WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
1361	richard	1
672	richard	2	#!/bin/bash
57	franck	3	# $Id: alcasar.sh 1365 2014-05-28 14:38:29Z richard $
1	root	4
		5	# alcasar.sh
959	franck	6
1157	stephane	7	# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
		8	# Ce programme est un logiciel libre ; This software is free and open source
959	franck	9	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		10	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		11	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		12	# Voir la Licence Publique Générale GNU pour plus de détails.
		13
967	franck	14	# team@alcasar.net
959	franck	15
1	root	16	# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
		17	# This script is distributed under the Gnu General Public License (GPL)
		18
672	richard	19	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	20	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	21	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
1007	richard	22	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
672	richard	23	#
1342	richard	24	# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav, Ulog, fail2ban, NFsen and NFdump
1	root	25
		26	# Options :
376	franck	27	# -i or --install
		28	# -u or --uninstall
1	root	29
376	franck	30	# Functions :
1221	richard	31	# testing : connectivity tests and downloading before intall
		32	# init : Installation of RPM and scripts
		33	# network : Network parameters
		34	# ACC : ALCASAR Control Center installation
		35	# CA : Certification Authority initialization
		36	# init_db : Initilization of radius database managed with MariaDB
		37	# param_radius : FreeRadius initialisation
		38	# param_web_radius : copy ans modifiy original "freeradius web" in ACC
		39	# param_chilli : coovachilli initialisation (+authentication page)
		40	# param_dansguardian : DansGuardian filtering HTTP proxy configuration
		41	# antivirus : HAVP + libclamav configuration
		42	# param_nfsen : Configuration du grapheur nfsen pour apache
1253	richard	43	# dnsmasq : Name server configuration
		44	# BL : BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
1266	richard	45	# cron : Logs export + watchdog + connexion statistics
1253	richard	46	# fail2ban : Fail2ban installation and configuration
1266	richard	47	# post_install : Security, log rotation, etc.
1349	richard	48	# gammu_smsd : Autoregister addon (gammu-smsd)
1	root	49
		50	DATE=`date '+%d %B %Y - %Hh%M'`
		51	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	52	Lang=`echo $LANG\|cut -c 1-2`
1362	richard	53	mode="install"
1	root	54	# ***** Files parameters - paramètres fichiers *******
1015	richard	55	DIR_INSTALL=`pwd` # current directory
		56	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		57	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
		58	DIR_SAVE="/var/Save" # backup directory (system_backup, user_db_backup, logs)
		59	DIR_WEB="/var/www/html" # directory of APACHE
		60	DIR_DG="/etc/dansguardian" # directory of DansGuardian
		61	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
		62	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		63	DIR_DEST_SBIN="/usr/local/sbin" # directory of ALCASAR admin scripts
		64	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
		65	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
		66	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
		67	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	68	# ***** DBMS parameters - paramètres SGBD ******
1243	richard	69	DB_RADIUS="radius" # database name used by FreeRadius server
		70	DB_USER="radius" # user name allows to request the users database
1349	richard	71	DB_GAMMU="gammu" # database name used by Gammu-smsd
1	root	72	# ***** Network parameters - paramètres réseau *****
1211	crox53	73	HOSTNAME="alcasar" #
1243	richard	74	DOMAIN="localdomain" # default local domain
1336	richard	75	EXTIF=`/sbin/ip route\|grep default\|cut -d" " -f5` # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
		76	INTIF=`/sbin/ip link\|grep '^[[:digit:]]:'\|grep -v "lo\\|$EXTIF"\|cut -d" " -f2\|tr -d ":"` # INTIF is connected to the consultation network
1148	crox53	77	MTU="1500"
1157	stephane	78	ETHTOOL_OPTS='"autoneg off speed 100 duplex full"'
1243	richard	79	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
1	root	80	# **** Paths - chemin des commandes *****
		81	SED="/bin/sed -i"
		82	# **************** End of global parameters *******************
		83
959	franck	84	license ()
		85	{
		86	if [ $Lang == "fr" ]
967	franck	87	then cat $DIR_INSTALL/gpl-3.0.fr.txt \| more
		88	else cat $DIR_INSTALL/gpl-3.0.txt \| more
959	franck	89	fi
975	franck	90	echo "Taper sur Entrée pour continuer !"
		91	echo "Enter to continue."
959	franck	92	read a
		93	}
		94
1	root	95	header_install ()
		96	{
		97	clear
		98	echo "-----------------------------------------------------------------------------"
460	richard	99	echo " ALCASAR V$VERSION Installation"
1	root	100	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		101	echo "-----------------------------------------------------------------------------"
		102	} # End of header_install ()
		103
1174	crox53	104
1	root	105	##################################################################
1221	richard	106	## Function "testing" ##
1342	richard	107	## - Test of free space on /var (>10G) ##
1005	richard	108	## - Test of Internet access ##
29	richard	109	##################################################################
		110	testing ()
		111	{
1362	richard	112	# Test if ALCASAR is already installed
		113	if [ -e $CONF_FILE ]
		114	then
		115	current_version=`cat $CONF_FILE \| grep VERSION \| cut -d"=" -f2`
1342	richard	116	if [ $Lang == "fr" ]
1362	richard	117	then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
		118	else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
1342	richard	119	fi
1362	richard	120	response=0
		121	PTN='^[oOnNyY]$'
		122	until [[ $(expr $response : $PTN) -gt 0 ]]
		123	do
		124	if [ $Lang == "fr" ]
		125	then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
		126	else echo -n "Do you want to update (Y/n)?";
		127	fi
		128	read response
		129	done
		130	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		131	then
		132	rm -f /tmp/alcasar-conf*
		133	else
		134	# Create a backup of running version importants files
		135	$DIR_SCRIPTS/alcasar-conf.sh --create
		136	mode="update"
		137	fi
		138	else
1365	richard	139	if [ ! -d /var/log/netflow/porttracker ]
		140	then
		141	free_space=`df -BG --output=avail /var\|tail -1\|tr -d [:space:]G`
		142	if [ $free_space -lt 10 ]
		143	then
		144	if [ $Lang == "fr" ]
		145	then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
		146	else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
		147	fi
		148	exit 0
1362	richard	149	fi
1365	richard	150	fi
1342	richard	151	fi
		152	if [ $Lang == "fr" ]
784	richard	153	then echo -n "Tests des paramètres réseau : "
595	richard	154	else echo -n "Network parameters tests : "
		155	fi
1336	richard	156	# We test EXTIF config files
784	richard	157	PUBLIC_IP=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		158	PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
1362	richard	159	if [ "$EXTIF" == "" ] \|\| [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
784	richard	160	then
		161	if [ $Lang == "fr" ]
		162	then
		163	echo "Échec"
		164	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		165	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	166	echo "Appliquez les changements : 'systemctl restart network'"
784	richard	167	else
		168	echo "Failed"
		169	echo "The Internet connected network card ($EXTIF) isn't well configured."
		170	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	171	echo "Apply the new configuration 'systemctl restart network'"
784	richard	172	fi
830	richard	173	echo "DEVICE=$EXTIF"
784	richard	174	echo "IPADDR="
		175	echo "NETMASK="
		176	echo "GATEWAY="
		177	echo "DNS1="
		178	echo "DNS2="
830	richard	179	echo "ONBOOT=yes"
784	richard	180	exit 0
		181	fi
		182	echo -n "."
460	richard	183	# We test the Ethernet links state
29	richard	184	for i in $EXTIF $INTIF
		185	do
294	richard	186	/sbin/ip link set $i up
306	richard	187	sleep 3
1031	richard	188	CMD=`/usr/sbin/ethtool $i \|egrep 'Link detected'\| awk '{print $NF}'`
		189	CMD2=`/sbin/mii-tool $i \| grep link \| awk '{print $NF}'`
808	franck	190	if [ $CMD != "yes" ] && [ $CMD2 != "ok" ]
29	richard	191	then
595	richard	192	if [ $Lang == "fr" ]
		193	then
		194	echo "Échec"
		195	echo "Le lien réseau de la carte $i n'est pas actif."
		196	echo "Réglez ce problème puis relancez ce script."
		197	else
		198	echo "Failed"
		199	echo "The link state of $i interface id down."
		200	echo "Resolv this problem, then restart this script."
		201	fi
29	richard	202	exit 0
		203	fi
308	richard	204	echo -n "."
29	richard	205	done
		206	# On teste la présence d'un routeur par défaut (Box FAI)
784	richard	207	if [ `ip route list\|grep -c ^default` -ne "1" ] ; then
595	richard	208	if [ $Lang == "fr" ]
		209	then
		210	echo "Échec"
		211	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		212	echo "Réglez ce problème puis relancez ce script."
		213	else
		214	echo "Failed"
		215	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		216	echo "Resolv this problem, then restart this script."
		217	fi
29	richard	218	exit 0
		219	fi
308	richard	220	echo -n "."
