221	richard	1174	cp $DIR_CONF/nfsen/nfsen.service /lib/systemd/system/
1159	crox53	1175	#Installation de nfsen via le scrip Perl
1221	richard	1176	DirTmp=$(pwd)
		1177	cd /tmp/nfsen-1.3.6p1/
		1178	/usr/bin/perl5 install.pl etc/nfsen.conf #script lancé deux fois pour corriger,
		1179	/usr/bin/perl5 install.pl etc/nfsen.conf #un problème Perl : "Semaphore introuvable"
1159	crox53	1180	#Création de la DB pour rrdtool
1221	richard	1181	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
		1182	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
		1183	sudo -u apache nftrack -I -d /var/log/netflow/porttracker
		1184	chown -R apache:www-data /var/log/netflow/porttracker/
		1185	chmod -R 775 /var/log/netflow/porttracker
1159	crox53	1186	#Configuration du fichier de conf d'apache
1221	richard	1187	if [ -f /etc/httpd/conf.d/nfsen.conf ];then
		1188	rm -f /etc/httpd/conf.d/nfsen.conf
		1189	fi
		1190	cat <<EOF >> /etc/httpd/conf.d/nfsen.conf
1159	crox53	1191	Alias /nfsen /var/www/nfsen
		1192	<Directory /var/www/nfsen/>
		1193	DirectoryIndex nfsen.php
		1194	Options -Indexes
		1195	AllowOverride all
		1196	order allow,deny
		1197	allow from all
		1198	AddType application/x-httpd-php .php
		1199	php_flag magic_quotes_gpc on
		1200	php_flag track_vars on
1	root	1201	</Directory>
		1202	EOF
1223	crox53	1203	#Ajout du paramètre : IP d'écoute pour le collecteur (nfcapd)
1229	crox53	1204	$SED s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1";'?g /usr/libexec/NfSenRC.pm
1210	crox53	1205	#Configuration du délais d'expiration des captures du profile "live"
1250	richard	1206	nfsen -m live -e 62d 2>/dev/null
1159	crox53	1207	#Suppression des sources de nfsen
1221	richard	1208	cd $DirTmp
		1209	rm -rf /tmp/nfsen-1.3.6p1/
1159	crox53	1210	} # End of param_nfsen
1	root	1211
		1212	##########################################################
1221	richard	1213	## Function "param_dnsmasq" ##
1	root	1214	##########################################################
219	jeremy	1215	param_dnsmasq ()
		1216	{
		1217	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
259	richard	1218	$SED "s?^DHCP_LEASE=.*?DHCP_LEASE=/var/log/dnsmasq/lease.log?g" /etc/sysconfig/dnsmasq # fichier contenant les baux
503	richard	1219	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
520	richard	1220	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if bypass is on.
503	richard	1221	cat << EOF > /etc/dnsmasq.conf
520	richard	1222	# Configuration file for "dnsmasq in forward mode"
503	richard	1223	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
259	richard	1224	listen-address=$PRIVATE_IP
		1225	listen-address=127.0.0.1
286	richard	1226	no-dhcp-interface=$INTIF
259	richard	1227	bind-interfaces
		1228	cache-size=256
		1229	domain=$DOMAIN
		1230	domain-needed
		1231	expand-hosts
		1232	bogus-priv
		1233	filterwin2k
		1234	server=$DNS1
		1235	server=$DNS2
498	richard	1236	# le servive DHCP est configuré mais n'est exploité que pour le "bypass"
865	richard	1237	dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
632	richard	1238	dhcp-option=option:router,$PRIVATE_IP
259	richard	1239	#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
		1240
291	franck	1241	# Exemple de configuration statique : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1242	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1243	EOF
520	richard	1244	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blackhole")
		1245	cat << EOF > /etc/dnsmasq-blackhole.conf
		1246	# Configuration file for "dnsmasq with blackhole"
		1247	# Inclusion de la blacklist <domains> de Toulouse dans la configuration
1015	richard	1248	conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
503	richard	1249	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
498	richard	1250	listen-address=$PRIVATE_IP
		1251	port=54
		1252	no-dhcp-interface=$INTIF
		1253	bind-interfaces
		1254	cache-size=256
		1255	domain=$DOMAIN
		1256	domain-needed
		1257	expand-hosts
		1258	bogus-priv
		1259	filterwin2k
		1260	server=$DNS1
		1261	server=$DNS2
		1262	EOF
718	franck	1263
800	richard	1264	# Init file modification
1221	richard	1265	[ -e /etc/init.d/dnsmasq.default ] \|\| cp /etc/init.d/dnsmasq /etc/init.d/dnsmasq.default
800	richard	1266	# Start and stop a 2nd process for the "DNS blackhole"
