WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
57	franck	2	# $Id: alcasar.sh 1474 2014-11-03 22:55:09Z richard $
1	root	3
		4	# alcasar.sh
959	franck	5
1157	stephane	6	# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
		7	# Ce programme est un logiciel libre ; This software is free and open source
959	franck	8	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		9	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		10	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		11	# Voir la Licence Publique Générale GNU pour plus de détails.
		12
967	franck	13	# team@alcasar.net
959	franck	14
1	root	15	# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
		16	# This script is distributed under the Gnu General Public License (GPL)
		17
672	richard	18	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	19	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	20	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
1007	richard	21	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
672	richard	22	#
1342	richard	23	# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav, Ulog, fail2ban, NFsen and NFdump
1	root	24
		25	# Options :
376	franck	26	# -i or --install
		27	# -u or --uninstall
1	root	28
376	franck	29	# Functions :
1378	richard	30	# testing : connectivity tests, free space test and mageia version test
1221	richard	31	# init : Installation of RPM and scripts
		32	# network : Network parameters
		33	# ACC : ALCASAR Control Center installation
		34	# CA : Certification Authority initialization
		35	# init_db : Initilization of radius database managed with MariaDB
1389	richard	36	# radius : FreeRadius initialisation
		37	# radius_web : copy ans modifiy original "freeradius web" in ACC
		38	# chilli : coovachilli initialisation (+authentication page)
		39	# dansguardian : DansGuardian filtering HTTP proxy configuration
1221	richard	40	# antivirus : HAVP + libclamav configuration
1389	richard	41	# ulogd : log system in userland (match NFLOG target of iptables)
		42	# nfsen : : Configuration du grapheur nfsen pour apache
1253	richard	43	# dnsmasq : Name server configuration
		44	# BL : BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
1266	richard	45	# cron : Logs export + watchdog + connexion statistics
1389	richard	46	# fail2ban : Fail2ban IDS installation and configuration
		47	# gammu_smsd : Autoregister addon via SMS (gammu-smsd)
1266	richard	48	# post_install : Security, log rotation, etc.
1	root	49
		50	DATE=`date '+%d %B %Y - %Hh%M'`
		51	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	52	Lang=`echo $LANG\|cut -c 1-2`
1362	richard	53	mode="install"
1	root	54	# ***** Files parameters - paramètres fichiers *******
1015	richard	55	DIR_INSTALL=`pwd` # current directory
		56	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		57	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
		58	DIR_SAVE="/var/Save" # backup directory (system_backup, user_db_backup, logs)
		59	DIR_WEB="/var/www/html" # directory of APACHE
		60	DIR_DG="/etc/dansguardian" # directory of DansGuardian
		61	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
		62	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		63	DIR_DEST_SBIN="/usr/local/sbin" # directory of ALCASAR admin scripts
		64	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
		65	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
		66	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
		67	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	68	# ***** DBMS parameters - paramètres SGBD ******
1243	richard	69	DB_RADIUS="radius" # database name used by FreeRadius server
		70	DB_USER="radius" # user name allows to request the users database
1349	richard	71	DB_GAMMU="gammu" # database name used by Gammu-smsd
1	root	72	# ***** Network parameters - paramètres réseau *****
1469	richard	73	HOSTNAME="alcasar" # default hostname
1243	richard	74	DOMAIN="localdomain" # default local domain
1471	richard	75	EXTIF=`/sbin/ip route\|grep default\|cut -d" " -f5` # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
1336	richard	76	INTIF=`/sbin/ip link\|grep '^[[:digit:]]:'\|grep -v "lo\\|$EXTIF"\|cut -d" " -f2\|tr -d ":"` # INTIF is connected to the consultation network
1148	crox53	77	MTU="1500"
1157	stephane	78	ETHTOOL_OPTS='"autoneg off speed 100 duplex full"'
1243	richard	79	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
1	root	80	# **** Paths - chemin des commandes *****
		81	SED="/bin/sed -i"
		82	# **************** End of global parameters *******************
		83
959	franck	84	license ()
		85	{
		86	if [ $Lang == "fr" ]
967	franck	87	then cat $DIR_INSTALL/gpl-3.0.fr.txt \| more
		88	else cat $DIR_INSTALL/gpl-3.0.txt \| more
959	franck	89	fi
975	franck	90	echo "Taper sur Entrée pour continuer !"
		91	echo "Enter to continue."
959	franck	92	read a
		93	}
		94
1	root	95	header_install ()
		96	{
		97	clear
		98	echo "-----------------------------------------------------------------------------"
460	richard	99	echo " ALCASAR V$VERSION Installation"
1	root	100	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		101	echo "-----------------------------------------------------------------------------"
1389	richard	102	}
1	root	103
		104	##################################################################
1221	richard	105	## Function "testing" ##
1378	richard	106	## - Test of Mageia version ##
1342	richard	107	## - Test of free space on /var (>10G) ##
1005	richard	108	## - Test of Internet access ##
29	richard	109	##################################################################
		110	testing ()
		111	{
1362	richard	112	# Test if ALCASAR is already installed
		113	if [ -e $CONF_FILE ]
		114	then
		115	current_version=`cat $CONF_FILE \| grep VERSION \| cut -d"=" -f2`
1342	richard	116	if [ $Lang == "fr" ]
1362	richard	117	then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
		118	else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
1342	richard	119	fi
1362	richard	120	response=0
		121	PTN='^[oOnNyY]$'
		122	until [[ $(expr $response : $PTN) -gt 0 ]]
		123	do
		124	if [ $Lang == "fr" ]
		125	then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
		126	else echo -n "Do you want to update (Y/n)?";
		127	fi
		128	read response
		129	done
		130	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		131	then
		132	rm -f /tmp/alcasar-conf*
		133	else
1471	richard	134	# Create a backup of running importants files
1362	richard	135	$DIR_SCRIPTS/alcasar-conf.sh --create
		136	mode="update"
		137	fi
		138	else
1365	richard	139	if [ ! -d /var/log/netflow/porttracker ]
		140	then
1378	richard	141	# Test of free space on /var
1365	richard	142	free_space=`df -BG --output=avail /var\|tail -1\|tr -d [:space:]G`
		143	if [ $free_space -lt 10 ]
		144	then
		145	if [ $Lang == "fr" ]
		146	then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
		147	else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
		148	fi
		149	exit 0
1362	richard	150	fi
1378	richard	151	fi
		152	# Test of Mageia version
		153	# extract the current Mageia version and hardware architecture (i586 ou X64)
		154	fic=`cat /etc/product.id`
		155	unknown_os=0
		156	old="$IFS"
		157	IFS=","
		158	set $fic
		159	for i in $*
		160	do
		161	if [ "`echo $i\|grep distribution\|cut -d'=' -f1`" == "distribution" ]
		162	then
		163	DISTRIBUTION=`echo $i\|cut -d"=" -f2`
		164	unknown_os=`expr $unknown_os + 1`
		165	fi
		166	if [ "`echo $i\|grep version\|cut -d'=' -f1`" == "version" ]
		167	then
		168	CURRENT_VERSION=`echo $i\|cut -d"=" -f2`
		169	unknown_os=`expr $unknown_os + 1`
		170	fi
		171	if [ "`echo $i\|grep arch\|cut -d'=' -f1`" == "arch" ]
		172	then
		173	ARCH=`echo $i\|cut -d"=" -f2`
		174	unknown_os=`expr $unknown_os + 1`
		175	fi
		176	done
		177	IFS="$old"
		178	if [[ ( $unknown_os != 3 \|\| "$DISTRIBUTION" != "Mageia" ) && ( "$CURRENT_VERSION" != "4" ) ]]
		179	then
		180	if [ $Lang == "fr" ]
		181	then
		182	echo "L'installation ou la mise @ jour d'ALCASAR ne peut pas être réalisée."
		183	echo "Le système d'exploitation doit être remplacé (Mageia4)"
		184	else
		185	echo "The automatic update of ALCASAR can't be performed."
		186	echo "The OS must be replaced (Mageia4)"
		187	fi
		188	if [ -e /tmp/alcasar-conf.tar.gz ]
		189	then
		190	echo
		191	if [ $Lang == "fr" ]
		192	then
		193	echo "1 - Récupérez le fichier de configuration actuel (/tmp/alcasar-conf.tar.gz)."
		194	echo "2 - Installez Linux-Mageia4 (cf. doc d'installation)"
		195	echo "3 - copiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancer l'installation d'ALCASAR"
		196	else
		197	echo "1 - Retrieve the configuration file (/tmp/alcasar-conf.tar.gz)"
		198	echo "2 - Install Linux-Mageia4 (cf. installation doc)"
		199	echo "3 - Copy the file 'alcasar-conf.tar.gz' in the folder '/tmp' before launching the installation of ALCASAR"
		200	fi
		201	fi
		202	exit 0
		203	fi
1342	richard	204	fi
1378	richard	205	if [ $Lang == "fr" ]
784	richard	206	then echo -n "Tests des paramètres réseau : "
595	richard	207	else echo -n "Network parameters tests : "
		208	fi
1471	richard	209
		210	# Test of Ethernet links state
		211	DOWN_IF=`/sbin/ip link\|grep "NO-CARRIER"\|cut -d":" -f2\|tr -d " "`
		212	for i in $DOWN_IF
		213	do
		214	if [ $Lang == "fr" ]
		215	then
		216	echo "Échec"
		217	echo "Le lien réseau de la carte $i n'est pas actif."
		218	echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
		219	else
		220	echo "Failed"
		221	echo "The link state of $i interface is down."
		222	echo "Make sure that this network card is connected to a switch or an A.P."
		223	fi
		224	exit 0
		225	done
		226	echo -n "."
		227
		228	# Test EXTIF config files
784	richard	229	PUBLIC_IP=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		230	PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
1471	richard	231	if [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
		232	then
784	richard	233	if [ $Lang == "fr" ]
		234	then
		235	echo "Échec"
		236	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		237	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	238	echo "Appliquez les changements : 'systemctl restart network'"
784	richard	239	else
		240	echo "Failed"
		241	echo "The Internet connected network card ($EXTIF) isn't well configured."