978	franck	221	# On teste le lien vers le routeur par defaut
308	richard	222	IP_GW=`ip route list\|grep ^default\|cut -d" " -f3`
		223	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $IP_GW\|grep response\|cut -d" " -f2`
527	richard	224	if [ $(expr $arp_reply) -eq 0 ]
308	richard	225	then
595	richard	226	if [ $Lang == "fr" ]
		227	then
		228	echo "Échec"
		229	echo "Le routeur de site ou la Box Internet ($IP_GW) ne répond pas."
		230	echo "Réglez ce problème puis relancez ce script."
		231	else
		232	echo "Failed"
		233	echo "The Internet gateway doesn't answered"
		234	echo "Resolv this problem, then restart this script."
		235	fi
308	richard	236	exit 0
		237	fi
		238	echo -n "."
421	franck	239	# On teste la connectivité Internet
29	richard	240	rm -rf /tmp/con_ok.html
308	richard	241	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	242	if [ ! -e /tmp/con_ok.html ]
		243	then
595	richard	244	if [ $Lang == "fr" ]
		245	then
		246	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		247	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		248	echo "Vérifiez la validité des adresses IP des DNS."
		249	else
		250	echo "The Internet connection try failed (google.fr)."
		251	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		252	echo "Verify the DNS IP addresses"
		253	fi
29	richard	254	exit 0
		255	fi
		256	rm -rf /tmp/con_ok.html
308	richard	257	echo ". : ok"
302	richard	258	} # end of testing
		259
		260	##################################################################
1221	richard	261	## Function "init" ##
302	richard	262	## - Création du fichier "/root/ALCASAR_parametres.txt" ##
		263	## - Installation et modification des scripts du portail ##
		264	##################################################################
		265	init ()
		266	{
527	richard	267	if [ "$mode" != "update" ]
302	richard	268	then
		269	# On affecte le nom d'organisme
597	richard	270	header_install
302	richard	271	ORGANISME=!
		272	PTN='^[a-zA-Z0-9-]*$'
580	richard	273	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
302	richard	274	do
595	richard	275	if [ $Lang == "fr" ]
597	richard	276	then echo -n "Entrez le nom de votre organisme : "
		277	else echo -n "Enter the name of your organism : "
595	richard	278	fi
330	franck	279	read ORGANISME
613	richard	280	if [ "$ORGANISME" == "" ]
330	franck	281	then
		282	ORGANISME=!
		283	fi
		284	done
302	richard	285	fi
1	root	286	# On crée aléatoirement les mots de passe et les secrets partagés
628	richard	287	rm -f $PASSWD_FILE
1350	richard	288	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
		289	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
628	richard	290	echo "$grubpwd" >> $PASSWD_FILE
1348	richard	291	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
384	richard	292	$SED "/^password.*/d" /boot/grub/menu.lst
		293	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
1350	richard	294	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	295	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
628	richard	296	echo "root / $mysqlpwd" >> $PASSWD_FILE
1350	richard	297	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	298	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
628	richard	299	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
1350	richard	300	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	301	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
		302	echo "$secretuam" >> $PASSWD_FILE
1350	richard	303	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	304	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
		305	echo "$secretradius" >> $PASSWD_FILE
		306	chmod 640 $PASSWD_FILE
977	richard	307	# Scripts and conf files copy
		308	# - in /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
5	franck	309	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
977	richard	310	# - in /usr/local/sbin : alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
5	franck	311	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
977	richard	312	# - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
648	richard	313	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
1	root	314	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
		315	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
5	franck	316	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
		317	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
628	richard	318	# generate central conf file
		319	cat <<EOF > $CONF_FILE
612	richard	320	##########################################
		321	## ##
		322	## ALCASAR Parameters ##
		323	## ##
		324	##########################################
1	root	325
612	richard	326	INSTALL_DATE=$DATE
		327	VERSION=$VERSION
		328	ORGANISM=$ORGANISME
923	franck	329	DOMAIN=$DOMAIN
612	richard	330	EOF
628	richard	331	chmod o-rwx $CONF_FILE
1	root	332	} # End of init ()
		333
		334	##################################################################
1221	richard	335	## Function "network" ##
1	root	336	## - Définition du plan d'adressage du réseau de consultation ##
595	richard	337	## - Nommage DNS du système ##
1336	richard	338	## - Configuration de l'interface INTIF (réseau de consultation)##
1	root	339	## - Modification du fichier /etc/hosts ##
		340	## - Configuration du serveur de temps (NTP) ##
		341	## - Renseignement des fichiers hosts.allow et hosts.deny ##
		342	##################################################################
		343	network ()
		344	{
		345	header_install
636	richard	346	if [ "$mode" != "update" ]
		347	then
		348	if [ $Lang == "fr" ]
		349	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		350	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		351	fi
		352	response=0
		353	PTN='^[oOyYnN]$'
		354	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	355	do
595	richard	356	if [ $Lang == "fr" ]
659	richard	357	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	358	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	359	fi
1	root	360	read response
		361	done
636	richard	362	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		363	then
		364	PRIVATE_IP_MASK="0"
		365	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		366	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	367	do
595	richard	368	if [ $Lang == "fr" ]
597	richard	369	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		370	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	371	fi
597	richard	372	read PRIVATE_IP_MASK
1	root	373	done
636	richard	374	else
		375	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		376	fi
595	richard	377	else
637	richard	378	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		379	rm -rf conf/etc/alcasar.conf
1	root	380	fi
861	richard	381	# Define LAN side global parameters
1243	richard	382	hostname $HOSTNAME.$DOMAIN
		383	echo $HOSTNAME.$DOMAIN > /etc/hostname
977	richard	384	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
		385	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
		386	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
		387	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
		388	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
		389	classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; classe_sup_sup=`expr $classe + 2` # ie.: 2=classe B, 3=classe C
		390	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		391	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
		392	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f$classe_sup` # last octet of LAN address
		393	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f$classe_sup` # last octet of LAN broadcast
837	richard	394	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
977	richard	395	PRIVATE_SECOND_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 2` # second network address (ex.: 192.168.182.2)
837	richard	396	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
1336	richard	397	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6` # MAC address of INTIF
841	richard	398	# Define Internet parameters
14	richard	399	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		400	DNS1=`grep DNS1 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 1er DNS
		401	DNS2=`grep DNS2 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 2ème DNS
70	franck	402	DNS1=${DNS1:=208.67.220.220}
		403	DNS2=${DNS2:=208.67.222.222}
597	richard	404	PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2`
1052	richard	405	DEFAULT_PUBLIC_NETMASK=`ipcalc -m $PUBLIC_IP \| cut -d"=" -f2`
784	richard	406	PUBLIC_NETMASK=${PUBLIC_NETMASK:=$DEFAULT_PUBLIC_NETMASK}
1052	richard	407	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	408	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
765	stephane	409	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
994	franck	410	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	411	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
		412	echo "DNS1=$DNS1" >> $CONF_FILE
		413	echo "DNS2=$DNS2" >> $CONF_FILE
		414	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
941	richard	415	echo "DHCP=full" >> $CONF_FILE
914	franck	416	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		417	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		418	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
597	richard	419	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
841	richard	420	# config network
1	root	421	cat <<EOF > /etc/sysconfig/network
		422	NETWORKING=yes
1243	richard	423	HOSTNAME="$HOSTNAME.$DOMAIN"
1	root	424	FORWARD_IPV4=true
		425	EOF
841	richard	426	# config /etc/hosts
1	root	427	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		428	cat <<EOF > /etc/hosts
503	richard	429	127.0.0.1 localhost
1353	richard	430	$PRIVATE_IP $HOSTNAME.$DOMAIN $HOSTNAME $ORGANISME.$DOMAIN $ORGANISME
1	root	431	EOF
1336	richard	432	# Config EXTIF (Internet)
14	richard	433	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		434	DEVICE=$EXTIF
		435	BOOTPROTO=static
597	richard	436	IPADDR=$PUBLIC_IP
		437	NETMASK=$PUBLIC_NETMASK
		438	GATEWAY=$PUBLIC_GATEWAY
14	richard	439	DNS1=127.0.0.1
		440	ONBOOT=yes
		441	METRIC=10
		442	NOZEROCONF=yes
		443	MII_NOT_SUPPORTED=yes
		444	IPV6INIT=no
		445	IPV6TO4INIT=no
		446	ACCOUNTING=no
		447	USERCTL=no
994	franck	448	MTU=$MTU
14	richard	449	EOF
1336	richard	450	# Config INTIF (consultation LAN) in normal mode
841	richard	451	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		452	DEVICE=$INTIF
		453	BOOTPROTO=static
		454	ONBOOT=yes
		455	NOZEROCONF=yes
		456	MII_NOT_SUPPORTED=yes
		457	IPV6INIT=no
		458	IPV6TO4INIT=no
		459	ACCOUNTING=no
		460	USERCTL=no
1157	stephane	461	ETHTOOL_OPTS=$ETHTOOL_OPTS
841	richard	462	EOF
1336	richard	463	# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
793	richard	464	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
1	root	465	DEVICE=$INTIF
		466	BOOTPROTO=static
		467	IPADDR=$PRIVATE_IP
604	richard	468	NETMASK=$PRIVATE_NETMASK
1	root	469	ONBOOT=yes
		470	METRIC=10
		471	NOZEROCONF=yes
		472	MII_NOT_SUPPORTED=yes
14	richard	473	IPV6INIT=no
		474	IPV6TO4INIT=no
		475	ACCOUNTING=no
		476	USERCTL=no
1	root	477	EOF
440	franck	478	# Mise à l'heure du serveur
		479	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		480	cat <<EOF > /etc/ntp/step-tickers
455	franck	481	0.fr.pool.ntp.org # adapt to your country
		482	1.fr.pool.ntp.org
		483	2.fr.pool.ntp.org
440	franck	484	EOF
		485	# Configuration du serveur de temps (sur lui même)
1	root	486	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		487	cat <<EOF > /etc/ntp.conf
456	franck	488	server 0.fr.pool.ntp.org # adapt to your country
447	franck	489	server 1.fr.pool.ntp.org
		490	server 2.fr.pool.ntp.org
		491	server 127.127.1.0 # local clock si NTP internet indisponible ...
