WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	`#!/bin/bash`
57	franck	2	`# $Id: alcasar.sh 1484 2014-11-11 23:14:36Z richard $`
1	root	3
		4	`# alcasar.sh`
959	franck	5
1157	stephane	6	`# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]`
		7	`# Ce programme est un logiciel libre ; This software is free and open source`
959	franck	8	`# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.`
		9	`# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;`
		10	`# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.`
		11	`# Voir la Licence Publique Générale GNU pour plus de détails.`
		12
967	franck	13	`# team@alcasar.net`
959	franck	14
1	root	15	`# by Franck BOUIJOUX, Pascal LEVANT and Richard REY`
		16	`# This script is distributed under the Gnu General Public License (GPL)`
		17
672	richard	18	`# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)`
1007	richard	19	`# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :`
1	root	20	`# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)`
1007	richard	21	`# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :`
672	richard	22	`#`
1342	richard	23	`# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav, Ulog, fail2ban, NFsen and NFdump`
1	root	24
		25	`# Options :`
376	franck	26	`# -i or --install`
		27	`# -u or --uninstall`
1	root	28
376	franck	29	`# Functions :`
1378	richard	30	`# testing : connectivity tests, free space test and mageia version test`
1221	richard	31	`# init : Installation of RPM and scripts`
		32	`# network : Network parameters`
		33	`# ACC : ALCASAR Control Center installation`
		34	`# CA : Certification Authority initialization`
		35	`# init_db : Initilization of radius database managed with MariaDB`
1389	richard	36	`# radius : FreeRadius initialisation`
		37	`# radius_web : copy ans modifiy original "freeradius web" in ACC`
		38	`# chilli : coovachilli initialisation (+authentication page)`
		39	`# dansguardian : DansGuardian filtering HTTP proxy configuration`
1221	richard	40	`# antivirus : HAVP + libclamav configuration`
1389	richard	41	`# ulogd : log system in userland (match NFLOG target of iptables)`
		42	`# nfsen : : Configuration du grapheur nfsen pour apache`
1253	richard	43	`# dnsmasq : Name server configuration`
		44	`# BL : BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)`
1266	richard	45	`# cron : Logs export + watchdog + connexion statistics`
1389	richard	46	`# fail2ban : Fail2ban IDS installation and configuration`
		47	`# gammu_smsd : Autoregister addon via SMS (gammu-smsd)`
1266	richard	48	`# post_install : Security, log rotation, etc.`
1	root	49
		50	DATE=`date '+%d %B %Y - %Hh%M'`
		51	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	52	Lang=`echo $LANG\|cut -c 1-2`
1362	richard	53	`mode="install"`
1	root	54	`# ***** Files parameters - paramètres fichiers *******`
1015	richard	55	DIR_INSTALL=`pwd` # current directory
		56	`DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)`
		57	`DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)`
		58	`DIR_SAVE="/var/Save" # backup directory (system_backup, user_db_backup, logs)`
		59	`DIR_WEB="/var/www/html" # directory of APACHE`
		60	`DIR_DG="/etc/dansguardian" # directory of DansGuardian`
		61	`DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'`
		62	`DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts`
		63	`DIR_DEST_SBIN="/usr/local/sbin" # directory of ALCASAR admin scripts`
		64	`DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files`
		65	`DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)`
		66	`CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file`
		67	`PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets`
1	root	68	`# ***** DBMS parameters - paramètres SGBD ******`
1243	richard	69	`DB_RADIUS="radius" # database name used by FreeRadius server`
		70	`DB_USER="radius" # user name allows to request the users database`
1349	richard	71	`DB_GAMMU="gammu" # database name used by Gammu-smsd`
1	root	72	`# ***** Network parameters - paramètres réseau *****`
1469	richard	73	`HOSTNAME="alcasar" # default hostname`
1243	richard	74	`DOMAIN="localdomain" # default local domain`
1471	richard	75	EXTIF=`/sbin/ip route\|grep default\|cut -d" " -f5` # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
1336	richard	76	INTIF=`/sbin/ip link\|grep '^[[:digit:]]:'\|grep -v "lo\\|$EXTIF"\|cut -d" " -f2\|tr -d ":"` # INTIF is connected to the consultation network
1148	crox53	77	`MTU="1500"`
1243	richard	78	`DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address`
1	root	79	`# **** Paths - chemin des commandes *****`
		80	`SED="/bin/sed -i"`
		81	`# **************** End of global parameters *******************`
		82
959	franck	83	`license ()`
		84	`{`
		85	`if [ $Lang == "fr" ]`
967	franck	86	`then cat $DIR_INSTALL/gpl-3.0.fr.txt \| more`
		87	`else cat $DIR_INSTALL/gpl-3.0.txt \| more`
959	franck	88	`fi`
975	franck	89	`echo "Taper sur Entrée pour continuer !"`
		90	`echo "Enter to continue."`
959	franck	91	`read a`
		92	`}`
		93
1	root	94	`header_install ()`
		95	`{`
		96	`clear`
		97	`echo "-----------------------------------------------------------------------------"`
460	richard	98	`echo " ALCASAR V$VERSION Installation"`
1	root	99	`echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"`
		100	`echo "-----------------------------------------------------------------------------"`
1389	richard	101	`}`
1	root	102
		103	`##################################################################`
1221	richard	104	`## Function "testing" ##`
1378	richard	105	`## - Test of Mageia version ##`
1342	richard	106	`## - Test of free space on /var (>10G) ##`
1005	richard	107	`## - Test of Internet access ##`
29	richard	108	`##################################################################`
		109	`testing ()`
		110	`{`
1362	richard	111	`# Test if ALCASAR is already installed`
		112	`if [ -e $CONF_FILE ]`
		113	`then`
		114	current_version=`cat $CONF_FILE \| grep VERSION \| cut -d"=" -f2`
1342	richard	115	`if [ $Lang == "fr" ]`
1362	richard	116	`then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";`
		117	`else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";`
1342	richard	118	`fi`
1362	richard	119	`response=0`
		120	`PTN='^[oOnNyY]$'`
		121	`until [[ $(expr $response : $PTN) -gt 0 ]]`
		122	`do`
		123	`if [ $Lang == "fr" ]`
		124	`then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";`
		125	`else echo -n "Do you want to update (Y/n)?";`
		126	`fi`
		127	`read response`
		128	`done`
		129	`if [ "$response" = "n" ] \|\| [ "$response" = "N" ]`
		130	`then`
		131	`rm -f /tmp/alcasar-conf*`
		132	`else`
1471	richard	133	`# Create a backup of running importants files`
1362	richard	134	`$DIR_SCRIPTS/alcasar-conf.sh --create`
		135	`mode="update"`
		136	`fi`
		137	`else`
1365	richard	138	`if [ ! -d /var/log/netflow/porttracker ]`
		139	`then`
1378	richard	140	`# Test of free space on /var`
1365	richard	141	free_space=`df -BG --output=avail /var\|tail -1\|tr -d [:space:]G`
		142	`if [ $free_space -lt 10 ]`
		143	`then`
		144	`if [ $Lang == "fr" ]`
		145	`then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"`
		146	`else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"`
		147	`fi`
		148	`exit 0`
1362	richard	149	`fi`
1378	richard	150	`fi`
		151	`# Test of Mageia version`
		152	`# extract the current Mageia version and hardware architecture (i586 ou X64)`
		153	fic=`cat /etc/product.id`
		154	`unknown_os=0`
		155	`old="$IFS"`
		156	`IFS=","`
		157	`set $fic`
		158	`for i in $*`
		159	`do`
		160	if [ "`echo $i\|grep distribution\|cut -d'=' -f1`" == "distribution" ]
		161	`then`
		162	DISTRIBUTION=`echo $i\|cut -d"=" -f2`
		163	unknown_os=`expr $unknown_os + 1`
		164	`fi`
		165	if [ "`echo $i\|grep version\|cut -d'=' -f1`" == "version" ]
		166	`then`
		167	CURRENT_VERSION=`echo $i\|cut -d"=" -f2`
		168	unknown_os=`expr $unknown_os + 1`
		169	`fi`
		170	if [ "`echo $i\|grep arch\|cut -d'=' -f1`" == "arch" ]
		171	`then`
		172	ARCH=`echo $i\|cut -d"=" -f2`
		173	unknown_os=`expr $unknown_os + 1`
		174	`fi`
		175	`done`
		176	`IFS="$old"`
		177	`if [[ ( $unknown_os != 3 \|\| "$DISTRIBUTION" != "Mageia" ) && ( "$CURRENT_VERSION" != "4" ) ]]`
		178	`then`
		179	`if [ $Lang == "fr" ]`
		180	`then`
		181	`echo "L'installation ou la mise @ jour d'ALCASAR ne peut pas être réalisée."`
		182	`echo "Le système d'exploitation doit être remplacé (Mageia4)"`
		183	`else`
		184	`echo "The automatic update of ALCASAR can't be performed."`
		185	`echo "The OS must be replaced (Mageia4)"`
		186	`fi`
		187	`if [ -e /tmp/alcasar-conf.tar.gz ]`
		188	`then`
		189	`echo`
		190	`if [ $Lang == "fr" ]`
		191	`then`
		192	`echo "1 - Récupérez le fichier de configuration actuel (/tmp/alcasar-conf.tar.gz)."`
		193	`echo "2 - Installez Linux-Mageia4 (cf. doc d'installation)"`
		194	`echo "3 - copiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancer l'installation d'ALCASAR"`
		195	`else`
		196	`echo "1 - Retrieve the configuration file (/tmp/alcasar-conf.tar.gz)"`
		197	`echo "2 - Install Linux-Mageia4 (cf. installation doc)"`
		198	`echo "3 - Copy the file 'alcasar-conf.tar.gz' in the folder '/tmp' before launching the installation of ALCASAR"`
		199	`fi`
		200	`fi`
		201	`exit 0`
		202	`fi`
1342	richard	203	`fi`
1378	richard	204	`if [ $Lang == "fr" ]`
784	richard	205	`then echo -n "Tests des paramètres réseau : "`
595	richard	206	`else echo -n "Network parameters tests : "`
		207	`fi`
1471	richard	208
		209	`# Test of Ethernet links state`
		210	DOWN_IF=`/sbin/ip link\|grep "NO-CARRIER"\|cut -d":" -f2\|tr -d " "`
		211	`for i in $DOWN_IF`
		212	`do`
		213	`if [ $Lang == "fr" ]`
		214	`then`
		215	`echo "Échec"`
		216	`echo "Le lien réseau de la carte $i n'est pas actif."`
		217	`echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"`
		218	`else`
		219	`echo "Failed"`
		220	`echo "The link state of $i interface is down."`
		221	`echo "Make sure that this network card is connected to a switch or an A.P."`
		222	`fi`
		223	`exit 0`
		224	`done`
		225	`echo -n "."`
		226
		227	`# Test EXTIF config files`
784	richard	228	PUBLIC_IP=`grep IPADDR /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
		229	PUBLIC_GATEWAY=`grep GATEWAY /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2`
1471	richard	230	if [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
		231	`then`
784	richard	232	`if [ $Lang == "fr" ]`
		233	`then`
		234	`echo "Échec"`
		235	`echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."`
		236	`echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"`
1362	richard	237	`echo "Appliquez les changements : 'systemctl restart network'"`
784	richard	238	`else`
		239	`echo "Failed"`
		240	`echo "The Internet connected network card ($EXTIF) isn't well configured."`
		241	`echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"`
1362	richard	242	`echo "Apply the new configuration 'systemctl restart network'"`
784	richard	243	`fi`
830	richard	244	`echo "DEVICE=$EXTIF"`
784	richard	245	`echo "IPADDR="`
		246	`echo "NETMASK="`
		247	`echo "GATEWAY="`
		248	`echo "DNS1="`
		249	`echo "DNS2="`
830	richard	250	`echo "ONBOOT=yes"`
784	richard	251	`exit 0`
		252	`fi`
		253	`echo -n "."`
1471	richard	254
		255	`# Test if router is alive (Box FAI)`
784	richard	256	if [ `ip route list\|grep -c ^default` -ne "1" ] ; then
595	richard	257	`if [ $Lang == "fr" ]`
		258	`then`
		259	`echo "Échec"`
		260	`echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."`
		261	`echo "Réglez ce problème puis relancez ce script."`
		262	`else`
		263	`echo "Failed"`
		264	`echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"`
		265	`echo "Resolv this problem, then restart this script."`
		266	`fi`
29	richard	267	`exit 0`
		268	`fi`
308	richard	269	`echo -n "."`
978	franck	270	`# On teste le lien vers le routeur par defaut`
308	richard	271	IP_GW=`ip route list\|grep ^default\|cut -d" " -f3`
		272	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $IP_GW\|grep response\|cut -d" " -f2`
527	richard	273	`if [ $(expr $arp_reply) -eq 0 ]`
308	richard	274	`then`
595	richard	275	`if [ $Lang == "fr" ]`
		276	`then`
		277	`echo "Échec"`
		278	`echo "Le routeur de site ou la Box Internet ($IP_GW) ne répond pas."`
		279	`echo "Réglez ce problème puis relancez ce script."`
