WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
57	franck	2	# $Id: alcasar.sh 1410 2014-07-09 13:53:42Z richard $
1	root	3
		4	# alcasar.sh
959	franck	5
1157	stephane	6	# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
		7	# Ce programme est un logiciel libre ; This software is free and open source
959	franck	8	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		9	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		10	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		11	# Voir la Licence Publique Générale GNU pour plus de détails.
		12
967	franck	13	# team@alcasar.net
959	franck	14
1	root	15	# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
		16	# This script is distributed under the Gnu General Public License (GPL)
		17
672	richard	18	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	19	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	20	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
1007	richard	21	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
672	richard	22	#
1342	richard	23	# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav, Ulog, fail2ban, NFsen and NFdump
1	root	24
		25	# Options :
376	franck	26	# -i or --install
		27	# -u or --uninstall
1	root	28
376	franck	29	# Functions :
1378	richard	30	# testing : connectivity tests, free space test and mageia version test
1221	richard	31	# init : Installation of RPM and scripts
		32	# network : Network parameters
		33	# ACC : ALCASAR Control Center installation
		34	# CA : Certification Authority initialization
		35	# init_db : Initilization of radius database managed with MariaDB
1389	richard	36	# radius : FreeRadius initialisation
		37	# radius_web : copy ans modifiy original "freeradius web" in ACC
		38	# chilli : coovachilli initialisation (+authentication page)
		39	# dansguardian : DansGuardian filtering HTTP proxy configuration
1221	richard	40	# antivirus : HAVP + libclamav configuration
1389	richard	41	# ulogd : log system in userland (match NFLOG target of iptables)
		42	# nfsen : : Configuration du grapheur nfsen pour apache
1253	richard	43	# dnsmasq : Name server configuration
		44	# BL : BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
1266	richard	45	# cron : Logs export + watchdog + connexion statistics
1389	richard	46	# fail2ban : Fail2ban IDS installation and configuration
		47	# gammu_smsd : Autoregister addon via SMS (gammu-smsd)
1266	richard	48	# post_install : Security, log rotation, etc.
1	root	49
		50	DATE=`date '+%d %B %Y - %Hh%M'`
		51	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	52	Lang=`echo $LANG\|cut -c 1-2`
1362	richard	53	mode="install"
1	root	54	# ***** Files parameters - paramètres fichiers *******
1015	richard	55	DIR_INSTALL=`pwd` # current directory
		56	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		57	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
		58	DIR_SAVE="/var/Save" # backup directory (system_backup, user_db_backup, logs)
		59	DIR_WEB="/var/www/html" # directory of APACHE
		60	DIR_DG="/etc/dansguardian" # directory of DansGuardian
		61	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
		62	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		63	DIR_DEST_SBIN="/usr/local/sbin" # directory of ALCASAR admin scripts
		64	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
		65	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
		66	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
		67	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	68	# ***** DBMS parameters - paramètres SGBD ******
1243	richard	69	DB_RADIUS="radius" # database name used by FreeRadius server
		70	DB_USER="radius" # user name allows to request the users database
1349	richard	71	DB_GAMMU="gammu" # database name used by Gammu-smsd
1	root	72	# ***** Network parameters - paramètres réseau *****
1211	crox53	73	HOSTNAME="alcasar" #
1243	richard	74	DOMAIN="localdomain" # default local domain
1336	richard	75	EXTIF=`/sbin/ip route\|grep default\|cut -d" " -f5` # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
		76	INTIF=`/sbin/ip link\|grep '^[[:digit:]]:'\|grep -v "lo\\|$EXTIF"\|cut -d" " -f2\|tr -d ":"` # INTIF is connected to the consultation network
1148	crox53	77	MTU="1500"
1157	stephane	78	ETHTOOL_OPTS='"autoneg off speed 100 duplex full"'
1243	richard	79	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
1	root	80	# **** Paths - chemin des commandes *****
		81	SED="/bin/sed -i"
		82	# **************** End of global parameters *******************
		83
959	franck	84	license ()
		85	{
		86	if [ $Lang == "fr" ]
967	franck	87	then cat $DIR_INSTALL/gpl-3.0.fr.txt \| more
		88	else cat $DIR_INSTALL/gpl-3.0.txt \| more
959	franck	89	fi
975	franck	90	echo "Taper sur Entrée pour continuer !"
		91	echo "Enter to continue."
959	franck	92	read a
		93	}
		94
1	root	95	header_install ()
		96	{
		97	clear
		98	echo "-----------------------------------------------------------------------------"
460	richard	99	echo " ALCASAR V$VERSION Installation"
1	root	100	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		101	echo "-----------------------------------------------------------------------------"
1389	richard	102	}
1	root	103
		104	##################################################################
1221	richard	105	## Function "testing" ##
1378	richard	106	## - Test of Mageia version ##
1342	richard	107	## - Test of free space on /var (>10G) ##
1005	richard	108	## - Test of Internet access ##
29	richard	109	##################################################################
		110	testing ()
		111	{
1362	richard	112	# Test if ALCASAR is already installed
		113	if [ -e $CONF_FILE ]
		114	then
		115	current_version=`cat $CONF_FILE \| grep VERSION \| cut -d"=" -f2`
1342	richard	116	if [ $Lang == "fr" ]
1362	richard	117	then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
		118	else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
1342	richard	119	fi
1362	richard	120	response=0
		121	PTN='^[oOnNyY]$'
		122	until [[ $(expr $response : $PTN) -gt 0 ]]
		123	do
		124	if [ $Lang == "fr" ]
		125	then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
		126	else echo -n "Do you want to update (Y/n)?";
		127	fi
		128	read response
		129	done
		130	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		131	then
		132	rm -f /tmp/alcasar-conf*
		133	else
		134	# Create a backup of running version importants files
		135	$DIR_SCRIPTS/alcasar-conf.sh --create
		136	mode="update"
		137	fi
		138	else
1365	richard	139	if [ ! -d /var/log/netflow/porttracker ]
		140	then
1378	richard	141	# Test of free space on /var
1365	richard	142	free_space=`df -BG --output=avail /var\|tail -1\|tr -d [:space:]G`
		143	if [ $free_space -lt 10 ]
		144	then
		145	if [ $Lang == "fr" ]
		146	then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
		147	else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
		148	fi
		149	exit 0
1362	richard	150	fi
1378	richard	151	fi
		152	# Test of Mageia version
		153	# extract the current Mageia version and hardware architecture (i586 ou X64)
		154	fic=`cat /etc/product.id`
		155	unknown_os=0
		156	old="$IFS"
		157	IFS=","
		158	set $fic
		159	for i in $*
		160	do
		161	if [ "`echo $i\|grep distribution\|cut -d'=' -f1`" == "distribution" ]
		162	then
		163	DISTRIBUTION=`echo $i\|cut -d"=" -f2`
		164	unknown_os=`expr $unknown_os + 1`
		165	fi
		166	if [ "`echo $i\|grep version\|cut -d'=' -f1`" == "version" ]
		167	then
		168	CURRENT_VERSION=`echo $i\|cut -d"=" -f2`
		169	unknown_os=`expr $unknown_os + 1`
		170	fi
		171	if [ "`echo $i\|grep arch\|cut -d'=' -f1`" == "arch" ]
		172	then
		173	ARCH=`echo $i\|cut -d"=" -f2`
		174	unknown_os=`expr $unknown_os + 1`
		175	fi
		176	done
		177	IFS="$old"
		178	if [[ ( $unknown_os != 3 \|\| "$DISTRIBUTION" != "Mageia" ) && ( "$CURRENT_VERSION" != "4" ) ]]
		179	then
		180	if [ $Lang == "fr" ]
		181	then
		182	echo "L'installation ou la mise @ jour d'ALCASAR ne peut pas être réalisée."
		183	echo "Le système d'exploitation doit être remplacé (Mageia4)"
		184	else
		185	echo "The automatic update of ALCASAR can't be performed."
		186	echo "The OS must be replaced (Mageia4)"
		187	fi
		188	if [ -e /tmp/alcasar-conf.tar.gz ]
		189	then
		190	echo
		191	if [ $Lang == "fr" ]
		192	then
		193	echo "1 - Récupérez le fichier de configuration actuel (/tmp/alcasar-conf.tar.gz)."
		194	echo "2 - Installez Linux-Mageia4 (cf. doc d'installation)"
		195	echo "3 - copiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancer l'installation d'ALCASAR"
		196	else
		197	echo "1 - Retrieve the configuration file (/tmp/alcasar-conf.tar.gz)"
		198	echo "2 - Install Linux-Mageia4 (cf. installation doc)"
		199	echo "3 - Copy the file 'alcasar-conf.tar.gz' in the folder '/tmp' before launching the installation of ALCASAR"
		200	fi
		201	fi
		202	exit 0
		203	fi
1342	richard	204	fi
1378	richard	205	if [ $Lang == "fr" ]
784	richard	206	then echo -n "Tests des paramètres réseau : "
595	richard	207	else echo -n "Network parameters tests : "
		208	fi
1336	richard	209	# We test EXTIF config files
784	richard	210	PUBLIC_IP=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		211	PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
1362	richard	212	if [ "$EXTIF" == "" ] \|\| [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
784	richard	213	then
		214	if [ $Lang == "fr" ]
		215	then
		216	echo "Échec"
		217	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		218	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	219	echo "Appliquez les changements : 'systemctl restart network'"
784	richard	220	else
		221	echo "Failed"
		222	echo "The Internet connected network card ($EXTIF) isn't well configured."
		223	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	224	echo "Apply the new configuration 'systemctl restart network'"
784	richard	225	fi
830	richard	226	echo "DEVICE=$EXTIF"
784	richard	227	echo "IPADDR="
		228	echo "NETMASK="
		229	echo "GATEWAY="
		230	echo "DNS1="
		231	echo "DNS2="
830	richard	232	echo "ONBOOT=yes"
784	richard	233	exit 0
		234	fi
		235	echo -n "."
