WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
57	franck	2	# $Id: alcasar.sh 1484 2014-11-11 23:14:36Z richard $
1	root	3
		4	# alcasar.sh
959	franck	5
1157	stephane	6	# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
		7	# Ce programme est un logiciel libre ; This software is free and open source
959	franck	8	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		9	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		10	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		11	# Voir la Licence Publique Générale GNU pour plus de détails.
		12
967	franck	13	# team@alcasar.net
959	franck	14
1	root	15	# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
		16	# This script is distributed under the Gnu General Public License (GPL)
		17
672	richard	18	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	19	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	20	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
1007	richard	21	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
672	richard	22	#
1342	richard	23	# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav, Ulog, fail2ban, NFsen and NFdump
1	root	24
		25	# Options :
376	franck	26	# -i or --install
		27	# -u or --uninstall
1	root	28
376	franck	29	# Functions :
1378	richard	30	# testing : connectivity tests, free space test and mageia version test
1221	richard	31	# init : Installation of RPM and scripts
		32	# network : Network parameters
		33	# ACC : ALCASAR Control Center installation
		34	# CA : Certification Authority initialization
		35	# init_db : Initilization of radius database managed with MariaDB
1389	richard	36	# radius : FreeRadius initialisation
		37	# radius_web : copy ans modifiy original "freeradius web" in ACC
		38	# chilli : coovachilli initialisation (+authentication page)
		39	# dansguardian : DansGuardian filtering HTTP proxy configuration
1221	richard	40	# antivirus : HAVP + libclamav configuration
1389	richard	41	# ulogd : log system in userland (match NFLOG target of iptables)
		42	# nfsen : : Configuration du grapheur nfsen pour apache
1253	richard	43	# dnsmasq : Name server configuration
		44	# BL : BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
1266	richard	45	# cron : Logs export + watchdog + connexion statistics
1389	richard	46	# fail2ban : Fail2ban IDS installation and configuration
		47	# gammu_smsd : Autoregister addon via SMS (gammu-smsd)
1266	richard	48	# post_install : Security, log rotation, etc.
1	root	49
		50	DATE=`date '+%d %B %Y - %Hh%M'`
		51	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	52	Lang=`echo $LANG\|cut -c 1-2`
1362	richard	53	mode="install"
1	root	54	# ***** Files parameters - paramètres fichiers *******
1015	richard	55	DIR_INSTALL=`pwd` # current directory
		56	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		57	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
		58	DIR_SAVE="/var/Save" # backup directory (system_backup, user_db_backup, logs)
		59	DIR_WEB="/var/www/html" # directory of APACHE
		60	DIR_DG="/etc/dansguardian" # directory of DansGuardian
		61	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
		62	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		63	DIR_DEST_SBIN="/usr/local/sbin" # directory of ALCASAR admin scripts
		64	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
		65	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
		66	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
		67	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	68	# ***** DBMS parameters - paramètres SGBD ******
1243	richard	69	DB_RADIUS="radius" # database name used by FreeRadius server
		70	DB_USER="radius" # user name allows to request the users database
1349	richard	71	DB_GAMMU="gammu" # database name used by Gammu-smsd
1	root	72	# ***** Network parameters - paramètres réseau *****
1469	richard	73	HOSTNAME="alcasar" # default hostname
1243	richard	74	DOMAIN="localdomain" # default local domain
1471	richard	75	EXTIF=`/sbin/ip route\|grep default\|cut -d" " -f5` # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
1336	richard	76	INTIF=`/sbin/ip link\|grep '^[[:digit:]]:'\|grep -v "lo\\|$EXTIF"\|cut -d" " -f2\|tr -d ":"` # INTIF is connected to the consultation network
1148	crox53	77	MTU="1500"
1243	richard	78	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
1	root	79	# **** Paths - chemin des commandes *****
		80	SED="/bin/sed -i"
		81	# **************** End of global parameters *******************
		82
959	franck	83	license ()
		84	{
		85	if [ $Lang == "fr" ]
967	franck	86	then cat $DIR_INSTALL/gpl-3.0.fr.txt \| more
		87	else cat $DIR_INSTALL/gpl-3.0.txt \| more
959	franck	88	fi
975	franck	89	echo "Taper sur Entrée pour continuer !"
		90	echo "Enter to continue."
959	franck	91	read a
		92	}
		93
1	root	94	header_install ()
		95	{
		96	clear
		97	echo "-----------------------------------------------------------------------------"
460	richard	98	echo " ALCASAR V$VERSION Installation"
1	root	99	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		100	echo "-----------------------------------------------------------------------------"
1389	richard	101	}
1	root	102
		103	##################################################################
1221	richard	104	## Function "testing" ##
1378	richard	105	## - Test of Mageia version ##
1342	richard	106	## - Test of free space on /var (>10G) ##
1005	richard	107	## - Test of Internet access ##
29	richard	108	##################################################################
		109	testing ()
		110	{
1362	richard	111	# Test if ALCASAR is already installed
		112	if [ -e $CONF_FILE ]
		113	then
		114	current_version=`cat $CONF_FILE \| grep VERSION \| cut -d"=" -f2`
1342	richard	115	if [ $Lang == "fr" ]
1362	richard	116	then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
		117	else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
1342	richard	118	fi
1362	richard	119	response=0
		120	PTN='^[oOnNyY]$'
		121	until [[ $(expr $response : $PTN) -gt 0 ]]
		122	do
		123	if [ $Lang == "fr" ]
		124	then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
		125	else echo -n "Do you want to update (Y/n)?";
		126	fi
		127	read response
		128	done
		129	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		130	then
		131	rm -f /tmp/alcasar-conf*
		132	else
1471	richard	133	# Create a backup of running importants files
1362	richard	134	$DIR_SCRIPTS/alcasar-conf.sh --create
		135	mode="update"
		136	fi
		137	else
1365	richard	138	if [ ! -d /var/log/netflow/porttracker ]
		139	then
1378	richard	140	# Test of free space on /var
1365	richard	141	free_space=`df -BG --output=avail /var\|tail -1\|tr -d [:space:]G`
		142	if [ $free_space -lt 10 ]
		143	then
		144	if [ $Lang == "fr" ]
		145	then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
		146	else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
		147	fi
		148	exit 0
1362	richard	149	fi
1378	richard	150	fi
		151	# Test of Mageia version
		152	# extract the current Mageia version and hardware architecture (i586 ou X64)
		153	fic=`cat /etc/product.id`
		154	unknown_os=0
		155	old="$IFS"
		156	IFS=","
		157	set $fic
		158	for i in $*
		159	do
		160	if [ "`echo $i\|grep distribution\|cut -d'=' -f1`" == "distribution" ]
		161	then
		162	DISTRIBUTION=`echo $i\|cut -d"=" -f2`
		163	unknown_os=`expr $unknown_os + 1`
		164	fi
		165	if [ "`echo $i\|grep version\|cut -d'=' -f1`" == "version" ]
		166	then
		167	CURRENT_VERSION=`echo $i\|cut -d"=" -f2`
		168	unknown_os=`expr $unknown_os + 1`
		169	fi
		170	if [ "`echo $i\|grep arch\|cut -d'=' -f1`" == "arch" ]
		171	then
		172	ARCH=`echo $i\|cut -d"=" -f2`
		173	unknown_os=`expr $unknown_os + 1`
		174	fi
		175	done
		176	IFS="$old"
		177	if [[ ( $unknown_os != 3 \|\| "$DISTRIBUTION" != "Mageia" ) && ( "$CURRENT_VERSION" != "4" ) ]]
		178	then
		179	if [ $Lang == "fr" ]
		180	then
		181	echo "L'installation ou la mise @ jour d'ALCASAR ne peut pas être réalisée."
		182	echo "Le système d'exploitation doit être remplacé (Mageia4)"
		183	else
		184	echo "The automatic update of ALCASAR can't be performed."
		185	echo "The OS must be replaced (Mageia4)"
		186	fi
		187	if [ -e /tmp/alcasar-conf.tar.gz ]
		188	then
		189	echo
		190	if [ $Lang == "fr" ]
		191	then
		192	echo "1 - Récupérez le fichier de configuration actuel (/tmp/alcasar-conf.tar.gz)."
		193	echo "2 - Installez Linux-Mageia4 (cf. doc d'installation)"
		194	echo "3 - copiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancer l'installation d'ALCASAR"
		195	else
		196	echo "1 - Retrieve the configuration file (/tmp/alcasar-conf.tar.gz)"
		197	echo "2 - Install Linux-Mageia4 (cf. installation doc)"
		198	echo "3 - Copy the file 'alcasar-conf.tar.gz' in the folder '/tmp' before launching the installation of ALCASAR"
		199	fi
		200	fi
		201	exit 0
		202	fi
1342	richard	203	fi
1378	richard	204	if [ $Lang == "fr" ]
784	richard	205	then echo -n "Tests des paramètres réseau : "
595	richard	206	else echo -n "Network parameters tests : "
		207	fi
1471	richard	208
		209	# Test of Ethernet links state
		210	DOWN_IF=`/sbin/ip link\|grep "NO-CARRIER"\|cut -d":" -f2\|tr -d " "`
		211	for i in $DOWN_IF
		212	do
		213	if [ $Lang == "fr" ]
		214	then
		215	echo "Échec"
		216	echo "Le lien réseau de la carte $i n'est pas actif."
		217	echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
		218	else
		219	echo "Failed"
		220	echo "The link state of $i interface is down."
		221	echo "Make sure that this network card is connected to a switch or an A.P."
		222	fi
		223	exit 0
		224	done
		225	echo -n "."
		226
		227	# Test EXTIF config files
784	richard	228	PUBLIC_IP=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		229	PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
1471	richard	230	if [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
		231	then
784	richard	232	if [ $Lang == "fr" ]
		233	then
		234	echo "Échec"
		235	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		236	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	237	echo "Appliquez les changements : 'systemctl restart network'"
784	richard	238	else
		239	echo "Failed"
		240	echo "The Internet connected network card ($EXTIF) isn't well configured."
