WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
57	franck	2	# $Id: alcasar.sh 1342 2014-05-06 10:10:39Z richard $
1	root	3
		4	# alcasar.sh
959	franck	5
1157	stephane	6	# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
		7	# Ce programme est un logiciel libre ; This software is free and open source
959	franck	8	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		9	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		10	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		11	# Voir la Licence Publique Générale GNU pour plus de détails.
		12
967	franck	13	# team@alcasar.net
959	franck	14
1	root	15	# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
		16	# This script is distributed under the Gnu General Public License (GPL)
		17
672	richard	18	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	19	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	20	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
1007	richard	21	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
672	richard	22	#
1342	richard	23	# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav, Ulog, fail2ban, NFsen and NFdump
1	root	24
		25	# Options :
376	franck	26	# -i or --install
		27	# -u or --uninstall
1	root	28
376	franck	29	# Functions :
1221	richard	30	# testing : connectivity tests and downloading before intall
		31	# init : Installation of RPM and scripts
		32	# network : Network parameters
		33	# ACC : ALCASAR Control Center installation
		34	# CA : Certification Authority initialization
		35	# init_db : Initilization of radius database managed with MariaDB
		36	# param_radius : FreeRadius initialisation
		37	# param_web_radius : copy ans modifiy original "freeradius web" in ACC
		38	# param_chilli : coovachilli initialisation (+authentication page)
		39	# param_dansguardian : DansGuardian filtering HTTP proxy configuration
		40	# antivirus : HAVP + libclamav configuration
		41	# param_nfsen : Configuration du grapheur nfsen pour apache
1253	richard	42	# dnsmasq : Name server configuration
		43	# BL : BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
1266	richard	44	# cron : Logs export + watchdog + connexion statistics
1253	richard	45	# fail2ban : Fail2ban installation and configuration
1266	richard	46	# post_install : Security, log rotation, etc.
1	root	47
		48	DATE=`date '+%d %B %Y - %Hh%M'`
		49	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	50	Lang=`echo $LANG\|cut -c 1-2`
1	root	51	# ***** Files parameters - paramètres fichiers *******
1015	richard	52	DIR_INSTALL=`pwd` # current directory
		53	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		54	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
		55	DIR_SAVE="/var/Save" # backup directory (system_backup, user_db_backup, logs)
		56	DIR_WEB="/var/www/html" # directory of APACHE
		57	DIR_DG="/etc/dansguardian" # directory of DansGuardian
		58	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
		59	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		60	DIR_DEST_SBIN="/usr/local/sbin" # directory of ALCASAR admin scripts
		61	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
		62	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
		63	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
		64	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	65	# ***** DBMS parameters - paramètres SGBD ******
1243	richard	66	DB_RADIUS="radius" # database name used by FreeRadius server
		67	DB_USER="radius" # user name allows to request the users database
1	root	68	# ***** Network parameters - paramètres réseau *****
1211	crox53	69	HOSTNAME="alcasar" #
1243	richard	70	DOMAIN="localdomain" # default local domain
1336	richard	71	EXTIF=`/sbin/ip route\|grep default\|cut -d" " -f5` # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
		72	INTIF=`/sbin/ip link\|grep '^[[:digit:]]:'\|grep -v "lo\\|$EXTIF"\|cut -d" " -f2\|tr -d ":"` # INTIF is connected to the consultation network
1148	crox53	73	MTU="1500"
1157	stephane	74	ETHTOOL_OPTS='"autoneg off speed 100 duplex full"'
1243	richard	75	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
1	root	76	# **** Paths - chemin des commandes *****
		77	SED="/bin/sed -i"
		78	# **************** End of global parameters *******************
		79
959	franck	80	license ()
		81	{
		82	if [ $Lang == "fr" ]
967	franck	83	then cat $DIR_INSTALL/gpl-3.0.fr.txt \| more
		84	else cat $DIR_INSTALL/gpl-3.0.txt \| more
959	franck	85	fi
975	franck	86	echo "Taper sur Entrée pour continuer !"
		87	echo "Enter to continue."
959	franck	88	read a
		89	}
		90
1	root	91	header_install ()
		92	{
		93	clear
		94	echo "-----------------------------------------------------------------------------"
460	richard	95	echo " ALCASAR V$VERSION Installation"
1	root	96	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		97	echo "-----------------------------------------------------------------------------"
		98	} # End of header_install ()
		99
1174	crox53	100
1	root	101	##################################################################
1221	richard	102	## Function "testing" ##
1342	richard	103	## - Test of free space on /var (>10G) ##
1005	richard	104	## - Test of Internet access ##
29	richard	105	##################################################################
		106	testing ()
		107	{
1342	richard	108	free_space=`df -BG --output=avail /var\|tail -1\|tr -d [:space:]G`
		109	if [ $free_space -lt 10 ]
		110	then
		111	if [ $Lang == "fr" ]
		112	then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
		113	else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
		114	fi
		115	exit 0
		116	fi
		117	if [ $Lang == "fr" ]
784	richard	118	then echo -n "Tests des paramètres réseau : "
595	richard	119	else echo -n "Network parameters tests : "
		120	fi
1336	richard	121	# We test EXTIF config files
		122
784	richard	123	PUBLIC_IP=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		124	PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		125	if [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
		126	then
		127	if [ $Lang == "fr" ]
		128	then
		129	echo "Échec"
		130	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		131	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
830	richard	132	echo "Appliquez les changements : 'service network restart'"
784	richard	133	else
		134	echo "Failed"
		135	echo "The Internet connected network card ($EXTIF) isn't well configured."
		136	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
830	richard	137	echo "Apply the new configuration 'service network restart'"
784	richard	138	fi
830	richard	139	echo "DEVICE=$EXTIF"
784	richard	140	echo "IPADDR="
		141	echo "NETMASK="
		142	echo "GATEWAY="
		143	echo "DNS1="
		144	echo "DNS2="
830	richard	145	echo "ONBOOT=yes"
784	richard	146	exit 0
		147	fi
		148	echo -n "."
460	richard	149	# We test the Ethernet links state
29	richard	150	for i in $EXTIF $INTIF
		151	do
294	richard	152	/sbin/ip link set $i up
306	richard	153	sleep 3
1031	richard	154	CMD=`/usr/sbin/ethtool $i \|egrep 'Link detected'\| awk '{print $NF}'`
		155	CMD2=`/sbin/mii-tool $i \| grep link \| awk '{print $NF}'`
808	franck	156	if [ $CMD != "yes" ] && [ $CMD2 != "ok" ]
29	richard	157	then
595	richard	158	if [ $Lang == "fr" ]
		159	then
		160	echo "Échec"
		161	echo "Le lien réseau de la carte $i n'est pas actif."
		162	echo "Réglez ce problème puis relancez ce script."
		163	else
		164	echo "Failed"
		165	echo "The link state of $i interface id down."
		166	echo "Resolv this problem, then restart this script."
		167	fi
29	richard	168	exit 0
		169	fi
308	richard	170	echo -n "."
29	richard	171	done
		172	# On teste la présence d'un routeur par défaut (Box FAI)
784	richard	173	if [ `ip route list\|grep -c ^default` -ne "1" ] ; then
595	richard	174	if [ $Lang == "fr" ]
		175	then
		176	echo "Échec"
		177	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		178	echo "Réglez ce problème puis relancez ce script."
		179	else
		180	echo "Failed"
		181	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		182	echo "Resolv this problem, then restart this script."
		183	fi
29	richard	184	exit 0
		185	fi
308	richard	186	echo -n "."
978	franck	187	# On teste le lien vers le routeur par defaut
308	richard	188	IP_GW=`ip route list\|grep ^default\|cut -d" " -f3`
		189	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $IP_GW\|grep response\|cut -d" " -f2`
527	richard	190	if [ $(expr $arp_reply) -eq 0 ]
308	richard	191	then
595	richard	192	if [ $Lang == "fr" ]
		193	then
		194	echo "Échec"
		195	echo "Le routeur de site ou la Box Internet ($IP_GW) ne répond pas."
		196	echo "Réglez ce problème puis relancez ce script."
		197	else
		198	echo "Failed"
		199	echo "The Internet gateway doesn't answered"
		200	echo "Resolv this problem, then restart this script."
		201	fi
308	richard	202	exit 0
		203	fi
		204	echo -n "."
421	franck	205	# On teste la connectivité Internet
29	richard	206	rm -rf /tmp/con_ok.html
308	richard	207	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	208	if [ ! -e /tmp/con_ok.html ]
		209	then
595	richard	210	if [ $Lang == "fr" ]
		211	then
		212	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		213	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		214	echo "Vérifiez la validité des adresses IP des DNS."
		215	else
		216	echo "The Internet connection try failed (google.fr)."