		280	`else`
		281	`echo "Failed"`
		282	`echo "The Internet gateway doesn't answered"`
		283	`echo "Resolv this problem, then restart this script."`
		284	`fi`
308	richard	285	`exit 0`
		286	`fi`
		287	`echo -n "."`
421	franck	288	`# On teste la connectivité Internet`
29	richard	289	`rm -rf /tmp/con_ok.html`
308	richard	290	`/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html`
29	richard	291	`if [ ! -e /tmp/con_ok.html ]`
		292	`then`
595	richard	293	`if [ $Lang == "fr" ]`
		294	`then`
		295	`echo "La tentative de connexion vers Internet a échoué (google.fr)."`
		296	`echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."`
		297	`echo "Vérifiez la validité des adresses IP des DNS."`
		298	`else`
		299	`echo "The Internet connection try failed (google.fr)."`
		300	`echo "Please, verify that the $EXTIF card is connected with the Internet gateway."`
		301	`echo "Verify the DNS IP addresses"`
		302	`fi`
29	richard	303	`exit 0`
		304	`fi`
		305	`rm -rf /tmp/con_ok.html`
308	richard	306	`echo ". : ok"`
1389	richard	307	`} # end of testing ()`
302	richard	308
		309	`##################################################################`
1221	richard	310	`## Function "init" ##`
302	richard	311	`## - Création du fichier "/root/ALCASAR_parametres.txt" ##`
		312	`## - Installation et modification des scripts du portail ##`
		313	`##################################################################`
		314	`init ()`
		315	`{`
527	richard	316	`if [ "$mode" != "update" ]`
302	richard	317	`then`
		318	`# On affecte le nom d'organisme`
597	richard	319	`header_install`
302	richard	320	`ORGANISME=!`
		321	`PTN='^[a-zA-Z0-9-]*$'`
580	richard	322	`until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]`
302	richard	323	`do`
595	richard	324	`if [ $Lang == "fr" ]`
597	richard	325	`then echo -n "Entrez le nom de votre organisme : "`
		326	`else echo -n "Enter the name of your organism : "`
595	richard	327	`fi`
330	franck	328	`read ORGANISME`
613	richard	329	`if [ "$ORGANISME" == "" ]`
330	franck	330	`then`
		331	`ORGANISME=!`
		332	`fi`
		333	`done`
302	richard	334	`fi`
1	root	335	`# On crée aléatoirement les mots de passe et les secrets partagés`
628	richard	336	`rm -f $PASSWD_FILE`
1350	richard	337	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
		338	`echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE`
628	richard	339	`echo "$grubpwd" >> $PASSWD_FILE`
1348	richard	340	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
384	richard	341	`$SED "/^password.*/d" /boot/grub/menu.lst`
		342	`$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst`
1350	richard	343	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	344	`echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE`
628	richard	345	`echo "root / $mysqlpwd" >> $PASSWD_FILE`
1350	richard	346	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	347	`echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE`
628	richard	348	`echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE`
1350	richard	349	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	350	`echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE`
		351	`echo "$secretuam" >> $PASSWD_FILE`
1350	richard	352	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	353	`echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE`
		354	`echo "$secretradius" >> $PASSWD_FILE`
		355	`chmod 640 $PASSWD_FILE`
977	richard	356	`# Scripts and conf files copy`
		357	`# - in /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}`
5	franck	358	`cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*`
977	richard	359	`# - in /usr/local/sbin : alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}`
5	franck	360	`cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*`
977	richard	361	`# - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}`
648	richard	362	`cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*`
1	root	363	`$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh`
		364	`$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh`
5	franck	365	`$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh`
		366	`$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh`
628	richard	367	`# generate central conf file`
		368	`cat <<EOF > $CONF_FILE`
612	richard	369	`##########################################`
		370	`## ##`
		371	`## ALCASAR Parameters ##`
		372	`## ##`
		373	`##########################################`
1	root	374
612	richard	375	`INSTALL_DATE=$DATE`
		376	`VERSION=$VERSION`
		377	`ORGANISM=$ORGANISME`
923	franck	378	`DOMAIN=$DOMAIN`
612	richard	379	`EOF`
628	richard	380	`chmod o-rwx $CONF_FILE`
1	root	381	`} # End of init ()`
		382
		383	`##################################################################`
1221	richard	384	`## Function "network" ##`
1	root	385	`## - Définition du plan d'adressage du réseau de consultation ##`
595	richard	386	`## - Nommage DNS du système ##`
1336	richard	387	`## - Configuration de l'interface INTIF (réseau de consultation)##`
1	root	388	`## - Modification du fichier /etc/hosts ##`
		389	`## - Configuration du serveur de temps (NTP) ##`
		390	`## - Renseignement des fichiers hosts.allow et hosts.deny ##`
		391	`##################################################################`
		392	`network ()`
		393	`{`
		394	`header_install`
636	richard	395	`if [ "$mode" != "update" ]`
		396	`then`
		397	`if [ $Lang == "fr" ]`
		398	`then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"`
		399	`else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"`
		400	`fi`
		401	`response=0`
		402	`PTN='^[oOyYnN]$'`
		403	`until [[ $(expr $response : $PTN) -gt 0 ]]`
1	root	404	`do`
595	richard	405	`if [ $Lang == "fr" ]`
659	richard	406	`then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "`
618	richard	407	`else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "`
595	richard	408	`fi`
1	root	409	`read response`
		410	`done`
636	richard	411	`if [ "$response" = "n" ] \|\| [ "$response" = "N" ]`
		412	`then`
		413	`PRIVATE_IP_MASK="0"`
		414	`PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'`
		415	`until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]`
1	root	416	`do`
595	richard	417	`if [ $Lang == "fr" ]`
597	richard	418	`then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "`
		419	`else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "`
595	richard	420	`fi`
597	richard	421	`read PRIVATE_IP_MASK`
1	root	422	`done`
636	richard	423	`else`
		424	`PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK`
		425	`fi`
595	richard	426	`else`
637	richard	427	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		428	`rm -rf conf/etc/alcasar.conf`
1	root	429	`fi`
861	richard	430	`# Define LAN side global parameters`
1243	richard	431	`hostname $HOSTNAME.$DOMAIN`
		432	`echo $HOSTNAME.$DOMAIN > /etc/hostname`
977	richard	433	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
		434	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
		435	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
		436	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
		437	`PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24`
		438	classe=$((PRIVATE_PREFIX/8)); classe_sup=`expr $classe + 1`; classe_sup_sup=`expr $classe + 2` # ie.: 2=classe B, 3=classe C
		439	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		440	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
		441	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f$classe_sup` # last octet of LAN address
		442	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f$classe_sup` # last octet of LAN broadcast
837	richard	443	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
977	richard	444	PRIVATE_SECOND_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 2` # second network address (ex.: 192.168.182.2)
837	richard	445	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
1336	richard	446	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6` # MAC address of INTIF
841	richard	447	`# Define Internet parameters`
14	richard	448	`[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF`
		449	DNS1=`grep DNS1 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 1er DNS
		450	DNS2=`grep DNS2 /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2` # @ip 2ème DNS
70	franck	451	`DNS1=${DNS1:=208.67.220.220}`
		452	`DNS2=${DNS2:=208.67.222.222}`
597	richard	453	PUBLIC_NETMASK=`grep NETMASK /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF\|cut -d"=" -f2`
1052	richard	454	DEFAULT_PUBLIC_NETMASK=`ipcalc -m $PUBLIC_IP \| cut -d"=" -f2`
784	richard	455	`PUBLIC_NETMASK=${PUBLIC_NETMASK:=$DEFAULT_PUBLIC_NETMASK}`
1052	richard	456	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	457	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
1469	richard	458	`echo "EXTIF=$EXTIF" >> $CONF_FILE`
		459	`echo "INTIF=$INTIF" >> $CONF_FILE`
765	stephane	460	`echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE`
994	franck	461	`echo "PUBLIC_MTU=$MTU" >> $CONF_FILE`
628	richard	462	`echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE`
		463	`echo "DNS1=$DNS1" >> $CONF_FILE`
		464	`echo "DNS2=$DNS2" >> $CONF_FILE`
		465	`echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE`
1484	richard	466	`echo "DHCP=on" >> $CONF_FILE`
914	franck	467	`echo "EXT_DHCP_IP=none" >> $CONF_FILE`
		468	`echo "RELAY_DHCP_IP=none" >> $CONF_FILE`
		469	`echo "RELAY_DHCP_PORT=none" >> $CONF_FILE`
597	richard	470	`[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default`
841	richard	471	`# config network`
1	root	472	`cat <<EOF > /etc/sysconfig/network`
		473	`NETWORKING=yes`
1243	richard	474	`HOSTNAME="$HOSTNAME.$DOMAIN"`
1	root	475	`FORWARD_IPV4=true`
		476	`EOF`
841	richard	477	`# config /etc/hosts`
1	root	478	`[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default`
		479	`cat <<EOF > /etc/hosts`
503	richard	480	`127.0.0.1 localhost`
1353	richard	481	`$PRIVATE_IP $HOSTNAME.$DOMAIN $HOSTNAME $ORGANISME.$DOMAIN $ORGANISME`
1	root	482	`EOF`
1336	richard	483	`# Config EXTIF (Internet)`
14	richard	484	`cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF`
		485	`DEVICE=$EXTIF`
		486	`BOOTPROTO=static`
597	richard	487	`IPADDR=$PUBLIC_IP`
		488	`NETMASK=$PUBLIC_NETMASK`
		489	`GATEWAY=$PUBLIC_GATEWAY`
14	richard	490	`DNS1=127.0.0.1`
		491	`ONBOOT=yes`
		492	`METRIC=10`
		493	`NOZEROCONF=yes`
		494	`MII_NOT_SUPPORTED=yes`
		495	`IPV6INIT=no`
		496	`IPV6TO4INIT=no`
		497	`ACCOUNTING=no`
		498	`USERCTL=no`
994	franck	499	`MTU=$MTU`
14	richard	500	`EOF`
1336	richard	501	`# Config INTIF (consultation LAN) in normal mode`
841	richard	502	`cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF`
		503	`DEVICE=$INTIF`
		504	`BOOTPROTO=static`
		505	`ONBOOT=yes`
		506	`NOZEROCONF=yes`
		507	`MII_NOT_SUPPORTED=yes`
		508	`IPV6INIT=no`
		509	`IPV6TO4INIT=no`
		510	`ACCOUNTING=no`
		511	`USERCTL=no`
		512	`EOF`
1336	richard	513	`# Config of INTIF in bypass mode (see "alcasar-bypass.sh")`
793	richard	514	`cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF`
1	root	515	`DEVICE=$INTIF`
		516	`BOOTPROTO=static`
		517	`IPADDR=$PRIVATE_IP`
604	richard	518	`NETMASK=$PRIVATE_NETMASK`
1	root	519	`ONBOOT=yes`
		520	`METRIC=10`
		521	`NOZEROCONF=yes`
		522	`MII_NOT_SUPPORTED=yes`
14	richard	523	`IPV6INIT=no`
		524	`IPV6TO4INIT=no`
		525	`ACCOUNTING=no`
		526	`USERCTL=no`
1	root	527	`EOF`
440	franck	528	`# Mise à l'heure du serveur`
		529	`[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default`
		530	`cat <<EOF > /etc/ntp/step-tickers`
455	franck	531	`0.fr.pool.ntp.org # adapt to your country`
		532	`1.fr.pool.ntp.org`
		533	`2.fr.pool.ntp.org`
440	franck	534	`EOF`
		535	`# Configuration du serveur de temps (sur lui même)`
1	root	536	`[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default`
		537	`cat <<EOF > /etc/ntp.conf`
456	franck	538	`server 0.fr.pool.ntp.org # adapt to your country`
447	franck	539	`server 1.fr.pool.ntp.org`
		540	`server 2.fr.pool.ntp.org`
		541	`server 127.127.1.0 # local clock si NTP internet indisponible ...`
411	richard	542	`fudge 127.127.1.0 stratum 10`
604	richard	543	`restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap`
1	root	544	`restrict 127.0.0.1`
310	richard	545	`driftfile /var/lib/ntp/drift`
1	root	546	`logfile /var/log/ntp.log`
		547	`EOF`
440	franck	548