		242	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	243	echo "Apply the new configuration 'systemctl restart network'"
784	richard	244	fi
830	richard	245	echo "DEVICE=$EXTIF"
784	richard	246	echo "IPADDR="
		247	echo "NETMASK="
		248	echo "GATEWAY="
		249	echo "DNS1="
		250	echo "DNS2="
830	richard	251	echo "ONBOOT=yes"
784	richard	252	exit 0
		253	fi
		254	echo -n "."
1471	richard	255
		256	# Test if router is alive (Box FAI)
784	richard	257	if [ `ip route list\|grep -c ^default` -ne "1" ] ; then
595	richard	258	if [ $Lang == "fr" ]
		259	then
		260	echo "Échec"
		261	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		262	echo "Réglez ce problème puis relancez ce script."
		263	else
		264	echo "Failed"
		265	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		266	echo "Resolv this problem, then restart this script."
		267	fi
29	richard	268	exit 0
		269	fi
308	richard	270	echo -n "."
978	franck	271	# On teste le lien vers le routeur par defaut
308	richard	272	IP_GW=`ip route list\|grep ^default\|cut -d" " -f3`
		273	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $IP_GW\|grep response\|cut -d" " -f2`
527	richard	274	if [ $(expr $arp_reply) -eq 0 ]
308	richard	275	then
595	richard	276	if [ $Lang == "fr" ]
		277	then
		278	echo "Échec"
		279	echo "Le routeur de site ou la Box Internet ($IP_GW) ne répond pas."
		280	echo "Réglez ce problème puis relancez ce script."
		281	else
		282	echo "Failed"
		283	echo "The Internet gateway doesn't answered"
		284	echo "Resolv this problem, then restart this script."
		285	fi
308	richard	286	exit 0
		287	fi
		288	echo -n "."
421	franck	289	# On teste la connectivité Internet
29	richard	290	rm -rf /tmp/con_ok.html
308	richard	291	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	292	if [ ! -e /tmp/con_ok.html ]
		293	then
595	richard	294	if [ $Lang == "fr" ]
		295	then
		296	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		297	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		298	echo "Vérifiez la validité des adresses IP des DNS."
		299	else
		300	echo "The Internet connection try failed (google.fr)."
		301	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		302	echo "Verify the DNS IP addresses"
		303	fi
29	richard	304	exit 0
		305	fi
		306	rm -rf /tmp/con_ok.html
308	richard	307	echo ". : ok"
1389	richard	308	} # end of testing ()
302	richard	309
		310	##################################################################
1221	richard	311	## Function "init" ##
302	richard	312	## - Création du fichier "/root/ALCASAR_parametres.txt" ##
		313	## - Installation et modification des scripts du portail ##
		314	##################################################################
		315	init ()
		316	{
527	richard	317	if [ "$mode" != "update" ]
302	richard	318	then
		319	# On affecte le nom d'organisme
597	richard	320	header_install
302	richard	321	ORGANISME=!
		322	PTN='^[a-zA-Z0-9-]*$'
580	richard	323	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
302	richard	324	do
595	richard	325	if [ $Lang == "fr" ]
597	richard	326	then echo -n "Entrez le nom de votre organisme : "
		327	else echo -n "Enter the name of your organism : "
595	richard	328	fi
330	franck	329	read ORGANISME
613	richard	330	if [ "$ORGANISME" == "" ]
330	franck	331	then
		332	ORGANISME=!
		333	fi
		334	done
302	richard	335	fi
1	root	336	# On crée aléatoirement les mots de passe et les secrets partagés
628	richard	337	rm -f $PASSWD_FILE
1350	richard	338	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
		339	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
628	richard	340	echo "$grubpwd" >> $PASSWD_FILE
1348	richard	341	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
384	richard	342	$SED "/^password.*/d" /boot/grub/menu.lst
		343	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
1350	richard	344	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	345	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
628	richard	346	echo "root / $mysqlpwd" >> $PASSWD_FILE
1350	richard	347	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	348	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
628	richard	349	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
1350	richard	350	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	351	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
		352	echo "$secretuam" >> $PASSWD_FILE
1350	richard	353	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	354	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
		355	echo "$secretradius" >> $PASSWD_FILE
		356	chmod 640 $PASSWD_FILE
977	richard	357	# Scripts and conf files copy
		358	# - in /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
5	franck	359	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
977	richard	360	# - in /usr/local/sbin : alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
5	franck	361	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
977	richard	362	# - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
648	richard	363	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
1	root	364	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
		365	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
5	franck	366	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
		367	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
628	richard	368	# generate central conf file
		369	cat <<EOF > $CONF_FILE
612	richard	370	##########################################
		371	## ##
		372	## ALCASAR Parameters ##
		373	## ##
		374	##########################################
1	root	375
612	richard	376	INSTALL_DATE=$DATE
		377	VERSION=$VERSION
		378	ORGANISM=$ORGANISME
923	franck	379	DOMAIN=$DOMAIN
612	richard	380	EOF
628	richard	381	chmod o-rwx $CONF_FILE
1	root	382	} # End of init ()
		383
		384	##################################################################
1221	richard	385	## Function "network" ##
1	root	386	## - Définition du plan d'adressage du réseau de consultation ##
595	richard	387	## - Nommage DNS du système ##
1336	richard	388	## - Configuration de l'interface INTIF (réseau de consultation)##
1	root	389	## - Modification du fichier /etc/hosts ##
		390	## - Configuration du serveur de temps (NTP) ##
		391	## - Renseignement des fichiers hosts.allow et hosts.deny ##
		392	##################################################################
		393	network ()
		394	{
		395	header_install
636	richard	396	if [ "$mode" != "update" ]
		397	then
		398	if [ $Lang == "fr" ]
		399	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		400	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		401	fi
		402	response=0
		403	PTN='^[oOyYnN]$'
		404	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	405	do
595	richard	406	if [ $Lang == "fr" ]
659	richard	407	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	408	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	409	fi
1	root	410	read response
		411	done
636	richard	412	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		413	then
		414	PRIVATE_IP_MASK="0"
		415	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		416	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	417	do
595	richard	418	if [ $Lang == "fr" ]
597	richard	419	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		420	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	421	fi
597	richard	422	read PRIVATE_IP_MASK
1	root	423	done
636	richard	424	else
		425	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		426	fi
595	richard	427	else
637	richard	428	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		429	rm -rf conf/etc/alcasar.conf
1	root	430	fi
861	richard	431	# Define LAN side global parameters
1243	richard	432	hostname $HOSTNAME.$DOMAIN
		433	echo $HOSTNAME.$DOMAIN > /etc/hostname
977	richard	434	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
		435	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
		436	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
		437	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
		438	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
		439	classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; classe_sup_sup=`expr $classe + 2` # ie.: 2=classe B, 3=classe C
		440	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		441	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
		442	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f$classe_sup` # last octet of LAN address
		443	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f$classe_sup` # last octet of LAN broadcast
837	richard	444	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
977	richard	445	PRIVATE_SECOND_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 2` # second network address (ex.: 192.168.182.2)
837	richard	446	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
1336	richard	447	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6` # MAC address of INTIF
841	richard	448	# Define Internet parameters
14	richard	449	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		450	DNS1=`grep DNS1 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 1er DNS
		451	DNS2=`grep DNS2 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 2ème DNS
70	franck	452	DNS1=${DNS1:=208.67.220.220}
		453	DNS2=${DNS2:=208.67.222.222}
597	richard	454	PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2`
1052	richard	455	DEFAULT_PUBLIC_NETMASK=`ipcalc -m $PUBLIC_IP \| cut -d"=" -f2`
784	richard	456	PUBLIC_NETMASK=${PUBLIC_NETMASK:=$DEFAULT_PUBLIC_NETMASK}
1052	richard	457	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	458	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
1469	richard	459	echo "EXTIF=$EXTIF" >> $CONF_FILE
		460	echo "INTIF=$INTIF" >> $CONF_FILE
765	stephane	461	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
994	franck	462	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	463	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
		464	echo "DNS1=$DNS1" >> $CONF_FILE
		465	echo "DNS2=$DNS2" >> $CONF_FILE
		466	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
941	richard	467	echo "DHCP=full" >> $CONF_FILE
914	franck	468	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		469	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		470	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
597	richard	471	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
841	richard	472	# config network
1	root	473	cat <<EOF > /etc/sysconfig/network
		474	NETWORKING=yes
1243	richard	475	HOSTNAME="$HOSTNAME.$DOMAIN"
1	root	476	FORWARD_IPV4=true
		477	EOF
841	richard	478	# config /etc/hosts
1	root	479	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		480	cat <<EOF > /etc/hosts
503	richard	481	127.0.0.1 localhost
1353	richard	482	$PRIVATE_IP $HOSTNAME.$DOMAIN $HOSTNAME $ORGANISME.$DOMAIN $ORGANISME
1	root	483	EOF
1336	richard	484	# Config EXTIF (Internet)
14	richard	485	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		486	DEVICE=$EXTIF
		487	BOOTPROTO=static
597	richard	488	IPADDR=$PUBLIC_IP
		489	NETMASK=$PUBLIC_NETMASK
		490	GATEWAY=$PUBLIC_GATEWAY
14	richard	491	DNS1=127.0.0.1
		492	ONBOOT=yes
		493	METRIC=10
		494	NOZEROCONF=yes
		495	MII_NOT_SUPPORTED=yes
		496	IPV6INIT=no
		497	IPV6TO4INIT=no
		498	ACCOUNTING=no
		499	USERCTL=no
994	franck	500	MTU=$MTU
14	richard	501	EOF
1336	richard	502	# Config INTIF (consultation LAN) in normal mode
841	richard	503	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		504	DEVICE=$INTIF
		505	BOOTPROTO=static
		506	ONBOOT=yes
		507	NOZEROCONF=yes
		508	MII_NOT_SUPPORTED=yes
		509	IPV6INIT=no
		510	IPV6TO4INIT=no
		511	ACCOUNTING=no
		512	USERCTL=no
1157	stephane	513	ETHTOOL_OPTS=$ETHTOOL_OPTS
841	richard	514	EOF
1336	richard	515	# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
793	richard	516	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
1	root	517	DEVICE=$INTIF
		518	BOOTPROTO=static
		519	IPADDR=$PRIVATE_IP
604	richard	520	NETMASK=$PRIVATE_NETMASK
1	root	521	ONBOOT=yes
		522	METRIC=10
		523	NOZEROCONF=yes
		524	MII_NOT_SUPPORTED=yes
14	richard	525	IPV6INIT=no
		526	IPV6TO4INIT=no
		527	ACCOUNTING=no
		528	USERCTL=no
1	root	529	EOF
440	franck	530	# Mise à l'heure du serveur
		531	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		532	cat <<EOF > /etc/ntp/step-tickers
455	franck	533	0.fr.pool.ntp.org # adapt to your country
		534	1.fr.pool.ntp.org
		535	2.fr.pool.ntp.org
440	franck	536	EOF
		537	# Configuration du serveur de temps (sur lui même)
1	root	538	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		539	cat <<EOF > /etc/ntp.conf
456	franck	540	server 0.fr.pool.ntp.org # adapt to your country
447	franck	541	server 1.fr.pool.ntp.org
		542	server 2.fr.pool.ntp.org
		543	server 127.127.1.0 # local clock si NTP internet indisponible ...