		217	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		218	echo "Verify the DNS IP addresses"
		219	fi
29	richard	220	exit 0
		221	fi
		222	rm -rf /tmp/con_ok.html
308	richard	223	echo ". : ok"
302	richard	224	} # end of testing
		225
		226	##################################################################
1221	richard	227	## Function "init" ##
302	richard	228	## - Création du fichier "/root/ALCASAR_parametres.txt" ##
		229	## - Installation et modification des scripts du portail ##
		230	##################################################################
		231	init ()
		232	{
527	richard	233	if [ "$mode" != "update" ]
302	richard	234	then
		235	# On affecte le nom d'organisme
597	richard	236	header_install
302	richard	237	ORGANISME=!
		238	PTN='^[a-zA-Z0-9-]*$'
580	richard	239	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
302	richard	240	do
595	richard	241	if [ $Lang == "fr" ]
597	richard	242	then echo -n "Entrez le nom de votre organisme : "
		243	else echo -n "Enter the name of your organism : "
595	richard	244	fi
330	franck	245	read ORGANISME
613	richard	246	if [ "$ORGANISME" == "" ]
330	franck	247	then
		248	ORGANISME=!
		249	fi
		250	done
302	richard	251	fi
1	root	252	# On crée aléatoirement les mots de passe et les secrets partagés
628	richard	253	rm -f $PASSWD_FILE
59	richard	254	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de protection du menu Grub
628	richard	255	echo -n "Password to protect the boot menu (GRUB) : " > $PASSWD_FILE
		256	echo "$grubpwd" >> $PASSWD_FILE
59	richard	257	md5_grubpwd=`/usr/bin/md5pass $grubpwd`
384	richard	258	$SED "/^password.*/d" /boot/grub/menu.lst
		259	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
1	root	260	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de l'administrateur Mysqld
1003	richard	261	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
628	richard	262	echo "root / $mysqlpwd" >> $PASSWD_FILE
1	root	263	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de l'utilisateur Mysqld (utilisé par freeradius)
1003	richard	264	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
628	richard	265	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
1	root	266	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # secret partagé entre intercept.php et coova-chilli
628	richard	267	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
		268	echo "$secretuam" >> $PASSWD_FILE
1	root	269	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # secret partagé entre coova-chilli et FreeRadius
628	richard	270	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
		271	echo "$secretradius" >> $PASSWD_FILE
		272	chmod 640 $PASSWD_FILE
977	richard	273	# Scripts and conf files copy
		274	# - in /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
5	franck	275	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
977	richard	276	# - in /usr/local/sbin : alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
5	franck	277	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
977	richard	278	# - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
648	richard	279	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
1	root	280	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
		281	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
5	franck	282	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
		283	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
628	richard	284	# generate central conf file
		285	cat <<EOF > $CONF_FILE
612	richard	286	##########################################
		287	## ##
		288	## ALCASAR Parameters ##
		289	## ##
		290	##########################################
1	root	291
612	richard	292	INSTALL_DATE=$DATE
		293	VERSION=$VERSION
		294	ORGANISM=$ORGANISME
923	franck	295	DOMAIN=$DOMAIN
612	richard	296	EOF
628	richard	297	chmod o-rwx $CONF_FILE
1	root	298	} # End of init ()
		299
		300	##################################################################
1221	richard	301	## Function "network" ##
1	root	302	## - Définition du plan d'adressage du réseau de consultation ##
595	richard	303	## - Nommage DNS du système ##
1336	richard	304	## - Configuration de l'interface INTIF (réseau de consultation)##
1	root	305	## - Modification du fichier /etc/hosts ##
		306	## - Configuration du serveur de temps (NTP) ##
		307	## - Renseignement des fichiers hosts.allow et hosts.deny ##
		308	##################################################################
		309	network ()
		310	{
		311	header_install
636	richard	312	if [ "$mode" != "update" ]
		313	then
		314	if [ $Lang == "fr" ]
		315	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		316	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		317	fi
		318	response=0
		319	PTN='^[oOyYnN]$'
		320	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	321	do
595	richard	322	if [ $Lang == "fr" ]
659	richard	323	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	324	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	325	fi
1	root	326	read response
		327	done
636	richard	328	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		329	then
		330	PRIVATE_IP_MASK="0"
		331	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		332	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	333	do
595	richard	334	if [ $Lang == "fr" ]
597	richard	335	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		336	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	337	fi
597	richard	338	read PRIVATE_IP_MASK
1	root	339	done
636	richard	340	else
		341	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		342	fi
595	richard	343	else
637	richard	344	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		345	rm -rf conf/etc/alcasar.conf
1	root	346	fi
861	richard	347	# Define LAN side global parameters
1243	richard	348	hostname $HOSTNAME.$DOMAIN
		349	echo $HOSTNAME.$DOMAIN > /etc/hostname
977	richard	350	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
		351	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
		352	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
		353	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
		354	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
		355	classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; classe_sup_sup=`expr $classe + 2` # ie.: 2=classe B, 3=classe C
		356	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		357	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
		358	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f$classe_sup` # last octet of LAN address
		359	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f$classe_sup` # last octet of LAN broadcast
837	richard	360	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
977	richard	361	PRIVATE_SECOND_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 2` # second network address (ex.: 192.168.182.2)
837	richard	362	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
1336	richard	363	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6` # MAC address of INTIF
841	richard	364	# Define Internet parameters
14	richard	365	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		366	DNS1=`grep DNS1 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 1er DNS
		367	DNS2=`grep DNS2 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 2ème DNS
70	franck	368	DNS1=${DNS1:=208.67.220.220}
		369	DNS2=${DNS2:=208.67.222.222}
597	richard	370	PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2`
1052	richard	371	DEFAULT_PUBLIC_NETMASK=`ipcalc -m $PUBLIC_IP \| cut -d"=" -f2`
784	richard	372	PUBLIC_NETMASK=${PUBLIC_NETMASK:=$DEFAULT_PUBLIC_NETMASK}
1052	richard	373	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	374	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
765	stephane	375	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
994	franck	376	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	377	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
		378	echo "DNS1=$DNS1" >> $CONF_FILE
		379	echo "DNS2=$DNS2" >> $CONF_FILE
		380	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
941	richard	381	echo "DHCP=full" >> $CONF_FILE
914	franck	382	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		383	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		384	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
597	richard	385	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
841	richard	386	# config network
1	root	387	cat <<EOF > /etc/sysconfig/network
		388	NETWORKING=yes
1243	richard	389	HOSTNAME="$HOSTNAME.$DOMAIN"
1	root	390	FORWARD_IPV4=true
		391	EOF
841	richard	392	# config /etc/hosts
1	root	393	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		394	cat <<EOF > /etc/hosts
503	richard	395	127.0.0.1 localhost
1250	richard	396	$PRIVATE_IP $HOSTNAME.$DOMAIN
1	root	397	EOF
1336	richard	398	# Config EXTIF (Internet)
14	richard	399	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		400	DEVICE=$EXTIF
		401	BOOTPROTO=static
597	richard	402	IPADDR=$PUBLIC_IP
		403	NETMASK=$PUBLIC_NETMASK
		404	GATEWAY=$PUBLIC_GATEWAY
14	richard	405	DNS1=127.0.0.1
		406	ONBOOT=yes
		407	METRIC=10
		408	NOZEROCONF=yes
		409	MII_NOT_SUPPORTED=yes
		410	IPV6INIT=no
		411	IPV6TO4INIT=no
		412	ACCOUNTING=no
		413	USERCTL=no
994	franck	414	MTU=$MTU
14	richard	415	EOF
1336	richard	416	# Config INTIF (consultation LAN) in normal mode
841	richard	417	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		418	DEVICE=$INTIF
		419	BOOTPROTO=static
		420	ONBOOT=yes
		421	NOZEROCONF=yes
		422	MII_NOT_SUPPORTED=yes
		423	IPV6INIT=no
		424	IPV6TO4INIT=no
		425	ACCOUNTING=no
		426	USERCTL=no
1157	stephane	427	ETHTOOL_OPTS=$ETHTOOL_OPTS
841	richard	428	EOF
1336	richard	429	# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
793	richard	430	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
1	root	431	DEVICE=$INTIF
		432	BOOTPROTO=static
		433	IPADDR=$PRIVATE_IP
604	richard	434	NETMASK=$PRIVATE_NETMASK
1	root	435	ONBOOT=yes
		436	METRIC=10
		437	NOZEROCONF=yes
		438	MII_NOT_SUPPORTED=yes
14	richard	439	IPV6INIT=no
		440	IPV6TO4INIT=no
		441	ACCOUNTING=no
		442	USERCTL=no
1	root	443	EOF
440	franck	444	# Mise à l'heure du serveur
		445	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		446	cat <<EOF > /etc/ntp/step-tickers
455	franck	447	0.fr.pool.ntp.org # adapt to your country
		448	1.fr.pool.ntp.org
		449	2.fr.pool.ntp.org
440	franck	450	EOF
		451	# Configuration du serveur de temps (sur lui même)
1	root	452	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		453	cat <<EOF > /etc/ntp.conf
456	franck	454	server 0.fr.pool.ntp.org # adapt to your country
447	franck	455	server 1.fr.pool.ntp.org
		456	server 2.fr.pool.ntp.org
		457	server 127.127.1.0 # local clock si NTP internet indisponible ...