310	richard	549	`chown -R ntp:ntp /var/lib/ntp`
1	root	550	`# Renseignement des fichiers hosts.allow et hosts.deny`
		551	`[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default`
		552	`cat <<EOF > /etc/hosts.allow`
		553	`ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP`
604	richard	554	`sshd: ALL`
1	root	555	`ntpd: $PRIVATE_NETWORK_SHORT`
		556	`EOF`
		557	`[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default`
		558	`cat <<EOF > /etc/hosts.deny`
		559	`ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &`
		560	`EOF`
790	richard	561	`chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)`
860	richard	562	`# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)`
1069	richard	563	`echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked`
790	richard	564	`# load conntrack ftp module`
		565	`[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default`
		566	`echo "ip_conntrack_ftp" >> /etc/modprobe.preload`
1159	crox53	567	`# load ipt_NETFLOW module`
		568	`echo "ipt_NETFLOW" >> /etc/modprobe.preload`
1157	stephane	569	`#`
860	richard	570	`# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh`
1	root	571	`} # End of network ()`
		572
		573	`##################################################################`
1221	richard	574	`## Function "ACC" ##`
		575	`## - installation du centre de gestion (ALCASAR Control Center) ##`
1	root	576	`## - configuration du serveur web (Apache) ##`
		577	`## - définition du 1er comptes de gestion ##`
		578	`## - sécurisation des accès ##`
		579	`##################################################################`
1221	richard	580	`ACC ()`
1	root	581	`{`
		582	`[ -d $DIR_WEB ] && rm -rf $DIR_WEB`
		583	`mkdir $DIR_WEB`
		584	`# Copie et configuration des fichiers du centre de gestion`
316	richard	585	`cp -rf $DIR_INSTALL/web/* $DIR_WEB/`
972	richard	586	`echo "$VERSION" > $DIR_WEB/VERSION`
316	richard	587	`$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php`
		588	`$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php`
		589	`$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php`
		590	`$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php`
		591	`chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php`
5	franck	592	`chown -R apache:apache $DIR_WEB/*`
1342	richard	593	`for i in system_backup base logs/firewall logs/httpd logs/security;`
1	root	594	`do`
		595	`[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i`
		596	`done`
5	franck	597	`chown -R root:apache $DIR_SAVE`
71	richard	598	`# Configuration et sécurisation php`
		599	`[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default`
534	richard	600	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		601	`$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini`
411	richard	602	`$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini`
		603	`$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini`
71	richard	604	`$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini`
		605	`$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini`
		606	`# Configuration et sécurisation Apache`
790	richard	607	`rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*`
1	root	608	`[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default`
1243	richard	609	`$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf`
303	richard	610	`$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf`
1	root	611	`$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf`
		612	`$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf`
		613	`$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf`
790	richard	614	`$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf`
		615	`$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf`
		616	`$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf`
		617	`$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf`
		618	`$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf`
		619	`$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf`
990	franck	620	`$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf`
1359	richard	621	`[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] \|\| cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default`
		622	`$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF`
		623	`[ -e /usr/share/httpd/error/include/top.html.default ] \|\| cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default`
		624	`$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html`
		625	`[ -e /usr/share/httpd/error/include/bottom.html.default ] \|\| cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default`
		626	`cat <<EOF > /usr/share/httpd/error/include/bottom.html`
1	root	627	`</body>`
		628	`</html>`
		629	`EOF`
		630	`# Définition du premier compte lié au profil 'admin'`
509	richard	631	`header_install`
510	richard	632	`if [ "$mode" = "install" ]`
		633	`then`
613	richard	634	`admin_portal=!`
		635	`PTN='^[a-zA-Z0-9-]*$'`
		636	`until [[ $(expr $admin_portal : $PTN) -gt 0 ]]`
		637	`do`
		638	`header_install`
		639	`if [ $Lang == "fr" ]`
		640	`then`
		641	`echo ""`
		642	`echo "Définissez un premier compte d'administration du portail :"`
		643	`echo`
		644	`echo -n "Nom : "`
		645	`else`
		646	`echo ""`
		647	`echo "Define the first account allow to administrate the portal :"`
		648	`echo`
		649	`echo -n "Account : "`
		650	`fi`
		651	`read admin_portal`
		652	`if [ "$admin_portal" == "" ]`
		653	`then`
		654	`admin_portal=!`
		655	`fi`
		656	`done`
1268	richard	657	`# Creation of keys file for the admin account ("admin")`
510	richard	658	`[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest`
		659	`mkdir -p $DIR_DEST_ETC/digest`
		660	`chmod 755 $DIR_DEST_ETC/digest`
		661	`until [ -s $DIR_DEST_ETC/digest/key_admin ]`
		662	`do`
1350	richard	663	`/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal`
510	richard	664	`done`
		665	`$DIR_DEST_SBIN/alcasar-profil.sh --list`
		666	`fi`
434	richard	667	`# synchronisation horaire`
		668	`ntpd -q -g &`
1	root	669	`# Sécurisation du centre`
988	franck	670	`rm -f /etc/httpd/conf/webapps.d/alcasar*`
1	root	671	`cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf`
316	richard	672	`<Directory $DIR_ACC>`
1	root	673	`SSLRequireSSL`
		674	`AllowOverride None`
		675	`Order deny,allow`
		676	`Deny from all`
		677	`Allow from 127.0.0.1`
		678	`Allow from $PRIVATE_NETWORK_MASK`
990	franck	679	`# Allow from AA.BB.CC.DD/32 # Allow from specific @IP`
1	root	680	`require valid-user`
		681	`AuthType digest`
1243	richard	682	`AuthName $HOSTNAME.$DOMAIN`
1	root	683	`BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On`
434	richard	684	`AuthUserFile $DIR_DEST_ETC/digest/key_all`
1243	richard	685	`ErrorDocument 404 https://$HOSTNAME.$DOMAIN/`
1	root	686	`</Directory>`
316	richard	687	`<Directory $DIR_ACC/admin>`
1	root	688	`SSLRequireSSL`
		689	`AllowOverride None`
		690	`Order deny,allow`
		691	`Deny from all`
		692	`Allow from 127.0.0.1`
		693	`Allow from $PRIVATE_NETWORK_MASK`
990	franck	694	`# Allow from AA.BB.CC.DD/32 # Allow from specific @IP`
1	root	695	`require valid-user`
		696	`AuthType digest`
1243	richard	697	`AuthName $HOSTNAME.$DOMAIN`
1	root	698	`BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On`
434	richard	699	`AuthUserFile $DIR_DEST_ETC/digest/key_admin`
1243	richard	700	`ErrorDocument 404 https://$HOSTNAME.$DOMAIN/`
1	root	701	`</Directory>`
344	richard	702	`<Directory $DIR_ACC/manager>`
1	root	703	`SSLRequireSSL`
		704	`AllowOverride None`
		705	`Order deny,allow`
		706	`Deny from all`
		707	`Allow from 127.0.0.1`
		708	`Allow from $PRIVATE_NETWORK_MASK`
990	franck	709	`# Allow from AA.BB.CC.DD/32 # Allow from specific @IP`
1	root	710	`require valid-user`
		711	`AuthType digest`
1243	richard	712	`AuthName $HOSTNAME.$DOMAIN`
1	root	713	`BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On`
434	richard	714	`AuthUserFile $DIR_DEST_ETC/digest/key_manager`
1243	richard	715	`ErrorDocument 404 https://$HOSTNAME.$DOMAIN/`
1	root	716	`</Directory>`
316	richard	717	`<Directory $DIR_ACC/backup>`
		718	`SSLRequireSSL`
		719	`AllowOverride None`
		720	`Order deny,allow`
		721	`Deny from all`
		722	`Allow from 127.0.0.1`
		723	`Allow from $PRIVATE_NETWORK_MASK`
990	franck	724	`# Allow from AA.BB.CC.DD/32 # Allow from specific @IP`
316	richard	725	`require valid-user`
		726	`AuthType digest`
1243	richard	727	`AuthName $HOSTNAME.$DOMAIN`
316	richard	728	`BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On`
434	richard	729	`AuthUserFile $DIR_DEST_ETC/digest/key_backup`
1243	richard	730	`ErrorDocument 404 https://$HOSTNAME.$DOMAIN/`
316	richard	731	`</Directory>`
811	richard	732	`Alias /save/ "$DIR_SAVE/"`
		733	`<Directory $DIR_SAVE>`
		734	`SSLRequireSSL`
		735	`Options Indexes`
		736	`Order deny,allow`
		737	`Deny from all`
		738	`Allow from 127.0.0.1`
		739	`Allow from $PRIVATE_NETWORK_MASK`
990	franck	740	`# Allow from AA.BB.CC.DD/32 # Allow from specific @IP`
811	richard	741	`require valid-user`
		742	`AuthType digest`
1243	richard	743	`AuthName $HOSTNAME.$DOMAIN`
811	richard	744	`AuthUserFile $DIR_DEST_ETC/digest/key_backup`
1243	richard	745	`ErrorDocument 404 https://$HOSTNAME.$DOMAIN/`
811	richard	746	`</Directory>`
1	root	747	`EOF`
1378	richard	748	`# Launch after coova`
		749	`$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service`
1410	richard	750	`# Error page management`
		751	FIC_ERROR_DOC=`find /etc/httpd/conf -type f -name multilang-errordoc.conf`
		752	`[ -e $FIC_ERROR_DOC ] \|\| cp $FIC_ERROR_DOC $FIC_ERROR_DOC.default`
		753
		754	`cat <<EOF > $FIC_ERROR_DOC`
		755	`Alias /error/ "/var/www/html/"`
		756
		757	`<Directory "/usr/share/httpd/error">`
		758	`AllowOverride None`
		759	`Options IncludesNoExec`
		760	`AddOutputFilter Includes html`
		761	`AddHandler type-map var`
		762	`Require all granted`
		763	`LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr`
		764	`ForceLanguagePriority Prefer Fallback`
		765	`</Directory>`
		766
		767	`ErrorDocument 400 /error/error.php?error=400`
		768	`ErrorDocument 401 /error/error.php?error=401`
		769	`ErrorDocument 403 /error/error.php?error=403`
		770	`ErrorDocument 404 /error/error.php?error=404`
		771	`ErrorDocument 405 /error/error.php?error=405`
		772	`ErrorDocument 408 /error/error.php?error=408`
		773	`ErrorDocument 410 /error/error.php?error=410`
		774	`ErrorDocument 411 /error/error.php?error=411`
		775	`ErrorDocument 412 /error/error.php?error=412`
		776	`ErrorDocument 413 /error/error.php?error=413`
		777	`ErrorDocument 414 /error/error.php?error=414`
		778	`ErrorDocument 415 /error/error.php?error=415`
		779	`ErrorDocument 500 /error/error.php?error=500`
		780	`ErrorDocument 501 /error/error.php?error=501`
		781	`ErrorDocument 502 /error/error.php?error=502`
		782	`ErrorDocument 503 /error/error.php?error=503`
		783	`ErrorDocument 506 /error/error.php?error=506`
		784	`EOF`
		785
1389	richard	786	`} # End of ACC ()`
1	root	787
		788	`##########################################################################################`
1221	richard	789	`## Fonction "CA" ##`
1	root	790	`## - Création d'une Autorité de Certification et du certificat serveur pour apache ##`
		791	`##########################################################################################`
1221	richard	792	`CA ()`
1	root	793	`{`
510	richard	794	`$DIR_DEST_BIN/alcasar-CA.sh`
800	richard	795	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	796	`[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default`
1410	richard	797
		798	`#$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL`
		799	`#$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL`
		800	`#$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL`
		801
		802	`cat <<EOF > $FIC_VIRTUAL_SSL`
		803	`# default SSL virtual host, used for all HTTPS requests that do not`
		804	`# match a ServerName or ServerAlias in any <VirtualHost> block.`
		805
		806	`<VirtualHost _default_:443>`
		807	`# general configuration`
		808	`ServerAdmin root@localhost`
		809	`ServerName localhost`
		810
		811	`# SSL configuration`
		812	`SSLEngine on`
		813	`SSLCertificateFile /etc/pki/tls/certs/alcasar.crt`
		814	`SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key`
		815	`SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt`
		816	`CustomLog logs/ssl_request_log \`
