WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
57	franck	2	# $Id: alcasar.sh 1349 2014-05-14 14:52:19Z richard $
1	root	3
		4	# alcasar.sh
959	franck	5
1157	stephane	6	# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
		7	# Ce programme est un logiciel libre ; This software is free and open source
959	franck	8	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		9	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		10	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		11	# Voir la Licence Publique Générale GNU pour plus de détails.
		12
967	franck	13	# team@alcasar.net
959	franck	14
1	root	15	# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
		16	# This script is distributed under the Gnu General Public License (GPL)
		17
672	richard	18	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	19	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	20	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
1007	richard	21	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
672	richard	22	#
1342	richard	23	# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav, Ulog, fail2ban, NFsen and NFdump
1	root	24
		25	# Options :
376	franck	26	# -i or --install
		27	# -u or --uninstall
1	root	28
376	franck	29	# Functions :
1221	richard	30	# testing : connectivity tests and downloading before intall
		31	# init : Installation of RPM and scripts
		32	# network : Network parameters
		33	# ACC : ALCASAR Control Center installation
		34	# CA : Certification Authority initialization
		35	# init_db : Initilization of radius database managed with MariaDB
		36	# param_radius : FreeRadius initialisation
		37	# param_web_radius : copy ans modifiy original "freeradius web" in ACC
		38	# param_chilli : coovachilli initialisation (+authentication page)
		39	# param_dansguardian : DansGuardian filtering HTTP proxy configuration
		40	# antivirus : HAVP + libclamav configuration
		41	# param_nfsen : Configuration du grapheur nfsen pour apache
1253	richard	42	# dnsmasq : Name server configuration
		43	# BL : BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
1266	richard	44	# cron : Logs export + watchdog + connexion statistics
1253	richard	45	# fail2ban : Fail2ban installation and configuration
1266	richard	46	# post_install : Security, log rotation, etc.
1349	richard	47	# gammu_smsd : Autoregister addon (gammu-smsd)
1	root	48
		49	DATE=`date '+%d %B %Y - %Hh%M'`
		50	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	51	Lang=`echo $LANG\|cut -c 1-2`
1	root	52	# ***** Files parameters - paramètres fichiers *******
1015	richard	53	DIR_INSTALL=`pwd` # current directory
		54	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		55	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
		56	DIR_SAVE="/var/Save" # backup directory (system_backup, user_db_backup, logs)
		57	DIR_WEB="/var/www/html" # directory of APACHE
		58	DIR_DG="/etc/dansguardian" # directory of DansGuardian
		59	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
		60	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		61	DIR_DEST_SBIN="/usr/local/sbin" # directory of ALCASAR admin scripts
		62	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
		63	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
		64	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
		65	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	66	# ***** DBMS parameters - paramètres SGBD ******
1243	richard	67	DB_RADIUS="radius" # database name used by FreeRadius server
		68	DB_USER="radius" # user name allows to request the users database
1349	richard	69	DB_GAMMU="gammu" # database name used by Gammu-smsd
1	root	70	# ***** Network parameters - paramètres réseau *****
1211	crox53	71	HOSTNAME="alcasar" #
1243	richard	72	DOMAIN="localdomain" # default local domain
1336	richard	73	EXTIF=`/sbin/ip route\|grep default\|cut -d" " -f5` # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
		74	INTIF=`/sbin/ip link\|grep '^[[:digit:]]:'\|grep -v "lo\\|$EXTIF"\|cut -d" " -f2\|tr -d ":"` # INTIF is connected to the consultation network
1148	crox53	75	MTU="1500"
1157	stephane	76	ETHTOOL_OPTS='"autoneg off speed 100 duplex full"'
1243	richard	77	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
1	root	78	# **** Paths - chemin des commandes *****
		79	SED="/bin/sed -i"
		80	# **************** End of global parameters *******************
		81
959	franck	82	license ()
		83	{
		84	if [ $Lang == "fr" ]
967	franck	85	then cat $DIR_INSTALL/gpl-3.0.fr.txt \| more
		86	else cat $DIR_INSTALL/gpl-3.0.txt \| more
959	franck	87	fi
975	franck	88	echo "Taper sur Entrée pour continuer !"
		89	echo "Enter to continue."
959	franck	90	read a
		91	}
		92
1	root	93	header_install ()
		94	{
		95	clear
		96	echo "-----------------------------------------------------------------------------"
460	richard	97	echo " ALCASAR V$VERSION Installation"
1	root	98	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		99	echo "-----------------------------------------------------------------------------"
		100	} # End of header_install ()
		101
1174	crox53	102
1	root	103	##################################################################
1221	richard	104	## Function "testing" ##
1342	richard	105	## - Test of free space on /var (>10G) ##
1005	richard	106	## - Test of Internet access ##
29	richard	107	##################################################################
		108	testing ()
		109	{
1342	richard	110	free_space=`df -BG --output=avail /var\|tail -1\|tr -d [:space:]G`
		111	if [ $free_space -lt 10 ]
		112	then
		113	if [ $Lang == "fr" ]
		114	then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
		115	else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
		116	fi
		117	exit 0
		118	fi
		119	if [ $Lang == "fr" ]
784	richard	120	then echo -n "Tests des paramètres réseau : "
595	richard	121	else echo -n "Network parameters tests : "
		122	fi
1336	richard	123	# We test EXTIF config files
		124
784	richard	125	PUBLIC_IP=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		126	PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		127	if [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
		128	then
		129	if [ $Lang == "fr" ]
		130	then
		131	echo "Échec"
		132	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		133	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
830	richard	134	echo "Appliquez les changements : 'service network restart'"
784	richard	135	else
		136	echo "Failed"
		137	echo "The Internet connected network card ($EXTIF) isn't well configured."
		138	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
830	richard	139	echo "Apply the new configuration 'service network restart'"
784	richard	140	fi
830	richard	141	echo "DEVICE=$EXTIF"
784	richard	142	echo "IPADDR="
		143	echo "NETMASK="
		144	echo "GATEWAY="
		145	echo "DNS1="
		146	echo "DNS2="
830	richard	147	echo "ONBOOT=yes"
784	richard	148	exit 0
		149	fi
		150	echo -n "."
460	richard	151	# We test the Ethernet links state
29	richard	152	for i in $EXTIF $INTIF
		153	do
294	richard	154	/sbin/ip link set $i up
306	richard	155	sleep 3
1031	richard	156	CMD=`/usr/sbin/ethtool $i \|egrep 'Link detected'\| awk '{print $NF}'`
		157	CMD2=`/sbin/mii-tool $i \| grep link \| awk '{print $NF}'`
808	franck	158	if [ $CMD != "yes" ] && [ $CMD2 != "ok" ]
29	richard	159	then
595	richard	160	if [ $Lang == "fr" ]
		161	then
		162	echo "Échec"
		163	echo "Le lien réseau de la carte $i n'est pas actif."
		164	echo "Réglez ce problème puis relancez ce script."
		165	else
		166	echo "Failed"
		167	echo "The link state of $i interface id down."
		168	echo "Resolv this problem, then restart this script."
		169	fi
29	richard	170	exit 0
		171	fi
308	richard	172	echo -n "."
29	richard	173	done
		174	# On teste la présence d'un routeur par défaut (Box FAI)
784	richard	175	if [ `ip route list\|grep -c ^default` -ne "1" ] ; then
595	richard	176	if [ $Lang == "fr" ]
		177	then
		178	echo "Échec"
		179	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		180	echo "Réglez ce problème puis relancez ce script."
		181	else
		182	echo "Failed"
		183	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		184	echo "Resolv this problem, then restart this script."
		185	fi
29	richard	186	exit 0
		187	fi
308	richard	188	echo -n "."
978	franck	189	# On teste le lien vers le routeur par defaut
308	richard	190	IP_GW=`ip route list\|grep ^default\|cut -d" " -f3`
		191	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $IP_GW\|grep response\|cut -d" " -f2`
527	richard	192	if [ $(expr $arp_reply) -eq 0 ]
308	richard	193	then
595	richard	194	if [ $Lang == "fr" ]
		195	then
		196	echo "Échec"
		197	echo "Le routeur de site ou la Box Internet ($IP_GW) ne répond pas."
		198	echo "Réglez ce problème puis relancez ce script."
		199	else
		200	echo "Failed"
		201	echo "The Internet gateway doesn't answered"
		202	echo "Resolv this problem, then restart this script."
		203	fi
308	richard	204	exit 0
		205	fi
		206	echo -n "."
421	franck	207	# On teste la connectivité Internet
29	richard	208	rm -rf /tmp/con_ok.html
308	richard	209	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	210	if [ ! -e /tmp/con_ok.html ]
		211	then
595	richard	212	if [ $Lang == "fr" ]
		213	then
		214	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		215	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		216	echo "Vérifiez la validité des adresses IP des DNS."
		217	else
		218	echo "The Internet connection try failed (google.fr)."
		219	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		220	echo "Verify the DNS IP addresses"
		221	fi
29	richard	222	exit 0
		223	fi
		224	rm -rf /tmp/con_ok.html
308	richard	225	echo ". : ok"
302	richard	226	} # end of testing
		227
		228	##################################################################
1221	richard	229	## Function "init" ##
302	richard	230	## - Création du fichier "/root/ALCASAR_parametres.txt" ##
		231	## - Installation et modification des scripts du portail ##
		232	##################################################################
		233	init ()
		234	{
527	richard	235	if [ "$mode" != "update" ]
302	richard	236	then
		237	# On affecte le nom d'organisme
597	richard	238	header_install
302	richard	239	ORGANISME=!