460	richard	236	# We test the Ethernet links state
29	richard	237	for i in $EXTIF $INTIF
		238	do
294	richard	239	/sbin/ip link set $i up
306	richard	240	sleep 3
1031	richard	241	CMD=`/usr/sbin/ethtool $i \|egrep 'Link detected'\| awk '{print $NF}'`
		242	CMD2=`/sbin/mii-tool $i \| grep link \| awk '{print $NF}'`
808	franck	243	if [ $CMD != "yes" ] && [ $CMD2 != "ok" ]
29	richard	244	then
595	richard	245	if [ $Lang == "fr" ]
		246	then
		247	echo "Échec"
		248	echo "Le lien réseau de la carte $i n'est pas actif."
		249	echo "Réglez ce problème puis relancez ce script."
		250	else
		251	echo "Failed"
		252	echo "The link state of $i interface id down."
		253	echo "Resolv this problem, then restart this script."
		254	fi
29	richard	255	exit 0
		256	fi
308	richard	257	echo -n "."
29	richard	258	done
		259	# On teste la présence d'un routeur par défaut (Box FAI)
784	richard	260	if [ `ip route list\|grep -c ^default` -ne "1" ] ; then
595	richard	261	if [ $Lang == "fr" ]
		262	then
		263	echo "Échec"
		264	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		265	echo "Réglez ce problème puis relancez ce script."
		266	else
		267	echo "Failed"
		268	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		269	echo "Resolv this problem, then restart this script."
		270	fi
29	richard	271	exit 0
		272	fi
308	richard	273	echo -n "."
978	franck	274	# On teste le lien vers le routeur par defaut
308	richard	275	IP_GW=`ip route list\|grep ^default\|cut -d" " -f3`
		276	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $IP_GW\|grep response\|cut -d" " -f2`
527	richard	277	if [ $(expr $arp_reply) -eq 0 ]
308	richard	278	then
595	richard	279	if [ $Lang == "fr" ]
		280	then
		281	echo "Échec"
		282	echo "Le routeur de site ou la Box Internet ($IP_GW) ne répond pas."
		283	echo "Réglez ce problème puis relancez ce script."
		284	else
		285	echo "Failed"
		286	echo "The Internet gateway doesn't answered"
		287	echo "Resolv this problem, then restart this script."
		288	fi
308	richard	289	exit 0
		290	fi
		291	echo -n "."
421	franck	292	# On teste la connectivité Internet
29	richard	293	rm -rf /tmp/con_ok.html
308	richard	294	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	295	if [ ! -e /tmp/con_ok.html ]
		296	then
595	richard	297	if [ $Lang == "fr" ]
		298	then
		299	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		300	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		301	echo "Vérifiez la validité des adresses IP des DNS."
		302	else
		303	echo "The Internet connection try failed (google.fr)."
		304	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		305	echo "Verify the DNS IP addresses"
		306	fi
29	richard	307	exit 0
		308	fi
		309	rm -rf /tmp/con_ok.html
308	richard	310	echo ". : ok"
1389	richard	311	} # end of testing ()
302	richard	312
		313	##################################################################
1221	richard	314	## Function "init" ##
302	richard	315	## - Création du fichier "/root/ALCASAR_parametres.txt" ##
		316	## - Installation et modification des scripts du portail ##
		317	##################################################################
		318	init ()
		319	{
527	richard	320	if [ "$mode" != "update" ]
302	richard	321	then
		322	# On affecte le nom d'organisme
597	richard	323	header_install
302	richard	324	ORGANISME=!
		325	PTN='^[a-zA-Z0-9-]*$'
580	richard	326	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
302	richard	327	do
595	richard	328	if [ $Lang == "fr" ]
597	richard	329	then echo -n "Entrez le nom de votre organisme : "
		330	else echo -n "Enter the name of your organism : "
595	richard	331	fi
330	franck	332	read ORGANISME
613	richard	333	if [ "$ORGANISME" == "" ]
330	franck	334	then
		335	ORGANISME=!
		336	fi
		337	done
302	richard	338	fi
1	root	339	# On crée aléatoirement les mots de passe et les secrets partagés
628	richard	340	rm -f $PASSWD_FILE
1350	richard	341	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
		342	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
628	richard	343	echo "$grubpwd" >> $PASSWD_FILE
1348	richard	344	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
384	richard	345	$SED "/^password.*/d" /boot/grub/menu.lst
		346	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
1350	richard	347	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	348	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
628	richard	349	echo "root / $mysqlpwd" >> $PASSWD_FILE
1350	richard	350	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	351	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
628	richard	352	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
1350	richard	353	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	354	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
		355	echo "$secretuam" >> $PASSWD_FILE
1350	richard	356	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	357	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
		358	echo "$secretradius" >> $PASSWD_FILE
		359	chmod 640 $PASSWD_FILE
977	richard	360	# Scripts and conf files copy
		361	# - in /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
5	franck	362	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
977	richard	363	# - in /usr/local/sbin : alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
5	franck	364	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
977	richard	365	# - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
648	richard	366	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
1	root	367	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
		368	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
5	franck	369	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
		370	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
628	richard	371	# generate central conf file
		372	cat <<EOF > $CONF_FILE
612	richard	373	##########################################
		374	## ##
		375	## ALCASAR Parameters ##
		376	## ##
		377	##########################################
1	root	378
612	richard	379	INSTALL_DATE=$DATE
		380	VERSION=$VERSION
		381	ORGANISM=$ORGANISME
923	franck	382	DOMAIN=$DOMAIN
612	richard	383	EOF
628	richard	384	chmod o-rwx $CONF_FILE
1	root	385	} # End of init ()
		386
		387	##################################################################
1221	richard	388	## Function "network" ##
1	root	389	## - Définition du plan d'adressage du réseau de consultation ##
595	richard	390	## - Nommage DNS du système ##
1336	richard	391	## - Configuration de l'interface INTIF (réseau de consultation)##
1	root	392	## - Modification du fichier /etc/hosts ##
		393	## - Configuration du serveur de temps (NTP) ##
		394	## - Renseignement des fichiers hosts.allow et hosts.deny ##
		395	##################################################################
		396	network ()
		397	{
		398	header_install
636	richard	399	if [ "$mode" != "update" ]
		400	then
		401	if [ $Lang == "fr" ]
		402	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		403	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		404	fi
		405	response=0
		406	PTN='^[oOyYnN]$'
		407	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	408	do
595	richard	409	if [ $Lang == "fr" ]
659	richard	410	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	411	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	412	fi
1	root	413	read response
		414	done
636	richard	415	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		416	then
		417	PRIVATE_IP_MASK="0"
		418	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		419	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	420	do
595	richard	421	if [ $Lang == "fr" ]
597	richard	422	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		423	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	424	fi
597	richard	425	read PRIVATE_IP_MASK
1	root	426	done
636	richard	427	else
		428	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		429	fi
595	richard	430	else
637	richard	431	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		432	rm -rf conf/etc/alcasar.conf
1	root	433	fi
861	richard	434	# Define LAN side global parameters
1243	richard	435	hostname $HOSTNAME.$DOMAIN
		436	echo $HOSTNAME.$DOMAIN > /etc/hostname
977	richard	437	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
		438	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
		439	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
		440	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
		441	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
		442	classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; classe_sup_sup=`expr $classe + 2` # ie.: 2=classe B, 3=classe C
		443	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		444	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
		445	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f$classe_sup` # last octet of LAN address
		446	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f$classe_sup` # last octet of LAN broadcast
837	richard	447	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
977	richard	448	PRIVATE_SECOND_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 2` # second network address (ex.: 192.168.182.2)
837	richard	449	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
1336	richard	450	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6` # MAC address of INTIF
841	richard	451	# Define Internet parameters
14	richard	452	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		453	DNS1=`grep DNS1 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 1er DNS
		454	DNS2=`grep DNS2 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 2ème DNS
70	franck	455	DNS1=${DNS1:=208.67.220.220}
		456	DNS2=${DNS2:=208.67.222.222}
597	richard	457	PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2`
1052	richard	458	DEFAULT_PUBLIC_NETMASK=`ipcalc -m $PUBLIC_IP \| cut -d"=" -f2`
784	richard	459	PUBLIC_NETMASK=${PUBLIC_NETMASK:=$DEFAULT_PUBLIC_NETMASK}
1052	richard	460	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	461	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
765	stephane	462	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
994	franck	463	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	464	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
		465	echo "DNS1=$DNS1" >> $CONF_FILE
		466	echo "DNS2=$DNS2" >> $CONF_FILE
		467	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
941	richard	468	echo "DHCP=full" >> $CONF_FILE
914	franck	469	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		470	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		471	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
597	richard	472	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
841	richard	473	# config network
1	root	474	cat <<EOF > /etc/sysconfig/network
		475	NETWORKING=yes
1243	richard	476	HOSTNAME="$HOSTNAME.$DOMAIN"
1	root	477	FORWARD_IPV4=true
		478	EOF
841	richard	479	# config /etc/hosts
1	root	480	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		481	cat <<EOF > /etc/hosts
503	richard	482	127.0.0.1 localhost
1353	richard	483	$PRIVATE_IP $HOSTNAME.$DOMAIN $HOSTNAME $ORGANISME.$DOMAIN $ORGANISME
1	root	484	EOF
1336	richard	485	# Config EXTIF (Internet)
14	richard	486	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		487	DEVICE=$EXTIF
		488	BOOTPROTO=static
597	richard	489	IPADDR=$PUBLIC_IP
		490	NETMASK=$PUBLIC_NETMASK
		491	GATEWAY=$PUBLIC_GATEWAY
14	richard	492	DNS1=127.0.0.1
		493	ONBOOT=yes
		494	METRIC=10
		495	NOZEROCONF=yes
		496	MII_NOT_SUPPORTED=yes
		497	IPV6INIT=no
		498	IPV6TO4INIT=no
		499	ACCOUNTING=no
		500	USERCTL=no
994	franck	501	MTU=$MTU
14	richard	502	EOF
1336	richard	503	# Config INTIF (consultation LAN) in normal mode
841	richard	504	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		505	DEVICE=$INTIF
		506	BOOTPROTO=static
		507	ONBOOT=yes
		508	NOZEROCONF=yes
		509	MII_NOT_SUPPORTED=yes
		510	IPV6INIT=no
		511	IPV6TO4INIT=no
		512	ACCOUNTING=no
		513	USERCTL=no
1157	stephane	514	ETHTOOL_OPTS=$ETHTOOL_OPTS
841	richard	515	EOF
1336	richard	516	# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
793	richard	517	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
1	root	518	DEVICE=$INTIF
		519	BOOTPROTO=static
		520	IPADDR=$PRIVATE_IP
604	richard	521	NETMASK=$PRIVATE_NETMASK
1	root	522	ONBOOT=yes
		523	METRIC=10
		524	NOZEROCONF=yes
		525	MII_NOT_SUPPORTED=yes
14	richard	526	IPV6INIT=no
		527	IPV6TO4INIT=no
		528	ACCOUNTING=no
		529	USERCTL=no
1	root	530	EOF
440	franck	531	# Mise à l'heure du serveur
		532	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		533	cat <<EOF > /etc/ntp/step-tickers
455	franck	534	0.fr.pool.ntp.org # adapt to your country
		535	1.fr.pool.ntp.org
		536	2.fr.pool.ntp.org
440	franck	537	EOF
		538	# Configuration du serveur de temps (sur lui même)
1	root	539	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		540	cat <<EOF > /etc/ntp.conf
456	franck	541	server 0.fr.pool.ntp.org # adapt to your country
447	franck	542	server 1.fr.pool.ntp.org
		543	server 2.fr.pool.ntp.org
		544	server 127.127.1.0 # local clock si NTP internet indisponible ...