		817	`"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"`
		818	`ErrorLog logs/ssl_error_log`
		819	`ErrorLogFormat "[%t] [%m:%l] [client %a] %M"`
		820	`</VirtualHost>`
		821	`EOF`
		822
5	franck	823	`chown -R root:apache /etc/pki`
1	root	824	`chmod -R 750 /etc/pki`
1389	richard	825	`} # End of CA ()`
1	root	826
		827	`##########################################################################################`
1221	richard	828	`## Fonction "init_db" ##`
1	root	829	`## - Initialisation de la base Mysql ##`
		830	`## - Affectation du mot de passe de l'administrateur (root) ##`
		831	`## - Suppression des bases et des utilisateurs superflus ##`
		832	`## - Création de la base 'radius' ##`
		833	`## - Installation du schéma de cette base ##`
		834	`## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##`
		835	`## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##`
		836	`##########################################################################################`
		837	`init_db ()`
		838	`{`
1355	richard	839	`rm -rf /var/lib/mysql # to be sure that there is no former installation`
1	root	840	`[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default`
		841	`$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf`
1355	richard	842	`$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf`
1353	richard	843	`systemctl start mysqld.service`
1	root	844	`sleep 4`
		845	`mysqladmin -u root password $mysqlpwd`
		846	`MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"`
1355	richard	847	`# Secure the server`
		848	`$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"`
		849	`$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"`
615	richard	850	`# Create 'radius' database`
1317	richard	851	`$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"`
615	richard	852	`# Add an empty radius database structure`
364	franck	853	`mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql`
615	richard	854	`# modify the start script in order to close accounting connexion when the system is comming down or up`
1357	richard	855	`[ -e /lib/systemd/system/mysqld.service.default ] \|\| cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default`
		856	`$SED "/ExecStartPost=/a ExecStartPost=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service`
1355	richard	857	`$SED "/ExecStartPost=/a ExecStop=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service`
		858	`systemctl daemon-reload`
1389	richard	859	`} # End of init_db ()`
1	root	860
		861	`##########################################################################`
1389	richard	862	`## Fonction "radius" ##`
1	root	863	`## - Paramètrage des fichiers de configuration FreeRadius ##`
		864	`## - Affectation du secret partagé entre coova-chilli et freeradius ##`
		865	`## - Modification de fichier de conf pour l'accès à Mysql ##`
		866	`##########################################################################`
1389	richard	867	`radius ()`
1	root	868	`{`
		869	`cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/`
		870	`chown -R radius:radius /etc/raddb`
		871	`[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default`
1278	richard	872	`# Set radius.conf parameters`
1	root	873	`$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf`
		874	`$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf`
		875	`$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf`
1278	richard	876	`# remove the proxy function`
1	root	877	`$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf`
		878	`$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf`
1278	richard	879	`# remove EAP module`
654	richard	880	`$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf`
1278	richard	881	`# listen on loopback (should be modified later if EAP enabled)`
1	root	882	`$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf`
1278	richard	883	`# enable the SQL module (and SQL counter)`
1	root	884	`$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf`
		885	`$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf`
		886	`$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf`
1465	richard	887	`# only include modules for ALCASAR needs`
		888	`$SED "s?^[\t ]\$INCLUDE \${confdir}/modules/.?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf`
		889	`$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf`
		890	`$SED "s?^[\t ]expr.?\#\texpr?g" /etc/raddb/radiusd.conf`
		891	`$SED "s?^[\t ]\# daily.?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf`
		892	`$SED "s?^[\t ]logintime.?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf`
		893	`$SED "s?^[\t ]\$INCLUDE sites-enabled/.?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf`
1278	richard	894	`# remvove virtual server and copy our conf file`
1	root	895	`rm -f /etc/raddb/sites-enabled/*`
1278	richard	896	`cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar`
1	root	897	`chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)`
		898	`chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap`
		899	`chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules`
		900	`ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar`
384	richard	901	`# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'`
1	root	902	`touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}`
1278	richard	903	`# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)`
1	root	904	`[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default`
		905	`cat << EOF > /etc/raddb/clients.conf`
		906	`client 127.0.0.1 {`
		907	`secret = $secretradius`
		908	`shortname = localhost`
		909	`}`
		910	`EOF`
1278	richard	911	`# sql.conf modification`
1	root	912	`[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default`
		913	`$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf`
		914	`$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf`
		915	`$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf`
		916	`$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf`
1278	richard	917	`# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.)`
1	root	918	`[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default`
1278	richard	919	`cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf`
		920	`# counter.conf modification (change the Max-All-Session-Time counter)`
		921	`[ -e /etc/raddb/sql/mysql/counter.conf.default ] \|\| cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default`
		922	`cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf`
		923	`chown -R radius:radius /etc/raddb/sql/mysql/*`
1358	richard	924	`# make certain that mysql is up before radius start`
		925	`[ -e /lib/systemd/system/radiusd.service.default ] \|\| cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default`
		926	`$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service`
		927	`systemctl daemon-reload`
1389	richard	928	`} # End radius ()`
1	root	929
		930	`##########################################################################`
1389	richard	931	`## Function "radius_web" ##`
1	root	932	`## - Import, modification et paramètrage de l'interface "dialupadmin" ##`
		933	`## - Création du lien vers la page de changement de mot de passe ##`
		934	`##########################################################################`
1389	richard	935	`radius_web ()`
1	root	936	`{`
		937	`# copie de l'interface d'origine dans la structure Alcasar`
316	richard	938	`[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/`
		939	`rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme`
		940	`rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html`
344	richard	941	`# copie des fichiers modifiés`
		942	`cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/`
316	richard	943	`chown -R apache:apache $DIR_ACC/manager/`
344	richard	944	`# Modification des fichiers de configuration`
1	root	945	`[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default`
503	richard	946	`$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf`
1	root	947	`$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf`
		948	`$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf`
		949	`$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf`
		950	`$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf`
		951	`$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf`
		952	`$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf`
		953	`$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf`
946	richard	954	`$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf`
344	richard	955	`[ -e /etc/freeradius-web/config.php.default ] \|\| cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default`
1278	richard	956	`cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php`
131	richard	957	`cat <<EOF > /etc/freeradius-web/naslist.conf`
632	richard	958	`nas1_name: alcasar-$ORGANISME`
1	root	959	`nas1_model: Portail captif`
		960	`nas1_ip: $PRIVATE_IP`
		961	`nas1_port_num: 0`
		962	`nas1_community: public`
		963	`EOF`
		964	`# Modification des attributs visibles lors de la création d'un usager ou d'un groupe`
		965	`[ -e /etc/freeradius-web/user_edit.attrs.default ] \|\| mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default`
1278	richard	966	`cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs`
114	richard	967	`# Ajout du mappage des attributs chillispot`
		968	`[ -e /etc/freeradius-web/sql.attrmap.default ] \|\| mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default`
1278	richard	969	`cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap`
1	root	970	`# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)`
1278	richard	971	`[ -e /etc/freeradius-web/sql.attrs.default ] \|\| cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default`
1	root	972	`$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs`
		973	`$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs`
5	franck	974	`chown -R apache:apache /etc/freeradius-web`
1	root	975	`# Ajout de l'alias vers la page de "changement de mot de passe usager"`
		976	`cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf`
344	richard	977	`<Directory $DIR_WEB/pass>`
1	root	978	`SSLRequireSSL`
		979	`AllowOverride None`
		980	`Order deny,allow`
		981	`Deny from all`
		982	`Allow from 127.0.0.1`
		983	`Allow from $PRIVATE_NETWORK_MASK`
1243	richard	984	`ErrorDocument 404 https://$HOSTNAME.$DOMAIN`
1	root	985	`</Directory>`
		986	`EOF`
1389	richard	987	`} # End of radius_web ()`
1	root	988
799	richard	989	`##################################################################################`
1389	richard	990	`## Fonction "chilli" ##`
799	richard	991	`## - Création du fichier d'initialisation et de configuration de coova-chilli ##`
		992	`## - Paramètrage de la page d'authentification (intercept.php) ##`
		993	`##################################################################################`
1389	richard	994	`chilli ()`
1	root	995	`{`
1370	richard	996	`# chilli unit for systemd`
		997	`cat << EOF > /lib/systemd/system/chilli.service`
1372	richard	998	`# This file is part of systemd.`
		999	`#`
		1000	`# systemd is free software; you can redistribute it and/or modify it`
		1001	`# under the terms of the GNU General Public License as published by`
		1002	`# the Free Software Foundation; either version 2 of the License, or`
		1003	`# (at your option) any later version.`
1370	richard	1004	`[Unit]`
		1005	`Description=chilli is a captive portal daemon`
		1006	`After=network.target`
		1007
		1008	`[Service]`
1379	richard	1009	`Type=forking`
1370	richard	1010	`ExecStart=/usr/libexec/chilli start`
		1011	`ExecStop=/usr/libexec/chilli stop`
		1012	`ExecReload=/usr/libexec/chilli reload`
		1013	`PIDFile=/var/run/chilli.pid`
		1014
		1015	`[Install]`
		1016	`WantedBy=multi-user.target`
		1017	`EOF`
799	richard	1018	`# init file creation`
1370	richard	1019	`[ -e /etc/init.d/chilli.default ] \|\| mv /etc/init.d/chilli /etc/init.d/chilli.default`
		1020	`cat <<EOF > /usr/libexec/chilli`
799	richard	1021	`#!/bin/sh`
		1022	`#`
		1023	`# chilli CoovaChilli init`
		1024	`#`
		1025	`# chkconfig: 2345 65 35`
		1026	`# description: CoovaChilli`
		1027	`### BEGIN INIT INFO`
		1028	`# Provides: chilli`
		1029	`# Required-Start: network`
		1030	`# Should-Start:`
		1031	`# Required-Stop: network`
		1032	`# Should-Stop:`
		1033	`# Default-Start: 2 3 5`
