WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
57	franck	2	# $Id: alcasar.sh 1366 2014-05-29 09:21:47Z richard $
1	root	3
		4	# alcasar.sh
959	franck	5
1157	stephane	6	# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
		7	# Ce programme est un logiciel libre ; This software is free and open source
959	franck	8	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		9	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		10	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		11	# Voir la Licence Publique Générale GNU pour plus de détails.
		12
967	franck	13	# team@alcasar.net
959	franck	14
1	root	15	# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
		16	# This script is distributed under the Gnu General Public License (GPL)
		17
672	richard	18	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	19	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	20	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
1007	richard	21	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
672	richard	22	#
1342	richard	23	# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav, Ulog, fail2ban, NFsen and NFdump
1	root	24
		25	# Options :
376	franck	26	# -i or --install
		27	# -u or --uninstall
1	root	28
376	franck	29	# Functions :
1221	richard	30	# testing : connectivity tests and downloading before intall
		31	# init : Installation of RPM and scripts
		32	# network : Network parameters
		33	# ACC : ALCASAR Control Center installation
		34	# CA : Certification Authority initialization
		35	# init_db : Initilization of radius database managed with MariaDB
		36	# param_radius : FreeRadius initialisation
		37	# param_web_radius : copy ans modifiy original "freeradius web" in ACC
		38	# param_chilli : coovachilli initialisation (+authentication page)
		39	# param_dansguardian : DansGuardian filtering HTTP proxy configuration
		40	# antivirus : HAVP + libclamav configuration
		41	# param_nfsen : Configuration du grapheur nfsen pour apache
1253	richard	42	# dnsmasq : Name server configuration
		43	# BL : BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
1266	richard	44	# cron : Logs export + watchdog + connexion statistics
1253	richard	45	# fail2ban : Fail2ban installation and configuration
1266	richard	46	# post_install : Security, log rotation, etc.
1349	richard	47	# gammu_smsd : Autoregister addon (gammu-smsd)
1	root	48
		49	DATE=`date '+%d %B %Y - %Hh%M'`
		50	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	51	Lang=`echo $LANG\|cut -c 1-2`
1362	richard	52	mode="install"
1	root	53	# ***** Files parameters - paramètres fichiers *******
1015	richard	54	DIR_INSTALL=`pwd` # current directory
		55	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		56	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
		57	DIR_SAVE="/var/Save" # backup directory (system_backup, user_db_backup, logs)
		58	DIR_WEB="/var/www/html" # directory of APACHE
		59	DIR_DG="/etc/dansguardian" # directory of DansGuardian
		60	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
		61	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		62	DIR_DEST_SBIN="/usr/local/sbin" # directory of ALCASAR admin scripts
		63	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
		64	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
		65	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
		66	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	67	# ***** DBMS parameters - paramètres SGBD ******
1243	richard	68	DB_RADIUS="radius" # database name used by FreeRadius server
		69	DB_USER="radius" # user name allows to request the users database
1349	richard	70	DB_GAMMU="gammu" # database name used by Gammu-smsd
1	root	71	# ***** Network parameters - paramètres réseau *****
1211	crox53	72	HOSTNAME="alcasar" #
1243	richard	73	DOMAIN="localdomain" # default local domain
1336	richard	74	EXTIF=`/sbin/ip route\|grep default\|cut -d" " -f5` # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
		75	INTIF=`/sbin/ip link\|grep '^[[:digit:]]:'\|grep -v "lo\\|$EXTIF"\|cut -d" " -f2\|tr -d ":"` # INTIF is connected to the consultation network
1148	crox53	76	MTU="1500"
1157	stephane	77	ETHTOOL_OPTS='"autoneg off speed 100 duplex full"'
1243	richard	78	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
1	root	79	# **** Paths - chemin des commandes *****
		80	SED="/bin/sed -i"
		81	# **************** End of global parameters *******************
		82
959	franck	83	license ()
		84	{
		85	if [ $Lang == "fr" ]
967	franck	86	then cat $DIR_INSTALL/gpl-3.0.fr.txt \| more
		87	else cat $DIR_INSTALL/gpl-3.0.txt \| more
959	franck	88	fi
975	franck	89	echo "Taper sur Entrée pour continuer !"
		90	echo "Enter to continue."
959	franck	91	read a
		92	}
		93
1	root	94	header_install ()
		95	{
		96	clear
		97	echo "-----------------------------------------------------------------------------"
460	richard	98	echo " ALCASAR V$VERSION Installation"
1	root	99	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		100	echo "-----------------------------------------------------------------------------"
		101	} # End of header_install ()
		102
1174	crox53	103
1	root	104	##################################################################
1221	richard	105	## Function "testing" ##
1342	richard	106	## - Test of free space on /var (>10G) ##
1005	richard	107	## - Test of Internet access ##
29	richard	108	##################################################################
		109	testing ()
		110	{
1362	richard	111	# Test if ALCASAR is already installed
		112	if [ -e $CONF_FILE ]
		113	then
		114	current_version=`cat $CONF_FILE \| grep VERSION \| cut -d"=" -f2`
1342	richard	115	if [ $Lang == "fr" ]
1362	richard	116	then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
		117	else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
1342	richard	118	fi
1362	richard	119	response=0
		120	PTN='^[oOnNyY]$'
		121	until [[ $(expr $response : $PTN) -gt 0 ]]
		122	do
		123	if [ $Lang == "fr" ]
		124	then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
		125	else echo -n "Do you want to update (Y/n)?";
		126	fi
		127	read response
		128	done
		129	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		130	then
		131	rm -f /tmp/alcasar-conf*
		132	else
		133	# Create a backup of running version importants files
		134	$DIR_SCRIPTS/alcasar-conf.sh --create
		135	mode="update"
		136	fi
		137	else
1365	richard	138	if [ ! -d /var/log/netflow/porttracker ]
		139	then
		140	free_space=`df -BG --output=avail /var\|tail -1\|tr -d [:space:]G`
		141	if [ $free_space -lt 10 ]
		142	then
		143	if [ $Lang == "fr" ]
		144	then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
		145	else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
		146	fi
		147	exit 0
1362	richard	148	fi
1365	richard	149	fi
1342	richard	150	fi
		151	if [ $Lang == "fr" ]
784	richard	152	then echo -n "Tests des paramètres réseau : "
595	richard	153	else echo -n "Network parameters tests : "
		154	fi
1336	richard	155	# We test EXTIF config files
784	richard	156	PUBLIC_IP=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		157	PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
1362	richard	158	if [ "$EXTIF" == "" ] \|\| [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
784	richard	159	then
		160	if [ $Lang == "fr" ]
		161	then
		162	echo "Échec"
		163	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		164	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	165	echo "Appliquez les changements : 'systemctl restart network'"
784	richard	166	else
		167	echo "Failed"
		168	echo "The Internet connected network card ($EXTIF) isn't well configured."
		169	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	170	echo "Apply the new configuration 'systemctl restart network'"
784	richard	171	fi
830	richard	172	echo "DEVICE=$EXTIF"
784	richard	173	echo "IPADDR="
		174	echo "NETMASK="
		175	echo "GATEWAY="
		176	echo "DNS1="
		177	echo "DNS2="
830	richard	178	echo "ONBOOT=yes"
784	richard	179	exit 0
		180	fi
		181	echo -n "."
460	richard	182	# We test the Ethernet links state
29	richard	183	for i in $EXTIF $INTIF
		184	do
294	richard	185	/sbin/ip link set $i up
306	richard	186	sleep 3
1031	richard	187	CMD=`/usr/sbin/ethtool $i \|egrep 'Link detected'\| awk '{print $NF}'`
		188	CMD2=`/sbin/mii-tool $i \| grep link \| awk '{print $NF}'`
808	franck	189	if [ $CMD != "yes" ] && [ $CMD2 != "ok" ]
29	richard	190	then
595	richard	191	if [ $Lang == "fr" ]
		192	then
		193	echo "Échec"
		194	echo "Le lien réseau de la carte $i n'est pas actif."
		195	echo "Réglez ce problème puis relancez ce script."
		196	else
		197	echo "Failed"
		198	echo "The link state of $i interface id down."
		199	echo "Resolv this problem, then restart this script."
		200	fi
29	richard	201	exit 0
		202	fi
308	richard	203	echo -n "."
29	richard	204	done
		205	# On teste la présence d'un routeur par défaut (Box FAI)
784	richard	206	if [ `ip route list\|grep -c ^default` -ne "1" ] ; then
595	richard	207	if [ $Lang == "fr" ]
		208	then
		209	echo "Échec"
		210	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		211	echo "Réglez ce problème puis relancez ce script."
		212	else
		213	echo "Failed"
		214	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		215	echo "Resolv this problem, then restart this script."
		216	fi
29	richard	217	exit 0
		218	fi
308	richard	219	echo -n "."
