WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
57	franck	2	# $Id: alcasar.sh 1499 2014-11-26 23:13:07Z richard $
1	root	3
		4	# alcasar.sh
959	franck	5
1157	stephane	6	# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
		7	# Ce programme est un logiciel libre ; This software is free and open source
959	franck	8	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		9	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		10	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		11	# Voir la Licence Publique Générale GNU pour plus de détails.
		12
967	franck	13	# team@alcasar.net
959	franck	14
1	root	15	# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
		16	# This script is distributed under the Gnu General Public License (GPL)
		17
672	richard	18	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	19	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	20	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
1007	richard	21	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
672	richard	22	#
1342	richard	23	# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav, Ulog, fail2ban, NFsen and NFdump
1	root	24
		25	# Options :
376	franck	26	# -i or --install
		27	# -u or --uninstall
1	root	28
376	franck	29	# Functions :
1378	richard	30	# testing : connectivity tests, free space test and mageia version test
1221	richard	31	# init : Installation of RPM and scripts
		32	# network : Network parameters
		33	# ACC : ALCASAR Control Center installation
		34	# CA : Certification Authority initialization
		35	# init_db : Initilization of radius database managed with MariaDB
1389	richard	36	# radius : FreeRadius initialisation
		37	# radius_web : copy ans modifiy original "freeradius web" in ACC
		38	# chilli : coovachilli initialisation (+authentication page)
		39	# dansguardian : DansGuardian filtering HTTP proxy configuration
1221	richard	40	# antivirus : HAVP + libclamav configuration
1485	richard	41	# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus"
1389	richard	42	# ulogd : log system in userland (match NFLOG target of iptables)
		43	# nfsen : : Configuration du grapheur nfsen pour apache
1253	richard	44	# dnsmasq : Name server configuration
		45	# BL : BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
1266	richard	46	# cron : Logs export + watchdog + connexion statistics
1389	richard	47	# fail2ban : Fail2ban IDS installation and configuration
		48	# gammu_smsd : Autoregister addon via SMS (gammu-smsd)
1266	richard	49	# post_install : Security, log rotation, etc.
1	root	50
		51	DATE=`date '+%d %B %Y - %Hh%M'`
		52	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	53	Lang=`echo $LANG\|cut -c 1-2`
1362	richard	54	mode="install"
1	root	55	# ***** Files parameters - paramètres fichiers *******
1015	richard	56	DIR_INSTALL=`pwd` # current directory
		57	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		58	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
		59	DIR_SAVE="/var/Save" # backup directory (system_backup, user_db_backup, logs)
		60	DIR_WEB="/var/www/html" # directory of APACHE
		61	DIR_DG="/etc/dansguardian" # directory of DansGuardian
		62	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
		63	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		64	DIR_DEST_SBIN="/usr/local/sbin" # directory of ALCASAR admin scripts
		65	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
		66	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
		67	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
		68	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	69	# ***** DBMS parameters - paramètres SGBD ******
1243	richard	70	DB_RADIUS="radius" # database name used by FreeRadius server
		71	DB_USER="radius" # user name allows to request the users database
1349	richard	72	DB_GAMMU="gammu" # database name used by Gammu-smsd
1	root	73	# ***** Network parameters - paramètres réseau *****
1469	richard	74	HOSTNAME="alcasar" # default hostname
1243	richard	75	DOMAIN="localdomain" # default local domain
1471	richard	76	EXTIF=`/sbin/ip route\|grep default\|cut -d" " -f5` # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
1336	richard	77	INTIF=`/sbin/ip link\|grep '^[[:digit:]]:'\|grep -v "lo\\|$EXTIF"\|cut -d" " -f2\|tr -d ":"` # INTIF is connected to the consultation network
1148	crox53	78	MTU="1500"
1243	richard	79	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
1	root	80	# **** Paths - chemin des commandes *****
		81	SED="/bin/sed -i"
		82	# **************** End of global parameters *******************
		83
959	franck	84	license ()
		85	{
		86	if [ $Lang == "fr" ]
967	franck	87	then cat $DIR_INSTALL/gpl-3.0.fr.txt \| more
		88	else cat $DIR_INSTALL/gpl-3.0.txt \| more
959	franck	89	fi
975	franck	90	echo "Taper sur Entrée pour continuer !"
		91	echo "Enter to continue."