		1034	`# Default-Stop:`
		1035	`# Description: CoovaChilli access controller`
		1036	`### END INIT INFO`
		1037
		1038	`[ -f /usr/sbin/chilli ] \|\| exit 0`
		1039	`. /etc/init.d/functions`
		1040	`CONFIG=/etc/chilli.conf`
		1041	`pidfile=/var/run/chilli.pid`
		1042	`[ -f \$CONFIG ] \|\| {`
		1043	`echo "\$CONFIG Not found"`
		1044	`exit 0`
		1045	`}`
		1046	`RETVAL=0`
		1047	`prog="chilli"`
		1048	`case \$1 in`
		1049	`start)`
		1050	`if [ -f \$pidfile ] ; then`
		1051	`gprintf "chilli is already running"`
		1052	`else`
		1053	`gprintf "Starting \$prog: "`
		1054	`rm -f /var/run/chilli* # cleaning`
		1055	`/sbin/modprobe tun >/dev/null 2>&1`
		1056	`echo 1 > /proc/sys/net/ipv4/ip_forward`
		1057	`[ -e /dev/net/tun ] \|\| {`
		1058	`(cd /dev;`
		1059	`mkdir net;`
		1060	`cd net;`
		1061	`mknod tun c 10 200)`
		1062	`}`
1336	richard	1063	`ifconfig $INTIF 0.0.0.0`
799	richard	1064	`daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &`
		1065	`RETVAL=$?`
		1066	`fi`
		1067	`;;`
		1068
		1069	`reload)`
		1070	`killall -HUP chilli`
		1071	`;;`
		1072
		1073	`restart)`
		1074	`\$0 stop`
		1075	`sleep 2`
		1076	`\$0 start`
		1077	`;;`
		1078
		1079	`status)`
		1080	`status chilli`
		1081	`RETVAL=0`
		1082	`;;`
		1083
		1084	`stop)`
		1085	`if [ -f \$pidfile ] ; then`
		1086	`gprintf "Shutting down \$prog: "`
		1087	`killproc /usr/sbin/chilli`
		1088	`RETVAL=\$?`
		1089	`[ \$RETVAL = 0 ] && rm -f $pidfile`
		1090	`else`
		1091	`gprintf "chilli is not running"`
		1092	`fi`
		1093	`;;`
		1094
		1095	`*)`
		1096	`echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"`
		1097	`exit 1`
		1098	`esac`
		1099	`echo`
		1100	`EOF`
1373	richard	1101	`chmod a+x /usr/libexec/chilli`
799	richard	1102	`# conf file creation`
346	richard	1103	`[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default`
		1104	`cat <<EOF > /etc/chilli.conf`
		1105	`# coova config for ALCASAR`
		1106	`cmdsocket /var/run/chilli.sock`
1336	richard	1107	`unixipc chilli.$INTIF.ipc`
		1108	`pidfile /var/run/chilli.$INTIF.pid`
346	richard	1109	`net $PRIVATE_NETWORK_MASK`
595	richard	1110	`dhcpif $INTIF`
841	richard	1111	`ethers $DIR_DEST_ETC/alcasar-ethers`
861	richard	1112	`#nodynip`
865	richard	1113	`#statip`
		1114	`dynip $PRIVATE_NETWORK_MASK`
1249	richard	1115	`domain $DOMAIN`
355	richard	1116	`dns1 $PRIVATE_IP`
		1117	`dns2 $PRIVATE_IP`
346	richard	1118	`uamlisten $PRIVATE_IP`
503	richard	1119	`uamport 3990`
837	richard	1120	`macauth`
		1121	`macpasswd password`
1243	richard	1122	`locationname $HOSTNAME.$DOMAIN`
346	richard	1123	`radiusserver1 127.0.0.1`
		1124	`radiusserver2 127.0.0.1`
		1125	`radiussecret $secretradius`
		1126	`radiusauthport 1812`
		1127	`radiusacctport 1813`
1243	richard	1128	`uamserver https://$HOSTNAME.$DOMAIN/intercept.php`
		1129	`radiusnasid $HOSTNAME.$DOMAIN`
346	richard	1130	`uamsecret $secretuam`
1249	richard	1131	`uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN`
346	richard	1132	`coaport 3799`
1379	richard	1133	`conup $DIR_DEST_BIN/alcasar-conup.sh`
		1134	`condown $DIR_DEST_BIN/alcasar-condown.sh`
503	richard	1135	`include $DIR_DEST_ETC/alcasar-uamallowed`
		1136	`include $DIR_DEST_ETC/alcasar-uamdomain`
1294	richard	1137	`#dhcpgateway`
1157	stephane	1138	`#dhcprelayagent`
		1139	`#dhcpgatewayport`
346	richard	1140	`EOF`
1336	richard	1141	`# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)`
977	richard	1142	`echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers`
840	richard	1143	`# create files for trusted domains and urls`
1148	crox53	1144	`touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain`
503	richard	1145	`chown root:apache $DIR_DEST_ETC/alcasar-*`
		1146	`chmod 660 $DIR_DEST_ETC/alcasar-*`
847	richard	1147	`# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)`
526	stephane	1148	`$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php`
		1149	`$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php`
796	richard	1150	`# user 'chilli' creation (in order to run conup/off and up/down scripts`
		1151	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		1152	`if [ "$chilli_exist" == "1" ]`
		1153	`then`
		1154	`userdel -r chilli 2>/dev/null`
		1155	`fi`
		1156	`groupadd -f chilli`
		1157	`useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli`
1389	richard	1158	`} # End of chilli ()`
1349	richard	1159
1	root	1160	`##################################################################`
1389	richard	1161	`## Fonction "dansguardian" ##`
1	root	1162	`## - Paramètrage du gestionnaire de contenu Dansguardian ##`
		1163	`##################################################################`
1389	richard	1164	`dansguardian ()`
1	root	1165	`{`
		1166	`mkdir /var/dansguardian`
		1167	`chown dansguardian /var/dansguardian`
1375	richard	1168	`$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service`
1391	richard	1169	`$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service`
497	richard	1170	`[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default`
1293	richard	1171	`# By default the filter is off`
497	richard	1172	`$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf`
1293	richard	1173	`# French deny HTML page`
497	richard	1174	`$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf`
1293	richard	1175	`# Listen only on LAN side`
497	richard	1176	`$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf`
1342	richard	1177	`# DG send its flow to HAVP`
		1178	`$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf`
1293	richard	1179	`# replace the default deny HTML page`
1	root	1180	`cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/`
		1181	`cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html`
1293	richard	1182	`# Don't log`
		1183	`$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf`
		1184	`# Run 10 daemons (20 in largest server)`
659	richard	1185	`$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf`
1	root	1186	`# on désactive par défaut le controle de contenu des pages html`
497	richard	1187	`$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf`
		1188	`cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default`
		1189	`$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)`
1	root	1190	`# on désactive par défaut le contrôle d'URL par expressions régulières`
497	richard	1191	`cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default`
		1192	`$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)`
1	root	1193	`# on désactive par défaut le contrôle de téléchargement de fichiers`
497	richard	1194	`[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default`
		1195	`$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf`
		1196	`[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default`
		1197	`[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default`
		1198	`touch $DIR_DG/lists/bannedextensionlist`
		1199	`touch $DIR_DG/lists/bannedmimetypelist`
		1200	`# 'Safesearch' regex actualisation`
498	richard	1201	`$SED "s?images?search?g" $DIR_DG/lists/urlregexplist`
497	richard	1202	`# empty LAN IP list that won't be WEB filtered`
		1203	`[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default`
		1204	`touch $DIR_DG/lists/exceptioniplist`
		1205	`# Keep a copy of URL & domain filter configuration files`
		1206	`[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default`
		1207	`[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default`
1389	richard	1208	`} # End of dansguardian ()`
1	root	1209
71	richard	1210	`##################################################################`
1221	richard	1211	`## Fonction "antivirus" ##`
1357	richard	1212	`## - configuration of havp, libclamav and freshclam ##`
71	richard	1213	`##################################################################`
		1214	`antivirus ()`
		1215	`{`
1358	richard	1216	`# create 'havp' user`
288	richard	1217	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1218	`if [ "$havp_exist" == "1" ]`
288	richard	1219	`then`
478	richard	1220	`userdel -r havp 2>/dev/null`
894	richard	1221	`groupdel havp 2>/dev/null`
288	richard	1222	`fi`
307	richard	1223	`groupadd -f havp`
796	richard	1224	`useradd -r -g havp -s /bin/false -c "system user for havp" havp`
1366	richard	1225	`mkdir -p /var/tmp/havp /var/log/havp /var/run/havp`
1484	richard	1226	`mkdir -p /var/tmp/havp2 /var/log/havp2 /var/run/havp2`
		1227	`chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp`
		1228	`chown -R havp:havp /var/tmp/havp2 /var/log/havp2 /var/run/havp2`
109	richard	1229	`[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default`
		1230	`$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config`
1484	richard	1231	`$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config # pidfile`
		1232	`$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode`
631	richard	1233	`$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback`
1484	richard	1234	`$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on 8090 (on loopback)`
990	franck	1235	`$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format`
631	richard	1236	`$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV`
		1237	`$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches`
659	richard	1238	`$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously`
835	richard	1239	`$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files`
		1240	`$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files`
1393	richard	1241	`cp /etc/havp/havp.config /etc/havp/havp2.config`
		1242	`$SED "s?^PIDFILE.*?PIDFILE /var/run/havp/havp2.pid?g" /etc/havp/havp2.config # pidfile`
		1243	`$SED "s?^TRANSPARENT.*?TRANSPARENT true?g" /etc/havp/havp2.config # transparent mode`
1484	richard	1244	`$SED "s?^BIND_ADDRESS.*?BIND_ADDRESS $PRIVATE_IP?g" /etc/havp/havp2.config # we listen only on tun0`
		1245	`$SED "s?^PORT.*?PORT 8090?g" /etc/havp/havp2.config # datas come on 8091`
1007	richard	1246	`# skip checking of youtube flow (too heavy load / risk too low)`
		1247	`[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default`
		1248	`echo "# Whitelist youtube flow" >> /etc/havp/whitelist`
		1249	`echo ".youtube.com/" >> /etc/havp/whitelist`
1358	richard	1250	`# replacement of init script`
335	richard	1251	`[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default`
481	franck	1252	`cp -f $DIR_CONF/havp-init /etc/init.d/havp`
1393	richard	1253	`cp /etc/init.d/havp /etc/init.d/havp2`
		1254	`$SED "s?^# description.*?# description: starts HAVP2 the High Availability Antivirus Proxy?g" /etc/init.d/havp2 # description`
		1255	`$SED "s?^HAVP_CONFIG.*?HAVP_CONFIG=/etc/havp/havp2.config?g" /etc/init.d/havp2 # config file`
1484	richard	1256	`$SED "s?^PIDFILE.*?PIDFILE=/var/run/havp2/havp.pid?g" /etc/init.d/havp2 # pidfile`
1393	richard	1257	`$SED "s?^NAME.*?NAME=havp2?g" /etc/init.d/havp2 # name`
		1258	`$SED "s?^DESC.*?DESC=havp2?g" /etc/init.d/havp2 # desc`
		1259	`$SED "s?^havp_mountpoint.*?havp_mountpoint=/var/tmp/havp2?g" /etc/init.d/havp2 # mountpoint`
		1260	`$SED "s?echo \"Reloading HAVP ...\".*?echo \"Reloading HAVP2 ...\"?g" /etc/init.d/havp2 # reloading havp`
		1261	`$SED "s?echo \"Error: HAVP not running\".*?echo \"Error : HAVP2 not running\"?g" /etc/init.d/havp2 # error havp`
		1262	`$SED "s?echo \"Error: HAVP not running or PIDFILE not readable\".*?echo \"Error : HAVP2 not running or PIDFILE not readable\"?g" /etc/init.d/havp2 # error havp`
		1263	`$SED "s?echo \"Error: HAVP not running or PIDFILE unreadable\".*?echo \"Error : HAVP2 not running or PIDFILE unreadable\"?g" /etc/init.d/havp2 # error havp`
		1264	`$SED "s?echo \"Shutting down HAVP ...\".*?echo \"Shutting down HAVP2 ...\"?g" /etc/init.d/havp2 # shutting down havp`
		1265	`$SED "s?status havp.*?status havp2?g" /etc/init.d/havp2 # status havp`
1358	richard	1266	`# replace of the intercept page (template)`
340	richard	1267	`cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html`
		1268	`cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html`
1358	richard	1269	`# update virus database every 4 hours (24h/6)`
1357	richard	1270	`[ -e /etc/freshclam.conf.default ] \|\| cp /etc/freshclam.conf /etc/freshclam.conf.default`
		1271	`$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf`
489	richard	1272	`$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf`