1221	richard	1267	cp -f $DIR_CONF/dnsmasq /etc/init.d/dnsmasq
800	richard	1268	# Start after chilli (65) which create tun0
1221	richard	1269	$SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
933	franck	1270	# Optionnellement on pré-active les logs DNS des clients
1221	richard	1271	[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
		1272	$SED "s?log-facility?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq
1157	stephane	1273	# Optionnellement, exemple de paramètre supplémentaire pour le cache memoire
1221	richard	1274	echo '#OPTIONS="$OPTIONS --cache-size=250"' >> /etc/sysconfig/dnsmasq
933	franck	1275	# Optionnellement, exemple de configuration avec un A.D.
1221	richard	1276	echo '#OPTIONS="$OPTIONS --server=/your.domain/192.168.182.3"' >> /etc/sysconfig/dnsmasq
308	richard	1277	} # End dnsmasq
		1278
		1279	##########################################################
1221	richard	1280	## Fonction "BL" ##
308	richard	1281	##########################################################
		1282	BL ()
		1283	{
		1284	# on copie par défaut la BL de toulouse embarqués dans l'archive d'ALCASAR
648	richard	1285	rm -rf $DIR_DG/lists/blacklists
		1286	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
878	richard	1287	# on crée le répertoire ossi (noms de domaine et URLs ajoutés à la BL)
		1288	mkdir $DIR_DG/lists/blacklists/ossi
1041	richard	1289	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
		1290	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
309	richard	1291	# On crée les fichiers vides de sites ou d'URL réhabilités
648	richard	1292	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1293	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1294	touch $DIR_DG/lists/exceptionsitelist
		1295	touch $DIR_DG/lists/exceptionurllist
311	richard	1296	# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
648	richard	1297	cat <<EOF > $DIR_DG/lists/bannedurllist
311	richard	1298	# Dansguardian filter config for ALCASAR
		1299	EOF
648	richard	1300	cat <<EOF > $DIR_DG/lists/bannedsitelist
311	richard	1301	# Dansguardian domain filter config for ALCASAR
		1302	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1303	#**
		1304	# block all SSL and CONNECT tunnels
		1305	**s
		1306	# block all SSL and CONNECT tunnels specified only as an IP
		1307	*ips
		1308	# block all sites specified only by an IP
		1309	*ip
		1310	EOF
1000	richard	1311	# Add Bing and Youtube to the safesearch url regext list (parental control)
878	richard	1312	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1313	# Bing - add 'adlt=strict'
		1314	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1315	# Youtube - add 'edufilter=your_ID'
885	richard	1316	#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"
878	richard	1317	EOF
1000	richard	1318	# change the the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1319	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
648	richard	1320	chown -R dansguardian:apache $DIR_DG
		1321	chmod -R g+rw $DIR_DG
786	richard	1322	# On adapte la BL de Toulouse à notre structure
654	richard	1323	if [ "$mode" != "update" ]; then
		1324	$DIR_DEST_SBIN/alcasar-bl.sh --adapt
		1325	fi
308	richard	1326	}
219	jeremy	1327
1	root	1328	##########################################################
1221	richard	1329	## Fonction "cron" ##
1	root	1330	## - Mise en place des différents fichiers de cron ##
		1331	##########################################################
		1332	cron ()
		1333	{
		1334	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1335	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1336	cat <<EOF > /etc/crontab
		1337	SHELL=/bin/bash
		1338	PATH=/sbin:/bin:/usr/sbin:/usr/bin
		1339	MAILTO=root
		1340	HOME=/
		1341
		1342	# run-parts
		1343	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1344	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1345	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1346	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1347	EOF
		1348	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1349	cat <<EOF >> /etc/anacrontab
667	franck	1350	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
		1351	7 10 cron.logExport nice /etc/cron.d/alcasar-export_log
		1352	7 15 cron.logClean nice /etc/cron.d/alcasar-clean_log