		241	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	242	echo "Apply the new configuration 'systemctl restart network'"
784	richard	243	fi
830	richard	244	echo "DEVICE=$EXTIF"
784	richard	245	echo "IPADDR="
		246	echo "NETMASK="
		247	echo "GATEWAY="
		248	echo "DNS1="
		249	echo "DNS2="
830	richard	250	echo "ONBOOT=yes"
784	richard	251	exit 0
		252	fi
		253	echo -n "."
1471	richard	254
		255	# Test if router is alive (Box FAI)
784	richard	256	if [ `ip route list\|grep -c ^default` -ne "1" ] ; then
595	richard	257	if [ $Lang == "fr" ]
		258	then
		259	echo "Échec"
		260	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		261	echo "Réglez ce problème puis relancez ce script."
		262	else
		263	echo "Failed"
		264	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		265	echo "Resolv this problem, then restart this script."
		266	fi
29	richard	267	exit 0
		268	fi
308	richard	269	echo -n "."
978	franck	270	# On teste le lien vers le routeur par defaut
308	richard	271	IP_GW=`ip route list\|grep ^default\|cut -d" " -f3`
		272	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $IP_GW\|grep response\|cut -d" " -f2`
527	richard	273	if [ $(expr $arp_reply) -eq 0 ]
308	richard	274	then
595	richard	275	if [ $Lang == "fr" ]
		276	then
		277	echo "Échec"
		278	echo "Le routeur de site ou la Box Internet ($IP_GW) ne répond pas."
		279	echo "Réglez ce problème puis relancez ce script."
		280	else
		281	echo "Failed"
		282	echo "The Internet gateway doesn't answered"
		283	echo "Resolv this problem, then restart this script."
		284	fi
308	richard	285	exit 0
		286	fi
		287	echo -n "."
421	franck	288	# On teste la connectivité Internet
29	richard	289	rm -rf /tmp/con_ok.html
308	richard	290	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	291	if [ ! -e /tmp/con_ok.html ]
		292	then
595	richard	293	if [ $Lang == "fr" ]
		294	then
		295	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		296	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		297	echo "Vérifiez la validité des adresses IP des DNS."
		298	else
		299	echo "The Internet connection try failed (google.fr)."
		300	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		301	echo "Verify the DNS IP addresses"
		302	fi
29	richard	303	exit 0
		304	fi
		305	rm -rf /tmp/con_ok.html
308	richard	306	echo ". : ok"
1389	richard	307	} # end of testing ()
302	richard	308
		309	##################################################################
1221	richard	310	## Function "init" ##
302	richard	311	## - Création du fichier "/root/ALCASAR_parametres.txt" ##
		312	## - Installation et modification des scripts du portail ##
		313	##################################################################
		314	init ()
		315	{
527	richard	316	if [ "$mode" != "update" ]
302	richard	317	then
		318	# On affecte le nom d'organisme
597	richard	319	header_install
302	richard	320	ORGANISME=!
		321	PTN='^[a-zA-Z0-9-]*$'
580	richard	322	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
302	richard	323	do
595	richard	324	if [ $Lang == "fr" ]
597	richard	325	then echo -n "Entrez le nom de votre organisme : "
		326	else echo -n "Enter the name of your organism : "
595	richard	327	fi
330	franck	328	read ORGANISME
613	richard	329	if [ "$ORGANISME" == "" ]
330	franck	330	then
		331	ORGANISME=!
		332	fi
		333	done
302	richard	334	fi
1	root	335	# On crée aléatoirement les mots de passe et les secrets partagés
628	richard	336	rm -f $PASSWD_FILE
1350	richard	337	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
		338	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
628	richard	339	echo "$grubpwd" >> $PASSWD_FILE
1348	richard	340	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
384	richard	341	$SED "/^password.*/d" /boot/grub/menu.lst
		342	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
1350	richard	343	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	344	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
628	richard	345	echo "root / $mysqlpwd" >> $PASSWD_FILE
1350	richard	346	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	347	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
628	richard	348	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
1350	richard	349	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	350	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
		351	echo "$secretuam" >> $PASSWD_FILE
1350	richard	352	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	353	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
		354	echo "$secretradius" >> $PASSWD_FILE
		355	chmod 640 $PASSWD_FILE
977	richard	356	# Scripts and conf files copy
		357	# - in /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
5	franck	358	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
977	richard	359	# - in /usr/local/sbin : alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
5	franck	360	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
977	richard	361	# - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
648	richard	362	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
1	root	363	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
		364	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
5	franck	365	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
		366	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
628	richard	367	# generate central conf file
		368	cat <<EOF > $CONF_FILE
612	richard	369	##########################################
		370	## ##
		371	## ALCASAR Parameters ##
		372	## ##
		373	##########################################
1	root	374
612	richard	375	INSTALL_DATE=$DATE
		376	VERSION=$VERSION
		377	ORGANISM=$ORGANISME
923	franck	378	DOMAIN=$DOMAIN
612	richard	379	EOF
628	richard	380	chmod o-rwx $CONF_FILE
1	root	381	} # End of init ()
		382
		383	##################################################################
1221	richard	384	## Function "network" ##
1	root	385	## - Définition du plan d'adressage du réseau de consultation ##
595	richard	386	## - Nommage DNS du système ##
1336	richard	387	## - Configuration de l'interface INTIF (réseau de consultation)##
1	root	388	## - Modification du fichier /etc/hosts ##
		389	## - Configuration du serveur de temps (NTP) ##
		390	## - Renseignement des fichiers hosts.allow et hosts.deny ##
		391	##################################################################
		392	network ()
		393	{
		394	header_install
636	richard	395	if [ "$mode" != "update" ]
		396	then
		397	if [ $Lang == "fr" ]
		398	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		399	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		400	fi
		401	response=0
		402	PTN='^[oOyYnN]$'
		403	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	404	do
595	richard	405	if [ $Lang == "fr" ]
659	richard	406	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	407	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	408	fi
1	root	409	read response
		410	done
636	richard	411	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		412	then
		413	PRIVATE_IP_MASK="0"
		414	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		415	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	416	do
595	richard	417	if [ $Lang == "fr" ]
597	richard	418	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		419	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	420	fi
597	richard	421	read PRIVATE_IP_MASK
1	root	422	done
636	richard	423	else
		424	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		425	fi
595	richard	426	else
637	richard	427	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		428	rm -rf conf/etc/alcasar.conf
1	root	429	fi
861	richard	430	# Define LAN side global parameters
1243	richard	431	hostname $HOSTNAME.$DOMAIN
		432	echo $HOSTNAME.$DOMAIN > /etc/hostname
977	richard	433	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
		434	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
		435	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
		436	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
		437	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
		438	classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; classe_sup_sup=`expr $classe + 2` # ie.: 2=classe B, 3=classe C
		439	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		440	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
		441	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f$classe_sup` # last octet of LAN address
		442	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f$classe_sup` # last octet of LAN broadcast
837	richard	443	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
977	richard	444	PRIVATE_SECOND_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 2` # second network address (ex.: 192.168.182.2)
837	richard	445	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
1336	richard	446	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6` # MAC address of INTIF
841	richard	447	# Define Internet parameters
14	richard	448	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		449	DNS1=`grep DNS1 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 1er DNS
		450	DNS2=`grep DNS2 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 2ème DNS
70	franck	451	DNS1=${DNS1:=208.67.220.220}
		452	DNS2=${DNS2:=208.67.222.222}
597	richard	453	PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2`
1052	richard	454	DEFAULT_PUBLIC_NETMASK=`ipcalc -m $PUBLIC_IP \| cut -d"=" -f2`
784	richard	455	PUBLIC_NETMASK=${PUBLIC_NETMASK:=$DEFAULT_PUBLIC_NETMASK}
1052	richard	456	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	457	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
1469	richard	458	echo "EXTIF=$EXTIF" >> $CONF_FILE
		459	echo "INTIF=$INTIF" >> $CONF_FILE
765	stephane	460	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
994	franck	461	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	462	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
		463	echo "DNS1=$DNS1" >> $CONF_FILE
		464	echo "DNS2=$DNS2" >> $CONF_FILE
		465	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
1484	richard	466	echo "DHCP=on" >> $CONF_FILE
914	franck	467	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		468	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		469	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
597	richard	470	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
841	richard	471	# config network
1	root	472	cat <<EOF > /etc/sysconfig/network
		473	NETWORKING=yes
1243	richard	474	HOSTNAME="$HOSTNAME.$DOMAIN"
1	root	475	FORWARD_IPV4=true
		476	EOF
841	richard	477	# config /etc/hosts
1	root	478	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		479	cat <<EOF > /etc/hosts
503	richard	480	127.0.0.1 localhost
1353	richard	481	$PRIVATE_IP $HOSTNAME.$DOMAIN $HOSTNAME $ORGANISME.$DOMAIN $ORGANISME
1	root	482	EOF
1336	richard	483	# Config EXTIF (Internet)
14	richard	484	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		485	DEVICE=$EXTIF
		486	BOOTPROTO=static
597	richard	487	IPADDR=$PUBLIC_IP
		488	NETMASK=$PUBLIC_NETMASK
		489	GATEWAY=$PUBLIC_GATEWAY
14	richard	490	DNS1=127.0.0.1
		491	ONBOOT=yes
		492	METRIC=10
		493	NOZEROCONF=yes
		494	MII_NOT_SUPPORTED=yes
		495	IPV6INIT=no
		496	IPV6TO4INIT=no
		497	ACCOUNTING=no
		498	USERCTL=no
994	franck	499	MTU=$MTU
14	richard	500	EOF
1336	richard	501	# Config INTIF (consultation LAN) in normal mode
841	richard	502	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		503	DEVICE=$INTIF
		504	BOOTPROTO=static
		505	ONBOOT=yes
		506	NOZEROCONF=yes
		507	MII_NOT_SUPPORTED=yes
		508	IPV6INIT=no
		509	IPV6TO4INIT=no
		510	ACCOUNTING=no
		511	USERCTL=no
		512	EOF
1336	richard	513	# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
793	richard	514	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
1	root	515	DEVICE=$INTIF
		516	BOOTPROTO=static
		517	IPADDR=$PRIVATE_IP
604	richard	518	NETMASK=$PRIVATE_NETMASK
1	root	519	ONBOOT=yes
		520	METRIC=10
		521	NOZEROCONF=yes
		522	MII_NOT_SUPPORTED=yes
14	richard	523	IPV6INIT=no
		524	IPV6TO4INIT=no
		525	ACCOUNTING=no
		526	USERCTL=no
1	root	527	EOF
440	franck	528	# Mise à l'heure du serveur
		529	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		530	cat <<EOF > /etc/ntp/step-tickers
455	franck	531	0.fr.pool.ntp.org # adapt to your country
		532	1.fr.pool.ntp.org
		533	2.fr.pool.ntp.org
440	franck	534	EOF
		535	# Configuration du serveur de temps (sur lui même)
1	root	536	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		537	cat <<EOF > /etc/ntp.conf
456	franck	538	server 0.fr.pool.ntp.org # adapt to your country
447	franck	539	server 1.fr.pool.ntp.org
		540	server 2.fr.pool.ntp.org
		541	server 127.127.1.0 # local clock si NTP internet indisponible ...