411	richard	492	fudge 127.127.1.0 stratum 10
604	richard	493	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
1	root	494	restrict 127.0.0.1
310	richard	495	driftfile /var/lib/ntp/drift
1	root	496	logfile /var/log/ntp.log
		497	EOF
440	franck	498
310	richard	499	chown -R ntp:ntp /var/lib/ntp
1	root	500	# Renseignement des fichiers hosts.allow et hosts.deny
		501	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		502	cat <<EOF > /etc/hosts.allow
		503	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	504	sshd: ALL
1	root	505	ntpd: $PRIVATE_NETWORK_SHORT
		506	EOF
		507	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		508	cat <<EOF > /etc/hosts.deny
		509	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		510	EOF
604	richard	511	# Firewall config
790	richard	512	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		513	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		514	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	515	# create the filter exception file and ip_bloqued file
790	richard	516	touch $DIR_DEST_ETC/alcasar-filter-exceptions
860	richard	517	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
1069	richard	518	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	519	# load conntrack ftp module
		520	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
		521	echo "ip_conntrack_ftp" >> /etc/modprobe.preload
1159	crox53	522	# load ipt_NETFLOW module
		523	echo "ipt_NETFLOW" >> /etc/modprobe.preload
1157	stephane	524	#
860	richard	525	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	526	} # End of network ()
		527
		528	##################################################################
1221	richard	529	## Function "ACC" ##
		530	## - installation du centre de gestion (ALCASAR Control Center) ##
1	root	531	## - configuration du serveur web (Apache) ##
		532	## - définition du 1er comptes de gestion ##
		533	## - sécurisation des accès ##
		534	##################################################################
1221	richard	535	ACC ()
1	root	536	{
		537	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		538	mkdir $DIR_WEB
		539	# Copie et configuration des fichiers du centre de gestion
316	richard	540	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972	richard	541	echo "$VERSION" > $DIR_WEB/VERSION
316	richard	542	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		543	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		544	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		545	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		546	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	547	chown -R apache:apache $DIR_WEB/*
1342	richard	548	for i in system_backup base logs/firewall logs/httpd logs/security;
1	root	549	do
		550	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		551	done
5	franck	552	chown -R root:apache $DIR_SAVE
71	richard	553	# Configuration et sécurisation php
		554	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	555	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		556	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	557	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		558	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71	richard	559	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		560	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
		561	# Configuration et sécurisation Apache
790	richard	562	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1	root	563	[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
1243	richard	564	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
303	richard	565	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1	root	566	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
		567	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
		568	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
790	richard	569	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
		570	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
		571	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
		572	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
		573	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
		574	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
990	franck	575	$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf
1359	richard	576	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] \|\| cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
		577	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
		578	[ -e /usr/share/httpd/error/include/top.html.default ] \|\| cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
		579	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
		580	[ -e /usr/share/httpd/error/include/bottom.html.default ] \|\| cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
		581	cat <<EOF > /usr/share/httpd/error/include/bottom.html
1	root	582	</body>
		583	</html>
		584	EOF
		585	# Définition du premier compte lié au profil 'admin'
509	richard	586	header_install
510	richard	587	if [ "$mode" = "install" ]
		588	then
613	richard	589	admin_portal=!
		590	PTN='^[a-zA-Z0-9-]*$'
		591	until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
		592	do
		593	header_install
		594	if [ $Lang == "fr" ]
		595	then
		596	echo ""
		597	echo "Définissez un premier compte d'administration du portail :"
		598	echo
		599	echo -n "Nom : "
		600	else
		601	echo ""
		602	echo "Define the first account allow to administrate the portal :"
		603	echo
		604	echo -n "Account : "
		605	fi
		606	read admin_portal
		607	if [ "$admin_portal" == "" ]
		608	then
		609	admin_portal=!
		610	fi
		611	done
1268	richard	612	# Creation of keys file for the admin account ("admin")
510	richard	613	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		614	mkdir -p $DIR_DEST_ETC/digest
		615	chmod 755 $DIR_DEST_ETC/digest
		616	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		617	do
1350	richard	618	/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
510	richard	619	done
		620	$DIR_DEST_SBIN/alcasar-profil.sh --list
		621	fi
434	richard	622	# synchronisation horaire
		623	ntpd -q -g &
1	root	624	# Sécurisation du centre
988	franck	625	rm -f /etc/httpd/conf/webapps.d/alcasar*
1	root	626	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	627	<Directory $DIR_ACC>
1	root	628	SSLRequireSSL
		629	AllowOverride None
		630	Order deny,allow
		631	Deny from all
		632	Allow from 127.0.0.1
		633	Allow from $PRIVATE_NETWORK_MASK
990	franck	634	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	635	require valid-user
		636	AuthType digest
1243	richard	637	AuthName $HOSTNAME.$DOMAIN
1	root	638	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	639	AuthUserFile $DIR_DEST_ETC/digest/key_all
1243	richard	640	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	641	</Directory>
316	richard	642	<Directory $DIR_ACC/admin>
1	root	643	SSLRequireSSL
		644	AllowOverride None
		645	Order deny,allow
		646	Deny from all
		647	Allow from 127.0.0.1
		648	Allow from $PRIVATE_NETWORK_MASK
990	franck	649	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	650	require valid-user
		651	AuthType digest
1243	richard	652	AuthName $HOSTNAME.$DOMAIN
1	root	653	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	654	AuthUserFile $DIR_DEST_ETC/digest/key_admin
1243	richard	655	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	656	</Directory>
344	richard	657	<Directory $DIR_ACC/manager>
1	root	658	SSLRequireSSL
		659	AllowOverride None
		660	Order deny,allow
		661	Deny from all
		662	Allow from 127.0.0.1
		663	Allow from $PRIVATE_NETWORK_MASK
990	franck	664	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	665	require valid-user
		666	AuthType digest
1243	richard	667	AuthName $HOSTNAME.$DOMAIN
1	root	668	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	669	AuthUserFile $DIR_DEST_ETC/digest/key_manager
1243	richard	670	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	671	</Directory>
316	richard	672	<Directory $DIR_ACC/backup>
		673	SSLRequireSSL
		674	AllowOverride None
		675	Order deny,allow
		676	Deny from all
		677	Allow from 127.0.0.1
		678	Allow from $PRIVATE_NETWORK_MASK
990	franck	679	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
316	richard	680	require valid-user
		681	AuthType digest
1243	richard	682	AuthName $HOSTNAME.$DOMAIN
316	richard	683	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	684	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	685	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
316	richard	686	</Directory>
811	richard	687	Alias /save/ "$DIR_SAVE/"
		688	<Directory $DIR_SAVE>
		689	SSLRequireSSL
		690	Options Indexes
		691	Order deny,allow
		692	Deny from all
		693	Allow from 127.0.0.1
		694	Allow from $PRIVATE_NETWORK_MASK
990	franck	695	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
811	richard	696	require valid-user
		697	AuthType digest
1243	richard	698	AuthName $HOSTNAME.$DOMAIN
811	richard	699	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	700	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
811	richard	701	</Directory>
1	root	702	EOF
1221	richard	703	} # End of ACC()
1	root	704
		705	##########################################################################################
1221	richard	706	## Fonction "CA" ##
1	root	707	## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
		708	##########################################################################################
1221	richard	709	CA ()
1	root	710	{
		711	$SED "s?ifcfg-eth.?ifcfg-$INTIF?g" $DIR_DEST_BIN/alcasar-CA.sh
510	richard	712	$DIR_DEST_BIN/alcasar-CA.sh
800	richard	713	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	714	[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
		715	$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
		716	$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
679	richard	717	$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
5	franck	718	chown -R root:apache /etc/pki
1	root	719	chmod -R 750 /etc/pki
1221	richard	720	} # End CA ()
1	root	721
		722	##########################################################################################
1221	richard	723	## Fonction "init_db" ##
1	root	724	## - Initialisation de la base Mysql ##
		725	## - Affectation du mot de passe de l'administrateur (root) ##
		726	## - Suppression des bases et des utilisateurs superflus ##
		727	## - Création de la base 'radius' ##
