WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
1361	richard	1
672	richard	2	#!/bin/bash
57	franck	3	# $Id: alcasar.sh 1362 2014-05-26 17:12:54Z richard $
1	root	4
		5	# alcasar.sh
959	franck	6
1157	stephane	7	# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
		8	# Ce programme est un logiciel libre ; This software is free and open source
959	franck	9	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		10	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		11	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		12	# Voir la Licence Publique Générale GNU pour plus de détails.
		13
967	franck	14	# team@alcasar.net
959	franck	15
1	root	16	# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
		17	# This script is distributed under the Gnu General Public License (GPL)
		18
672	richard	19	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	20	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	21	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
1007	richard	22	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
672	richard	23	#
1342	richard	24	# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav, Ulog, fail2ban, NFsen and NFdump
1	root	25
		26	# Options :
376	franck	27	# -i or --install
		28	# -u or --uninstall
1	root	29
376	franck	30	# Functions :
1221	richard	31	# testing : connectivity tests and downloading before intall
		32	# init : Installation of RPM and scripts
		33	# network : Network parameters
		34	# ACC : ALCASAR Control Center installation
		35	# CA : Certification Authority initialization
		36	# init_db : Initilization of radius database managed with MariaDB
		37	# param_radius : FreeRadius initialisation
		38	# param_web_radius : copy ans modifiy original "freeradius web" in ACC
		39	# param_chilli : coovachilli initialisation (+authentication page)
		40	# param_dansguardian : DansGuardian filtering HTTP proxy configuration
		41	# antivirus : HAVP + libclamav configuration
		42	# param_nfsen : Configuration du grapheur nfsen pour apache
1253	richard	43	# dnsmasq : Name server configuration
		44	# BL : BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
1266	richard	45	# cron : Logs export + watchdog + connexion statistics
1253	richard	46	# fail2ban : Fail2ban installation and configuration
1266	richard	47	# post_install : Security, log rotation, etc.
1349	richard	48	# gammu_smsd : Autoregister addon (gammu-smsd)
1	root	49
		50	DATE=`date '+%d %B %Y - %Hh%M'`
		51	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	52	Lang=`echo $LANG\|cut -c 1-2`
1362	richard	53	mode="install"
1	root	54	# ***** Files parameters - paramètres fichiers *******
1015	richard	55	DIR_INSTALL=`pwd` # current directory
		56	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		57	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
		58	DIR_SAVE="/var/Save" # backup directory (system_backup, user_db_backup, logs)
		59	DIR_WEB="/var/www/html" # directory of APACHE
		60	DIR_DG="/etc/dansguardian" # directory of DansGuardian
		61	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
		62	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		63	DIR_DEST_SBIN="/usr/local/sbin" # directory of ALCASAR admin scripts
		64	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
		65	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
		66	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
		67	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	68	# ***** DBMS parameters - paramètres SGBD ******
1243	richard	69	DB_RADIUS="radius" # database name used by FreeRadius server
		70	DB_USER="radius" # user name allows to request the users database
1349	richard	71	DB_GAMMU="gammu" # database name used by Gammu-smsd
1	root	72	# ***** Network parameters - paramètres réseau *****
1211	crox53	73	HOSTNAME="alcasar" #
1243	richard	74	DOMAIN="localdomain" # default local domain
1336	richard	75	EXTIF=`/sbin/ip route\|grep default\|cut -d" " -f5` # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
		76	INTIF=`/sbin/ip link\|grep '^[[:digit:]]:'\|grep -v "lo\\|$EXTIF"\|cut -d" " -f2\|tr -d ":"` # INTIF is connected to the consultation network
1148	crox53	77	MTU="1500"
1157	stephane	78	ETHTOOL_OPTS='"autoneg off speed 100 duplex full"'
1243	richard	79	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
1	root	80	# **** Paths - chemin des commandes *****
		81	SED="/bin/sed -i"
		82	# **************** End of global parameters *******************
		83
959	franck	84	license ()
		85	{
		86	if [ $Lang == "fr" ]
967	franck	87	then cat $DIR_INSTALL/gpl-3.0.fr.txt \| more
		88	else cat $DIR_INSTALL/gpl-3.0.txt \| more
959	franck	89	fi
975	franck	90	echo "Taper sur Entrée pour continuer !"
		91	echo "Enter to continue."
959	franck	92	read a
		93	}
		94
1	root	95	header_install ()
		96	{
		97	clear
		98	echo "-----------------------------------------------------------------------------"
460	richard	99	echo " ALCASAR V$VERSION Installation"
1	root	100	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		101	echo "-----------------------------------------------------------------------------"
		102	} # End of header_install ()
		103
1174	crox53	104
1	root	105	##################################################################
1221	richard	106	## Function "testing" ##
1342	richard	107	## - Test of free space on /var (>10G) ##
1005	richard	108	## - Test of Internet access ##
29	richard	109	##################################################################
		110	testing ()
		111	{
1362	richard	112	# Test if ALCASAR is already installed
		113	if [ -e $CONF_FILE ]
		114	then
		115	current_version=`cat $CONF_FILE \| grep VERSION \| cut -d"=" -f2`
1342	richard	116	if [ $Lang == "fr" ]
1362	richard	117	then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
		118	else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
1342	richard	119	fi
1362	richard	120	response=0
		121	PTN='^[oOnNyY]$'
		122	until [[ $(expr $response : $PTN) -gt 0 ]]
		123	do
		124	if [ $Lang == "fr" ]
		125	then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
		126	else echo -n "Do you want to update (Y/n)?";
		127	fi
		128	read response
		129	done
		130	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		131	then
		132	rm -f /tmp/alcasar-conf*
		133	else
		134	# Create a backup of running version importants files
		135	$DIR_SCRIPTS/alcasar-conf.sh --create
		136	mode="update"
		137	fi
		138	else
		139	free_space=`df -BG --output=avail /var\|tail -1\|tr -d [:space:]G`
		140	if [ $free_space -lt 10 ]
		141	then
		142	if [ $Lang == "fr" ]
		143	then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
		144	else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
		145	fi
1342	richard	146	exit 0
1362	richard	147	fi
1342	richard	148	fi
		149	if [ $Lang == "fr" ]
784	richard	150	then echo -n "Tests des paramètres réseau : "
595	richard	151	else echo -n "Network parameters tests : "
		152	fi
1336	richard	153	# We test EXTIF config files
784	richard	154	PUBLIC_IP=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		155	PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
1362	richard	156	if [ "$EXTIF" == "" ] \|\| [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
784	richard	157	then
		158	if [ $Lang == "fr" ]
		159	then
		160	echo "Échec"
		161	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		162	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	163	echo "Appliquez les changements : 'systemctl restart network'"
784	richard	164	else
		165	echo "Failed"
		166	echo "The Internet connected network card ($EXTIF) isn't well configured."
		167	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	168	echo "Apply the new configuration 'systemctl restart network'"
784	richard	169	fi
830	richard	170	echo "DEVICE=$EXTIF"
784	richard	171	echo "IPADDR="
		172	echo "NETMASK="
		173	echo "GATEWAY="
		174	echo "DNS1="
		175	echo "DNS2="
830	richard	176	echo "ONBOOT=yes"
784	richard	177	exit 0
		178	fi
		179	echo -n "."
460	richard	180	# We test the Ethernet links state
29	richard	181	for i in $EXTIF $INTIF
		182	do
294	richard	183	/sbin/ip link set $i up
306	richard	184	sleep 3
1031	richard	185	CMD=`/usr/sbin/ethtool $i \|egrep 'Link detected'\| awk '{print $NF}'`
		186	CMD2=`/sbin/mii-tool $i \| grep link \| awk '{print $NF}'`
808	franck	187	if [ $CMD != "yes" ] && [ $CMD2 != "ok" ]
29	richard	188	then
595	richard	189	if [ $Lang == "fr" ]
		190	then
		191	echo "Échec"
		192	echo "Le lien réseau de la carte $i n'est pas actif."
		193	echo "Réglez ce problème puis relancez ce script."
		194	else
		195	echo "Failed"
		196	echo "The link state of $i interface id down."
		197	echo "Resolv this problem, then restart this script."
		198	fi
29	richard	199	exit 0
		200	fi
308	richard	201	echo -n "."
29	richard	202	done
		203	# On teste la présence d'un routeur par défaut (Box FAI)
784	richard	204	if [ `ip route list\|grep -c ^default` -ne "1" ] ; then
595	richard	205	if [ $Lang == "fr" ]
		206	then
		207	echo "Échec"
		208	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		209	echo "Réglez ce problème puis relancez ce script."
		210	else
		211	echo "Failed"
		212	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		213	echo "Resolv this problem, then restart this script."
		214	fi
29	richard	215	exit 0
		216	fi
308	richard	217	echo -n "."