411	richard	542	fudge 127.127.1.0 stratum 10
604	richard	543	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
1	root	544	restrict 127.0.0.1
310	richard	545	driftfile /var/lib/ntp/drift
1	root	546	logfile /var/log/ntp.log
		547	EOF
440	franck	548
310	richard	549	chown -R ntp:ntp /var/lib/ntp
1	root	550	# Renseignement des fichiers hosts.allow et hosts.deny
		551	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		552	cat <<EOF > /etc/hosts.allow
		553	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	554	sshd: ALL
1	root	555	ntpd: $PRIVATE_NETWORK_SHORT
		556	EOF
		557	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		558	cat <<EOF > /etc/hosts.deny
		559	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		560	EOF
790	richard	561	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	562	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
1069	richard	563	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	564	# load conntrack ftp module
		565	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
		566	echo "ip_conntrack_ftp" >> /etc/modprobe.preload
1159	crox53	567	# load ipt_NETFLOW module
		568	echo "ipt_NETFLOW" >> /etc/modprobe.preload
1157	stephane	569	#
860	richard	570	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	571	} # End of network ()
		572
		573	##################################################################
1221	richard	574	## Function "ACC" ##
		575	## - installation du centre de gestion (ALCASAR Control Center) ##
1	root	576	## - configuration du serveur web (Apache) ##
		577	## - définition du 1er comptes de gestion ##
		578	## - sécurisation des accès ##
		579	##################################################################
1221	richard	580	ACC ()
1	root	581	{
		582	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		583	mkdir $DIR_WEB
		584	# Copie et configuration des fichiers du centre de gestion
316	richard	585	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972	richard	586	echo "$VERSION" > $DIR_WEB/VERSION
316	richard	587	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		588	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		589	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		590	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		591	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	592	chown -R apache:apache $DIR_WEB/*
1342	richard	593	for i in system_backup base logs/firewall logs/httpd logs/security;
1	root	594	do
		595	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		596	done
5	franck	597	chown -R root:apache $DIR_SAVE
71	richard	598	# Configuration et sécurisation php
		599	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	600	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		601	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	602	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		603	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71	richard	604	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		605	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
		606	# Configuration et sécurisation Apache
790	richard	607	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1	root	608	[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
1243	richard	609	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
303	richard	610	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1	root	611	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
		612	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
		613	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
790	richard	614	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
		615	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
		616	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
		617	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
		618	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
		619	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
990	franck	620	$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf
1359	richard	621	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] \|\| cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
		622	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
		623	[ -e /usr/share/httpd/error/include/top.html.default ] \|\| cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
		624	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
		625	[ -e /usr/share/httpd/error/include/bottom.html.default ] \|\| cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
		626	cat <<EOF > /usr/share/httpd/error/include/bottom.html
1	root	627	</body>
		628	</html>
		629	EOF
		630	# Définition du premier compte lié au profil 'admin'
509	richard	631	header_install
510	richard	632	if [ "$mode" = "install" ]
		633	then
613	richard	634	admin_portal=!
		635	PTN='^[a-zA-Z0-9-]*$'
		636	until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
		637	do
		638	header_install
		639	if [ $Lang == "fr" ]
		640	then
		641	echo ""
		642	echo "Définissez un premier compte d'administration du portail :"
		643	echo
		644	echo -n "Nom : "
		645	else
		646	echo ""
		647	echo "Define the first account allow to administrate the portal :"
		648	echo
		649	echo -n "Account : "
		650	fi
		651	read admin_portal
		652	if [ "$admin_portal" == "" ]
		653	then
		654	admin_portal=!
		655	fi
		656	done
1268	richard	657	# Creation of keys file for the admin account ("admin")
510	richard	658	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		659	mkdir -p $DIR_DEST_ETC/digest
		660	chmod 755 $DIR_DEST_ETC/digest
		661	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		662	do
1350	richard	663	/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
510	richard	664	done
		665	$DIR_DEST_SBIN/alcasar-profil.sh --list
		666	fi
434	richard	667	# synchronisation horaire
		668	ntpd -q -g &
1	root	669	# Sécurisation du centre
988	franck	670	rm -f /etc/httpd/conf/webapps.d/alcasar*
1	root	671	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	672	<Directory $DIR_ACC>
1	root	673	SSLRequireSSL
		674	AllowOverride None
		675	Order deny,allow
		676	Deny from all
		677	Allow from 127.0.0.1
		678	Allow from $PRIVATE_NETWORK_MASK
990	franck	679	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	680	require valid-user
		681	AuthType digest
1243	richard	682	AuthName $HOSTNAME.$DOMAIN
1	root	683	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	684	AuthUserFile $DIR_DEST_ETC/digest/key_all
1243	richard	685	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	686	</Directory>
316	richard	687	<Directory $DIR_ACC/admin>
1	root	688	SSLRequireSSL
		689	AllowOverride None
		690	Order deny,allow
		691	Deny from all
		692	Allow from 127.0.0.1
		693	Allow from $PRIVATE_NETWORK_MASK
990	franck	694	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	695	require valid-user
		696	AuthType digest
1243	richard	697	AuthName $HOSTNAME.$DOMAIN
1	root	698	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	699	AuthUserFile $DIR_DEST_ETC/digest/key_admin
1243	richard	700	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	701	</Directory>
344	richard	702	<Directory $DIR_ACC/manager>
1	root	703	SSLRequireSSL
		704	AllowOverride None
		705	Order deny,allow
		706	Deny from all
		707	Allow from 127.0.0.1
		708	Allow from $PRIVATE_NETWORK_MASK
990	franck	709	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	710	require valid-user
		711	AuthType digest
1243	richard	712	AuthName $HOSTNAME.$DOMAIN
1	root	713	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	714	AuthUserFile $DIR_DEST_ETC/digest/key_manager
1243	richard	715	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	716	</Directory>
316	richard	717	<Directory $DIR_ACC/backup>
		718	SSLRequireSSL
		719	AllowOverride None
		720	Order deny,allow
		721	Deny from all
		722	Allow from 127.0.0.1
		723	Allow from $PRIVATE_NETWORK_MASK
990	franck	724	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
316	richard	725	require valid-user
		726	AuthType digest
1243	richard	727	AuthName $HOSTNAME.$DOMAIN
316	richard	728	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	729	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	730	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
316	richard	731	</Directory>
811	richard	732	Alias /save/ "$DIR_SAVE/"
		733	<Directory $DIR_SAVE>
		734	SSLRequireSSL
		735	Options Indexes
		736	Order deny,allow
		737	Deny from all
		738	Allow from 127.0.0.1
		739	Allow from $PRIVATE_NETWORK_MASK
990	franck	740	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
811	richard	741	require valid-user
		742	AuthType digest
1243	richard	743	AuthName $HOSTNAME.$DOMAIN
811	richard	744	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	745	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
811	richard	746	</Directory>
1	root	747	EOF
1378	richard	748	# Launch after coova
		749	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
1410	richard	750	# Error page management
		751	FIC_ERROR_DOC=`find /etc/httpd/conf -type f -name multilang-errordoc.conf`
		752	[ -e $FIC_ERROR_DOC ] \|\| cp $FIC_ERROR_DOC $FIC_ERROR_DOC.default
		753
		754	cat <<EOF > $FIC_ERROR_DOC
		755	Alias /error/ "/var/www/html/"
		756
		757	<Directory "/usr/share/httpd/error">
		758	AllowOverride None
		759	Options IncludesNoExec
		760	AddOutputFilter Includes html
		761	AddHandler type-map var
		762	Require all granted
		763	LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
		764	ForceLanguagePriority Prefer Fallback
		765	</Directory>
		766
		767	ErrorDocument 400 /error/error.php?error=400
		768	ErrorDocument 401 /error/error.php?error=401
		769	ErrorDocument 403 /error/error.php?error=403
		770	ErrorDocument 404 /error/error.php?error=404
		771	ErrorDocument 405 /error/error.php?error=405
		772	ErrorDocument 408 /error/error.php?error=408
		773	ErrorDocument 410 /error/error.php?error=410
		774	ErrorDocument 411 /error/error.php?error=411
		775	ErrorDocument 412 /error/error.php?error=412
		776	ErrorDocument 413 /error/error.php?error=413
		777	ErrorDocument 414 /error/error.php?error=414
		778	ErrorDocument 415 /error/error.php?error=415
		779	ErrorDocument 500 /error/error.php?error=500
		780	ErrorDocument 501 /error/error.php?error=501
		781	ErrorDocument 502 /error/error.php?error=502
		782	ErrorDocument 503 /error/error.php?error=503
		783	ErrorDocument 506 /error/error.php?error=506
		784	EOF
		785
1389	richard	786	} # End of ACC ()
1	root	787
		788	##########################################################################################
1221	richard	789	## Fonction "CA" ##
1	root	790	## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
		791	##########################################################################################
1221	richard	792	CA ()
1	root	793	{
510	richard	794	$DIR_DEST_BIN/alcasar-CA.sh
800	richard	795	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	796	[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
1410	richard	797
		798	#$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
		799	#$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
		800	#$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
		801
		802	cat <<EOF > $FIC_VIRTUAL_SSL
		803	# default SSL virtual host, used for all HTTPS requests that do not
		804	# match a ServerName or ServerAlias in any <VirtualHost> block.