		728	## - Installation du schéma de cette base ##
		729	## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##
		730	## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##
		731	##########################################################################################
		732	init_db ()
		733	{
1355	richard	734	rm -rf /var/lib/mysql # to be sure that there is no former installation
1	root	735	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
		736	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
1355	richard	737	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
1353	richard	738	systemctl start mysqld.service
1	root	739	sleep 4
		740	mysqladmin -u root password $mysqlpwd
		741	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1355	richard	742	# Secure the server
		743	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
		744	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
615	richard	745	# Create 'radius' database
1317	richard	746	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
615	richard	747	# Add an empty radius database structure
364	franck	748	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
615	richard	749	# modify the start script in order to close accounting connexion when the system is comming down or up
1357	richard	750	[ -e /lib/systemd/system/mysqld.service.default ] \|\| cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
		751	$SED "/ExecStartPost=/a ExecStartPost=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
1355	richard	752	$SED "/ExecStartPost=/a ExecStop=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
		753	systemctl daemon-reload
1	root	754	} # End init_db ()
		755
		756	##########################################################################
1221	richard	757	## Fonction "param_radius" ##
1	root	758	## - Paramètrage des fichiers de configuration FreeRadius ##
		759	## - Affectation du secret partagé entre coova-chilli et freeradius ##
		760	## - Modification de fichier de conf pour l'accès à Mysql ##
		761	##########################################################################
		762	param_radius ()
		763	{
		764	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
		765	chown -R radius:radius /etc/raddb
		766	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1278	richard	767	# Set radius.conf parameters
1	root	768	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		769	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		770	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
1278	richard	771	# remove the proxy function
1	root	772	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf
		773	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
1278	richard	774	# remove EAP module
654	richard	775	$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1278	richard	776	# listen on loopback (should be modified later if EAP enabled)
1	root	777	$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
1278	richard	778	# enable the SQL module (and SQL counter)
1	root	779	$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
		780	$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
		781	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1278	richard	782	# remvove virtual server and copy our conf file
1	root	783	rm -f /etc/raddb/sites-enabled/*
1278	richard	784	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1	root	785	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
		786	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
		787	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
		788	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
384	richard	789	# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1	root	790	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1278	richard	791	# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1	root	792	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		793	cat << EOF > /etc/raddb/clients.conf
		794	client 127.0.0.1 {
		795	secret = $secretradius
		796	shortname = localhost
		797	}
		798	EOF
1278	richard	799	# sql.conf modification
1	root	800	[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
		801	$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
		802	$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
		803	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
		804	$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf
1278	richard	805	# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.)
1	root	806	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1278	richard	807	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
		808	# counter.conf modification (change the Max-All-Session-Time counter)
		809	[ -e /etc/raddb/sql/mysql/counter.conf.default ] \|\| cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
		810	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
		811	chown -R radius:radius /etc/raddb/sql/mysql/*
1358	richard	812	# make certain that mysql is up before radius start
		813	[ -e /lib/systemd/system/radiusd.service.default ] \|\| cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
		814	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
		815	systemctl daemon-reload
1	root	816	} # End param_radius ()
		817
		818	##########################################################################
1221	richard	819	## Function "param_web_radius" ##
1	root	820	## - Import, modification et paramètrage de l'interface "dialupadmin" ##
		821	## - Création du lien vers la page de changement de mot de passe ##
		822	##########################################################################
		823	param_web_radius ()
		824	{
		825	# copie de l'interface d'origine dans la structure Alcasar
316	richard	826	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
		827	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme
		828	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
344	richard	829	# copie des fichiers modifiés
		830	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
316	richard	831	chown -R apache:apache $DIR_ACC/manager/
344	richard	832	# Modification des fichiers de configuration
1	root	833	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
503	richard	834	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1	root	835	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		836	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		837	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
		838	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
		839	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
		840	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
		841	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
946	richard	842	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
344	richard	843	[ -e /etc/freeradius-web/config.php.default ] \|\| cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
1278	richard	844	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
131	richard	845	cat <<EOF > /etc/freeradius-web/naslist.conf
632	richard	846	nas1_name: alcasar-$ORGANISME
1	root	847	nas1_model: Portail captif
		848	nas1_ip: $PRIVATE_IP
		849	nas1_port_num: 0
		850	nas1_community: public
		851	EOF
		852	# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
		853	[ -e /etc/freeradius-web/user_edit.attrs.default ] \|\| mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
1278	richard	854	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
114	richard	855	# Ajout du mappage des attributs chillispot
		856	[ -e /etc/freeradius-web/sql.attrmap.default ] \|\| mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
1278	richard	857	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
1	root	858	# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
1278	richard	859	[ -e /etc/freeradius-web/sql.attrs.default ] \|\| cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
1	root	860	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
		861	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
5	franck	862	chown -R apache:apache /etc/freeradius-web
1	root	863	# Ajout de l'alias vers la page de "changement de mot de passe usager"
		864	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
344	richard	865	<Directory $DIR_WEB/pass>
1	root	866	SSLRequireSSL
		867	AllowOverride None
		868	Order deny,allow
		869	Deny from all
		870	Allow from 127.0.0.1
		871	Allow from $PRIVATE_NETWORK_MASK
1243	richard	872	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
1	root	873	</Directory>
		874	EOF
		875	} # End of param_web_radius ()
		876
799	richard	877	##################################################################################
1221	richard	878	## Fonction "param_chilli" ##
799	richard	879	## - Création du fichier d'initialisation et de configuration de coova-chilli ##
		880	## - Paramètrage de la page d'authentification (intercept.php) ##
		881	##################################################################################
1	root	882	param_chilli ()
		883	{
799	richard	884	# init file creation
461	richard	885	[ -e /etc/init.d/chilli.default ] \|\| cp /etc/init.d/chilli /etc/init.d/chilli.default
799	richard	886	cat <<EOF > /etc/init.d/chilli
		887	#!/bin/sh
		888	#
		889	# chilli CoovaChilli init
		890	#
		891	# chkconfig: 2345 65 35
		892	# description: CoovaChilli
		893	### BEGIN INIT INFO
		894	# Provides: chilli
		895	# Required-Start: network
		896	# Should-Start:
		897	# Required-Stop: network
		898	# Should-Stop:
		899	# Default-Start: 2 3 5
		900	# Default-Stop:
		901	# Description: CoovaChilli access controller
		902	### END INIT INFO
		903
		904	[ -f /usr/sbin/chilli ] \|\| exit 0
		905	. /etc/init.d/functions
		906	CONFIG=/etc/chilli.conf
		907	pidfile=/var/run/chilli.pid
		908	[ -f \$CONFIG ] \|\| {
		909	echo "\$CONFIG Not found"
		910	exit 0
		911	}
		912	RETVAL=0
		913	prog="chilli"
		914	case \$1 in
		915	start)
		916	if [ -f \$pidfile ] ; then
		917	gprintf "chilli is already running"
		918	else
		919	gprintf "Starting \$prog: "
		920	rm -f /var/run/chilli* # cleaning
		921	/sbin/modprobe tun >/dev/null 2>&1
		922	echo 1 > /proc/sys/net/ipv4/ip_forward
		923	[ -e /dev/net/tun ] \|\| {
		924	(cd /dev;
		925	mkdir net;
		926	cd net;
		927	mknod tun c 10 200)
		928	}
1336	richard	929	ifconfig $INTIF 0.0.0.0
799	richard	930	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		931	RETVAL=$?