		1353	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1354	EOF
1247	crox53	1355
811	richard	1356	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1357	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
955	richard	1358	45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
905	franck	1359	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
917	franck	1360	40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1361	EOF
952	franck	1362	cat <<EOF > /etc/cron.d/alcasar-archive
		1363	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1364	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1365	EOF
667	franck	1366	cat << EOF > /etc/cron.d/alcasar-clean_import
713	franck	1367	# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
503	richard	1368	30 * * * * root $DIR_DEST_BIN/alcasar-import-clean.sh
168	franck	1369	EOF
722	franck	1370	cat << EOF > /etc/cron.d/alcasar-distrib-updates
		1371	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1372	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1373	EOF
1247	crox53	1374	#cat << EOF > /etc/cron.d/alcasar-netflow
1159	crox53	1375	# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
1247	crox53	1376	#15 0 * * 1 root $DIR_DEST_BIN/alcasar-netflow.sh
		1377	#EOF
1159	crox53	1378
1	root	1379	# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
		1380	# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
		1381	# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
		1382	# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
		1383	# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
		1384	# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
		1385	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
		1386	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
		1387	rm -f /etc/cron.daily/freeradius-web
		1388	rm -f /etc/cron.monthly/freeradius-web
		1389	cat << EOF > /etc/cron.d/freeradius-web
		1390	1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
		1391	5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
		1392	10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
		1393	15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
		1394	EOF
671	franck	1395	cat << EOF > /etc/cron.d/alcasar-watchdog
713	franck	1396	# activation du "chien de garde" (watchdog) toutes les 3'
1	root	1397	/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
		1398	EOF
808	franck	1399	# activation du "chien de garde des services" (watchdog) toutes les 18'
		1400	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
		1401	# activation du "chien de garde" (daemon-watchdog) toutes les 18'
		1402	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1403	EOF
522	richard	1404	# suppression des crons usagers
		1405	rm -f /var/spool/cron/*
1	root	1406	} # End cron
		1407
		1408	##################################################################
1221	richard	1409	## Fonction "Fail2Ban" ##
1163	crox53	1410	##- Modification de la configuration de fail2ban ##
		1411	##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ##
		1412	##################################################################
		1413	fail2ban()
		1414	{
1191	crox53	1415	$DIR_CONF/fail2ban.sh
1192	crox53	1416	#Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
		1417	[ -e /var/log/fail2ban.log ] \|\| touch /var/log/fail2ban.log
		1418	[ -e /var/Save/logs/security/watchdog.log ] \|\| touch /var/Save/logs/security/watchdog.log
1165	crox53	1419	chmod 644 /var/log/fail2ban.log
1192	crox53	1420	chmod 644 /var/Save/logs/security/watchdog.log
1163	crox53	1421	} #Fin de fail2ban_install()
		1422
		1423	##################################################################
1221	richard	1424	## Fonction "post_install" ##
1	root	1425	## - Modification des bannières (locales et ssh) et des prompts ##
		1426	## - Installation de la structure de chiffrement pour root ##
		1427	## - Mise en place du sudoers et de la sécurité sur les fichiers##
		1428	## - Mise en place du la rotation des logs ##
5	franck	1429	## - Configuration dans le cas d'une mise à jour ##
1	root	1430	##################################################################
		1431	post_install()
		1432	{
		1433	# adaptation du script "chien de garde" (watchdog)
376	franck	1434	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