		805
		806	<VirtualHost _default_:443>
		807	# general configuration
		808	ServerAdmin root@localhost
		809	ServerName localhost
		810
		811	# SSL configuration
		812	SSLEngine on
		813	SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
		814	SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
		815	SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
		816	CustomLog logs/ssl_request_log \
		817	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
		818	ErrorLog logs/ssl_error_log
		819	ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
		820	</VirtualHost>
		821	EOF
		822
5	franck	823	chown -R root:apache /etc/pki
1	root	824	chmod -R 750 /etc/pki
1389	richard	825	} # End of CA ()
1	root	826
		827	##########################################################################################
1221	richard	828	## Fonction "init_db" ##
1	root	829	## - Initialisation de la base Mysql ##
		830	## - Affectation du mot de passe de l'administrateur (root) ##
		831	## - Suppression des bases et des utilisateurs superflus ##
		832	## - Création de la base 'radius' ##
		833	## - Installation du schéma de cette base ##
		834	## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##
		835	## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##
		836	##########################################################################################
		837	init_db ()
		838	{
1355	richard	839	rm -rf /var/lib/mysql # to be sure that there is no former installation
1	root	840	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
		841	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
1355	richard	842	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
1353	richard	843	systemctl start mysqld.service
1	root	844	sleep 4
		845	mysqladmin -u root password $mysqlpwd
		846	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1355	richard	847	# Secure the server
		848	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
		849	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
615	richard	850	# Create 'radius' database
1317	richard	851	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
615	richard	852	# Add an empty radius database structure
364	franck	853	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
615	richard	854	# modify the start script in order to close accounting connexion when the system is comming down or up
1357	richard	855	[ -e /lib/systemd/system/mysqld.service.default ] \|\| cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
		856	$SED "/ExecStartPost=/a ExecStartPost=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
1355	richard	857	$SED "/ExecStartPost=/a ExecStop=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
		858	systemctl daemon-reload
1389	richard	859	} # End of init_db ()
1	root	860
		861	##########################################################################
1389	richard	862	## Fonction "radius" ##
1	root	863	## - Paramètrage des fichiers de configuration FreeRadius ##
		864	## - Affectation du secret partagé entre coova-chilli et freeradius ##
		865	## - Modification de fichier de conf pour l'accès à Mysql ##
		866	##########################################################################
1389	richard	867	radius ()
1	root	868	{
		869	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
		870	chown -R radius:radius /etc/raddb
		871	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1278	richard	872	# Set radius.conf parameters
1	root	873	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		874	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		875	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
1278	richard	876	# remove the proxy function
1	root	877	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf
		878	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
1278	richard	879	# remove EAP module
654	richard	880	$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1278	richard	881	# listen on loopback (should be modified later if EAP enabled)
1	root	882	$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
1278	richard	883	# enable the SQL module (and SQL counter)
1	root	884	$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
		885	$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
		886	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1465	richard	887	# only include modules for ALCASAR needs
		888	$SED "s?^[\t ]\$INCLUDE \${confdir}/modules/.?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
		889	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
		890	$SED "s?^[\t ]expr.?\#\texpr?g" /etc/raddb/radiusd.conf
		891	$SED "s?^[\t ]\# daily.?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
		892	$SED "s?^[\t ]logintime.?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
		893	$SED "s?^[\t ]\$INCLUDE sites-enabled/.?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
1278	richard	894	# remvove virtual server and copy our conf file
1	root	895	rm -f /etc/raddb/sites-enabled/*
1278	richard	896	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1	root	897	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
		898	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
		899	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
		900	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
384	richard	901	# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1	root	902	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1278	richard	903	# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1	root	904	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		905	cat << EOF > /etc/raddb/clients.conf
		906	client 127.0.0.1 {
		907	secret = $secretradius
		908	shortname = localhost
		909	}
		910	EOF
1278	richard	911	# sql.conf modification
1	root	912	[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
		913	$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
		914	$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
		915	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
		916	$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf
1278	richard	917	# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.)
1	root	918	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1278	richard	919	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
		920	# counter.conf modification (change the Max-All-Session-Time counter)
		921	[ -e /etc/raddb/sql/mysql/counter.conf.default ] \|\| cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
		922	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
		923	chown -R radius:radius /etc/raddb/sql/mysql/*
1358	richard	924	# make certain that mysql is up before radius start
		925	[ -e /lib/systemd/system/radiusd.service.default ] \|\| cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
		926	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
		927	systemctl daemon-reload
1389	richard	928	} # End radius ()
1	root	929
		930	##########################################################################
1389	richard	931	## Function "radius_web" ##
1	root	932	## - Import, modification et paramètrage de l'interface "dialupadmin" ##
		933	## - Création du lien vers la page de changement de mot de passe ##
		934	##########################################################################
1389	richard	935	radius_web ()
1	root	936	{
		937	# copie de l'interface d'origine dans la structure Alcasar
316	richard	938	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
		939	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme
		940	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
344	richard	941	# copie des fichiers modifiés
		942	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
316	richard	943	chown -R apache:apache $DIR_ACC/manager/
344	richard	944	# Modification des fichiers de configuration
1	root	945	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
503	richard	946	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1	root	947	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		948	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		949	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
		950	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
		951	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
		952	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
		953	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
946	richard	954	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
344	richard	955	[ -e /etc/freeradius-web/config.php.default ] \|\| cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
1278	richard	956	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
131	richard	957	cat <<EOF > /etc/freeradius-web/naslist.conf
632	richard	958	nas1_name: alcasar-$ORGANISME
1	root	959	nas1_model: Portail captif
		960	nas1_ip: $PRIVATE_IP
		961	nas1_port_num: 0
		962	nas1_community: public
		963	EOF
		964	# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
		965	[ -e /etc/freeradius-web/user_edit.attrs.default ] \|\| mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
1278	richard	966	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
114	richard	967	# Ajout du mappage des attributs chillispot
		968	[ -e /etc/freeradius-web/sql.attrmap.default ] \|\| mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
1278	richard	969	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
1	root	970	# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
1278	richard	971	[ -e /etc/freeradius-web/sql.attrs.default ] \|\| cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
1	root	972	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
		973	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
5	franck	974	chown -R apache:apache /etc/freeradius-web
1	root	975	# Ajout de l'alias vers la page de "changement de mot de passe usager"
		976	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
344	richard	977	<Directory $DIR_WEB/pass>
1	root	978	SSLRequireSSL
		979	AllowOverride None
		980	Order deny,allow
		981	Deny from all
		982	Allow from 127.0.0.1
		983	Allow from $PRIVATE_NETWORK_MASK
1243	richard	984	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
1	root	985	</Directory>
		986	EOF
1389	richard	987	} # End of radius_web ()
1	root	988
799	richard	989	##################################################################################
1389	richard	990	## Fonction "chilli" ##
799	richard	991	## - Création du fichier d'initialisation et de configuration de coova-chilli ##
		992	## - Paramètrage de la page d'authentification (intercept.php) ##
		993	##################################################################################
1389	richard	994	chilli ()
1	root	995	{
1370	richard	996	# chilli unit for systemd
		997	cat << EOF > /lib/systemd/system/chilli.service
1372	richard	998	# This file is part of systemd.
		999	#
		1000	# systemd is free software; you can redistribute it and/or modify it
		1001	# under the terms of the GNU General Public License as published by
		1002	# the Free Software Foundation; either version 2 of the License, or
		1003	# (at your option) any later version.
1370	richard	1004	[Unit]
		1005	Description=chilli is a captive portal daemon
		1006	After=network.target
		1007
		1008	[Service]
1379	richard	1009	Type=forking
1370	richard	1010	ExecStart=/usr/libexec/chilli start
		1011	ExecStop=/usr/libexec/chilli stop
		1012	ExecReload=/usr/libexec/chilli reload
		1013	PIDFile=/var/run/chilli.pid
		1014
		1015	[Install]
		1016	WantedBy=multi-user.target
		1017	EOF
799	richard	1018	# init file creation
1370	richard	1019	[ -e /etc/init.d/chilli.default ] \|\| mv /etc/init.d/chilli /etc/init.d/chilli.default
		1020	cat <<EOF > /usr/libexec/chilli
799	richard	1021	#!/bin/sh
		1022	#
		1023	# chilli CoovaChilli init
		1024	#
		1025	# chkconfig: 2345 65 35
		1026	# description: CoovaChilli
		1027	### BEGIN INIT INFO
		1028	# Provides: chilli
		1029	# Required-Start: network
		1030	# Should-Start:
		1031	# Required-Stop: network
		1032	# Should-Stop:
		1033	# Default-Start: 2 3 5
		1034	# Default-Stop:
		1035	# Description: CoovaChilli access controller
		1036	### END INIT INFO
		1037
		1038	[ -f /usr/sbin/chilli ] \|\| exit 0
		1039	. /etc/init.d/functions
		1040	CONFIG=/etc/chilli.conf
		1041	pidfile=/var/run/chilli.pid
		1042	[ -f \$CONFIG ] \|\| {
		1043	echo "\$CONFIG Not found"
		1044	exit 0
		1045	}
		1046	RETVAL=0
		1047	prog="chilli"
		1048	case \$1 in
		1049	start)
		1050	if [ -f \$pidfile ] ; then
		1051	gprintf "chilli is already running"
		1052	else
		1053	gprintf "Starting \$prog: "
		1054	rm -f /var/run/chilli* # cleaning
		1055	/sbin/modprobe tun >/dev/null 2>&1
		1056	echo 1 > /proc/sys/net/ipv4/ip_forward
		1057	[ -e /dev/net/tun ] \|\| {
		1058	(cd /dev;
		1059	mkdir net;
		1060	cd net;
		1061	mknod tun c 10 200)
		1062	}
1336	richard	1063	ifconfig $INTIF 0.0.0.0
799	richard	1064	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		1065	RETVAL=$?