		240	PTN='^[a-zA-Z0-9-]*$'
580	richard	241	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
302	richard	242	do
595	richard	243	if [ $Lang == "fr" ]
597	richard	244	then echo -n "Entrez le nom de votre organisme : "
		245	else echo -n "Enter the name of your organism : "
595	richard	246	fi
330	franck	247	read ORGANISME
613	richard	248	if [ "$ORGANISME" == "" ]
330	franck	249	then
		250	ORGANISME=!
		251	fi
		252	done
302	richard	253	fi
1	root	254	# On crée aléatoirement les mots de passe et les secrets partagés
628	richard	255	rm -f $PASSWD_FILE
59	richard	256	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de protection du menu Grub
628	richard	257	echo -n "Password to protect the boot menu (GRUB) : " > $PASSWD_FILE
		258	echo "$grubpwd" >> $PASSWD_FILE
1348	richard	259	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
384	richard	260	$SED "/^password.*/d" /boot/grub/menu.lst
		261	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
1	root	262	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de l'administrateur Mysqld
1003	richard	263	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
628	richard	264	echo "root / $mysqlpwd" >> $PASSWD_FILE
1	root	265	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # mot de passe de l'utilisateur Mysqld (utilisé par freeradius)
1003	richard	266	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
628	richard	267	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
1	root	268	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # secret partagé entre intercept.php et coova-chilli
628	richard	269	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
		270	echo "$secretuam" >> $PASSWD_FILE
1	root	271	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8` # secret partagé entre coova-chilli et FreeRadius
628	richard	272	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
		273	echo "$secretradius" >> $PASSWD_FILE
		274	chmod 640 $PASSWD_FILE
977	richard	275	# Scripts and conf files copy
		276	# - in /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
5	franck	277	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
977	richard	278	# - in /usr/local/sbin : alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
5	franck	279	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
977	richard	280	# - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
648	richard	281	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
1	root	282	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
		283	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
5	franck	284	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
		285	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
628	richard	286	# generate central conf file
		287	cat <<EOF > $CONF_FILE
612	richard	288	##########################################
		289	## ##
		290	## ALCASAR Parameters ##
		291	## ##
		292	##########################################
1	root	293
612	richard	294	INSTALL_DATE=$DATE
		295	VERSION=$VERSION
		296	ORGANISM=$ORGANISME
923	franck	297	DOMAIN=$DOMAIN
612	richard	298	EOF
628	richard	299	chmod o-rwx $CONF_FILE
1	root	300	} # End of init ()
		301
		302	##################################################################
1221	richard	303	## Function "network" ##
1	root	304	## - Définition du plan d'adressage du réseau de consultation ##
595	richard	305	## - Nommage DNS du système ##
1336	richard	306	## - Configuration de l'interface INTIF (réseau de consultation)##
1	root	307	## - Modification du fichier /etc/hosts ##
		308	## - Configuration du serveur de temps (NTP) ##
		309	## - Renseignement des fichiers hosts.allow et hosts.deny ##
		310	##################################################################
		311	network ()
		312	{
		313	header_install
636	richard	314	if [ "$mode" != "update" ]
		315	then
		316	if [ $Lang == "fr" ]
		317	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		318	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		319	fi
		320	response=0
		321	PTN='^[oOyYnN]$'
		322	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	323	do
595	richard	324	if [ $Lang == "fr" ]
659	richard	325	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	326	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	327	fi
1	root	328	read response
		329	done
636	richard	330	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		331	then
		332	PRIVATE_IP_MASK="0"
		333	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		334	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	335	do
595	richard	336	if [ $Lang == "fr" ]
597	richard	337	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		338	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	339	fi
597	richard	340	read PRIVATE_IP_MASK
1	root	341	done
636	richard	342	else
		343	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		344	fi
595	richard	345	else
637	richard	346	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		347	rm -rf conf/etc/alcasar.conf
1	root	348	fi
861	richard	349	# Define LAN side global parameters
1243	richard	350	hostname $HOSTNAME.$DOMAIN
		351	echo $HOSTNAME.$DOMAIN > /etc/hostname
977	richard	352	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
		353	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
		354	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
		355	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
		356	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
		357	classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; classe_sup_sup=`expr $classe + 2` # ie.: 2=classe B, 3=classe C
		358	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		359	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
		360	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f$classe_sup` # last octet of LAN address
		361	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f$classe_sup` # last octet of LAN broadcast
837	richard	362	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
977	richard	363	PRIVATE_SECOND_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 2` # second network address (ex.: 192.168.182.2)
837	richard	364	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
1336	richard	365	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6` # MAC address of INTIF
841	richard	366	# Define Internet parameters
14	richard	367	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		368	DNS1=`grep DNS1 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 1er DNS
		369	DNS2=`grep DNS2 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 2ème DNS
70	franck	370	DNS1=${DNS1:=208.67.220.220}
		371	DNS2=${DNS2:=208.67.222.222}
597	richard	372	PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2`
1052	richard	373	DEFAULT_PUBLIC_NETMASK=`ipcalc -m $PUBLIC_IP \| cut -d"=" -f2`
784	richard	374	PUBLIC_NETMASK=${PUBLIC_NETMASK:=$DEFAULT_PUBLIC_NETMASK}
1052	richard	375	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	376	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
765	stephane	377	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
994	franck	378	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	379	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
		380	echo "DNS1=$DNS1" >> $CONF_FILE
		381	echo "DNS2=$DNS2" >> $CONF_FILE
		382	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
941	richard	383	echo "DHCP=full" >> $CONF_FILE
914	franck	384	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		385	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		386	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
597	richard	387	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
841	richard	388	# config network
1	root	389	cat <<EOF > /etc/sysconfig/network
		390	NETWORKING=yes
1243	richard	391	HOSTNAME="$HOSTNAME.$DOMAIN"
1	root	392	FORWARD_IPV4=true
		393	EOF
841	richard	394	# config /etc/hosts
1	root	395	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		396	cat <<EOF > /etc/hosts
503	richard	397	127.0.0.1 localhost
1250	richard	398	$PRIVATE_IP $HOSTNAME.$DOMAIN
1	root	399	EOF
1336	richard	400	# Config EXTIF (Internet)
14	richard	401	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		402	DEVICE=$EXTIF
		403	BOOTPROTO=static
597	richard	404	IPADDR=$PUBLIC_IP
		405	NETMASK=$PUBLIC_NETMASK
		406	GATEWAY=$PUBLIC_GATEWAY
14	richard	407	DNS1=127.0.0.1
		408	ONBOOT=yes
		409	METRIC=10
		410	NOZEROCONF=yes
		411	MII_NOT_SUPPORTED=yes
		412	IPV6INIT=no
		413	IPV6TO4INIT=no
		414	ACCOUNTING=no
		415	USERCTL=no
994	franck	416	MTU=$MTU
14	richard	417	EOF
1336	richard	418	# Config INTIF (consultation LAN) in normal mode
841	richard	419	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		420	DEVICE=$INTIF
		421	BOOTPROTO=static
		422	ONBOOT=yes
		423	NOZEROCONF=yes
		424	MII_NOT_SUPPORTED=yes
		425	IPV6INIT=no
		426	IPV6TO4INIT=no
		427	ACCOUNTING=no
		428	USERCTL=no
1157	stephane	429	ETHTOOL_OPTS=$ETHTOOL_OPTS
841	richard	430	EOF
1336	richard	431	# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
793	richard	432	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
1	root	433	DEVICE=$INTIF
		434	BOOTPROTO=static
		435	IPADDR=$PRIVATE_IP
604	richard	436	NETMASK=$PRIVATE_NETMASK
1	root	437	ONBOOT=yes
		438	METRIC=10
		439	NOZEROCONF=yes
		440	MII_NOT_SUPPORTED=yes
14	richard	441	IPV6INIT=no
		442	IPV6TO4INIT=no
		443	ACCOUNTING=no
		444	USERCTL=no
1	root	445	EOF
440	franck	446	# Mise à l'heure du serveur
		447	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		448	cat <<EOF > /etc/ntp/step-tickers
455	franck	449	0.fr.pool.ntp.org # adapt to your country
		450	1.fr.pool.ntp.org
		451	2.fr.pool.ntp.org
440	franck	452	EOF
		453	# Configuration du serveur de temps (sur lui même)
1	root	454	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		455	cat <<EOF > /etc/ntp.conf
456	franck	456	server 0.fr.pool.ntp.org # adapt to your country
447	franck	457	server 1.fr.pool.ntp.org
		458	server 2.fr.pool.ntp.org
		459	server 127.127.1.0 # local clock si NTP internet indisponible ...