		932	fi
		933	;;
		934
		935	reload)
		936	killall -HUP chilli
		937	;;
		938
		939	restart)
		940	\$0 stop
		941	sleep 2
		942	\$0 start
		943	;;
		944
		945	status)
		946	status chilli
		947	RETVAL=0
		948	;;
		949
		950	stop)
		951	if [ -f \$pidfile ] ; then
		952	gprintf "Shutting down \$prog: "
		953	killproc /usr/sbin/chilli
		954	RETVAL=\$?
		955	[ \$RETVAL = 0 ] && rm -f $pidfile
		956	else
		957	gprintf "chilli is not running"
		958	fi
		959	;;
		960
		961	*)
		962	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		963	exit 1
		964	esac
		965	echo
		966	EOF
		967
		968	# conf file creation
346	richard	969	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
		970	cat <<EOF > /etc/chilli.conf
		971	# coova config for ALCASAR
		972	cmdsocket /var/run/chilli.sock
1336	richard	973	unixipc chilli.$INTIF.ipc
		974	pidfile /var/run/chilli.$INTIF.pid
346	richard	975	net $PRIVATE_NETWORK_MASK
595	richard	976	dhcpif $INTIF
841	richard	977	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	978	#nodynip
865	richard	979	#statip
		980	dynip $PRIVATE_NETWORK_MASK
1249	richard	981	domain $DOMAIN
355	richard	982	dns1 $PRIVATE_IP
		983	dns2 $PRIVATE_IP
346	richard	984	uamlisten $PRIVATE_IP
503	richard	985	uamport 3990
837	richard	986	macauth
		987	macpasswd password
1243	richard	988	locationname $HOSTNAME.$DOMAIN
346	richard	989	radiusserver1 127.0.0.1
		990	radiusserver2 127.0.0.1
		991	radiussecret $secretradius
		992	radiusauthport 1812
		993	radiusacctport 1813
1243	richard	994	uamserver https://$HOSTNAME.$DOMAIN/intercept.php
		995	radiusnasid $HOSTNAME.$DOMAIN
346	richard	996	uamsecret $secretuam
1249	richard	997	uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN
346	richard	998	coaport 3799
1299	richard	999	#conup $DIR_DEST_BIN/alcasar-conup.sh
		1000	#condown $DIR_DEST_BIN/alcasar-condown.sh
503	richard	1001	include $DIR_DEST_ETC/alcasar-uamallowed
		1002	include $DIR_DEST_ETC/alcasar-uamdomain
1294	richard	1003	#dhcpgateway
1157	stephane	1004	#dhcprelayagent
		1005	#dhcpgatewayport
346	richard	1006	EOF
1336	richard	1007	# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
977	richard	1008	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
840	richard	1009	# create files for trusted domains and urls
1148	crox53	1010	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	1011	chown root:apache $DIR_DEST_ETC/alcasar-*
		1012	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	1013	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	1014	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
		1015	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
796	richard	1016	# user 'chilli' creation (in order to run conup/off and up/down scripts
		1017	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		1018	if [ "$chilli_exist" == "1" ]
		1019	then
		1020	userdel -r chilli 2>/dev/null
		1021	fi
		1022	groupadd -f chilli
		1023	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1	root	1024	} # End of param_chilli ()
1349	richard	1025
1	root	1026	##################################################################
1221	richard	1027	## Fonction "param_dansguardian" ##
1	root	1028	## - Paramètrage du gestionnaire de contenu Dansguardian ##
		1029	##################################################################
		1030	param_dansguardian ()
		1031	{
		1032	mkdir /var/dansguardian
		1033	chown dansguardian /var/dansguardian
497	richard	1034	[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1293	richard	1035	# By default the filter is off
497	richard	1036	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1293	richard	1037	# French deny HTML page
497	richard	1038	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1293	richard	1039	# Listen only on LAN side
497	richard	1040	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1342	richard	1041	# DG send its flow to HAVP
		1042	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1293	richard	1043	# replace the default deny HTML page
1	root	1044	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
		1045	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1293	richard	1046	# Don't log
		1047	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
		1048	# Run 10 daemons (20 in largest server)
659	richard	1049	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1	root	1050	# on désactive par défaut le controle de contenu des pages html
497	richard	1051	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
		1052	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1053	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1	root	1054	# on désactive par défaut le contrôle d'URL par expressions régulières
497	richard	1055	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1056	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1	root	1057	# on désactive par défaut le contrôle de téléchargement de fichiers
497	richard	1058	[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
		1059	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
		1060	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1061	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1062	touch $DIR_DG/lists/bannedextensionlist
		1063	touch $DIR_DG/lists/bannedmimetypelist
		1064	# 'Safesearch' regex actualisation
498	richard	1065	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1066	# empty LAN IP list that won't be WEB filtered
		1067	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1068	touch $DIR_DG/lists/exceptioniplist
		1069	# Keep a copy of URL & domain filter configuration files
		1070	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1071	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1	root	1072	} # End of param_dansguardian ()
		1073
71	richard	1074	##################################################################
1221	richard	1075	## Fonction "antivirus" ##
1357	richard	1076	## - configuration of havp, libclamav and freshclam ##
71	richard	1077	##################################################################
		1078	antivirus ()
		1079	{
1358	richard	1080	# create 'havp' user
288	richard	1081	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1082	if [ "$havp_exist" == "1" ]
288	richard	1083	then
478	richard	1084	userdel -r havp 2>/dev/null
894	richard	1085	groupdel havp 2>/dev/null
288	richard	1086	fi
307	richard	1087	groupadd -f havp
796	richard	1088	useradd -r -g havp -s /bin/false -c "system user for havp" havp
476	richard	1089	mkdir -p /var/tmp/havp /var/log/havp
		1090	chown -R havp /var/tmp/havp /var/log/havp /var/run/havp
109	richard	1091	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1092	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
631	richard	1093	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on 8090
		1094	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
990	franck	1095	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1096	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1097	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1098	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1099	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1100	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1007	richard	1101	# skip checking of youtube flow (too heavy load / risk too low)
		1102	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1103	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1104	echo ".youtube.com/" >> /etc/havp/whitelist
1358	richard	1105	# replacement of init script
335	richard	1106	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
481	franck	1107	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1358	richard	1108	# replace of the intercept page (template)
340	richard	1109	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1110	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1358	richard	1111	# update virus database every 4 hours (24h/6)
1357	richard	1112	[ -e /etc/freshclam.conf.default ] \|\| cp /etc/freshclam.conf /etc/freshclam.conf.default
		1113	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
489	richard	1114	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1357	richard	1115	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1358	richard	1116	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
		1117	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1355	richard	1118	# Copy of the main virus database
734	richard	1119	rm -f /var/lib/clamav/*.cld # in case of old database scheme
1005	richard	1120	cp -f $DIR_CONF/clamav-main.cvd /var/lib/clamav/main.cvd
1357	richard	1121	/usr/bin/freshclam
71	richard	1122	}
		1123
1	root	1124	##################################################################################
1221	richard	1125	## function "param_ulogd" ##
476	richard	1126	## - Ulog config for multi-log files ##
		1127	##################################################################################
		1128	param_ulogd ()
		1129	{
		1130	# Three instances of ulogd (three different logfiles)
		1131	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1132	nl=1
1358	richard	1133	for log_type in traceability ssh ext-access
478	richard	1134	do
1365	richard	1135	[ -e /lib/systemd/system/ulogd-$log_type.service ] \|\| cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
		1136	/var/log/firewall/$log_type.log ] \|\| touch /var/log/firewall/$log_type.log
478	richard	1137	cp -f /etc/ulogd.conf /etc/ulogd-$log_type.conf
		1138	$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
		1139	$SED '/OPRINT/,$d' /etc/ulogd-$log_type.conf
		1140	cat << EOF >> /etc/ulogd-$log_type.conf
		1141	[LOGEMU]
		1142	file="/var/log/firewall/$log_type.log"
		1143	sync=1
		1144	EOF
1358	richard	1145	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -C /etc/ulogd-$log_type.conf?g" /lib/systemd/system/ulogd-$log_type.service
478	richard	1146	nl=`expr $nl + 1`
		1147	done
476	richard	1148	chown -R root:apache /var/log/firewall
		1149	chmod 750 /var/log/firewall
		1150	chmod 640 /var/log/firewall/*
		1151	} # End of param_ulogd ()
		1152
1159	crox53	1153
		1154	##########################################################
1221	richard	1155	## Function "param_nfsen" ##
1159	crox53	1156	##########################################################
		1157	param_nfsen()
1	root	1158	{
1221	richard	1159	tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
1365	richard	1160	# Create a specific user and group
		1161	[ `grep "^www-data:" /etc/group \| wc -l` == 1 ] \|\| groupadd www-data
		1162	[ `grep "^nfsen:" /etc/passwd \| wc -l` == 1 ] \|\| useradd -m nfsen
1221	richard	1163	usermod -G www-data nfsen
1365	richard	1164	# Add PortTracker plugin
1221	richard	1165	mkdir -p /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
		1166	chown -R nfsen:www-data /var/www/nfsen
		1167	chown -R apache:apache /usr/share/nfsen /var/log/netflow/porttracker
		1168	cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
1365	richard	1169	# use of our conf file and init unit
1221	richard	1170	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
		1171	cp $DIR_CONF/nfsen/nfsen.service /lib/systemd/system/
1365	richard	1172	# Installation of nfsen
1221	richard	1173	DirTmp=$(pwd)
		1174	cd /tmp/nfsen-1.3.6p1/
1365	richard	1175	/usr/bin/perl5 install.pl etc/nfsen.conf
		1176	/usr/bin/perl5 install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
		1177	# Create RRD DB for porttracker (only in it still doesn't exist)
1221	richard	1178	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
		1179	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
1365	richard	1180	[ d /var/log/netflow/porttracker ] \|\| sudo -u apache nftrack -I -d /var/log/netflow/porttracker
1221	richard	1181	chown -R apache:www-data /var/log/netflow/porttracker/
		1182	chmod -R 775 /var/log/netflow/porttracker
1365	richard	1183	# Apache conf file
		1184	rm -f /etc/httpd/conf/conf.d/nfsen.conf
1355	richard	1185	cat <<EOF >> /etc/httpd/conf/conf.d/nfsen.conf
1159	crox53	1186	Alias /nfsen /var/www/nfsen
		1187	<Directory /var/www/nfsen/>
		1188	DirectoryIndex nfsen.php
		1189	Options -Indexes
		1190	AllowOverride all
		1191	order allow,deny
		1192	allow from all
		1193	AddType application/x-httpd-php .php
		1194	php_flag magic_quotes_gpc on
		1195	php_flag track_vars on
1	root	1196	</Directory>
		1197	EOF
1365	richard	1198	# Add the listen port to collect netflow packet (nfcapd)
1229	crox53	1199	$SED s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1";'?g /usr/libexec/NfSenRC.pm
1365	richard	1200	# expire delay for the profile "live"
1250	richard	1201	nfsen -m live -e 62d 2>/dev/null
1365	richard	1202	# clear the installation
1221	richard	1203	cd $DirTmp
		1204	rm -rf /tmp/nfsen-1.3.6p1/
1159	crox53	1205	} # End of param_nfsen
1	root	1206
		1207	##########################################################
1221	richard	1208	## Function "param_dnsmasq" ##
1	root	1209	##########################################################
219	jeremy	1210	param_dnsmasq ()
		1211	{
		1212	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
1356	richard	1213	[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
259	richard	1214	$SED "s?^DHCP_LEASE=.*?DHCP_LEASE=/var/log/dnsmasq/lease.log?g" /etc/sysconfig/dnsmasq # fichier contenant les baux
1356	richard	1215	# Option : on pré-active les logs DNS des clients
		1216	$SED "s?log-facility?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq
		1217	# Option : exemple de paramètre supplémentaire pour le cache memoire
		1218	echo '#OPTIONS="$OPTIONS --cache-size=250"' >> /etc/sysconfig/dnsmasq
		1219	# Option : exemple de configuration avec un A.D.