		1066	fi
		1067	;;
		1068
		1069	reload)
		1070	killall -HUP chilli
		1071	;;
		1072
		1073	restart)
		1074	\$0 stop
		1075	sleep 2
		1076	\$0 start
		1077	;;
		1078
		1079	status)
		1080	status chilli
		1081	RETVAL=0
		1082	;;
		1083
		1084	stop)
		1085	if [ -f \$pidfile ] ; then
		1086	gprintf "Shutting down \$prog: "
		1087	killproc /usr/sbin/chilli
		1088	RETVAL=\$?
		1089	[ \$RETVAL = 0 ] && rm -f $pidfile
		1090	else
		1091	gprintf "chilli is not running"
		1092	fi
		1093	;;
		1094
		1095	*)
		1096	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		1097	exit 1
		1098	esac
		1099	echo
		1100	EOF
1373	richard	1101	chmod a+x /usr/libexec/chilli
799	richard	1102	# conf file creation
346	richard	1103	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
		1104	cat <<EOF > /etc/chilli.conf
		1105	# coova config for ALCASAR
		1106	cmdsocket /var/run/chilli.sock
1336	richard	1107	unixipc chilli.$INTIF.ipc
		1108	pidfile /var/run/chilli.$INTIF.pid
346	richard	1109	net $PRIVATE_NETWORK_MASK
595	richard	1110	dhcpif $INTIF
841	richard	1111	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	1112	#nodynip
865	richard	1113	#statip
		1114	dynip $PRIVATE_NETWORK_MASK
1249	richard	1115	domain $DOMAIN
355	richard	1116	dns1 $PRIVATE_IP
		1117	dns2 $PRIVATE_IP
346	richard	1118	uamlisten $PRIVATE_IP
503	richard	1119	uamport 3990
837	richard	1120	macauth
		1121	macpasswd password
1243	richard	1122	locationname $HOSTNAME.$DOMAIN
346	richard	1123	radiusserver1 127.0.0.1
		1124	radiusserver2 127.0.0.1
		1125	radiussecret $secretradius
		1126	radiusauthport 1812
		1127	radiusacctport 1813
1243	richard	1128	uamserver https://$HOSTNAME.$DOMAIN/intercept.php
		1129	radiusnasid $HOSTNAME.$DOMAIN
346	richard	1130	uamsecret $secretuam
1249	richard	1131	uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN
346	richard	1132	coaport 3799
1379	richard	1133	conup $DIR_DEST_BIN/alcasar-conup.sh
		1134	condown $DIR_DEST_BIN/alcasar-condown.sh
503	richard	1135	include $DIR_DEST_ETC/alcasar-uamallowed
		1136	include $DIR_DEST_ETC/alcasar-uamdomain
1294	richard	1137	#dhcpgateway
1157	stephane	1138	#dhcprelayagent
		1139	#dhcpgatewayport
346	richard	1140	EOF
1336	richard	1141	# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
977	richard	1142	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
840	richard	1143	# create files for trusted domains and urls
1148	crox53	1144	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	1145	chown root:apache $DIR_DEST_ETC/alcasar-*
		1146	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	1147	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	1148	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
		1149	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
796	richard	1150	# user 'chilli' creation (in order to run conup/off and up/down scripts
		1151	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		1152	if [ "$chilli_exist" == "1" ]
		1153	then
		1154	userdel -r chilli 2>/dev/null
		1155	fi
		1156	groupadd -f chilli
		1157	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1389	richard	1158	} # End of chilli ()
1349	richard	1159
1	root	1160	##################################################################
1389	richard	1161	## Fonction "dansguardian" ##
1	root	1162	## - Paramètrage du gestionnaire de contenu Dansguardian ##
		1163	##################################################################
1389	richard	1164	dansguardian ()
1	root	1165	{
		1166	mkdir /var/dansguardian
		1167	chown dansguardian /var/dansguardian
1375	richard	1168	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1391	richard	1169	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
497	richard	1170	[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1293	richard	1171	# By default the filter is off
497	richard	1172	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1293	richard	1173	# French deny HTML page
497	richard	1174	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1293	richard	1175	# Listen only on LAN side
497	richard	1176	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1342	richard	1177	# DG send its flow to HAVP
		1178	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1293	richard	1179	# replace the default deny HTML page
1	root	1180	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
		1181	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1293	richard	1182	# Don't log
		1183	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
		1184	# Run 10 daemons (20 in largest server)
659	richard	1185	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1	root	1186	# on désactive par défaut le controle de contenu des pages html
497	richard	1187	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
		1188	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1189	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1	root	1190	# on désactive par défaut le contrôle d'URL par expressions régulières
497	richard	1191	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1192	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1	root	1193	# on désactive par défaut le contrôle de téléchargement de fichiers
497	richard	1194	[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
		1195	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
		1196	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1197	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1198	touch $DIR_DG/lists/bannedextensionlist
		1199	touch $DIR_DG/lists/bannedmimetypelist
		1200	# 'Safesearch' regex actualisation
498	richard	1201	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1202	# empty LAN IP list that won't be WEB filtered
		1203	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1204	touch $DIR_DG/lists/exceptioniplist
		1205	# Keep a copy of URL & domain filter configuration files
		1206	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1207	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1389	richard	1208	} # End of dansguardian ()
1	root	1209
71	richard	1210	##################################################################
1221	richard	1211	## Fonction "antivirus" ##
1357	richard	1212	## - configuration of havp, libclamav and freshclam ##
71	richard	1213	##################################################################
		1214	antivirus ()
		1215	{
1358	richard	1216	# create 'havp' user
288	richard	1217	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1218	if [ "$havp_exist" == "1" ]
288	richard	1219	then
478	richard	1220	userdel -r havp 2>/dev/null
894	richard	1221	groupdel havp 2>/dev/null
288	richard	1222	fi
307	richard	1223	groupadd -f havp
796	richard	1224	useradd -r -g havp -s /bin/false -c "system user for havp" havp
1366	richard	1225	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
1484	richard	1226	mkdir -p /var/tmp/havp2 /var/log/havp2 /var/run/havp2
		1227	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
		1228	chown -R havp:havp /var/tmp/havp2 /var/log/havp2 /var/run/havp2
109	richard	1229	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1230	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1484	richard	1231	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config # pidfile
		1232	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode
631	richard	1233	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
1484	richard	1234	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on 8090 (on loopback)
990	franck	1235	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1236	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1237	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1238	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1239	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1240	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1393	richard	1241	cp /etc/havp/havp.config /etc/havp/havp2.config
		1242	$SED "s?^PIDFILE.*?PIDFILE /var/run/havp/havp2.pid?g" /etc/havp/havp2.config # pidfile
		1243	$SED "s?^TRANSPARENT.*?TRANSPARENT true?g" /etc/havp/havp2.config # transparent mode
1484	richard	1244	$SED "s?^BIND_ADDRESS.*?BIND_ADDRESS $PRIVATE_IP?g" /etc/havp/havp2.config # we listen only on tun0
		1245	$SED "s?^PORT.*?PORT 8090?g" /etc/havp/havp2.config # datas come on 8091
1007	richard	1246	# skip checking of youtube flow (too heavy load / risk too low)
		1247	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1248	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1249	echo ".youtube.com/" >> /etc/havp/whitelist
1358	richard	1250	# replacement of init script
335	richard	1251	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
481	franck	1252	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1393	richard	1253	cp /etc/init.d/havp /etc/init.d/havp2
		1254	$SED "s?^# description.*?# description: starts HAVP2 the High Availability Antivirus Proxy?g" /etc/init.d/havp2 # description
		1255	$SED "s?^HAVP_CONFIG.*?HAVP_CONFIG=/etc/havp/havp2.config?g" /etc/init.d/havp2 # config file
1484	richard	1256	$SED "s?^PIDFILE.*?PIDFILE=/var/run/havp2/havp.pid?g" /etc/init.d/havp2 # pidfile
1393	richard	1257	$SED "s?^NAME.*?NAME=havp2?g" /etc/init.d/havp2 # name
		1258	$SED "s?^DESC.*?DESC=havp2?g" /etc/init.d/havp2 # desc
		1259	$SED "s?^havp_mountpoint.*?havp_mountpoint=/var/tmp/havp2?g" /etc/init.d/havp2 # mountpoint
		1260	$SED "s?echo \"Reloading HAVP ...\".*?echo \"Reloading HAVP2 ...\"?g" /etc/init.d/havp2 # reloading havp
		1261	$SED "s?echo \"Error: HAVP not running\".*?echo \"Error : HAVP2 not running\"?g" /etc/init.d/havp2 # error havp
		1262	$SED "s?echo \"Error: HAVP not running or PIDFILE not readable\".*?echo \"Error : HAVP2 not running or PIDFILE not readable\"?g" /etc/init.d/havp2 # error havp
		1263	$SED "s?echo \"Error: HAVP not running or PIDFILE unreadable\".*?echo \"Error : HAVP2 not running or PIDFILE unreadable\"?g" /etc/init.d/havp2 # error havp
		1264	$SED "s?echo \"Shutting down HAVP ...\".*?echo \"Shutting down HAVP2 ...\"?g" /etc/init.d/havp2 # shutting down havp
		1265	$SED "s?status havp.*?status havp2?g" /etc/init.d/havp2 # status havp
1358	richard	1266	# replace of the intercept page (template)
340	richard	1267	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1268	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1358	richard	1269	# update virus database every 4 hours (24h/6)
1357	richard	1270	[ -e /etc/freshclam.conf.default ] \|\| cp /etc/freshclam.conf /etc/freshclam.conf.default
		1271	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
489	richard	1272	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1357	richard	1273	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1358	richard	1274	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
		1275	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1385	richard	1276	# update now
1382	richard	1277	/usr/bin/freshclam --no-warnings
1389	richard	1278	} # End of antivirus ()
71	richard	1279
1	root	1280	##################################################################################
1389	richard	1281	## function "ulogd" ##
476	richard	1282	## - Ulog config for multi-log files ##
		1283	##################################################################################
1389	richard	1284	ulogd ()
476	richard	1285	{
		1286	# Three instances of ulogd (three different logfiles)
		1287	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1288	nl=1
1358	richard	1289	for log_type in traceability ssh ext-access
478	richard	1290	do
1365	richard	1291	[ -e /lib/systemd/system/ulogd-$log_type.service ] \|\| cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1369	richard	1292	[ -e /var/log/firewall/$log_type.log ] \|\| echo "" > /var/log/firewall/$log_type.log
1375	richard	1293	cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
478	richard	1294	$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
		1295	cat << EOF >> /etc/ulogd-$log_type.conf
1452	richard	1296	[emu1]
478	richard	1297	file="/var/log/firewall/$log_type.log"
		1298	sync=1
		1299	EOF
1452	richard	1300	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
478	richard	1301	nl=`expr $nl + 1`
		1302	done
476	richard	1303	chown -R root:apache /var/log/firewall
		1304	chmod 750 /var/log/firewall
		1305	chmod 640 /var/log/firewall/*
1389	richard	1306	} # End of ulogd ()
476	richard	1307
1159	crox53	1308
		1309	##########################################################
1389	richard	1310	## Function "nfsen" ##
1159	crox53	1311	##########################################################
1389	richard	1312	nfsen()
1	root	1313	{
1393	richard	1314	tar xzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
1365	richard	1315	# Add PortTracker plugin
1395	richard	1316	for i in /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
		1317	do
		1318	[ ! -d $i ] && mkdir $i && chown -R apache:apache $i && echo "$i created" \|\| echo "$i already exists"
		1319	done
1221	richard	1320	cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
1365	richard	1321	# use of our conf file and init unit
1221	richard	1322	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
1365	richard	1323	# Installation of nfsen
1221	richard	1324	DirTmp=$(pwd)
		1325	cd /tmp/nfsen-1.3.6p1/
1365	richard	1326	/usr/bin/perl5 install.pl etc/nfsen.conf
		1327	/usr/bin/perl5 install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
		1328	# Create RRD DB for porttracker (only in it still doesn't exist)
1221	richard	1329	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
		1330	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
1395	richard	1331	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
		1332	chmod -R 770 /var/log/netflow/porttracker
1365	richard	1333	# Apache conf file
1394	richard	1334	cat << EOF > /etc/httpd/conf/conf.d/nfsen.conf
1159	crox53	1335	Alias /nfsen /var/www/nfsen
		1336	<Directory /var/www/nfsen/>
		1337	DirectoryIndex nfsen.php
		1338	Options -Indexes
		1339	AllowOverride all
		1340	order allow,deny
		1341	allow from all
		1342	AddType application/x-httpd-php .php
		1343	php_flag magic_quotes_gpc on
		1344	php_flag track_vars on
1	root	1345	</Directory>
		1346	EOF
1372	richard	1347	# nfsen unit for systemd
		1348	cat << EOF > /lib/systemd/system/nfsen.service
		1349	# This file is part of systemd.