978	franck	218	# On teste le lien vers le routeur par defaut
308	richard	219	IP_GW=`ip route list\|grep ^default\|cut -d" " -f3`
		220	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $IP_GW\|grep response\|cut -d" " -f2`
527	richard	221	if [ $(expr $arp_reply) -eq 0 ]
308	richard	222	then
595	richard	223	if [ $Lang == "fr" ]
		224	then
		225	echo "Échec"
		226	echo "Le routeur de site ou la Box Internet ($IP_GW) ne répond pas."
		227	echo "Réglez ce problème puis relancez ce script."
		228	else
		229	echo "Failed"
		230	echo "The Internet gateway doesn't answered"
		231	echo "Resolv this problem, then restart this script."
		232	fi
308	richard	233	exit 0
		234	fi
		235	echo -n "."
421	franck	236	# On teste la connectivité Internet
29	richard	237	rm -rf /tmp/con_ok.html
308	richard	238	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	239	if [ ! -e /tmp/con_ok.html ]
		240	then
595	richard	241	if [ $Lang == "fr" ]
		242	then
		243	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		244	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		245	echo "Vérifiez la validité des adresses IP des DNS."
		246	else
		247	echo "The Internet connection try failed (google.fr)."
		248	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		249	echo "Verify the DNS IP addresses"
		250	fi
29	richard	251	exit 0
		252	fi
		253	rm -rf /tmp/con_ok.html
308	richard	254	echo ". : ok"
302	richard	255	} # end of testing
		256
		257	##################################################################
1221	richard	258	## Function "init" ##
302	richard	259	## - Création du fichier "/root/ALCASAR_parametres.txt" ##
		260	## - Installation et modification des scripts du portail ##
		261	##################################################################
		262	init ()
		263	{
527	richard	264	if [ "$mode" != "update" ]
302	richard	265	then
		266	# On affecte le nom d'organisme
597	richard	267	header_install
302	richard	268	ORGANISME=!
		269	PTN='^[a-zA-Z0-9-]*$'
580	richard	270	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
302	richard	271	do
595	richard	272	if [ $Lang == "fr" ]
597	richard	273	then echo -n "Entrez le nom de votre organisme : "
		274	else echo -n "Enter the name of your organism : "
595	richard	275	fi
330	franck	276	read ORGANISME
613	richard	277	if [ "$ORGANISME" == "" ]
330	franck	278	then
		279	ORGANISME=!
		280	fi
		281	done
302	richard	282	fi
1	root	283	# On crée aléatoirement les mots de passe et les secrets partagés
628	richard	284	rm -f $PASSWD_FILE
1350	richard	285	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
		286	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
628	richard	287	echo "$grubpwd" >> $PASSWD_FILE
1348	richard	288	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
384	richard	289	$SED "/^password.*/d" /boot/grub/menu.lst
		290	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
1350	richard	291	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	292	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
628	richard	293	echo "root / $mysqlpwd" >> $PASSWD_FILE
1350	richard	294	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	295	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
628	richard	296	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
1350	richard	297	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	298	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
		299	echo "$secretuam" >> $PASSWD_FILE
1350	richard	300	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	301	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
		302	echo "$secretradius" >> $PASSWD_FILE
		303	chmod 640 $PASSWD_FILE
977	richard	304	# Scripts and conf files copy
		305	# - in /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
5	franck	306	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
977	richard	307	# - in /usr/local/sbin : alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
5	franck	308	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
977	richard	309	# - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
648	richard	310	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
1	root	311	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
		312	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
5	franck	313	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
		314	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
628	richard	315	# generate central conf file
		316	cat <<EOF > $CONF_FILE
612	richard	317	##########################################
		318	## ##
		319	## ALCASAR Parameters ##
		320	## ##
		321	##########################################
1	root	322
612	richard	323	INSTALL_DATE=$DATE
		324	VERSION=$VERSION
		325	ORGANISM=$ORGANISME
923	franck	326	DOMAIN=$DOMAIN
612	richard	327	EOF
628	richard	328	chmod o-rwx $CONF_FILE
1	root	329	} # End of init ()
		330
		331	##################################################################
1221	richard	332	## Function "network" ##
1	root	333	## - Définition du plan d'adressage du réseau de consultation ##
595	richard	334	## - Nommage DNS du système ##
1336	richard	335	## - Configuration de l'interface INTIF (réseau de consultation)##
1	root	336	## - Modification du fichier /etc/hosts ##
		337	## - Configuration du serveur de temps (NTP) ##
		338	## - Renseignement des fichiers hosts.allow et hosts.deny ##
		339	##################################################################
		340	network ()
		341	{
		342	header_install
636	richard	343	if [ "$mode" != "update" ]
		344	then
		345	if [ $Lang == "fr" ]
		346	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		347	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		348	fi
		349	response=0
		350	PTN='^[oOyYnN]$'
		351	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	352	do
595	richard	353	if [ $Lang == "fr" ]
659	richard	354	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	355	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	356	fi
1	root	357	read response
		358	done
636	richard	359	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		360	then
		361	PRIVATE_IP_MASK="0"
		362	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		363	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	364	do
595	richard	365	if [ $Lang == "fr" ]
597	richard	366	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		367	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	368	fi
597	richard	369	read PRIVATE_IP_MASK
1	root	370	done
636	richard	371	else
		372	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		373	fi
595	richard	374	else
637	richard	375	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		376	rm -rf conf/etc/alcasar.conf
1	root	377	fi
861	richard	378	# Define LAN side global parameters
1243	richard	379	hostname $HOSTNAME.$DOMAIN
		380	echo $HOSTNAME.$DOMAIN > /etc/hostname
977	richard	381	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
		382	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
		383	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
		384	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
		385	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
		386	classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; classe_sup_sup=`expr $classe + 2` # ie.: 2=classe B, 3=classe C
		387	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		388	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
		389	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f$classe_sup` # last octet of LAN address
		390	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f$classe_sup` # last octet of LAN broadcast
837	richard	391	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
977	richard	392	PRIVATE_SECOND_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 2` # second network address (ex.: 192.168.182.2)
837	richard	393	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
1336	richard	394	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6` # MAC address of INTIF
841	richard	395	# Define Internet parameters
14	richard	396	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		397	DNS1=`grep DNS1 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 1er DNS
		398	DNS2=`grep DNS2 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 2ème DNS
70	franck	399	DNS1=${DNS1:=208.67.220.220}
		400	DNS2=${DNS2:=208.67.222.222}
597	richard	401	PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2`
1052	richard	402	DEFAULT_PUBLIC_NETMASK=`ipcalc -m $PUBLIC_IP \| cut -d"=" -f2`
784	richard	403	PUBLIC_NETMASK=${PUBLIC_NETMASK:=$DEFAULT_PUBLIC_NETMASK}
1052	richard	404	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	405	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
765	stephane	406	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
994	franck	407	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	408	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
		409	echo "DNS1=$DNS1" >> $CONF_FILE
		410	echo "DNS2=$DNS2" >> $CONF_FILE
		411	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
941	richard	412	echo "DHCP=full" >> $CONF_FILE
914	franck	413	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		414	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		415	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
597	richard	416	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
841	richard	417	# config network
1	root	418	cat <<EOF > /etc/sysconfig/network
		419	NETWORKING=yes
1243	richard	420	HOSTNAME="$HOSTNAME.$DOMAIN"
1	root	421	FORWARD_IPV4=true
		422	EOF
841	richard	423	# config /etc/hosts
1	root	424	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		425	cat <<EOF > /etc/hosts
503	richard	426	127.0.0.1 localhost
1353	richard	427	$PRIVATE_IP $HOSTNAME.$DOMAIN $HOSTNAME $ORGANISME.$DOMAIN $ORGANISME
1	root	428	EOF
1336	richard	429	# Config EXTIF (Internet)
14	richard	430	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		431	DEVICE=$EXTIF
		432	BOOTPROTO=static
597	richard	433	IPADDR=$PUBLIC_IP
		434	NETMASK=$PUBLIC_NETMASK
		435	GATEWAY=$PUBLIC_GATEWAY
14	richard	436	DNS1=127.0.0.1
		437	ONBOOT=yes
		438	METRIC=10
		439	NOZEROCONF=yes
		440	MII_NOT_SUPPORTED=yes
		441	IPV6INIT=no
		442	IPV6TO4INIT=no
		443	ACCOUNTING=no
		444	USERCTL=no
994	franck	445	MTU=$MTU
14	richard	446	EOF
1336	richard	447	# Config INTIF (consultation LAN) in normal mode
841	richard	448	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		449	DEVICE=$INTIF
		450	BOOTPROTO=static
		451	ONBOOT=yes
		452	NOZEROCONF=yes
		453	MII_NOT_SUPPORTED=yes
		454	IPV6INIT=no
		455	IPV6TO4INIT=no
		456	ACCOUNTING=no
		457	USERCTL=no
1157	stephane	458	ETHTOOL_OPTS=$ETHTOOL_OPTS
841	richard	459	EOF
1336	richard	460	# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
793	richard	461	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
1	root	462	DEVICE=$INTIF
		463	BOOTPROTO=static
		464	IPADDR=$PRIVATE_IP
604	richard	465	NETMASK=$PRIVATE_NETMASK
1	root	466	ONBOOT=yes
		467	METRIC=10
		468	NOZEROCONF=yes
		469	MII_NOT_SUPPORTED=yes
14	richard	470	IPV6INIT=no
		471	IPV6TO4INIT=no
		472	ACCOUNTING=no
		473	USERCTL=no
1	root	474	EOF
440	franck	475	# Mise à l'heure du serveur
		476	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		477	cat <<EOF > /etc/ntp/step-tickers
455	franck	478	0.fr.pool.ntp.org # adapt to your country
		479	1.fr.pool.ntp.org
		480	2.fr.pool.ntp.org
440	franck	481	EOF
		482	# Configuration du serveur de temps (sur lui même)
1	root	483	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		484	cat <<EOF > /etc/ntp.conf
456	franck	485	server 0.fr.pool.ntp.org # adapt to your country
447	franck	486	server 1.fr.pool.ntp.org
		487	server 2.fr.pool.ntp.org
		488	server 127.127.1.0 # local clock si NTP internet indisponible ...