411	richard	460	fudge 127.127.1.0 stratum 10
604	richard	461	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
1	root	462	restrict 127.0.0.1
310	richard	463	driftfile /var/lib/ntp/drift
1	root	464	logfile /var/log/ntp.log
		465	EOF
440	franck	466
310	richard	467	chown -R ntp:ntp /var/lib/ntp
1	root	468	# Renseignement des fichiers hosts.allow et hosts.deny
		469	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		470	cat <<EOF > /etc/hosts.allow
		471	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	472	sshd: ALL
1	root	473	ntpd: $PRIVATE_NETWORK_SHORT
		474	EOF
		475	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		476	cat <<EOF > /etc/hosts.deny
		477	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		478	EOF
604	richard	479	# Firewall config
790	richard	480	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		481	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		482	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	483	# create the filter exception file and ip_bloqued file
790	richard	484	touch $DIR_DEST_ETC/alcasar-filter-exceptions
860	richard	485	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
1069	richard	486	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	487	# load conntrack ftp module
		488	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
		489	echo "ip_conntrack_ftp" >> /etc/modprobe.preload
1159	crox53	490	# load ipt_NETFLOW module
		491	echo "ipt_NETFLOW" >> /etc/modprobe.preload
1157	stephane	492	#
860	richard	493	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	494	} # End of network ()
		495
		496	##################################################################
1221	richard	497	## Function "ACC" ##
		498	## - installation du centre de gestion (ALCASAR Control Center) ##
1	root	499	## - configuration du serveur web (Apache) ##
		500	## - définition du 1er comptes de gestion ##
		501	## - sécurisation des accès ##
		502	##################################################################
1221	richard	503	ACC ()
1	root	504	{
		505	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		506	mkdir $DIR_WEB
		507	# Copie et configuration des fichiers du centre de gestion
316	richard	508	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972	richard	509	echo "$VERSION" > $DIR_WEB/VERSION
316	richard	510	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		511	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		512	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		513	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		514	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	515	chown -R apache:apache $DIR_WEB/*
1342	richard	516	for i in system_backup base logs/firewall logs/httpd logs/security;
1	root	517	do
		518	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		519	done
5	franck	520	chown -R root:apache $DIR_SAVE
71	richard	521	# Configuration et sécurisation php
		522	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	523	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		524	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	525	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		526	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71	richard	527	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		528	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
		529	# Configuration et sécurisation Apache
790	richard	530	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1	root	531	[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
1243	richard	532	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
303	richard	533	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1	root	534	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
		535	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
		536	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
790	richard	537	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
		538	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
		539	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
		540	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
		541	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
		542	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
990	franck	543	$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf
1	root	544	FIC_MOD_SSL=`find /etc/httpd/modules.d/ -type f -name *mod_ssl.conf`
		545	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" $FIC_MOD_SSL # On écoute en SSL que sur INTIF
		546	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /var/www/error/include/top.html
		547	[ -e /var/www/error/include/bottom.html.default ] \|\| mv /var/www/error/include/bottom.html /var/www/error/include/bottom.html.default
		548	cat <<EOF > /var/www/error/include/bottom.html
		549	</body>
		550	</html>
		551	EOF
		552	# Définition du premier compte lié au profil 'admin'
509	richard	553	header_install
510	richard	554	if [ "$mode" = "install" ]
		555	then
613	richard	556	admin_portal=!
		557	PTN='^[a-zA-Z0-9-]*$'
		558	until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
		559	do
		560	header_install
		561	if [ $Lang == "fr" ]
		562	then
		563	echo ""
		564	echo "Définissez un premier compte d'administration du portail :"
		565	echo
		566	echo -n "Nom : "
		567	else
		568	echo ""
		569	echo "Define the first account allow to administrate the portal :"
		570	echo
		571	echo -n "Account : "
		572	fi
		573	read admin_portal
		574	if [ "$admin_portal" == "" ]
		575	then
		576	admin_portal=!
		577	fi
		578	done
1268	richard	579	# Creation of keys file for the admin account ("admin")
510	richard	580	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		581	mkdir -p $DIR_DEST_ETC/digest
		582	chmod 755 $DIR_DEST_ETC/digest
		583	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		584	do
1243	richard	585	/usr/sbin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
510	richard	586	done
		587	$DIR_DEST_SBIN/alcasar-profil.sh --list
		588	fi
434	richard	589	# synchronisation horaire
		590	ntpd -q -g &
1	root	591	# Sécurisation du centre
988	franck	592	rm -f /etc/httpd/conf/webapps.d/alcasar*
1	root	593	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	594	<Directory $DIR_ACC>
1	root	595	SSLRequireSSL
		596	AllowOverride None
		597	Order deny,allow
		598	Deny from all
		599	Allow from 127.0.0.1
		600	Allow from $PRIVATE_NETWORK_MASK
990	franck	601	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	602	require valid-user
		603	AuthType digest
1243	richard	604	AuthName $HOSTNAME.$DOMAIN
1	root	605	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	606	AuthUserFile $DIR_DEST_ETC/digest/key_all
1243	richard	607	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	608	</Directory>
316	richard	609	<Directory $DIR_ACC/admin>
1	root	610	SSLRequireSSL
		611	AllowOverride None
		612	Order deny,allow
		613	Deny from all
		614	Allow from 127.0.0.1
		615	Allow from $PRIVATE_NETWORK_MASK
990	franck	616	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	617	require valid-user
		618	AuthType digest
1243	richard	619	AuthName $HOSTNAME.$DOMAIN
1	root	620	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	621	AuthUserFile $DIR_DEST_ETC/digest/key_admin
1243	richard	622	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	623	</Directory>
344	richard	624	<Directory $DIR_ACC/manager>
1	root	625	SSLRequireSSL
		626	AllowOverride None
		627	Order deny,allow
		628	Deny from all
		629	Allow from 127.0.0.1
		630	Allow from $PRIVATE_NETWORK_MASK
990	franck	631	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	632	require valid-user
		633	AuthType digest
1243	richard	634	AuthName $HOSTNAME.$DOMAIN
1	root	635	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	636	AuthUserFile $DIR_DEST_ETC/digest/key_manager
1243	richard	637	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	638	</Directory>
316	richard	639	<Directory $DIR_ACC/backup>
		640	SSLRequireSSL
		641	AllowOverride None
		642	Order deny,allow
		643	Deny from all
		644	Allow from 127.0.0.1
		645	Allow from $PRIVATE_NETWORK_MASK
990	franck	646	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
316	richard	647	require valid-user
		648	AuthType digest
1243	richard	649	AuthName $HOSTNAME.$DOMAIN
316	richard	650	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	651	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	652	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
316	richard	653	</Directory>
811	richard	654	Alias /save/ "$DIR_SAVE/"
		655	<Directory $DIR_SAVE>
		656	SSLRequireSSL
		657	Options Indexes
		658	Order deny,allow
		659	Deny from all
		660	Allow from 127.0.0.1
		661	Allow from $PRIVATE_NETWORK_MASK
990	franck	662	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
811	richard	663	require valid-user
		664	AuthType digest
1243	richard	665	AuthName $HOSTNAME.$DOMAIN
811	richard	666	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	667	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
811	richard	668	</Directory>
1	root	669	EOF
1221	richard	670	} # End of ACC()
1	root	671
		672	##########################################################################################
1221	richard	673	## Fonction "CA" ##
1	root	674	## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
		675	##########################################################################################
1221	richard	676	CA ()
1	root	677	{
		678	$SED "s?ifcfg-eth.?ifcfg-$INTIF?g" $DIR_DEST_BIN/alcasar-CA.sh
510	richard	679	$DIR_DEST_BIN/alcasar-CA.sh
800	richard	680	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	681	[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
		682	$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
		683	$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
679	richard	684	$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
5	franck	685	chown -R root:apache /etc/pki
1	root	686	chmod -R 750 /etc/pki
1221	richard	687	} # End CA ()
1	root	688
		689	##########################################################################################
1221	richard	690	## Fonction "init_db" ##
1	root	691	## - Initialisation de la base Mysql ##
		692	## - Affectation du mot de passe de l'administrateur (root) ##
		693	## - Suppression des bases et des utilisateurs superflus ##
		694	## - Création de la base 'radius' ##
		695	## - Installation du schéma de cette base ##
		696	## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##
		697	## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##
		698	##########################################################################################
		699	init_db ()
		700	{
		701	mkdir -p /var/lib/mysql/.tmp
1008	richard	702	chown -R mysql:mysql /var/lib/mysql/
227	franck	703	[ -e /etc/my.cnf.rpmnew ] && mv /etc/my.cnf.rpmnew /etc/my.cnf # prend en compte les migrations de MySQL
1	root	704	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
		705	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
		706	/etc/init.d/mysqld start
		707	sleep 4
		708	mysqladmin -u root password $mysqlpwd
		709	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
615	richard	710	# Delete exemple databases if exist
1	root	711	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;CONNECT mysql;DELETE from user where user='';FLUSH PRIVILEGES;"
615	richard	712	# Create 'radius' database
1317	richard	713	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
615	richard	714	# Add an empty radius database structure
364	franck	715	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
615	richard	716	# modify the start script in order to close accounting connexion when the system is comming down or up
		717	[ -e /etc/init.d/mysqld.default ] \|\| cp /etc/init.d/mysqld /etc/init.d/mysqld.default
		718	$SED "/wait_for_pid created/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
		719	$SED "/'stop')/a echo \"Flush ALCASAR open accounting sessions\"; /usr/local/sbin/alcasar-mysql.sh -acct_stop" /etc/init.d/mysqld
1	root	720	} # End init_db ()
		721
		722	##########################################################################
1221	richard	723	## Fonction "param_radius" ##
1	root	724	## - Paramètrage des fichiers de configuration FreeRadius ##
		725	## - Affectation du secret partagé entre coova-chilli et freeradius ##
		726	## - Modification de fichier de conf pour l'accès à Mysql ##
		727	##########################################################################
		728	param_radius ()
		729	{
		730	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
		731	chown -R radius:radius /etc/raddb
		732	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1278	richard	733	# Set radius.conf parameters
1	root	734	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		735	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		736	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
1278	richard	737	# remove the proxy function
1	root	738	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf
		739	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
1278	richard	740	# remove EAP module
654	richard	741	$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1278	richard	742	# listen on loopback (should be modified later if EAP enabled)
1	root	743	$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
1278	richard	744	# enable the SQL module (and SQL counter)
1	root	745	$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
		746	$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
		747	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1278	richard	748	# remvove virtual server and copy our conf file
1	root	749	rm -f /etc/raddb/sites-enabled/*
1278	richard	750	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1	root	751	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
		752	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
		753	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
		754	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
384	richard	755	# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1	root	756	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1278	richard	757	# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1	root	758	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		759	cat << EOF > /etc/raddb/clients.conf
		760	client 127.0.0.1 {
		761	secret = $secretradius
		762	shortname = localhost
		763	}
		764	EOF
1278	richard	765	# sql.conf modification
1	root	766	[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
		767	$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
		768	$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
		769	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
		770	$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf
1278	richard	771	# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.)