		1435	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
1	root	1436	# création de la bannière locale
1007	richard	1437	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		1438	cp -f $DIR_CONF/banner /etc/mageia-release
		1439	echo " V$VERSION" >> /etc/mageia-release
1	root	1440	# création de la bannière SSH
1007	richard	1441	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
5	franck	1442	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1443	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1444	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1445	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1446	# postfix banner anonymisation
		1447	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
604	richard	1448	# sshd écoute côté LAN et WAN
1	root	1449	$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
604	richard	1450	$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
860	richard	1451	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
628	richard	1452	echo "SSH=off" >> $CONF_FILE
1063	richard	1453	echo 'SSH_ADMIN_FROM=0.0.0.0/0.0.0.0' >> $CONF_FILE
628	richard	1454	echo "QOS=off" >> $CONF_FILE
		1455	echo "LDAP=off" >> $CONF_FILE
786	richard	1456	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
885	richard	1457	echo "WEB_ANTIVIRUS=on" >> $CONF_FILE
628	richard	1458	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
		1459	echo "DNS_FILTERING=off" >> $CONF_FILE
885	richard	1460	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1078	franck	1461	echo "MULTIWAN=off" >> $CONF_FILE
		1462	echo "FAILOVER=30" >> $CONF_FILE
		1463	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1336	richard	1464	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
		1465	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1	root	1466	# Coloration des prompts
		1467	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1468	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1469	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1	root	1470	# Droits d'exécution pour utilisateur apache et sysadmin
		1471	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1472	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1473	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
132	franck	1474	# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, squid, radiusd, ulogd)
1	root	1475	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		1476	chmod 644 /etc/logrotate.d/*
714	franck	1477	# rectification sur versions précédentes de la compression des logs
706	franck	1478	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		1479	# actualisation des fichiers logs compressés
714	franck	1480	for dir in firewall squid dansguardian httpd
706	franck	1481	do
714	franck	1482	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	1483	done
1221	richard	1484	# create the alcasar-load_balancing unit
		1485	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1184	crox53	1486	# This file is part of systemd.
		1487	#
		1488	# systemd is free software; you can redistribute it and/or modify it
		1489	# under the terms of the GNU General Public License as published by
		1490	# the Free Software Foundation; either version 2 of the License, or
		1491	# (at your option) any later version.
		1492
		1493	# This unit lauches alcasar-load-balancing.sh script.
		1494	[Unit]
		1495	Description=alcasar-load_balancing.sh execution
		1496	After=network.target iptables.service
		1497
		1498	[Service]
		1499	Type=oneshot
		1500	RemainAfterExit=yes
		1501	ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
		1502	ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
		1503	TimeoutSec=0
		1504	SysVStartPriority=99
		1505
		1506	[Install]
		1507	WantedBy=multi-user.target
1157	stephane	1508	EOF
1221	richard	1509	# processes launched at boot time (SYSV)
		1510	for i in ntpd iptables ulogd dnsmasq squid chilli httpd radiusd netfs mysqld dansguardian havp freshclam
		1511	do
		1512	/sbin/chkconfig --add $i
		1513	done
		1514	# processes launched at boot time (Systemctl)
		1515	for i in alcasar-load_balancing.service nfsen.service
953	franck	1516
1221	richard	1517	do
		1518	systemctl enable $i
		1519	done
		1520	# Apply French Security Agency (ANSSI) rules
568	richard	1521	# ignorer les broadcast ICMP. (attaque smurf)