411	richard	489	fudge 127.127.1.0 stratum 10
604	richard	490	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
1	root	491	restrict 127.0.0.1
310	richard	492	driftfile /var/lib/ntp/drift
1	root	493	logfile /var/log/ntp.log
		494	EOF
440	franck	495
310	richard	496	chown -R ntp:ntp /var/lib/ntp
1	root	497	# Renseignement des fichiers hosts.allow et hosts.deny
		498	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		499	cat <<EOF > /etc/hosts.allow
		500	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	501	sshd: ALL
1	root	502	ntpd: $PRIVATE_NETWORK_SHORT
		503	EOF
		504	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		505	cat <<EOF > /etc/hosts.deny
		506	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		507	EOF
604	richard	508	# Firewall config
790	richard	509	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		510	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		511	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	512	# create the filter exception file and ip_bloqued file
790	richard	513	touch $DIR_DEST_ETC/alcasar-filter-exceptions
860	richard	514	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
1069	richard	515	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	516	# load conntrack ftp module
		517	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
		518	echo "ip_conntrack_ftp" >> /etc/modprobe.preload
1159	crox53	519	# load ipt_NETFLOW module
		520	echo "ipt_NETFLOW" >> /etc/modprobe.preload
1157	stephane	521	#
860	richard	522	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	523	} # End of network ()
		524
		525	##################################################################
1221	richard	526	## Function "ACC" ##
		527	## - installation du centre de gestion (ALCASAR Control Center) ##
1	root	528	## - configuration du serveur web (Apache) ##
		529	## - définition du 1er comptes de gestion ##
		530	## - sécurisation des accès ##
		531	##################################################################
1221	richard	532	ACC ()
1	root	533	{
		534	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		535	mkdir $DIR_WEB
		536	# Copie et configuration des fichiers du centre de gestion
316	richard	537	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972	richard	538	echo "$VERSION" > $DIR_WEB/VERSION
316	richard	539	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		540	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		541	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		542	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		543	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	544	chown -R apache:apache $DIR_WEB/*
1342	richard	545	for i in system_backup base logs/firewall logs/httpd logs/security;
1	root	546	do
		547	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		548	done
5	franck	549	chown -R root:apache $DIR_SAVE
71	richard	550	# Configuration et sécurisation php
		551	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	552	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		553	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	554	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		555	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71	richard	556	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		557	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
		558	# Configuration et sécurisation Apache
790	richard	559	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1	root	560	[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
1243	richard	561	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
303	richard	562	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1	root	563	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
		564	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
		565	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
790	richard	566	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
		567	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
		568	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
		569	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
		570	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
		571	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
990	franck	572	$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf
1359	richard	573	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] \|\| cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
		574	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
		575	[ -e /usr/share/httpd/error/include/top.html.default ] \|\| cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
		576	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
		577	[ -e /usr/share/httpd/error/include/bottom.html.default ] \|\| cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
		578	cat <<EOF > /usr/share/httpd/error/include/bottom.html
1	root	579	</body>
		580	</html>
		581	EOF
		582	# Définition du premier compte lié au profil 'admin'
509	richard	583	header_install
510	richard	584	if [ "$mode" = "install" ]
		585	then
613	richard	586	admin_portal=!
		587	PTN='^[a-zA-Z0-9-]*$'
		588	until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
		589	do
		590	header_install
		591	if [ $Lang == "fr" ]
		592	then
		593	echo ""
		594	echo "Définissez un premier compte d'administration du portail :"
		595	echo
		596	echo -n "Nom : "
		597	else
		598	echo ""
		599	echo "Define the first account allow to administrate the portal :"
		600	echo
		601	echo -n "Account : "
		602	fi
		603	read admin_portal
		604	if [ "$admin_portal" == "" ]
		605	then
		606	admin_portal=!
		607	fi
		608	done
1268	richard	609	# Creation of keys file for the admin account ("admin")
510	richard	610	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		611	mkdir -p $DIR_DEST_ETC/digest
		612	chmod 755 $DIR_DEST_ETC/digest
		613	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		614	do
1350	richard	615	/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
510	richard	616	done
		617	$DIR_DEST_SBIN/alcasar-profil.sh --list
		618	fi
434	richard	619	# synchronisation horaire
		620	ntpd -q -g &
1	root	621	# Sécurisation du centre
988	franck	622	rm -f /etc/httpd/conf/webapps.d/alcasar*
1	root	623	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	624	<Directory $DIR_ACC>
1	root	625	SSLRequireSSL
		626	AllowOverride None
		627	Order deny,allow
		628	Deny from all
		629	Allow from 127.0.0.1
		630	Allow from $PRIVATE_NETWORK_MASK
990	franck	631	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	632	require valid-user
		633	AuthType digest
1243	richard	634	AuthName $HOSTNAME.$DOMAIN
1	root	635	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	636	AuthUserFile $DIR_DEST_ETC/digest/key_all
1243	richard	637	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	638	</Directory>
316	richard	639	<Directory $DIR_ACC/admin>
1	root	640	SSLRequireSSL
		641	AllowOverride None
		642	Order deny,allow
		643	Deny from all
		644	Allow from 127.0.0.1
		645	Allow from $PRIVATE_NETWORK_MASK
990	franck	646	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	647	require valid-user
		648	AuthType digest
1243	richard	649	AuthName $HOSTNAME.$DOMAIN
1	root	650	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	651	AuthUserFile $DIR_DEST_ETC/digest/key_admin
1243	richard	652	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	653	</Directory>
344	richard	654	<Directory $DIR_ACC/manager>
1	root	655	SSLRequireSSL
		656	AllowOverride None
		657	Order deny,allow
		658	Deny from all
		659	Allow from 127.0.0.1
		660	Allow from $PRIVATE_NETWORK_MASK
990	franck	661	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	662	require valid-user
		663	AuthType digest
1243	richard	664	AuthName $HOSTNAME.$DOMAIN
1	root	665	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	666	AuthUserFile $DIR_DEST_ETC/digest/key_manager
1243	richard	667	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	668	</Directory>
316	richard	669	<Directory $DIR_ACC/backup>
		670	SSLRequireSSL
		671	AllowOverride None
		672	Order deny,allow
		673	Deny from all
		674	Allow from 127.0.0.1
		675	Allow from $PRIVATE_NETWORK_MASK
990	franck	676	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
316	richard	677	require valid-user
		678	AuthType digest
1243	richard	679	AuthName $HOSTNAME.$DOMAIN
316	richard	680	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	681	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	682	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
316	richard	683	</Directory>
811	richard	684	Alias /save/ "$DIR_SAVE/"
		685	<Directory $DIR_SAVE>
		686	SSLRequireSSL
		687	Options Indexes
		688	Order deny,allow
		689	Deny from all
		690	Allow from 127.0.0.1
		691	Allow from $PRIVATE_NETWORK_MASK
990	franck	692	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
811	richard	693	require valid-user
		694	AuthType digest
1243	richard	695	AuthName $HOSTNAME.$DOMAIN
811	richard	696	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	697	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
811	richard	698	</Directory>
1	root	699	EOF
1221	richard	700	} # End of ACC()
1	root	701
		702	##########################################################################################
1221	richard	703	## Fonction "CA" ##
1	root	704	## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
		705	##########################################################################################
1221	richard	706	CA ()
1	root	707	{
		708	$SED "s?ifcfg-eth.?ifcfg-$INTIF?g" $DIR_DEST_BIN/alcasar-CA.sh
510	richard	709	$DIR_DEST_BIN/alcasar-CA.sh
800	richard	710	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	711	[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
		712	$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
		713	$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
679	richard	714	$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
5	franck	715	chown -R root:apache /etc/pki
1	root	716	chmod -R 750 /etc/pki
1221	richard	717	} # End CA ()
1	root	718
		719	##########################################################################################
1221	richard	720	## Fonction "init_db" ##
1	root	721	## - Initialisation de la base Mysql ##
		722	## - Affectation du mot de passe de l'administrateur (root) ##
		723	## - Suppression des bases et des utilisateurs superflus ##
		724	## - Création de la base 'radius' ##
		725	## - Installation du schéma de cette base ##
		726	## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##
		727	## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##
		728	##########################################################################################
		729	init_db ()
		730	{
1355	richard	731	rm -rf /var/lib/mysql # to be sure that there is no former installation
1	root	732	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
		733	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
1355	richard	734	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
1353	richard	735	systemctl start mysqld.service
1	root	736	sleep 4
		737	mysqladmin -u root password $mysqlpwd
		738	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1355	richard	739	# Secure the server
		740	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
		741	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
615	richard	742	# Create 'radius' database
1317	richard	743	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
615	richard	744	# Add an empty radius database structure
364	franck	745	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
615	richard	746	# modify the start script in order to close accounting connexion when the system is comming down or up
1357	richard	747	[ -e /lib/systemd/system/mysqld.service.default ] \|\| cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
		748	$SED "/ExecStartPost=/a ExecStartPost=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
1355	richard	749	$SED "/ExecStartPost=/a ExecStop=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
		750	systemctl daemon-reload
1	root	751	} # End init_db ()
		752
		753	##########################################################################
1221	richard	754	## Fonction "param_radius" ##
1	root	755	## - Paramètrage des fichiers de configuration FreeRadius ##
		756	## - Affectation du secret partagé entre coova-chilli et freeradius ##
		757	## - Modification de fichier de conf pour l'accès à Mysql ##
		758	##########################################################################
		759	param_radius ()
		760	{
		761	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
		762	chown -R radius:radius /etc/raddb
		763	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1278	richard	764	# Set radius.conf parameters
1	root	765	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		766	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		767	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
1278	richard	768	# remove the proxy function
1	root	769	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf
		770	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
1278	richard	771	# remove EAP module
654	richard	772	$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1278	richard	773	# listen on loopback (should be modified later if EAP enabled)
1	root	774	$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
1278	richard	775	# enable the SQL module (and SQL counter)
1	root	776	$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
		777	$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
		778	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1278	richard	779	# remvove virtual server and copy our conf file
1	root	780	rm -f /etc/raddb/sites-enabled/*
1278	richard	781	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1	root	782	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
		783	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
		784	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
		785	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
384	richard	786	# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1	root	787	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1278	richard	788	# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1	root	789	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		790	cat << EOF > /etc/raddb/clients.conf
		791	client 127.0.0.1 {
		792	secret = $secretradius
		793	shortname = localhost
		794	}
		795	EOF
1278	richard	796	# sql.conf modification
1	root	797	[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
		798	$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
		799	$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
		800	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
		801	$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf
1278	richard	802	# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.)