411	richard	544	fudge 127.127.1.0 stratum 10
604	richard	545	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
1	root	546	restrict 127.0.0.1
310	richard	547	driftfile /var/lib/ntp/drift
1	root	548	logfile /var/log/ntp.log
		549	EOF
440	franck	550
310	richard	551	chown -R ntp:ntp /var/lib/ntp
1	root	552	# Renseignement des fichiers hosts.allow et hosts.deny
		553	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		554	cat <<EOF > /etc/hosts.allow
		555	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	556	sshd: ALL
1	root	557	ntpd: $PRIVATE_NETWORK_SHORT
		558	EOF
		559	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		560	cat <<EOF > /etc/hosts.deny
		561	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		562	EOF
790	richard	563	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	564	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
1069	richard	565	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	566	# load conntrack ftp module
		567	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
		568	echo "ip_conntrack_ftp" >> /etc/modprobe.preload
1159	crox53	569	# load ipt_NETFLOW module
		570	echo "ipt_NETFLOW" >> /etc/modprobe.preload
1157	stephane	571	#
860	richard	572	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	573	} # End of network ()
		574
		575	##################################################################
1221	richard	576	## Function "ACC" ##
		577	## - installation du centre de gestion (ALCASAR Control Center) ##
1	root	578	## - configuration du serveur web (Apache) ##
		579	## - définition du 1er comptes de gestion ##
		580	## - sécurisation des accès ##
		581	##################################################################
1221	richard	582	ACC ()
1	root	583	{
		584	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		585	mkdir $DIR_WEB
		586	# Copie et configuration des fichiers du centre de gestion
316	richard	587	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972	richard	588	echo "$VERSION" > $DIR_WEB/VERSION
316	richard	589	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		590	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		591	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		592	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		593	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	594	chown -R apache:apache $DIR_WEB/*
1342	richard	595	for i in system_backup base logs/firewall logs/httpd logs/security;
1	root	596	do
		597	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		598	done
5	franck	599	chown -R root:apache $DIR_SAVE
71	richard	600	# Configuration et sécurisation php
		601	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	602	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		603	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	604	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		605	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71	richard	606	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		607	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
		608	# Configuration et sécurisation Apache
790	richard	609	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1	root	610	[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
1243	richard	611	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
303	richard	612	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1	root	613	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
		614	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
		615	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
790	richard	616	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
		617	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
		618	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
		619	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
		620	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
		621	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
990	franck	622	$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf
1359	richard	623	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] \|\| cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
		624	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
		625	[ -e /usr/share/httpd/error/include/top.html.default ] \|\| cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
		626	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
		627	[ -e /usr/share/httpd/error/include/bottom.html.default ] \|\| cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
		628	cat <<EOF > /usr/share/httpd/error/include/bottom.html
1	root	629	</body>
		630	</html>
		631	EOF
		632	# Définition du premier compte lié au profil 'admin'
509	richard	633	header_install
510	richard	634	if [ "$mode" = "install" ]
		635	then
613	richard	636	admin_portal=!
		637	PTN='^[a-zA-Z0-9-]*$'
		638	until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
		639	do
		640	header_install
		641	if [ $Lang == "fr" ]
		642	then
		643	echo ""
		644	echo "Définissez un premier compte d'administration du portail :"
		645	echo
		646	echo -n "Nom : "
		647	else
		648	echo ""
		649	echo "Define the first account allow to administrate the portal :"
		650	echo
		651	echo -n "Account : "
		652	fi
		653	read admin_portal
		654	if [ "$admin_portal" == "" ]
		655	then
		656	admin_portal=!
		657	fi
		658	done
1268	richard	659	# Creation of keys file for the admin account ("admin")
510	richard	660	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		661	mkdir -p $DIR_DEST_ETC/digest
		662	chmod 755 $DIR_DEST_ETC/digest
		663	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		664	do
1350	richard	665	/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
510	richard	666	done
		667	$DIR_DEST_SBIN/alcasar-profil.sh --list
		668	fi
434	richard	669	# synchronisation horaire
		670	ntpd -q -g &
1	root	671	# Sécurisation du centre
988	franck	672	rm -f /etc/httpd/conf/webapps.d/alcasar*
1	root	673	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	674	<Directory $DIR_ACC>
1	root	675	SSLRequireSSL
		676	AllowOverride None
		677	Order deny,allow
		678	Deny from all
		679	Allow from 127.0.0.1
		680	Allow from $PRIVATE_NETWORK_MASK
990	franck	681	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	682	require valid-user
		683	AuthType digest
1243	richard	684	AuthName $HOSTNAME.$DOMAIN
1	root	685	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	686	AuthUserFile $DIR_DEST_ETC/digest/key_all
1243	richard	687	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	688	</Directory>
316	richard	689	<Directory $DIR_ACC/admin>
1	root	690	SSLRequireSSL
		691	AllowOverride None
		692	Order deny,allow
		693	Deny from all
		694	Allow from 127.0.0.1
		695	Allow from $PRIVATE_NETWORK_MASK
990	franck	696	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	697	require valid-user
		698	AuthType digest
1243	richard	699	AuthName $HOSTNAME.$DOMAIN
1	root	700	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	701	AuthUserFile $DIR_DEST_ETC/digest/key_admin
1243	richard	702	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	703	</Directory>
344	richard	704	<Directory $DIR_ACC/manager>
1	root	705	SSLRequireSSL
		706	AllowOverride None
		707	Order deny,allow
		708	Deny from all
		709	Allow from 127.0.0.1
		710	Allow from $PRIVATE_NETWORK_MASK
990	franck	711	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	712	require valid-user
		713	AuthType digest
1243	richard	714	AuthName $HOSTNAME.$DOMAIN
1	root	715	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	716	AuthUserFile $DIR_DEST_ETC/digest/key_manager
1243	richard	717	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	718	</Directory>
316	richard	719	<Directory $DIR_ACC/backup>
		720	SSLRequireSSL
		721	AllowOverride None
		722	Order deny,allow
		723	Deny from all
		724	Allow from 127.0.0.1
		725	Allow from $PRIVATE_NETWORK_MASK
990	franck	726	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
316	richard	727	require valid-user
		728	AuthType digest
1243	richard	729	AuthName $HOSTNAME.$DOMAIN
316	richard	730	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	731	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	732	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
316	richard	733	</Directory>
811	richard	734	Alias /save/ "$DIR_SAVE/"
		735	<Directory $DIR_SAVE>
		736	SSLRequireSSL
		737	Options Indexes
		738	Order deny,allow
		739	Deny from all
		740	Allow from 127.0.0.1
		741	Allow from $PRIVATE_NETWORK_MASK
990	franck	742	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
811	richard	743	require valid-user
		744	AuthType digest
1243	richard	745	AuthName $HOSTNAME.$DOMAIN
811	richard	746	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	747	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
811	richard	748	</Directory>
1	root	749	EOF
1378	richard	750	# Launch after coova
		751	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
1410	richard	752	# Error page management
		753	FIC_ERROR_DOC=`find /etc/httpd/conf -type f -name multilang-errordoc.conf`
		754	[ -e $FIC_ERROR_DOC ] \|\| cp $FIC_ERROR_DOC $FIC_ERROR_DOC.default
		755
		756	cat <<EOF > $FIC_ERROR_DOC
		757	Alias /error/ "/var/www/html/"
		758
		759	<Directory "/usr/share/httpd/error">
		760	AllowOverride None
		761	Options IncludesNoExec
		762	AddOutputFilter Includes html
		763	AddHandler type-map var
		764	Require all granted
		765	LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
		766	ForceLanguagePriority Prefer Fallback
		767	</Directory>
		768
		769	ErrorDocument 400 /error/error.php?error=400
		770	ErrorDocument 401 /error/error.php?error=401
		771	ErrorDocument 403 /error/error.php?error=403
		772	ErrorDocument 404 /error/error.php?error=404
		773	ErrorDocument 405 /error/error.php?error=405
		774	ErrorDocument 408 /error/error.php?error=408
		775	ErrorDocument 410 /error/error.php?error=410
		776	ErrorDocument 411 /error/error.php?error=411
		777	ErrorDocument 412 /error/error.php?error=412
		778	ErrorDocument 413 /error/error.php?error=413
		779	ErrorDocument 414 /error/error.php?error=414
		780	ErrorDocument 415 /error/error.php?error=415
		781	ErrorDocument 500 /error/error.php?error=500
		782	ErrorDocument 501 /error/error.php?error=501
		783	ErrorDocument 502 /error/error.php?error=502
		784	ErrorDocument 503 /error/error.php?error=503
		785	ErrorDocument 506 /error/error.php?error=506
		786	EOF
		787
1389	richard	788	} # End of ACC ()
1	root	789
		790	##########################################################################################
1221	richard	791	## Fonction "CA" ##
1	root	792	## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
		793	##########################################################################################
1221	richard	794	CA ()
1	root	795	{
510	richard	796	$DIR_DEST_BIN/alcasar-CA.sh
800	richard	797	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	798	[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
1410	richard	799
		800	#$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
		801	#$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
		802	#$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
		803
		804	cat <<EOF > $FIC_VIRTUAL_SSL
		805	# default SSL virtual host, used for all HTTPS requests that do not
		806	# match a ServerName or ServerAlias in any <VirtualHost> block.