1	root	772	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1278	richard	773	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
		774	# counter.conf modification (change the Max-All-Session-Time counter)
		775	[ -e /etc/raddb/sql/mysql/counter.conf.default ] \|\| cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
		776	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
		777	chown -R radius:radius /etc/raddb/sql/mysql/*
1114	richard	778	# insures that mysql is up before radius start
1184	crox53	779	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
1157	stephane	780
1	root	781	} # End param_radius ()
		782
		783	##########################################################################
1221	richard	784	## Function "param_web_radius" ##
1	root	785	## - Import, modification et paramètrage de l'interface "dialupadmin" ##
		786	## - Création du lien vers la page de changement de mot de passe ##
		787	##########################################################################
		788	param_web_radius ()
		789	{
		790	# copie de l'interface d'origine dans la structure Alcasar
316	richard	791	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
		792	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme
		793	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
344	richard	794	# copie des fichiers modifiés
		795	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
316	richard	796	chown -R apache:apache $DIR_ACC/manager/
344	richard	797	# Modification des fichiers de configuration
1	root	798	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
503	richard	799	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1	root	800	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		801	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		802	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
		803	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
		804	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
		805	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
		806	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
946	richard	807	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
344	richard	808	[ -e /etc/freeradius-web/config.php.default ] \|\| cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
1278	richard	809	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
131	richard	810	cat <<EOF > /etc/freeradius-web/naslist.conf
632	richard	811	nas1_name: alcasar-$ORGANISME
1	root	812	nas1_model: Portail captif
		813	nas1_ip: $PRIVATE_IP
		814	nas1_port_num: 0
		815	nas1_community: public
		816	EOF
		817	# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
		818	[ -e /etc/freeradius-web/user_edit.attrs.default ] \|\| mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
1278	richard	819	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
114	richard	820	# Ajout du mappage des attributs chillispot
		821	[ -e /etc/freeradius-web/sql.attrmap.default ] \|\| mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
1278	richard	822	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
1	root	823	# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
1278	richard	824	[ -e /etc/freeradius-web/sql.attrs.default ] \|\| cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
1	root	825	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
		826	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
5	franck	827	chown -R apache:apache /etc/freeradius-web
1	root	828	# Ajout de l'alias vers la page de "changement de mot de passe usager"
		829	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
344	richard	830	<Directory $DIR_WEB/pass>
1	root	831	SSLRequireSSL
		832	AllowOverride None
		833	Order deny,allow
		834	Deny from all
		835	Allow from 127.0.0.1
		836	Allow from $PRIVATE_NETWORK_MASK
1243	richard	837	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
1	root	838	</Directory>
		839	EOF
		840	} # End of param_web_radius ()
		841
799	richard	842	##################################################################################
1221	richard	843	## Fonction "param_chilli" ##
799	richard	844	## - Création du fichier d'initialisation et de configuration de coova-chilli ##
		845	## - Paramètrage de la page d'authentification (intercept.php) ##
		846	##################################################################################
1	root	847	param_chilli ()
		848	{
799	richard	849	# init file creation
461	richard	850	[ -e /etc/init.d/chilli.default ] \|\| cp /etc/init.d/chilli /etc/init.d/chilli.default
799	richard	851	cat <<EOF > /etc/init.d/chilli
		852	#!/bin/sh
		853	#
		854	# chilli CoovaChilli init
		855	#
		856	# chkconfig: 2345 65 35
		857	# description: CoovaChilli
		858	### BEGIN INIT INFO
		859	# Provides: chilli
		860	# Required-Start: network
		861	# Should-Start:
		862	# Required-Stop: network
		863	# Should-Stop:
		864	# Default-Start: 2 3 5
		865	# Default-Stop:
		866	# Description: CoovaChilli access controller
		867	### END INIT INFO
		868
		869	[ -f /usr/sbin/chilli ] \|\| exit 0
		870	. /etc/init.d/functions
		871	CONFIG=/etc/chilli.conf
		872	pidfile=/var/run/chilli.pid
		873	[ -f \$CONFIG ] \|\| {
		874	echo "\$CONFIG Not found"
		875	exit 0
		876	}
		877	RETVAL=0
		878	prog="chilli"
		879	case \$1 in
		880	start)
		881	if [ -f \$pidfile ] ; then
		882	gprintf "chilli is already running"
		883	else
		884	gprintf "Starting \$prog: "
		885	rm -f /var/run/chilli* # cleaning
		886	/sbin/modprobe tun >/dev/null 2>&1
		887	echo 1 > /proc/sys/net/ipv4/ip_forward
		888	[ -e /dev/net/tun ] \|\| {
		889	(cd /dev;
		890	mkdir net;
		891	cd net;
		892	mknod tun c 10 200)
		893	}
1336	richard	894	ifconfig $INTIF 0.0.0.0
799	richard	895	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		896	RETVAL=$?
		897	fi
		898	;;
		899
		900	reload)
		901	killall -HUP chilli
		902	;;
		903
		904	restart)
		905	\$0 stop
		906	sleep 2
		907	\$0 start
		908	;;
		909
		910	status)
		911	status chilli
		912	RETVAL=0
		913	;;
		914
		915	stop)
		916	if [ -f \$pidfile ] ; then
		917	gprintf "Shutting down \$prog: "