411	richard	545	fudge 127.127.1.0 stratum 10
604	richard	546	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
1	root	547	restrict 127.0.0.1
310	richard	548	driftfile /var/lib/ntp/drift
1	root	549	logfile /var/log/ntp.log
		550	EOF
440	franck	551
310	richard	552	chown -R ntp:ntp /var/lib/ntp
1	root	553	# Renseignement des fichiers hosts.allow et hosts.deny
		554	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		555	cat <<EOF > /etc/hosts.allow
		556	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	557	sshd: ALL
1	root	558	ntpd: $PRIVATE_NETWORK_SHORT
		559	EOF
		560	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		561	cat <<EOF > /etc/hosts.deny
		562	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		563	EOF
604	richard	564	# Firewall config
790	richard	565	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		566	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-iptables.sh $DIR_DEST_BIN/alcasar-iptables-bypass.sh
		567	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	568	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
1069	richard	569	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	570	# load conntrack ftp module
		571	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
		572	echo "ip_conntrack_ftp" >> /etc/modprobe.preload
1159	crox53	573	# load ipt_NETFLOW module
		574	echo "ipt_NETFLOW" >> /etc/modprobe.preload
1157	stephane	575	#
860	richard	576	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	577	} # End of network ()
		578
		579	##################################################################
1221	richard	580	## Function "ACC" ##
		581	## - installation du centre de gestion (ALCASAR Control Center) ##
1	root	582	## - configuration du serveur web (Apache) ##
		583	## - définition du 1er comptes de gestion ##
		584	## - sécurisation des accès ##
		585	##################################################################
1221	richard	586	ACC ()
1	root	587	{
		588	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		589	mkdir $DIR_WEB
		590	# Copie et configuration des fichiers du centre de gestion
316	richard	591	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972	richard	592	echo "$VERSION" > $DIR_WEB/VERSION
316	richard	593	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		594	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		595	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		596	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		597	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	598	chown -R apache:apache $DIR_WEB/*
1342	richard	599	for i in system_backup base logs/firewall logs/httpd logs/security;
1	root	600	do
		601	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		602	done
5	franck	603	chown -R root:apache $DIR_SAVE
71	richard	604	# Configuration et sécurisation php
		605	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	606	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		607	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	608	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		609	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71	richard	610	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		611	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
		612	# Configuration et sécurisation Apache
790	richard	613	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1	root	614	[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
1243	richard	615	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
303	richard	616	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1	root	617	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
		618	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
		619	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
790	richard	620	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
		621	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
		622	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
		623	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
		624	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
		625	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
990	franck	626	$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf
1359	richard	627	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] \|\| cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
		628	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
		629	[ -e /usr/share/httpd/error/include/top.html.default ] \|\| cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
		630	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
		631	[ -e /usr/share/httpd/error/include/bottom.html.default ] \|\| cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
		632	cat <<EOF > /usr/share/httpd/error/include/bottom.html
1	root	633	</body>
		634	</html>
		635	EOF
		636	# Définition du premier compte lié au profil 'admin'
509	richard	637	header_install
510	richard	638	if [ "$mode" = "install" ]
		639	then
613	richard	640	admin_portal=!
		641	PTN='^[a-zA-Z0-9-]*$'
		642	until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
		643	do
		644	header_install
		645	if [ $Lang == "fr" ]
		646	then
		647	echo ""
		648	echo "Définissez un premier compte d'administration du portail :"
		649	echo
		650	echo -n "Nom : "
		651	else
		652	echo ""
		653	echo "Define the first account allow to administrate the portal :"
		654	echo
		655	echo -n "Account : "
		656	fi
		657	read admin_portal
		658	if [ "$admin_portal" == "" ]
		659	then
		660	admin_portal=!
		661	fi
		662	done
1268	richard	663	# Creation of keys file for the admin account ("admin")
510	richard	664	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		665	mkdir -p $DIR_DEST_ETC/digest
		666	chmod 755 $DIR_DEST_ETC/digest
		667	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		668	do
1350	richard	669	/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
510	richard	670	done
		671	$DIR_DEST_SBIN/alcasar-profil.sh --list
		672	fi
434	richard	673	# synchronisation horaire
		674	ntpd -q -g &
1	root	675	# Sécurisation du centre
988	franck	676	rm -f /etc/httpd/conf/webapps.d/alcasar*
1	root	677	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	678	<Directory $DIR_ACC>
1	root	679	SSLRequireSSL
		680	AllowOverride None
		681	Order deny,allow
		682	Deny from all
		683	Allow from 127.0.0.1
		684	Allow from $PRIVATE_NETWORK_MASK
990	franck	685	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	686	require valid-user
		687	AuthType digest
1243	richard	688	AuthName $HOSTNAME.$DOMAIN
1	root	689	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	690	AuthUserFile $DIR_DEST_ETC/digest/key_all
1243	richard	691	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	692	</Directory>
316	richard	693	<Directory $DIR_ACC/admin>
1	root	694	SSLRequireSSL
		695	AllowOverride None
		696	Order deny,allow
		697	Deny from all
		698	Allow from 127.0.0.1
		699	Allow from $PRIVATE_NETWORK_MASK
990	franck	700	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	701	require valid-user
		702	AuthType digest
1243	richard	703	AuthName $HOSTNAME.$DOMAIN
1	root	704	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	705	AuthUserFile $DIR_DEST_ETC/digest/key_admin
1243	richard	706	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	707	</Directory>
344	richard	708	<Directory $DIR_ACC/manager>
1	root	709	SSLRequireSSL
		710	AllowOverride None
		711	Order deny,allow
		712	Deny from all
		713	Allow from 127.0.0.1
		714	Allow from $PRIVATE_NETWORK_MASK
990	franck	715	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	716	require valid-user
		717	AuthType digest
1243	richard	718	AuthName $HOSTNAME.$DOMAIN
1	root	719	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	720	AuthUserFile $DIR_DEST_ETC/digest/key_manager
1243	richard	721	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	722	</Directory>
316	richard	723	<Directory $DIR_ACC/backup>
		724	SSLRequireSSL
		725	AllowOverride None
		726	Order deny,allow
		727	Deny from all
		728	Allow from 127.0.0.1
		729	Allow from $PRIVATE_NETWORK_MASK
990	franck	730	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
316	richard	731	require valid-user
		732	AuthType digest
1243	richard	733	AuthName $HOSTNAME.$DOMAIN
316	richard	734	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	735	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	736	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
316	richard	737	</Directory>
811	richard	738	Alias /save/ "$DIR_SAVE/"
		739	<Directory $DIR_SAVE>
		740	SSLRequireSSL
		741	Options Indexes
		742	Order deny,allow
		743	Deny from all
		744	Allow from 127.0.0.1
		745	Allow from $PRIVATE_NETWORK_MASK
990	franck	746	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
811	richard	747	require valid-user
		748	AuthType digest
1243	richard	749	AuthName $HOSTNAME.$DOMAIN
811	richard	750	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	751	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
811	richard	752	</Directory>
1	root	753	EOF
1378	richard	754	# Launch after coova
		755	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
1410	richard	756	# Error page management
		757	FIC_ERROR_DOC=`find /etc/httpd/conf -type f -name multilang-errordoc.conf`
		758	[ -e $FIC_ERROR_DOC ] \|\| cp $FIC_ERROR_DOC $FIC_ERROR_DOC.default
		759
		760	cat <<EOF > $FIC_ERROR_DOC
		761	Alias /error/ "/var/www/html/"
		762
		763	<Directory "/usr/share/httpd/error">
		764	AllowOverride None
		765	Options IncludesNoExec
		766	AddOutputFilter Includes html
		767	AddHandler type-map var
		768	Require all granted
		769	LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
		770	ForceLanguagePriority Prefer Fallback
		771	</Directory>
		772
		773	ErrorDocument 400 /error/error.php?error=400
		774	ErrorDocument 401 /error/error.php?error=401
		775	ErrorDocument 403 /error/error.php?error=403
		776	ErrorDocument 404 /error/error.php?error=404
		777	ErrorDocument 405 /error/error.php?error=405
		778	ErrorDocument 408 /error/error.php?error=408
		779	ErrorDocument 410 /error/error.php?error=410
		780	ErrorDocument 411 /error/error.php?error=411
		781	ErrorDocument 412 /error/error.php?error=412
		782	ErrorDocument 413 /error/error.php?error=413
		783	ErrorDocument 414 /error/error.php?error=414
		784	ErrorDocument 415 /error/error.php?error=415
		785	ErrorDocument 500 /error/error.php?error=500
		786	ErrorDocument 501 /error/error.php?error=501
		787	ErrorDocument 502 /error/error.php?error=502
		788	ErrorDocument 503 /error/error.php?error=503
		789	ErrorDocument 506 /error/error.php?error=506
		790	EOF
		791
1389	richard	792	} # End of ACC ()
1	root	793
		794	##########################################################################################
1221	richard	795	## Fonction "CA" ##
1	root	796	## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
		797	##########################################################################################
1221	richard	798	CA ()
1	root	799	{
		800	$SED "s?ifcfg-eth.?ifcfg-$INTIF?g" $DIR_DEST_BIN/alcasar-CA.sh
510	richard	801	$DIR_DEST_BIN/alcasar-CA.sh
800	richard	802	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	803	[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
1410	richard	804
		805	#$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
		806	#$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
		807	#$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
		808
		809	cat <<EOF > $FIC_VIRTUAL_SSL
		810	# default SSL virtual host, used for all HTTPS requests that do not
		811	# match a ServerName or ServerAlias in any <VirtualHost> block.