		807
		808	<VirtualHost _default_:443>
		809	# general configuration
		810	ServerAdmin root@localhost
		811	ServerName localhost
		812
		813	# SSL configuration
		814	SSLEngine on
		815	SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
		816	SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
		817	SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
		818	CustomLog logs/ssl_request_log \
		819	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
		820	ErrorLog logs/ssl_error_log
		821	ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
		822	</VirtualHost>
		823	EOF
		824
5	franck	825	chown -R root:apache /etc/pki
1	root	826	chmod -R 750 /etc/pki
1389	richard	827	} # End of CA ()
1	root	828
		829	##########################################################################################
1221	richard	830	## Fonction "init_db" ##
1	root	831	## - Initialisation de la base Mysql ##
		832	## - Affectation du mot de passe de l'administrateur (root) ##
		833	## - Suppression des bases et des utilisateurs superflus ##
		834	## - Création de la base 'radius' ##
		835	## - Installation du schéma de cette base ##
		836	## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##
		837	## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##
		838	##########################################################################################
		839	init_db ()
		840	{
1355	richard	841	rm -rf /var/lib/mysql # to be sure that there is no former installation
1	root	842	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
		843	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
1355	richard	844	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
1353	richard	845	systemctl start mysqld.service
1	root	846	sleep 4
		847	mysqladmin -u root password $mysqlpwd
		848	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1355	richard	849	# Secure the server
		850	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
		851	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
615	richard	852	# Create 'radius' database
1317	richard	853	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
615	richard	854	# Add an empty radius database structure
364	franck	855	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
615	richard	856	# modify the start script in order to close accounting connexion when the system is comming down or up
1357	richard	857	[ -e /lib/systemd/system/mysqld.service.default ] \|\| cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
		858	$SED "/ExecStartPost=/a ExecStartPost=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
1355	richard	859	$SED "/ExecStartPost=/a ExecStop=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
		860	systemctl daemon-reload
1389	richard	861	} # End of init_db ()
1	root	862
		863	##########################################################################
1389	richard	864	## Fonction "radius" ##
1	root	865	## - Paramètrage des fichiers de configuration FreeRadius ##
		866	## - Affectation du secret partagé entre coova-chilli et freeradius ##
		867	## - Modification de fichier de conf pour l'accès à Mysql ##
		868	##########################################################################
1389	richard	869	radius ()
1	root	870	{
		871	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
		872	chown -R radius:radius /etc/raddb
		873	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1278	richard	874	# Set radius.conf parameters
1	root	875	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		876	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		877	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
1278	richard	878	# remove the proxy function
1	root	879	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf
		880	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
1278	richard	881	# remove EAP module
654	richard	882	$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1278	richard	883	# listen on loopback (should be modified later if EAP enabled)
1	root	884	$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
1278	richard	885	# enable the SQL module (and SQL counter)
1	root	886	$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
		887	$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
		888	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1465	richard	889	# only include modules for ALCASAR needs
		890	$SED "s?^[\t ]\$INCLUDE \${confdir}/modules/.?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
		891	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
		892	$SED "s?^[\t ]expr.?\#\texpr?g" /etc/raddb/radiusd.conf
		893	$SED "s?^[\t ]\# daily.?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
		894	$SED "s?^[\t ]logintime.?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
		895	$SED "s?^[\t ]\$INCLUDE sites-enabled/.?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
1278	richard	896	# remvove virtual server and copy our conf file
1	root	897	rm -f /etc/raddb/sites-enabled/*
1278	richard	898	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1	root	899	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
		900	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
		901	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
		902	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
384	richard	903	# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1	root	904	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1278	richard	905	# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1	root	906	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		907	cat << EOF > /etc/raddb/clients.conf
		908	client 127.0.0.1 {
		909	secret = $secretradius
		910	shortname = localhost
		911	}
		912	EOF
1278	richard	913	# sql.conf modification
1	root	914	[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
		915	$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
		916	$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
		917	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
		918	$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf
1278	richard	919	# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.)
1	root	920	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1278	richard	921	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
		922	# counter.conf modification (change the Max-All-Session-Time counter)
		923	[ -e /etc/raddb/sql/mysql/counter.conf.default ] \|\| cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
		924	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
		925	chown -R radius:radius /etc/raddb/sql/mysql/*
1358	richard	926	# make certain that mysql is up before radius start
		927	[ -e /lib/systemd/system/radiusd.service.default ] \|\| cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
		928	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
		929	systemctl daemon-reload
1389	richard	930	} # End radius ()
1	root	931
		932	##########################################################################
1389	richard	933	## Function "radius_web" ##
1	root	934	## - Import, modification et paramètrage de l'interface "dialupadmin" ##
		935	## - Création du lien vers la page de changement de mot de passe ##
		936	##########################################################################
1389	richard	937	radius_web ()
1	root	938	{
		939	# copie de l'interface d'origine dans la structure Alcasar
316	richard	940	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
		941	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme
		942	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
344	richard	943	# copie des fichiers modifiés
		944	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
316	richard	945	chown -R apache:apache $DIR_ACC/manager/
344	richard	946	# Modification des fichiers de configuration
1	root	947	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
503	richard	948	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1	root	949	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		950	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		951	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
		952	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
		953	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
		954	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
		955	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
946	richard	956	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
344	richard	957	[ -e /etc/freeradius-web/config.php.default ] \|\| cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
1278	richard	958	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
131	richard	959	cat <<EOF > /etc/freeradius-web/naslist.conf
632	richard	960	nas1_name: alcasar-$ORGANISME
1	root	961	nas1_model: Portail captif
		962	nas1_ip: $PRIVATE_IP
		963	nas1_port_num: 0
		964	nas1_community: public
		965	EOF
		966	# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
		967	[ -e /etc/freeradius-web/user_edit.attrs.default ] \|\| mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
1278	richard	968	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
114	richard	969	# Ajout du mappage des attributs chillispot
		970	[ -e /etc/freeradius-web/sql.attrmap.default ] \|\| mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
1278	richard	971	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
1	root	972	# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
1278	richard	973	[ -e /etc/freeradius-web/sql.attrs.default ] \|\| cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
1	root	974	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
		975	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
5	franck	976	chown -R apache:apache /etc/freeradius-web
1	root	977	# Ajout de l'alias vers la page de "changement de mot de passe usager"
		978	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
344	richard	979	<Directory $DIR_WEB/pass>
1	root	980	SSLRequireSSL
		981	AllowOverride None
		982	Order deny,allow
		983	Deny from all
		984	Allow from 127.0.0.1
		985	Allow from $PRIVATE_NETWORK_MASK
1243	richard	986	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
1	root	987	</Directory>
		988	EOF
1389	richard	989	} # End of radius_web ()
1	root	990
799	richard	991	##################################################################################
1389	richard	992	## Fonction "chilli" ##
799	richard	993	## - Création du fichier d'initialisation et de configuration de coova-chilli ##
		994	## - Paramètrage de la page d'authentification (intercept.php) ##
		995	##################################################################################
1389	richard	996	chilli ()
1	root	997	{
1370	richard	998	# chilli unit for systemd
		999	cat << EOF > /lib/systemd/system/chilli.service
1372	richard	1000	# This file is part of systemd.
		1001	#
		1002	# systemd is free software; you can redistribute it and/or modify it
		1003	# under the terms of the GNU General Public License as published by
		1004	# the Free Software Foundation; either version 2 of the License, or
		1005	# (at your option) any later version.
1370	richard	1006	[Unit]
		1007	Description=chilli is a captive portal daemon
		1008	After=network.target
		1009
		1010	[Service]
1379	richard	1011	Type=forking
1370	richard	1012	ExecStart=/usr/libexec/chilli start
		1013	ExecStop=/usr/libexec/chilli stop
		1014	ExecReload=/usr/libexec/chilli reload
		1015	PIDFile=/var/run/chilli.pid
		1016
		1017	[Install]
		1018	WantedBy=multi-user.target
		1019	EOF
799	richard	1020	# init file creation
1370	richard	1021	[ -e /etc/init.d/chilli.default ] \|\| mv /etc/init.d/chilli /etc/init.d/chilli.default
		1022	cat <<EOF > /usr/libexec/chilli
799	richard	1023	#!/bin/sh
		1024	#
		1025	# chilli CoovaChilli init
		1026	#
		1027	# chkconfig: 2345 65 35
		1028	# description: CoovaChilli
		1029	### BEGIN INIT INFO
		1030	# Provides: chilli
		1031	# Required-Start: network
		1032	# Should-Start:
		1033	# Required-Stop: network
		1034	# Should-Stop:
		1035	# Default-Start: 2 3 5
		1036	# Default-Stop:
		1037	# Description: CoovaChilli access controller
		1038	### END INIT INFO
		1039
		1040	[ -f /usr/sbin/chilli ] \|\| exit 0
		1041	. /etc/init.d/functions
		1042	CONFIG=/etc/chilli.conf
		1043	pidfile=/var/run/chilli.pid
		1044	[ -f \$CONFIG ] \|\| {
		1045	echo "\$CONFIG Not found"
		1046	exit 0
		1047	}
		1048	RETVAL=0
		1049	prog="chilli"
		1050	case \$1 in
		1051	start)
		1052	if [ -f \$pidfile ] ; then
		1053	gprintf "chilli is already running"
		1054	else
		1055	gprintf "Starting \$prog: "
		1056	rm -f /var/run/chilli* # cleaning
		1057	/sbin/modprobe tun >/dev/null 2>&1
		1058	echo 1 > /proc/sys/net/ipv4/ip_forward
		1059	[ -e /dev/net/tun ] \|\| {
		1060	(cd /dev;
		1061	mkdir net;
		1062	cd net;
		1063	mknod tun c 10 200)
		1064	}
1336	richard	1065	ifconfig $INTIF 0.0.0.0
799	richard	1066	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		1067	RETVAL=$?