		1350	#
		1351	# systemd is free software; you can redistribute it and/or modify it
		1352	# under the terms of the GNU General Public License as published by
		1353	# the Free Software Foundation; either version 2 of the License, or
		1354	# (at your option) any later version.
		1355
		1356	# This unit launches nfsen (a Netflow grapher).
		1357	[Unit]
		1358	Description= NfSen init script
		1359	After=network.target iptables.service
		1360
		1361	[Service]
		1362	Type=oneshot
		1363	RemainAfterExit=yes
1393	richard	1364	PIDFile=/var/run/nfsen/nfsen.pid
		1365	ExecStartPre=/bin/mkdir -p /var/run/nfsen
		1366	ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1372	richard	1367	ExecStart=/usr/bin/nfsen start
		1368	ExecStop=/usr/bin/nfsen stop
1393	richard	1369	ExecReload=/usr/bin/nfsen restart
1372	richard	1370	TimeoutSec=0
		1371
		1372	[Install]
		1373	WantedBy=multi-user.target
		1374	EOF
1365	richard	1375	# Add the listen port to collect netflow packet (nfcapd)
1393	richard	1376	$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
1365	richard	1377	# expire delay for the profile "live"
1393	richard	1378	systemctl start nfsen
		1379	/bin/nfsen -m live -e 62d 2>/dev/null
1397	richard	1380	# add SURFmap plugin
1412	richard	1381	tar xzf $DIR_CONF/nfsen/SURFmap_v3.3b1.tar.gz -C /tmp/
1413	richard	1382	cp $DIR_CONF/nfsen/install-surfmap.sh /tmp/SURFmap/install.sh
1397	richard	1383	cd /tmp/SURFmap
		1384	/usr/bin/sh install.sh
1418	richard	1385
1365	richard	1386	# clear the installation
1221	richard	1387	cd $DirTmp
		1388	rm -rf /tmp/nfsen-1.3.6p1/
1397	richard	1389	rm -rf /tmp/SURFmap/
1389	richard	1390	} # End of nfsen ()
1	root	1391
1390	richard	1392	##################################################
1389	richard	1393	## Function "dnsmasq" ##
1390	richard	1394	##################################################
1389	richard	1395	dnsmasq ()
219	jeremy	1396	{
		1397	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
1356	richard	1398	[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1387	richard	1399	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
503	richard	1400	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1472	richard	1401	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
503	richard	1402	cat << EOF > /etc/dnsmasq.conf
520	richard	1403	# Configuration file for "dnsmasq in forward mode"
1387	richard	1404	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
259	richard	1405	listen-address=$PRIVATE_IP
1390	richard	1406	pid-file=/var/run/dnsmasq.pid
259	richard	1407	listen-address=127.0.0.1
286	richard	1408	no-dhcp-interface=$INTIF
1387	richard	1409	no-dhcp-interface=tun0
		1410	no-dhcp-interface=lo
259	richard	1411	bind-interfaces
		1412	cache-size=256
		1413	domain=$DOMAIN
		1414	domain-needed
		1415	expand-hosts
		1416	bogus-priv
		1417	filterwin2k
		1418	server=$DNS1
		1419	server=$DNS2
1387	richard	1420	# DHCP service is configured. It will be enabled in "bypass" mode
865	richard	1421	dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
632	richard	1422	dhcp-option=option:router,$PRIVATE_IP
1482	richard	1423	dhcp-option=option:ntp-server,$PRIVATE_IP
259	richard	1424
1387	richard	1425	# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1426	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1427	EOF
1356	richard	1428	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
		1429	cat << EOF > /etc/dnsmasq-blacklist.conf
1390	richard	1430	# Configuration file for "dnsmasq with blacklist"
1387	richard	1431	# Add Toulouse blacklist domains
1472	richard	1432	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
1015	richard	1433	conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1390	richard	1434	pid-file=/var/run/dnsmasq-blacklist.pid
498	richard	1435	listen-address=$PRIVATE_IP
		1436	port=54
		1437	no-dhcp-interface=$INTIF
1387	richard	1438	no-dhcp-interface=tun0
1472	richard	1439	no-dhcp-interface=lo
498	richard	1440	bind-interfaces
		1441	cache-size=256
		1442	domain=$DOMAIN
		1443	domain-needed
		1444	expand-hosts
		1445	bogus-priv
		1446	filterwin2k
		1447	server=$DNS1
		1448	server=$DNS2
		1449	EOF
1379	richard	1450	# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1357	richard	1451	cat << EOF > /etc/dnsmasq-whitelist.conf
1390	richard	1452	# Configuration file for "dnsmasq with whitelist"
1356	richard	1453	# Inclusion de la whitelist <domains> de Toulouse dans la configuration
1472	richard	1454	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
1356	richard	1455	conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1472	richard	1456	pid-file=/var/run/dnsmasq-whitelist.pid
1356	richard	1457	listen-address=$PRIVATE_IP
		1458	port=55
		1459	no-dhcp-interface=$INTIF
1387	richard	1460	no-dhcp-interface=tun0
1472	richard	1461	no-dhcp-interface=lo
1356	richard	1462	bind-interfaces
		1463	cache-size=256
		1464	domain=$DOMAIN
		1465	domain-needed
		1466	expand-hosts
		1467	bogus-priv
		1468	filterwin2k
1472	richard	1469	address=/#/$PRIVATE_IP # for Domain name without local resolution (WL)
		1470	ipset=/#/whitelist_ip_allowed # dynamicly add the resolv IP address in the Firewall rules
1356	richard	1471	EOF
1472	richard	1472	# 4th dnsmasq listen on udp 56 ("blackhole")
		1473	cat << EOF > /etc/dnsmasq-blackhole.conf
		1474	# Configuration file for "dnsmasq as a blackhole"
		1475	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
		1476	address=/#/$PRIVATE_IP # redirect all on ALCASAR IP address
		1477	pid-file=/var/run/dnsmasq-blackhole.pid
		1478	listen-address=$PRIVATE_IP
		1479	port=56
		1480	no-dhcp-interface=$INTIF
		1481	no-dhcp-interface=tun0
		1482	no-dhcp-interface=lo
		1483	bind-interfaces
		1484	cache-size=256
		1485	domain=$DOMAIN
		1486	domain-needed
		1487	expand-hosts
		1488	bogus-priv
		1489	filterwin2k
		1490	EOF
		1491
1372	richard	1492	# Start after chilli (which create tun0)
		1493	$SED "s?^After=.*?After=syslog.target network.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1474	richard	1494	# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
		1495	for list in blacklist whitelist blackhole
		1496	do
		1497	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
		1498	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
		1499	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
		1500	done
308	richard	1501	} # End dnsmasq
		1502
		1503	##########################################################
1221	richard	1504	## Fonction "BL" ##
308	richard	1505	##########################################################
		1506	BL ()
		1507	{
1386	richard	1508	# modify iptables boot file to start alcasar-iptables.sh when the system is booting
		1509	[ -e /lib/systemd/system/iptables.service.default ] \|\| cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
		1510	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
1384	richard	1511	# copy and extract toulouse BL
648	richard	1512	rm -rf $DIR_DG/lists/blacklists
		1513	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
1383	richard	1514	# creation of the OSSI BL and WL categories (domain name and url)
878	richard	1515	mkdir $DIR_DG/lists/blacklists/ossi
1041	richard	1516	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
		1517	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
1384	richard	1518	chown -R dansguardian:apache $DIR_DG $DIR_DEST_SHARE
		1519	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1383	richard	1520	# creation of file for the rehabilited domains and urls
648	richard	1521	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1522	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1523	touch $DIR_DG/lists/exceptionsitelist
		1524	touch $DIR_DG/lists/exceptionurllist
311	richard	1525	# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
648	richard	1526	cat <<EOF > $DIR_DG/lists/bannedurllist
311	richard	1527	# Dansguardian filter config for ALCASAR
		1528	EOF
648	richard	1529	cat <<EOF > $DIR_DG/lists/bannedsitelist
311	richard	1530	# Dansguardian domain filter config for ALCASAR
		1531	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1532	#**
		1533	# block all SSL and CONNECT tunnels
		1534	**s
		1535	# block all SSL and CONNECT tunnels specified only as an IP
		1536	*ips
		1537	# block all sites specified only by an IP
		1538	*ip
		1539	EOF
1000	richard	1540	# Add Bing and Youtube to the safesearch url regext list (parental control)
878	richard	1541	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1542	# Bing - add 'adlt=strict'
		1543	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1544	# Youtube - add 'edufilter=your_ID'
885	richard	1545	#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"
878	richard	1546	EOF
1000	richard	1547	# change the the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1548	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1370	richard	1549	# adapt the BL to ALCASAR architecture. Enable the default categories
654	richard	1550	if [ "$mode" != "update" ]; then
		1551	$DIR_DEST_SBIN/alcasar-bl.sh --adapt
1370	richard	1552	$DIR_DEST_SBIN/alcasar-bl.sh --cat_choice
1387	richard	1553	# !!! we can be banned by DNS server (waiting for a cool solution $DIR_DEST_SBIN/alcasar-bl.sh --ip_retrieving
654	richard	1554	fi
308	richard	1555	}
219	jeremy	1556
1	root	1557	##########################################################
1221	richard	1558	## Fonction "cron" ##
1	root	1559	## - Mise en place des différents fichiers de cron ##
		1560	##########################################################
		1561	cron ()
		1562	{
		1563	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1564	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1565	cat <<EOF > /etc/crontab
		1566	SHELL=/bin/bash
		1567	PATH=/sbin:/bin:/usr/sbin:/usr/bin
		1568	MAILTO=root
		1569	HOME=/
		1570
		1571	# run-parts
		1572	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1573	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1574	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1575	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1576	EOF