		812
		813	<VirtualHost _default_:443>
		814	# general configuration
		815	ServerAdmin root@localhost
		816	ServerName localhost
		817
		818	# SSL configuration
		819	SSLEngine on
		820	SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
		821	SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
		822	SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
		823	CustomLog logs/ssl_request_log \
		824	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
		825	ErrorLog logs/ssl_error_log
		826	ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
		827	</VirtualHost>
		828	EOF
		829
5	franck	830	chown -R root:apache /etc/pki
1	root	831	chmod -R 750 /etc/pki
1389	richard	832	} # End of CA ()
1	root	833
		834	##########################################################################################
1221	richard	835	## Fonction "init_db" ##
1	root	836	## - Initialisation de la base Mysql ##
		837	## - Affectation du mot de passe de l'administrateur (root) ##
		838	## - Suppression des bases et des utilisateurs superflus ##
		839	## - Création de la base 'radius' ##
		840	## - Installation du schéma de cette base ##
		841	## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##
		842	## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##
		843	##########################################################################################
		844	init_db ()
		845	{
1355	richard	846	rm -rf /var/lib/mysql # to be sure that there is no former installation
1	root	847	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
		848	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
1355	richard	849	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
1353	richard	850	systemctl start mysqld.service
1	root	851	sleep 4
		852	mysqladmin -u root password $mysqlpwd
		853	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1355	richard	854	# Secure the server
		855	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
		856	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
615	richard	857	# Create 'radius' database
1317	richard	858	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
615	richard	859	# Add an empty radius database structure
364	franck	860	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
615	richard	861	# modify the start script in order to close accounting connexion when the system is comming down or up
1357	richard	862	[ -e /lib/systemd/system/mysqld.service.default ] \|\| cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
		863	$SED "/ExecStartPost=/a ExecStartPost=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
1355	richard	864	$SED "/ExecStartPost=/a ExecStop=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
		865	systemctl daemon-reload
1389	richard	866	} # End of init_db ()
1	root	867
		868	##########################################################################
1389	richard	869	## Fonction "radius" ##
1	root	870	## - Paramètrage des fichiers de configuration FreeRadius ##
		871	## - Affectation du secret partagé entre coova-chilli et freeradius ##
		872	## - Modification de fichier de conf pour l'accès à Mysql ##
		873	##########################################################################
1389	richard	874	radius ()
1	root	875	{
		876	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
		877	chown -R radius:radius /etc/raddb
		878	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1278	richard	879	# Set radius.conf parameters
1	root	880	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		881	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		882	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
1278	richard	883	# remove the proxy function
1	root	884	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf
		885	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
1278	richard	886	# remove EAP module
654	richard	887	$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1278	richard	888	# listen on loopback (should be modified later if EAP enabled)
1	root	889	$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
1278	richard	890	# enable the SQL module (and SQL counter)
1	root	891	$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
		892	$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
		893	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1278	richard	894	# remvove virtual server and copy our conf file
1	root	895	rm -f /etc/raddb/sites-enabled/*
1278	richard	896	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1	root	897	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
		898	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
		899	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
		900	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
384	richard	901	# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1	root	902	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1278	richard	903	# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1	root	904	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		905	cat << EOF > /etc/raddb/clients.conf
		906	client 127.0.0.1 {
		907	secret = $secretradius
		908	shortname = localhost
		909	}
		910	EOF
1278	richard	911	# sql.conf modification
1	root	912	[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
		913	$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
		914	$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
		915	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
		916	$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf
1278	richard	917	# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.)
1	root	918	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1278	richard	919	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
		920	# counter.conf modification (change the Max-All-Session-Time counter)
		921	[ -e /etc/raddb/sql/mysql/counter.conf.default ] \|\| cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
		922	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
		923	chown -R radius:radius /etc/raddb/sql/mysql/*
1358	richard	924	# make certain that mysql is up before radius start
		925	[ -e /lib/systemd/system/radiusd.service.default ] \|\| cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
		926	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
		927	systemctl daemon-reload
1389	richard	928	} # End radius ()
1	root	929
		930	##########################################################################
1389	richard	931	## Function "radius_web" ##
1	root	932	## - Import, modification et paramètrage de l'interface "dialupadmin" ##
		933	## - Création du lien vers la page de changement de mot de passe ##
		934	##########################################################################
1389	richard	935	radius_web ()
1	root	936	{
		937	# copie de l'interface d'origine dans la structure Alcasar
316	richard	938	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
		939	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme
		940	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
344	richard	941	# copie des fichiers modifiés
		942	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
316	richard	943	chown -R apache:apache $DIR_ACC/manager/
344	richard	944	# Modification des fichiers de configuration
1	root	945	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
503	richard	946	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1	root	947	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		948	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		949	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
		950	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
		951	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
		952	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
		953	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
946	richard	954	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
344	richard	955	[ -e /etc/freeradius-web/config.php.default ] \|\| cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
1278	richard	956	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
131	richard	957	cat <<EOF > /etc/freeradius-web/naslist.conf
632	richard	958	nas1_name: alcasar-$ORGANISME
1	root	959	nas1_model: Portail captif
		960	nas1_ip: $PRIVATE_IP
		961	nas1_port_num: 0
		962	nas1_community: public
		963	EOF
		964	# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
		965	[ -e /etc/freeradius-web/user_edit.attrs.default ] \|\| mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
1278	richard	966	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
114	richard	967	# Ajout du mappage des attributs chillispot
		968	[ -e /etc/freeradius-web/sql.attrmap.default ] \|\| mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
1278	richard	969	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
1	root	970	# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
1278	richard	971	[ -e /etc/freeradius-web/sql.attrs.default ] \|\| cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
1	root	972	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
		973	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
5	franck	974	chown -R apache:apache /etc/freeradius-web
1	root	975	# Ajout de l'alias vers la page de "changement de mot de passe usager"
		976	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
344	richard	977	<Directory $DIR_WEB/pass>
1	root	978	SSLRequireSSL
		979	AllowOverride None
		980	Order deny,allow
		981	Deny from all
		982	Allow from 127.0.0.1
		983	Allow from $PRIVATE_NETWORK_MASK
1243	richard	984	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
1	root	985	</Directory>
		986	EOF
1389	richard	987	} # End of radius_web ()
1	root	988
799	richard	989	##################################################################################
1389	richard	990	## Fonction "chilli" ##
799	richard	991	## - Création du fichier d'initialisation et de configuration de coova-chilli ##
		992	## - Paramètrage de la page d'authentification (intercept.php) ##
		993	##################################################################################
1389	richard	994	chilli ()
1	root	995	{
1370	richard	996	# chilli unit for systemd
		997	cat << EOF > /lib/systemd/system/chilli.service
1372	richard	998	# This file is part of systemd.
		999	#
		1000	# systemd is free software; you can redistribute it and/or modify it
		1001	# under the terms of the GNU General Public License as published by
		1002	# the Free Software Foundation; either version 2 of the License, or
		1003	# (at your option) any later version.
1370	richard	1004	[Unit]
		1005	Description=chilli is a captive portal daemon
		1006	After=network.target
		1007
		1008	[Service]
1379	richard	1009	Type=forking
1370	richard	1010	ExecStart=/usr/libexec/chilli start
		1011	ExecStop=/usr/libexec/chilli stop
		1012	ExecReload=/usr/libexec/chilli reload
		1013	PIDFile=/var/run/chilli.pid
		1014
		1015	[Install]
		1016	WantedBy=multi-user.target
		1017	EOF
799	richard	1018	# init file creation
1370	richard	1019	[ -e /etc/init.d/chilli.default ] \|\| mv /etc/init.d/chilli /etc/init.d/chilli.default
		1020	cat <<EOF > /usr/libexec/chilli
799	richard	1021	#!/bin/sh
		1022	#
		1023	# chilli CoovaChilli init
		1024	#
		1025	# chkconfig: 2345 65 35
		1026	# description: CoovaChilli
		1027	### BEGIN INIT INFO
		1028	# Provides: chilli
		1029	# Required-Start: network
		1030	# Should-Start:
		1031	# Required-Stop: network
		1032	# Should-Stop:
		1033	# Default-Start: 2 3 5
		1034	# Default-Stop:
		1035	# Description: CoovaChilli access controller
		1036	### END INIT INFO
		1037
		1038	[ -f /usr/sbin/chilli ] \|\| exit 0
		1039	. /etc/init.d/functions
		1040	CONFIG=/etc/chilli.conf
		1041	pidfile=/var/run/chilli.pid
		1042	[ -f \$CONFIG ] \|\| {
		1043	echo "\$CONFIG Not found"
		1044	exit 0
		1045	}
		1046	RETVAL=0
		1047	prog="chilli"
		1048	case \$1 in
		1049	start)
		1050	if [ -f \$pidfile ] ; then
		1051	gprintf "chilli is already running"
		1052	else
		1053	gprintf "Starting \$prog: "
		1054	rm -f /var/run/chilli* # cleaning
		1055	/sbin/modprobe tun >/dev/null 2>&1
		1056	echo 1 > /proc/sys/net/ipv4/ip_forward
		1057	[ -e /dev/net/tun ] \|\| {
		1058	(cd /dev;
		1059	mkdir net;
		1060	cd net;
		1061	mknod tun c 10 200)
		1062	}
1336	richard	1063	ifconfig $INTIF 0.0.0.0
799	richard	1064	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		1065	RETVAL=$?