1221	richard	1522	sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
568	richard	1523	# ignorer les erreurs ICMP bogus
1221	richard	1524	sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
595	richard	1525	# désactiver l'envoi et la réponse aux ICMP redirects
1221	richard	1526	sysctl -w net.ipv4.conf.all.accept_redirects=0
		1527	accept_redirect=`grep accept_redirect /etc/sysctl.conf\|wc -l`
568	richard	1528	if [ "$accept_redirect" == "0" ]
		1529	then
679	richard	1530	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
		1531	else
		1532	$SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf
568	richard	1533	fi
1221	richard	1534	sysctl -w net.ipv4.conf.all.send_redirects=0
		1535	send_redirect=`grep send_redirect /etc/sysctl.conf\|wc -l`
568	richard	1536	if [ "$send_redirect" == "0" ]
		1537	then
679	richard	1538	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
		1539	else
		1540	$SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf
568	richard	1541	fi
		1542	# activer les SYN Cookies (attaque syn flood)
1221	richard	1543	sysctl -w net.ipv4.tcp_syncookies=1
		1544	tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf\|wc -l`
568	richard	1545	if [ "$tcp_syncookies" == "0" ]
		1546	then
679	richard	1547	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
		1548	else
		1549	$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf
568	richard	1550	fi
595	richard	1551	# activer l'antispoofing niveau Noyau
1221	richard	1552	sysctl -w net.ipv4.conf.all.rp_filter=1
568	richard	1553	# ignorer le source routing
1221	richard	1554	sysctl -w net.ipv4.conf.all.accept_source_route=0
		1555	accept_source_route=`grep accept_source_route /etc/sysctl.conf\|wc -l`
568	richard	1556	if [ "$accept_source_route" == "0" ]
		1557	then
679	richard	1558	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
		1559	else
		1560	$SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf
568	richard	1561	fi
679	richard	1562	# réglage du timer de maintien de suivi de session à 1h (3600s) au lieu de 5 semaines
1221	richard	1563	sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
		1564	timeout_established=`grep timeout_established /etc/sysctl.conf\|wc -l`
679	richard	1565	if [ "$timeout_established" == "0" ]
		1566	then
		1567	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf
		1568	else
793	richard	1569	$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf
679	richard	1570	fi
1157	stephane	1571	# disable log_martians (ALCASAR is often installed between two private network addresses)
1221	richard	1572	sysctl -w net.ipv4.conf.all.log_martians=0
306	richard	1573	# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
1005	richard	1574	# ??? $SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
1003	richard	1575	# switch to multi-users runlevel (instead of x11)
1221	richard	1576	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1005	richard	1577	# GRUB modifications
		1578	# limit wait time to 3s
		1579	# create an alcasar entry instead of linux-nonfb
		1580	# change display to 1024*768 (vga791)
1221	richard	1581	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
		1582	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
		1583	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
		1584	$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
		1585	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
		1586	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1003	richard	1587	# Remove unused services and users
1221	richard	1588	for old_svc in alsa sound dm
		1589	do
		1590	/sbin/chkconfig --del $old_svc
		1591	done
		1592	for svc in snmpd.service sshd.service
		1593	do
		1594	/bin/systemctl disable $svc
		1595	done
		1596	for rm_users in avahi-autoipd avahi icapd
		1597	do
		1598	user=`cat /etc/passwd\|grep $rm_users\|cut -d":" -f1`
		1599	if [ "$user" == "$rm_users" ]
		1600	then
		1601	/usr/sbin/userdel -f $rm_users
		1602	fi
		1603	done
		1604	# Load and apply the previous conf file
		1605	if [ "$mode" = "update" ]
532	richard	1606	then
1266	richard	1607	$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs
1221	richard	1608	$DIR_DEST_BIN/alcasar-conf.sh --load
		1609	PARENT_SCRIPT=`basename $0`
		1610	export PARENT_SCRIPT # to avoid stop&start process during the installation process