		1068	fi
		1069	;;
		1070
		1071	reload)
		1072	killall -HUP chilli
		1073	;;
		1074
		1075	restart)
		1076	\$0 stop
		1077	sleep 2
		1078	\$0 start
		1079	;;
		1080
		1081	status)
		1082	status chilli
		1083	RETVAL=0
		1084	;;
		1085
		1086	stop)
		1087	if [ -f \$pidfile ] ; then
		1088	gprintf "Shutting down \$prog: "
		1089	killproc /usr/sbin/chilli
		1090	RETVAL=\$?
		1091	[ \$RETVAL = 0 ] && rm -f $pidfile
		1092	else
		1093	gprintf "chilli is not running"
		1094	fi
		1095	;;
		1096
		1097	*)
		1098	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		1099	exit 1
		1100	esac
		1101	echo
		1102	EOF
1373	richard	1103	chmod a+x /usr/libexec/chilli
799	richard	1104	# conf file creation
346	richard	1105	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
		1106	cat <<EOF > /etc/chilli.conf
		1107	# coova config for ALCASAR
		1108	cmdsocket /var/run/chilli.sock
1336	richard	1109	unixipc chilli.$INTIF.ipc
		1110	pidfile /var/run/chilli.$INTIF.pid
346	richard	1111	net $PRIVATE_NETWORK_MASK
595	richard	1112	dhcpif $INTIF
841	richard	1113	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	1114	#nodynip
865	richard	1115	#statip
		1116	dynip $PRIVATE_NETWORK_MASK
1249	richard	1117	domain $DOMAIN
355	richard	1118	dns1 $PRIVATE_IP
		1119	dns2 $PRIVATE_IP
346	richard	1120	uamlisten $PRIVATE_IP
503	richard	1121	uamport 3990
837	richard	1122	macauth
		1123	macpasswd password
1243	richard	1124	locationname $HOSTNAME.$DOMAIN
346	richard	1125	radiusserver1 127.0.0.1
		1126	radiusserver2 127.0.0.1
		1127	radiussecret $secretradius
		1128	radiusauthport 1812
		1129	radiusacctport 1813
1243	richard	1130	uamserver https://$HOSTNAME.$DOMAIN/intercept.php
		1131	radiusnasid $HOSTNAME.$DOMAIN
346	richard	1132	uamsecret $secretuam
1249	richard	1133	uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN
346	richard	1134	coaport 3799
1379	richard	1135	conup $DIR_DEST_BIN/alcasar-conup.sh
		1136	condown $DIR_DEST_BIN/alcasar-condown.sh
503	richard	1137	include $DIR_DEST_ETC/alcasar-uamallowed
		1138	include $DIR_DEST_ETC/alcasar-uamdomain
1294	richard	1139	#dhcpgateway
1157	stephane	1140	#dhcprelayagent
		1141	#dhcpgatewayport
346	richard	1142	EOF
1336	richard	1143	# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
977	richard	1144	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
840	richard	1145	# create files for trusted domains and urls
1148	crox53	1146	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	1147	chown root:apache $DIR_DEST_ETC/alcasar-*
		1148	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	1149	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	1150	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
		1151	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
796	richard	1152	# user 'chilli' creation (in order to run conup/off and up/down scripts
		1153	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		1154	if [ "$chilli_exist" == "1" ]
		1155	then
		1156	userdel -r chilli 2>/dev/null
		1157	fi
		1158	groupadd -f chilli
		1159	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1389	richard	1160	} # End of chilli ()
1349	richard	1161
1	root	1162	##################################################################
1389	richard	1163	## Fonction "dansguardian" ##
1	root	1164	## - Paramètrage du gestionnaire de contenu Dansguardian ##
		1165	##################################################################
1389	richard	1166	dansguardian ()
1	root	1167	{
		1168	mkdir /var/dansguardian
		1169	chown dansguardian /var/dansguardian
1375	richard	1170	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1391	richard	1171	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
497	richard	1172	[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1293	richard	1173	# By default the filter is off
497	richard	1174	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1293	richard	1175	# French deny HTML page
497	richard	1176	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1293	richard	1177	# Listen only on LAN side
497	richard	1178	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1342	richard	1179	# DG send its flow to HAVP
		1180	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1293	richard	1181	# replace the default deny HTML page
1	root	1182	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
		1183	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1293	richard	1184	# Don't log
		1185	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
		1186	# Run 10 daemons (20 in largest server)
659	richard	1187	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1	root	1188	# on désactive par défaut le controle de contenu des pages html
497	richard	1189	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
		1190	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1191	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1	root	1192	# on désactive par défaut le contrôle d'URL par expressions régulières
497	richard	1193	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1194	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1	root	1195	# on désactive par défaut le contrôle de téléchargement de fichiers
497	richard	1196	[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
		1197	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
		1198	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1199	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1200	touch $DIR_DG/lists/bannedextensionlist
		1201	touch $DIR_DG/lists/bannedmimetypelist
		1202	# 'Safesearch' regex actualisation
498	richard	1203	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1204	# empty LAN IP list that won't be WEB filtered
		1205	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1206	touch $DIR_DG/lists/exceptioniplist
		1207	# Keep a copy of URL & domain filter configuration files
		1208	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1209	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1389	richard	1210	} # End of dansguardian ()
1	root	1211
71	richard	1212	##################################################################
1221	richard	1213	## Fonction "antivirus" ##
1357	richard	1214	## - configuration of havp, libclamav and freshclam ##
71	richard	1215	##################################################################
		1216	antivirus ()
		1217	{
1358	richard	1218	# create 'havp' user
288	richard	1219	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1220	if [ "$havp_exist" == "1" ]
288	richard	1221	then
478	richard	1222	userdel -r havp 2>/dev/null
894	richard	1223	groupdel havp 2>/dev/null
288	richard	1224	fi
307	richard	1225	groupadd -f havp
796	richard	1226	useradd -r -g havp -s /bin/false -c "system user for havp" havp
1366	richard	1227	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
1393	richard	1228	mkdir -p /var/tmp/havp2 /var/log/havp2
476	richard	1229	chown -R havp /var/tmp/havp /var/log/havp /var/run/havp
1393	richard	1230	chown -R havp /var/tmp/havp2 /var/log/havp2
109	richard	1231	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1232	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1393	richard	1233	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config # pidfile
		1234	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode
631	richard	1235	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on 8090
		1236	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
990	franck	1237	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1238	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1239	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1240	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1241	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1242	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1393	richard	1243	cp /etc/havp/havp.config /etc/havp/havp2.config
		1244	$SED "s?^PIDFILE.*?PIDFILE /var/run/havp/havp2.pid?g" /etc/havp/havp2.config # pidfile
		1245	$SED "s?^TRANSPARENT.*?TRANSPARENT true?g" /etc/havp/havp2.config # transparent mode
		1246	$SED "s?^PORT.*?PORT 8091?g" /etc/havp/havp2.config # datas come on 8091
		1247	$SED "s?^BIND_ADDRESS.*?BIND_ADDRESS 192.168.182.1?g" /etc/havp/havp2.config # we listen only on tun0
1007	richard	1248	# skip checking of youtube flow (too heavy load / risk too low)
		1249	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1250	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1251	echo ".youtube.com/" >> /etc/havp/whitelist
1358	richard	1252	# replacement of init script
335	richard	1253	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
481	franck	1254	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1393	richard	1255	cp /etc/init.d/havp /etc/init.d/havp2
		1256	$SED "s?^# description.*?# description: starts HAVP2 the High Availability Antivirus Proxy?g" /etc/init.d/havp2 # description
		1257	$SED "s?^HAVP_CONFIG.*?HAVP_CONFIG=/etc/havp/havp2.config?g" /etc/init.d/havp2 # config file
		1258	$SED "s?^PIDFILE.*?PIDFILE=/var/run/havp/havp2.pid?g" /etc/init.d/havp2 # pidfile
		1259	$SED "s?^NAME.*?NAME=havp2?g" /etc/init.d/havp2 # name
		1260	$SED "s?^DESC.*?DESC=havp2?g" /etc/init.d/havp2 # desc
		1261	#$SED "s?if [ -f /etc/sysconfig/havp ] ; then.*?if [ -f /etc/sysconfig/havp2 ] ; then?g" /etc/init.d/havp2 # defaults
		1262	#$SED "s?. /etc/sysconfig/havp.*?. /etc/sysconfig/havp2?g" /etc/init.d/havp2 # defaults
		1263	$SED "s?^havp_mountpoint.*?havp_mountpoint=/var/tmp/havp2?g" /etc/init.d/havp2 # mountpoint
		1264	$SED "s?echo \"Reloading HAVP ...\".*?echo \"Reloading HAVP2 ...\"?g" /etc/init.d/havp2 # reloading havp
		1265	$SED "s?echo \"Error: HAVP not running\".*?echo \"Error : HAVP2 not running\"?g" /etc/init.d/havp2 # error havp
		1266	$SED "s?echo \"Error: HAVP not running or PIDFILE not readable\".*?echo \"Error : HAVP2 not running or PIDFILE not readable\"?g" /etc/init.d/havp2 # error havp
		1267	$SED "s?echo \"Error: HAVP not running or PIDFILE unreadable\".*?echo \"Error : HAVP2 not running or PIDFILE unreadable\"?g" /etc/init.d/havp2 # error havp
		1268	$SED "s?echo \"Shutting down HAVP ...\".*?echo \"Shutting down HAVP2 ...\"?g" /etc/init.d/havp2 # shutting down havp
		1269	$SED "s?status havp.*?status havp2?g" /etc/init.d/havp2 # status havp
1358	richard	1270	# replace of the intercept page (template)
340	richard	1271	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1272	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1358	richard	1273	# update virus database every 4 hours (24h/6)
1357	richard	1274	[ -e /etc/freshclam.conf.default ] \|\| cp /etc/freshclam.conf /etc/freshclam.conf.default
		1275	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
489	richard	1276	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1357	richard	1277	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1358	richard	1278	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
		1279	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1385	richard	1280	# update now
1382	richard	1281	/usr/bin/freshclam --no-warnings
1389	richard	1282	} # End of antivirus ()
71	richard	1283
1	root	1284	##################################################################################
1389	richard	1285	## function "ulogd" ##
476	richard	1286	## - Ulog config for multi-log files ##
		1287	##################################################################################
1389	richard	1288	ulogd ()
476	richard	1289	{
		1290	# Three instances of ulogd (three different logfiles)
		1291	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1292	nl=1
1358	richard	1293	for log_type in traceability ssh ext-access
478	richard	1294	do
1365	richard	1295	[ -e /lib/systemd/system/ulogd-$log_type.service ] \|\| cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1369	richard	1296	[ -e /var/log/firewall/$log_type.log ] \|\| echo "" > /var/log/firewall/$log_type.log
1375	richard	1297	cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
478	richard	1298	$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
		1299	cat << EOF >> /etc/ulogd-$log_type.conf
1452	richard	1300	[emu1]
478	richard	1301	file="/var/log/firewall/$log_type.log"
		1302	sync=1
		1303	EOF
1452	richard	1304	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
478	richard	1305	nl=`expr $nl + 1`
		1306	done
476	richard	1307	chown -R root:apache /var/log/firewall
		1308	chmod 750 /var/log/firewall
		1309	chmod 640 /var/log/firewall/*
1389	richard	1310	} # End of ulogd ()
476	richard	1311
1159	crox53	1312
		1313	##########################################################
1389	richard	1314	## Function "nfsen" ##
1159	crox53	1315	##########################################################
1389	richard	1316	nfsen()
1	root	1317	{
1393	richard	1318	tar xzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
1365	richard	1319	# Add PortTracker plugin
1395	richard	1320	for i in /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
		1321	do
		1322	[ ! -d $i ] && mkdir $i && chown -R apache:apache $i && echo "$i created" \|\| echo "$i already exists"
		1323	done
1221	richard	1324	cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
1365	richard	1325	# use of our conf file and init unit
1221	richard	1326	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
1365	richard	1327	# Installation of nfsen
1221	richard	1328	DirTmp=$(pwd)
		1329	cd /tmp/nfsen-1.3.6p1/
1365	richard	1330	/usr/bin/perl5 install.pl etc/nfsen.conf
		1331	/usr/bin/perl5 install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
		1332	# Create RRD DB for porttracker (only in it still doesn't exist)
1221	richard	1333	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
		1334	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
1395	richard	1335	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
		1336	chmod -R 770 /var/log/netflow/porttracker
1365	richard	1337	# Apache conf file
1394	richard	1338	cat << EOF > /etc/httpd/conf/conf.d/nfsen.conf
1159	crox53	1339	Alias /nfsen /var/www/nfsen
		1340	<Directory /var/www/nfsen/>
		1341	DirectoryIndex nfsen.php
		1342	Options -Indexes
		1343	AllowOverride all
		1344	order allow,deny
		1345	allow from all
		1346	AddType application/x-httpd-php .php
		1347	php_flag magic_quotes_gpc on
		1348	php_flag track_vars on
1	root	1349	</Directory>
		1350	EOF
1372	richard	1351	# nfsen unit for systemd
		1352	cat << EOF > /lib/systemd/system/nfsen.service
		1353	# This file is part of systemd.