		918	killproc /usr/sbin/chilli
		919	RETVAL=\$?
		920	[ \$RETVAL = 0 ] && rm -f $pidfile
		921	else
		922	gprintf "chilli is not running"
		923	fi
		924	;;
		925
		926	*)
		927	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		928	exit 1
		929	esac
		930	echo
		931	EOF
		932
		933	# conf file creation
346	richard	934	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
		935	cat <<EOF > /etc/chilli.conf
		936	# coova config for ALCASAR
		937	cmdsocket /var/run/chilli.sock
1336	richard	938	unixipc chilli.$INTIF.ipc
		939	pidfile /var/run/chilli.$INTIF.pid
346	richard	940	net $PRIVATE_NETWORK_MASK
595	richard	941	dhcpif $INTIF
841	richard	942	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	943	#nodynip
865	richard	944	#statip
		945	dynip $PRIVATE_NETWORK_MASK
1249	richard	946	domain $DOMAIN
355	richard	947	dns1 $PRIVATE_IP
		948	dns2 $PRIVATE_IP
346	richard	949	uamlisten $PRIVATE_IP
503	richard	950	uamport 3990
837	richard	951	macauth
		952	macpasswd password
1243	richard	953	locationname $HOSTNAME.$DOMAIN
346	richard	954	radiusserver1 127.0.0.1
		955	radiusserver2 127.0.0.1
		956	radiussecret $secretradius
		957	radiusauthport 1812
		958	radiusacctport 1813
1243	richard	959	uamserver https://$HOSTNAME.$DOMAIN/intercept.php
		960	radiusnasid $HOSTNAME.$DOMAIN
346	richard	961	uamsecret $secretuam
1249	richard	962	uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN
346	richard	963	coaport 3799
1299	richard	964	#conup $DIR_DEST_BIN/alcasar-conup.sh
		965	#condown $DIR_DEST_BIN/alcasar-condown.sh
503	richard	966	include $DIR_DEST_ETC/alcasar-uamallowed
		967	include $DIR_DEST_ETC/alcasar-uamdomain
1294	richard	968	#dhcpgateway
1157	stephane	969	#dhcprelayagent
		970	#dhcpgatewayport
346	richard	971	EOF
1336	richard	972	# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
977	richard	973	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
840	richard	974	# create files for trusted domains and urls
1148	crox53	975	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	976	chown root:apache $DIR_DEST_ETC/alcasar-*
		977	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	978	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	979	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
		980	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
796	richard	981	# user 'chilli' creation (in order to run conup/off and up/down scripts
		982	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		983	if [ "$chilli_exist" == "1" ]
		984	then
		985	userdel -r chilli 2>/dev/null
		986	fi
		987	groupadd -f chilli
		988	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1	root	989	} # End of param_chilli ()
1349	richard	990
1	root	991	##################################################################
1221	richard	992	## Fonction "param_dansguardian" ##
1	root	993	## - Paramètrage du gestionnaire de contenu Dansguardian ##
		994	##################################################################
		995	param_dansguardian ()
		996	{
		997	mkdir /var/dansguardian
		998	chown dansguardian /var/dansguardian
497	richard	999	[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1293	richard	1000	# By default the filter is off
497	richard	1001	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1293	richard	1002	# French deny HTML page
497	richard	1003	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1293	richard	1004	# Listen only on LAN side
497	richard	1005	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1342	richard	1006	# DG send its flow to HAVP
		1007	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1293	richard	1008	# replace the default deny HTML page
1	root	1009	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
		1010	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1293	richard	1011	# Don't log
		1012	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
		1013	# Run 10 daemons (20 in largest server)
659	richard	1014	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1	root	1015	# on désactive par défaut le controle de contenu des pages html
497	richard	1016	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
		1017	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1018	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1	root	1019	# on désactive par défaut le contrôle d'URL par expressions régulières
497	richard	1020	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1021	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1	root	1022	# on désactive par défaut le contrôle de téléchargement de fichiers
497	richard	1023	[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
		1024	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
		1025	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1026	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1027	touch $DIR_DG/lists/bannedextensionlist
		1028	touch $DIR_DG/lists/bannedmimetypelist
		1029	# 'Safesearch' regex actualisation
498	richard	1030	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1031	# empty LAN IP list that won't be WEB filtered
		1032	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1033	touch $DIR_DG/lists/exceptioniplist
		1034	# Keep a copy of URL & domain filter configuration files
		1035	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1036	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1	root	1037	} # End of param_dansguardian ()
		1038
71	richard	1039	##################################################################
1221	richard	1040	## Fonction "antivirus" ##
479	richard	1041	## - configuration havp + libclamav ##
71	richard	1042	##################################################################
		1043	antivirus ()
		1044	{
288	richard	1045	# création de l'usager 'havp'
		1046	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1047	if [ "$havp_exist" == "1" ]
288	richard	1048	then
478	richard	1049	userdel -r havp 2>/dev/null
894	richard	1050	groupdel havp 2>/dev/null
288	richard	1051	fi
307	richard	1052	groupadd -f havp
796	richard	1053	useradd -r -g havp -s /bin/false -c "system user for havp" havp
476	richard	1054	mkdir -p /var/tmp/havp /var/log/havp
		1055	chown -R havp /var/tmp/havp /var/log/havp /var/run/havp
109	richard	1056	# configuration d'HAVP
		1057	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1058	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
631	richard	1059	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on 8090
		1060	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
990	franck	1061	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1062	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1063	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1064	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1065	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1066	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1007	richard	1067	# skip checking of youtube flow (too heavy load / risk too low)
		1068	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1069	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1070	echo ".youtube.com/" >> /etc/havp/whitelist
481	franck	1071	# remplacement du fichier d'initialisation
335	richard	1072	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
1005	richard	1073	# if keep old init file : $SED "/$HAVP_BIN -c $HAVP_CONFIG/i chown -R havp:havp \/var\/tmp\/havp" /etc/init.d/havp
481	franck	1074	cp -f $DIR_CONF/havp-init /etc/init.d/havp
340	richard	1075	# on remplace la page d'interception (template)
		1076	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1077	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
489	richard	1078	# automatisation de la mise à jour de la base antivirale (toutes les 2 heures)
		1079	$SED "s?^Checks.*?Checks 12?g" /etc/freshclam.conf
		1080	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
734	richard	1081	# Virus database update
		1082	rm -f /var/lib/clamav/*.cld # in case of old database scheme
1005	richard	1083	cp -f $DIR_CONF/clamav-main.cvd /var/lib/clamav/main.cvd
		1084	/usr/bin/freshclam
71	richard	1085	}
		1086
1	root	1087	##################################################################################
1221	richard	1088	## function "param_ulogd" ##
476	richard	1089	## - Ulog config for multi-log files ##
		1090	##################################################################################
		1091	param_ulogd ()
		1092	{
		1093	# Three instances of ulogd (three different logfiles)
		1094	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1095	nl=1
1244	richard	1096	for log_type in tracability ssh ext-access
478	richard	1097	do
		1098	[ -e /var/log/firewall/$log_type.log ] \|\| touch /var/log/firewall/$log_type.log
		1099	cp -f /etc/ulogd.conf /etc/ulogd-$log_type.conf
		1100	$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
		1101	$SED '/OPRINT/,$d' /etc/ulogd-$log_type.conf
		1102	cat << EOF >> /etc/ulogd-$log_type.conf
		1103	[LOGEMU]
		1104	file="/var/log/firewall/$log_type.log"
		1105	sync=1
		1106	EOF
		1107	nl=`expr $nl + 1`
		1108	done
476	richard	1109	chown -R root:apache /var/log/firewall
		1110	chmod 750 /var/log/firewall
		1111	chmod 640 /var/log/firewall/*
		1112	[ -e /etc/init.d/ulogd.default ] \|\| cp /etc/init.d/ulogd /etc/init.d/ulogd.default
		1113	cp -f $DIR_CONF/ulogd-init /etc/init.d/ulogd
		1114	} # End of param_ulogd ()
		1115
1159	crox53	1116
		1117	##########################################################
1221	richard	1118	## Function "param_nfsen" ##
1159	crox53	1119	##########################################################
		1120	param_nfsen()
1	root	1121	{
1159	crox53	1122	#Decompression tarball
1221	richard	1123	tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
1159	crox53	1124	#Création groupe et utilisteur
1221	richard	1125	if grep "^www-data:" /etc/group > /dev/null; then
		1126	echo "Group already exists !"
		1127	else
		1128	groupadd www-data
		1129	echo "Group 'www-data' created !"
		1130	fi
		1131	if grep "^nfsen:" /etc/passwd > /dev/null; then
		1132	echo "User already exists !"
		1133	else
		1134	useradd -m nfsen
		1135	echo "User 'nfsen' created !"
		1136	fi
		1137	usermod -G www-data nfsen
1159	crox53	1138	#Ajout du plugin nfsen : PortTracker
1221	richard	1139	mkdir -p /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
		1140	chown -R nfsen:www-data /var/www/nfsen
		1141	chown -R apache:apache /usr/share/nfsen /var/log/netflow/porttracker
		1142	cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
1159	crox53	1143	#Copie du fichier de conf modifié de nfsen
1221	richard	1144	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
1159	crox53	1145	#Copie du script d'initialisation de nfsen
1221	richard	1146	cp $DIR_CONF/nfsen/nfsen.service /lib/systemd/system/
1159	crox53	1147	#Installation de nfsen via le scrip Perl
1221	richard	1148	DirTmp=$(pwd)
		1149	cd /tmp/nfsen-1.3.6p1/
		1150	/usr/bin/perl5 install.pl etc/nfsen.conf #script lancé deux fois pour corriger,
		1151	/usr/bin/perl5 install.pl etc/nfsen.conf #un problème Perl : "Semaphore introuvable"
1159	crox53	1152	#Création de la DB pour rrdtool
1221	richard	1153	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
		1154	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
		1155	sudo -u apache nftrack -I -d /var/log/netflow/porttracker
		1156	chown -R apache:www-data /var/log/netflow/porttracker/
		1157	chmod -R 775 /var/log/netflow/porttracker
1159	crox53	1158	#Configuration du fichier de conf d'apache
1221	richard	1159	if [ -f /etc/httpd/conf.d/nfsen.conf ];then
		1160	rm -f /etc/httpd/conf.d/nfsen.conf
		1161	fi
		1162	cat <<EOF >> /etc/httpd/conf.d/nfsen.conf
1159	crox53	1163	Alias /nfsen /var/www/nfsen
		1164	<Directory /var/www/nfsen/>
		1165	DirectoryIndex nfsen.php
		1166	Options -Indexes
		1167	AllowOverride all
		1168	order allow,deny
		1169	allow from all
		1170	AddType application/x-httpd-php .php
		1171	php_flag magic_quotes_gpc on
		1172	php_flag track_vars on
1	root	1173	</Directory>
		1174	EOF
1223	crox53	1175	#Ajout du paramètre : IP d'écoute pour le collecteur (nfcapd)
1229	crox53	1176	$SED s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1";'?g /usr/libexec/NfSenRC.pm
1210	crox53	1177	#Configuration du délais d'expiration des captures du profile "live"
1250	richard	1178	nfsen -m live -e 62d 2>/dev/null
1159	crox53	1179	#Suppression des sources de nfsen
1221	richard	1180	cd $DirTmp
		1181	rm -rf /tmp/nfsen-1.3.6p1/
1159	crox53	1182	} # End of param_nfsen
1	root	1183
		1184	##########################################################
1221	richard	1185	## Function "param_dnsmasq" ##
1	root	1186	##########################################################
219	jeremy	1187	param_dnsmasq ()
		1188	{
		1189	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
259	richard	1190	$SED "s?^DHCP_LEASE=.*?DHCP_LEASE=/var/log/dnsmasq/lease.log?g" /etc/sysconfig/dnsmasq # fichier contenant les baux
503	richard	1191	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
520	richard	1192	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if bypass is on.