		1220	echo '#OPTIONS="$OPTIONS --server=/your.domain/192.168.182.3"' >> /etc/sysconfig/dnsmasq
503	richard	1221	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
520	richard	1222	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if bypass is on.
503	richard	1223	cat << EOF > /etc/dnsmasq.conf
520	richard	1224	# Configuration file for "dnsmasq in forward mode"
503	richard	1225	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
259	richard	1226	listen-address=$PRIVATE_IP
		1227	listen-address=127.0.0.1
286	richard	1228	no-dhcp-interface=$INTIF
259	richard	1229	bind-interfaces
		1230	cache-size=256
		1231	domain=$DOMAIN
		1232	domain-needed
		1233	expand-hosts
		1234	bogus-priv
		1235	filterwin2k
		1236	server=$DNS1
		1237	server=$DNS2
498	richard	1238	# le servive DHCP est configuré mais n'est exploité que pour le "bypass"
865	richard	1239	dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
632	richard	1240	dhcp-option=option:router,$PRIVATE_IP
259	richard	1241	#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
		1242
291	franck	1243	# Exemple de configuration statique : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1244	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1245	EOF
1356	richard	1246	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
		1247	cat << EOF > /etc/dnsmasq-blacklist.conf
		1248	# Configuration file for "dnsmasq with blacklist"
520	richard	1249	# Inclusion de la blacklist <domains> de Toulouse dans la configuration
1015	richard	1250	conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
503	richard	1251	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
498	richard	1252	listen-address=$PRIVATE_IP
		1253	port=54
		1254	no-dhcp-interface=$INTIF
		1255	bind-interfaces
		1256	cache-size=256
		1257	domain=$DOMAIN
		1258	domain-needed
		1259	expand-hosts
		1260	bogus-priv
		1261	filterwin2k
		1262	server=$DNS1
		1263	server=$DNS2
		1264	EOF
1356	richard	1265	# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelis")
1357	richard	1266	cat << EOF > /etc/dnsmasq-whitelist.conf
1356	richard	1267	# Configuration file for "dnsmasq with whitelist"
		1268	# Inclusion de la whitelist <domains> de Toulouse dans la configuration
		1269	conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
		1270	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
		1271	listen-address=$PRIVATE_IP
		1272	port=55
		1273	no-dhcp-interface=$INTIF
		1274	bind-interfaces
		1275	cache-size=256
		1276	domain=$DOMAIN
		1277	domain-needed
		1278	expand-hosts
		1279	bogus-priv
		1280	filterwin2k
		1281	address=/#/$PRIVATE_IP
		1282	EOF
		1283	# Create dnsmasq-blacklist and dnsmasq-whitelist unit
1361	richard	1284	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-blacklist.service
		1285	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-whitelist.service
1365	richard	1286	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-blacklist.conf?g" /lib/systemd/system/dnsmasq-blacklist.service
		1287	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
1358	richard	1288	# TODO Start after chilli which create tun0
1356	richard	1289	# $SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
308	richard	1290	} # End dnsmasq
		1291
		1292	##########################################################
1221	richard	1293	## Fonction "BL" ##
308	richard	1294	##########################################################
		1295	BL ()
		1296	{
		1297	# on copie par défaut la BL de toulouse embarqués dans l'archive d'ALCASAR
648	richard	1298	rm -rf $DIR_DG/lists/blacklists
		1299	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
878	richard	1300	# on crée le répertoire ossi (noms de domaine et URLs ajoutés à la BL)
		1301	mkdir $DIR_DG/lists/blacklists/ossi
1041	richard	1302	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
		1303	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
309	richard	1304	# On crée les fichiers vides de sites ou d'URL réhabilités
648	richard	1305	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1306	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1307	touch $DIR_DG/lists/exceptionsitelist
		1308	touch $DIR_DG/lists/exceptionurllist
311	richard	1309	# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
648	richard	1310	cat <<EOF > $DIR_DG/lists/bannedurllist
311	richard	1311	# Dansguardian filter config for ALCASAR
		1312	EOF
648	richard	1313	cat <<EOF > $DIR_DG/lists/bannedsitelist
311	richard	1314	# Dansguardian domain filter config for ALCASAR
		1315	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1316	#**
		1317	# block all SSL and CONNECT tunnels
		1318	**s
		1319	# block all SSL and CONNECT tunnels specified only as an IP
		1320	*ips
		1321	# block all sites specified only by an IP
		1322	*ip
		1323	EOF
1000	richard	1324	# Add Bing and Youtube to the safesearch url regext list (parental control)
878	richard	1325	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1326	# Bing - add 'adlt=strict'
		1327	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1328	# Youtube - add 'edufilter=your_ID'
885	richard	1329	#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"
878	richard	1330	EOF
1000	richard	1331	# change the the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1332	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
648	richard	1333	chown -R dansguardian:apache $DIR_DG
		1334	chmod -R g+rw $DIR_DG
786	richard	1335	# On adapte la BL de Toulouse à notre structure
654	richard	1336	if [ "$mode" != "update" ]; then
		1337	$DIR_DEST_SBIN/alcasar-bl.sh --adapt
		1338	fi
308	richard	1339	}
219	jeremy	1340
1	root	1341	##########################################################
1221	richard	1342	## Fonction "cron" ##
1	root	1343	## - Mise en place des différents fichiers de cron ##
		1344	##########################################################
		1345	cron ()
		1346	{
		1347	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1348	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1349	cat <<EOF > /etc/crontab
		1350	SHELL=/bin/bash
		1351	PATH=/sbin:/bin:/usr/sbin:/usr/bin
		1352	MAILTO=root
		1353	HOME=/
		1354
		1355	# run-parts
		1356	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1357	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1358	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1359	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1360	EOF
		1361	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1362	cat <<EOF >> /etc/anacrontab
667	franck	1363	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
		1364	7 10 cron.logExport nice /etc/cron.d/alcasar-export_log
		1365	7 15 cron.logClean nice /etc/cron.d/alcasar-clean_log
		1366	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1367	EOF
1247	crox53	1368
811	richard	1369	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1370	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
955	richard	1371	45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
905	franck	1372	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
917	franck	1373	40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1374	EOF
952	franck	1375	cat <<EOF > /etc/cron.d/alcasar-archive
		1376	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1377	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1378	EOF
667	franck	1379	cat << EOF > /etc/cron.d/alcasar-clean_import
713	franck	1380	# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
503	richard	1381	30 * * * * root $DIR_DEST_BIN/alcasar-import-clean.sh
168	franck	1382	EOF
722	franck	1383	cat << EOF > /etc/cron.d/alcasar-distrib-updates
		1384	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1385	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1386	EOF
1247	crox53	1387	#cat << EOF > /etc/cron.d/alcasar-netflow
1159	crox53	1388	# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
1247	crox53	1389	#15 0 * * 1 root $DIR_DEST_BIN/alcasar-netflow.sh
		1390	#EOF
1159	crox53	1391
1	root	1392	# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
		1393	# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
		1394	# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
		1395	# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
		1396	# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
		1397	# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
		1398	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
		1399	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
		1400	rm -f /etc/cron.daily/freeradius-web
		1401	rm -f /etc/cron.monthly/freeradius-web
		1402	cat << EOF > /etc/cron.d/freeradius-web
		1403	1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
		1404	5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
		1405	10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
		1406	15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
		1407	EOF
671	franck	1408	cat << EOF > /etc/cron.d/alcasar-watchdog
713	franck	1409	# activation du "chien de garde" (watchdog) toutes les 3'
1	root	1410	/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
		1411	EOF