1357	richard	1273	`$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf`
1358	richard	1274	`$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf`
		1275	`$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf`
1385	richard	1276	`# update now`
1382	richard	1277	`/usr/bin/freshclam --no-warnings`
1389	richard	1278	`} # End of antivirus ()`
71	richard	1279
1	root	1280	`##################################################################################`
1389	richard	1281	`## function "ulogd" ##`
476	richard	1282	`## - Ulog config for multi-log files ##`
		1283	`##################################################################################`
1389	richard	1284	`ulogd ()`
476	richard	1285	`{`
		1286	`# Three instances of ulogd (three different logfiles)`
		1287	`[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall`
478	richard	1288	`nl=1`
1358	richard	1289	`for log_type in traceability ssh ext-access`
478	richard	1290	`do`
1365	richard	1291	`[ -e /lib/systemd/system/ulogd-$log_type.service ] \|\| cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service`
1369	richard	1292	`[ -e /var/log/firewall/$log_type.log ] \|\| echo "" > /var/log/firewall/$log_type.log`
1375	richard	1293	`cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf`
478	richard	1294	`$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf`
		1295	`cat << EOF >> /etc/ulogd-$log_type.conf`
1452	richard	1296	`[emu1]`
478	richard	1297	`file="/var/log/firewall/$log_type.log"`
		1298	`sync=1`
		1299	`EOF`
1452	richard	1300	`$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service`
478	richard	1301	nl=`expr $nl + 1`
		1302	`done`
476	richard	1303	`chown -R root:apache /var/log/firewall`
		1304	`chmod 750 /var/log/firewall`
		1305	`chmod 640 /var/log/firewall/*`
1389	richard	1306	`} # End of ulogd ()`
476	richard	1307
1159	crox53	1308
		1309	`##########################################################`
1389	richard	1310	`## Function "nfsen" ##`
1159	crox53	1311	`##########################################################`
1389	richard	1312	`nfsen()`
1	root	1313	`{`
1393	richard	1314	`tar xzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/`
1365	richard	1315	`# Add PortTracker plugin`
1395	richard	1316	`for i in /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins`
		1317	`do`
		1318	`[ ! -d $i ] && mkdir $i && chown -R apache:apache $i && echo "$i created" \|\| echo "$i already exists"`
		1319	`done`
1221	richard	1320	`cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/`
1365	richard	1321	`# use of our conf file and init unit`
1221	richard	1322	`cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/`
1365	richard	1323	`# Installation of nfsen`
1221	richard	1324	`DirTmp=$(pwd)`
		1325	`cd /tmp/nfsen-1.3.6p1/`
1365	richard	1326	`/usr/bin/perl5 install.pl etc/nfsen.conf`
		1327	`/usr/bin/perl5 install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"`
		1328	`# Create RRD DB for porttracker (only in it still doesn't exist)`
1221	richard	1329	`cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/`
		1330	`cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/`
1395	richard	1331	`if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi`
		1332	`chmod -R 770 /var/log/netflow/porttracker`
1365	richard	1333	`# Apache conf file`
1394	richard	1334	`cat << EOF > /etc/httpd/conf/conf.d/nfsen.conf`
1159	crox53	1335	`Alias /nfsen /var/www/nfsen`
		1336	`<Directory /var/www/nfsen/>`
		1337	`DirectoryIndex nfsen.php`
		1338	`Options -Indexes`
		1339	`AllowOverride all`
		1340	`order allow,deny`
		1341	`allow from all`
		1342	`AddType application/x-httpd-php .php`
		1343	`php_flag magic_quotes_gpc on`
		1344	`php_flag track_vars on`
1	root	1345	`</Directory>`
		1346	`EOF`
1372	richard	1347	`# nfsen unit for systemd`
		1348	`cat << EOF > /lib/systemd/system/nfsen.service`
		1349	`# This file is part of systemd.`
		1350	`#`
		1351	`# systemd is free software; you can redistribute it and/or modify it`
		1352	`# under the terms of the GNU General Public License as published by`
		1353	`# the Free Software Foundation; either version 2 of the License, or`
		1354	`# (at your option) any later version.`
		1355
		1356	`# This unit launches nfsen (a Netflow grapher).`
		1357	`[Unit]`
		1358	`Description= NfSen init script`
		1359	`After=network.target iptables.service`
		1360
		1361	`[Service]`
		1362	`Type=oneshot`
		1363	`RemainAfterExit=yes`
1393	richard	1364	`PIDFile=/var/run/nfsen/nfsen.pid`
		1365	`ExecStartPre=/bin/mkdir -p /var/run/nfsen`
		1366	`ExecStartPre=/bin/chown apache:apache /var/run/nfsen`
1372	richard	1367	`ExecStart=/usr/bin/nfsen start`
		1368	`ExecStop=/usr/bin/nfsen stop`
1393	richard	1369	`ExecReload=/usr/bin/nfsen restart`
1372	richard	1370	`TimeoutSec=0`
		1371
		1372	`[Install]`
		1373	`WantedBy=multi-user.target`
		1374	`EOF`
1365	richard	1375	`# Add the listen port to collect netflow packet (nfcapd)`
1393	richard	1376	`$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm`
1365	richard	1377	`# expire delay for the profile "live"`
1393	richard	1378	`systemctl start nfsen`
		1379	`/bin/nfsen -m live -e 62d 2>/dev/null`
1397	richard	1380	`# add SURFmap plugin`
1412	richard	1381	`tar xzf $DIR_CONF/nfsen/SURFmap_v3.3b1.tar.gz -C /tmp/`
1413	richard	1382	`cp $DIR_CONF/nfsen/install-surfmap.sh /tmp/SURFmap/install.sh`
1397	richard	1383	`cd /tmp/SURFmap`
		1384	`/usr/bin/sh install.sh`
1418	richard	1385
1365	richard	1386	`# clear the installation`
1221	richard	1387	`cd $DirTmp`
		1388	`rm -rf /tmp/nfsen-1.3.6p1/`
1397	richard	1389	`rm -rf /tmp/SURFmap/`
1389	richard	1390	`} # End of nfsen ()`
1	root	1391
1390	richard	1392	`##################################################`
1389	richard	1393	`## Function "dnsmasq" ##`
1390	richard	1394	`##################################################`
1389	richard	1395	`dnsmasq ()`
219	jeremy	1396	`{`
		1397	`[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq`
1356	richard	1398	`[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default`
1387	richard	1399	`$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance`
503	richard	1400	`[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default`
1472	richard	1401	`# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.`
503	richard	1402	`cat << EOF > /etc/dnsmasq.conf`
520	richard	1403	`# Configuration file for "dnsmasq in forward mode"`
1387	richard	1404	`conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions`
259	richard	1405	`listen-address=$PRIVATE_IP`
1390	richard	1406	`pid-file=/var/run/dnsmasq.pid`
259	richard	1407	`listen-address=127.0.0.1`
286	richard	1408	`no-dhcp-interface=$INTIF`
1387	richard	1409	`no-dhcp-interface=tun0`
		1410	`no-dhcp-interface=lo`
259	richard	1411	`bind-interfaces`
		1412	`cache-size=256`
		1413	`domain=$DOMAIN`
		1414	`domain-needed`
		1415	`expand-hosts`
		1416	`bogus-priv`
		1417	`filterwin2k`
		1418	`server=$DNS1`
		1419	`server=$DNS2`
1387	richard	1420	`# DHCP service is configured. It will be enabled in "bypass" mode`
865	richard	1421	`dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h`
632	richard	1422	`dhcp-option=option:router,$PRIVATE_IP`
1482	richard	1423	`dhcp-option=option:ntp-server,$PRIVATE_IP`
259	richard	1424
1387	richard	1425	`# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>`
420	franck	1426	`#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m`
259	richard	1427	`EOF`
1356	richard	1428	`# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")`
		1429	`cat << EOF > /etc/dnsmasq-blacklist.conf`
1390	richard	1430	`# Configuration file for "dnsmasq with blacklist"`
1387	richard	1431	`# Add Toulouse blacklist domains`
1472	richard	1432	`conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions`
1015	richard	1433	`conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled`
1390	richard	1434	`pid-file=/var/run/dnsmasq-blacklist.pid`
498	richard	1435	`listen-address=$PRIVATE_IP`
		1436	`port=54`
		1437	`no-dhcp-interface=$INTIF`
1387	richard	1438	`no-dhcp-interface=tun0`
1472	richard	1439	`no-dhcp-interface=lo`
498	richard	1440	`bind-interfaces`
		1441	`cache-size=256`
		1442	`domain=$DOMAIN`
		1443	`domain-needed`
		1444	`expand-hosts`
		1445	`bogus-priv`
		1446	`filterwin2k`
		1447	`server=$DNS1`
		1448	`server=$DNS2`
		1449	`EOF`
1379	richard	1450	`# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")`
1357	richard	1451	`cat << EOF > /etc/dnsmasq-whitelist.conf`
1390	richard	1452	`# Configuration file for "dnsmasq with whitelist"`
1356	richard	1453	`# Inclusion de la whitelist <domains> de Toulouse dans la configuration`
1472	richard	1454	`conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions`
1356	richard	1455	`conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled`
1472	richard	1456	`pid-file=/var/run/dnsmasq-whitelist.pid`
1356	richard	1457	`listen-address=$PRIVATE_IP`
		1458	`port=55`
		1459	`no-dhcp-interface=$INTIF`
1387	richard	1460	`no-dhcp-interface=tun0`
1472	richard	1461	`no-dhcp-interface=lo`
1356	richard	1462	`bind-interfaces`
		1463	`cache-size=256`
		1464	`domain=$DOMAIN`
		1465	`domain-needed`
		1466	`expand-hosts`
		1467	`bogus-priv`
		1468	`filterwin2k`
1472	richard	1469	`address=/#/$PRIVATE_IP # for Domain name without local resolution (WL)`
		1470	`ipset=/#/whitelist_ip_allowed # dynamicly add the resolv IP address in the Firewall rules`
1356	richard	1471	`EOF`
1472	richard	1472	`# 4th dnsmasq listen on udp 56 ("blackhole")`
		1473	`cat << EOF > /etc/dnsmasq-blackhole.conf`
		1474	`# Configuration file for "dnsmasq as a blackhole"`
		1475	`conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions`
		1476	`address=/#/$PRIVATE_IP # redirect all on ALCASAR IP address`
		1477	`pid-file=/var/run/dnsmasq-blackhole.pid`
		1478	`listen-address=$PRIVATE_IP`
		1479	`port=56`
		1480	`no-dhcp-interface=$INTIF`
		1481	`no-dhcp-interface=tun0`
		1482	`no-dhcp-interface=lo`
		1483	`bind-interfaces`
		1484	`cache-size=256`
		1485	`domain=$DOMAIN`
		1486	`domain-needed`
		1487	`expand-hosts`
		1488	`bogus-priv`
		1489	`filterwin2k`
		1490	`EOF`
		1491
1372	richard	1492	`# Start after chilli (which create tun0)`
		1493	`$SED "s?^After=.*?After=syslog.target network.target chilli.service?g" /lib/systemd/system/dnsmasq.service`
1474	richard	1494	`# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit`
		1495	`for list in blacklist whitelist blackhole`
		1496	`do`
		1497	`cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service`
		1498	`$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service`
		1499	`$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service`
		1500	`done`
308	richard	1501	`} # End dnsmasq`
		1502
		1503	`##########################################################`
1221	richard	1504	`## Fonction "BL" ##`
308	richard	1505	`##########################################################`
		1506	`BL ()`
		1507	`{`
1386	richard	1508	`# modify iptables boot file to start alcasar-iptables.sh when the system is booting`
		1509	`[ -e /lib/systemd/system/iptables.service.default ] \|\| cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default`
		1510	`$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service`
1384	richard	1511	`# copy and extract toulouse BL`
648	richard	1512	`rm -rf $DIR_DG/lists/blacklists`
		1513	`tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1`
1383	richard	1514	`# creation of the OSSI BL and WL categories (domain name and url)`
878	richard	1515	`mkdir $DIR_DG/lists/blacklists/ossi`
1041	richard	1516	`touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl`
		1517	`touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl`
1384	richard	1518	`chown -R dansguardian:apache $DIR_DG $DIR_DEST_SHARE`
		1519	`chmod -R g+rw $DIR_DG $DIR_DEST_SHARE`
1383	richard	1520	`# creation of file for the rehabilited domains and urls`
648	richard	1521	`[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default`
673	richard	1522	`[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default`
648	richard	1523	`touch $DIR_DG/lists/exceptionsitelist`
		1524	`touch $DIR_DG/lists/exceptionurllist`
311	richard	1525	`# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian`
648	richard	1526	`cat <<EOF > $DIR_DG/lists/bannedurllist`
311	richard	1527	`# Dansguardian filter config for ALCASAR`
		1528	`EOF`