		1354	#
		1355	# systemd is free software; you can redistribute it and/or modify it
		1356	# under the terms of the GNU General Public License as published by
		1357	# the Free Software Foundation; either version 2 of the License, or
		1358	# (at your option) any later version.
		1359
		1360	# This unit launches nfsen (a Netflow grapher).
		1361	[Unit]
		1362	Description= NfSen init script
		1363	After=network.target iptables.service
		1364
		1365	[Service]
		1366	Type=oneshot
		1367	RemainAfterExit=yes
1393	richard	1368	PIDFile=/var/run/nfsen/nfsen.pid
		1369	ExecStartPre=/bin/mkdir -p /var/run/nfsen
		1370	ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1372	richard	1371	ExecStart=/usr/bin/nfsen start
		1372	ExecStop=/usr/bin/nfsen stop
1393	richard	1373	ExecReload=/usr/bin/nfsen restart
1372	richard	1374	TimeoutSec=0
		1375
		1376	[Install]
		1377	WantedBy=multi-user.target
		1378	EOF
1365	richard	1379	# Add the listen port to collect netflow packet (nfcapd)
1393	richard	1380	$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
1365	richard	1381	# expire delay for the profile "live"
1393	richard	1382	systemctl start nfsen
		1383	/bin/nfsen -m live -e 62d 2>/dev/null
1397	richard	1384	# add SURFmap plugin
1412	richard	1385	tar xzf $DIR_CONF/nfsen/SURFmap_v3.3b1.tar.gz -C /tmp/
1413	richard	1386	cp $DIR_CONF/nfsen/install-surfmap.sh /tmp/SURFmap/install.sh
1397	richard	1387	cd /tmp/SURFmap
		1388	/usr/bin/sh install.sh
1418	richard	1389
1365	richard	1390	# clear the installation
1221	richard	1391	cd $DirTmp
		1392	rm -rf /tmp/nfsen-1.3.6p1/
1397	richard	1393	rm -rf /tmp/SURFmap/
1389	richard	1394	} # End of nfsen ()
1	root	1395
1390	richard	1396	##################################################
1389	richard	1397	## Function "dnsmasq" ##
1390	richard	1398	##################################################
1389	richard	1399	dnsmasq ()
219	jeremy	1400	{
		1401	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
1356	richard	1402	[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1387	richard	1403	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
503	richard	1404	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1472	richard	1405	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
503	richard	1406	cat << EOF > /etc/dnsmasq.conf
520	richard	1407	# Configuration file for "dnsmasq in forward mode"
1387	richard	1408	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
259	richard	1409	listen-address=$PRIVATE_IP
1390	richard	1410	pid-file=/var/run/dnsmasq.pid
259	richard	1411	listen-address=127.0.0.1
286	richard	1412	no-dhcp-interface=$INTIF
1387	richard	1413	no-dhcp-interface=tun0
		1414	no-dhcp-interface=lo
259	richard	1415	bind-interfaces
		1416	cache-size=256
		1417	domain=$DOMAIN
		1418	domain-needed
		1419	expand-hosts
		1420	bogus-priv
		1421	filterwin2k
		1422	server=$DNS1
		1423	server=$DNS2
1387	richard	1424	# DHCP service is configured. It will be enabled in "bypass" mode
865	richard	1425	dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
632	richard	1426	dhcp-option=option:router,$PRIVATE_IP
259	richard	1427	#dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
		1428
1387	richard	1429	# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1430	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1431	EOF
1356	richard	1432	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
		1433	cat << EOF > /etc/dnsmasq-blacklist.conf
1390	richard	1434	# Configuration file for "dnsmasq with blacklist"
1387	richard	1435	# Add Toulouse blacklist domains
1472	richard	1436	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
1015	richard	1437	conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1390	richard	1438	pid-file=/var/run/dnsmasq-blacklist.pid
498	richard	1439	listen-address=$PRIVATE_IP
		1440	port=54
		1441	no-dhcp-interface=$INTIF
1387	richard	1442	no-dhcp-interface=tun0
1472	richard	1443	no-dhcp-interface=lo
498	richard	1444	bind-interfaces
		1445	cache-size=256
		1446	domain=$DOMAIN
		1447	domain-needed
		1448	expand-hosts
		1449	bogus-priv
		1450	filterwin2k
		1451	server=$DNS1
		1452	server=$DNS2
		1453	EOF
1379	richard	1454	# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1357	richard	1455	cat << EOF > /etc/dnsmasq-whitelist.conf
1390	richard	1456	# Configuration file for "dnsmasq with whitelist"
1356	richard	1457	# Inclusion de la whitelist <domains> de Toulouse dans la configuration
1472	richard	1458	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
1356	richard	1459	conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1472	richard	1460	pid-file=/var/run/dnsmasq-whitelist.pid
1356	richard	1461	listen-address=$PRIVATE_IP
		1462	port=55
		1463	no-dhcp-interface=$INTIF
1387	richard	1464	no-dhcp-interface=tun0
1472	richard	1465	no-dhcp-interface=lo
1356	richard	1466	bind-interfaces
		1467	cache-size=256
		1468	domain=$DOMAIN
		1469	domain-needed
		1470	expand-hosts
		1471	bogus-priv
		1472	filterwin2k
1472	richard	1473	address=/#/$PRIVATE_IP # for Domain name without local resolution (WL)
		1474	ipset=/#/whitelist_ip_allowed # dynamicly add the resolv IP address in the Firewall rules
1356	richard	1475	EOF
1472	richard	1476	# 4th dnsmasq listen on udp 56 ("blackhole")
		1477	cat << EOF > /etc/dnsmasq-blackhole.conf
		1478	# Configuration file for "dnsmasq as a blackhole"
		1479	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
		1480	address=/#/$PRIVATE_IP # redirect all on ALCASAR IP address
		1481	pid-file=/var/run/dnsmasq-blackhole.pid
		1482	listen-address=$PRIVATE_IP
		1483	port=56
		1484	no-dhcp-interface=$INTIF
		1485	no-dhcp-interface=tun0
		1486	no-dhcp-interface=lo
		1487	bind-interfaces
		1488	cache-size=256
		1489	domain=$DOMAIN
		1490	domain-needed
		1491	expand-hosts
		1492	bogus-priv
		1493	filterwin2k
		1494	EOF
		1495
1372	richard	1496	# Start after chilli (which create tun0)
		1497	$SED "s?^After=.*?After=syslog.target network.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1474	richard	1498	# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
		1499	for list in blacklist whitelist blackhole
		1500	do
		1501	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
		1502	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
		1503	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
		1504	done
308	richard	1505	} # End dnsmasq
		1506
		1507	##########################################################
1221	richard	1508	## Fonction "BL" ##
308	richard	1509	##########################################################
		1510	BL ()
		1511	{
1386	richard	1512	# modify iptables boot file to start alcasar-iptables.sh when the system is booting
		1513	[ -e /lib/systemd/system/iptables.service.default ] \|\| cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
		1514	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
1384	richard	1515	# copy and extract toulouse BL
648	richard	1516	rm -rf $DIR_DG/lists/blacklists
		1517	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
1383	richard	1518	# creation of the OSSI BL and WL categories (domain name and url)
878	richard	1519	mkdir $DIR_DG/lists/blacklists/ossi
1041	richard	1520	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
		1521	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
1384	richard	1522	chown -R dansguardian:apache $DIR_DG $DIR_DEST_SHARE
		1523	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1383	richard	1524	# creation of file for the rehabilited domains and urls
648	richard	1525	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1526	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1527	touch $DIR_DG/lists/exceptionsitelist
		1528	touch $DIR_DG/lists/exceptionurllist
311	richard	1529	# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
648	richard	1530	cat <<EOF > $DIR_DG/lists/bannedurllist
311	richard	1531	# Dansguardian filter config for ALCASAR
		1532	EOF
648	richard	1533	cat <<EOF > $DIR_DG/lists/bannedsitelist
311	richard	1534	# Dansguardian domain filter config for ALCASAR
		1535	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1536	#**
		1537	# block all SSL and CONNECT tunnels
		1538	**s
		1539	# block all SSL and CONNECT tunnels specified only as an IP
		1540	*ips
		1541	# block all sites specified only by an IP
		1542	*ip
		1543	EOF
1000	richard	1544	# Add Bing and Youtube to the safesearch url regext list (parental control)
878	richard	1545	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1546	# Bing - add 'adlt=strict'
		1547	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1548	# Youtube - add 'edufilter=your_ID'
885	richard	1549	#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"
878	richard	1550	EOF
1000	richard	1551	# change the the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1552	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1370	richard	1553	# adapt the BL to ALCASAR architecture. Enable the default categories
654	richard	1554	if [ "$mode" != "update" ]; then
		1555	$DIR_DEST_SBIN/alcasar-bl.sh --adapt
1370	richard	1556	$DIR_DEST_SBIN/alcasar-bl.sh --cat_choice
1387	richard	1557	# !!! we can be banned by DNS server (waiting for a cool solution $DIR_DEST_SBIN/alcasar-bl.sh --ip_retrieving
654	richard	1558	fi
308	richard	1559	}
219	jeremy	1560
1	root	1561	##########################################################
1221	richard	1562	## Fonction "cron" ##
1	root	1563	## - Mise en place des différents fichiers de cron ##
		1564	##########################################################
		1565	cron ()
		1566	{
		1567	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1568	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1569	cat <<EOF > /etc/crontab
		1570	SHELL=/bin/bash
		1571	PATH=/sbin:/bin:/usr/sbin:/usr/bin
		1572	MAILTO=root
		1573	HOME=/
		1574
		1575	# run-parts
		1576	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1577	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1578	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1579	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1580	EOF