503	richard	1193	cat << EOF > /etc/dnsmasq.conf
520	richard	1194	# Configuration file for "dnsmasq in forward mode"
503	richard	1195	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
259	richard	1196	listen-address=$PRIVATE_IP
		1197	listen-address=127.0.0.1
286	richard	1198	no-dhcp-interface=$INTIF
259	richard	1199	bind-interfaces
		1200	cache-size=256
		1201	domain=$DOMAIN
		1202	domain-needed
		1203	expand-hosts
		1204	bogus-priv
		1205	filterwin2k
		1206	server=$DNS1
		1207	server=$DNS2
498	richard	1208	# le servive DHCP est configuré mais n'est exploité que pour le "bypass"
865	richard	1209	dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
632	richard	1210	dhcp-option=option:router,$PRIVATE_IP
259	richard	1211	#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
		1212
291	franck	1213	# Exemple de configuration statique : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1214	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1215	EOF
520	richard	1216	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blackhole")
		1217	cat << EOF > /etc/dnsmasq-blackhole.conf
		1218	# Configuration file for "dnsmasq with blackhole"
		1219	# Inclusion de la blacklist <domains> de Toulouse dans la configuration
1015	richard	1220	conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
503	richard	1221	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
498	richard	1222	listen-address=$PRIVATE_IP
		1223	port=54
		1224	no-dhcp-interface=$INTIF
		1225	bind-interfaces
		1226	cache-size=256
		1227	domain=$DOMAIN
		1228	domain-needed
		1229	expand-hosts
		1230	bogus-priv
		1231	filterwin2k
		1232	server=$DNS1
		1233	server=$DNS2
		1234	EOF
718	franck	1235
800	richard	1236	# Init file modification
1221	richard	1237	[ -e /etc/init.d/dnsmasq.default ] \|\| cp /etc/init.d/dnsmasq /etc/init.d/dnsmasq.default
800	richard	1238	# Start and stop a 2nd process for the "DNS blackhole"
1221	richard	1239	cp -f $DIR_CONF/dnsmasq /etc/init.d/dnsmasq
800	richard	1240	# Start after chilli (65) which create tun0
1221	richard	1241	$SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
933	franck	1242	# Optionnellement on pré-active les logs DNS des clients
1221	richard	1243	[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
		1244	$SED "s?log-facility?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq
1157	stephane	1245	# Optionnellement, exemple de paramètre supplémentaire pour le cache memoire
1221	richard	1246	echo '#OPTIONS="$OPTIONS --cache-size=250"' >> /etc/sysconfig/dnsmasq
933	franck	1247	# Optionnellement, exemple de configuration avec un A.D.
1221	richard	1248	echo '#OPTIONS="$OPTIONS --server=/your.domain/192.168.182.3"' >> /etc/sysconfig/dnsmasq
308	richard	1249	} # End dnsmasq
		1250
		1251	##########################################################
1221	richard	1252	## Fonction "BL" ##
308	richard	1253	##########################################################
		1254	BL ()
		1255	{
		1256	# on copie par défaut la BL de toulouse embarqués dans l'archive d'ALCASAR
648	richard	1257	rm -rf $DIR_DG/lists/blacklists
		1258	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
878	richard	1259	# on crée le répertoire ossi (noms de domaine et URLs ajoutés à la BL)
		1260	mkdir $DIR_DG/lists/blacklists/ossi
1041	richard	1261	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
		1262	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
309	richard	1263	# On crée les fichiers vides de sites ou d'URL réhabilités
648	richard	1264	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1265	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1266	touch $DIR_DG/lists/exceptionsitelist
		1267	touch $DIR_DG/lists/exceptionurllist
311	richard	1268	# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
648	richard	1269	cat <<EOF > $DIR_DG/lists/bannedurllist
311	richard	1270	# Dansguardian filter config for ALCASAR
		1271	EOF
648	richard	1272	cat <<EOF > $DIR_DG/lists/bannedsitelist
311	richard	1273	# Dansguardian domain filter config for ALCASAR
		1274	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1275	#**
		1276	# block all SSL and CONNECT tunnels
		1277	**s
		1278	# block all SSL and CONNECT tunnels specified only as an IP
		1279	*ips
		1280	# block all sites specified only by an IP
		1281	*ip
		1282	EOF
1000	richard	1283	# Add Bing and Youtube to the safesearch url regext list (parental control)
878	richard	1284	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1285	# Bing - add 'adlt=strict'
		1286	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1287	# Youtube - add 'edufilter=your_ID'
885	richard	1288	#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"
878	richard	1289	EOF
1000	richard	1290	# change the the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1291	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
648	richard	1292	chown -R dansguardian:apache $DIR_DG
		1293	chmod -R g+rw $DIR_DG
786	richard	1294	# On adapte la BL de Toulouse à notre structure
654	richard	1295	if [ "$mode" != "update" ]; then
		1296	$DIR_DEST_SBIN/alcasar-bl.sh --adapt
		1297	fi
308	richard	1298	}
219	jeremy	1299
1	root	1300	##########################################################
1221	richard	1301	## Fonction "cron" ##
1	root	1302	## - Mise en place des différents fichiers de cron ##
		1303	##########################################################
		1304	cron ()
		1305	{
		1306	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1307	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1308	cat <<EOF > /etc/crontab
		1309	SHELL=/bin/bash
		1310	PATH=/sbin:/bin:/usr/sbin:/usr/bin
		1311	MAILTO=root
		1312	HOME=/
		1313
		1314	# run-parts
		1315	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1316	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1317	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1318	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1319	EOF
		1320	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1321	cat <<EOF >> /etc/anacrontab
667	franck	1322	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
		1323	7 10 cron.logExport nice /etc/cron.d/alcasar-export_log
		1324	7 15 cron.logClean nice /etc/cron.d/alcasar-clean_log
		1325	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1326	EOF
1247	crox53	1327
811	richard	1328	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1329	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
955	richard	1330	45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
905	franck	1331	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
917	franck	1332	40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1333	EOF
952	franck	1334	cat <<EOF > /etc/cron.d/alcasar-archive
		1335	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1336	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1337	EOF
667	franck	1338	cat << EOF > /etc/cron.d/alcasar-clean_import
713	franck	1339	# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
503	richard	1340	30 * * * * root $DIR_DEST_BIN/alcasar-import-clean.sh
168	franck	1341	EOF
722	franck	1342	cat << EOF > /etc/cron.d/alcasar-distrib-updates
		1343	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1344	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1345	EOF
1247	crox53	1346	#cat << EOF > /etc/cron.d/alcasar-netflow
1159	crox53	1347	# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
1247	crox53	1348	#15 0 * * 1 root $DIR_DEST_BIN/alcasar-netflow.sh
		1349	#EOF
1159	crox53	1350
1	root	1351	# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
		1352	# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
		1353	# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
		1354	# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
		1355	# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
		1356	# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
		1357	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
		1358	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
		1359	rm -f /etc/cron.daily/freeradius-web
		1360	rm -f /etc/cron.monthly/freeradius-web
		1361	cat << EOF > /etc/cron.d/freeradius-web
		1362	1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
		1363	5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
		1364	10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
		1365	15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
		1366	EOF
671	franck	1367	cat << EOF > /etc/cron.d/alcasar-watchdog
713	franck	1368	# activation du "chien de garde" (watchdog) toutes les 3'
1	root	1369	/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
		1370	EOF
808	franck	1371	# activation du "chien de garde des services" (watchdog) toutes les 18'
		1372	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
		1373	# activation du "chien de garde" (daemon-watchdog) toutes les 18'
		1374	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1375	EOF
522	richard	1376	# suppression des crons usagers
		1377	rm -f /var/spool/cron/*
1	root	1378	} # End cron
		1379
		1380	##################################################################
1221	richard	1381	## Fonction "Fail2Ban" ##
1163	crox53	1382	##- Modification de la configuration de fail2ban ##
		1383	##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ##
		1384	##################################################################
		1385	fail2ban()
		1386	{
1191	crox53	1387	$DIR_CONF/fail2ban.sh
1192	crox53	1388	#Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
		1389	[ -e /var/log/fail2ban.log ] \|\| touch /var/log/fail2ban.log
		1390	[ -e /var/Save/logs/security/watchdog.log ] \|\| touch /var/Save/logs/security/watchdog.log
1165	crox53	1391	chmod 644 /var/log/fail2ban.log
1192	crox53	1392	chmod 644 /var/Save/logs/security/watchdog.log
1163	crox53	1393	} #Fin de fail2ban_install()
		1394
		1395	##################################################################
1221	richard	1396	## Fonction "post_install" ##
1	root	1397	## - Modification des bannières (locales et ssh) et des prompts ##
		1398	## - Installation de la structure de chiffrement pour root ##
		1399	## - Mise en place du sudoers et de la sécurité sur les fichiers##
		1400	## - Mise en place du la rotation des logs ##
5	franck	1401	## - Configuration dans le cas d'une mise à jour ##
1	root	1402	##################################################################
		1403	post_install()
		1404	{
		1405	# adaptation du script "chien de garde" (watchdog)
376	franck	1406	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
		1407	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
1	root	1408	# création de la bannière locale
1007	richard	1409	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		1410	cp -f $DIR_CONF/banner /etc/mageia-release
		1411	echo " V$VERSION" >> /etc/mageia-release
1	root	1412	# création de la bannière SSH
1007	richard	1413	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
5	franck	1414	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1415	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1416	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1417	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1418	# postfix banner anonymisation
		1419	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
604	richard	1420	# sshd écoute côté LAN et WAN
1	root	1421	$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
604	richard	1422	$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
860	richard	1423	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
628	richard	1424	echo "SSH=off" >> $CONF_FILE
1063	richard	1425	echo 'SSH_ADMIN_FROM=0.0.0.0/0.0.0.0' >> $CONF_FILE
628	richard	1426	echo "QOS=off" >> $CONF_FILE
		1427	echo "LDAP=off" >> $CONF_FILE
786	richard	1428	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
885	richard	1429	echo "WEB_ANTIVIRUS=on" >> $CONF_FILE
628	richard	1430	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
		1431	echo "DNS_FILTERING=off" >> $CONF_FILE
885	richard	1432	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1078	franck	1433	echo "MULTIWAN=off" >> $CONF_FILE
		1434	echo "FAILOVER=30" >> $CONF_FILE
		1435	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1336	richard	1436	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
		1437	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1	root	1438	# Coloration des prompts
		1439	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1440	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1441	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1	root	1442	# Droits d'exécution pour utilisateur apache et sysadmin
		1443	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1444	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1445	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
1342	richard	1446	# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, radiusd, ulogd)
1	root	1447	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		1448	chmod 644 /etc/logrotate.d/*
714	franck	1449	# rectification sur versions précédentes de la compression des logs
706	franck	1450	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		1451	# actualisation des fichiers logs compressés
1342	richard	1452	for dir in firewall dansguardian httpd
706	franck	1453	do
714	franck	1454	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	1455	done
1221	richard	1456	# create the alcasar-load_balancing unit
		1457	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1184	crox53	1458	# This file is part of systemd.