648	richard	1529	`cat <<EOF > $DIR_DG/lists/bannedsitelist`
311	richard	1530	`# Dansguardian domain filter config for ALCASAR`
		1531	`# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)`
		1532	`#**`
		1533	`# block all SSL and CONNECT tunnels`
		1534	`**s`
		1535	`# block all SSL and CONNECT tunnels specified only as an IP`
		1536	`*ips`
		1537	`# block all sites specified only by an IP`
		1538	`*ip`
		1539	`EOF`
1000	richard	1540	`# Add Bing and Youtube to the safesearch url regext list (parental control)`
878	richard	1541	`cat <<EOF >> $DIR_DG/lists/urlregexplist`
		1542	`# Bing - add 'adlt=strict'`
		1543	`#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"`
		1544	`# Youtube - add 'edufilter=your_ID'`
885	richard	1545	`#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"`
878	richard	1546	`EOF`
1000	richard	1547	`# change the the google safesearch ("safe=strict" instead of "safe=vss")`
1003	richard	1548	`$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist`
1370	richard	1549	`# adapt the BL to ALCASAR architecture. Enable the default categories`
654	richard	1550	`if [ "$mode" != "update" ]; then`
		1551	`$DIR_DEST_SBIN/alcasar-bl.sh --adapt`
1370	richard	1552	`$DIR_DEST_SBIN/alcasar-bl.sh --cat_choice`
1387	richard	1553	`# !!! we can be banned by DNS server (waiting for a cool solution $DIR_DEST_SBIN/alcasar-bl.sh --ip_retrieving`
654	richard	1554	`fi`
308	richard	1555	`}`
219	jeremy	1556
1	root	1557	`##########################################################`
1221	richard	1558	`## Fonction "cron" ##`
1	root	1559	`## - Mise en place des différents fichiers de cron ##`
		1560	`##########################################################`
		1561	`cron ()`
		1562	`{`
		1563	`# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00`
		1564	`[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default`
		1565	`cat <<EOF > /etc/crontab`
		1566	`SHELL=/bin/bash`
		1567	`PATH=/sbin:/bin:/usr/sbin:/usr/bin`
		1568	`MAILTO=root`
		1569	`HOME=/`
		1570
		1571	`# run-parts`
		1572	`01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly`
		1573	`02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily`
		1574	`22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly`
		1575	`42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly`
		1576	`EOF`
		1577	`[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default`
		1578	`cat <<EOF >> /etc/anacrontab`
667	franck	1579	`7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql`
1380	richard	1580	`7 10 cron.logExport nice /etc/cron.d/alcasar-archive`
667	franck	1581	`7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import`
1	root	1582	`EOF`
1247	crox53	1583
811	richard	1584	`cat <<EOF > /etc/cron.d/alcasar-mysql`
868	richard	1585	`# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)`
955	richard	1586	`45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump`
905	franck	1587	`# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours`
917	franck	1588	`40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null`
1	root	1589	`EOF`
952	franck	1590	`cat <<EOF > /etc/cron.d/alcasar-archive`
		1591	`# Archive des logs et de la base de données (tous les lundi à 5h35)`
		1592	`35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now`
		1593	`EOF`
667	franck	1594	`cat << EOF > /etc/cron.d/alcasar-clean_import`
713	franck	1595	`# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h`
503	richard	1596	`30 * * * * root $DIR_DEST_BIN/alcasar-import-clean.sh`
168	franck	1597	`EOF`
722	franck	1598	`cat << EOF > /etc/cron.d/alcasar-distrib-updates`
		1599	`# mise à jour automatique de la distribution tous les jours 3h30`
762	franck	1600	`30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1`
722	franck	1601	`EOF`
1247	crox53	1602	`#cat << EOF > /etc/cron.d/alcasar-netflow`
1159	crox53	1603	`# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)`
1247	crox53	1604	`#15 0 * * 1 root $DIR_DEST_BIN/alcasar-netflow.sh`
		1605	`#EOF`
1159	crox53	1606
1	root	1607	`# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).`
		1608	`# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).`
		1609	`# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')`
		1610	`# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')`
		1611	`# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)`
		1612	`# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)`
		1613	`$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct`
		1614	`$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct`
		1615	`rm -f /etc/cron.daily/freeradius-web`
		1616	`rm -f /etc/cron.monthly/freeradius-web`
		1617	`cat << EOF > /etc/cron.d/freeradius-web`
		1618	`1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1`
		1619	`5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1`
		1620	`10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1`
		1621	`15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1`
		1622	`EOF`
671	franck	1623	`cat << EOF > /etc/cron.d/alcasar-watchdog`
713	franck	1624	`# activation du "chien de garde" (watchdog) toutes les 3'`
1	root	1625	`/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1`
		1626	`EOF`
808	franck	1627	`# activation du "chien de garde des services" (watchdog) toutes les 18'`
		1628	`cat << EOF > /etc/cron.d/alcasar-daemon-watchdog`
		1629	`# activation du "chien de garde" (daemon-watchdog) toutes les 18'`
		1630	`/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1`
		1631	`EOF`
522	richard	1632	`# suppression des crons usagers`
		1633	`rm -f /var/spool/cron/*`
1	root	1634	`} # End cron`
		1635
		1636	`##################################################################`
1221	richard	1637	`## Fonction "Fail2Ban" ##`
1163	crox53	1638	`##- Modification de la configuration de fail2ban ##`
		1639	`##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ##`
		1640	`##################################################################`
		1641	`fail2ban()`
		1642	`{`
1191	crox53	1643	`$DIR_CONF/fail2ban.sh`
1474	richard	1644	`# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp`
1192	crox53	1645	`[ -e /var/log/fail2ban.log ] \|\| touch /var/log/fail2ban.log`
		1646	`[ -e /var/Save/logs/security/watchdog.log ] \|\| touch /var/Save/logs/security/watchdog.log`
1165	crox53	1647	`chmod 644 /var/log/fail2ban.log`
1192	crox53	1648	`chmod 644 /var/Save/logs/security/watchdog.log`
1418	richard	1649	`/usr/bin/touch /var/log/auth.log`
		1650
1411	richard	1651
		1652	`# Edition de l'unité fail2ban`
1418	richard	1653	`[ -e /usr/lib/systemd/system/fail2ban.service ] && cp /usr/lib/systemd/system/fail2ban.service /usr/lib/systemd/system/fail2ban.service.default`
1411	richard	1654	`$SED '/Type/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service`
1418	richard	1655	`$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service`
1411	richard	1656
		1657
1163	crox53	1658	`} #Fin de fail2ban_install()`
		1659
		1660	`##################################################################`
1376	richard	1661	`## Fonction "gammu_smsd" ##`
		1662	`## - Creation de la base de donnée Gammu ##`
		1663	`## - Creation du fichier de config: gammu_smsd_conf ##`
		1664	`## ##`
		1665	`##################################################################`
		1666	`gammu_smsd()`
		1667	`{`
		1668	`# Create 'gammu' databse`
		1669	`MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"`
		1670	`$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"`
		1671	`# Add a gammu database structure`
		1672	`mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/gammu-smsd-db-vierge.sql`
		1673
		1674	`# config file for the daemon`
		1675	`cat << EOF > /etc/gammu_smsd_conf`
		1676	`[gammu]`
		1677	`port = /dev/ttyUSB0`
		1678	`connection = at115200`
		1679
		1680	`;########################################################`
		1681
		1682	`[smsd]`
		1683
		1684	`PIN = 1234`
		1685
		1686	`logfile = /var/log/gammu-smsd/gammu-smsd.log`
		1687	`logformat = textall`
		1688	`debuglevel = 0`
		1689
		1690	`service = sql`
		1691	`driver = native_mysql`
		1692	`user = $DB_USER`
		1693	`password = $radiuspwd`
		1694	`pc = localhost`
		1695	`database = $DB_GAMMU`
		1696
		1697	`RunOnReceive = /usr/local/bin/alcasar-sms.sh --new_sms`
		1698
		1699	`StatusFrequency = 30`
1380	richard	1700	`;LoopSleep = 2`
1376	richard	1701
		1702	`;ResetFrequency = 300`
		1703	`;HardResetFrequency = 120`
		1704
		1705	`CheckSecurity = 1`
		1706	`CheckSignal = 1`
		1707	`CheckBattery = 0`
		1708	`EOF`
		1709
		1710	`chmod 755 /etc/gammu_smsd_conf`
		1711
		1712	`#Creation dossier de log Gammu-smsd`
1382	richard	1713	`[ -e /var/log/gammu-smsd ] \|\| mkdir /var/log/gammu-smsd`
1376	richard	1714	`chmod 755 /var/log/gammu-smsd`
		1715
		1716	`#Edition du script sql gammu <-> radius`
1452	richard	1717	`$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh`
		1718	`$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh`
1376	richard	1719
1380	richard	1720	`#Création de la règle udev pour les Huawei // idVendor: 12d1`
		1721	`cat << EOF > /etc/udev/rules.d/66-huawei.rules`
		1722	`KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="/usr/local/bin/alcasar-sms.sh --mode"`
		1723	`EOF`
		1724
1376	richard	1725	`} # END gammu_smsd()`
		1726
		1727	`##################################################################`
1221	richard	1728	`## Fonction "post_install" ##`
1	root	1729	`## - Modification des bannières (locales et ssh) et des prompts ##`
		1730	`## - Installation de la structure de chiffrement pour root ##`
		1731	`## - Mise en place du sudoers et de la sécurité sur les fichiers##`
		1732	`## - Mise en place du la rotation des logs ##`
5	franck	1733	`## - Configuration dans le cas d'une mise à jour ##`
1	root	1734	`##################################################################`
		1735	`post_install()`
		1736	`{`
		1737	`# création de la bannière locale`
1007	richard	1738	`[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default`
		1739	`cp -f $DIR_CONF/banner /etc/mageia-release`
		1740	`echo " V$VERSION" >> /etc/mageia-release`
1	root	1741	`# création de la bannière SSH`
1007	richard	1742	`cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh`
5	franck	1743	`chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh`
1	root	1744	`[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default`
		1745	`$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config`
		1746	`$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config`
793	richard	1747	`# postfix banner anonymisation`
		1748	`$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf`
604	richard	1749	`# sshd écoute côté LAN et WAN`
1	root	1750	`$SED "s?^#ListenAddress 0\.0\.0\.0?ListenAddress $PRIVATE_IP?g" /etc/ssh/sshd_config`
604	richard	1751	`$SED "/^ListenAddress $PRIVATE_IP/a\ListenAddress $PUBLIC_IP" /etc/ssh/sshd_config`
860	richard	1752	`# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)`
628	richard	1753	`echo "SSH=off" >> $CONF_FILE`
1063	richard	1754	`echo 'SSH_ADMIN_FROM=0.0.0.0/0.0.0.0' >> $CONF_FILE`
628	richard	1755	`echo "QOS=off" >> $CONF_FILE`
		1756	`echo "LDAP=off" >> $CONF_FILE`
786	richard	1757	`echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE`
885	richard	1758	`echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE`
1078	franck	1759	`echo "MULTIWAN=off" >> $CONF_FILE`
		1760	`echo "FAILOVER=30" >> $CONF_FILE`
		1761	`echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE`
1336	richard	1762	`echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE`
		1763	`echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE`
1	root	1764	`# Coloration des prompts`
		1765	`[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default`
5	franck	1766	`cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc`
630	franck	1767	`$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc`
1	root	1768	`# Droits d'exécution pour utilisateur apache et sysadmin`
		1769	`[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default`
5	franck	1770	`cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers`
629	richard	1771	`$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers`
1342	richard	1772	`# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, radiusd, ulogd)`
1	root	1773	`cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/`