		1581	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1582	cat <<EOF >> /etc/anacrontab
667	franck	1583	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
1380	richard	1584	7 10 cron.logExport nice /etc/cron.d/alcasar-archive
667	franck	1585	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1586	EOF
1247	crox53	1587
811	richard	1588	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1589	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
955	richard	1590	45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
905	franck	1591	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
917	franck	1592	40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1593	EOF
952	franck	1594	cat <<EOF > /etc/cron.d/alcasar-archive
		1595	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1596	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1597	EOF
667	franck	1598	cat << EOF > /etc/cron.d/alcasar-clean_import
713	franck	1599	# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
503	richard	1600	30 * * * * root $DIR_DEST_BIN/alcasar-import-clean.sh
168	franck	1601	EOF
722	franck	1602	cat << EOF > /etc/cron.d/alcasar-distrib-updates
		1603	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1604	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1605	EOF
1247	crox53	1606	#cat << EOF > /etc/cron.d/alcasar-netflow
1159	crox53	1607	# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
1247	crox53	1608	#15 0 * * 1 root $DIR_DEST_BIN/alcasar-netflow.sh
		1609	#EOF
1159	crox53	1610
1	root	1611	# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
		1612	# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
		1613	# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
		1614	# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
		1615	# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
		1616	# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
		1617	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
		1618	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
		1619	rm -f /etc/cron.daily/freeradius-web
		1620	rm -f /etc/cron.monthly/freeradius-web
		1621	cat << EOF > /etc/cron.d/freeradius-web
		1622	1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
		1623	5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
		1624	10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
		1625	15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
		1626	EOF
671	franck	1627	cat << EOF > /etc/cron.d/alcasar-watchdog
713	franck	1628	# activation du "chien de garde" (watchdog) toutes les 3'
1	root	1629	/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
		1630	EOF
808	franck	1631	# activation du "chien de garde des services" (watchdog) toutes les 18'
		1632	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
		1633	# activation du "chien de garde" (daemon-watchdog) toutes les 18'
		1634	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1635	EOF
522	richard	1636	# suppression des crons usagers
		1637	rm -f /var/spool/cron/*
1	root	1638	} # End cron
		1639
		1640	##################################################################
1221	richard	1641	## Fonction "Fail2Ban" ##
1163	crox53	1642	##- Modification de la configuration de fail2ban ##
		1643	##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ##
		1644	##################################################################
		1645	fail2ban()
		1646	{
1191	crox53	1647	$DIR_CONF/fail2ban.sh
1474	richard	1648	# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1192	crox53	1649	[ -e /var/log/fail2ban.log ] \|\| touch /var/log/fail2ban.log
		1650	[ -e /var/Save/logs/security/watchdog.log ] \|\| touch /var/Save/logs/security/watchdog.log
1165	crox53	1651	chmod 644 /var/log/fail2ban.log
1192	crox53	1652	chmod 644 /var/Save/logs/security/watchdog.log
1418	richard	1653	/usr/bin/touch /var/log/auth.log
		1654
1411	richard	1655
		1656	# Edition de l'unité fail2ban
1418	richard	1657	[ -e /usr/lib/systemd/system/fail2ban.service ] && cp /usr/lib/systemd/system/fail2ban.service /usr/lib/systemd/system/fail2ban.service.default
1411	richard	1658	$SED '/Type/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1418	richard	1659	$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1411	richard	1660
		1661
1163	crox53	1662	} #Fin de fail2ban_install()
		1663
		1664	##################################################################
1376	richard	1665	## Fonction "gammu_smsd" ##
		1666	## - Creation de la base de donnée Gammu ##
		1667	## - Creation du fichier de config: gammu_smsd_conf ##
		1668	## ##
		1669	##################################################################
		1670	gammu_smsd()
		1671	{
		1672	# Create 'gammu' databse
		1673	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
		1674	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
		1675	# Add a gammu database structure
		1676	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/gammu-smsd-db-vierge.sql
		1677
		1678	# config file for the daemon
		1679	cat << EOF > /etc/gammu_smsd_conf
		1680	[gammu]
		1681	port = /dev/ttyUSB0
		1682	connection = at115200
		1683
		1684	;########################################################
		1685
		1686	[smsd]
		1687
		1688	PIN = 1234
		1689
		1690	logfile = /var/log/gammu-smsd/gammu-smsd.log
		1691	logformat = textall
		1692	debuglevel = 0
		1693
		1694	service = sql
		1695	driver = native_mysql
		1696	user = $DB_USER
		1697	password = $radiuspwd
		1698	pc = localhost
		1699	database = $DB_GAMMU
		1700
		1701	RunOnReceive = /usr/local/bin/alcasar-sms.sh --new_sms
		1702
		1703	StatusFrequency = 30
1380	richard	1704	;LoopSleep = 2
1376	richard	1705
		1706	;ResetFrequency = 300
		1707	;HardResetFrequency = 120
		1708
		1709	CheckSecurity = 1
		1710	CheckSignal = 1
		1711	CheckBattery = 0
		1712	EOF
		1713
		1714	chmod 755 /etc/gammu_smsd_conf
		1715
		1716	#Creation dossier de log Gammu-smsd
1382	richard	1717	[ -e /var/log/gammu-smsd ] \|\| mkdir /var/log/gammu-smsd
1376	richard	1718	chmod 755 /var/log/gammu-smsd
		1719
		1720	#Edition du script sql gammu <-> radius
1452	richard	1721	$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
		1722	$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1376	richard	1723
1380	richard	1724	#Création de la règle udev pour les Huawei // idVendor: 12d1
		1725	cat << EOF > /etc/udev/rules.d/66-huawei.rules
		1726	KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="/usr/local/bin/alcasar-sms.sh --mode"
		1727	EOF
		1728
1376	richard	1729	} # END gammu_smsd()
		1730
		1731	##################################################################
1221	richard	1732	## Fonction "post_install" ##
1	root	1733	## - Modification des bannières (locales et ssh) et des prompts ##
		1734	## - Installation de la structure de chiffrement pour root ##
		1735	## - Mise en place du sudoers et de la sécurité sur les fichiers##
		1736	## - Mise en place du la rotation des logs ##
5	franck	1737	## - Configuration dans le cas d'une mise à jour ##
1	root	1738	##################################################################
		1739	post_install()
		1740	{
		1741	# création de la bannière locale
1007	richard	1742	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		1743	cp -f $DIR_CONF/banner /etc/mageia-release
		1744	echo " V$VERSION" >> /etc/mageia-release
1	root	1745	# création de la bannière SSH
1007	richard	1746	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
5	franck	1747	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1748	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1749	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1750	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1751	# postfix banner anonymisation
		1752	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
604	richard	1753	# sshd écoute côté LAN et WAN
1	root	1754	$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
604	richard	1755	$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
860	richard	1756	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
628	richard	1757	echo "SSH=off" >> $CONF_FILE
1063	richard	1758	echo 'SSH_ADMIN_FROM=0.0.0.0/0.0.0.0' >> $CONF_FILE
628	richard	1759	echo "QOS=off" >> $CONF_FILE
		1760	echo "LDAP=off" >> $CONF_FILE
786	richard	1761	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
885	richard	1762	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1078	franck	1763	echo "MULTIWAN=off" >> $CONF_FILE
		1764	echo "FAILOVER=30" >> $CONF_FILE
		1765	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1336	richard	1766	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
		1767	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1	root	1768	# Coloration des prompts
		1769	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1770	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1771	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1	root	1772	# Droits d'exécution pour utilisateur apache et sysadmin
		1773	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1774	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1775	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
1342	richard	1776	# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, radiusd, ulogd)
1	root	1777	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		1778	chmod 644 /etc/logrotate.d/*
714	franck	1779	# rectification sur versions précédentes de la compression des logs
706	franck	1780	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		1781	# actualisation des fichiers logs compressés
1342	richard	1782	for dir in firewall dansguardian httpd
706	franck	1783	do
714	franck	1784	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	1785	done
1221	richard	1786	# create the alcasar-load_balancing unit
		1787	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1184	crox53	1788	# This file is part of systemd.
		1789	#
		1790	# systemd is free software; you can redistribute it and/or modify it
		1791	# under the terms of the GNU General Public License as published by
		1792	# the Free Software Foundation; either version 2 of the License, or
		1793	# (at your option) any later version.