411	richard	458	fudge 127.127.1.0 stratum 10
604	richard	459	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
1	root	460	restrict 127.0.0.1
310	richard	461	driftfile /var/lib/ntp/drift
1	root	462	logfile /var/log/ntp.log
		463	EOF
440	franck	464
310	richard	465	chown -R ntp:ntp /var/lib/ntp
1	root	466	# Renseignement des fichiers hosts.allow et hosts.deny
		467	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		468	cat <<EOF > /etc/hosts.allow
		469	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	470	sshd: ALL
1	root	471	ntpd: $PRIVATE_NETWORK_SHORT
		472	EOF
		473	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		474	cat <<EOF > /etc/hosts.deny
		475	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		476	EOF
604	richard	477	# Firewall config
790	richard	478	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		479	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		480	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	481	# create the filter exception file and ip_bloqued file
790	richard	482	touch $DIR_DEST_ETC/alcasar-filter-exceptions
860	richard	483	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
1069	richard	484	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	485	# load conntrack ftp module
		486	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
		487	echo "ip_conntrack_ftp" >> /etc/modprobe.preload
1159	crox53	488	# load ipt_NETFLOW module
		489	echo "ipt_NETFLOW" >> /etc/modprobe.preload
1157	stephane	490	#
860	richard	491	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	492	} # End of network ()
		493
		494	##################################################################
1221	richard	495	## Function "ACC" ##
		496	## - installation du centre de gestion (ALCASAR Control Center) ##
1	root	497	## - configuration du serveur web (Apache) ##
		498	## - définition du 1er comptes de gestion ##
		499	## - sécurisation des accès ##
		500	##################################################################
1221	richard	501	ACC ()
1	root	502	{
		503	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		504	mkdir $DIR_WEB
		505	# Copie et configuration des fichiers du centre de gestion
316	richard	506	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972	richard	507	echo "$VERSION" > $DIR_WEB/VERSION
316	richard	508	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		509	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		510	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		511	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		512	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	513	chown -R apache:apache $DIR_WEB/*
1342	richard	514	for i in system_backup base logs/firewall logs/httpd logs/security;
1	root	515	do
		516	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		517	done
5	franck	518	chown -R root:apache $DIR_SAVE
71	richard	519	# Configuration et sécurisation php
		520	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	521	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		522	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	523	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		524	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71	richard	525	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		526	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
		527	# Configuration et sécurisation Apache
790	richard	528	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1	root	529	[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
1243	richard	530	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
303	richard	531	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1	root	532	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
		533	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
		534	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
790	richard	535	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
		536	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
		537	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
		538	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
		539	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
		540	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
990	franck	541	$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf
1	root	542	FIC_MOD_SSL=`find /etc/httpd/modules.d/ -type f -name *mod_ssl.conf`
		543	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" $FIC_MOD_SSL # On écoute en SSL que sur INTIF
		544	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /var/www/error/include/top.html
		545	[ -e /var/www/error/include/bottom.html.default ] \|\| mv /var/www/error/include/bottom.html /var/www/error/include/bottom.html.default
		546	cat <<EOF > /var/www/error/include/bottom.html
		547	</body>
		548	</html>
		549	EOF
		550	# Définition du premier compte lié au profil 'admin'
509	richard	551	header_install
510	richard	552	if [ "$mode" = "install" ]
		553	then
613	richard	554	admin_portal=!
		555	PTN='^[a-zA-Z0-9-]*$'
		556	until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
		557	do
		558	header_install
		559	if [ $Lang == "fr" ]
		560	then
		561	echo ""
		562	echo "Définissez un premier compte d'administration du portail :"
		563	echo
		564	echo -n "Nom : "
		565	else
		566	echo ""
		567	echo "Define the first account allow to administrate the portal :"
		568	echo
		569	echo -n "Account : "
		570	fi
		571	read admin_portal
		572	if [ "$admin_portal" == "" ]
		573	then
		574	admin_portal=!
		575	fi
		576	done
1268	richard	577	# Creation of keys file for the admin account ("admin")
510	richard	578	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		579	mkdir -p $DIR_DEST_ETC/digest
		580	chmod 755 $DIR_DEST_ETC/digest
		581	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		582	do
1243	richard	583	/usr/sbin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
510	richard	584	done
		585	$DIR_DEST_SBIN/alcasar-profil.sh --list
		586	fi
434	richard	587	# synchronisation horaire
		588	ntpd -q -g &
1	root	589	# Sécurisation du centre
988	franck	590	rm -f /etc/httpd/conf/webapps.d/alcasar*
1	root	591	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	592	<Directory $DIR_ACC>
1	root	593	SSLRequireSSL
		594	AllowOverride None
		595	Order deny,allow
		596	Deny from all
		597	Allow from 127.0.0.1
		598	Allow from $PRIVATE_NETWORK_MASK
990	franck	599	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	600	require valid-user
		601	AuthType digest
1243	richard	602	AuthName $HOSTNAME.$DOMAIN
1	root	603	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	604	AuthUserFile $DIR_DEST_ETC/digest/key_all
1243	richard	605	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	606	</Directory>
316	richard	607	<Directory $DIR_ACC/admin>
1	root	608	SSLRequireSSL
		609	AllowOverride None
		610	Order deny,allow
		611	Deny from all
		612	Allow from 127.0.0.1
		613	Allow from $PRIVATE_NETWORK_MASK
990	franck	614	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	615	require valid-user
		616	AuthType digest
1243	richard	617	AuthName $HOSTNAME.$DOMAIN
1	root	618	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	619	AuthUserFile $DIR_DEST_ETC/digest/key_admin
1243	richard	620	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	621	</Directory>
344	richard	622	<Directory $DIR_ACC/manager>
1	root	623	SSLRequireSSL
		624	AllowOverride None
		625	Order deny,allow
		626	Deny from all
		627	Allow from 127.0.0.1
		628	Allow from $PRIVATE_NETWORK_MASK
990	franck	629	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	630	require valid-user
		631	AuthType digest
1243	richard	632	AuthName $HOSTNAME.$DOMAIN
1	root	633	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	634	AuthUserFile $DIR_DEST_ETC/digest/key_manager
1243	richard	635	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	636	</Directory>
316	richard	637	<Directory $DIR_ACC/backup>
		638	SSLRequireSSL
		639	AllowOverride None
		640	Order deny,allow
		641	Deny from all
		642	Allow from 127.0.0.1
		643	Allow from $PRIVATE_NETWORK_MASK
990	franck	644	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
316	richard	645	require valid-user
		646	AuthType digest
1243	richard	647	AuthName $HOSTNAME.$DOMAIN
316	richard	648	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	649	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	650	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
316	richard	651	</Directory>
811	richard	652	Alias /save/ "$DIR_SAVE/"
		653	<Directory $DIR_SAVE>
		654	SSLRequireSSL
		655	Options Indexes
		656	Order deny,allow
		657	Deny from all
		658	Allow from 127.0.0.1
		659	Allow from $PRIVATE_NETWORK_MASK
990	franck	660	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
811	richard	661	require valid-user
		662	AuthType digest
1243	richard	663	AuthName $HOSTNAME.$DOMAIN
811	richard	664	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	665	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
811	richard	666	</Directory>
1	root	667	EOF
1221	richard	668	} # End of ACC()
1	root	669
		670	##########################################################################################
1221	richard	671	## Fonction "CA" ##
1	root	672	## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
		673	##########################################################################################
1221	richard	674	CA ()
1	root	675	{
		676	$SED "s?ifcfg-eth.?ifcfg-$INTIF?g" $DIR_DEST_BIN/alcasar-CA.sh
510	richard	677	$DIR_DEST_BIN/alcasar-CA.sh
800	richard	678	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	679	[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
		680	$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
		681	$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
679	richard	682	$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
5	franck	683	chown -R root:apache /etc/pki
1	root	684	chmod -R 750 /etc/pki
1221	richard	685	} # End CA ()
1	root	686
		687	##########################################################################################
1221	richard	688	## Fonction "init_db" ##
1	root	689	## - Initialisation de la base Mysql ##
		690	## - Affectation du mot de passe de l'administrateur (root) ##
		691	## - Suppression des bases et des utilisateurs superflus ##
		692	## - Création de la base 'radius' ##
		693	## - Installation du schéma de cette base ##
		694	## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##
		695	## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##
		696	##########################################################################################
		697	init_db ()
		698	{
		699	mkdir -p /var/lib/mysql/.tmp
1008	richard	700	chown -R mysql:mysql /var/lib/mysql/
227	franck	701	[ -e /etc/my.cnf.rpmnew ] && mv /etc/my.cnf.rpmnew /etc/my.cnf # prend en compte les migrations de MySQL
1	root	702	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
		703	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
		704	/etc/init.d/mysqld start
		705	sleep 4
		706	mysqladmin -u root password $mysqlpwd
		707	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
615	richard	708	# Delete exemple databases if exist
1	root	709	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;CONNECT mysql;DELETE from user where user='';FLUSH PRIVILEGES;"
615	richard	710	# Create 'radius' database
1317	richard	711	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
615	richard	712	# Add an empty radius database structure
364	franck	713	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
615	richard	714	# modify the start script in order to close accounting connexion when the system is comming down or up
		715	[ -e /etc/init.d/mysqld.default ] \|\| cp /etc/init.d/mysqld /etc/init.d/mysqld.default
		716	$SED "/wait_for_pid created/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
		717	$SED "/'stop')/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
1	root	718	} # End init_db ()
		719
		720	##########################################################################
1221	richard	721	## Fonction "param_radius" ##
1	root	722	## - Paramètrage des fichiers de configuration FreeRadius ##
		723	## - Affectation du secret partagé entre coova-chilli et freeradius ##
		724	## - Modification de fichier de conf pour l'accès à Mysql ##
		725	##########################################################################
		726	param_radius ()
		727	{
		728	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
		729	chown -R radius:radius /etc/raddb
		730	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1278	richard	731	# Set radius.conf parameters
1	root	732	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		733	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		734	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
1278	richard	735	# remove the proxy function
1	root	736	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf
		737	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
1278	richard	738	# remove EAP module
654	richard	739	$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1278	richard	740	# listen on loopback (should be modified later if EAP enabled)
1	root	741	$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
1278	richard	742	# enable the SQL module (and SQL counter)
1	root	743	$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
		744	$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
		745	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1278	richard	746	# remvove virtual server and copy our conf file
1	root	747	rm -f /etc/raddb/sites-enabled/*
1278	richard	748	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1	root	749	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
		750	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
		751	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
		752	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
384	richard	753	# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1	root	754	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1278	richard	755	# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1	root	756	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		757	cat << EOF > /etc/raddb/clients.conf
		758	client 127.0.0.1 {
		759	secret = $secretradius
		760	shortname = localhost
		761	}
		762	EOF
1278	richard	763	# sql.conf modification
1	root	764	[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
		765	$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
		766	$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
		767	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
		768	$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf
1278	richard	769	# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.)