978	franck	220	# On teste le lien vers le routeur par defaut
308	richard	221	IP_GW=`ip route list\|grep ^default\|cut -d" " -f3`
		222	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $IP_GW\|grep response\|cut -d" " -f2`
527	richard	223	if [ $(expr $arp_reply) -eq 0 ]
308	richard	224	then
595	richard	225	if [ $Lang == "fr" ]
		226	then
		227	echo "Échec"
		228	echo "Le routeur de site ou la Box Internet ($IP_GW) ne répond pas."
		229	echo "Réglez ce problème puis relancez ce script."
		230	else
		231	echo "Failed"
		232	echo "The Internet gateway doesn't answered"
		233	echo "Resolv this problem, then restart this script."
		234	fi
308	richard	235	exit 0
		236	fi
		237	echo -n "."
421	franck	238	# On teste la connectivité Internet
29	richard	239	rm -rf /tmp/con_ok.html
308	richard	240	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	241	if [ ! -e /tmp/con_ok.html ]
		242	then
595	richard	243	if [ $Lang == "fr" ]
		244	then
		245	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		246	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		247	echo "Vérifiez la validité des adresses IP des DNS."
		248	else
		249	echo "The Internet connection try failed (google.fr)."
		250	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		251	echo "Verify the DNS IP addresses"
		252	fi
29	richard	253	exit 0
		254	fi
		255	rm -rf /tmp/con_ok.html
308	richard	256	echo ". : ok"
302	richard	257	} # end of testing
		258
		259	##################################################################
1221	richard	260	## Function "init" ##
302	richard	261	## - Création du fichier "/root/ALCASAR_parametres.txt" ##
		262	## - Installation et modification des scripts du portail ##
		263	##################################################################
		264	init ()
		265	{
527	richard	266	if [ "$mode" != "update" ]
302	richard	267	then
		268	# On affecte le nom d'organisme
597	richard	269	header_install
302	richard	270	ORGANISME=!
		271	PTN='^[a-zA-Z0-9-]*$'
580	richard	272	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
302	richard	273	do
595	richard	274	if [ $Lang == "fr" ]
597	richard	275	then echo -n "Entrez le nom de votre organisme : "
		276	else echo -n "Enter the name of your organism : "
595	richard	277	fi
330	franck	278	read ORGANISME
613	richard	279	if [ "$ORGANISME" == "" ]
330	franck	280	then
		281	ORGANISME=!
		282	fi
		283	done
302	richard	284	fi
1	root	285	# On crée aléatoirement les mots de passe et les secrets partagés
628	richard	286	rm -f $PASSWD_FILE
1350	richard	287	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
		288	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
628	richard	289	echo "$grubpwd" >> $PASSWD_FILE
1348	richard	290	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
384	richard	291	$SED "/^password.*/d" /boot/grub/menu.lst
		292	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
1350	richard	293	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	294	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
628	richard	295	echo "root / $mysqlpwd" >> $PASSWD_FILE
1350	richard	296	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	297	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
628	richard	298	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
1350	richard	299	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	300	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
		301	echo "$secretuam" >> $PASSWD_FILE
1350	richard	302	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	303	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
		304	echo "$secretradius" >> $PASSWD_FILE
		305	chmod 640 $PASSWD_FILE
977	richard	306	# Scripts and conf files copy
		307	# - in /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
5	franck	308	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
977	richard	309	# - in /usr/local/sbin : alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
5	franck	310	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
977	richard	311	# - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
648	richard	312	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
1	root	313	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
		314	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
5	franck	315	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
		316	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
628	richard	317	# generate central conf file
		318	cat <<EOF > $CONF_FILE
612	richard	319	##########################################
		320	## ##
		321	## ALCASAR Parameters ##
		322	## ##
		323	##########################################
1	root	324
612	richard	325	INSTALL_DATE=$DATE
		326	VERSION=$VERSION
		327	ORGANISM=$ORGANISME
923	franck	328	DOMAIN=$DOMAIN
612	richard	329	EOF
628	richard	330	chmod o-rwx $CONF_FILE
1	root	331	} # End of init ()
		332
		333	##################################################################
1221	richard	334	## Function "network" ##
1	root	335	## - Définition du plan d'adressage du réseau de consultation ##
595	richard	336	## - Nommage DNS du système ##
1336	richard	337	## - Configuration de l'interface INTIF (réseau de consultation)##
1	root	338	## - Modification du fichier /etc/hosts ##
		339	## - Configuration du serveur de temps (NTP) ##
		340	## - Renseignement des fichiers hosts.allow et hosts.deny ##
		341	##################################################################
		342	network ()
		343	{
		344	header_install
636	richard	345	if [ "$mode" != "update" ]
		346	then
		347	if [ $Lang == "fr" ]
		348	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		349	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		350	fi
		351	response=0
		352	PTN='^[oOyYnN]$'
		353	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	354	do
595	richard	355	if [ $Lang == "fr" ]
659	richard	356	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	357	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	358	fi
1	root	359	read response
		360	done
636	richard	361	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		362	then
		363	PRIVATE_IP_MASK="0"
		364	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		365	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	366	do
595	richard	367	if [ $Lang == "fr" ]
597	richard	368	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		369	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	370	fi
597	richard	371	read PRIVATE_IP_MASK
1	root	372	done
636	richard	373	else
		374	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		375	fi
595	richard	376	else
637	richard	377	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		378	rm -rf conf/etc/alcasar.conf
1	root	379	fi
861	richard	380	# Define LAN side global parameters
1243	richard	381	hostname $HOSTNAME.$DOMAIN
		382	echo $HOSTNAME.$DOMAIN > /etc/hostname
977	richard	383	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
		384	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
		385	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
		386	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
		387	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
		388	classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; classe_sup_sup=`expr $classe + 2` # ie.: 2=classe B, 3=classe C
		389	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		390	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
		391	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f$classe_sup` # last octet of LAN address
		392	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f$classe_sup` # last octet of LAN broadcast
837	richard	393	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
977	richard	394	PRIVATE_SECOND_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 2` # second network address (ex.: 192.168.182.2)
837	richard	395	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
1336	richard	396	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6` # MAC address of INTIF
841	richard	397	# Define Internet parameters
14	richard	398	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		399	DNS1=`grep DNS1 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 1er DNS
		400	DNS2=`grep DNS2 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 2ème DNS
70	franck	401	DNS1=${DNS1:=208.67.220.220}
		402	DNS2=${DNS2:=208.67.222.222}
597	richard	403	PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2`
1052	richard	404	DEFAULT_PUBLIC_NETMASK=`ipcalc -m $PUBLIC_IP \| cut -d"=" -f2`
784	richard	405	PUBLIC_NETMASK=${PUBLIC_NETMASK:=$DEFAULT_PUBLIC_NETMASK}
1052	richard	406	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	407	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
765	stephane	408	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
994	franck	409	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	410	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
		411	echo "DNS1=$DNS1" >> $CONF_FILE
		412	echo "DNS2=$DNS2" >> $CONF_FILE
		413	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
941	richard	414	echo "DHCP=full" >> $CONF_FILE
914	franck	415	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		416	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		417	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
597	richard	418	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
841	richard	419	# config network
1	root	420	cat <<EOF > /etc/sysconfig/network
		421	NETWORKING=yes
1243	richard	422	HOSTNAME="$HOSTNAME.$DOMAIN"
1	root	423	FORWARD_IPV4=true
		424	EOF
841	richard	425	# config /etc/hosts
1	root	426	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		427	cat <<EOF > /etc/hosts
503	richard	428	127.0.0.1 localhost
1353	richard	429	$PRIVATE_IP $HOSTNAME.$DOMAIN $HOSTNAME $ORGANISME.$DOMAIN $ORGANISME
1	root	430	EOF
1336	richard	431	# Config EXTIF (Internet)
14	richard	432	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		433	DEVICE=$EXTIF
		434	BOOTPROTO=static
597	richard	435	IPADDR=$PUBLIC_IP
		436	NETMASK=$PUBLIC_NETMASK
		437	GATEWAY=$PUBLIC_GATEWAY
14	richard	438	DNS1=127.0.0.1
		439	ONBOOT=yes
		440	METRIC=10
		441	NOZEROCONF=yes
		442	MII_NOT_SUPPORTED=yes
		443	IPV6INIT=no
		444	IPV6TO4INIT=no
		445	ACCOUNTING=no
		446	USERCTL=no
994	franck	447	MTU=$MTU
14	richard	448	EOF
1336	richard	449	# Config INTIF (consultation LAN) in normal mode
841	richard	450	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		451	DEVICE=$INTIF
		452	BOOTPROTO=static
		453	ONBOOT=yes
		454	NOZEROCONF=yes
		455	MII_NOT_SUPPORTED=yes
		456	IPV6INIT=no
		457	IPV6TO4INIT=no
		458	ACCOUNTING=no
		459	USERCTL=no
1157	stephane	460	ETHTOOL_OPTS=$ETHTOOL_OPTS
841	richard	461	EOF
1336	richard	462	# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
793	richard	463	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
1	root	464	DEVICE=$INTIF
		465	BOOTPROTO=static
		466	IPADDR=$PRIVATE_IP
604	richard	467	NETMASK=$PRIVATE_NETMASK
1	root	468	ONBOOT=yes
		469	METRIC=10
		470	NOZEROCONF=yes
		471	MII_NOT_SUPPORTED=yes
14	richard	472	IPV6INIT=no
		473	IPV6TO4INIT=no
		474	ACCOUNTING=no
		475	USERCTL=no
1	root	476	EOF
440	franck	477	# Mise à l'heure du serveur
		478	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		479	cat <<EOF > /etc/ntp/step-tickers
455	franck	480	0.fr.pool.ntp.org # adapt to your country
		481	1.fr.pool.ntp.org
		482	2.fr.pool.ntp.org
440	franck	483	EOF
		484	# Configuration du serveur de temps (sur lui même)
1	root	485	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		486	cat <<EOF > /etc/ntp.conf
456	franck	487	server 0.fr.pool.ntp.org # adapt to your country
447	franck	488	server 1.fr.pool.ntp.org
		489	server 2.fr.pool.ntp.org
		490	server 127.127.1.0 # local clock si NTP internet indisponible ...