		1066	fi
		1067	;;
		1068
		1069	reload)
		1070	killall -HUP chilli
		1071	;;
		1072
		1073	restart)
		1074	\$0 stop
		1075	sleep 2
		1076	\$0 start
		1077	;;
		1078
		1079	status)
		1080	status chilli
		1081	RETVAL=0
		1082	;;
		1083
		1084	stop)
		1085	if [ -f \$pidfile ] ; then
		1086	gprintf "Shutting down \$prog: "
		1087	killproc /usr/sbin/chilli
		1088	RETVAL=\$?
		1089	[ \$RETVAL = 0 ] && rm -f $pidfile
		1090	else
		1091	gprintf "chilli is not running"
		1092	fi
		1093	;;
		1094
		1095	*)
		1096	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		1097	exit 1
		1098	esac
		1099	echo
		1100	EOF
1373	richard	1101	chmod a+x /usr/libexec/chilli
799	richard	1102	# conf file creation
346	richard	1103	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
		1104	cat <<EOF > /etc/chilli.conf
		1105	# coova config for ALCASAR
		1106	cmdsocket /var/run/chilli.sock
1336	richard	1107	unixipc chilli.$INTIF.ipc
		1108	pidfile /var/run/chilli.$INTIF.pid
346	richard	1109	net $PRIVATE_NETWORK_MASK
595	richard	1110	dhcpif $INTIF
841	richard	1111	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	1112	#nodynip
865	richard	1113	#statip
		1114	dynip $PRIVATE_NETWORK_MASK
1249	richard	1115	domain $DOMAIN
355	richard	1116	dns1 $PRIVATE_IP
		1117	dns2 $PRIVATE_IP
346	richard	1118	uamlisten $PRIVATE_IP
503	richard	1119	uamport 3990
837	richard	1120	macauth
		1121	macpasswd password
1243	richard	1122	locationname $HOSTNAME.$DOMAIN
346	richard	1123	radiusserver1 127.0.0.1
		1124	radiusserver2 127.0.0.1
		1125	radiussecret $secretradius
		1126	radiusauthport 1812
		1127	radiusacctport 1813
1243	richard	1128	uamserver https://$HOSTNAME.$DOMAIN/intercept.php
		1129	radiusnasid $HOSTNAME.$DOMAIN
346	richard	1130	uamsecret $secretuam
1249	richard	1131	uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN
346	richard	1132	coaport 3799
1379	richard	1133	conup $DIR_DEST_BIN/alcasar-conup.sh
		1134	condown $DIR_DEST_BIN/alcasar-condown.sh
503	richard	1135	include $DIR_DEST_ETC/alcasar-uamallowed
		1136	include $DIR_DEST_ETC/alcasar-uamdomain
1294	richard	1137	#dhcpgateway
1157	stephane	1138	#dhcprelayagent
		1139	#dhcpgatewayport
346	richard	1140	EOF
1336	richard	1141	# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
977	richard	1142	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
840	richard	1143	# create files for trusted domains and urls
1148	crox53	1144	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	1145	chown root:apache $DIR_DEST_ETC/alcasar-*
		1146	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	1147	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	1148	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
		1149	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
796	richard	1150	# user 'chilli' creation (in order to run conup/off and up/down scripts
		1151	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		1152	if [ "$chilli_exist" == "1" ]
		1153	then
		1154	userdel -r chilli 2>/dev/null
		1155	fi
		1156	groupadd -f chilli
		1157	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1389	richard	1158	} # End of chilli ()
1349	richard	1159
1	root	1160	##################################################################
1389	richard	1161	## Fonction "dansguardian" ##
1	root	1162	## - Paramètrage du gestionnaire de contenu Dansguardian ##
		1163	##################################################################
1389	richard	1164	dansguardian ()
1	root	1165	{
		1166	mkdir /var/dansguardian
		1167	chown dansguardian /var/dansguardian
1375	richard	1168	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1391	richard	1169	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
497	richard	1170	[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1293	richard	1171	# By default the filter is off
497	richard	1172	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1293	richard	1173	# French deny HTML page
497	richard	1174	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1293	richard	1175	# Listen only on LAN side
497	richard	1176	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1342	richard	1177	# DG send its flow to HAVP
		1178	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1293	richard	1179	# replace the default deny HTML page
1	root	1180	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
		1181	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1293	richard	1182	# Don't log
		1183	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
		1184	# Run 10 daemons (20 in largest server)
659	richard	1185	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1	root	1186	# on désactive par défaut le controle de contenu des pages html
497	richard	1187	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
		1188	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1189	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1	root	1190	# on désactive par défaut le contrôle d'URL par expressions régulières
497	richard	1191	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1192	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1	root	1193	# on désactive par défaut le contrôle de téléchargement de fichiers
497	richard	1194	[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
		1195	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
		1196	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1197	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1198	touch $DIR_DG/lists/bannedextensionlist
		1199	touch $DIR_DG/lists/bannedmimetypelist
		1200	# 'Safesearch' regex actualisation
498	richard	1201	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1202	# empty LAN IP list that won't be WEB filtered
		1203	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1204	touch $DIR_DG/lists/exceptioniplist
		1205	# Keep a copy of URL & domain filter configuration files
		1206	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1207	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1389	richard	1208	} # End of dansguardian ()
1	root	1209
71	richard	1210	##################################################################
1221	richard	1211	## Fonction "antivirus" ##
1357	richard	1212	## - configuration of havp, libclamav and freshclam ##
71	richard	1213	##################################################################
		1214	antivirus ()
		1215	{
1358	richard	1216	# create 'havp' user
288	richard	1217	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1218	if [ "$havp_exist" == "1" ]
288	richard	1219	then
478	richard	1220	userdel -r havp 2>/dev/null
894	richard	1221	groupdel havp 2>/dev/null
288	richard	1222	fi
307	richard	1223	groupadd -f havp
796	richard	1224	useradd -r -g havp -s /bin/false -c "system user for havp" havp
1366	richard	1225	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
1393	richard	1226	mkdir -p /var/tmp/havp2 /var/log/havp2
476	richard	1227	chown -R havp /var/tmp/havp /var/log/havp /var/run/havp
1393	richard	1228	chown -R havp /var/tmp/havp2 /var/log/havp2
109	richard	1229	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1230	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1393	richard	1231	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config # pidfile
		1232	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode
631	richard	1233	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on 8090
		1234	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
990	franck	1235	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1236	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1237	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1238	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1239	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1240	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1393	richard	1241	cp /etc/havp/havp.config /etc/havp/havp2.config
		1242	$SED "s?^PIDFILE.*?PIDFILE /var/run/havp/havp2.pid?g" /etc/havp/havp2.config # pidfile
		1243	$SED "s?^TRANSPARENT.*?TRANSPARENT true?g" /etc/havp/havp2.config # transparent mode
		1244	$SED "s?^PORT.*?PORT 8091?g" /etc/havp/havp2.config # datas come on 8091
		1245	$SED "s?^BIND_ADDRESS.*?BIND_ADDRESS 192.168.182.1?g" /etc/havp/havp2.config # we listen only on tun0
1007	richard	1246	# skip checking of youtube flow (too heavy load / risk too low)
		1247	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1248	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1249	echo ".youtube.com/" >> /etc/havp/whitelist
1358	richard	1250	# replacement of init script
335	richard	1251	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
481	franck	1252	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1393	richard	1253	cp /etc/init.d/havp /etc/init.d/havp2
		1254	$SED "s?^# description.*?# description: starts HAVP2 the High Availability Antivirus Proxy?g" /etc/init.d/havp2 # description
		1255	$SED "s?^HAVP_CONFIG.*?HAVP_CONFIG=/etc/havp/havp2.config?g" /etc/init.d/havp2 # config file
		1256	$SED "s?^PIDFILE.*?PIDFILE=/var/run/havp/havp2.pid?g" /etc/init.d/havp2 # pidfile
		1257	$SED "s?^NAME.*?NAME=havp2?g" /etc/init.d/havp2 # name
		1258	$SED "s?^DESC.*?DESC=havp2?g" /etc/init.d/havp2 # desc
		1259	#$SED "s?if [ -f /etc/sysconfig/havp ] ; then.*?if [ -f /etc/sysconfig/havp2 ] ; then?g" /etc/init.d/havp2 # defaults
		1260	#$SED "s?. /etc/sysconfig/havp.*?. /etc/sysconfig/havp2?g" /etc/init.d/havp2 # defaults
		1261	$SED "s?^havp_mountpoint.*?havp_mountpoint=/var/tmp/havp2?g" /etc/init.d/havp2 # mountpoint
		1262	$SED "s?echo \"Reloading HAVP ...\".*?echo \"Reloading HAVP2 ...\"?g" /etc/init.d/havp2 # reloading havp
		1263	$SED "s?echo \"Error: HAVP not running\".*?echo \"Error : HAVP2 not running\"?g" /etc/init.d/havp2 # error havp
		1264	$SED "s?echo \"Error: HAVP not running or PIDFILE not readable\".*?echo \"Error : HAVP2 not running or PIDFILE not readable\"?g" /etc/init.d/havp2 # error havp
		1265	$SED "s?echo \"Error: HAVP not running or PIDFILE unreadable\".*?echo \"Error : HAVP2 not running or PIDFILE unreadable\"?g" /etc/init.d/havp2 # error havp
		1266	$SED "s?echo \"Shutting down HAVP ...\".*?echo \"Shutting down HAVP2 ...\"?g" /etc/init.d/havp2 # shutting down havp
		1267	$SED "s?status havp.*?status havp2?g" /etc/init.d/havp2 # status havp
1358	richard	1268	# replace of the intercept page (template)
340	richard	1269	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1270	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1358	richard	1271	# update virus database every 4 hours (24h/6)
1357	richard	1272	[ -e /etc/freshclam.conf.default ] \|\| cp /etc/freshclam.conf /etc/freshclam.conf.default
		1273	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
489	richard	1274	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1357	richard	1275	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1358	richard	1276	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
		1277	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1385	richard	1278	# update now
1382	richard	1279	/usr/bin/freshclam --no-warnings
1389	richard	1280	} # End of antivirus ()
71	richard	1281
1	root	1282	##################################################################################
1389	richard	1283	## function "ulogd" ##
476	richard	1284	## - Ulog config for multi-log files ##
		1285	##################################################################################
1389	richard	1286	ulogd ()
476	richard	1287	{
		1288	# Three instances of ulogd (three different logfiles)
		1289	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1290	nl=1
1358	richard	1291	for log_type in traceability ssh ext-access
478	richard	1292	do
1365	richard	1293	[ -e /lib/systemd/system/ulogd-$log_type.service ] \|\| cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1369	richard	1294	[ -e /var/log/firewall/$log_type.log ] \|\| echo "" > /var/log/firewall/$log_type.log
1375	richard	1295	cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
478	richard	1296	$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
		1297	cat << EOF >> /etc/ulogd-$log_type.conf
		1298	[LOGEMU]
		1299	file="/var/log/firewall/$log_type.log"
		1300	sync=1
		1301	EOF
1375	richard	1302	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -d -c /etc/ulogd-$log_type.conf?g" /lib/systemd/system/ulogd-$log_type.service
478	richard	1303	nl=`expr $nl + 1`
		1304	done
476	richard	1305	chown -R root:apache /var/log/firewall
		1306	chmod 750 /var/log/firewall
		1307	chmod 640 /var/log/firewall/*
1389	richard	1308	} # End of ulogd ()
476	richard	1309
1159	crox53	1310
		1311	##########################################################
1389	richard	1312	## Function "nfsen" ##
1159	crox53	1313	##########################################################
1389	richard	1314	nfsen()
1	root	1315	{
1393	richard	1316	tar xzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
1365	richard	1317	# Add PortTracker plugin
1395	richard	1318	for i in /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
		1319	do
		1320	[ ! -d $i ] && mkdir $i && chown -R apache:apache $i && echo "$i created" \|\| echo "$i already exists"
		1321	done
1221	richard	1322	cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
1365	richard	1323	# use of our conf file and init unit
1221	richard	1324	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
1365	richard	1325	# Installation of nfsen
1221	richard	1326	DirTmp=$(pwd)
		1327	cd /tmp/nfsen-1.3.6p1/
1365	richard	1328	/usr/bin/perl5 install.pl etc/nfsen.conf
		1329	/usr/bin/perl5 install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
		1330	# Create RRD DB for porttracker (only in it still doesn't exist)
1221	richard	1331	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
		1332	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
1395	richard	1333	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
		1334	chmod -R 770 /var/log/netflow/porttracker
1365	richard	1335	# Apache conf file
1394	richard	1336	cat << EOF > /etc/httpd/conf/conf.d/nfsen.conf
1159	crox53	1337	Alias /nfsen /var/www/nfsen
		1338	<Directory /var/www/nfsen/>
		1339	DirectoryIndex nfsen.php
		1340	Options -Indexes
		1341	AllowOverride all
		1342	order allow,deny
		1343	allow from all
		1344	AddType application/x-httpd-php .php
		1345	php_flag magic_quotes_gpc on
		1346	php_flag track_vars on
1	root	1347	</Directory>
		1348	EOF
1372	richard	1349	# nfsen unit for systemd
		1350	cat << EOF > /lib/systemd/system/nfsen.service
		1351	# This file is part of systemd.