1	root	803	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1278	richard	804	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
		805	# counter.conf modification (change the Max-All-Session-Time counter)
		806	[ -e /etc/raddb/sql/mysql/counter.conf.default ] \|\| cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
		807	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
		808	chown -R radius:radius /etc/raddb/sql/mysql/*
1358	richard	809	# make certain that mysql is up before radius start
		810	[ -e /lib/systemd/system/radiusd.service.default ] \|\| cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
		811	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
		812	systemctl daemon-reload
1	root	813	} # End param_radius ()
		814
		815	##########################################################################
1221	richard	816	## Function "param_web_radius" ##
1	root	817	## - Import, modification et paramètrage de l'interface "dialupadmin" ##
		818	## - Création du lien vers la page de changement de mot de passe ##
		819	##########################################################################
		820	param_web_radius ()
		821	{
		822	# copie de l'interface d'origine dans la structure Alcasar
316	richard	823	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
		824	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme
		825	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
344	richard	826	# copie des fichiers modifiés
		827	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
316	richard	828	chown -R apache:apache $DIR_ACC/manager/
344	richard	829	# Modification des fichiers de configuration
1	root	830	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
503	richard	831	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1	root	832	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		833	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		834	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
		835	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
		836	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
		837	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
		838	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
946	richard	839	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
344	richard	840	[ -e /etc/freeradius-web/config.php.default ] \|\| cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
1278	richard	841	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
131	richard	842	cat <<EOF > /etc/freeradius-web/naslist.conf
632	richard	843	nas1_name: alcasar-$ORGANISME
1	root	844	nas1_model: Portail captif
		845	nas1_ip: $PRIVATE_IP
		846	nas1_port_num: 0
		847	nas1_community: public
		848	EOF
		849	# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
		850	[ -e /etc/freeradius-web/user_edit.attrs.default ] \|\| mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
1278	richard	851	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
114	richard	852	# Ajout du mappage des attributs chillispot
		853	[ -e /etc/freeradius-web/sql.attrmap.default ] \|\| mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
1278	richard	854	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
1	root	855	# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
1278	richard	856	[ -e /etc/freeradius-web/sql.attrs.default ] \|\| cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
1	root	857	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
		858	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
5	franck	859	chown -R apache:apache /etc/freeradius-web
1	root	860	# Ajout de l'alias vers la page de "changement de mot de passe usager"
		861	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
344	richard	862	<Directory $DIR_WEB/pass>
1	root	863	SSLRequireSSL
		864	AllowOverride None
		865	Order deny,allow
		866	Deny from all
		867	Allow from 127.0.0.1
		868	Allow from $PRIVATE_NETWORK_MASK
1243	richard	869	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
1	root	870	</Directory>
		871	EOF
		872	} # End of param_web_radius ()
		873
799	richard	874	##################################################################################
1221	richard	875	## Fonction "param_chilli" ##
799	richard	876	## - Création du fichier d'initialisation et de configuration de coova-chilli ##
		877	## - Paramètrage de la page d'authentification (intercept.php) ##
		878	##################################################################################
1	root	879	param_chilli ()
		880	{
799	richard	881	# init file creation
461	richard	882	[ -e /etc/init.d/chilli.default ] \|\| cp /etc/init.d/chilli /etc/init.d/chilli.default
799	richard	883	cat <<EOF > /etc/init.d/chilli
		884	#!/bin/sh
		885	#
		886	# chilli CoovaChilli init
		887	#
		888	# chkconfig: 2345 65 35
		889	# description: CoovaChilli
		890	### BEGIN INIT INFO
		891	# Provides: chilli
		892	# Required-Start: network
		893	# Should-Start:
		894	# Required-Stop: network
		895	# Should-Stop:
		896	# Default-Start: 2 3 5
		897	# Default-Stop:
		898	# Description: CoovaChilli access controller
		899	### END INIT INFO
		900
		901	[ -f /usr/sbin/chilli ] \|\| exit 0
		902	. /etc/init.d/functions
		903	CONFIG=/etc/chilli.conf
		904	pidfile=/var/run/chilli.pid
		905	[ -f \$CONFIG ] \|\| {
		906	echo "\$CONFIG Not found"
		907	exit 0
		908	}
		909	RETVAL=0
		910	prog="chilli"
		911	case \$1 in
		912	start)
		913	if [ -f \$pidfile ] ; then
		914	gprintf "chilli is already running"
		915	else
		916	gprintf "Starting \$prog: "
		917	rm -f /var/run/chilli* # cleaning
		918	/sbin/modprobe tun >/dev/null 2>&1
		919	echo 1 > /proc/sys/net/ipv4/ip_forward
		920	[ -e /dev/net/tun ] \|\| {
		921	(cd /dev;
		922	mkdir net;
		923	cd net;
		924	mknod tun c 10 200)
		925	}
1336	richard	926	ifconfig $INTIF 0.0.0.0
799	richard	927	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		928	RETVAL=$?
		929	fi
		930	;;
		931
		932	reload)
		933	killall -HUP chilli
		934	;;
		935
		936	restart)
		937	\$0 stop
		938	sleep 2
		939	\$0 start
		940	;;
		941
		942	status)
		943	status chilli
		944	RETVAL=0
		945	;;
		946
		947	stop)
		948	if [ -f \$pidfile ] ; then
		949	gprintf "Shutting down \$prog: "