959	franck	92	read a
		93	}
		94
1	root	95	header_install ()
		96	{
		97	clear
		98	echo "-----------------------------------------------------------------------------"
460	richard	99	echo " ALCASAR V$VERSION Installation"
1	root	100	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		101	echo "-----------------------------------------------------------------------------"
1389	richard	102	}
1	root	103
		104	##################################################################
1221	richard	105	## Function "testing" ##
1378	richard	106	## - Test of Mageia version ##
1342	richard	107	## - Test of free space on /var (>10G) ##
1005	richard	108	## - Test of Internet access ##
29	richard	109	##################################################################
		110	testing ()
		111	{
1362	richard	112	# Test if ALCASAR is already installed
		113	if [ -e $CONF_FILE ]
		114	then
		115	current_version=`cat $CONF_FILE \| grep VERSION \| cut -d"=" -f2`
1342	richard	116	if [ $Lang == "fr" ]
1362	richard	117	then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
		118	else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
1342	richard	119	fi
1362	richard	120	response=0
		121	PTN='^[oOnNyY]$'
		122	until [[ $(expr $response : $PTN) -gt 0 ]]
		123	do
		124	if [ $Lang == "fr" ]
		125	then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
		126	else echo -n "Do you want to update (Y/n)?";
		127	fi
		128	read response
		129	done
		130	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		131	then
		132	rm -f /tmp/alcasar-conf*
		133	else
1471	richard	134	# Create a backup of running importants files
1362	richard	135	$DIR_SCRIPTS/alcasar-conf.sh --create
		136	mode="update"
		137	fi
		138	else
1365	richard	139	if [ ! -d /var/log/netflow/porttracker ]
		140	then
1378	richard	141	# Test of free space on /var
1365	richard	142	free_space=`df -BG --output=avail /var\|tail -1\|tr -d [:space:]G`
		143	if [ $free_space -lt 10 ]
		144	then
		145	if [ $Lang == "fr" ]
		146	then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
		147	else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
		148	fi
		149	exit 0
1362	richard	150	fi
1378	richard	151	fi
		152	# Test of Mageia version
		153	# extract the current Mageia version and hardware architecture (i586 ou X64)
		154	fic=`cat /etc/product.id`
		155	unknown_os=0
		156	old="$IFS"
		157	IFS=","
		158	set $fic
		159	for i in $*
		160	do
		161	if [ "`echo $i\|grep distribution\|cut -d'=' -f1`" == "distribution" ]
		162	then
		163	DISTRIBUTION=`echo $i\|cut -d"=" -f2`
		164	unknown_os=`expr $unknown_os + 1`
		165	fi
		166	if [ "`echo $i\|grep version\|cut -d'=' -f1`" == "version" ]
		167	then
		168	CURRENT_VERSION=`echo $i\|cut -d"=" -f2`
		169	unknown_os=`expr $unknown_os + 1`
		170	fi
		171	if [ "`echo $i\|grep arch\|cut -d'=' -f1`" == "arch" ]
		172	then
		173	ARCH=`echo $i\|cut -d"=" -f2`
		174	unknown_os=`expr $unknown_os + 1`
		175	fi
		176	done
		177	IFS="$old"
		178	if [[ ( $unknown_os != 3 \|\| "$DISTRIBUTION" != "Mageia" ) && ( "$CURRENT_VERSION" != "4" ) ]]
		179	then
		180	if [ $Lang == "fr" ]
		181	then
		182	echo "L'installation ou la mise @ jour d'ALCASAR ne peut pas être réalisée."
		183	echo "Le système d'exploitation doit être remplacé (Mageia4)"
		184	else
		185	echo "The automatic update of ALCASAR can't be performed."
		186	echo "The OS must be replaced (Mageia4)"
		187	fi
		188	if [ -e /tmp/alcasar-conf.tar.gz ]
		189	then
		190	echo
		191	if [ $Lang == "fr" ]
		192	then
		193	echo "1 - Récupérez le fichier de configuration actuel (/tmp/alcasar-conf.tar.gz)."
		194	echo "2 - Installez Linux-Mageia4 (cf. doc d'installation)"
		195	echo "3 - copiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancer l'installation d'ALCASAR"
		196	else
		197	echo "1 - Retrieve the configuration file (/tmp/alcasar-conf.tar.gz)"
		198	echo "2 - Install Linux-Mageia4 (cf. installation doc)"
		199	echo "3 - Copy the file 'alcasar-conf.tar.gz' in the folder '/tmp' before launching the installation of ALCASAR"
		200	fi
		201	fi
		202	exit 0
		203	fi
1342	richard	204	fi
1378	richard	205	if [ $Lang == "fr" ]
784	richard	206	then echo -n "Tests des paramètres réseau : "
595	richard	207	else echo -n "Network parameters tests : "
		208	fi
1471	richard	209
		210	# Test of Ethernet links state
		211	DOWN_IF=`/sbin/ip link\|grep "NO-CARRIER"\|cut -d":" -f2\|tr -d " "`
		212	for i in $DOWN_IF
		213	do
		214	if [ $Lang == "fr" ]
		215	then
		216	echo "Échec"
		217	echo "Le lien réseau de la carte $i n'est pas actif."