1	root	770	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1278	richard	771	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
		772	# counter.conf modification (change the Max-All-Session-Time counter)
		773	[ -e /etc/raddb/sql/mysql/counter.conf.default ] \|\| cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
		774	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
		775	chown -R radius:radius /etc/raddb/sql/mysql/*
1114	richard	776	# insures that mysql is up before radius start
1184	crox53	777	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1157	stephane	778
1	root	779	} # End param_radius ()
		780
		781	##########################################################################
1221	richard	782	## Function "param_web_radius" ##
1	root	783	## - Import, modification et paramètrage de l'interface "dialupadmin" ##
		784	## - Création du lien vers la page de changement de mot de passe ##
		785	##########################################################################
		786	param_web_radius ()
		787	{
		788	# copie de l'interface d'origine dans la structure Alcasar
316	richard	789	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
		790	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme
		791	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
344	richard	792	# copie des fichiers modifiés
		793	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
316	richard	794	chown -R apache:apache $DIR_ACC/manager/
344	richard	795	# Modification des fichiers de configuration
1	root	796	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
503	richard	797	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1	root	798	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		799	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		800	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
		801	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
		802	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
		803	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
		804	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
946	richard	805	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
344	richard	806	[ -e /etc/freeradius-web/config.php.default ] \|\| cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
1278	richard	807	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
131	richard	808	cat <<EOF > /etc/freeradius-web/naslist.conf
632	richard	809	nas1_name: alcasar-$ORGANISME
1	root	810	nas1_model: Portail captif
		811	nas1_ip: $PRIVATE_IP
		812	nas1_port_num: 0
		813	nas1_community: public
		814	EOF
		815	# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
		816	[ -e /etc/freeradius-web/user_edit.attrs.default ] \|\| mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
1278	richard	817	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
114	richard	818	# Ajout du mappage des attributs chillispot
		819	[ -e /etc/freeradius-web/sql.attrmap.default ] \|\| mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
1278	richard	820	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
1	root	821	# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
1278	richard	822	[ -e /etc/freeradius-web/sql.attrs.default ] \|\| cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
1	root	823	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
		824	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
5	franck	825	chown -R apache:apache /etc/freeradius-web
1	root	826	# Ajout de l'alias vers la page de "changement de mot de passe usager"
		827	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
344	richard	828	<Directory $DIR_WEB/pass>
1	root	829	SSLRequireSSL
		830	AllowOverride None
		831	Order deny,allow
		832	Deny from all
		833	Allow from 127.0.0.1
		834	Allow from $PRIVATE_NETWORK_MASK
1243	richard	835	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
1	root	836	</Directory>
		837	EOF
		838	} # End of param_web_radius ()
		839
799	richard	840	##################################################################################
1221	richard	841	## Fonction "param_chilli" ##
799	richard	842	## - Création du fichier d'initialisation et de configuration de coova-chilli ##
		843	## - Paramètrage de la page d'authentification (intercept.php) ##
		844	##################################################################################
1	root	845	param_chilli ()
		846	{
799	richard	847	# init file creation
461	richard	848	[ -e /etc/init.d/chilli.default ] \|\| cp /etc/init.d/chilli /etc/init.d/chilli.default
799	richard	849	cat <<EOF > /etc/init.d/chilli
		850	#!/bin/sh
		851	#
		852	# chilli CoovaChilli init
		853	#
		854	# chkconfig: 2345 65 35
		855	# description: CoovaChilli
		856	### BEGIN INIT INFO
		857	# Provides: chilli
		858	# Required-Start: network
		859	# Should-Start:
		860	# Required-Stop: network
		861	# Should-Stop:
		862	# Default-Start: 2 3 5
		863	# Default-Stop:
		864	# Description: CoovaChilli access controller
		865	### END INIT INFO
		866
		867	[ -f /usr/sbin/chilli ] \|\| exit 0
		868	. /etc/init.d/functions
		869	CONFIG=/etc/chilli.conf
		870	pidfile=/var/run/chilli.pid
		871	[ -f \$CONFIG ] \|\| {
		872	echo "\$CONFIG Not found"
		873	exit 0
		874	}
		875	RETVAL=0
		876	prog="chilli"
		877	case \$1 in
		878	start)
		879	if [ -f \$pidfile ] ; then
		880	gprintf "chilli is already running"
		881	else
		882	gprintf "Starting \$prog: "
		883	rm -f /var/run/chilli* # cleaning
		884	/sbin/modprobe tun >/dev/null 2>&1
		885	echo 1 > /proc/sys/net/ipv4/ip_forward
		886	[ -e /dev/net/tun ] \|\| {
		887	(cd /dev;
		888	mkdir net;
		889	cd net;
		890	mknod tun c 10 200)
		891	}
1336	richard	892	ifconfig $INTIF 0.0.0.0
799	richard	893	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		894	RETVAL=$?
		895	fi
		896	;;
		897
		898	reload)
		899	killall -HUP chilli
		900	;;
		901
		902	restart)
		903	\$0 stop
		904	sleep 2
		905	\$0 start
		906	;;
		907
		908	status)
		909	status chilli
		910	RETVAL=0
		911	;;
		912
		913	stop)
		914	if [ -f \$pidfile ] ; then
		915	gprintf "Shutting down \$prog: "