		950	killproc /usr/sbin/chilli
		951	RETVAL=\$?
		952	[ \$RETVAL = 0 ] && rm -f $pidfile
		953	else
		954	gprintf "chilli is not running"
		955	fi
		956	;;
		957
		958	*)
		959	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		960	exit 1
		961	esac
		962	echo
		963	EOF
		964
		965	# conf file creation
346	richard	966	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
		967	cat <<EOF > /etc/chilli.conf
		968	# coova config for ALCASAR
		969	cmdsocket /var/run/chilli.sock
1336	richard	970	unixipc chilli.$INTIF.ipc
		971	pidfile /var/run/chilli.$INTIF.pid
346	richard	972	net $PRIVATE_NETWORK_MASK
595	richard	973	dhcpif $INTIF
841	richard	974	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	975	#nodynip
865	richard	976	#statip
		977	dynip $PRIVATE_NETWORK_MASK
1249	richard	978	domain $DOMAIN
355	richard	979	dns1 $PRIVATE_IP
		980	dns2 $PRIVATE_IP
346	richard	981	uamlisten $PRIVATE_IP
503	richard	982	uamport 3990
837	richard	983	macauth
		984	macpasswd password
1243	richard	985	locationname $HOSTNAME.$DOMAIN
346	richard	986	radiusserver1 127.0.0.1
		987	radiusserver2 127.0.0.1
		988	radiussecret $secretradius
		989	radiusauthport 1812
		990	radiusacctport 1813
1243	richard	991	uamserver https://$HOSTNAME.$DOMAIN/intercept.php
		992	radiusnasid $HOSTNAME.$DOMAIN
346	richard	993	uamsecret $secretuam
1249	richard	994	uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN
346	richard	995	coaport 3799
1299	richard	996	#conup $DIR_DEST_BIN/alcasar-conup.sh
		997	#condown $DIR_DEST_BIN/alcasar-condown.sh
503	richard	998	include $DIR_DEST_ETC/alcasar-uamallowed
		999	include $DIR_DEST_ETC/alcasar-uamdomain
1294	richard	1000	#dhcpgateway
1157	stephane	1001	#dhcprelayagent
		1002	#dhcpgatewayport
346	richard	1003	EOF
1336	richard	1004	# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
977	richard	1005	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
840	richard	1006	# create files for trusted domains and urls
1148	crox53	1007	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	1008	chown root:apache $DIR_DEST_ETC/alcasar-*
		1009	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	1010	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	1011	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
		1012	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
796	richard	1013	# user 'chilli' creation (in order to run conup/off and up/down scripts
		1014	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		1015	if [ "$chilli_exist" == "1" ]
		1016	then
		1017	userdel -r chilli 2>/dev/null
		1018	fi
		1019	groupadd -f chilli
		1020	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1	root	1021	} # End of param_chilli ()
1349	richard	1022
1	root	1023	##################################################################
1221	richard	1024	## Fonction "param_dansguardian" ##
1	root	1025	## - Paramètrage du gestionnaire de contenu Dansguardian ##
		1026	##################################################################
		1027	param_dansguardian ()
		1028	{
		1029	mkdir /var/dansguardian
		1030	chown dansguardian /var/dansguardian
497	richard	1031	[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1293	richard	1032	# By default the filter is off
497	richard	1033	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1293	richard	1034	# French deny HTML page
497	richard	1035	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1293	richard	1036	# Listen only on LAN side
497	richard	1037	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1342	richard	1038	# DG send its flow to HAVP
		1039	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1293	richard	1040	# replace the default deny HTML page
1	root	1041	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
		1042	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1293	richard	1043	# Don't log
		1044	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
		1045	# Run 10 daemons (20 in largest server)
659	richard	1046	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1	root	1047	# on désactive par défaut le controle de contenu des pages html
497	richard	1048	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
		1049	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1050	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1	root	1051	# on désactive par défaut le contrôle d'URL par expressions régulières
497	richard	1052	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1053	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1	root	1054	# on désactive par défaut le contrôle de téléchargement de fichiers
497	richard	1055	[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
		1056	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
		1057	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1058	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1059	touch $DIR_DG/lists/bannedextensionlist
		1060	touch $DIR_DG/lists/bannedmimetypelist
		1061	# 'Safesearch' regex actualisation
498	richard	1062	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1063	# empty LAN IP list that won't be WEB filtered
		1064	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1065	touch $DIR_DG/lists/exceptioniplist
		1066	# Keep a copy of URL & domain filter configuration files
		1067	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1068	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1	root	1069	} # End of param_dansguardian ()
		1070
71	richard	1071	##################################################################
1221	richard	1072	## Fonction "antivirus" ##
1357	richard	1073	## - configuration of havp, libclamav and freshclam ##
71	richard	1074	##################################################################
		1075	antivirus ()
		1076	{
1358	richard	1077	# create 'havp' user
288	richard	1078	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1079	if [ "$havp_exist" == "1" ]
288	richard	1080	then
478	richard	1081	userdel -r havp 2>/dev/null
894	richard	1082	groupdel havp 2>/dev/null
288	richard	1083	fi
307	richard	1084	groupadd -f havp
796	richard	1085	useradd -r -g havp -s /bin/false -c "system user for havp" havp
476	richard	1086	mkdir -p /var/tmp/havp /var/log/havp
		1087	chown -R havp /var/tmp/havp /var/log/havp /var/run/havp
109	richard	1088	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1089	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
631	richard	1090	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on 8090
		1091	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
990	franck	1092	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1093	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1094	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1095	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1096	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1097	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1007	richard	1098	# skip checking of youtube flow (too heavy load / risk too low)
		1099	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1100	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1101	echo ".youtube.com/" >> /etc/havp/whitelist
1358	richard	1102	# replacement of init script
335	richard	1103	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
481	franck	1104	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1358	richard	1105	# replace of the intercept page (template)
340	richard	1106	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1107	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1358	richard	1108	# update virus database every 4 hours (24h/6)
1357	richard	1109	[ -e /etc/freshclam.conf.default ] \|\| cp /etc/freshclam.conf /etc/freshclam.conf.default
		1110	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
489	richard	1111	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1357	richard	1112	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1358	richard	1113	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
		1114	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1355	richard	1115	# Copy of the main virus database
734	richard	1116	rm -f /var/lib/clamav/*.cld # in case of old database scheme
1005	richard	1117	cp -f $DIR_CONF/clamav-main.cvd /var/lib/clamav/main.cvd
1357	richard	1118	/usr/bin/freshclam
71	richard	1119	}
		1120
1	root	1121	##################################################################################
1221	richard	1122	## function "param_ulogd" ##
476	richard	1123	## - Ulog config for multi-log files ##
		1124	##################################################################################
		1125	param_ulogd ()
		1126	{
		1127	# Three instances of ulogd (three different logfiles)
1359	richard	1128	cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-ssh.service
		1129	cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-ext-access.service
1358	richard	1130	mv /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-traceability.service
476	richard	1131	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1132	nl=1
1358	richard	1133	for log_type in traceability ssh ext-access
478	richard	1134	do
		1135	[ -e /var/log/firewall/$log_type.log ] \|\| touch /var/log/firewall/$log_type.log
		1136	cp -f /etc/ulogd.conf /etc/ulogd-$log_type.conf
		1137	$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
		1138	$SED '/OPRINT/,$d' /etc/ulogd-$log_type.conf
		1139	cat << EOF >> /etc/ulogd-$log_type.conf
		1140	[LOGEMU]
		1141	file="/var/log/firewall/$log_type.log"
		1142	sync=1
		1143	EOF
1358	richard	1144	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -C /etc/ulogd-$log_type.conf?g" /lib/systemd/system/ulogd-$log_type.service
478	richard	1145	nl=`expr $nl + 1`
		1146	done
476	richard	1147	chown -R root:apache /var/log/firewall
		1148	chmod 750 /var/log/firewall
		1149	chmod 640 /var/log/firewall/*
		1150	} # End of param_ulogd ()
		1151
1159	crox53	1152
		1153	##########################################################
1221	richard	1154	## Function "param_nfsen" ##
1159	crox53	1155	##########################################################
		1156	param_nfsen()
1	root	1157	{
1159	crox53	1158	#Decompression tarball
1221	richard	1159	tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
1159	crox53	1160	#Création groupe et utilisteur
1221	richard	1161	if grep "^www-data:" /etc/group > /dev/null; then
		1162	echo "Group already exists !"
		1163	else
		1164	groupadd www-data
		1165	echo "Group 'www-data' created !"
		1166	fi
		1167	if grep "^nfsen:" /etc/passwd > /dev/null; then
		1168	echo "User already exists !"
		1169	else
		1170	useradd -m nfsen
		1171	echo "User 'nfsen' created !"