411	richard	491	fudge 127.127.1.0 stratum 10
604	richard	492	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
1	root	493	restrict 127.0.0.1
310	richard	494	driftfile /var/lib/ntp/drift
1	root	495	logfile /var/log/ntp.log
		496	EOF
440	franck	497
310	richard	498	chown -R ntp:ntp /var/lib/ntp
1	root	499	# Renseignement des fichiers hosts.allow et hosts.deny
		500	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		501	cat <<EOF > /etc/hosts.allow
		502	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	503	sshd: ALL
1	root	504	ntpd: $PRIVATE_NETWORK_SHORT
		505	EOF
		506	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		507	cat <<EOF > /etc/hosts.deny
		508	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		509	EOF
604	richard	510	# Firewall config
790	richard	511	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		512	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		513	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	514	# create the filter exception file and ip_bloqued file
790	richard	515	touch $DIR_DEST_ETC/alcasar-filter-exceptions
860	richard	516	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
1069	richard	517	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	518	# load conntrack ftp module
		519	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
		520	echo "ip_conntrack_ftp" >> /etc/modprobe.preload
1159	crox53	521	# load ipt_NETFLOW module
		522	echo "ipt_NETFLOW" >> /etc/modprobe.preload
1157	stephane	523	#
860	richard	524	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	525	} # End of network ()
		526
		527	##################################################################
1221	richard	528	## Function "ACC" ##
		529	## - installation du centre de gestion (ALCASAR Control Center) ##
1	root	530	## - configuration du serveur web (Apache) ##
		531	## - définition du 1er comptes de gestion ##
		532	## - sécurisation des accès ##
		533	##################################################################
1221	richard	534	ACC ()
1	root	535	{
		536	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		537	mkdir $DIR_WEB
		538	# Copie et configuration des fichiers du centre de gestion
316	richard	539	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972	richard	540	echo "$VERSION" > $DIR_WEB/VERSION
316	richard	541	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		542	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		543	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		544	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		545	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	546	chown -R apache:apache $DIR_WEB/*
1342	richard	547	for i in system_backup base logs/firewall logs/httpd logs/security;
1	root	548	do
		549	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		550	done
5	franck	551	chown -R root:apache $DIR_SAVE
71	richard	552	# Configuration et sécurisation php
		553	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	554	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		555	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	556	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		557	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71	richard	558	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		559	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
		560	# Configuration et sécurisation Apache
790	richard	561	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1	root	562	[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
1243	richard	563	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
303	richard	564	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1	root	565	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
		566	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
		567	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
790	richard	568	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
		569	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
		570	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
		571	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
		572	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
		573	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
990	franck	574	$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf
1359	richard	575	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] \|\| cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
		576	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
		577	[ -e /usr/share/httpd/error/include/top.html.default ] \|\| cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
		578	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
		579	[ -e /usr/share/httpd/error/include/bottom.html.default ] \|\| cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
		580	cat <<EOF > /usr/share/httpd/error/include/bottom.html
1	root	581	</body>
		582	</html>
		583	EOF
		584	# Définition du premier compte lié au profil 'admin'
509	richard	585	header_install
510	richard	586	if [ "$mode" = "install" ]
		587	then
613	richard	588	admin_portal=!
		589	PTN='^[a-zA-Z0-9-]*$'
		590	until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
		591	do
		592	header_install
		593	if [ $Lang == "fr" ]
		594	then
		595	echo ""
		596	echo "Définissez un premier compte d'administration du portail :"
		597	echo
		598	echo -n "Nom : "
		599	else
		600	echo ""
		601	echo "Define the first account allow to administrate the portal :"
		602	echo
		603	echo -n "Account : "
		604	fi
		605	read admin_portal
		606	if [ "$admin_portal" == "" ]
		607	then
		608	admin_portal=!
		609	fi
		610	done
1268	richard	611	# Creation of keys file for the admin account ("admin")
510	richard	612	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		613	mkdir -p $DIR_DEST_ETC/digest
		614	chmod 755 $DIR_DEST_ETC/digest
		615	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		616	do
1350	richard	617	/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
510	richard	618	done
		619	$DIR_DEST_SBIN/alcasar-profil.sh --list
		620	fi
434	richard	621	# synchronisation horaire
		622	ntpd -q -g &
1	root	623	# Sécurisation du centre
988	franck	624	rm -f /etc/httpd/conf/webapps.d/alcasar*
1	root	625	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	626	<Directory $DIR_ACC>
1	root	627	SSLRequireSSL
		628	AllowOverride None
		629	Order deny,allow
		630	Deny from all
		631	Allow from 127.0.0.1
		632	Allow from $PRIVATE_NETWORK_MASK
990	franck	633	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	634	require valid-user
		635	AuthType digest
1243	richard	636	AuthName $HOSTNAME.$DOMAIN
1	root	637	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	638	AuthUserFile $DIR_DEST_ETC/digest/key_all
1243	richard	639	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	640	</Directory>
316	richard	641	<Directory $DIR_ACC/admin>
1	root	642	SSLRequireSSL
		643	AllowOverride None
		644	Order deny,allow
		645	Deny from all
		646	Allow from 127.0.0.1
		647	Allow from $PRIVATE_NETWORK_MASK
990	franck	648	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	649	require valid-user
		650	AuthType digest
1243	richard	651	AuthName $HOSTNAME.$DOMAIN
1	root	652	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	653	AuthUserFile $DIR_DEST_ETC/digest/key_admin
1243	richard	654	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	655	</Directory>
344	richard	656	<Directory $DIR_ACC/manager>
1	root	657	SSLRequireSSL
		658	AllowOverride None
		659	Order deny,allow
		660	Deny from all
		661	Allow from 127.0.0.1
		662	Allow from $PRIVATE_NETWORK_MASK
990	franck	663	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	664	require valid-user
		665	AuthType digest
1243	richard	666	AuthName $HOSTNAME.$DOMAIN
1	root	667	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	668	AuthUserFile $DIR_DEST_ETC/digest/key_manager
1243	richard	669	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	670	</Directory>
316	richard	671	<Directory $DIR_ACC/backup>
		672	SSLRequireSSL
		673	AllowOverride None
		674	Order deny,allow
		675	Deny from all
		676	Allow from 127.0.0.1
		677	Allow from $PRIVATE_NETWORK_MASK
990	franck	678	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
316	richard	679	require valid-user
		680	AuthType digest
1243	richard	681	AuthName $HOSTNAME.$DOMAIN
316	richard	682	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	683	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	684	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
316	richard	685	</Directory>
811	richard	686	Alias /save/ "$DIR_SAVE/"
		687	<Directory $DIR_SAVE>
		688	SSLRequireSSL
		689	Options Indexes
		690	Order deny,allow
		691	Deny from all
		692	Allow from 127.0.0.1
		693	Allow from $PRIVATE_NETWORK_MASK
990	franck	694	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
811	richard	695	require valid-user
		696	AuthType digest
1243	richard	697	AuthName $HOSTNAME.$DOMAIN
811	richard	698	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	699	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
811	richard	700	</Directory>
1	root	701	EOF
1221	richard	702	} # End of ACC()
1	root	703
		704	##########################################################################################
1221	richard	705	## Fonction "CA" ##
1	root	706	## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
		707	##########################################################################################
1221	richard	708	CA ()
1	root	709	{
		710	$SED "s?ifcfg-eth.?ifcfg-$INTIF?g" $DIR_DEST_BIN/alcasar-CA.sh
510	richard	711	$DIR_DEST_BIN/alcasar-CA.sh
800	richard	712	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	713	[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
		714	$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
		715	$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
679	richard	716	$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
5	franck	717	chown -R root:apache /etc/pki
1	root	718	chmod -R 750 /etc/pki
1221	richard	719	} # End CA ()
1	root	720
		721	##########################################################################################
1221	richard	722	## Fonction "init_db" ##
1	root	723	## - Initialisation de la base Mysql ##
		724	## - Affectation du mot de passe de l'administrateur (root) ##
		725	## - Suppression des bases et des utilisateurs superflus ##
		726	## - Création de la base 'radius' ##