		916	killproc /usr/sbin/chilli
		917	RETVAL=\$?
		918	[ \$RETVAL = 0 ] && rm -f $pidfile
		919	else
		920	gprintf "chilli is not running"
		921	fi
		922	;;
		923
		924	*)
		925	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		926	exit 1
		927	esac
		928	echo
		929	EOF
		930
		931	# conf file creation
346	richard	932	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
		933	cat <<EOF > /etc/chilli.conf
		934	# coova config for ALCASAR
		935	cmdsocket /var/run/chilli.sock
1336	richard	936	unixipc chilli.$INTIF.ipc
		937	pidfile /var/run/chilli.$INTIF.pid
346	richard	938	net $PRIVATE_NETWORK_MASK
595	richard	939	dhcpif $INTIF
841	richard	940	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	941	#nodynip
865	richard	942	#statip
		943	dynip $PRIVATE_NETWORK_MASK
1249	richard	944	domain $DOMAIN
355	richard	945	dns1 $PRIVATE_IP
		946	dns2 $PRIVATE_IP
346	richard	947	uamlisten $PRIVATE_IP
503	richard	948	uamport 3990
837	richard	949	macauth
		950	macpasswd password
1243	richard	951	locationname $HOSTNAME.$DOMAIN
346	richard	952	radiusserver1 127.0.0.1
		953	radiusserver2 127.0.0.1
		954	radiussecret $secretradius
		955	radiusauthport 1812
		956	radiusacctport 1813
1243	richard	957	uamserver https://$HOSTNAME.$DOMAIN/intercept.php
		958	radiusnasid $HOSTNAME.$DOMAIN
346	richard	959	uamsecret $secretuam
1249	richard	960	uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN
346	richard	961	coaport 3799
1299	richard	962	#conup $DIR_DEST_BIN/alcasar-conup.sh
		963	#condown $DIR_DEST_BIN/alcasar-condown.sh
503	richard	964	include $DIR_DEST_ETC/alcasar-uamallowed
		965	include $DIR_DEST_ETC/alcasar-uamdomain
1294	richard	966	#dhcpgateway
1157	stephane	967	#dhcprelayagent
		968	#dhcpgatewayport
346	richard	969	EOF
1336	richard	970	# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
977	richard	971	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
840	richard	972	# create files for trusted domains and urls
1148	crox53	973	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	974	chown root:apache $DIR_DEST_ETC/alcasar-*
		975	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	976	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	977	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
		978	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
796	richard	979	# user 'chilli' creation (in order to run conup/off and up/down scripts
		980	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		981	if [ "$chilli_exist" == "1" ]
		982	then
		983	userdel -r chilli 2>/dev/null
		984	fi
		985	groupadd -f chilli
		986	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1	root	987	} # End of param_chilli ()
		988
		989	##################################################################
1221	richard	990	## Fonction "param_dansguardian" ##
1	root	991	## - Paramètrage du gestionnaire de contenu Dansguardian ##
		992	##################################################################
		993	param_dansguardian ()
		994	{
		995	mkdir /var/dansguardian
		996	chown dansguardian /var/dansguardian
497	richard	997	[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1293	richard	998	# By default the filter is off
497	richard	999	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1293	richard	1000	# French deny HTML page
497	richard	1001	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1293	richard	1002	# Listen only on LAN side
497	richard	1003	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1342	richard	1004	# DG send its flow to HAVP
		1005	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1293	richard	1006	# replace the default deny HTML page
1	root	1007	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
		1008	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1293	richard	1009	# Don't log
		1010	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
		1011	# Run 10 daemons (20 in largest server)
659	richard	1012	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1	root	1013	# on désactive par défaut le controle de contenu des pages html
497	richard	1014	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
		1015	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1016	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1	root	1017	# on désactive par défaut le contrôle d'URL par expressions régulières
497	richard	1018	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1019	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1	root	1020	# on désactive par défaut le contrôle de téléchargement de fichiers
497	richard	1021	[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
		1022	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
		1023	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1024	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1025	touch $DIR_DG/lists/bannedextensionlist
		1026	touch $DIR_DG/lists/bannedmimetypelist
		1027	# 'Safesearch' regex actualisation
498	richard	1028	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1029	# empty LAN IP list that won't be WEB filtered
		1030	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1031	touch $DIR_DG/lists/exceptioniplist
		1032	# Keep a copy of URL & domain filter configuration files
		1033	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1034	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1	root	1035	} # End of param_dansguardian ()
		1036
71	richard	1037	##################################################################
1221	richard	1038	## Fonction "antivirus" ##
479	richard	1039	## - configuration havp + libclamav ##
71	richard	1040	##################################################################
		1041	antivirus ()
		1042	{
288	richard	1043	# création de l'usager 'havp'
		1044	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1045	if [ "$havp_exist" == "1" ]
288	richard	1046	then
478	richard	1047	userdel -r havp 2>/dev/null
894	richard	1048	groupdel havp 2>/dev/null
288	richard	1049	fi
307	richard	1050	groupadd -f havp
796	richard	1051	useradd -r -g havp -s /bin/false -c "system user for havp" havp
476	richard	1052	mkdir -p /var/tmp/havp /var/log/havp
		1053	chown -R havp /var/tmp/havp /var/log/havp /var/run/havp
109	richard	1054	# configuration d'HAVP
		1055	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1056	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
631	richard	1057	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on 8090
		1058	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
990	franck	1059	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1060	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1061	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1062	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1063	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1064	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1007	richard	1065	# skip checking of youtube flow (too heavy load / risk too low)
		1066	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1067	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1068	echo ".youtube.com/" >> /etc/havp/whitelist
481	franck	1069	# remplacement du fichier d'initialisation
335	richard	1070	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
1005	richard	1071	# if keep old init file : $SED "/$HAVP_BIN -c $HAVP_CONFIG/i chown -R havp:havp \/var\/tmp\/havp" /etc/init.d/havp
481	franck	1072	cp -f $DIR_CONF/havp-init /etc/init.d/havp
340	richard	1073	# on remplace la page d'interception (template)
		1074	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1075	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
489	richard	1076	# automatisation de la mise à jour de la base antivirale (toutes les 2 heures)
		1077	$SED "s?^Checks.*?Checks 12?g" /etc/freshclam.conf
		1078	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
734	richard	1079	# Virus database update
		1080	rm -f /var/lib/clamav/*.cld # in case of old database scheme
1005	richard	1081	cp -f $DIR_CONF/clamav-main.cvd /var/lib/clamav/main.cvd
		1082	/usr/bin/freshclam
71	richard	1083	}
		1084
1	root	1085	##################################################################################
1221	richard	1086	## function "param_ulogd" ##
476	richard	1087	## - Ulog config for multi-log files ##
		1088	##################################################################################
		1089	param_ulogd ()
		1090	{
		1091	# Three instances of ulogd (three different logfiles)
		1092	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1093	nl=1
1244	richard	1094	for log_type in tracability ssh ext-access
478	richard	1095	do
		1096	[ -e /var/log/firewall/$log_type.log ] \|\| touch /var/log/firewall/$log_type.log
		1097	cp -f /etc/ulogd.conf /etc/ulogd-$log_type.conf
		1098	$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
		1099	$SED '/OPRINT/,$d' /etc/ulogd-$log_type.conf
		1100	cat << EOF >> /etc/ulogd-$log_type.conf
		1101	[LOGEMU]
		1102	file="/var/log/firewall/$log_type.log"
		1103	sync=1
		1104	EOF
		1105	nl=`expr $nl + 1`
		1106	done
476	richard	1107	chown -R root:apache /var/log/firewall
		1108	chmod 750 /var/log/firewall
		1109	chmod 640 /var/log/firewall/*
		1110	[ -e /etc/init.d/ulogd.default ] \|\| cp /etc/init.d/ulogd /etc/init.d/ulogd.default
		1111	cp -f $DIR_CONF/ulogd-init /etc/init.d/ulogd
		1112	} # End of param_ulogd ()
		1113
1159	crox53	1114
		1115	##########################################################
1221	richard	1116	## Function "param_nfsen" ##
1159	crox53	1117	##########################################################
		1118	param_nfsen()
1	root	1119	{
1159	crox53	1120	#Decompression tarball
1221	richard	1121	tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
1159	crox53	1122	#Création groupe et utilisteur
1221	richard	1123	if grep "^www-data:" /etc/group > /dev/null; then
		1124	echo "Group already exists !"
		1125	else
		1126	groupadd www-data
		1127	echo "Group 'www-data' created !"
		1128	fi
		1129	if grep "^nfsen:" /etc/passwd > /dev/null; then
		1130	echo "User already exists !"
		1131	else
		1132	useradd -m nfsen
		1133	echo "User 'nfsen' created !"