808	franck	1412	# activation du "chien de garde des services" (watchdog) toutes les 18'
		1413	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
		1414	# activation du "chien de garde" (daemon-watchdog) toutes les 18'
		1415	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1416	EOF
522	richard	1417	# suppression des crons usagers
		1418	rm -f /var/spool/cron/*
1	root	1419	} # End cron
		1420
		1421	##################################################################
1221	richard	1422	## Fonction "Fail2Ban" ##
1163	crox53	1423	##- Modification de la configuration de fail2ban ##
		1424	##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ##
		1425	##################################################################
		1426	fail2ban()
		1427	{
1191	crox53	1428	$DIR_CONF/fail2ban.sh
1192	crox53	1429	#Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
		1430	[ -e /var/log/fail2ban.log ] \|\| touch /var/log/fail2ban.log
		1431	[ -e /var/Save/logs/security/watchdog.log ] \|\| touch /var/Save/logs/security/watchdog.log
1165	crox53	1432	chmod 644 /var/log/fail2ban.log
1192	crox53	1433	chmod 644 /var/Save/logs/security/watchdog.log
1163	crox53	1434	} #Fin de fail2ban_install()
		1435
		1436	##################################################################
1221	richard	1437	## Fonction "post_install" ##
1	root	1438	## - Modification des bannières (locales et ssh) et des prompts ##
		1439	## - Installation de la structure de chiffrement pour root ##
		1440	## - Mise en place du sudoers et de la sécurité sur les fichiers##
		1441	## - Mise en place du la rotation des logs ##
5	franck	1442	## - Configuration dans le cas d'une mise à jour ##
1	root	1443	##################################################################
		1444	post_install()
		1445	{
		1446	# adaptation du script "chien de garde" (watchdog)
376	franck	1447	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
		1448	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
1	root	1449	# création de la bannière locale
1007	richard	1450	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		1451	cp -f $DIR_CONF/banner /etc/mageia-release
		1452	echo " V$VERSION" >> /etc/mageia-release
1	root	1453	# création de la bannière SSH
1007	richard	1454	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
5	franck	1455	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1456	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1457	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1458	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1459	# postfix banner anonymisation
		1460	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
604	richard	1461	# sshd écoute côté LAN et WAN
1	root	1462	$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
604	richard	1463	$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
860	richard	1464	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
628	richard	1465	echo "SSH=off" >> $CONF_FILE
1063	richard	1466	echo 'SSH_ADMIN_FROM=0.0.0.0/0.0.0.0' >> $CONF_FILE
628	richard	1467	echo "QOS=off" >> $CONF_FILE
		1468	echo "LDAP=off" >> $CONF_FILE
786	richard	1469	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
1358	richard	1470	echo "WEB_ANTIVIRUS=on" >> $CONF_FILE # TODO to remove
		1471	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE # TODO to remove
		1472	echo "DNS_FILTERING=off" >> $CONF_FILE # TODO to remove
885	richard	1473	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1078	franck	1474	echo "MULTIWAN=off" >> $CONF_FILE
		1475	echo "FAILOVER=30" >> $CONF_FILE
		1476	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1336	richard	1477	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
		1478	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1	root	1479	# Coloration des prompts
		1480	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1481	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1482	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1	root	1483	# Droits d'exécution pour utilisateur apache et sysadmin
		1484	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1485	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1486	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
1342	richard	1487	# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, radiusd, ulogd)
1	root	1488	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		1489	chmod 644 /etc/logrotate.d/*
714	franck	1490	# rectification sur versions précédentes de la compression des logs
706	franck	1491	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		1492	# actualisation des fichiers logs compressés
1342	richard	1493	for dir in firewall dansguardian httpd
706	franck	1494	do
714	franck	1495	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	1496	done
1221	richard	1497	# create the alcasar-load_balancing unit
		1498	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1184	crox53	1499	# This file is part of systemd.
		1500	#
		1501	# systemd is free software; you can redistribute it and/or modify it
		1502	# under the terms of the GNU General Public License as published by
		1503	# the Free Software Foundation; either version 2 of the License, or
		1504	# (at your option) any later version.
		1505
		1506	# This unit lauches alcasar-load-balancing.sh script.
		1507	[Unit]
		1508	Description=alcasar-load_balancing.sh execution
		1509	After=network.target iptables.service
		1510
		1511	[Service]
		1512	Type=oneshot
		1513	RemainAfterExit=yes
		1514	ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
		1515	ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
		1516	TimeoutSec=0
		1517	SysVStartPriority=99
		1518
		1519	[Install]
		1520	WantedBy=multi-user.target
1157	stephane	1521	EOF
1221	richard	1522	# processes launched at boot time (SYSV)
1358	richard	1523	for i in chilli havp
1221	richard	1524	do
		1525	/sbin/chkconfig --add $i
		1526	done
		1527	# processes launched at boot time (Systemctl)
1365	richard	1528	for i in alcasar-load_balancing nfsen mysqld httpd ntpd iptables ulogd dnsmasq dnsmasq-blacklist dnsmasq-whitelist radiusd dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access
1221	richard	1529	do
1361	richard	1530	systemctl -q enable $i
1221	richard	1531	done
		1532	# Apply French Security Agency (ANSSI) rules
1362	richard	1533	# ignore ICMP broadcast (smurf attack)
		1534	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
		1535	# ignore ICMP errors bogus
		1536	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
		1537	# remove ICMP redirects responces
		1538	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1539	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1540	# enable SYN Cookies (Syn flood attacks)
		1541	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
		1542	# enable kernel antispoofing
		1543	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
		1544	# ignore source routing
		1545	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
		1546	# set conntrack timer to 1h (3600s) instead of 5 weeks
		1547	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1157	stephane	1548	# disable log_martians (ALCASAR is often installed between two private network addresses)
1363	richard	1549	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1362	richard	1550	# remove Magic SysReq Keys
1363	richard	1551	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1003	richard	1552	# switch to multi-users runlevel (instead of x11)
1221	richard	1553	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1005	richard	1554	# GRUB modifications
		1555	# limit wait time to 3s
		1556	# create an alcasar entry instead of linux-nonfb
		1557	# change display to 1024*768 (vga791)
1221	richard	1558	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
		1559	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
		1560	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
		1561	$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
		1562	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
		1563	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1003	richard	1564	# Remove unused services and users
1365	richard	1565	for svc in sshd.service alsa-state
1221	richard	1566	do
1362	richard	1567	/bin/systemctl -q disable $svc
1221	richard	1568	done
1362	richard	1569	for rm_users in sysqdin
1221	richard	1570	do
		1571	user=`cat /etc/passwd\|grep $rm_users\|cut -d":" -f1`
		1572	if [ "$user" == "$rm_users" ]
		1573	then
		1574	/usr/sbin/userdel -f $rm_users
		1575	fi
		1576	done
		1577	# Load and apply the previous conf file
		1578	if [ "$mode" = "update" ]
532	richard	1579	then
1266	richard	1580	$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs
1221	richard	1581	$DIR_DEST_BIN/alcasar-conf.sh --load
		1582	PARENT_SCRIPT=`basename $0`
		1583	export PARENT_SCRIPT # to avoid stop&start process during the installation process
		1584	$DIR_DEST_BIN/alcasar-conf.sh --apply
		1585	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		1586	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
1269	richard	1587	if [ $MAJ_PREVIOUS_VERSION -lt 2 ] \|\| ([ $MAJ_PREVIOUS_VERSION -eq 2 ] && [ $MIN_PREVIOUS_VERSION -lt 8 ])