		1172	fi
		1173	usermod -G www-data nfsen
1159	crox53	1174	#Ajout du plugin nfsen : PortTracker
1221	richard	1175	mkdir -p /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
		1176	chown -R nfsen:www-data /var/www/nfsen
		1177	chown -R apache:apache /usr/share/nfsen /var/log/netflow/porttracker
		1178	cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
1159	crox53	1179	#Copie du fichier de conf modifié de nfsen
1221	richard	1180	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
1159	crox53	1181	#Copie du script d'initialisation de nfsen
1221	richard	1182	cp $DIR_CONF/nfsen/nfsen.service /lib/systemd/system/
1159	crox53	1183	#Installation de nfsen via le scrip Perl
1221	richard	1184	DirTmp=$(pwd)
		1185	cd /tmp/nfsen-1.3.6p1/
		1186	/usr/bin/perl5 install.pl etc/nfsen.conf #script lancé deux fois pour corriger,
		1187	/usr/bin/perl5 install.pl etc/nfsen.conf #un problème Perl : "Semaphore introuvable"
1159	crox53	1188	#Création de la DB pour rrdtool
1221	richard	1189	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
		1190	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
		1191	sudo -u apache nftrack -I -d /var/log/netflow/porttracker
		1192	chown -R apache:www-data /var/log/netflow/porttracker/
		1193	chmod -R 775 /var/log/netflow/porttracker
1159	crox53	1194	#Configuration du fichier de conf d'apache
1355	richard	1195	if [ -f /etc/httpd/conf/conf.d/nfsen.conf ];then
		1196	rm -f /etc/httpd/conf/conf.d/nfsen.conf
1221	richard	1197	fi
1355	richard	1198	cat <<EOF >> /etc/httpd/conf/conf.d/nfsen.conf
1159	crox53	1199	Alias /nfsen /var/www/nfsen
		1200	<Directory /var/www/nfsen/>
		1201	DirectoryIndex nfsen.php
		1202	Options -Indexes
		1203	AllowOverride all
		1204	order allow,deny
		1205	allow from all
		1206	AddType application/x-httpd-php .php
		1207	php_flag magic_quotes_gpc on
		1208	php_flag track_vars on
1	root	1209	</Directory>
		1210	EOF
1223	crox53	1211	#Ajout du paramètre : IP d'écoute pour le collecteur (nfcapd)
1229	crox53	1212	$SED s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1";'?g /usr/libexec/NfSenRC.pm
1210	crox53	1213	#Configuration du délais d'expiration des captures du profile "live"
1250	richard	1214	nfsen -m live -e 62d 2>/dev/null
1159	crox53	1215	#Suppression des sources de nfsen
1221	richard	1216	cd $DirTmp
		1217	rm -rf /tmp/nfsen-1.3.6p1/
1159	crox53	1218	} # End of param_nfsen
1	root	1219
		1220	##########################################################
1221	richard	1221	## Function "param_dnsmasq" ##
1	root	1222	##########################################################
219	jeremy	1223	param_dnsmasq ()
		1224	{
		1225	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
1356	richard	1226	[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
259	richard	1227	$SED "s?^DHCP_LEASE=.*?DHCP_LEASE=/var/log/dnsmasq/lease.log?g" /etc/sysconfig/dnsmasq # fichier contenant les baux
1356	richard	1228	# Option : on pré-active les logs DNS des clients
		1229	$SED "s?log-facility?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq
		1230	# Option : exemple de paramètre supplémentaire pour le cache memoire
		1231	echo '#OPTIONS="$OPTIONS --cache-size=250"' >> /etc/sysconfig/dnsmasq
		1232	# Option : exemple de configuration avec un A.D.
		1233	echo '#OPTIONS="$OPTIONS --server=/your.domain/192.168.182.3"' >> /etc/sysconfig/dnsmasq
503	richard	1234	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
520	richard	1235	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if bypass is on.
503	richard	1236	cat << EOF > /etc/dnsmasq.conf
520	richard	1237	# Configuration file for "dnsmasq in forward mode"
503	richard	1238	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
259	richard	1239	listen-address=$PRIVATE_IP
		1240	listen-address=127.0.0.1
286	richard	1241	no-dhcp-interface=$INTIF
259	richard	1242	bind-interfaces
		1243	cache-size=256
		1244	domain=$DOMAIN
		1245	domain-needed
		1246	expand-hosts
		1247	bogus-priv
		1248	filterwin2k
		1249	server=$DNS1
		1250	server=$DNS2
498	richard	1251	# le servive DHCP est configuré mais n'est exploité que pour le "bypass"
865	richard	1252	dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
632	richard	1253	dhcp-option=option:router,$PRIVATE_IP
259	richard	1254	#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
		1255
291	franck	1256	# Exemple de configuration statique : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1257	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1258	EOF
1356	richard	1259	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
		1260	cat << EOF > /etc/dnsmasq-blacklist.conf
		1261	# Configuration file for "dnsmasq with blacklist"
520	richard	1262	# Inclusion de la blacklist <domains> de Toulouse dans la configuration
1015	richard	1263	conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
503	richard	1264	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
498	richard	1265	listen-address=$PRIVATE_IP
		1266	port=54
		1267	no-dhcp-interface=$INTIF
		1268	bind-interfaces
		1269	cache-size=256
		1270	domain=$DOMAIN
		1271	domain-needed
		1272	expand-hosts
		1273	bogus-priv
		1274	filterwin2k
		1275	server=$DNS1
		1276	server=$DNS2
		1277	EOF
1356	richard	1278	# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelis")
1357	richard	1279	cat << EOF > /etc/dnsmasq-whitelist.conf
1356	richard	1280	# Configuration file for "dnsmasq with whitelist"
		1281	# Inclusion de la whitelist <domains> de Toulouse dans la configuration
		1282	conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
		1283	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
		1284	listen-address=$PRIVATE_IP
		1285	port=55
		1286	no-dhcp-interface=$INTIF
		1287	bind-interfaces
		1288	cache-size=256
		1289	domain=$DOMAIN
		1290	domain-needed
		1291	expand-hosts
		1292	bogus-priv
		1293	filterwin2k
		1294	address=/#/$PRIVATE_IP
		1295	EOF
		1296	# Create dnsmasq-blacklist and dnsmasq-whitelist unit
1361	richard	1297	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-blacklist.service
		1298	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-whitelist.service
1356	richard	1299	$SED "s?^ExecStart=.*?ExecStart=/usr/bin/dnsmasq -C /etc/dnsmasq-blacklist.conf?g" /lib/systemd/system/dnsmasq-blacklist.service
		1300	$SED "s?^ExecStart=.*?ExecStart=/usr/bin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
1358	richard	1301	# TODO Start after chilli which create tun0
1356	richard	1302	# $SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
308	richard	1303	} # End dnsmasq
		1304
		1305	##########################################################
1221	richard	1306	## Fonction "BL" ##
308	richard	1307	##########################################################
		1308	BL ()
		1309	{
		1310	# on copie par défaut la BL de toulouse embarqués dans l'archive d'ALCASAR
648	richard	1311	rm -rf $DIR_DG/lists/blacklists
		1312	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
878	richard	1313	# on crée le répertoire ossi (noms de domaine et URLs ajoutés à la BL)
		1314	mkdir $DIR_DG/lists/blacklists/ossi
1041	richard	1315	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
		1316	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
309	richard	1317	# On crée les fichiers vides de sites ou d'URL réhabilités
648	richard	1318	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1319	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1320	touch $DIR_DG/lists/exceptionsitelist
		1321	touch $DIR_DG/lists/exceptionurllist
311	richard	1322	# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
648	richard	1323	cat <<EOF > $DIR_DG/lists/bannedurllist
311	richard	1324	# Dansguardian filter config for ALCASAR
		1325	EOF
648	richard	1326	cat <<EOF > $DIR_DG/lists/bannedsitelist
311	richard	1327	# Dansguardian domain filter config for ALCASAR
		1328	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1329	#**
		1330	# block all SSL and CONNECT tunnels
		1331	**s
		1332	# block all SSL and CONNECT tunnels specified only as an IP
		1333	*ips
		1334	# block all sites specified only by an IP
		1335	*ip
		1336	EOF
1000	richard	1337	# Add Bing and Youtube to the safesearch url regext list (parental control)
878	richard	1338	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1339	# Bing - add 'adlt=strict'
		1340	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1341	# Youtube - add 'edufilter=your_ID'
885	richard	1342	#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"
878	richard	1343	EOF
1000	richard	1344	# change the the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1345	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
648	richard	1346	chown -R dansguardian:apache $DIR_DG
		1347	chmod -R g+rw $DIR_DG
786	richard	1348	# On adapte la BL de Toulouse à notre structure
654	richard	1349	if [ "$mode" != "update" ]; then
		1350	$DIR_DEST_SBIN/alcasar-bl.sh --adapt
		1351	fi
308	richard	1352	}
219	jeremy	1353
1	root	1354	##########################################################
1221	richard	1355	## Fonction "cron" ##
1	root	1356	## - Mise en place des différents fichiers de cron ##
		1357	##########################################################
		1358	cron ()
		1359	{
		1360	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1361	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1362	cat <<EOF > /etc/crontab
		1363	SHELL=/bin/bash
		1364	PATH=/sbin:/bin:/usr/sbin:/usr/bin
		1365	MAILTO=root
		1366	HOME=/
		1367
		1368	# run-parts
		1369	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1370	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1371	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1372	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1373	EOF
		1374	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1375	cat <<EOF >> /etc/anacrontab
667	franck	1376	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
		1377	7 10 cron.logExport nice /etc/cron.d/alcasar-export_log
		1378	7 15 cron.logClean nice /etc/cron.d/alcasar-clean_log
		1379	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1380	EOF
1247	crox53	1381
811	richard	1382	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1383	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