		1134	fi
		1135	usermod -G www-data nfsen
1159	crox53	1136	#Ajout du plugin nfsen : PortTracker
1221	richard	1137	mkdir -p /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
		1138	chown -R nfsen:www-data /var/www/nfsen
		1139	chown -R apache:apache /usr/share/nfsen /var/log/netflow/porttracker
		1140	cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
1159	crox53	1141	#Copie du fichier de conf modifié de nfsen
1221	richard	1142	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
1159	crox53	1143	#Copie du script d'initialisation de nfsen
1221	richard	1144	cp $DIR_CONF/nfsen/nfsen.service /lib/systemd/system/
1159	crox53	1145	#Installation de nfsen via le scrip Perl
1221	richard	1146	DirTmp=$(pwd)
		1147	cd /tmp/nfsen-1.3.6p1/
		1148	/usr/bin/perl5 install.pl etc/nfsen.conf #script lancé deux fois pour corriger,
		1149	/usr/bin/perl5 install.pl etc/nfsen.conf #un problème Perl : "Semaphore introuvable"
1159	crox53	1150	#Création de la DB pour rrdtool
1221	richard	1151	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
		1152	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
		1153	sudo -u apache nftrack -I -d /var/log/netflow/porttracker
		1154	chown -R apache:www-data /var/log/netflow/porttracker/
		1155	chmod -R 775 /var/log/netflow/porttracker
1159	crox53	1156	#Configuration du fichier de conf d'apache
1221	richard	1157	if [ -f /etc/httpd/conf.d/nfsen.conf ];then
		1158	rm -f /etc/httpd/conf.d/nfsen.conf
		1159	fi
		1160	cat <<EOF >> /etc/httpd/conf.d/nfsen.conf
1159	crox53	1161	Alias /nfsen /var/www/nfsen
		1162	<Directory /var/www/nfsen/>
		1163	DirectoryIndex nfsen.php
		1164	Options -Indexes
		1165	AllowOverride all
		1166	order allow,deny
		1167	allow from all
		1168	AddType application/x-httpd-php .php
		1169	php_flag magic_quotes_gpc on
		1170	php_flag track_vars on
1	root	1171	</Directory>
		1172	EOF
1223	crox53	1173	#Ajout du paramètre : IP d'écoute pour le collecteur (nfcapd)
1229	crox53	1174	$SED s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1";'?g /usr/libexec/NfSenRC.pm
1210	crox53	1175	#Configuration du délais d'expiration des captures du profile "live"
1250	richard	1176	nfsen -m live -e 62d 2>/dev/null
1159	crox53	1177	#Suppression des sources de nfsen
1221	richard	1178	cd $DirTmp
		1179	rm -rf /tmp/nfsen-1.3.6p1/
1159	crox53	1180	} # End of param_nfsen
1	root	1181
		1182	##########################################################
1221	richard	1183	## Function "param_dnsmasq" ##
1	root	1184	##########################################################
219	jeremy	1185	param_dnsmasq ()
		1186	{
		1187	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
259	richard	1188	$SED "s?^DHCP_LEASE=.*?DHCP_LEASE=/var/log/dnsmasq/lease.log?g" /etc/sysconfig/dnsmasq # fichier contenant les baux
503	richard	1189	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
520	richard	1190	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if bypass is on.
503	richard	1191	cat << EOF > /etc/dnsmasq.conf
520	richard	1192	# Configuration file for "dnsmasq in forward mode"
503	richard	1193	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
259	richard	1194	listen-address=$PRIVATE_IP
		1195	listen-address=127.0.0.1
286	richard	1196	no-dhcp-interface=$INTIF
259	richard	1197	bind-interfaces
		1198	cache-size=256
		1199	domain=$DOMAIN
		1200	domain-needed
		1201	expand-hosts
		1202	bogus-priv
		1203	filterwin2k
		1204	server=$DNS1
		1205	server=$DNS2
498	richard	1206	# le servive DHCP est configuré mais n'est exploité que pour le "bypass"
865	richard	1207	dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
632	richard	1208	dhcp-option=option:router,$PRIVATE_IP
259	richard	1209	#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
		1210
291	franck	1211	# Exemple de configuration statique : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1212	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1213	EOF
520	richard	1214	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blackhole")
		1215	cat << EOF > /etc/dnsmasq-blackhole.conf
		1216	# Configuration file for "dnsmasq with blackhole"
		1217	# Inclusion de la blacklist <domains> de Toulouse dans la configuration
1015	richard	1218	conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
503	richard	1219	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
498	richard	1220	listen-address=$PRIVATE_IP
		1221	port=54
		1222	no-dhcp-interface=$INTIF
		1223	bind-interfaces
		1224	cache-size=256
		1225	domain=$DOMAIN
		1226	domain-needed
		1227	expand-hosts
		1228	bogus-priv
		1229	filterwin2k
		1230	server=$DNS1
		1231	server=$DNS2
		1232	EOF
718	franck	1233
800	richard	1234	# Init file modification
1221	richard	1235	[ -e /etc/init.d/dnsmasq.default ] \|\| cp /etc/init.d/dnsmasq /etc/init.d/dnsmasq.default
800	richard	1236	# Start and stop a 2nd process for the "DNS blackhole"
1221	richard	1237	cp -f $DIR_CONF/dnsmasq /etc/init.d/dnsmasq
800	richard	1238	# Start after chilli (65) which create tun0
1221	richard	1239	$SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
933	franck	1240	# Optionnellement on pré-active les logs DNS des clients
1221	richard	1241	[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
		1242	$SED "s?log-facility?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq
1157	stephane	1243	# Optionnellement, exemple de paramètre supplémentaire pour le cache memoire
1221	richard	1244	echo '#OPTIONS="$OPTIONS --cache-size=250"' >> /etc/sysconfig/dnsmasq
933	franck	1245	# Optionnellement, exemple de configuration avec un A.D.
1221	richard	1246	echo '#OPTIONS="$OPTIONS --server=/your.domain/192.168.182.3"' >> /etc/sysconfig/dnsmasq
308	richard	1247	} # End dnsmasq
		1248
		1249	##########################################################
1221	richard	1250	## Fonction "BL" ##
308	richard	1251	##########################################################
		1252	BL ()
		1253	{
		1254	# on copie par défaut la BL de toulouse embarqués dans l'archive d'ALCASAR
648	richard	1255	rm -rf $DIR_DG/lists/blacklists
		1256	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
878	richard	1257	# on crée le répertoire ossi (noms de domaine et URLs ajoutés à la BL)
		1258	mkdir $DIR_DG/lists/blacklists/ossi
1041	richard	1259	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
		1260	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
309	richard	1261	# On crée les fichiers vides de sites ou d'URL réhabilités
648	richard	1262	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1263	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1264	touch $DIR_DG/lists/exceptionsitelist
		1265	touch $DIR_DG/lists/exceptionurllist
311	richard	1266	# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
648	richard	1267	cat <<EOF > $DIR_DG/lists/bannedurllist
311	richard	1268	# Dansguardian filter config for ALCASAR
		1269	EOF
648	richard	1270	cat <<EOF > $DIR_DG/lists/bannedsitelist
311	richard	1271	# Dansguardian domain filter config for ALCASAR
		1272	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1273	#**
		1274	# block all SSL and CONNECT tunnels
		1275	**s
		1276	# block all SSL and CONNECT tunnels specified only as an IP
		1277	*ips
		1278	# block all sites specified only by an IP
		1279	*ip
		1280	EOF
1000	richard	1281	# Add Bing and Youtube to the safesearch url regext list (parental control)
878	richard	1282	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1283	# Bing - add 'adlt=strict'
		1284	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1285	# Youtube - add 'edufilter=your_ID'
885	richard	1286	#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"
878	richard	1287	EOF
1000	richard	1288	# change the the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1289	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
648	richard	1290	chown -R dansguardian:apache $DIR_DG
		1291	chmod -R g+rw $DIR_DG
786	richard	1292	# On adapte la BL de Toulouse à notre structure
654	richard	1293	if [ "$mode" != "update" ]; then
		1294	$DIR_DEST_SBIN/alcasar-bl.sh --adapt
		1295	fi
308	richard	1296	}
219	jeremy	1297
1	root	1298	##########################################################
1221	richard	1299	## Fonction "cron" ##
1	root	1300	## - Mise en place des différents fichiers de cron ##
		1301	##########################################################
		1302	cron ()
		1303	{
		1304	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1305	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1306	cat <<EOF > /etc/crontab
		1307	SHELL=/bin/bash
		1308	PATH=/sbin:/bin:/usr/sbin:/usr/bin
		1309	MAILTO=root
		1310	HOME=/
		1311
		1312	# run-parts
		1313	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1314	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1315	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1316	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1317	EOF
		1318	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1319	cat <<EOF >> /etc/anacrontab
667	franck	1320	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
		1321	7 10 cron.logExport nice /etc/cron.d/alcasar-export_log
		1322	7 15 cron.logClean nice /etc/cron.d/alcasar-clean_log
		1323	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1324	EOF
1247	crox53	1325
811	richard	1326	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1327	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
955	richard	1328	45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
905	franck	1329	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
917	franck	1330	40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1331	EOF
952	franck	1332	cat <<EOF > /etc/cron.d/alcasar-archive
		1333	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1334	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1335	EOF
667	franck	1336	cat << EOF > /etc/cron.d/alcasar-clean_import
713	franck	1337	# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
503	richard	1338	30 * * * * root $DIR_DEST_BIN/alcasar-import-clean.sh
168	franck	1339	EOF
722	franck	1340	cat << EOF > /etc/cron.d/alcasar-distrib-updates
		1341	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1342	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1343	EOF