		727	## - Installation du schéma de cette base ##
		728	## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##
		729	## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##
		730	##########################################################################################
		731	init_db ()
		732	{
1355	richard	733	rm -rf /var/lib/mysql # to be sure that there is no former installation
1	root	734	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
		735	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
1355	richard	736	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
1353	richard	737	systemctl start mysqld.service
1	root	738	sleep 4
		739	mysqladmin -u root password $mysqlpwd
		740	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1355	richard	741	# Secure the server
		742	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
		743	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
615	richard	744	# Create 'radius' database
1317	richard	745	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
615	richard	746	# Add an empty radius database structure
364	franck	747	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
615	richard	748	# modify the start script in order to close accounting connexion when the system is comming down or up
1357	richard	749	[ -e /lib/systemd/system/mysqld.service.default ] \|\| cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
		750	$SED "/ExecStartPost=/a ExecStartPost=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
1355	richard	751	$SED "/ExecStartPost=/a ExecStop=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
		752	systemctl daemon-reload
1	root	753	} # End init_db ()
		754
		755	##########################################################################
1221	richard	756	## Fonction "param_radius" ##
1	root	757	## - Paramètrage des fichiers de configuration FreeRadius ##
		758	## - Affectation du secret partagé entre coova-chilli et freeradius ##
		759	## - Modification de fichier de conf pour l'accès à Mysql ##
		760	##########################################################################
		761	param_radius ()
		762	{
		763	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
		764	chown -R radius:radius /etc/raddb
		765	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1278	richard	766	# Set radius.conf parameters
1	root	767	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		768	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		769	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
1278	richard	770	# remove the proxy function
1	root	771	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf
		772	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
1278	richard	773	# remove EAP module
654	richard	774	$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1278	richard	775	# listen on loopback (should be modified later if EAP enabled)
1	root	776	$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
1278	richard	777	# enable the SQL module (and SQL counter)
1	root	778	$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
		779	$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
		780	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1278	richard	781	# remvove virtual server and copy our conf file
1	root	782	rm -f /etc/raddb/sites-enabled/*
1278	richard	783	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1	root	784	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
		785	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
		786	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
		787	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
384	richard	788	# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1	root	789	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1278	richard	790	# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1	root	791	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		792	cat << EOF > /etc/raddb/clients.conf
		793	client 127.0.0.1 {
		794	secret = $secretradius
		795	shortname = localhost
		796	}
		797	EOF
1278	richard	798	# sql.conf modification
1	root	799	[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
		800	$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
		801	$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
		802	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
		803	$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf
1278	richard	804	# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.)
1	root	805	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1278	richard	806	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
		807	# counter.conf modification (change the Max-All-Session-Time counter)
		808	[ -e /etc/raddb/sql/mysql/counter.conf.default ] \|\| cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
		809	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
		810	chown -R radius:radius /etc/raddb/sql/mysql/*
1358	richard	811	# make certain that mysql is up before radius start
		812	[ -e /lib/systemd/system/radiusd.service.default ] \|\| cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
		813	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
		814	systemctl daemon-reload
1	root	815	} # End param_radius ()
		816
		817	##########################################################################
1221	richard	818	## Function "param_web_radius" ##
1	root	819	## - Import, modification et paramètrage de l'interface "dialupadmin" ##
		820	## - Création du lien vers la page de changement de mot de passe ##
		821	##########################################################################
		822	param_web_radius ()
		823	{
		824	# copie de l'interface d'origine dans la structure Alcasar
316	richard	825	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
		826	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme
		827	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
344	richard	828	# copie des fichiers modifiés
		829	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
316	richard	830	chown -R apache:apache $DIR_ACC/manager/
344	richard	831	# Modification des fichiers de configuration
1	root	832	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
503	richard	833	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1	root	834	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		835	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		836	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
		837	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
		838	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
		839	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
		840	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
946	richard	841	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
344	richard	842	[ -e /etc/freeradius-web/config.php.default ] \|\| cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
1278	richard	843	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
131	richard	844	cat <<EOF > /etc/freeradius-web/naslist.conf
632	richard	845	nas1_name: alcasar-$ORGANISME
1	root	846	nas1_model: Portail captif
		847	nas1_ip: $PRIVATE_IP
		848	nas1_port_num: 0
		849	nas1_community: public
		850	EOF
		851	# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
		852	[ -e /etc/freeradius-web/user_edit.attrs.default ] \|\| mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
1278	richard	853	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
114	richard	854	# Ajout du mappage des attributs chillispot
		855	[ -e /etc/freeradius-web/sql.attrmap.default ] \|\| mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
1278	richard	856	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
1	root	857	# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
1278	richard	858	[ -e /etc/freeradius-web/sql.attrs.default ] \|\| cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
1	root	859	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
		860	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
5	franck	861	chown -R apache:apache /etc/freeradius-web
1	root	862	# Ajout de l'alias vers la page de "changement de mot de passe usager"
		863	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
344	richard	864	<Directory $DIR_WEB/pass>
1	root	865	SSLRequireSSL
		866	AllowOverride None
		867	Order deny,allow
		868	Deny from all
		869	Allow from 127.0.0.1
		870	Allow from $PRIVATE_NETWORK_MASK
1243	richard	871	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
1	root	872	</Directory>
		873	EOF
		874	} # End of param_web_radius ()
		875
799	richard	876	##################################################################################
1221	richard	877	## Fonction "param_chilli" ##
799	richard	878	## - Création du fichier d'initialisation et de configuration de coova-chilli ##
		879	## - Paramètrage de la page d'authentification (intercept.php) ##
		880	##################################################################################
1	root	881	param_chilli ()
		882	{
799	richard	883	# init file creation
461	richard	884	[ -e /etc/init.d/chilli.default ] \|\| cp /etc/init.d/chilli /etc/init.d/chilli.default
799	richard	885	cat <<EOF > /etc/init.d/chilli
		886	#!/bin/sh
		887	#
		888	# chilli CoovaChilli init
		889	#
		890	# chkconfig: 2345 65 35
		891	# description: CoovaChilli
		892	### BEGIN INIT INFO
		893	# Provides: chilli
		894	# Required-Start: network
		895	# Should-Start:
		896	# Required-Stop: network
		897	# Should-Stop:
		898	# Default-Start: 2 3 5
		899	# Default-Stop:
		900	# Description: CoovaChilli access controller
		901	### END INIT INFO
		902
		903	[ -f /usr/sbin/chilli ] \|\| exit 0
		904	. /etc/init.d/functions
		905	CONFIG=/etc/chilli.conf
		906	pidfile=/var/run/chilli.pid
		907	[ -f \$CONFIG ] \|\| {
		908	echo "\$CONFIG Not found"
		909	exit 0
		910	}
		911	RETVAL=0
		912	prog="chilli"
		913	case \$1 in
		914	start)
		915	if [ -f \$pidfile ] ; then
		916	gprintf "chilli is already running"
		917	else
		918	gprintf "Starting \$prog: "
		919	rm -f /var/run/chilli* # cleaning
		920	/sbin/modprobe tun >/dev/null 2>&1
		921	echo 1 > /proc/sys/net/ipv4/ip_forward
		922	[ -e /dev/net/tun ] \|\| {
		923	(cd /dev;
		924	mkdir net;
		925	cd net;
		926	mknod tun c 10 200)
		927	}
1336	richard	928	ifconfig $INTIF 0.0.0.0
799	richard	929	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		930	RETVAL=$?