955	richard	1384	45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
905	franck	1385	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
917	franck	1386	40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1387	EOF
952	franck	1388	cat <<EOF > /etc/cron.d/alcasar-archive
		1389	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1390	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1391	EOF
667	franck	1392	cat << EOF > /etc/cron.d/alcasar-clean_import
713	franck	1393	# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
503	richard	1394	30 * * * * root $DIR_DEST_BIN/alcasar-import-clean.sh
168	franck	1395	EOF
722	franck	1396	cat << EOF > /etc/cron.d/alcasar-distrib-updates
		1397	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1398	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1399	EOF
1247	crox53	1400	#cat << EOF > /etc/cron.d/alcasar-netflow
1159	crox53	1401	# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
1247	crox53	1402	#15 0 * * 1 root $DIR_DEST_BIN/alcasar-netflow.sh
		1403	#EOF
1159	crox53	1404
1	root	1405	# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
		1406	# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
		1407	# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
		1408	# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
		1409	# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
		1410	# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
		1411	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
		1412	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
		1413	rm -f /etc/cron.daily/freeradius-web
		1414	rm -f /etc/cron.monthly/freeradius-web
		1415	cat << EOF > /etc/cron.d/freeradius-web
		1416	1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
		1417	5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
		1418	10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
		1419	15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
		1420	EOF
671	franck	1421	cat << EOF > /etc/cron.d/alcasar-watchdog
713	franck	1422	# activation du "chien de garde" (watchdog) toutes les 3'
1	root	1423	/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
		1424	EOF
808	franck	1425	# activation du "chien de garde des services" (watchdog) toutes les 18'
		1426	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
		1427	# activation du "chien de garde" (daemon-watchdog) toutes les 18'
		1428	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1429	EOF
522	richard	1430	# suppression des crons usagers
		1431	rm -f /var/spool/cron/*
1	root	1432	} # End cron
		1433
		1434	##################################################################
1221	richard	1435	## Fonction "Fail2Ban" ##
1163	crox53	1436	##- Modification de la configuration de fail2ban ##
		1437	##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ##
		1438	##################################################################
		1439	fail2ban()
		1440	{
1191	crox53	1441	$DIR_CONF/fail2ban.sh
1192	crox53	1442	#Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
		1443	[ -e /var/log/fail2ban.log ] \|\| touch /var/log/fail2ban.log
		1444	[ -e /var/Save/logs/security/watchdog.log ] \|\| touch /var/Save/logs/security/watchdog.log
1165	crox53	1445	chmod 644 /var/log/fail2ban.log
1192	crox53	1446	chmod 644 /var/Save/logs/security/watchdog.log
1163	crox53	1447	} #Fin de fail2ban_install()
		1448
		1449	##################################################################
1221	richard	1450	## Fonction "post_install" ##
1	root	1451	## - Modification des bannières (locales et ssh) et des prompts ##
		1452	## - Installation de la structure de chiffrement pour root ##
		1453	## - Mise en place du sudoers et de la sécurité sur les fichiers##
		1454	## - Mise en place du la rotation des logs ##
5	franck	1455	## - Configuration dans le cas d'une mise à jour ##
1	root	1456	##################################################################
		1457	post_install()
		1458	{
		1459	# adaptation du script "chien de garde" (watchdog)
376	franck	1460	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
		1461	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
1	root	1462	# création de la bannière locale
1007	richard	1463	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		1464	cp -f $DIR_CONF/banner /etc/mageia-release
		1465	echo " V$VERSION" >> /etc/mageia-release
1	root	1466	# création de la bannière SSH
1007	richard	1467	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
5	franck	1468	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1469	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1470	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1471	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1472	# postfix banner anonymisation
		1473	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
604	richard	1474	# sshd écoute côté LAN et WAN
1	root	1475	$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
604	richard	1476	$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
860	richard	1477	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
628	richard	1478	echo "SSH=off" >> $CONF_FILE
1063	richard	1479	echo 'SSH_ADMIN_FROM=0.0.0.0/0.0.0.0' >> $CONF_FILE
628	richard	1480	echo "QOS=off" >> $CONF_FILE
		1481	echo "LDAP=off" >> $CONF_FILE
786	richard	1482	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
1358	richard	1483	echo "WEB_ANTIVIRUS=on" >> $CONF_FILE # TODO to remove
		1484	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE # TODO to remove
		1485	echo "DNS_FILTERING=off" >> $CONF_FILE # TODO to remove
885	richard	1486	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1078	franck	1487	echo "MULTIWAN=off" >> $CONF_FILE
		1488	echo "FAILOVER=30" >> $CONF_FILE
		1489	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1336	richard	1490	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
		1491	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1	root	1492	# Coloration des prompts
		1493	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1494	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1495	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1	root	1496	# Droits d'exécution pour utilisateur apache et sysadmin
		1497	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1498	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1499	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
1342	richard	1500	# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, radiusd, ulogd)
1	root	1501	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		1502	chmod 644 /etc/logrotate.d/*
714	franck	1503	# rectification sur versions précédentes de la compression des logs
706	franck	1504	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		1505	# actualisation des fichiers logs compressés
1342	richard	1506	for dir in firewall dansguardian httpd
706	franck	1507	do
714	franck	1508	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	1509	done
1221	richard	1510	# create the alcasar-load_balancing unit
		1511	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1184	crox53	1512	# This file is part of systemd.
		1513	#
		1514	# systemd is free software; you can redistribute it and/or modify it
		1515	# under the terms of the GNU General Public License as published by
		1516	# the Free Software Foundation; either version 2 of the License, or
		1517	# (at your option) any later version.
		1518
		1519	# This unit lauches alcasar-load-balancing.sh script.
		1520	[Unit]
		1521	Description=alcasar-load_balancing.sh execution
		1522	After=network.target iptables.service
		1523
		1524	[Service]
		1525	Type=oneshot
		1526	RemainAfterExit=yes
		1527	ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
		1528	ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
		1529	TimeoutSec=0
		1530	SysVStartPriority=99
		1531
		1532	[Install]
		1533	WantedBy=multi-user.target
1157	stephane	1534	EOF
1221	richard	1535	# processes launched at boot time (SYSV)
1358	richard	1536	for i in chilli havp
1221	richard	1537	do
		1538	/sbin/chkconfig --add $i
		1539	done
		1540	# processes launched at boot time (Systemctl)
1355	richard	1541	for i in alcasar-load_balancing nfsen mysqld httpd ntpd iptables ulogd dnsmasq radiusd dansguardian freshclam
953	franck	1542
1221	richard	1543	do
1361	richard	1544	systemctl -q enable $i
1221	richard	1545	done
		1546	# Apply French Security Agency (ANSSI) rules
1362	richard	1547	# ignore ICMP broadcast (smurf attack)
		1548	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
		1549	# ignore ICMP errors bogus
		1550	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
		1551	# remove ICMP redirects responces
		1552	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1553	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1554	# enable SYN Cookies (Syn flood attacks)
		1555	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
		1556	# enable kernel antispoofing
		1557	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
		1558	# ignore source routing
		1559	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
		1560	# set conntrack timer to 1h (3600s) instead of 5 weeks
		1561	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1157	stephane	1562	# disable log_martians (ALCASAR is often installed between two private network addresses)
1362	richard	1563	echo "net.ipv4.conf.all.log_martians = 0" >> etc/sysctl.d/alcasar.conf
		1564	# remove Magic SysReq Keys
		1565	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.con
1003	richard	1566	# switch to multi-users runlevel (instead of x11)
1221	richard	1567	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1005	richard	1568	# GRUB modifications
		1569	# limit wait time to 3s
		1570	# create an alcasar entry instead of linux-nonfb
		1571	# change display to 1024*768 (vga791)
1221	richard	1572	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
		1573	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
		1574	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
		1575	$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
		1576	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