		1774	`chmod 644 /etc/logrotate.d/*`
714	franck	1775	`# rectification sur versions précédentes de la compression des logs`
706	franck	1776	`$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf`
		1777	`# actualisation des fichiers logs compressés`
1342	richard	1778	`for dir in firewall dansguardian httpd`
706	franck	1779	`do`
714	franck	1780	`find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;`
706	franck	1781	`done`
1221	richard	1782	`# create the alcasar-load_balancing unit`
		1783	`cat << EOF > /lib/systemd/system/alcasar-load_balancing.service`
1184	crox53	1784	`# This file is part of systemd.`
		1785	`#`
		1786	`# systemd is free software; you can redistribute it and/or modify it`
		1787	`# under the terms of the GNU General Public License as published by`
		1788	`# the Free Software Foundation; either version 2 of the License, or`
		1789	`# (at your option) any later version.`
		1790
		1791	`# This unit lauches alcasar-load-balancing.sh script.`
		1792	`[Unit]`
		1793	`Description=alcasar-load_balancing.sh execution`
		1794	`After=network.target iptables.service`
		1795
		1796	`[Service]`
		1797	`Type=oneshot`
		1798	`RemainAfterExit=yes`
		1799	`ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start`
		1800	`ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop`
		1801	`TimeoutSec=0`
		1802	`SysVStartPriority=99`
		1803
		1804	`[Install]`
		1805	`WantedBy=multi-user.target`
1157	stephane	1806	`EOF`
1221	richard	1807	`# processes launched at boot time (SYSV)`
1371	richard	1808	`for i in havp`
1221	richard	1809	`do`
		1810	`/sbin/chkconfig --add $i`
		1811	`done`
		1812	`# processes launched at boot time (Systemctl)`
1472	richard	1813	`for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban`
1221	richard	1814	`do`
1389	richard	1815	`systemctl -q enable $i.service`
1221	richard	1816	`done`
1452	richard	1817
		1818	`# disable processes at boot time (Systemctl)`
		1819	`for i in ulogd`
		1820	`do`
		1821	`systemctl -q disable $i.service`
		1822	`done`
		1823
1221	richard	1824	`# Apply French Security Agency (ANSSI) rules`
1362	richard	1825	`# ignore ICMP broadcast (smurf attack)`
		1826	`echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf`
		1827	`# ignore ICMP errors bogus`
		1828	`echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf`
		1829	`# remove ICMP redirects responces`
		1830	`echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf`
		1831	`echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf`
		1832	`# enable SYN Cookies (Syn flood attacks)`
		1833	`echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf`
		1834	`# enable kernel antispoofing`
		1835	`echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf`
		1836	`# ignore source routing`
		1837	`echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf`
		1838	`# set conntrack timer to 1h (3600s) instead of 5 weeks`
		1839	`echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf`
1157	stephane	1840	`# disable log_martians (ALCASAR is often installed between two private network addresses)`
1363	richard	1841	`echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf`
1362	richard	1842	`# remove Magic SysReq Keys`
1363	richard	1843	`[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf`
1003	richard	1844	`# switch to multi-users runlevel (instead of x11)`
1221	richard	1845	`ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target`
1005	richard	1846	`# GRUB modifications`
		1847	`# limit wait time to 3s`
		1848	`# create an alcasar entry instead of linux-nonfb`
		1849	`# change display to 1024*768 (vga791)`
1221	richard	1850	`$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst`
		1851	`$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst`
		1852	`$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst`
		1853	`$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst`
		1854	`$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst`
		1855	`$SED "/^gfxmenu/d" /boot/grub/menu.lst`
1003	richard	1856	`# Remove unused services and users`
1378	richard	1857	`for svc in sshd.service`
1221	richard	1858	`do`
1362	richard	1859	`/bin/systemctl -q disable $svc`
1221	richard	1860	`done`
		1861	`# Load and apply the previous conf file`
		1862	`if [ "$mode" = "update" ]`
532	richard	1863	`then`
1266	richard	1864	`$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs`
1221	richard	1865	`$DIR_DEST_BIN/alcasar-conf.sh --load`
		1866	PARENT_SCRIPT=`basename $0`
		1867	`export PARENT_SCRIPT # to avoid stop&start process during the installation process`
		1868	`$DIR_DEST_BIN/alcasar-conf.sh --apply`
		1869	`$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE`
		1870	`$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE`
1269	richard	1871	`if [ $MAJ_PREVIOUS_VERSION -lt 2 ] \|\| ([ $MAJ_PREVIOUS_VERSION -eq 2 ] && [ $MIN_PREVIOUS_VERSION -lt 8 ])`
		1872	`# update needed for versions previous then 2.8 due to the integration of the domainname ("localdomain" by default)`
		1873	`then`
		1874	`header_install`
		1875	`if [ $Lang == "fr" ]`
		1876	`then`
		1877	`echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"`
		1878	`echo`
		1879	`echo -n "Nom : "`
		1880	`else`
		1881	`echo "This update need to redefine the first admin account"`
		1882	`echo`
		1883	`echo -n "Account : "`
		1884	`fi`
		1885	`read admin_portal`
		1886	`[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest`
		1887	`mkdir -p $DIR_DEST_ETC/digest`
		1888	`chmod 755 $DIR_DEST_ETC/digest`
		1889	`until [ -s $DIR_DEST_ETC/digest/key_admin ]`
		1890	`do`
1350	richard	1891	`/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal`
1269	richard	1892	`done`
		1893	`$DIR_DEST_SBIN/alcasar-profil.sh --list`
		1894	`fi`
532	richard	1895	`fi`
1221	richard	1896	`rm -f /tmp/alcasar-conf*`
		1897	`chown -R root:apache $DIR_DEST_ETC/*`
		1898	`chmod -R 660 $DIR_DEST_ETC/*`
		1899	`chmod ug+x $DIR_DEST_ETC/digest`
1045	franck	1900	`# Apply and save the firewall rules`
		1901	`sh $DIR_DEST_BIN/alcasar-iptables.sh`
		1902	`sleep 2`
1	root	1903	`cd $DIR_INSTALL`
5	franck	1904	`echo ""`
1	root	1905	`echo "#############################################################################"`
638	richard	1906	`if [ $Lang == "fr" ]`
		1907	`then`
		1908	`echo "# Fin d'installation d'ALCASAR #"`
		1909	`echo "# #"`
		1910	`echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"`
		1911	`echo "# des Accès au Réseau ( ALCASAR ) #"`
		1912	`echo "# #"`
		1913	`echo "#############################################################################"`
		1914	`echo`
		1915	`echo "- ALCASAR sera fonctionnel après redémarrage du système"`
		1916	`echo`
		1917	`echo "- Lisez attentivement la documentation d'exploitation"`
		1918	`echo`
		1919	`echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"`
		1920	`echo`
		1921	`echo " Appuyez sur 'Entrée' pour continuer"`
		1922	`else`
		1923	`echo "# Enf of ALCASAR install process #"`
		1924	`echo "# #"`
		1925	`echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"`
		1926	`echo "# des Accès au Réseau ( ALCASAR ) #"`
		1927	`echo "# #"`
		1928	`echo "#############################################################################"`
		1929	`echo`
		1930	`echo "- The system will be rebooted in order to operate ALCASAR"`
		1931	`echo`
		1932	`echo "- Read the exploitation documentation"`
		1933	`echo`
		1934	`echo "- The ALCASAR Control Center (ACC) is at http://alcasar"`
		1935	`echo`
		1936	`echo " Hit 'Enter' to continue"`
		1937	`fi`
815	richard	1938	`sleep 2`
		1939	`if [ "$mode" != "update" ]`
820	richard	1940	`then`
815	richard	1941	`read a`
		1942	`fi`
774	richard	1943	`clear`
1	root	1944	`reboot`
		1945	`} # End post_install ()`
		1946
		1947	`#################################`
1005	richard	1948	`# Main Install loop #`
1	root	1949	`#################################`
832	richard	1950	dir_exec=`dirname "$0"`
		1951	`if [ $dir_exec != "." ]`
		1952	`then`
		1953	`echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"`
		1954	`echo "Launch this program from the ALCASAR archive directory"`
		1955	`exit 0`
		1956	`fi`
		1957	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	1958	`usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"`
1	root	1959	`nb_args=$#`
		1960	`args=$1`
		1961	`if [ $nb_args -eq 0 ]`
		1962	`then`
		1963	`nb_args=1`
		1964	`args="-h"`
		1965	`fi`
1062	richard	1966	`chmod -R u+x $DIR_SCRIPTS/*`
1	root	1967	`case $args in`
		1968	`-\? \| -h* \| --h*)`
		1969	`echo "$usage"`
		1970	`exit 0`
		1971	`;;`
291	franck	1972	`-i \| --install)`
959	franck	1973	`license`
5	franck	1974	`header_install`
29	richard	1975	`testing`
595	richard	1976	`# RPMs install`
		1977	`$DIR_SCRIPTS/alcasar-urpmi.sh`
		1978	`if [ "$?" != "0" ]`
1	root	1979	`then`
595	richard	1980	`exit 0`
		1981	`fi`
1249	richard	1982	`if [ -e $CONF_FILE ]`
595	richard	1983	`then`
597	richard	1984	`# Uninstall the running version`
532	richard	1985	`$DIR_SCRIPTS/sbin/alcasar-uninstall.sh`
595	richard	1986	`fi`
636	richard	1987	`# Test if manual update`
1362	richard	1988	`if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]`
595	richard	1989	`then`
636	richard	1990	`header_install`
595	richard	1991	`if [ $Lang == "fr" ]`
636	richard	1992	`then echo "Le fichier de configuration d'une ancienne version a été trouvé";`
		1993	`else echo "The configuration file of an old version has been found";`
595	richard	1994	`fi`
597	richard	1995	`response=0`
		1996	`PTN='^[oOnNyY]$'`
		1997	`until [[ $(expr $response : $PTN) -gt 0 ]]`
		1998	`do`
		1999	`if [ $Lang == "fr" ]`
		2000	`then echo -n "Voulez-vous l'utiliser (O/n)? ";`
		2001	`else echo -n "Do you want to use it (Y/n)?";`
		2002	`fi`
		2003	`read response`
		2004	`if [ "$response" = "n" ] \|\| [ "$response" = "N" ]`
		2005	`then rm -f /tmp/alcasar-conf*`
		2006	`fi`
		2007	`done`
		2008	`fi`
636	richard	2009	`# Test if update`
1057	richard	2010	`if [ -e /tmp/alcasar-conf* ]`
597	richard	2011	`then`
		2012	`if [ $Lang == "fr" ]`
		2013	`then echo "#### Installation avec mise à jour ####";`
		2014	`else echo "#### Installation with update ####";`
		2015	`fi`
636	richard	2016	`# Extract the central configuration file`
1057	richard	2017	`tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf`
637	richard	2018	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	2019	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		2020	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		2021	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		2022	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	2023	`mode="update"`
1	root	2024	`fi`
1389	richard	2025	`for func in init network ACC CA init_db radius radius_web chilli dansguardian antivirus ulogd nfsen dnsmasq BL cron fail2ban gammu_smsd post_install`
5	franck	2026	`do`
		2027	`$func`
1362	richard	2028	`# echo "* 'debug' : end of function $func *"; read a`
14	richard	2029	`done`
5	franck	2030	`;;`
291	franck	2031	`-u \| --uninstall)`
5	franck	2032	`if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]`
1	root	2033	`then`
597	richard	2034	`if [ $Lang == "fr" ]`
		2035	`then echo "ALCASAR n'est pas installé!";`
		2036	`else echo "ALCASAR isn't installed!";`
		2037	`fi`
1	root	2038	`exit 0`
		2039	`fi`
5	franck	2040	`response=0`
		2041	`PTN='^[oOnN]$'`
580	richard	2042	`until [[ $(expr $response : $PTN) -gt 0 ]]`
5	franck	2043	`do`
597	richard	2044	`if [ $Lang == "fr" ]`
		2045	`then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";`
854	richard	2046	`else echo -n "Do you want to create the running version configuration file (Y/n)? ";`
597	richard	2047	`fi`
5	franck	2048	`read response`
		2049	`done`
1103	richard	2050	`if [ "$response" = "o" ] \|\| [ "$response" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]`
1	root	2051	`then`
1103	richard	2052	`$DIR_SCRIPTS/alcasar-conf.sh --create`
498	richard	2053	`else`
		2054	`rm -f /tmp/alcasar-conf*`
1	root	2055	`fi`
597	richard	2056	`# Uninstall the running version`
65	richard	2057	`$DIR_SCRIPTS/sbin/alcasar-uninstall.sh`
1	root	2058	`;;`
		2059	`*)`
		2060	`echo "Argument inconnu :$1";`
460	richard	2061	`echo "Unknown argument :$1";`
1	root	2062	`echo "$usage"`
		2063	`exit 1`
		2064	`;;`
		2065	`esac`
10	franck	2066	`# end of script`
366	franck	2067

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1484