		218	echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
		219	else
		220	echo "Failed"
		221	echo "The link state of $i interface is down."
		222	echo "Make sure that this network card is connected to a switch or an A.P."
		223	fi
		224	exit 0
		225	done
		226	echo -n "."
		227
		228	# Test EXTIF config files
1499	richard	229	PUBLIC_IP_MASK=`ip addr show $EXTIF\|grep "inet "\|cut -d" " -f6`
		230	PUBLIC_IP=`echo $PUBLIC_IP_MASK \| cut -d"/" -f1`
		231	PUBLIC_GATEWAY=`ip route list\|grep ^default\|cut -d" " -f3`
1471	richard	232	if [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
		233	then
784	richard	234	if [ $Lang == "fr" ]
		235	then
		236	echo "Échec"
		237	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		238	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	239	echo "Appliquez les changements : 'systemctl restart network'"
784	richard	240	else
		241	echo "Failed"
		242	echo "The Internet connected network card ($EXTIF) isn't well configured."
		243	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	244	echo "Apply the new configuration 'systemctl restart network'"
784	richard	245	fi
830	richard	246	echo "DEVICE=$EXTIF"
784	richard	247	echo "IPADDR="
		248	echo "NETMASK="
		249	echo "GATEWAY="
		250	echo "DNS1="
		251	echo "DNS2="
830	richard	252	echo "ONBOOT=yes"
784	richard	253	exit 0
		254	fi
		255	echo -n "."
1471	richard	256
		257	# Test if router is alive (Box FAI)
784	richard	258	if [ `ip route list\|grep -c ^default` -ne "1" ] ; then
595	richard	259	if [ $Lang == "fr" ]
		260	then
		261	echo "Échec"
		262	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		263	echo "Réglez ce problème puis relancez ce script."
		264	else
		265	echo "Failed"
		266	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		267	echo "Resolv this problem, then restart this script."
		268	fi
29	richard	269	exit 0
		270	fi
308	richard	271	echo -n "."
978	franck	272	# On teste le lien vers le routeur par defaut
1499	richard	273	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY\|grep response\|cut -d" " -f2`
527	richard	274	if [ $(expr $arp_reply) -eq 0 ]
308	richard	275	then
595	richard	276	if [ $Lang == "fr" ]
		277	then
		278	echo "Échec"
1499	richard	279	echo "Le routeur de site ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
595	richard	280	echo "Réglez ce problème puis relancez ce script."
		281	else
		282	echo "Failed"
		283	echo "The Internet gateway doesn't answered"
		284	echo "Resolv this problem, then restart this script."
		285	fi
308	richard	286	exit 0
		287	fi
		288	echo -n "."
421	franck	289	# On teste la connectivité Internet
29	richard	290	rm -rf /tmp/con_ok.html
308	richard	291	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	292	if [ ! -e /tmp/con_ok.html ]
		293	then
595	richard	294	if [ $Lang == "fr" ]
		295	then
		296	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		297	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		298	echo "Vérifiez la validité des adresses IP des DNS."
		299	else
		300	echo "The Internet connection try failed (google.fr)."
		301	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		302	echo "Verify the DNS IP addresses"
		303	fi
29	richard	304	exit 0
		305	fi
		306	rm -rf /tmp/con_ok.html
308	richard	307	echo ". : ok"
1389	richard	308	} # end of testing ()
302	richard	309
		310	##################################################################
1221	richard	311	## Function "init" ##
302	richard	312	## - Création du fichier "/root/ALCASAR_parametres.txt" ##
		313	## - Installation et modification des scripts du portail ##
		314	##################################################################
		315	init ()
		316	{
527	richard	317	if [ "$mode" != "update" ]
302	richard	318	then
		319	# On affecte le nom d'organisme
597	richard	320	header_install
302	richard	321	ORGANISME=!
		322	PTN='^[a-zA-Z0-9-]*$'
580	richard	323	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
302	richard	324	do
595	richard	325	if [ $Lang == "fr" ]
597	richard	326	then echo -n "Entrez le nom de votre organisme : "
		327	else echo -n "Enter the name of your organism : "
595	richard	328	fi
330	franck	329	read ORGANISME
613	richard	330	if [ "$ORGANISME" == "" ]