1247	crox53	1344	#cat << EOF > /etc/cron.d/alcasar-netflow
1159	crox53	1345	# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
1247	crox53	1346	#15 0 * * 1 root $DIR_DEST_BIN/alcasar-netflow.sh
		1347	#EOF
1159	crox53	1348
1	root	1349	# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
		1350	# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
		1351	# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
		1352	# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
		1353	# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
		1354	# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
		1355	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
		1356	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
		1357	rm -f /etc/cron.daily/freeradius-web
		1358	rm -f /etc/cron.monthly/freeradius-web
		1359	cat << EOF > /etc/cron.d/freeradius-web
		1360	1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
		1361	5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
		1362	10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
		1363	15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
		1364	EOF
671	franck	1365	cat << EOF > /etc/cron.d/alcasar-watchdog
713	franck	1366	# activation du "chien de garde" (watchdog) toutes les 3'
1	root	1367	/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
		1368	EOF
808	franck	1369	# activation du "chien de garde des services" (watchdog) toutes les 18'
		1370	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
		1371	# activation du "chien de garde" (daemon-watchdog) toutes les 18'
		1372	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1373	EOF
522	richard	1374	# suppression des crons usagers
		1375	rm -f /var/spool/cron/*
1	root	1376	} # End cron
		1377
		1378	##################################################################
1221	richard	1379	## Fonction "Fail2Ban" ##
1163	crox53	1380	##- Modification de la configuration de fail2ban ##
		1381	##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ##
		1382	##################################################################
		1383	fail2ban()
		1384	{
1191	crox53	1385	$DIR_CONF/fail2ban.sh
1192	crox53	1386	#Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
		1387	[ -e /var/log/fail2ban.log ] \|\| touch /var/log/fail2ban.log
		1388	[ -e /var/Save/logs/security/watchdog.log ] \|\| touch /var/Save/logs/security/watchdog.log
1165	crox53	1389	chmod 644 /var/log/fail2ban.log
1192	crox53	1390	chmod 644 /var/Save/logs/security/watchdog.log
1163	crox53	1391	} #Fin de fail2ban_install()
		1392
		1393	##################################################################
1221	richard	1394	## Fonction "post_install" ##
1	root	1395	## - Modification des bannières (locales et ssh) et des prompts ##
		1396	## - Installation de la structure de chiffrement pour root ##
		1397	## - Mise en place du sudoers et de la sécurité sur les fichiers##
		1398	## - Mise en place du la rotation des logs ##
5	franck	1399	## - Configuration dans le cas d'une mise à jour ##
1	root	1400	##################################################################
		1401	post_install()
		1402	{
		1403	# adaptation du script "chien de garde" (watchdog)
376	franck	1404	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
		1405	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
1	root	1406	# création de la bannière locale
1007	richard	1407	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		1408	cp -f $DIR_CONF/banner /etc/mageia-release
		1409	echo " V$VERSION" >> /etc/mageia-release
1	root	1410	# création de la bannière SSH
1007	richard	1411	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
5	franck	1412	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1413	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1414	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1415	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1416	# postfix banner anonymisation
		1417	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
604	richard	1418	# sshd écoute côté LAN et WAN
1	root	1419	$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
604	richard	1420	$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
860	richard	1421	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
628	richard	1422	echo "SSH=off" >> $CONF_FILE
1063	richard	1423	echo 'SSH_ADMIN_FROM=0.0.0.0/0.0.0.0' >> $CONF_FILE
628	richard	1424	echo "QOS=off" >> $CONF_FILE
		1425	echo "LDAP=off" >> $CONF_FILE
786	richard	1426	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
885	richard	1427	echo "WEB_ANTIVIRUS=on" >> $CONF_FILE
628	richard	1428	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
		1429	echo "DNS_FILTERING=off" >> $CONF_FILE
885	richard	1430	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1078	franck	1431	echo "MULTIWAN=off" >> $CONF_FILE
		1432	echo "FAILOVER=30" >> $CONF_FILE
		1433	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1336	richard	1434	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
		1435	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1	root	1436	# Coloration des prompts
		1437	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1438	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1439	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1	root	1440	# Droits d'exécution pour utilisateur apache et sysadmin
		1441	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1442	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1443	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
1342	richard	1444	# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, radiusd, ulogd)
1	root	1445	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		1446	chmod 644 /etc/logrotate.d/*
714	franck	1447	# rectification sur versions précédentes de la compression des logs
706	franck	1448	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		1449	# actualisation des fichiers logs compressés
1342	richard	1450	for dir in firewall dansguardian httpd
706	franck	1451	do
714	franck	1452	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	1453	done
1221	richard	1454	# create the alcasar-load_balancing unit
		1455	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1184	crox53	1456	# This file is part of systemd.
		1457	#
		1458	# systemd is free software; you can redistribute it and/or modify it
		1459	# under the terms of the GNU General Public License as published by
		1460	# the Free Software Foundation; either version 2 of the License, or
		1461	# (at your option) any later version.
		1462
		1463	# This unit lauches alcasar-load-balancing.sh script.
		1464	[Unit]
		1465	Description=alcasar-load_balancing.sh execution
		1466	After=network.target iptables.service
		1467
		1468	[Service]
		1469	Type=oneshot
		1470	RemainAfterExit=yes
		1471	ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
		1472	ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
		1473	TimeoutSec=0
		1474	SysVStartPriority=99
		1475
		1476	[Install]
		1477	WantedBy=multi-user.target
1157	stephane	1478	EOF
1221	richard	1479	# processes launched at boot time (SYSV)
1342	richard	1480	for i in ntpd iptables ulogd dnsmasq chilli httpd radiusd netfs mysqld dansguardian havp freshclam
1221	richard	1481	do
		1482	/sbin/chkconfig --add $i
		1483	done
		1484	# processes launched at boot time (Systemctl)
		1485	for i in alcasar-load_balancing.service nfsen.service
953	franck	1486
1221	richard	1487	do
		1488	systemctl enable $i
		1489	done
		1490	# Apply French Security Agency (ANSSI) rules
568	richard	1491	# ignorer les broadcast ICMP. (attaque smurf)
1221	richard	1492	sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
568	richard	1493	# ignorer les erreurs ICMP bogus
1221	richard	1494	sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
595	richard	1495	# désactiver l'envoi et la réponse aux ICMP redirects
1221	richard	1496	sysctl -w net.ipv4.conf.all.accept_redirects=0
		1497	accept_redirect=`grep accept_redirect /etc/sysctl.conf\|wc -l`
568	richard	1498	if [ "$accept_redirect" == "0" ]
		1499	then
679	richard	1500	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
		1501	else
		1502	$SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf
568	richard	1503	fi
1221	richard	1504	sysctl -w net.ipv4.conf.all.send_redirects=0
		1505	send_redirect=`grep send_redirect /etc/sysctl.conf\|wc -l`
568	richard	1506	if [ "$send_redirect" == "0" ]
		1507	then
679	richard	1508	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
		1509	else
		1510	$SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf
568	richard	1511	fi
		1512	# activer les SYN Cookies (attaque syn flood)
1221	richard	1513	sysctl -w net.ipv4.tcp_syncookies=1
		1514	tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf\|wc -l`
568	richard	1515	if [ "$tcp_syncookies" == "0" ]
		1516	then
679	richard	1517	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
		1518	else
		1519	$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf
568	richard	1520	fi
595	richard	1521	# activer l'antispoofing niveau Noyau
1221	richard	1522	sysctl -w net.ipv4.conf.all.rp_filter=1
568	richard	1523	# ignorer le source routing
1221	richard	1524	sysctl -w net.ipv4.conf.all.accept_source_route=0
		1525	accept_source_route=`grep accept_source_route /etc/sysctl.conf\|wc -l`
568	richard	1526	if [ "$accept_source_route" == "0" ]
		1527	then
679	richard	1528	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
		1529	else
		1530	$SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf
568	richard	1531	fi
679	richard	1532	# réglage du timer de maintien de suivi de session à 1h (3600s) au lieu de 5 semaines
1221	richard	1533	sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
		1534	timeout_established=`grep timeout_established /etc/sysctl.conf\|wc -l`
679	richard	1535	if [ "$timeout_established" == "0" ]
		1536	then
		1537	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf
		1538	else
793	richard	1539	$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf
679	richard	1540	fi
1157	stephane	1541	# disable log_martians (ALCASAR is often installed between two private network addresses)
1221	richard	1542	sysctl -w net.ipv4.conf.all.log_martians=0
306	richard	1543	# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