		1352	#
		1353	# systemd is free software; you can redistribute it and/or modify it
		1354	# under the terms of the GNU General Public License as published by
		1355	# the Free Software Foundation; either version 2 of the License, or
		1356	# (at your option) any later version.
		1357
		1358	# This unit launches nfsen (a Netflow grapher).
		1359	[Unit]
		1360	Description= NfSen init script
		1361	After=network.target iptables.service
		1362
		1363	[Service]
		1364	Type=oneshot
		1365	RemainAfterExit=yes
1393	richard	1366	PIDFile=/var/run/nfsen/nfsen.pid
		1367	ExecStartPre=/bin/mkdir -p /var/run/nfsen
		1368	ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1372	richard	1369	ExecStart=/usr/bin/nfsen start
		1370	ExecStop=/usr/bin/nfsen stop
1393	richard	1371	ExecReload=/usr/bin/nfsen restart
1372	richard	1372	TimeoutSec=0
		1373
		1374	[Install]
		1375	WantedBy=multi-user.target
		1376	EOF
1365	richard	1377	# Add the listen port to collect netflow packet (nfcapd)
1393	richard	1378	$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
1365	richard	1379	# expire delay for the profile "live"
1393	richard	1380	systemctl start nfsen
		1381	/bin/nfsen -m live -e 62d 2>/dev/null
1397	richard	1382	# add SURFmap plugin
1410	richard	1383	tar xzf $DIR_CONF/nfsen/SURFmap_v3.3.tar.gz -C /tmp/
1397	richard	1384	cd /tmp/SURFmap
		1385	/usr/bin/sh install.sh
1365	richard	1386	# clear the installation
1221	richard	1387	cd $DirTmp
		1388	rm -rf /tmp/nfsen-1.3.6p1/
1397	richard	1389	rm -rf /tmp/SURFmap/
1389	richard	1390	} # End of nfsen ()
1	root	1391
1390	richard	1392	##################################################
1389	richard	1393	## Function "dnsmasq" ##
1390	richard	1394	##################################################
1389	richard	1395	dnsmasq ()
219	jeremy	1396	{
		1397	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
1356	richard	1398	[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1387	richard	1399	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
503	richard	1400	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
520	richard	1401	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if bypass is on.
503	richard	1402	cat << EOF > /etc/dnsmasq.conf
520	richard	1403	# Configuration file for "dnsmasq in forward mode"
1387	richard	1404	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
259	richard	1405	listen-address=$PRIVATE_IP
1390	richard	1406	pid-file=/var/run/dnsmasq.pid
259	richard	1407	listen-address=127.0.0.1
286	richard	1408	no-dhcp-interface=$INTIF
1387	richard	1409	no-dhcp-interface=tun0
		1410	no-dhcp-interface=lo
259	richard	1411	bind-interfaces
		1412	cache-size=256
		1413	domain=$DOMAIN
		1414	domain-needed
		1415	expand-hosts
		1416	bogus-priv
		1417	filterwin2k
		1418	server=$DNS1
		1419	server=$DNS2
1387	richard	1420	# DHCP service is configured. It will be enabled in "bypass" mode
865	richard	1421	dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
632	richard	1422	dhcp-option=option:router,$PRIVATE_IP
259	richard	1423	#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
		1424
1387	richard	1425	# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1426	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1427	EOF
1356	richard	1428	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
		1429	cat << EOF > /etc/dnsmasq-blacklist.conf
1390	richard	1430	# Configuration file for "dnsmasq with blacklist"
1387	richard	1431	# Add Toulouse blacklist domains
1015	richard	1432	conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1387	richard	1433	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
1390	richard	1434	pid-file=/var/run/dnsmasq-blacklist.pid
498	richard	1435	listen-address=$PRIVATE_IP
		1436	port=54
		1437	no-dhcp-interface=$INTIF
1387	richard	1438	no-dhcp-interface=tun0
498	richard	1439	bind-interfaces
		1440	cache-size=256
		1441	domain=$DOMAIN
		1442	domain-needed
		1443	expand-hosts
		1444	bogus-priv
		1445	filterwin2k
		1446	server=$DNS1
		1447	server=$DNS2
		1448	EOF
1379	richard	1449	# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1357	richard	1450	cat << EOF > /etc/dnsmasq-whitelist.conf
1390	richard	1451	# Configuration file for "dnsmasq with whitelist"
1356	richard	1452	# Inclusion de la whitelist <domains> de Toulouse dans la configuration
		1453	conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
		1454	conf-file=$DIR_DEST_ETC/alcasar-dns-name # zone de definition de noms DNS locaux
		1455	listen-address=$PRIVATE_IP
1390	richard	1456	pid-file=/var/run/dnsmasq-whitelist.pid
1356	richard	1457	port=55
		1458	no-dhcp-interface=$INTIF
1387	richard	1459	no-dhcp-interface=tun0
1356	richard	1460	bind-interfaces
		1461	cache-size=256
		1462	domain=$DOMAIN
		1463	domain-needed
		1464	expand-hosts
		1465	bogus-priv
		1466	filterwin2k
		1467	address=/#/$PRIVATE_IP
1390	richard	1468	ipset=/#/whitelist_ip_allowed
1356	richard	1469	EOF
1372	richard	1470	# Start after chilli (which create tun0)
		1471	$SED "s?^After=.*?After=syslog.target network.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1356	richard	1472	# Create dnsmasq-blacklist and dnsmasq-whitelist unit
1361	richard	1473	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-blacklist.service
		1474	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-whitelist.service
1365	richard	1475	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-blacklist.conf?g" /lib/systemd/system/dnsmasq-blacklist.service
		1476	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-whitelist.conf?g" /lib/systemd/system/dnsmasq-whitelist.service
1387	richard	1477	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-blacklist.pid?g" /lib/systemd/system/dnsmasq-blacklist.service
		1478	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-whitelist.pid?g" /lib/systemd/system/dnsmasq-whitelist.service
308	richard	1479	} # End dnsmasq
		1480
		1481	##########################################################
1221	richard	1482	## Fonction "BL" ##
308	richard	1483	##########################################################
		1484	BL ()
		1485	{
1386	richard	1486	# modify iptables boot file to start alcasar-iptables.sh when the system is booting
		1487	[ -e /lib/systemd/system/iptables.service.default ] \|\| cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
		1488	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
1384	richard	1489	# copy and extract toulouse BL
648	richard	1490	rm -rf $DIR_DG/lists/blacklists
		1491	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
1383	richard	1492	# creation of the OSSI BL and WL categories (domain name and url)
878	richard	1493	mkdir $DIR_DG/lists/blacklists/ossi
1041	richard	1494	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
		1495	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
1384	richard	1496	chown -R dansguardian:apache $DIR_DG $DIR_DEST_SHARE
		1497	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1383	richard	1498	# creation of file for the rehabilited domains and urls
648	richard	1499	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1500	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1501	touch $DIR_DG/lists/exceptionsitelist
		1502	touch $DIR_DG/lists/exceptionurllist
311	richard	1503	# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
648	richard	1504	cat <<EOF > $DIR_DG/lists/bannedurllist
311	richard	1505	# Dansguardian filter config for ALCASAR
		1506	EOF
648	richard	1507	cat <<EOF > $DIR_DG/lists/bannedsitelist
311	richard	1508	# Dansguardian domain filter config for ALCASAR
		1509	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1510	#**
		1511	# block all SSL and CONNECT tunnels
		1512	**s
		1513	# block all SSL and CONNECT tunnels specified only as an IP
		1514	*ips
		1515	# block all sites specified only by an IP
		1516	*ip
		1517	EOF
1000	richard	1518	# Add Bing and Youtube to the safesearch url regext list (parental control)
878	richard	1519	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1520	# Bing - add 'adlt=strict'
		1521	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1522	# Youtube - add 'edufilter=your_ID'
885	richard	1523	#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"
878	richard	1524	EOF
1000	richard	1525	# change the the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1526	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1370	richard	1527	# adapt the BL to ALCASAR architecture. Enable the default categories
654	richard	1528	if [ "$mode" != "update" ]; then
		1529	$DIR_DEST_SBIN/alcasar-bl.sh --adapt
1370	richard	1530	$DIR_DEST_SBIN/alcasar-bl.sh --cat_choice
1387	richard	1531	# !!! we can be banned by DNS server (waiting for a cool solution $DIR_DEST_SBIN/alcasar-bl.sh --ip_retrieving
654	richard	1532	fi
308	richard	1533	}
219	jeremy	1534
1	root	1535	##########################################################
1221	richard	1536	## Fonction "cron" ##
1	root	1537	## - Mise en place des différents fichiers de cron ##
		1538	##########################################################
		1539	cron ()
		1540	{
		1541	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1542	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1543	cat <<EOF > /etc/crontab
		1544	SHELL=/bin/bash
		1545	PATH=/sbin:/bin:/usr/sbin:/usr/bin
		1546	MAILTO=root
		1547	HOME=/
		1548
		1549	# run-parts
		1550	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1551	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1552	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1553	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1554	EOF
		1555	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1556	cat <<EOF >> /etc/anacrontab
667	franck	1557	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