		1794
		1795	# This unit lauches alcasar-load-balancing.sh script.
		1796	[Unit]
		1797	Description=alcasar-load_balancing.sh execution
		1798	After=network.target iptables.service
		1799
		1800	[Service]
		1801	Type=oneshot
		1802	RemainAfterExit=yes
		1803	ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
		1804	ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
		1805	TimeoutSec=0
		1806	SysVStartPriority=99
		1807
		1808	[Install]
		1809	WantedBy=multi-user.target
1157	stephane	1810	EOF
1221	richard	1811	# processes launched at boot time (SYSV)
1371	richard	1812	for i in havp
1221	richard	1813	do
		1814	/sbin/chkconfig --add $i
		1815	done
		1816	# processes launched at boot time (Systemctl)
1472	richard	1817	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban
1221	richard	1818	do
1389	richard	1819	systemctl -q enable $i.service
1221	richard	1820	done
1452	richard	1821
		1822	# disable processes at boot time (Systemctl)
		1823	for i in ulogd
		1824	do
		1825	systemctl -q disable $i.service
		1826	done
		1827
1221	richard	1828	# Apply French Security Agency (ANSSI) rules
1362	richard	1829	# ignore ICMP broadcast (smurf attack)
		1830	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
		1831	# ignore ICMP errors bogus
		1832	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
		1833	# remove ICMP redirects responces
		1834	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1835	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1836	# enable SYN Cookies (Syn flood attacks)
		1837	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
		1838	# enable kernel antispoofing
		1839	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
		1840	# ignore source routing
		1841	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
		1842	# set conntrack timer to 1h (3600s) instead of 5 weeks
		1843	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1157	stephane	1844	# disable log_martians (ALCASAR is often installed between two private network addresses)
1363	richard	1845	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1362	richard	1846	# remove Magic SysReq Keys
1363	richard	1847	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1003	richard	1848	# switch to multi-users runlevel (instead of x11)
1221	richard	1849	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1005	richard	1850	# GRUB modifications
		1851	# limit wait time to 3s
		1852	# create an alcasar entry instead of linux-nonfb
		1853	# change display to 1024*768 (vga791)
1221	richard	1854	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
		1855	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
		1856	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
		1857	$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
		1858	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
		1859	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1003	richard	1860	# Remove unused services and users
1378	richard	1861	for svc in sshd.service
1221	richard	1862	do
1362	richard	1863	/bin/systemctl -q disable $svc
1221	richard	1864	done
		1865	# Load and apply the previous conf file
		1866	if [ "$mode" = "update" ]
532	richard	1867	then
1266	richard	1868	$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs
1221	richard	1869	$DIR_DEST_BIN/alcasar-conf.sh --load
		1870	PARENT_SCRIPT=`basename $0`
		1871	export PARENT_SCRIPT # to avoid stop&start process during the installation process
		1872	$DIR_DEST_BIN/alcasar-conf.sh --apply
		1873	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		1874	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
1269	richard	1875	if [ $MAJ_PREVIOUS_VERSION -lt 2 ] \|\| ([ $MAJ_PREVIOUS_VERSION -eq 2 ] && [ $MIN_PREVIOUS_VERSION -lt 8 ])
		1876	# update needed for versions previous then 2.8 due to the integration of the domainname ("localdomain" by default)
		1877	then
		1878	header_install
		1879	if [ $Lang == "fr" ]
		1880	then
		1881	echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
		1882	echo
		1883	echo -n "Nom : "
		1884	else
		1885	echo "This update need to redefine the first admin account"
		1886	echo
		1887	echo -n "Account : "
		1888	fi
		1889	read admin_portal
		1890	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		1891	mkdir -p $DIR_DEST_ETC/digest
		1892	chmod 755 $DIR_DEST_ETC/digest
		1893	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		1894	do
1350	richard	1895	/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
1269	richard	1896	done
		1897	$DIR_DEST_SBIN/alcasar-profil.sh --list
		1898	fi
532	richard	1899	fi
1221	richard	1900	rm -f /tmp/alcasar-conf*
		1901	chown -R root:apache $DIR_DEST_ETC/*
		1902	chmod -R 660 $DIR_DEST_ETC/*
		1903	chmod ug+x $DIR_DEST_ETC/digest
1045	franck	1904	# Apply and save the firewall rules
		1905	sh $DIR_DEST_BIN/alcasar-iptables.sh
		1906	sleep 2
1	root	1907	cd $DIR_INSTALL
5	franck	1908	echo ""
1	root	1909	echo "#############################################################################"
638	richard	1910	if [ $Lang == "fr" ]
		1911	then
		1912	echo "# Fin d'installation d'ALCASAR #"
		1913	echo "# #"
		1914	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1915	echo "# des Accès au Réseau ( ALCASAR ) #"
		1916	echo "# #"
		1917	echo "#############################################################################"
		1918	echo
		1919	echo "- ALCASAR sera fonctionnel après redémarrage du système"
		1920	echo
		1921	echo "- Lisez attentivement la documentation d'exploitation"
		1922	echo
		1923	echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		1924	echo
		1925	echo " Appuyez sur 'Entrée' pour continuer"
		1926	else
		1927	echo "# Enf of ALCASAR install process #"
		1928	echo "# #"
		1929	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1930	echo "# des Accès au Réseau ( ALCASAR ) #"
		1931	echo "# #"
		1932	echo "#############################################################################"
		1933	echo
		1934	echo "- The system will be rebooted in order to operate ALCASAR"
		1935	echo
		1936	echo "- Read the exploitation documentation"
		1937	echo
		1938	echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		1939	echo
		1940	echo " Hit 'Enter' to continue"
		1941	fi
815	richard	1942	sleep 2
		1943	if [ "$mode" != "update" ]
820	richard	1944	then
815	richard	1945	read a
		1946	fi
774	richard	1947	clear
1	root	1948	reboot
		1949	} # End post_install ()
		1950
		1951	#################################
1005	richard	1952	# Main Install loop #
1	root	1953	#################################
832	richard	1954	dir_exec=`dirname "$0"`
		1955	if [ $dir_exec != "." ]
		1956	then
		1957	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
		1958	echo "Launch this program from the ALCASAR archive directory"
		1959	exit 0
		1960	fi
		1961	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	1962	usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"
1	root	1963	nb_args=$#
		1964	args=$1
		1965	if [ $nb_args -eq 0 ]
		1966	then
		1967	nb_args=1
		1968	args="-h"
		1969	fi
1062	richard	1970	chmod -R u+x $DIR_SCRIPTS/*
1	root	1971	case $args in
		1972	-\? \| -h* \| --h*)
		1973	echo "$usage"
		1974	exit 0
		1975	;;
291	franck	1976	-i \| --install)
959	franck	1977	license
5	franck	1978	header_install
29	richard	1979	testing
595	richard	1980	# RPMs install
		1981	$DIR_SCRIPTS/alcasar-urpmi.sh
		1982	if [ "$?" != "0" ]
1	root	1983	then
595	richard	1984	exit 0
		1985	fi
1249	richard	1986	if [ -e $CONF_FILE ]
595	richard	1987	then
597	richard	1988	# Uninstall the running version
532	richard	1989	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
595	richard	1990	fi
636	richard	1991	# Test if manual update
1362	richard	1992	if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
595	richard	1993	then
636	richard	1994	header_install
595	richard	1995	if [ $Lang == "fr" ]
636	richard	1996	then echo "Le fichier de configuration d'une ancienne version a été trouvé";
		1997	else echo "The configuration file of an old version has been found";
595	richard	1998	fi
597	richard	1999	response=0
		2000	PTN='^[oOnNyY]$'
		2001	until [[ $(expr $response : $PTN) -gt 0 ]]
		2002	do
		2003	if [ $Lang == "fr" ]
		2004	then echo -n "Voulez-vous l'utiliser (O/n)? ";
		2005	else echo -n "Do you want to use it (Y/n)?";
		2006	fi
		2007	read response
		2008	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		2009	then rm -f /tmp/alcasar-conf*
		2010	fi
		2011	done
		2012	fi
636	richard	2013	# Test if update
1057	richard	2014	if [ -e /tmp/alcasar-conf* ]
597	richard	2015	then
		2016	if [ $Lang == "fr" ]
		2017	then echo "#### Installation avec mise à jour ####";
		2018	else echo "#### Installation with update ####";
		2019	fi
636	richard	2020	# Extract the central configuration file
1057	richard	2021	tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
637	richard	2022	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	2023	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		2024	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		2025	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		2026	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	2027	mode="update"
1	root	2028	fi
1389	richard	2029	for func in init network ACC CA init_db radius radius_web chilli dansguardian antivirus ulogd nfsen dnsmasq BL cron fail2ban gammu_smsd post_install
5	franck	2030	do
		2031	$func
1362	richard	2032	# echo "* 'debug' : end of function $func *"; read a
14	richard	2033	done
5	franck	2034	;;
291	franck	2035	-u \| --uninstall)
5	franck	2036	if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1	root	2037	then
597	richard	2038	if [ $Lang == "fr" ]
		2039	then echo "ALCASAR n'est pas installé!";
		2040	else echo "ALCASAR isn't installed!";
		2041	fi
1	root	2042	exit 0
		2043	fi
5	franck	2044	response=0
		2045	PTN='^[oOnN]$'
580	richard	2046	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	2047	do
597	richard	2048	if [ $Lang == "fr" ]
		2049	then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
854	richard	2050	else echo -n "Do you want to create the running version configuration file (Y/n)? ";
597	richard	2051	fi
5	franck	2052	read response
		2053	done
1103	richard	2054	if [ "$response" = "o" ] \|\| [ "$response" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]
1	root	2055	then
1103	richard	2056	$DIR_SCRIPTS/alcasar-conf.sh --create
498	richard	2057	else
		2058	rm -f /tmp/alcasar-conf*
1	root	2059	fi
597	richard	2060	# Uninstall the running version
65	richard	2061	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1	root	2062	;;
		2063	*)
		2064	echo "Argument inconnu :$1";
460	richard	2065	echo "Unknown argument :$1";
1	root	2066	echo "$usage"
		2067	exit 1
		2068	;;
		2069	esac
10	franck	2070	# end of script
366	franck	2071

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1474