		1588	# update needed for versions previous then 2.8 due to the integration of the domainname ("localdomain" by default)
		1589	then
		1590	header_install
		1591	if [ $Lang == "fr" ]
		1592	then
		1593	echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
		1594	echo
		1595	echo -n "Nom : "
		1596	else
		1597	echo "This update need to redefine the first admin account"
		1598	echo
		1599	echo -n "Account : "
		1600	fi
		1601	read admin_portal
		1602	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		1603	mkdir -p $DIR_DEST_ETC/digest
		1604	chmod 755 $DIR_DEST_ETC/digest
		1605	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		1606	do
1350	richard	1607	/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
1269	richard	1608	done
		1609	$DIR_DEST_SBIN/alcasar-profil.sh --list
		1610	fi
532	richard	1611	fi
1221	richard	1612	rm -f /tmp/alcasar-conf*
		1613	chown -R root:apache $DIR_DEST_ETC/*
		1614	chmod -R 660 $DIR_DEST_ETC/*
		1615	chmod ug+x $DIR_DEST_ETC/digest
1045	franck	1616	# Apply and save the firewall rules
		1617	sh $DIR_DEST_BIN/alcasar-iptables.sh
		1618	sleep 2
1	root	1619	cd $DIR_INSTALL
5	franck	1620	echo ""
1	root	1621	echo "#############################################################################"
638	richard	1622	if [ $Lang == "fr" ]
		1623	then
		1624	echo "# Fin d'installation d'ALCASAR #"
		1625	echo "# #"
		1626	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1627	echo "# des Accès au Réseau ( ALCASAR ) #"
		1628	echo "# #"
		1629	echo "#############################################################################"
		1630	echo
		1631	echo "- ALCASAR sera fonctionnel après redémarrage du système"
		1632	echo
		1633	echo "- Lisez attentivement la documentation d'exploitation"
		1634	echo
		1635	echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		1636	echo
		1637	echo " Appuyez sur 'Entrée' pour continuer"
		1638	else
		1639	echo "# Enf of ALCASAR install process #"
		1640	echo "# #"
		1641	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1642	echo "# des Accès au Réseau ( ALCASAR ) #"
		1643	echo "# #"
		1644	echo "#############################################################################"
		1645	echo
		1646	echo "- The system will be rebooted in order to operate ALCASAR"
		1647	echo
		1648	echo "- Read the exploitation documentation"
		1649	echo
		1650	echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		1651	echo
		1652	echo " Hit 'Enter' to continue"
		1653	fi
815	richard	1654	sleep 2
		1655	if [ "$mode" != "update" ]
820	richard	1656	then
815	richard	1657	read a
		1658	fi
774	richard	1659	clear
1	root	1660	reboot
		1661	} # End post_install ()
		1662
1349	richard	1663
		1664	##################################################################
		1665	## Fonction "gammu_smsd" ##
		1666	## - Creation de la base de donnée Gammu ##
		1667	## - Creation du fichier de config: gammu_smsd_conf ##
		1668	## ##
		1669	##################################################################
		1670	gammu_smsd()
		1671	{
		1672	# Create 'gammu' databse
		1673	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
		1674	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
		1675	# Add a gammu database structure
		1676	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/gammu-smsd-db-vierge.sql
		1677
		1678
		1679	# Creation du fichier de config gammu_smsd_conf
		1680	cat << EOF > /etc/gammu_smsd_conf
		1681	[gammu]
		1682	port = /dev/ttyUSB0
		1683	connection = at115200
		1684
		1685	;########################################################
		1686
		1687	[smsd]
		1688
		1689	PIN = 1234
		1690
		1691	logfile = /var/log/gammu-smsd/gammu-smsd.log
		1692	logformat = textall
		1693	debuglevel = 0
		1694
		1695	service = sql
		1696	driver = native_mysql
		1697	user = $DB_USER
		1698	password = $radiuspwd
		1699	pc = localhost
		1700	database = $DB_GAMMU
		1701
		1702	RunOnReceive = /usr/local/bin/alcasar-sms.sh --new_sms
		1703
		1704	StatusFrequency = 30
		1705	LoopSleep = 2
		1706
		1707	;ResetFrequency = 300
		1708	;HardResetFrequency = 120
		1709
		1710	CheckSecurity = 1
		1711	CheckSignal = 1
		1712	CheckBattery = 0
		1713	EOF
		1714
		1715	chmod 755 /etc/gammu_smsd_conf
		1716
		1717	#Creation dossier de log Gammu-smsd
		1718	mkdir /var/log/gammu-smsd
		1719	chmod 755 /var/log/gammu-smsd
		1720
		1721	#Edition du script sql gammu <-> radius
		1722	$SED "10c u_db=\"$DB_USER\"" $DIR_DEST_BIN/alcasar-sms.sh
		1723	$SED "11c p_db=\"$radiuspwd\"" $DIR_DEST_BIN/alcasar-sms.sh
		1724
		1725	} # END gammu_smsd()
		1726
		1727
		1728
		1729
1	root	1730	#################################
1005	richard	1731	# Main Install loop #
1	root	1732	#################################
832	richard	1733	dir_exec=`dirname "$0"`
		1734	if [ $dir_exec != "." ]
		1735	then
		1736	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
		1737	echo "Launch this program from the ALCASAR archive directory"
		1738	exit 0
		1739	fi
		1740	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	1741	usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"
1	root	1742	nb_args=$#
		1743	args=$1
		1744	if [ $nb_args -eq 0 ]
		1745	then
		1746	nb_args=1
		1747	args="-h"
		1748	fi
1062	richard	1749	chmod -R u+x $DIR_SCRIPTS/*
1	root	1750	case $args in
		1751	-\? \| -h* \| --h*)
		1752	echo "$usage"
		1753	exit 0
		1754	;;
291	franck	1755	-i \| --install)
959	franck	1756	license
5	franck	1757	header_install
29	richard	1758	testing
595	richard	1759	# RPMs install
		1760	$DIR_SCRIPTS/alcasar-urpmi.sh
		1761	if [ "$?" != "0" ]
1	root	1762	then
595	richard	1763	exit 0
		1764	fi
1249	richard	1765	if [ -e $CONF_FILE ]
595	richard	1766	then
597	richard	1767	# Uninstall the running version
532	richard	1768	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
595	richard	1769	fi
636	richard	1770	# Test if manual update
1362	richard	1771	if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
595	richard	1772	then
636	richard	1773	header_install
595	richard	1774	if [ $Lang == "fr" ]
636	richard	1775	then echo "Le fichier de configuration d'une ancienne version a été trouvé";
		1776	else echo "The configuration file of an old version has been found";
595	richard	1777	fi
597	richard	1778	response=0
		1779	PTN='^[oOnNyY]$'
		1780	until [[ $(expr $response : $PTN) -gt 0 ]]
		1781	do
		1782	if [ $Lang == "fr" ]
		1783	then echo -n "Voulez-vous l'utiliser (O/n)? ";
		1784	else echo -n "Do you want to use it (Y/n)?";
		1785	fi
		1786	read response
		1787	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		1788	then rm -f /tmp/alcasar-conf*
		1789	fi
		1790	done
		1791	fi
636	richard	1792	# Test if update
1057	richard	1793	if [ -e /tmp/alcasar-conf* ]
597	richard	1794	then
		1795	if [ $Lang == "fr" ]
		1796	then echo "#### Installation avec mise à jour ####";
		1797	else echo "#### Installation with update ####";
		1798	fi
636	richard	1799	# Extract the central configuration file
1057	richard	1800	tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
637	richard	1801	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	1802	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		1803	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		1804	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		1805	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	1806	mode="update"
1	root	1807	fi
1342	richard	1808	for func in init network ACC CA init_db param_radius param_web_radius param_chilli param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron fail2ban post_install
5	franck	1809	do
		1810	$func
1362	richard	1811	# echo "* 'debug' : end of function $func *"; read a
14	richard	1812	done
5	franck	1813	;;
291	franck	1814	-u \| --uninstall)
5	franck	1815	if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1	root	1816	then
597	richard	1817	if [ $Lang == "fr" ]
		1818	then echo "ALCASAR n'est pas installé!";
		1819	else echo "ALCASAR isn't installed!";
		1820	fi
1	root	1821	exit 0
		1822	fi
5	franck	1823	response=0
		1824	PTN='^[oOnN]$'
580	richard	1825	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	1826	do
597	richard	1827	if [ $Lang == "fr" ]
		1828	then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
854	richard	1829	else echo -n "Do you want to create the running version configuration file (Y/n)? ";
597	richard	1830	fi
5	franck	1831	read response
		1832	done
1103	richard	1833	if [ "$response" = "o" ] \|\| [ "$response" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]
1	root	1834	then
1103	richard	1835	$DIR_SCRIPTS/alcasar-conf.sh --create
498	richard	1836	else
		1837	rm -f /tmp/alcasar-conf*
1	root	1838	fi
597	richard	1839	# Uninstall the running version
65	richard	1840	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1	root	1841	;;
		1842	*)
		1843	echo "Argument inconnu :$1";
460	richard	1844	echo "Unknown argument :$1";
1	root	1845	echo "$usage"
		1846	exit 1
		1847	;;
		1848	esac
10	franck	1849	# end of script
366	franck	1850

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1365