		1611	$DIR_DEST_BIN/alcasar-conf.sh --apply
		1612	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		1613	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
1269	richard	1614	if [ $MAJ_PREVIOUS_VERSION -lt 2 ] \|\| ([ $MAJ_PREVIOUS_VERSION -eq 2 ] && [ $MIN_PREVIOUS_VERSION -lt 8 ])
		1615	# update needed for versions previous then 2.8 due to the integration of the domainname ("localdomain" by default)
		1616	then
		1617	header_install
		1618	if [ $Lang == "fr" ]
		1619	then
		1620	echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
		1621	echo
		1622	echo -n "Nom : "
		1623	else
		1624	echo "This update need to redefine the first admin account"
		1625	echo
		1626	echo -n "Account : "
		1627	fi
		1628	read admin_portal
		1629	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		1630	mkdir -p $DIR_DEST_ETC/digest
		1631	chmod 755 $DIR_DEST_ETC/digest
		1632	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		1633	do
		1634	/usr/sbin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
		1635	done
		1636	$DIR_DEST_SBIN/alcasar-profil.sh --list
		1637	fi
532	richard	1638	fi
1221	richard	1639	rm -f /tmp/alcasar-conf*
		1640	chown -R root:apache $DIR_DEST_ETC/*
		1641	chmod -R 660 $DIR_DEST_ETC/*
		1642	chmod ug+x $DIR_DEST_ETC/digest
1045	franck	1643	# Apply and save the firewall rules
		1644	sh $DIR_DEST_BIN/alcasar-iptables.sh
		1645	sleep 2
1	root	1646	cd $DIR_INSTALL
5	franck	1647	echo ""
1	root	1648	echo "#############################################################################"
638	richard	1649	if [ $Lang == "fr" ]
		1650	then
		1651	echo "# Fin d'installation d'ALCASAR #"
		1652	echo "# #"
		1653	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1654	echo "# des Accès au Réseau ( ALCASAR ) #"
		1655	echo "# #"
		1656	echo "#############################################################################"
		1657	echo
		1658	echo "- ALCASAR sera fonctionnel après redémarrage du système"
		1659	echo
		1660	echo "- Lisez attentivement la documentation d'exploitation"
		1661	echo
		1662	echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		1663	echo
		1664	echo " Appuyez sur 'Entrée' pour continuer"
		1665	else
		1666	echo "# Enf of ALCASAR install process #"
		1667	echo "# #"
		1668	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1669	echo "# des Accès au Réseau ( ALCASAR ) #"
		1670	echo "# #"
		1671	echo "#############################################################################"
		1672	echo
		1673	echo "- The system will be rebooted in order to operate ALCASAR"
		1674	echo
		1675	echo "- Read the exploitation documentation"
		1676	echo
		1677	echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		1678	echo
		1679	echo " Hit 'Enter' to continue"
		1680	fi
815	richard	1681	sleep 2
		1682	if [ "$mode" != "update" ]
820	richard	1683	then
815	richard	1684	read a
		1685	fi
774	richard	1686	clear
1	root	1687	reboot
		1688	} # End post_install ()
		1689
		1690	#################################
1005	richard	1691	# Main Install loop #
1	root	1692	#################################
832	richard	1693	dir_exec=`dirname "$0"`
		1694	if [ $dir_exec != "." ]
		1695	then
		1696	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
		1697	echo "Launch this program from the ALCASAR archive directory"
		1698	exit 0
		1699	fi
		1700	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	1701	usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"
1	root	1702	nb_args=$#
		1703	args=$1
		1704	if [ $nb_args -eq 0 ]
		1705	then
		1706	nb_args=1
		1707	args="-h"
		1708	fi
1062	richard	1709	chmod -R u+x $DIR_SCRIPTS/*
1	root	1710	case $args in
		1711	-\? \| -h* \| --h*)
		1712	echo "$usage"
		1713	exit 0
		1714	;;
291	franck	1715	-i \| --install)
959	franck	1716	license
5	franck	1717	header_install
29	richard	1718	testing
1336	richard	1719	# Test if ALCASAR is already installed
1249	richard	1720	if [ -e $CONF_FILE ]
1	root	1721	then
1249	richard	1722	current_version=`cat $CONF_FILE \| grep VERSION \| cut -d"=" -f2`
595	richard	1723	if [ $Lang == "fr" ]
1249	richard	1724	then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
		1725	else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
595	richard	1726	fi
5	franck	1727	response=0
460	richard	1728	PTN='^[oOnNyY]$'