		1577	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1578	cat <<EOF >> /etc/anacrontab
667	franck	1579	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
1380	richard	1580	7 10 cron.logExport nice /etc/cron.d/alcasar-archive
667	franck	1581	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1582	EOF
1247	crox53	1583
811	richard	1584	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1585	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
955	richard	1586	45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
905	franck	1587	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
917	franck	1588	40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1589	EOF
952	franck	1590	cat <<EOF > /etc/cron.d/alcasar-archive
		1591	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1592	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1593	EOF
667	franck	1594	cat << EOF > /etc/cron.d/alcasar-clean_import
713	franck	1595	# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
503	richard	1596	30 * * * * root $DIR_DEST_BIN/alcasar-import-clean.sh
168	franck	1597	EOF
722	franck	1598	cat << EOF > /etc/cron.d/alcasar-distrib-updates
		1599	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1600	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1601	EOF
1247	crox53	1602	#cat << EOF > /etc/cron.d/alcasar-netflow
1159	crox53	1603	# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
1247	crox53	1604	#15 0 * * 1 root $DIR_DEST_BIN/alcasar-netflow.sh
		1605	#EOF
1159	crox53	1606
1	root	1607	# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
		1608	# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
		1609	# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
		1610	# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
		1611	# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
		1612	# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
		1613	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
		1614	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
		1615	rm -f /etc/cron.daily/freeradius-web
		1616	rm -f /etc/cron.monthly/freeradius-web
		1617	cat << EOF > /etc/cron.d/freeradius-web
		1618	1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
		1619	5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
		1620	10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
		1621	15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
		1622	EOF
671	franck	1623	cat << EOF > /etc/cron.d/alcasar-watchdog
713	franck	1624	# activation du "chien de garde" (watchdog) toutes les 3'
1	root	1625	/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
		1626	EOF
808	franck	1627	# activation du "chien de garde des services" (watchdog) toutes les 18'
		1628	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
		1629	# activation du "chien de garde" (daemon-watchdog) toutes les 18'
		1630	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1631	EOF
522	richard	1632	# suppression des crons usagers
		1633	rm -f /var/spool/cron/*
1	root	1634	} # End cron
		1635
		1636	##################################################################
1221	richard	1637	## Fonction "Fail2Ban" ##
1163	crox53	1638	##- Modification de la configuration de fail2ban ##
		1639	##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ##
		1640	##################################################################
		1641	fail2ban()
		1642	{
1191	crox53	1643	$DIR_CONF/fail2ban.sh
1474	richard	1644	# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1192	crox53	1645	[ -e /var/log/fail2ban.log ] \|\| touch /var/log/fail2ban.log
		1646	[ -e /var/Save/logs/security/watchdog.log ] \|\| touch /var/Save/logs/security/watchdog.log
1165	crox53	1647	chmod 644 /var/log/fail2ban.log
1192	crox53	1648	chmod 644 /var/Save/logs/security/watchdog.log
1418	richard	1649	/usr/bin/touch /var/log/auth.log
		1650
1411	richard	1651
		1652	# Edition de l'unité fail2ban
1418	richard	1653	[ -e /usr/lib/systemd/system/fail2ban.service ] && cp /usr/lib/systemd/system/fail2ban.service /usr/lib/systemd/system/fail2ban.service.default
1411	richard	1654	$SED '/Type/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1418	richard	1655	$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1411	richard	1656
		1657
1163	crox53	1658	} #Fin de fail2ban_install()
		1659
		1660	##################################################################
1376	richard	1661	## Fonction "gammu_smsd" ##
		1662	## - Creation de la base de donnée Gammu ##
		1663	## - Creation du fichier de config: gammu_smsd_conf ##
		1664	## ##
		1665	##################################################################
		1666	gammu_smsd()
		1667	{
		1668	# Create 'gammu' databse
		1669	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
		1670	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
		1671	# Add a gammu database structure
		1672	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/gammu-smsd-db-vierge.sql
		1673
		1674	# config file for the daemon
		1675	cat << EOF > /etc/gammu_smsd_conf
		1676	[gammu]
		1677	port = /dev/ttyUSB0
		1678	connection = at115200
		1679
		1680	;########################################################
		1681
		1682	[smsd]
		1683
		1684	PIN = 1234
		1685
		1686	logfile = /var/log/gammu-smsd/gammu-smsd.log
		1687	logformat = textall
		1688	debuglevel = 0
		1689
		1690	service = sql
		1691	driver = native_mysql
		1692	user = $DB_USER
		1693	password = $radiuspwd
		1694	pc = localhost
		1695	database = $DB_GAMMU
		1696
		1697	RunOnReceive = /usr/local/bin/alcasar-sms.sh --new_sms
		1698
		1699	StatusFrequency = 30
1380	richard	1700	;LoopSleep = 2
1376	richard	1701
		1702	;ResetFrequency = 300
		1703	;HardResetFrequency = 120
		1704
		1705	CheckSecurity = 1
		1706	CheckSignal = 1
		1707	CheckBattery = 0
		1708	EOF
		1709
		1710	chmod 755 /etc/gammu_smsd_conf
		1711
		1712	#Creation dossier de log Gammu-smsd
1382	richard	1713	[ -e /var/log/gammu-smsd ] \|\| mkdir /var/log/gammu-smsd
1376	richard	1714	chmod 755 /var/log/gammu-smsd
		1715
		1716	#Edition du script sql gammu <-> radius
1452	richard	1717	$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
		1718	$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1376	richard	1719
1380	richard	1720	#Création de la règle udev pour les Huawei // idVendor: 12d1
		1721	cat << EOF > /etc/udev/rules.d/66-huawei.rules
		1722	KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="/usr/local/bin/alcasar-sms.sh --mode"
		1723	EOF
		1724
1376	richard	1725	} # END gammu_smsd()
		1726
		1727	##################################################################
1221	richard	1728	## Fonction "post_install" ##
1	root	1729	## - Modification des bannières (locales et ssh) et des prompts ##
		1730	## - Installation de la structure de chiffrement pour root ##
		1731	## - Mise en place du sudoers et de la sécurité sur les fichiers##
		1732	## - Mise en place du la rotation des logs ##
5	franck	1733	## - Configuration dans le cas d'une mise à jour ##
1	root	1734	##################################################################
		1735	post_install()
		1736	{
		1737	# création de la bannière locale
1007	richard	1738	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		1739	cp -f $DIR_CONF/banner /etc/mageia-release
		1740	echo " V$VERSION" >> /etc/mageia-release
1	root	1741	# création de la bannière SSH
1007	richard	1742	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
5	franck	1743	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1744	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1745	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1746	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1747	# postfix banner anonymisation
		1748	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
604	richard	1749	# sshd écoute côté LAN et WAN
1	root	1750	$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config
604	richard	1751	$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config
860	richard	1752	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
628	richard	1753	echo "SSH=off" >> $CONF_FILE
1063	richard	1754	echo 'SSH_ADMIN_FROM=0.0.0.0/0.0.0.0' >> $CONF_FILE
628	richard	1755	echo "QOS=off" >> $CONF_FILE
		1756	echo "LDAP=off" >> $CONF_FILE
786	richard	1757	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
885	richard	1758	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1078	franck	1759	echo "MULTIWAN=off" >> $CONF_FILE
		1760	echo "FAILOVER=30" >> $CONF_FILE
		1761	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1336	richard	1762	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
		1763	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1	root	1764	# Coloration des prompts
		1765	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1766	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1767	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1	root	1768	# Droits d'exécution pour utilisateur apache et sysadmin
		1769	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1770	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1771	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
1342	richard	1772	# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, radiusd, ulogd)
1	root	1773	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		1774	chmod 644 /etc/logrotate.d/*
714	franck	1775	# rectification sur versions précédentes de la compression des logs
706	franck	1776	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		1777	# actualisation des fichiers logs compressés
1342	richard	1778	for dir in firewall dansguardian httpd
706	franck	1779	do
714	franck	1780	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	1781	done
1221	richard	1782	# create the alcasar-load_balancing unit
		1783	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1184	crox53	1784	# This file is part of systemd.
		1785	#
		1786	# systemd is free software; you can redistribute it and/or modify it
		1787	# under the terms of the GNU General Public License as published by
		1788	# the Free Software Foundation; either version 2 of the License, or
		1789	# (at your option) any later version.