1380	richard	1558	7 10 cron.logExport nice /etc/cron.d/alcasar-archive
667	franck	1559	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1560	EOF
1247	crox53	1561
811	richard	1562	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1563	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
955	richard	1564	45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
905	franck	1565	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
917	franck	1566	40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1567	EOF
952	franck	1568	cat <<EOF > /etc/cron.d/alcasar-archive
		1569	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1570	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1571	EOF
667	franck	1572	cat << EOF > /etc/cron.d/alcasar-clean_import
713	franck	1573	# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
503	richard	1574	30 * * * * root $DIR_DEST_BIN/alcasar-import-clean.sh
168	franck	1575	EOF
722	franck	1576	cat << EOF > /etc/cron.d/alcasar-distrib-updates
		1577	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1578	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1579	EOF
1247	crox53	1580	#cat << EOF > /etc/cron.d/alcasar-netflow
1159	crox53	1581	# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
1247	crox53	1582	#15 0 * * 1 root $DIR_DEST_BIN/alcasar-netflow.sh
		1583	#EOF
1159	crox53	1584
1	root	1585	# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
		1586	# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
		1587	# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
		1588	# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
		1589	# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
		1590	# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
		1591	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
		1592	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
		1593	rm -f /etc/cron.daily/freeradius-web
		1594	rm -f /etc/cron.monthly/freeradius-web
		1595	cat << EOF > /etc/cron.d/freeradius-web
		1596	1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
		1597	5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
		1598	10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
		1599	15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
		1600	EOF
671	franck	1601	cat << EOF > /etc/cron.d/alcasar-watchdog
713	franck	1602	# activation du "chien de garde" (watchdog) toutes les 3'
1	root	1603	/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
		1604	EOF
808	franck	1605	# activation du "chien de garde des services" (watchdog) toutes les 18'
		1606	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
		1607	# activation du "chien de garde" (daemon-watchdog) toutes les 18'
		1608	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1609	EOF
522	richard	1610	# suppression des crons usagers
		1611	rm -f /var/spool/cron/*
1	root	1612	} # End cron
		1613
		1614	##################################################################
1221	richard	1615	## Fonction "Fail2Ban" ##
1163	crox53	1616	##- Modification de la configuration de fail2ban ##
		1617	##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ##
		1618	##################################################################
		1619	fail2ban()
		1620	{
1191	crox53	1621	$DIR_CONF/fail2ban.sh
1192	crox53	1622	#Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
		1623	[ -e /var/log/fail2ban.log ] \|\| touch /var/log/fail2ban.log
		1624	[ -e /var/Save/logs/security/watchdog.log ] \|\| touch /var/Save/logs/security/watchdog.log
1165	crox53	1625	chmod 644 /var/log/fail2ban.log
1192	crox53	1626	chmod 644 /var/Save/logs/security/watchdog.log
1163	crox53	1627	} #Fin de fail2ban_install()
		1628
		1629	##################################################################
1376	richard	1630	## Fonction "gammu_smsd" ##
		1631	## - Creation de la base de donnée Gammu ##
		1632	## - Creation du fichier de config: gammu_smsd_conf ##
		1633	## ##
		1634	##################################################################
		1635	gammu_smsd()
		1636	{
		1637	# Create 'gammu' databse
		1638	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
		1639	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
		1640	# Add a gammu database structure
		1641	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/gammu-smsd-db-vierge.sql
		1642
		1643	# config file for the daemon
		1644	cat << EOF > /etc/gammu_smsd_conf
		1645	[gammu]
		1646	port = /dev/ttyUSB0
		1647	connection = at115200
		1648
		1649	;########################################################
		1650
		1651	[smsd]
		1652
		1653	PIN = 1234
		1654
		1655	logfile = /var/log/gammu-smsd/gammu-smsd.log
		1656	logformat = textall
		1657	debuglevel = 0
		1658
		1659	service = sql
		1660	driver = native_mysql
		1661	user = $DB_USER
		1662	password = $radiuspwd
		1663	pc = localhost
		1664	database = $DB_GAMMU
		1665
		1666	RunOnReceive = /usr/local/bin/alcasar-sms.sh --new_sms
		1667
		1668	StatusFrequency = 30
1380	richard	1669	;LoopSleep = 2
1376	richard	1670
		1671	;ResetFrequency = 300
		1672	;HardResetFrequency = 120
		1673
		1674	CheckSecurity = 1
		1675	CheckSignal = 1
		1676	CheckBattery = 0
		1677	EOF
		1678
		1679	chmod 755 /etc/gammu_smsd_conf
		1680
		1681	#Creation dossier de log Gammu-smsd
1382	richard	1682	[ -e /var/log/gammu-smsd ] \|\| mkdir /var/log/gammu-smsd
1376	richard	1683	chmod 755 /var/log/gammu-smsd
		1684
		1685	#Edition du script sql gammu <-> radius
		1686	$SED "10c u_db=\"$DB_USER\"" $DIR_DEST_BIN/alcasar-sms.sh
		1687	$SED "11c p_db=\"$radiuspwd\"" $DIR_DEST_BIN/alcasar-sms.sh
		1688
1380	richard	1689	#Création de la règle udev pour les Huawei // idVendor: 12d1
		1690	cat << EOF > /etc/udev/rules.d/66-huawei.rules
		1691	KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="/usr/local/bin/alcasar-sms.sh --mode"
		1692	EOF
		1693
1376	richard	1694	} # END gammu_smsd()
		1695
		1696	##################################################################
1221	richard	1697	## Fonction "post_install" ##
1	root	1698	## - Modification des bannières (locales et ssh) et des prompts ##
		1699	## - Installation de la structure de chiffrement pour root ##
		1700	## - Mise en place du sudoers et de la sécurité sur les fichiers##
		1701	## - Mise en place du la rotation des logs ##
5	franck	1702	## - Configuration dans le cas d'une mise à jour ##
1	root	1703	##################################################################
		1704	post_install()
		1705	{
		1706	# adaptation du script "chien de garde" (watchdog)
376	franck	1707	$SED "s?^EXTIF=.*?EXTIF=\"$EXTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
		1708	$SED "s?^INTIF=.*?INTIF=\"$INTIF\"?g" $DIR_DEST_BIN/alcasar-watchdog.sh
1	root	1709	# création de la bannière locale
1007	richard	1710	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		1711	cp -f $DIR_CONF/banner /etc/mageia-release
		1712	echo " V$VERSION" >> /etc/mageia-release
1	root	1713	# création de la bannière SSH
1007	richard	1714	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
5	franck	1715	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1716	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1717	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1718	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1719	# postfix banner anonymisation
		1720	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
604	richard	1721	# sshd écoute côté LAN et WAN
1	root	1722	$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
604	richard	1723	$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
860	richard	1724	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
628	richard	1725	echo "SSH=off" >> $CONF_FILE
1063	richard	1726	echo 'SSH_ADMIN_FROM=0.0.0.0/0.0.0.0' >> $CONF_FILE
628	richard	1727	echo "QOS=off" >> $CONF_FILE
		1728	echo "LDAP=off" >> $CONF_FILE
786	richard	1729	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
885	richard	1730	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1078	franck	1731	echo "MULTIWAN=off" >> $CONF_FILE
		1732	echo "FAILOVER=30" >> $CONF_FILE
		1733	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1336	richard	1734	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
		1735	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1	root	1736	# Coloration des prompts
		1737	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1738	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1739	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1	root	1740	# Droits d'exécution pour utilisateur apache et sysadmin
		1741	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1742	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1743	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
1342	richard	1744	# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, radiusd, ulogd)
1	root	1745	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		1746	chmod 644 /etc/logrotate.d/*
714	franck	1747	# rectification sur versions précédentes de la compression des logs
706	franck	1748	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		1749	# actualisation des fichiers logs compressés
1342	richard	1750	for dir in firewall dansguardian httpd
706	franck	1751	do
714	franck	1752	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	1753	done
1221	richard	1754	# create the alcasar-load_balancing unit
		1755	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1184	crox53	1756	# This file is part of systemd.
		1757	#
		1758	# systemd is free software; you can redistribute it and/or modify it
		1759	# under the terms of the GNU General Public License as published by
		1760	# the Free Software Foundation; either version 2 of the License, or
		1761	# (at your option) any later version.
		1762
		1763	# This unit lauches alcasar-load-balancing.sh script.