		1459	#
		1460	# systemd is free software; you can redistribute it and/or modify it
		1461	# under the terms of the GNU General Public License as published by
		1462	# the Free Software Foundation; either version 2 of the License, or
		1463	# (at your option) any later version.
		1464
		1465	# This unit lauches alcasar-load-balancing.sh script.
		1466	[Unit]
		1467	Description=alcasar-load_balancing.sh execution
		1468	After=network.target iptables.service
		1469
		1470	[Service]
		1471	Type=oneshot
		1472	RemainAfterExit=yes
		1473	ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
		1474	ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
		1475	TimeoutSec=0
		1476	SysVStartPriority=99
		1477
		1478	[Install]
		1479	WantedBy=multi-user.target
1157	stephane	1480	EOF
1221	richard	1481	# processes launched at boot time (SYSV)
1342	richard	1482	for i in ntpd iptables ulogd dnsmasq chilli httpd radiusd netfs mysqld dansguardian havp freshclam
1221	richard	1483	do
		1484	/sbin/chkconfig --add $i
		1485	done
		1486	# processes launched at boot time (Systemctl)
		1487	for i in alcasar-load_balancing.service nfsen.service
953	franck	1488
1221	richard	1489	do
		1490	systemctl enable $i
		1491	done
		1492	# Apply French Security Agency (ANSSI) rules
568	richard	1493	# ignorer les broadcast ICMP. (attaque smurf)
1221	richard	1494	sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
568	richard	1495	# ignorer les erreurs ICMP bogus
1221	richard	1496	sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1
595	richard	1497	# désactiver l'envoi et la réponse aux ICMP redirects
1221	richard	1498	sysctl -w net.ipv4.conf.all.accept_redirects=0
		1499	accept_redirect=`grep accept_redirect /etc/sysctl.conf\|wc -l`
568	richard	1500	if [ "$accept_redirect" == "0" ]
		1501	then
679	richard	1502	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.conf
		1503	else
		1504	$SED "s?accept_redirects.*?accept_redirects = 0?g" /etc/sysctl.conf
568	richard	1505	fi
1221	richard	1506	sysctl -w net.ipv4.conf.all.send_redirects=0
		1507	send_redirect=`grep send_redirect /etc/sysctl.conf\|wc -l`
568	richard	1508	if [ "$send_redirect" == "0" ]
		1509	then
679	richard	1510	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.conf
		1511	else
		1512	$SED "s?send_redirects.*?send_redirects = 0?g" /etc/sysctl.conf
568	richard	1513	fi
		1514	# activer les SYN Cookies (attaque syn flood)
1221	richard	1515	sysctl -w net.ipv4.tcp_syncookies=1
		1516	tcp_syncookies=`grep tcp_syncookies /etc/sysctl.conf\|wc -l`
568	richard	1517	if [ "$tcp_syncookies" == "0" ]
		1518	then
679	richard	1519	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
		1520	else
		1521	$SED "s?tcp_syncookies.*?tcp_syncookies = 1?g" /etc/sysctl.conf
568	richard	1522	fi
595	richard	1523	# activer l'antispoofing niveau Noyau
1221	richard	1524	sysctl -w net.ipv4.conf.all.rp_filter=1
568	richard	1525	# ignorer le source routing
1221	richard	1526	sysctl -w net.ipv4.conf.all.accept_source_route=0
		1527	accept_source_route=`grep accept_source_route /etc/sysctl.conf\|wc -l`
568	richard	1528	if [ "$accept_source_route" == "0" ]
		1529	then
679	richard	1530	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.conf
		1531	else
		1532	$SED "s?accept_source_route.*?accept_source_route = 0?g" /etc/sysctl.conf
568	richard	1533	fi
679	richard	1534	# réglage du timer de maintien de suivi de session à 1h (3600s) au lieu de 5 semaines
1221	richard	1535	sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
		1536	timeout_established=`grep timeout_established /etc/sysctl.conf\|wc -l`
679	richard	1537	if [ "$timeout_established" == "0" ]
		1538	then
		1539	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.conf
		1540	else
793	richard	1541	$SED "s?timeout_established.*?timeout_established = 3600?g" /etc/sysctl.conf
679	richard	1542	fi
1157	stephane	1543	# disable log_martians (ALCASAR is often installed between two private network addresses)
1221	richard	1544	sysctl -w net.ipv4.conf.all.log_martians=0
306	richard	1545	# On supprime la gestion du <CTRL>+<ALT>+<SUPPR> et des Magic SysReq Keys
1005	richard	1546	# ??? $SED "s?^ALLOW_REBOOT=.*?ALLOW_REBOOT=no?g" /etc/security/msec/level.fileserver
1003	richard	1547	# switch to multi-users runlevel (instead of x11)
1221	richard	1548	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1005	richard	1549	# GRUB modifications
		1550	# limit wait time to 3s
		1551	# create an alcasar entry instead of linux-nonfb
		1552	# change display to 1024*768 (vga791)
1221	richard	1553	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
		1554	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
		1555	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
		1556	$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
		1557	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
		1558	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1003	richard	1559	# Remove unused services and users
1221	richard	1560	for old_svc in alsa sound dm
		1561	do
		1562	/sbin/chkconfig --del $old_svc
		1563	done
		1564	for svc in snmpd.service sshd.service
		1565	do
		1566	/bin/systemctl disable $svc
		1567	done
		1568	for rm_users in avahi-autoipd avahi icapd
		1569	do
		1570	user=`cat /etc/passwd\|grep $rm_users\|cut -d":" -f1`
		1571	if [ "$user" == "$rm_users" ]
		1572	then
		1573	/usr/sbin/userdel -f $rm_users
		1574	fi
		1575	done
		1576	# Load and apply the previous conf file
		1577	if [ "$mode" = "update" ]
532	richard	1578	then
1266	richard	1579	$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs
1221	richard	1580	$DIR_DEST_BIN/alcasar-conf.sh --load
		1581	PARENT_SCRIPT=`basename $0`
		1582	export PARENT_SCRIPT # to avoid stop&start process during the installation process
		1583	$DIR_DEST_BIN/alcasar-conf.sh --apply
		1584	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		1585	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
1269	richard	1586	if [ $MAJ_PREVIOUS_VERSION -lt 2 ] \|\| ([ $MAJ_PREVIOUS_VERSION -eq 2 ] && [ $MIN_PREVIOUS_VERSION -lt 8 ])
		1587	# update needed for versions previous then 2.8 due to the integration of the domainname ("localdomain" by default)
		1588	then
		1589	header_install
		1590	if [ $Lang == "fr" ]
		1591	then
		1592	echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
		1593	echo
		1594	echo -n "Nom : "
		1595	else
		1596	echo "This update need to redefine the first admin account"
		1597	echo
		1598	echo -n "Account : "
		1599	fi
		1600	read admin_portal
		1601	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		1602	mkdir -p $DIR_DEST_ETC/digest
		1603	chmod 755 $DIR_DEST_ETC/digest
		1604	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		1605	do
		1606	/usr/sbin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
		1607	done
		1608	$DIR_DEST_SBIN/alcasar-profil.sh --list
		1609	fi
532	richard	1610	fi
1221	richard	1611	rm -f /tmp/alcasar-conf*
		1612	chown -R root:apache $DIR_DEST_ETC/*
		1613	chmod -R 660 $DIR_DEST_ETC/*
		1614	chmod ug+x $DIR_DEST_ETC/digest
1045	franck	1615	# Apply and save the firewall rules
		1616	sh $DIR_DEST_BIN/alcasar-iptables.sh
		1617	sleep 2
1	root	1618	cd $DIR_INSTALL
5	franck	1619	echo ""
1	root	1620	echo "#############################################################################"
638	richard	1621	if [ $Lang == "fr" ]
		1622	then
		1623	echo "# Fin d'installation d'ALCASAR #"
		1624	echo "# #"
		1625	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1626	echo "# des Accès au Réseau ( ALCASAR ) #"
		1627	echo "# #"
		1628	echo "#############################################################################"
		1629	echo
		1630	echo "- ALCASAR sera fonctionnel après redémarrage du système"
		1631	echo
		1632	echo "- Lisez attentivement la documentation d'exploitation"
		1633	echo
		1634	echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		1635	echo
		1636	echo " Appuyez sur 'Entrée' pour continuer"
		1637	else
		1638	echo "# Enf of ALCASAR install process #"
		1639	echo "# #"
		1640	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1641	echo "# des Accès au Réseau ( ALCASAR ) #"