580	richard	1729	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	1730	do
595	richard	1731	if [ $Lang == "fr" ]
		1732	then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
		1733	else echo -n "Do you want to update (Y/n)?";
		1734	fi
5	franck	1735	read response
		1736	done
597	richard	1737	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
5	franck	1738	then
597	richard	1739	rm -f /tmp/alcasar-conf*
		1740	else
636	richard	1741	# Create a backup of running version importants files
389	franck	1742	$DIR_SCRIPTS/alcasar-conf.sh --create
532	richard	1743	mode="update"
5	franck	1744	fi
1	root	1745	fi
595	richard	1746	# RPMs install
1336	richard	1747	echo "STOP" ; read a
595	richard	1748	$DIR_SCRIPTS/alcasar-urpmi.sh
		1749	if [ "$?" != "0" ]
1	root	1750	then
595	richard	1751	exit 0
		1752	fi
1249	richard	1753	if [ -e $CONF_FILE ]
595	richard	1754	then
597	richard	1755	# Uninstall the running version
532	richard	1756	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
595	richard	1757	fi
636	richard	1758	# Test if manual update
1057	richard	1759	if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" != "update" ]
595	richard	1760	then
636	richard	1761	header_install
595	richard	1762	if [ $Lang == "fr" ]
636	richard	1763	then echo "Le fichier de configuration d'une ancienne version a été trouvé";
		1764	else echo "The configuration file of an old version has been found";
595	richard	1765	fi
597	richard	1766	response=0
		1767	PTN='^[oOnNyY]$'
		1768	until [[ $(expr $response : $PTN) -gt 0 ]]
		1769	do
		1770	if [ $Lang == "fr" ]
		1771	then echo -n "Voulez-vous l'utiliser (O/n)? ";
		1772	else echo -n "Do you want to use it (Y/n)?";
		1773	fi
		1774	read response
		1775	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		1776	then rm -f /tmp/alcasar-conf*
		1777	fi
		1778	done
		1779	fi
636	richard	1780	# Test if update
1057	richard	1781	if [ -e /tmp/alcasar-conf* ]
597	richard	1782	then
		1783	if [ $Lang == "fr" ]
		1784	then echo "#### Installation avec mise à jour ####";
		1785	else echo "#### Installation with update ####";
		1786	fi
636	richard	1787	# Extract the central configuration file
1057	richard	1788	tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
637	richard	1789	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	1790	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		1791	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		1792	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		1793	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	1794	mode="update"
		1795	else
		1796	mode="install"
1	root	1797	fi
1221	richard	1798	for func in init network ACC CA init_db param_radius param_web_radius param_chilli param_squid param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron fail2ban post_install
5	franck	1799	do
		1800	$func
1221	richard	1801	# echo "* 'debug' : end of function $func *"; read a
14	richard	1802	done
5	franck	1803	;;
291	franck	1804	-u \| --uninstall)
5	franck	1805	if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1	root	1806	then
597	richard	1807	if [ $Lang == "fr" ]
		1808	then echo "ALCASAR n'est pas installé!";
		1809	else echo "ALCASAR isn't installed!";
		1810	fi
1	root	1811	exit 0
		1812	fi
5	franck	1813	response=0
		1814	PTN='^[oOnN]$'
580	richard	1815	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	1816	do
597	richard	1817	if [ $Lang == "fr" ]
		1818	then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
854	richard	1819	else echo -n "Do you want to create the running version configuration file (Y/n)? ";
597	richard	1820	fi
5	franck	1821	read response
		1822	done
1103	richard	1823	if [ "$response" = "o" ] \|\| [ "$response" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]
1	root	1824	then
1103	richard	1825	$DIR_SCRIPTS/alcasar-conf.sh --create
498	richard	1826	else
		1827	rm -f /tmp/alcasar-conf*
1	root	1828	fi
597	richard	1829	# Uninstall the running version
65	richard	1830	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1	root	1831	;;
		1832	*)
		1833	echo "Argument inconnu :$1";
460	richard	1834	echo "Unknown argument :$1";
1	root	1835	echo "$usage"
		1836	exit 1
		1837	;;
		1838	esac
10	franck	1839	# end of script
366	franck	1840

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1336