		931	fi
		932	;;
		933
		934	reload)
		935	killall -HUP chilli
		936	;;
		937
		938	restart)
		939	\$0 stop
		940	sleep 2
		941	\$0 start
		942	;;
		943
		944	status)
		945	status chilli
		946	RETVAL=0
		947	;;
		948
		949	stop)
		950	if [ -f \$pidfile ] ; then
		951	gprintf "Shutting down \$prog: "
		952	killproc /usr/sbin/chilli
		953	RETVAL=\$?
		954	[ \$RETVAL = 0 ] && rm -f $pidfile
		955	else
		956	gprintf "chilli is not running"
		957	fi
		958	;;
		959
		960	*)
		961	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		962	exit 1
		963	esac
		964	echo
		965	EOF
		966
		967	# conf file creation
346	richard	968	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
		969	cat <<EOF > /etc/chilli.conf
		970	# coova config for ALCASAR
		971	cmdsocket /var/run/chilli.sock
1336	richard	972	unixipc chilli.$INTIF.ipc
		973	pidfile /var/run/chilli.$INTIF.pid
346	richard	974	net $PRIVATE_NETWORK_MASK
595	richard	975	dhcpif $INTIF
841	richard	976	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	977	#nodynip
865	richard	978	#statip
		979	dynip $PRIVATE_NETWORK_MASK
1249	richard	980	domain $DOMAIN
355	richard	981	dns1 $PRIVATE_IP
		982	dns2 $PRIVATE_IP
346	richard	983	uamlisten $PRIVATE_IP
503	richard	984	uamport 3990
837	richard	985	macauth
		986	macpasswd password
1243	richard	987	locationname $HOSTNAME.$DOMAIN
346	richard	988	radiusserver1 127.0.0.1
		989	radiusserver2 127.0.0.1
		990	radiussecret $secretradius
		991	radiusauthport 1812
		992	radiusacctport 1813
1243	richard	993	uamserver https://$HOSTNAME.$DOMAIN/intercept.php
		994	radiusnasid $HOSTNAME.$DOMAIN
346	richard	995	uamsecret $secretuam
1249	richard	996	uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN
346	richard	997	coaport 3799
1299	richard	998	#conup $DIR_DEST_BIN/alcasar-conup.sh
		999	#condown $DIR_DEST_BIN/alcasar-condown.sh
503	richard	1000	include $DIR_DEST_ETC/alcasar-uamallowed
		1001	include $DIR_DEST_ETC/alcasar-uamdomain
1294	richard	1002	#dhcpgateway
1157	stephane	1003	#dhcprelayagent
		1004	#dhcpgatewayport
346	richard	1005	EOF
1336	richard	1006	# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
977	richard	1007	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
840	richard	1008	# create files for trusted domains and urls
1148	crox53	1009	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	1010	chown root:apache $DIR_DEST_ETC/alcasar-*
		1011	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	1012	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	1013	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
		1014	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
796	richard	1015	# user 'chilli' creation (in order to run conup/off and up/down scripts
		1016	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		1017	if [ "$chilli_exist" == "1" ]
		1018	then
		1019	userdel -r chilli 2>/dev/null
		1020	fi
		1021	groupadd -f chilli
		1022	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1	root	1023	} # End of param_chilli ()
1349	richard	1024
1	root	1025	##################################################################
1221	richard	1026	## Fonction "param_dansguardian" ##
1	root	1027	## - Paramètrage du gestionnaire de contenu Dansguardian ##
		1028	##################################################################
		1029	param_dansguardian ()
		1030	{
		1031	mkdir /var/dansguardian
		1032	chown dansguardian /var/dansguardian
497	richard	1033	[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1293	richard	1034	# By default the filter is off
497	richard	1035	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1293	richard	1036	# French deny HTML page
497	richard	1037	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1293	richard	1038	# Listen only on LAN side
497	richard	1039	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1342	richard	1040	# DG send its flow to HAVP
		1041	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1293	richard	1042	# replace the default deny HTML page
1	root	1043	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
		1044	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1293	richard	1045	# Don't log
		1046	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
		1047	# Run 10 daemons (20 in largest server)
659	richard	1048	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1	root	1049	# on désactive par défaut le controle de contenu des pages html
497	richard	1050	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
		1051	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1052	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1	root	1053	# on désactive par défaut le contrôle d'URL par expressions régulières
497	richard	1054	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1055	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1	root	1056	# on désactive par défaut le contrôle de téléchargement de fichiers
497	richard	1057	[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
		1058	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
		1059	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1060	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1061	touch $DIR_DG/lists/bannedextensionlist
		1062	touch $DIR_DG/lists/bannedmimetypelist
		1063	# 'Safesearch' regex actualisation
498	richard	1064	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1065	# empty LAN IP list that won't be WEB filtered
		1066	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1067	touch $DIR_DG/lists/exceptioniplist
		1068	# Keep a copy of URL & domain filter configuration files
		1069	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1070	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1	root	1071	} # End of param_dansguardian ()
		1072
71	richard	1073	##################################################################
1221	richard	1074	## Fonction "antivirus" ##
1357	richard	1075	## - configuration of havp, libclamav and freshclam ##
71	richard	1076	##################################################################
		1077	antivirus ()
		1078	{
1358	richard	1079	# create 'havp' user
288	richard	1080	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1081	if [ "$havp_exist" == "1" ]
288	richard	1082	then
478	richard	1083	userdel -r havp 2>/dev/null
894	richard	1084	groupdel havp 2>/dev/null
288	richard	1085	fi
307	richard	1086	groupadd -f havp
796	richard	1087	useradd -r -g havp -s /bin/false -c "system user for havp" havp
1366	richard	1088	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
476	richard	1089	chown -R havp /var/tmp/havp /var/log/havp /var/run/havp
109	richard	1090	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1091	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
631	richard	1092	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on 8090
		1093	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
990	franck	1094	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1095	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1096	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1097	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1098	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1099	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1007	richard	1100	# skip checking of youtube flow (too heavy load / risk too low)
		1101	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1102	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1103	echo ".youtube.com/" >> /etc/havp/whitelist
1358	richard	1104	# replacement of init script
335	richard	1105	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
481	franck	1106	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1358	richard	1107	# replace of the intercept page (template)
340	richard	1108	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1109	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1358	richard	1110	# update virus database every 4 hours (24h/6)
1357	richard	1111	[ -e /etc/freshclam.conf.default ] \|\| cp /etc/freshclam.conf /etc/freshclam.conf.default
		1112	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
489	richard	1113	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1357	richard	1114	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1358	richard	1115	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
		1116	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1355	richard	1117	# Copy of the main virus database
734	richard	1118	rm -f /var/lib/clamav/*.cld # in case of old database scheme
1005	richard	1119	cp -f $DIR_CONF/clamav-main.cvd /var/lib/clamav/main.cvd
1357	richard	1120	/usr/bin/freshclam
71	richard	1121	}
		1122
1	root	1123	##################################################################################
1221	richard	1124	## function "param_ulogd" ##
476	richard	1125	## - Ulog config for multi-log files ##
		1126	##################################################################################
		1127	param_ulogd ()
		1128	{
		1129	# Three instances of ulogd (three different logfiles)
		1130	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1131	nl=1
1358	richard	1132	for log_type in traceability ssh ext-access
478	richard	1133	do
1365	richard	1134	[ -e /lib/systemd/system/ulogd-$log_type.service ] \|\| cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1366	richard	1135	/var/log/firewall/$log_type.log ] \|\| echo "" > /var/log/firewall/$log_type.log
478	richard	1136	cp -f /etc/ulogd.conf /etc/ulogd-$log_type.conf
		1137	$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
		1138	$SED '/OPRINT/,$d' /etc/ulogd-$log_type.conf
		1139	cat << EOF >> /etc/ulogd-$log_type.conf
		1140	[LOGEMU]
		1141	file="/var/log/firewall/$log_type.log"
		1142	sync=1
		1143	EOF
1358	richard	1144	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -C /etc/ulogd-$log_type.conf?g" /lib/systemd/system/ulogd-$log_type.service
478	richard	1145	nl=`expr $nl + 1`
		1146	done
476	richard	1147	chown -R root:apache /var/log/firewall
		1148	chmod 750 /var/log/firewall
		1149	chmod 640 /var/log/firewall/*
		1150	} # End of param_ulogd ()
		1151
1159	crox53	1152
		1153	##########################################################
1221	richard	1154	## Function "param_nfsen" ##
1159	crox53	1155	##########################################################
		1156	param_nfsen()
1	root	1157	{
1221	richard	1158	tar xvzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
1365	richard	1159	# Create a specific user and group
		1160	[ `grep "^www-data:" /etc/group \| wc -l` == 1 ] \|\| groupadd www-data
		1161	[ `grep "^nfsen:" /etc/passwd \| wc -l` == 1 ] \|\| useradd -m nfsen
1221	richard	1162	usermod -G www-data nfsen
1365	richard	1163	# Add PortTracker plugin
1221	richard	1164	mkdir -p /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
		1165	chown -R nfsen:www-data /var/www/nfsen
1366	richard	1166	chown -R apache:apache /usr/share/nfsen
1221	richard	1167	cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
1365	richard	1168	# use of our conf file and init unit
1221	richard	1169	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
		1170	cp $DIR_CONF/nfsen/nfsen.service /lib/systemd/system/
1365	richard	1171	# Installation of nfsen
1221	richard	1172	DirTmp=$(pwd)
		1173	cd /tmp/nfsen-1.3.6p1/
1365	richard	1174	/usr/bin/perl5 install.pl etc/nfsen.conf
		1175	/usr/bin/perl5 install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
		1176	# Create RRD DB for porttracker (only in it still doesn't exist)
1221	richard	1177	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
		1178	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
1366	richard	1179	[ -d /var/log/netflow/porttracker ] \|\| sudo -u apache nftrack -I -d /var/log/netflow/porttracker
1221	richard	1180	chown -R apache:www-data /var/log/netflow/porttracker/
		1181	chmod -R 775 /var/log/netflow/porttracker
1365	richard	1182	# Apache conf file
		1183	rm -f /etc/httpd/conf/conf.d/nfsen.conf
1355	richard	1184	cat <<EOF >> /etc/httpd/conf/conf.d/nfsen.conf
1159	crox53	1185	Alias /nfsen /var/www/nfsen
		1186	<Directory /var/www/nfsen/>
		1187	DirectoryIndex nfsen.php
		1188	Options -Indexes
		1189	AllowOverride all
		1190	order allow,deny
		1191	allow from all
		1192	AddType application/x-httpd-php .php
		1193	php_flag magic_quotes_gpc on
		1194	php_flag track_vars on
1	root	1195	</Directory>
		1196	EOF
1365	richard	1197	# Add the listen port to collect netflow packet (nfcapd)
1229	crox53	1198	$SED s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1";'?g /usr/libexec/NfSenRC.pm
1365	richard	1199	# expire delay for the profile "live"
1250	richard	1200	nfsen -m live -e 62d 2>/dev/null
1365	richard	1201	# clear the installation
1221	richard	1202	cd $DirTmp
		1203	rm -rf /tmp/nfsen-1.3.6p1/
1159	crox53	1204	} # End of param_nfsen
1	root	1205
		1206	##########################################################
1221	richard	1207	## Function "param_dnsmasq" ##
1	root	1208	##########################################################
219	jeremy	1209	param_dnsmasq ()
		1210	{
		1211	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
1356	richard	1212	[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
259	richard	1213	$SED "s?^DHCP_LEASE=.*?DHCP_LEASE=/var/log/dnsmasq/lease.log?g" /etc/sysconfig/dnsmasq # fichier contenant les baux
1356	richard	1214	# Option : on pré-active les logs DNS des clients
		1215	$SED "s?log-facility?#OPTIONS=\"-q --log-facility=/var/log/dnsmasq/queries.log\"?g" /etc/sysconfig/dnsmasq
		1216	# Option : exemple de paramètre supplémentaire pour le cache memoire
		1217	echo '#OPTIONS="$OPTIONS --cache-size=250"' >> /etc/sysconfig/dnsmasq
		1218	# Option : exemple de configuration avec un A.D.