		1642	echo "# #"
		1643	echo "#############################################################################"
		1644	echo
		1645	echo "- The system will be rebooted in order to operate ALCASAR"
		1646	echo
		1647	echo "- Read the exploitation documentation"
		1648	echo
		1649	echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		1650	echo
		1651	echo " Hit 'Enter' to continue"
		1652	fi
815	richard	1653	sleep 2
		1654	if [ "$mode" != "update" ]
820	richard	1655	then
815	richard	1656	read a
		1657	fi
774	richard	1658	clear
1	root	1659	reboot
		1660	} # End post_install ()
		1661
1349	richard	1662
		1663	##################################################################
		1664	## Fonction "gammu_smsd" ##
		1665	## - Creation de la base de donnée Gammu ##
		1666	## - Creation du fichier de config: gammu_smsd_conf ##
		1667	## ##
		1668	##################################################################
		1669	gammu_smsd()
		1670	{
		1671	# Create 'gammu' databse
		1672	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
		1673	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
		1674	# Add a gammu database structure
		1675	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/gammu-smsd-db-vierge.sql
		1676
		1677
		1678	# Creation du fichier de config gammu_smsd_conf
		1679	cat << EOF > /etc/gammu_smsd_conf
		1680	[gammu]
		1681	port = /dev/ttyUSB0
		1682	connection = at115200
		1683
		1684	;########################################################
		1685
		1686	[smsd]
		1687
		1688	PIN = 1234
		1689
		1690	logfile = /var/log/gammu-smsd/gammu-smsd.log
		1691	logformat = textall
		1692	debuglevel = 0
		1693
		1694	service = sql
		1695	driver = native_mysql
		1696	user = $DB_USER
		1697	password = $radiuspwd
		1698	pc = localhost
		1699	database = $DB_GAMMU
		1700
		1701	RunOnReceive = /usr/local/bin/alcasar-sms.sh --new_sms
		1702
		1703	StatusFrequency = 30
		1704	LoopSleep = 2
		1705
		1706	;ResetFrequency = 300
		1707	;HardResetFrequency = 120
		1708
		1709	CheckSecurity = 1
		1710	CheckSignal = 1
		1711	CheckBattery = 0
		1712	EOF
		1713
		1714	chmod 755 /etc/gammu_smsd_conf
		1715
		1716	#Creation dossier de log Gammu-smsd
		1717	mkdir /var/log/gammu-smsd
		1718	chmod 755 /var/log/gammu-smsd
		1719
		1720	#Edition du script sql gammu <-> radius
		1721	$SED "10c u_db=\"$DB_USER\"" $DIR_DEST_BIN/alcasar-sms.sh
		1722	$SED "11c p_db=\"$radiuspwd\"" $DIR_DEST_BIN/alcasar-sms.sh
		1723
		1724	} # END gammu_smsd()
		1725
		1726
		1727
		1728
1	root	1729	#################################
1005	richard	1730	# Main Install loop #
1	root	1731	#################################
832	richard	1732	dir_exec=`dirname "$0"`
		1733	if [ $dir_exec != "." ]
		1734	then
		1735	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
		1736	echo "Launch this program from the ALCASAR archive directory"
		1737	exit 0
		1738	fi
		1739	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	1740	usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"
1	root	1741	nb_args=$#
		1742	args=$1
		1743	if [ $nb_args -eq 0 ]
		1744	then
		1745	nb_args=1
		1746	args="-h"
		1747	fi
1062	richard	1748	chmod -R u+x $DIR_SCRIPTS/*
1	root	1749	case $args in
		1750	-\? \| -h* \| --h*)
		1751	echo "$usage"
		1752	exit 0
		1753	;;
291	franck	1754	-i \| --install)
959	franck	1755	license
5	franck	1756	header_install
29	richard	1757	testing
1336	richard	1758	# Test if ALCASAR is already installed
1249	richard	1759	if [ -e $CONF_FILE ]
1	root	1760	then
1249	richard	1761	current_version=`cat $CONF_FILE \| grep VERSION \| cut -d"=" -f2`
595	richard	1762	if [ $Lang == "fr" ]
1249	richard	1763	then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
		1764	else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
595	richard	1765	fi
5	franck	1766	response=0
460	richard	1767	PTN='^[oOnNyY]$'
580	richard	1768	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	1769	do
595	richard	1770	if [ $Lang == "fr" ]
		1771	then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
		1772	else echo -n "Do you want to update (Y/n)?";
		1773	fi
5	franck	1774	read response
		1775	done
597	richard	1776	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
5	franck	1777	then
597	richard	1778	rm -f /tmp/alcasar-conf*
		1779	else
636	richard	1780	# Create a backup of running version importants files
389	franck	1781	$DIR_SCRIPTS/alcasar-conf.sh --create
532	richard	1782	mode="update"
5	franck	1783	fi
1	root	1784	fi
595	richard	1785	# RPMs install
		1786	$DIR_SCRIPTS/alcasar-urpmi.sh
		1787	if [ "$?" != "0" ]
1	root	1788	then
595	richard	1789	exit 0
		1790	fi
1249	richard	1791	if [ -e $CONF_FILE ]
595	richard	1792	then
597	richard	1793	# Uninstall the running version
532	richard	1794	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
595	richard	1795	fi
636	richard	1796	# Test if manual update
1057	richard	1797	if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" != "update" ]
595	richard	1798	then
636	richard	1799	header_install
595	richard	1800	if [ $Lang == "fr" ]
636	richard	1801	then echo "Le fichier de configuration d'une ancienne version a été trouvé";
		1802	else echo "The configuration file of an old version has been found";
595	richard	1803	fi
597	richard	1804	response=0
		1805	PTN='^[oOnNyY]$'
		1806	until [[ $(expr $response : $PTN) -gt 0 ]]
		1807	do
		1808	if [ $Lang == "fr" ]
		1809	then echo -n "Voulez-vous l'utiliser (O/n)? ";
		1810	else echo -n "Do you want to use it (Y/n)?";
		1811	fi
		1812	read response
		1813	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		1814	then rm -f /tmp/alcasar-conf*
		1815	fi
		1816	done
		1817	fi
636	richard	1818	# Test if update
1057	richard	1819	if [ -e /tmp/alcasar-conf* ]
597	richard	1820	then
		1821	if [ $Lang == "fr" ]
		1822	then echo "#### Installation avec mise à jour ####";
		1823	else echo "#### Installation with update ####";
		1824	fi
636	richard	1825	# Extract the central configuration file
1057	richard	1826	tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
637	richard	1827	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	1828	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		1829	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		1830	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		1831	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	1832	mode="update"
		1833	else
		1834	mode="install"
1	root	1835	fi
1342	richard	1836	for func in init network ACC CA init_db param_radius param_web_radius param_chilli param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron fail2ban post_install
5	franck	1837	do
		1838	$func
1221	richard	1839	# echo "* 'debug' : end of function $func *"; read a
14	richard	1840	done
5	franck	1841	;;
291	franck	1842	-u \| --uninstall)
5	franck	1843	if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1	root	1844	then
597	richard	1845	if [ $Lang == "fr" ]
		1846	then echo "ALCASAR n'est pas installé!";
		1847	else echo "ALCASAR isn't installed!";
		1848	fi
1	root	1849	exit 0
		1850	fi
5	franck	1851	response=0
		1852	PTN='^[oOnN]$'
580	richard	1853	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	1854	do
597	richard	1855	if [ $Lang == "fr" ]
		1856	then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
854	richard	1857	else echo -n "Do you want to create the running version configuration file (Y/n)? ";
597	richard	1858	fi
5	franck	1859	read response
		1860	done
1103	richard	1861	if [ "$response" = "o" ] \|\| [ "$response" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]
1	root	1862	then
1103	richard	1863	$DIR_SCRIPTS/alcasar-conf.sh --create
498	richard	1864	else
		1865	rm -f /tmp/alcasar-conf*
1	root	1866	fi
597	richard	1867	# Uninstall the running version
65	richard	1868	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1	root	1869	;;
		1870	*)
		1871	echo "Argument inconnu :$1";
460	richard	1872	echo "Unknown argument :$1";
1	root	1873	echo "$usage"
		1874	exit 1
		1875	;;
		1876	esac
10	franck	1877	# end of script
366	franck	1878

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1349