		1577	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1003	richard	1578	# Remove unused services and users
1362	richard	1579	for svc in sshd.service
1221	richard	1580	do
1362	richard	1581	/bin/systemctl -q disable $svc
1221	richard	1582	done
1362	richard	1583	for rm_users in sysqdin
1221	richard	1584	do
		1585	user=`cat /etc/passwd\|grep $rm_users\|cut -d":" -f1`
		1586	if [ "$user" == "$rm_users" ]
		1587	then
		1588	/usr/sbin/userdel -f $rm_users
		1589	fi
		1590	done
		1591	# Load and apply the previous conf file
		1592	if [ "$mode" = "update" ]
532	richard	1593	then
1266	richard	1594	$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs
1221	richard	1595	$DIR_DEST_BIN/alcasar-conf.sh --load
		1596	PARENT_SCRIPT=`basename $0`
		1597	export PARENT_SCRIPT # to avoid stop&start process during the installation process
		1598	$DIR_DEST_BIN/alcasar-conf.sh --apply
		1599	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		1600	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
1269	richard	1601	if [ $MAJ_PREVIOUS_VERSION -lt 2 ] \|\| ([ $MAJ_PREVIOUS_VERSION -eq 2 ] && [ $MIN_PREVIOUS_VERSION -lt 8 ])
		1602	# update needed for versions previous then 2.8 due to the integration of the domainname ("localdomain" by default)
		1603	then
		1604	header_install
		1605	if [ $Lang == "fr" ]
		1606	then
		1607	echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
		1608	echo
		1609	echo -n "Nom : "
		1610	else
		1611	echo "This update need to redefine the first admin account"
		1612	echo
		1613	echo -n "Account : "
		1614	fi
		1615	read admin_portal
		1616	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		1617	mkdir -p $DIR_DEST_ETC/digest
		1618	chmod 755 $DIR_DEST_ETC/digest
		1619	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		1620	do
1350	richard	1621	/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
1269	richard	1622	done
		1623	$DIR_DEST_SBIN/alcasar-profil.sh --list
		1624	fi
532	richard	1625	fi
1221	richard	1626	rm -f /tmp/alcasar-conf*
		1627	chown -R root:apache $DIR_DEST_ETC/*
		1628	chmod -R 660 $DIR_DEST_ETC/*
		1629	chmod ug+x $DIR_DEST_ETC/digest
1045	franck	1630	# Apply and save the firewall rules
		1631	sh $DIR_DEST_BIN/alcasar-iptables.sh
		1632	sleep 2
1	root	1633	cd $DIR_INSTALL
5	franck	1634	echo ""
1	root	1635	echo "#############################################################################"
638	richard	1636	if [ $Lang == "fr" ]
		1637	then
		1638	echo "# Fin d'installation d'ALCASAR #"
		1639	echo "# #"
		1640	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1641	echo "# des Accès au Réseau ( ALCASAR ) #"
		1642	echo "# #"
		1643	echo "#############################################################################"
		1644	echo
		1645	echo "- ALCASAR sera fonctionnel après redémarrage du système"
		1646	echo
		1647	echo "- Lisez attentivement la documentation d'exploitation"
		1648	echo
		1649	echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		1650	echo
		1651	echo " Appuyez sur 'Entrée' pour continuer"
		1652	else
		1653	echo "# Enf of ALCASAR install process #"
		1654	echo "# #"
		1655	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1656	echo "# des Accès au Réseau ( ALCASAR ) #"
		1657	echo "# #"
		1658	echo "#############################################################################"
		1659	echo
		1660	echo "- The system will be rebooted in order to operate ALCASAR"
		1661	echo
		1662	echo "- Read the exploitation documentation"
		1663	echo
		1664	echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		1665	echo
		1666	echo " Hit 'Enter' to continue"
		1667	fi
815	richard	1668	sleep 2
		1669	if [ "$mode" != "update" ]
820	richard	1670	then
815	richard	1671	read a
		1672	fi
774	richard	1673	clear
1	root	1674	reboot
		1675	} # End post_install ()
		1676
1349	richard	1677
		1678	##################################################################
		1679	## Fonction "gammu_smsd" ##
		1680	## - Creation de la base de donnée Gammu ##
		1681	## - Creation du fichier de config: gammu_smsd_conf ##
		1682	## ##
		1683	##################################################################
		1684	gammu_smsd()
		1685	{
		1686	# Create 'gammu' databse
		1687	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
		1688	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
		1689	# Add a gammu database structure
		1690	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/gammu-smsd-db-vierge.sql
		1691
		1692
		1693	# Creation du fichier de config gammu_smsd_conf
		1694	cat << EOF > /etc/gammu_smsd_conf
		1695	[gammu]
		1696	port = /dev/ttyUSB0
		1697	connection = at115200
		1698
		1699	;########################################################
		1700
		1701	[smsd]
		1702
		1703	PIN = 1234
		1704
		1705	logfile = /var/log/gammu-smsd/gammu-smsd.log
		1706	logformat = textall
		1707	debuglevel = 0
		1708
		1709	service = sql
		1710	driver = native_mysql
		1711	user = $DB_USER
		1712	password = $radiuspwd
		1713	pc = localhost
		1714	database = $DB_GAMMU
		1715
		1716	RunOnReceive = /usr/local/bin/alcasar-sms.sh --new_sms
		1717
		1718	StatusFrequency = 30
		1719	LoopSleep = 2
		1720
		1721	;ResetFrequency = 300
		1722	;HardResetFrequency = 120
		1723
		1724	CheckSecurity = 1
		1725	CheckSignal = 1
		1726	CheckBattery = 0
		1727	EOF
		1728
		1729	chmod 755 /etc/gammu_smsd_conf
		1730
		1731	#Creation dossier de log Gammu-smsd
		1732	mkdir /var/log/gammu-smsd
		1733	chmod 755 /var/log/gammu-smsd
		1734
		1735	#Edition du script sql gammu <-> radius
		1736	$SED "10c u_db=\"$DB_USER\"" $DIR_DEST_BIN/alcasar-sms.sh
		1737	$SED "11c p_db=\"$radiuspwd\"" $DIR_DEST_BIN/alcasar-sms.sh
		1738
		1739	} # END gammu_smsd()
		1740
		1741
		1742
		1743
1	root	1744	#################################
1005	richard	1745	# Main Install loop #
1	root	1746	#################################
832	richard	1747	dir_exec=`dirname "$0"`
		1748	if [ $dir_exec != "." ]
		1749	then
		1750	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
		1751	echo "Launch this program from the ALCASAR archive directory"
		1752	exit 0
		1753	fi
		1754	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	1755	usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"
1	root	1756	nb_args=$#
		1757	args=$1
		1758	if [ $nb_args -eq 0 ]
		1759	then
		1760	nb_args=1
		1761	args="-h"
		1762	fi
1062	richard	1763	chmod -R u+x $DIR_SCRIPTS/*
1	root	1764	case $args in
		1765	-\? \| -h* \| --h*)
		1766	echo "$usage"
		1767	exit 0
		1768	;;
291	franck	1769	-i \| --install)
959	franck	1770	license
5	franck	1771	header_install
29	richard	1772	testing
595	richard	1773	# RPMs install
		1774	$DIR_SCRIPTS/alcasar-urpmi.sh
		1775	if [ "$?" != "0" ]
1	root	1776	then
595	richard	1777	exit 0
		1778	fi
1249	richard	1779	if [ -e $CONF_FILE ]
595	richard	1780	then
597	richard	1781	# Uninstall the running version
532	richard	1782	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
595	richard	1783	fi
636	richard	1784	# Test if manual update
1362	richard	1785	if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
595	richard	1786	then
636	richard	1787	header_install
595	richard	1788	if [ $Lang == "fr" ]
636	richard	1789	then echo "Le fichier de configuration d'une ancienne version a été trouvé";
		1790	else echo "The configuration file of an old version has been found";
595	richard	1791	fi
597	richard	1792	response=0
		1793	PTN='^[oOnNyY]$'
		1794	until [[ $(expr $response : $PTN) -gt 0 ]]
		1795	do
		1796	if [ $Lang == "fr" ]
		1797	then echo -n "Voulez-vous l'utiliser (O/n)? ";
		1798	else echo -n "Do you want to use it (Y/n)?";
		1799	fi
		1800	read response
		1801	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		1802	then rm -f /tmp/alcasar-conf*
		1803	fi
		1804	done
		1805	fi
636	richard	1806	# Test if update
1057	richard	1807	if [ -e /tmp/alcasar-conf* ]
597	richard	1808	then
		1809	if [ $Lang == "fr" ]
		1810	then echo "#### Installation avec mise à jour ####";
		1811	else echo "#### Installation with update ####";
		1812	fi
636	richard	1813	# Extract the central configuration file
1057	richard	1814	tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
637	richard	1815	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	1816	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		1817	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		1818	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		1819	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	1820	mode="update"
1	root	1821	fi
1342	richard	1822	for func in init network ACC CA init_db param_radius param_web_radius param_chilli param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron fail2ban post_install
5	franck	1823	do
		1824	$func
1362	richard	1825	# echo "* 'debug' : end of function $func *"; read a
14	richard	1826	done
5	franck	1827	;;
291	franck	1828	-u \| --uninstall)
5	franck	1829	if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1	root	1830	then
597	richard	1831	if [ $Lang == "fr" ]
		1832	then echo "ALCASAR n'est pas installé!";
		1833	else echo "ALCASAR isn't installed!";
		1834	fi
1	root	1835	exit 0
		1836	fi
5	franck	1837	response=0
		1838	PTN='^[oOnN]$'
580	richard	1839	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	1840	do
597	richard	1841	if [ $Lang == "fr" ]
		1842	then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
854	richard	1843	else echo -n "Do you want to create the running version configuration file (Y/n)? ";
597	richard	1844	fi
5	franck	1845	read response
		1846	done
1103	richard	1847	if [ "$response" = "o" ] \|\| [ "$response" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]
1	root	1848	then
1103	richard	1849	$DIR_SCRIPTS/alcasar-conf.sh --create
498	richard	1850	else
		1851	rm -f /tmp/alcasar-conf*
1	root	1852	fi
597	richard	1853	# Uninstall the running version
65	richard	1854	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1	root	1855	;;
		1856	*)
		1857	echo "Argument inconnu :$1";
460	richard	1858	echo "Unknown argument :$1";
1	root	1859	echo "$usage"
		1860	exit 1
		1861	;;
		1862	esac
10	franck	1863	# end of script
366	franck	1864

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1362