		1219	echo '#OPTIONS="$OPTIONS --server=/your.domain/192.168.182.3"' >> /etc/sysconfig/dnsmasq
503	richard	1220	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
520	richard	1221	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if bypass is on.
503	richard	1222	cat << EOF > /etc/dnsmasq.conf
520	richard	1223	# Configuration file for "dnsmasq in forward mode"
503	richard	1224	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
259	richard	1225	listen-address=$PRIVATE_IP
		1226	listen-address=127.0.0.1
286	richard	1227	no-dhcp-interface=$INTIF
259	richard	1228	bind-interfaces
		1229	cache-size=256
		1230	domain=$DOMAIN
		1231	domain-needed
		1232	expand-hosts
		1233	bogus-priv
		1234	filterwin2k
		1235	server=$DNS1
		1236	server=$DNS2
498	richard	1237	# le servive DHCP est configuré mais n'est exploité que pour le "bypass"
865	richard	1238	dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
632	richard	1239	dhcp-option=option:router,$PRIVATE_IP
259	richard	1240	#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
		1241
291	franck	1242	# Exemple de configuration statique : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1243	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1244	EOF
1356	richard	1245	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
		1246	cat << EOF > /etc/dnsmasq-blacklist.conf
		1247	# Configuration file for "dnsmasq with blacklist"
520	richard	1248	# Inclusion de la blacklist <domains> de Toulouse dans la configuration
1015	richard	1249	conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
503	richard	1250	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
498	richard	1251	listen-address=$PRIVATE_IP
		1252	port=54
		1253	no-dhcp-interface=$INTIF
		1254	bind-interfaces
		1255	cache-size=256
		1256	domain=$DOMAIN
		1257	domain-needed
		1258	expand-hosts
		1259	bogus-priv
		1260	filterwin2k
		1261	server=$DNS1
		1262	server=$DNS2
		1263	EOF
1356	richard	1264	# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelis")
1357	richard	1265	cat << EOF > /etc/dnsmasq-whitelist.conf
1356	richard	1266	# Configuration file for "dnsmasq with whitelist"
		1267	# Inclusion de la whitelist <domains> de Toulouse dans la configuration
		1268	conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
		1269	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
		1270	listen-address=$PRIVATE_IP
		1271	port=55
		1272	no-dhcp-interface=$INTIF
		1273	bind-interfaces
		1274	cache-size=256
		1275	domain=$DOMAIN
		1276	domain-needed
		1277	expand-hosts
		1278	bogus-priv
		1279	filterwin2k
		1280	address=/#/$PRIVATE_IP
		1281	EOF
		1282	# Create dnsmasq-blacklist and dnsmasq-whitelist unit
1361	richard	1283	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-blacklist.service
		1284	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-whitelist.service
1365	richard	1285	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-blacklist.conf?g" /lib/systemd/system/dnsmasq-blacklist.service
		1286	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
1358	richard	1287	# TODO Start after chilli which create tun0
1356	richard	1288	# $SED "s?^# chkconfig:.*?# chkconfig: 2345 99 40?g" /etc/init.d/dnsmasq
308	richard	1289	} # End dnsmasq
		1290
		1291	##########################################################
1221	richard	1292	## Fonction "BL" ##
308	richard	1293	##########################################################
		1294	BL ()
		1295	{
		1296	# on copie par défaut la BL de toulouse embarqués dans l'archive d'ALCASAR
648	richard	1297	rm -rf $DIR_DG/lists/blacklists
		1298	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
878	richard	1299	# on crée le répertoire ossi (noms de domaine et URLs ajoutés à la BL)
		1300	mkdir $DIR_DG/lists/blacklists/ossi
1041	richard	1301	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
		1302	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
309	richard	1303	# On crée les fichiers vides de sites ou d'URL réhabilités
648	richard	1304	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1305	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1306	touch $DIR_DG/lists/exceptionsitelist
		1307	touch $DIR_DG/lists/exceptionurllist
311	richard	1308	# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
648	richard	1309	cat <<EOF > $DIR_DG/lists/bannedurllist
311	richard	1310	# Dansguardian filter config for ALCASAR
		1311	EOF
648	richard	1312	cat <<EOF > $DIR_DG/lists/bannedsitelist
311	richard	1313	# Dansguardian domain filter config for ALCASAR
		1314	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1315	#**
		1316	# block all SSL and CONNECT tunnels
		1317	**s
		1318	# block all SSL and CONNECT tunnels specified only as an IP
		1319	*ips
		1320	# block all sites specified only by an IP
		1321	*ip
		1322	EOF
1000	richard	1323	# Add Bing and Youtube to the safesearch url regext list (parental control)
878	richard	1324	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1325	# Bing - add 'adlt=strict'
		1326	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1327	# Youtube - add 'edufilter=your_ID'
885	richard	1328	#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"
878	richard	1329	EOF
1000	richard	1330	# change the the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1331	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
648	richard	1332	chown -R dansguardian:apache $DIR_DG
		1333	chmod -R g+rw $DIR_DG
786	richard	1334	# On adapte la BL de Toulouse à notre structure
654	richard	1335	if [ "$mode" != "update" ]; then
		1336	$DIR_DEST_SBIN/alcasar-bl.sh --adapt
		1337	fi
308	richard	1338	}
219	jeremy	1339
1	root	1340	##########################################################
1221	richard	1341	## Fonction "cron" ##
1	root	1342	## - Mise en place des différents fichiers de cron ##
		1343	##########################################################
		1344	cron ()
		1345	{
		1346	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1347	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1348	cat <<EOF > /etc/crontab
		1349	SHELL=/bin/bash
		1350	PATH=/sbin:/bin:/usr/sbin:/usr/bin
		1351	MAILTO=root
		1352	HOME=/
		1353
		1354	# run-parts
		1355	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1356	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1357	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1358	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1359	EOF
		1360	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1361	cat <<EOF >> /etc/anacrontab
667	franck	1362	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
		1363	7 10 cron.logExport nice /etc/cron.d/alcasar-export_log
		1364	7 15 cron.logClean nice /etc/cron.d/alcasar-clean_log
		1365	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1366	EOF
1247	crox53	1367
811	richard	1368	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1369	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
955	richard	1370	45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
905	franck	1371	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
917	franck	1372	40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1373	EOF
952	franck	1374	cat <<EOF > /etc/cron.d/alcasar-archive
		1375	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1376	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1377	EOF
667	franck	1378	cat << EOF > /etc/cron.d/alcasar-clean_import
713	franck	1379	# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
503	richard	1380	30 * * * * root $DIR_DEST_BIN/alcasar-import-clean.sh
168	franck	1381	EOF
722	franck	1382	cat << EOF > /etc/cron.d/alcasar-distrib-updates
		1383	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1384	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1385	EOF
1247	crox53	1386	#cat << EOF > /etc/cron.d/alcasar-netflow
1159	crox53	1387	# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
1247	crox53	1388	#15 0 * * 1 root $DIR_DEST_BIN/alcasar-netflow.sh
		1389	#EOF
1159	crox53	1390
1	root	1391	# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
		1392	# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
		1393	# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
		1394	# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
		1395	# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
		1396	# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
		1397	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
		1398	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
		1399	rm -f /etc/cron.daily/freeradius-web
		1400	rm -f /etc/cron.monthly/freeradius-web
		1401	cat << EOF > /etc/cron.d/freeradius-web
		1402	1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
		1403	5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
		1404	10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
		1405	15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
		1406	EOF
671	franck	1407	cat << EOF > /etc/cron.d/alcasar-watchdog
713	franck	1408	# activation du "chien de garde" (watchdog) toutes les 3'
1	root	1409	/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
		1410	EOF