		1764	[Unit]
		1765	Description=alcasar-load_balancing.sh execution
		1766	After=network.target iptables.service
		1767
		1768	[Service]
		1769	Type=oneshot
		1770	RemainAfterExit=yes
		1771	ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
		1772	ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
		1773	TimeoutSec=0
		1774	SysVStartPriority=99
		1775
		1776	[Install]
		1777	WantedBy=multi-user.target
1157	stephane	1778	EOF
1221	richard	1779	# processes launched at boot time (SYSV)
1371	richard	1780	for i in havp
1221	richard	1781	do
		1782	/sbin/chkconfig --add $i
		1783	done
		1784	# processes launched at boot time (Systemctl)
1393	richard	1785	for i in alcasar-load_balancing mysqld httpd ntpd iptables ulogd dnsmasq dnsmasq-blacklist dnsmasq-whitelist radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban
1221	richard	1786	do
1389	richard	1787	systemctl -q enable $i.service
1221	richard	1788	done
		1789	# Apply French Security Agency (ANSSI) rules
1362	richard	1790	# ignore ICMP broadcast (smurf attack)
		1791	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
		1792	# ignore ICMP errors bogus
		1793	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
		1794	# remove ICMP redirects responces
		1795	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1796	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1797	# enable SYN Cookies (Syn flood attacks)
		1798	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
		1799	# enable kernel antispoofing
		1800	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
		1801	# ignore source routing
		1802	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
		1803	# set conntrack timer to 1h (3600s) instead of 5 weeks
		1804	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1157	stephane	1805	# disable log_martians (ALCASAR is often installed between two private network addresses)
1363	richard	1806	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1362	richard	1807	# remove Magic SysReq Keys
1363	richard	1808	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1003	richard	1809	# switch to multi-users runlevel (instead of x11)
1221	richard	1810	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1005	richard	1811	# GRUB modifications
		1812	# limit wait time to 3s
		1813	# create an alcasar entry instead of linux-nonfb
		1814	# change display to 1024*768 (vga791)
1221	richard	1815	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
		1816	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
		1817	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
		1818	$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
		1819	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
		1820	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1003	richard	1821	# Remove unused services and users
1378	richard	1822	for svc in sshd.service
1221	richard	1823	do
1362	richard	1824	/bin/systemctl -q disable $svc
1221	richard	1825	done
1378	richard	1826	# for rm_users in games
		1827	# do
		1828	# user=`cat /etc/passwd\|grep $rm_users\|cut -d":" -f1`
		1829	# if [ "$user" == "$rm_users" ]
		1830	# then
		1831	# /usr/sbin/userdel -r $rm_users
		1832	# fi
		1833	# done
1221	richard	1834	# Load and apply the previous conf file
		1835	if [ "$mode" = "update" ]
532	richard	1836	then
1266	richard	1837	$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs
1221	richard	1838	$DIR_DEST_BIN/alcasar-conf.sh --load
		1839	PARENT_SCRIPT=`basename $0`
		1840	export PARENT_SCRIPT # to avoid stop&start process during the installation process
		1841	$DIR_DEST_BIN/alcasar-conf.sh --apply
		1842	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		1843	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
1269	richard	1844	if [ $MAJ_PREVIOUS_VERSION -lt 2 ] \|\| ([ $MAJ_PREVIOUS_VERSION -eq 2 ] && [ $MIN_PREVIOUS_VERSION -lt 8 ])
		1845	# update needed for versions previous then 2.8 due to the integration of the domainname ("localdomain" by default)
		1846	then
		1847	header_install
		1848	if [ $Lang == "fr" ]
		1849	then
		1850	echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
		1851	echo
		1852	echo -n "Nom : "
		1853	else
		1854	echo "This update need to redefine the first admin account"
		1855	echo
		1856	echo -n "Account : "
		1857	fi
		1858	read admin_portal
		1859	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		1860	mkdir -p $DIR_DEST_ETC/digest
		1861	chmod 755 $DIR_DEST_ETC/digest
		1862	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		1863	do
1350	richard	1864	/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
1269	richard	1865	done
		1866	$DIR_DEST_SBIN/alcasar-profil.sh --list
		1867	fi
532	richard	1868	fi
1221	richard	1869	rm -f /tmp/alcasar-conf*
		1870	chown -R root:apache $DIR_DEST_ETC/*
		1871	chmod -R 660 $DIR_DEST_ETC/*
		1872	chmod ug+x $DIR_DEST_ETC/digest
1045	franck	1873	# Apply and save the firewall rules
		1874	sh $DIR_DEST_BIN/alcasar-iptables.sh
		1875	sleep 2
1	root	1876	cd $DIR_INSTALL
5	franck	1877	echo ""
1	root	1878	echo "#############################################################################"
638	richard	1879	if [ $Lang == "fr" ]
		1880	then
		1881	echo "# Fin d'installation d'ALCASAR #"
		1882	echo "# #"
		1883	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1884	echo "# des Accès au Réseau ( ALCASAR ) #"
		1885	echo "# #"
		1886	echo "#############################################################################"
		1887	echo
		1888	echo "- ALCASAR sera fonctionnel après redémarrage du système"
		1889	echo
		1890	echo "- Lisez attentivement la documentation d'exploitation"
		1891	echo
		1892	echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		1893	echo
		1894	echo " Appuyez sur 'Entrée' pour continuer"
		1895	else
		1896	echo "# Enf of ALCASAR install process #"
		1897	echo "# #"
		1898	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1899	echo "# des Accès au Réseau ( ALCASAR ) #"
		1900	echo "# #"
		1901	echo "#############################################################################"
		1902	echo
		1903	echo "- The system will be rebooted in order to operate ALCASAR"
		1904	echo
		1905	echo "- Read the exploitation documentation"
		1906	echo
		1907	echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		1908	echo
		1909	echo " Hit 'Enter' to continue"
		1910	fi
815	richard	1911	sleep 2
		1912	if [ "$mode" != "update" ]
820	richard	1913	then
815	richard	1914	read a
		1915	fi
774	richard	1916	clear
1	root	1917	reboot
		1918	} # End post_install ()
		1919
		1920	#################################
1005	richard	1921	# Main Install loop #
1	root	1922	#################################
832	richard	1923	dir_exec=`dirname "$0"`
		1924	if [ $dir_exec != "." ]
		1925	then
		1926	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
		1927	echo "Launch this program from the ALCASAR archive directory"
		1928	exit 0
		1929	fi
		1930	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	1931	usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"
1	root	1932	nb_args=$#
		1933	args=$1
		1934	if [ $nb_args -eq 0 ]
		1935	then
		1936	nb_args=1
		1937	args="-h"
		1938	fi
1062	richard	1939	chmod -R u+x $DIR_SCRIPTS/*
1	root	1940	case $args in
		1941	-\? \| -h* \| --h*)
		1942	echo "$usage"
		1943	exit 0
		1944	;;
291	franck	1945	-i \| --install)
959	franck	1946	license
5	franck	1947	header_install
29	richard	1948	testing
595	richard	1949	# RPMs install
		1950	$DIR_SCRIPTS/alcasar-urpmi.sh
		1951	if [ "$?" != "0" ]
1	root	1952	then
595	richard	1953	exit 0
		1954	fi
1249	richard	1955	if [ -e $CONF_FILE ]
595	richard	1956	then
597	richard	1957	# Uninstall the running version
532	richard	1958	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
595	richard	1959	fi
636	richard	1960	# Test if manual update
1362	richard	1961	if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
595	richard	1962	then
636	richard	1963	header_install
595	richard	1964	if [ $Lang == "fr" ]
636	richard	1965	then echo "Le fichier de configuration d'une ancienne version a été trouvé";
		1966	else echo "The configuration file of an old version has been found";
595	richard	1967	fi
597	richard	1968	response=0
		1969	PTN='^[oOnNyY]$'
		1970	until [[ $(expr $response : $PTN) -gt 0 ]]
		1971	do
		1972	if [ $Lang == "fr" ]
		1973	then echo -n "Voulez-vous l'utiliser (O/n)? ";
		1974	else echo -n "Do you want to use it (Y/n)?";
		1975	fi
		1976	read response
		1977	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		1978	then rm -f /tmp/alcasar-conf*
		1979	fi
		1980	done
		1981	fi
636	richard	1982	# Test if update
1057	richard	1983	if [ -e /tmp/alcasar-conf* ]
597	richard	1984	then
		1985	if [ $Lang == "fr" ]
		1986	then echo "#### Installation avec mise à jour ####";
		1987	else echo "#### Installation with update ####";
		1988	fi
636	richard	1989	# Extract the central configuration file
1057	richard	1990	tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
637	richard	1991	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	1992	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		1993	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		1994	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		1995	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	1996	mode="update"
1	root	1997	fi
1389	richard	1998	for func in init network ACC CA init_db radius radius_web chilli dansguardian antivirus ulogd nfsen dnsmasq BL cron fail2ban gammu_smsd post_install
5	franck	1999	do
		2000	$func
1362	richard	2001	# echo "* 'debug' : end of function $func *"; read a
14	richard	2002	done
5	franck	2003	;;
291	franck	2004	-u \| --uninstall)
5	franck	2005	if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1	root	2006	then
597	richard	2007	if [ $Lang == "fr" ]
		2008	then echo "ALCASAR n'est pas installé!";
		2009	else echo "ALCASAR isn't installed!";
		2010	fi
1	root	2011	exit 0
		2012	fi
5	franck	2013	response=0
		2014	PTN='^[oOnN]$'
580	richard	2015	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	2016	do
597	richard	2017	if [ $Lang == "fr" ]
		2018	then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
854	richard	2019	else echo -n "Do you want to create the running version configuration file (Y/n)? ";
597	richard	2020	fi
5	franck	2021	read response
		2022	done
1103	richard	2023	if [ "$response" = "o" ] \|\| [ "$response" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]
1	root	2024	then
1103	richard	2025	$DIR_SCRIPTS/alcasar-conf.sh --create
498	richard	2026	else
		2027	rm -f /tmp/alcasar-conf*
1	root	2028	fi
597	richard	2029	# Uninstall the running version
65	richard	2030	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1	root	2031	;;
		2032	*)
		2033	echo "Argument inconnu :$1";
460	richard	2034	echo "Unknown argument :$1";
1	root	2035	echo "$usage"
		2036	exit 1
		2037	;;
		2038	esac
10	franck	2039	# end of script
366	franck	2040

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1410