		1790
		1791	# This unit lauches alcasar-load-balancing.sh script.
		1792	[Unit]
		1793	Description=alcasar-load_balancing.sh execution
		1794	After=network.target iptables.service
		1795
		1796	[Service]
		1797	Type=oneshot
		1798	RemainAfterExit=yes
		1799	ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
		1800	ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
		1801	TimeoutSec=0
		1802	SysVStartPriority=99
		1803
		1804	[Install]
		1805	WantedBy=multi-user.target
1157	stephane	1806	EOF
1221	richard	1807	# processes launched at boot time (SYSV)
1371	richard	1808	for i in havp
1221	richard	1809	do
		1810	/sbin/chkconfig --add $i
		1811	done
		1812	# processes launched at boot time (Systemctl)
1472	richard	1813	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban
1221	richard	1814	do
1389	richard	1815	systemctl -q enable $i.service
1221	richard	1816	done
1452	richard	1817
		1818	# disable processes at boot time (Systemctl)
		1819	for i in ulogd
		1820	do
		1821	systemctl -q disable $i.service
		1822	done
		1823
1221	richard	1824	# Apply French Security Agency (ANSSI) rules
1362	richard	1825	# ignore ICMP broadcast (smurf attack)
		1826	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
		1827	# ignore ICMP errors bogus
		1828	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
		1829	# remove ICMP redirects responces
		1830	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1831	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1832	# enable SYN Cookies (Syn flood attacks)
		1833	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
		1834	# enable kernel antispoofing
		1835	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
		1836	# ignore source routing
		1837	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
		1838	# set conntrack timer to 1h (3600s) instead of 5 weeks
		1839	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1157	stephane	1840	# disable log_martians (ALCASAR is often installed between two private network addresses)
1363	richard	1841	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1362	richard	1842	# remove Magic SysReq Keys
1363	richard	1843	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1003	richard	1844	# switch to multi-users runlevel (instead of x11)
1221	richard	1845	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1005	richard	1846	# GRUB modifications
		1847	# limit wait time to 3s
		1848	# create an alcasar entry instead of linux-nonfb
		1849	# change display to 1024*768 (vga791)
1221	richard	1850	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
		1851	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
		1852	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
		1853	$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
		1854	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
		1855	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1003	richard	1856	# Remove unused services and users
1378	richard	1857	for svc in sshd.service
1221	richard	1858	do
1362	richard	1859	/bin/systemctl -q disable $svc
1221	richard	1860	done
		1861	# Load and apply the previous conf file
		1862	if [ "$mode" = "update" ]
532	richard	1863	then
1266	richard	1864	$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs
1221	richard	1865	$DIR_DEST_BIN/alcasar-conf.sh --load
		1866	PARENT_SCRIPT=`basename $0`
		1867	export PARENT_SCRIPT # to avoid stop&start process during the installation process
		1868	$DIR_DEST_BIN/alcasar-conf.sh --apply
		1869	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		1870	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
1269	richard	1871	if [ $MAJ_PREVIOUS_VERSION -lt 2 ] \|\| ([ $MAJ_PREVIOUS_VERSION -eq 2 ] && [ $MIN_PREVIOUS_VERSION -lt 8 ])
		1872	# update needed for versions previous then 2.8 due to the integration of the domainname ("localdomain" by default)
		1873	then
		1874	header_install
		1875	if [ $Lang == "fr" ]
		1876	then
		1877	echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
		1878	echo
		1879	echo -n "Nom : "
		1880	else
		1881	echo "This update need to redefine the first admin account"
		1882	echo
		1883	echo -n "Account : "
		1884	fi
		1885	read admin_portal
		1886	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		1887	mkdir -p $DIR_DEST_ETC/digest
		1888	chmod 755 $DIR_DEST_ETC/digest
		1889	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		1890	do
1350	richard	1891	/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
1269	richard	1892	done
		1893	$DIR_DEST_SBIN/alcasar-profil.sh --list
		1894	fi
532	richard	1895	fi
1221	richard	1896	rm -f /tmp/alcasar-conf*
		1897	chown -R root:apache $DIR_DEST_ETC/*
		1898	chmod -R 660 $DIR_DEST_ETC/*
		1899	chmod ug+x $DIR_DEST_ETC/digest
1045	franck	1900	# Apply and save the firewall rules
		1901	sh $DIR_DEST_BIN/alcasar-iptables.sh
		1902	sleep 2
1	root	1903	cd $DIR_INSTALL
5	franck	1904	echo ""
1	root	1905	echo "#############################################################################"
638	richard	1906	if [ $Lang == "fr" ]
		1907	then
		1908	echo "# Fin d'installation d'ALCASAR #"
		1909	echo "# #"
		1910	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1911	echo "# des Accès au Réseau ( ALCASAR ) #"
		1912	echo "# #"
		1913	echo "#############################################################################"
		1914	echo
		1915	echo "- ALCASAR sera fonctionnel après redémarrage du système"
		1916	echo
		1917	echo "- Lisez attentivement la documentation d'exploitation"
		1918	echo
		1919	echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		1920	echo
		1921	echo " Appuyez sur 'Entrée' pour continuer"
		1922	else
		1923	echo "# Enf of ALCASAR install process #"
		1924	echo "# #"
		1925	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1926	echo "# des Accès au Réseau ( ALCASAR ) #"
		1927	echo "# #"
		1928	echo "#############################################################################"
		1929	echo
		1930	echo "- The system will be rebooted in order to operate ALCASAR"
		1931	echo
		1932	echo "- Read the exploitation documentation"
		1933	echo
		1934	echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		1935	echo
		1936	echo " Hit 'Enter' to continue"
		1937	fi
815	richard	1938	sleep 2
		1939	if [ "$mode" != "update" ]
820	richard	1940	then
815	richard	1941	read a
		1942	fi
774	richard	1943	clear
1	root	1944	reboot
		1945	} # End post_install ()
		1946
		1947	#################################
1005	richard	1948	# Main Install loop #
1	root	1949	#################################
832	richard	1950	dir_exec=`dirname "$0"`
		1951	if [ $dir_exec != "." ]
		1952	then
		1953	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
		1954	echo "Launch this program from the ALCASAR archive directory"
		1955	exit 0
		1956	fi
		1957	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	1958	usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"
1	root	1959	nb_args=$#
		1960	args=$1
		1961	if [ $nb_args -eq 0 ]
		1962	then
		1963	nb_args=1
		1964	args="-h"
		1965	fi
1062	richard	1966	chmod -R u+x $DIR_SCRIPTS/*
1	root	1967	case $args in
		1968	-\? \| -h* \| --h*)
		1969	echo "$usage"
		1970	exit 0
		1971	;;
291	franck	1972	-i \| --install)
959	franck	1973	license
5	franck	1974	header_install
29	richard	1975	testing
595	richard	1976	# RPMs install
		1977	$DIR_SCRIPTS/alcasar-urpmi.sh
		1978	if [ "$?" != "0" ]
1	root	1979	then
595	richard	1980	exit 0
		1981	fi
1249	richard	1982	if [ -e $CONF_FILE ]
595	richard	1983	then
597	richard	1984	# Uninstall the running version
532	richard	1985	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
595	richard	1986	fi
636	richard	1987	# Test if manual update
1362	richard	1988	if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
595	richard	1989	then
636	richard	1990	header_install
595	richard	1991	if [ $Lang == "fr" ]
636	richard	1992	then echo "Le fichier de configuration d'une ancienne version a été trouvé";
		1993	else echo "The configuration file of an old version has been found";
595	richard	1994	fi
597	richard	1995	response=0
		1996	PTN='^[oOnNyY]$'
		1997	until [[ $(expr $response : $PTN) -gt 0 ]]
		1998	do
		1999	if [ $Lang == "fr" ]
		2000	then echo -n "Voulez-vous l'utiliser (O/n)? ";
		2001	else echo -n "Do you want to use it (Y/n)?";
		2002	fi
		2003	read response
		2004	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		2005	then rm -f /tmp/alcasar-conf*
		2006	fi
		2007	done
		2008	fi
636	richard	2009	# Test if update
1057	richard	2010	if [ -e /tmp/alcasar-conf* ]
597	richard	2011	then
		2012	if [ $Lang == "fr" ]
		2013	then echo "#### Installation avec mise à jour ####";
		2014	else echo "#### Installation with update ####";
		2015	fi
636	richard	2016	# Extract the central configuration file
1057	richard	2017	tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
637	richard	2018	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	2019	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		2020	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		2021	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		2022	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	2023	mode="update"
1	root	2024	fi
1389	richard	2025	for func in init network ACC CA init_db radius radius_web chilli dansguardian antivirus ulogd nfsen dnsmasq BL cron fail2ban gammu_smsd post_install
5	franck	2026	do
		2027	$func
1362	richard	2028	# echo "* 'debug' : end of function $func *"; read a
14	richard	2029	done
5	franck	2030	;;
291	franck	2031	-u \| --uninstall)
5	franck	2032	if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1	root	2033	then
597	richard	2034	if [ $Lang == "fr" ]
		2035	then echo "ALCASAR n'est pas installé!";
		2036	else echo "ALCASAR isn't installed!";
		2037	fi
1	root	2038	exit 0
		2039	fi
5	franck	2040	response=0
		2041	PTN='^[oOnN]$'
580	richard	2042	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	2043	do
597	richard	2044	if [ $Lang == "fr" ]
		2045	then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
854	richard	2046	else echo -n "Do you want to create the running version configuration file (Y/n)? ";
597	richard	2047	fi
5	franck	2048	read response
		2049	done
1103	richard	2050	if [ "$response" = "o" ] \|\| [ "$response" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]
1	root	2051	then
1103	richard	2052	$DIR_SCRIPTS/alcasar-conf.sh --create
498	richard	2053	else
		2054	rm -f /tmp/alcasar-conf*
1	root	2055	fi
597	richard	2056	# Uninstall the running version
65	richard	2057	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1	root	2058	;;
		2059	*)
		2060	echo "Argument inconnu :$1";
460	richard	2061	echo "Unknown argument :$1";
1	root	2062	echo "$usage"
		2063	exit 1
		2064	;;
		2065	esac
10	franck	2066	# end of script
366	franck	2067

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1484