808	franck	1411	# activation du "chien de garde des services" (watchdog) toutes les 18'
		1412	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
		1413	# activation du "chien de garde" (daemon-watchdog) toutes les 18'
		1414	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1415	EOF
522	richard	1416	# suppression des crons usagers
		1417	rm -f /var/spool/cron/*
1	root	1418	} # End cron
		1419
		1420	##################################################################
1221	richard	1421	## Fonction "Fail2Ban" ##
1163	crox53	1422	##- Modification de la configuration de fail2ban ##
		1423	##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ##
		1424	##################################################################
		1425	fail2ban()
		1426	{
1191	crox53	1427	$DIR_CONF/fail2ban.sh
1192	crox53	1428	#Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
		1429	[ -e /var/log/fail2ban.log ] \|\| touch /var/log/fail2ban.log
		1430	[ -e /var/Save/logs/security/watchdog.log ] \|\| touch /var/Save/logs/security/watchdog.log
1165	crox53	1431	chmod 644 /var/log/fail2ban.log
1192	crox53	1432	chmod 644 /var/Save/logs/security/watchdog.log
1163	crox53	1433	} #Fin de fail2ban_install()
		1434
		1435	##################################################################
1221	richard	1436	## Fonction "post_install" ##
1	root	1437	## - Modification des bannières (locales et ssh) et des prompts ##
		1438	## - Installation de la structure de chiffrement pour root ##
		1439	## - Mise en place du sudoers et de la sécurité sur les fichiers##
		1440	## - Mise en place du la rotation des logs ##
5	franck	1441	## - Configuration dans le cas d'une mise à jour ##
1	root	1442	##################################################################
		1443	post_install()
		1444	{
		1445	# adaptation du script "chien de garde" (watchdog)
376	franck	1446	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
		1447	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
1	root	1448	# création de la bannière locale
1007	richard	1449	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		1450	cp -f $DIR_CONF/banner /etc/mageia-release
		1451	echo " V$VERSION" >> /etc/mageia-release
1	root	1452	# création de la bannière SSH
1007	richard	1453	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
5	franck	1454	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1455	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1456	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1457	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1458	# postfix banner anonymisation
		1459	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
604	richard	1460	# sshd écoute côté LAN et WAN
1	root	1461	$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
604	richard	1462	$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
860	richard	1463	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
628	richard	1464	echo "SSH=off" >> $CONF_FILE
1063	richard	1465	echo 'SSH_ADMIN_FROM=0.0.0.0/0.0.0.0' >> $CONF_FILE
628	richard	1466	echo "QOS=off" >> $CONF_FILE
		1467	echo "LDAP=off" >> $CONF_FILE
786	richard	1468	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
1358	richard	1469	echo "WEB_ANTIVIRUS=on" >> $CONF_FILE # TODO to remove
		1470	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE # TODO to remove
		1471	echo "DNS_FILTERING=off" >> $CONF_FILE # TODO to remove
885	richard	1472	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1078	franck	1473	echo "MULTIWAN=off" >> $CONF_FILE
		1474	echo "FAILOVER=30" >> $CONF_FILE
		1475	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1336	richard	1476	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
		1477	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1	root	1478	# Coloration des prompts
		1479	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1480	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1481	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1	root	1482	# Droits d'exécution pour utilisateur apache et sysadmin
		1483	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1484	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1485	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
1342	richard	1486	# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, radiusd, ulogd)
1	root	1487	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		1488	chmod 644 /etc/logrotate.d/*
714	franck	1489	# rectification sur versions précédentes de la compression des logs
706	franck	1490	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		1491	# actualisation des fichiers logs compressés
1342	richard	1492	for dir in firewall dansguardian httpd
706	franck	1493	do
714	franck	1494	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	1495	done
1221	richard	1496	# create the alcasar-load_balancing unit
		1497	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1184	crox53	1498	# This file is part of systemd.
		1499	#
		1500	# systemd is free software; you can redistribute it and/or modify it
		1501	# under the terms of the GNU General Public License as published by
		1502	# the Free Software Foundation; either version 2 of the License, or
		1503	# (at your option) any later version.
		1504
		1505	# This unit lauches alcasar-load-balancing.sh script.
		1506	[Unit]
		1507	Description=alcasar-load_balancing.sh execution
		1508	After=network.target iptables.service
		1509
		1510	[Service]
		1511	Type=oneshot
		1512	RemainAfterExit=yes
		1513	ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
		1514	ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
		1515	TimeoutSec=0
		1516	SysVStartPriority=99
		1517
		1518	[Install]
		1519	WantedBy=multi-user.target
1157	stephane	1520	EOF
1221	richard	1521	# processes launched at boot time (SYSV)
1358	richard	1522	for i in chilli havp
1221	richard	1523	do
		1524	/sbin/chkconfig --add $i
		1525	done
		1526	# processes launched at boot time (Systemctl)
1365	richard	1527	for i in alcasar-load_balancing nfsen mysqld httpd ntpd iptables ulogd dnsmasq dnsmasq-blacklist dnsmasq-whitelist radiusd dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access
1221	richard	1528	do
1361	richard	1529	systemctl -q enable $i
1221	richard	1530	done
		1531	# Apply French Security Agency (ANSSI) rules
1362	richard	1532	# ignore ICMP broadcast (smurf attack)
		1533	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
		1534	# ignore ICMP errors bogus
		1535	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
		1536	# remove ICMP redirects responces
		1537	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1538	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1539	# enable SYN Cookies (Syn flood attacks)
		1540	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
		1541	# enable kernel antispoofing
		1542	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
		1543	# ignore source routing
		1544	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
		1545	# set conntrack timer to 1h (3600s) instead of 5 weeks
		1546	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1157	stephane	1547	# disable log_martians (ALCASAR is often installed between two private network addresses)
1363	richard	1548	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1362	richard	1549	# remove Magic SysReq Keys
1363	richard	1550	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1003	richard	1551	# switch to multi-users runlevel (instead of x11)
1221	richard	1552	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1005	richard	1553	# GRUB modifications
		1554	# limit wait time to 3s
		1555	# create an alcasar entry instead of linux-nonfb
		1556	# change display to 1024*768 (vga791)
1221	richard	1557	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
		1558	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
		1559	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
		1560	$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
		1561	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
		1562	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1003	richard	1563	# Remove unused services and users
1365	richard	1564	for svc in sshd.service alsa-state
1221	richard	1565	do
1362	richard	1566	/bin/systemctl -q disable $svc
1221	richard	1567	done
1362	richard	1568	for rm_users in sysqdin
1221	richard	1569	do
		1570	user=`cat /etc/passwd\|grep $rm_users\|cut -d":" -f1`
		1571	if [ "$user" == "$rm_users" ]
		1572	then
		1573	/usr/sbin/userdel -f $rm_users
		1574	fi
		1575	done
		1576	# Load and apply the previous conf file
		1577	if [ "$mode" = "update" ]
532	richard	1578	then
1266	richard	1579	$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs
1221	richard	1580	$DIR_DEST_BIN/alcasar-conf.sh --load
		1581	PARENT_SCRIPT=`basename $0`
		1582	export PARENT_SCRIPT # to avoid stop&start process during the installation process
		1583	$DIR_DEST_BIN/alcasar-conf.sh --apply
		1584	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		1585	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
1269	richard	1586	if [ $MAJ_PREVIOUS_VERSION -lt 2 ] \|\| ([ $MAJ_PREVIOUS_VERSION -eq 2 ] && [ $MIN_PREVIOUS_VERSION -lt 8 ])