1005	richard	1544	# ??? $SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
1003	richard	1545	# switch to multi-users runlevel (instead of x11)
1221	richard	1546	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1005	richard	1547	# GRUB modifications
		1548	# limit wait time to 3s
		1549	# create an alcasar entry instead of linux-nonfb
		1550	# change display to 1024*768 (vga791)
1221	richard	1551	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
		1552	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
		1553	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
		1554	$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
		1555	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
		1556	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1003	richard	1557	# Remove unused services and users
1221	richard	1558	for old_svc in alsa sound dm
		1559	do
		1560	/sbin/chkconfig --del $old_svc
		1561	done
		1562	for svc in snmpd.service sshd.service
		1563	do
		1564	/bin/systemctl disable $svc
		1565	done
		1566	for rm_users in avahi-autoipd avahi icapd
		1567	do
		1568	user=`cat /etc/passwd\|grep $rm_users\|cut -d":" -f1`
		1569	if [ "$user" == "$rm_users" ]
		1570	then
		1571	/usr/sbin/userdel -f $rm_users
		1572	fi
		1573	done
		1574	# Load and apply the previous conf file
		1575	if [ "$mode" = "update" ]
532	richard	1576	then
1266	richard	1577	$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs
1221	richard	1578	$DIR_DEST_BIN/alcasar-conf.sh --load
		1579	PARENT_SCRIPT=`basename $0`
		1580	export PARENT_SCRIPT # to avoid stop&start process during the installation process
		1581	$DIR_DEST_BIN/alcasar-conf.sh --apply
		1582	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		1583	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
1269	richard	1584	if [ $MAJ_PREVIOUS_VERSION -lt 2 ] \|\| ([ $MAJ_PREVIOUS_VERSION -eq 2 ] && [ $MIN_PREVIOUS_VERSION -lt 8 ])
		1585	# update needed for versions previous then 2.8 due to the integration of the domainname ("localdomain" by default)
		1586	then
		1587	header_install
		1588	if [ $Lang == "fr" ]
		1589	then
		1590	echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
		1591	echo
		1592	echo -n "Nom : "
		1593	else
		1594	echo "This update need to redefine the first admin account"
		1595	echo
		1596	echo -n "Account : "
		1597	fi
		1598	read admin_portal
		1599	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		1600	mkdir -p $DIR_DEST_ETC/digest
		1601	chmod 755 $DIR_DEST_ETC/digest
		1602	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		1603	do
		1604	/usr/sbin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
		1605	done
		1606	$DIR_DEST_SBIN/alcasar-profil.sh --list
		1607	fi
532	richard	1608	fi
1221	richard	1609	rm -f /tmp/alcasar-conf*
		1610	chown -R root:apache $DIR_DEST_ETC/*
		1611	chmod -R 660 $DIR_DEST_ETC/*
		1612	chmod ug+x $DIR_DEST_ETC/digest
1045	franck	1613	# Apply and save the firewall rules
		1614	sh $DIR_DEST_BIN/alcasar-iptables.sh
		1615	sleep 2
1	root	1616	cd $DIR_INSTALL
5	franck	1617	echo ""
1	root	1618	echo "#############################################################################"
638	richard	1619	if [ $Lang == "fr" ]
		1620	then
		1621	echo "# Fin d'installation d'ALCASAR #"
		1622	echo "# #"
		1623	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1624	echo "# des Accès au Réseau ( ALCASAR ) #"
		1625	echo "# #"
		1626	echo "#############################################################################"
		1627	echo
		1628	echo "- ALCASAR sera fonctionnel après redémarrage du système"
		1629	echo
		1630	echo "- Lisez attentivement la documentation d'exploitation"
		1631	echo
		1632	echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		1633	echo
		1634	echo " Appuyez sur 'Entrée' pour continuer"
		1635	else
		1636	echo "# Enf of ALCASAR install process #"
		1637	echo "# #"
		1638	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1639	echo "# des Accès au Réseau ( ALCASAR ) #"
		1640	echo "# #"
		1641	echo "#############################################################################"
		1642	echo
		1643	echo "- The system will be rebooted in order to operate ALCASAR"
		1644	echo
		1645	echo "- Read the exploitation documentation"
		1646	echo
		1647	echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		1648	echo
		1649	echo " Hit 'Enter' to continue"
		1650	fi
815	richard	1651	sleep 2
		1652	if [ "$mode" != "update" ]
820	richard	1653	then
815	richard	1654	read a
		1655	fi
774	richard	1656	clear
1	root	1657	reboot
		1658	} # End post_install ()
		1659
		1660	#################################
1005	richard	1661	# Main Install loop #
1	root	1662	#################################
832	richard	1663	dir_exec=`dirname "$0"`
		1664	if [ $dir_exec != "." ]
		1665	then
		1666	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
		1667	echo "Launch this program from the ALCASAR archive directory"
		1668	exit 0
		1669	fi
		1670	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	1671	usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"
1	root	1672	nb_args=$#
		1673	args=$1
		1674	if [ $nb_args -eq 0 ]
		1675	then
		1676	nb_args=1
		1677	args="-h"
		1678	fi
1062	richard	1679	chmod -R u+x $DIR_SCRIPTS/*
1	root	1680	case $args in
		1681	-\? \| -h* \| --h*)
		1682	echo "$usage"
		1683	exit 0
		1684	;;
291	franck	1685	-i \| --install)
959	franck	1686	license
5	franck	1687	header_install
29	richard	1688	testing
1336	richard	1689	# Test if ALCASAR is already installed
1249	richard	1690	if [ -e $CONF_FILE ]
1	root	1691	then
1249	richard	1692	current_version=`cat $CONF_FILE \| grep VERSION \| cut -d"=" -f2`
595	richard	1693	if [ $Lang == "fr" ]
1249	richard	1694	then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
		1695	else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
595	richard	1696	fi
5	franck	1697	response=0
460	richard	1698	PTN='^[oOnNyY]$'
580	richard	1699	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	1700	do
595	richard	1701	if [ $Lang == "fr" ]
		1702	then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
		1703	else echo -n "Do you want to update (Y/n)?";
		1704	fi
5	franck	1705	read response
		1706	done
597	richard	1707	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
5	franck	1708	then
597	richard	1709	rm -f /tmp/alcasar-conf*
		1710	else
636	richard	1711	# Create a backup of running version importants files
389	franck	1712	$DIR_SCRIPTS/alcasar-conf.sh --create
532	richard	1713	mode="update"
5	franck	1714	fi
1	root	1715	fi
595	richard	1716	# RPMs install
		1717	$DIR_SCRIPTS/alcasar-urpmi.sh
		1718	if [ "$?" != "0" ]
1	root	1719	then
595	richard	1720	exit 0
		1721	fi
1342	richard	1722	echo "STOP" ; read a
1249	richard	1723	if [ -e $CONF_FILE ]
595	richard	1724	then
597	richard	1725	# Uninstall the running version
532	richard	1726	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
595	richard	1727	fi
636	richard	1728	# Test if manual update
1057	richard	1729	if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" != "update" ]
595	richard	1730	then
636	richard	1731	header_install
595	richard	1732	if [ $Lang == "fr" ]
636	richard	1733	then echo "Le fichier de configuration d'une ancienne version a été trouvé";
		1734	else echo "The configuration file of an old version has been found";
595	richard	1735	fi
597	richard	1736	response=0
		1737	PTN='^[oOnNyY]$'
		1738	until [[ $(expr $response : $PTN) -gt 0 ]]
		1739	do
		1740	if [ $Lang == "fr" ]
		1741	then echo -n "Voulez-vous l'utiliser (O/n)? ";
		1742	else echo -n "Do you want to use it (Y/n)?";
		1743	fi
		1744	read response
		1745	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		1746	then rm -f /tmp/alcasar-conf*
		1747	fi
		1748	done
		1749	fi
636	richard	1750	# Test if update
1057	richard	1751	if [ -e /tmp/alcasar-conf* ]
597	richard	1752	then
		1753	if [ $Lang == "fr" ]
		1754	then echo "#### Installation avec mise à jour ####";
		1755	else echo "#### Installation with update ####";
		1756	fi
636	richard	1757	# Extract the central configuration file
1057	richard	1758	tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
637	richard	1759	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	1760	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		1761	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		1762	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		1763	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	1764	mode="update"
		1765	else
		1766	mode="install"
1	root	1767	fi
1342	richard	1768	for func in init network ACC CA init_db param_radius param_web_radius param_chilli param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron fail2ban post_install
5	franck	1769	do
		1770	$func
1221	richard	1771	# echo "* 'debug' : end of function $func *"; read a
14	richard	1772	done
5	franck	1773	;;
291	franck	1774	-u \| --uninstall)
5	franck	1775	if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1	root	1776	then
597	richard	1777	if [ $Lang == "fr" ]
		1778	then echo "ALCASAR n'est pas installé!";
		1779	else echo "ALCASAR isn't installed!";
		1780	fi
1	root	1781	exit 0
		1782	fi
5	franck	1783	response=0
		1784	PTN='^[oOnN]$'
580	richard	1785	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	1786	do
597	richard	1787	if [ $Lang == "fr" ]
		1788	then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
854	richard	1789	else echo -n "Do you want to create the running version configuration file (Y/n)? ";
597	richard	1790	fi
5	franck	1791	read response
		1792	done
1103	richard	1793	if [ "$response" = "o" ] \|\| [ "$response" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]
1	root	1794	then
1103	richard	1795	$DIR_SCRIPTS/alcasar-conf.sh --create
498	richard	1796	else
		1797	rm -f /tmp/alcasar-conf*
1	root	1798	fi
597	richard	1799	# Uninstall the running version
65	richard	1800	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1	root	1801	;;
		1802	*)
		1803	echo "Argument inconnu :$1";
460	richard	1804	echo "Unknown argument :$1";
1	root	1805	echo "$usage"
		1806	exit 1
		1807	;;
		1808	esac
10	franck	1809	# end of script
366	franck	1810

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1342