		1587	# update needed for versions previous then 2.8 due to the integration of the domainname ("localdomain" by default)
		1588	then
		1589	header_install
		1590	if [ $Lang == "fr" ]
		1591	then
		1592	echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
		1593	echo
		1594	echo -n "Nom : "
		1595	else
		1596	echo "This update need to redefine the first admin account"
		1597	echo
		1598	echo -n "Account : "
		1599	fi
		1600	read admin_portal
		1601	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		1602	mkdir -p $DIR_DEST_ETC/digest
		1603	chmod 755 $DIR_DEST_ETC/digest
		1604	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		1605	do
1350	richard	1606	/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
1269	richard	1607	done
		1608	$DIR_DEST_SBIN/alcasar-profil.sh --list
		1609	fi
532	richard	1610	fi
1221	richard	1611	rm -f /tmp/alcasar-conf*
		1612	chown -R root:apache $DIR_DEST_ETC/*
		1613	chmod -R 660 $DIR_DEST_ETC/*
		1614	chmod ug+x $DIR_DEST_ETC/digest
1045	franck	1615	# Apply and save the firewall rules
		1616	sh $DIR_DEST_BIN/alcasar-iptables.sh
		1617	sleep 2
1	root	1618	cd $DIR_INSTALL
5	franck	1619	echo ""
1	root	1620	echo "#############################################################################"
638	richard	1621	if [ $Lang == "fr" ]
		1622	then
		1623	echo "# Fin d'installation d'ALCASAR #"
		1624	echo "# #"
		1625	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1626	echo "# des Accès au Réseau ( ALCASAR ) #"
		1627	echo "# #"
		1628	echo "#############################################################################"
		1629	echo
		1630	echo "- ALCASAR sera fonctionnel après redémarrage du système"
		1631	echo
		1632	echo "- Lisez attentivement la documentation d'exploitation"
		1633	echo
		1634	echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		1635	echo
		1636	echo " Appuyez sur 'Entrée' pour continuer"
		1637	else
		1638	echo "# Enf of ALCASAR install process #"
		1639	echo "# #"
		1640	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1641	echo "# des Accès au Réseau ( ALCASAR ) #"
		1642	echo "# #"
		1643	echo "#############################################################################"
		1644	echo
		1645	echo "- The system will be rebooted in order to operate ALCASAR"
		1646	echo
		1647	echo "- Read the exploitation documentation"
		1648	echo
		1649	echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		1650	echo
		1651	echo " Hit 'Enter' to continue"
		1652	fi
815	richard	1653	sleep 2
		1654	if [ "$mode" != "update" ]
820	richard	1655	then
815	richard	1656	read a
		1657	fi
774	richard	1658	clear
1	root	1659	reboot
		1660	} # End post_install ()
		1661
1349	richard	1662
		1663	##################################################################
		1664	## Fonction "gammu_smsd" ##
		1665	## - Creation de la base de donnée Gammu ##
		1666	## - Creation du fichier de config: gammu_smsd_conf ##
		1667	## ##
		1668	##################################################################
		1669	gammu_smsd()
		1670	{
		1671	# Create 'gammu' databse
		1672	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
		1673	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
		1674	# Add a gammu database structure
		1675	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/gammu-smsd-db-vierge.sql
		1676
		1677
		1678	# Creation du fichier de config gammu_smsd_conf
		1679	cat << EOF > /etc/gammu_smsd_conf
		1680	[gammu]
		1681	port = /dev/ttyUSB0
		1682	connection = at115200
		1683
		1684	;########################################################
		1685
		1686	[smsd]
		1687
		1688	PIN = 1234
		1689
		1690	logfile = /var/log/gammu-smsd/gammu-smsd.log
		1691	logformat = textall
		1692	debuglevel = 0
		1693
		1694	service = sql
		1695	driver = native_mysql
		1696	user = $DB_USER
		1697	password = $radiuspwd
		1698	pc = localhost
		1699	database = $DB_GAMMU
		1700
		1701	RunOnReceive = /usr/local/bin/alcasar-sms.sh --new_sms
		1702
		1703	StatusFrequency = 30
		1704	LoopSleep = 2
		1705
		1706	;ResetFrequency = 300
		1707	;HardResetFrequency = 120
		1708
		1709	CheckSecurity = 1
		1710	CheckSignal = 1
		1711	CheckBattery = 0
		1712	EOF
		1713
		1714	chmod 755 /etc/gammu_smsd_conf
		1715
		1716	#Creation dossier de log Gammu-smsd
		1717	mkdir /var/log/gammu-smsd
		1718	chmod 755 /var/log/gammu-smsd
		1719
		1720	#Edition du script sql gammu <-> radius
		1721	$SED "10c u_db=\"$DB_USER\"" $DIR_DEST_BIN/alcasar-sms.sh
		1722	$SED "11c p_db=\"$radiuspwd\"" $DIR_DEST_BIN/alcasar-sms.sh
		1723
		1724	} # END gammu_smsd()
		1725
		1726
		1727
		1728
1	root	1729	#################################
1005	richard	1730	# Main Install loop #
1	root	1731	#################################
832	richard	1732	dir_exec=`dirname "$0"`
		1733	if [ $dir_exec != "." ]
		1734	then
		1735	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
		1736	echo "Launch this program from the ALCASAR archive directory"
		1737	exit 0
		1738	fi
		1739	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	1740	usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"
1	root	1741	nb_args=$#
		1742	args=$1
		1743	if [ $nb_args -eq 0 ]
		1744	then
		1745	nb_args=1
		1746	args="-h"
		1747	fi
1062	richard	1748	chmod -R u+x $DIR_SCRIPTS/*
1	root	1749	case $args in
		1750	-\? \| -h* \| --h*)
		1751	echo "$usage"
		1752	exit 0
		1753	;;
291	franck	1754	-i \| --install)
959	franck	1755	license
5	franck	1756	header_install
29	richard	1757	testing
595	richard	1758	# RPMs install
		1759	$DIR_SCRIPTS/alcasar-urpmi.sh
		1760	if [ "$?" != "0" ]
1	root	1761	then
595	richard	1762	exit 0
		1763	fi
1249	richard	1764	if [ -e $CONF_FILE ]
595	richard	1765	then
597	richard	1766	# Uninstall the running version
532	richard	1767	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
595	richard	1768	fi
636	richard	1769	# Test if manual update
1362	richard	1770	if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
595	richard	1771	then
636	richard	1772	header_install
595	richard	1773	if [ $Lang == "fr" ]
636	richard	1774	then echo "Le fichier de configuration d'une ancienne version a été trouvé";
		1775	else echo "The configuration file of an old version has been found";
595	richard	1776	fi
597	richard	1777	response=0
		1778	PTN='^[oOnNyY]$'
		1779	until [[ $(expr $response : $PTN) -gt 0 ]]
		1780	do
		1781	if [ $Lang == "fr" ]
		1782	then echo -n "Voulez-vous l'utiliser (O/n)? ";
		1783	else echo -n "Do you want to use it (Y/n)?";
		1784	fi
		1785	read response
		1786	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		1787	then rm -f /tmp/alcasar-conf*
		1788	fi
		1789	done
		1790	fi
636	richard	1791	# Test if update
1057	richard	1792	if [ -e /tmp/alcasar-conf* ]
597	richard	1793	then
		1794	if [ $Lang == "fr" ]
		1795	then echo "#### Installation avec mise à jour ####";
		1796	else echo "#### Installation with update ####";
		1797	fi
636	richard	1798	# Extract the central configuration file
1057	richard	1799	tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
637	richard	1800	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	1801	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		1802	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		1803	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		1804	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	1805	mode="update"
1	root	1806	fi
1342	richard	1807	for func in init network ACC CA init_db param_radius param_web_radius param_chilli param_dansguardian antivirus param_ulogd param_nfsen param_dnsmasq BL cron fail2ban post_install
5	franck	1808	do
		1809	$func
1362	richard	1810	# echo "* 'debug' : end of function $func *"; read a
14	richard	1811	done
5	franck	1812	;;
291	franck	1813	-u \| --uninstall)
5	franck	1814	if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1	root	1815	then
597	richard	1816	if [ $Lang == "fr" ]
		1817	then echo "ALCASAR n'est pas installé!";
		1818	else echo "ALCASAR isn't installed!";
		1819	fi
1	root	1820	exit 0
		1821	fi
5	franck	1822	response=0
		1823	PTN='^[oOnN]$'
580	richard	1824	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	1825	do
597	richard	1826	if [ $Lang == "fr" ]
		1827	then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
854	richard	1828	else echo -n "Do you want to create the running version configuration file (Y/n)? ";
597	richard	1829	fi
5	franck	1830	read response
		1831	done
1103	richard	1832	if [ "$response" = "o" ] \|\| [ "$response" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]
1	root	1833	then
1103	richard	1834	$DIR_SCRIPTS/alcasar-conf.sh --create
498	richard	1835	else
		1836	rm -f /tmp/alcasar-conf*
1	root	1837	fi
597	richard	1838	# Uninstall the running version
65	richard	1839	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1	root	1840	;;
		1841	*)
		1842	echo "Argument inconnu :$1";
460	richard	1843	echo "Unknown argument :$1";
1	root	1844	echo "$usage"
		1845	exit 1
		1846	;;
		1847	esac
10	franck	1848	# end of script
366	franck	1849

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1366