330	franck	331	then
		332	ORGANISME=!
		333	fi
		334	done
302	richard	335	fi
1	root	336	# On crée aléatoirement les mots de passe et les secrets partagés
628	richard	337	rm -f $PASSWD_FILE
1350	richard	338	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
		339	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
628	richard	340	echo "$grubpwd" >> $PASSWD_FILE
1348	richard	341	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
384	richard	342	$SED "/^password.*/d" /boot/grub/menu.lst
		343	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
1350	richard	344	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	345	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
628	richard	346	echo "root / $mysqlpwd" >> $PASSWD_FILE
1350	richard	347	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	348	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
628	richard	349	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
1350	richard	350	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	351	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
		352	echo "$secretuam" >> $PASSWD_FILE
1350	richard	353	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	354	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
		355	echo "$secretradius" >> $PASSWD_FILE
		356	chmod 640 $PASSWD_FILE
977	richard	357	# Scripts and conf files copy
		358	# - in /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
5	franck	359	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
977	richard	360	# - in /usr/local/sbin : alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
5	franck	361	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
977	richard	362	# - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
648	richard	363	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
1	root	364	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
		365	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
5	franck	366	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
		367	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
628	richard	368	# generate central conf file
		369	cat <<EOF > $CONF_FILE
612	richard	370	##########################################
		371	## ##
		372	## ALCASAR Parameters ##
		373	## ##
		374	##########################################
1	root	375
612	richard	376	INSTALL_DATE=$DATE
		377	VERSION=$VERSION
		378	ORGANISM=$ORGANISME
923	franck	379	DOMAIN=$DOMAIN
612	richard	380	EOF
628	richard	381	chmod o-rwx $CONF_FILE
1	root	382	} # End of init ()
		383
		384	##################################################################
1221	richard	385	## Function "network" ##
1	root	386	## - Définition du plan d'adressage du réseau de consultation ##
595	richard	387	## - Nommage DNS du système ##
1336	richard	388	## - Configuration de l'interface INTIF (réseau de consultation)##
1	root	389	## - Modification du fichier /etc/hosts ##
		390	## - Configuration du serveur de temps (NTP) ##
		391	## - Renseignement des fichiers hosts.allow et hosts.deny ##
		392	##################################################################
		393	network ()
		394	{
		395	header_install
636	richard	396	if [ "$mode" != "update" ]
		397	then
		398	if [ $Lang == "fr" ]
		399	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		400	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		401	fi
		402	response=0
		403	PTN='^[oOyYnN]$'
		404	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	405	do
595	richard	406	if [ $Lang == "fr" ]
659	richard	407	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	408	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	409	fi
1	root	410	read response
		411	done
636	richard	412	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		413	then
		414	PRIVATE_IP_MASK="0"
		415	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		416	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	417	do
595	richard	418	if [ $Lang == "fr" ]
597	richard	419	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		420	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	421	fi
597	richard	422	read PRIVATE_IP_MASK
1	root	423	done
636	richard	424	else
		425	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		426	fi
595	richard	427	else
637	richard	428	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		429	rm -rf conf/etc/alcasar.conf
1	root	430	fi
861	richard	431	# Define LAN side global parameters
1243	richard	432	hostname $HOSTNAME.$DOMAIN
		433	echo $HOSTNAME.$DOMAIN > /etc/hostname
977	richard	434	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
1499	richard	435	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f4` # last octet of LAN address
977	richard	436	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
1499	richard	437	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
977	richard	438	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
1499	richard	439	if [ $PRIVATE_IP == $PRIVATE_NETWORK ] # when entering network address instead of ip address
		440	then
		441	PRIVATE_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1`
		442	PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
		443	fi
		444	private_ip_ending=`echo $PRIVATE_IP \| cut -d"." -f4` # last octet of LAN address
		445	PRIVATE_SECOND_IP=`echo $PRIVATE_IP \| cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2)
977	richard	446	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
1499	richard	447	classe=$((PRIVATE_PREFIX/8)) # ie.: 2=classe B, 3=classe C
977	richard	448	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		449	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
1499	richard	450	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f4` # last octet of LAN broadcast
		451	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
837	richard	452	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
1336	richard	453	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6` # MAC address of INTIF
841	richard	454	# Define Internet parameters
1499	richard	455	DNS1=`grep ^nameserver /etc/resolv.conf\|cut -d" " -f2\|head -n 1` # 1st DNS server
		456	nb_dns=`grep ^nameserver /etc/resolv.conf\|wc -l`
		457	if [ $nb_dns == 2 ]
		458	then
		459	DNS2=`grep ^nameserver /etc/resolv.conf\|cut -d" " -f2\|tail -n 1` # 2nd DNS server (if exist)
		460	fi
70	franck	461	DNS1=${DNS1:=208.67.220.220}
		462	DNS2=${DNS2:=208.67.222.222}
1499	richard	463	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK \| cut -d"=" -f2`
1052	richard	464	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	465	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
1499	richard	466	# Wrtie the conf file
1469	richard	467	echo "EXTIF=$EXTIF" >> $CONF_FILE
		468	echo "INTIF=$INTIF" >> $CONF_FILE
1499	richard	469	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2` # IP setting (static or dynamic)
		470	if [ $IP_SETTING == "dhcp" ]
		471	then
		472	echo "PUBLIC_IP=dhcp" >> $CONF_FILE
		473	echo "GW=dhcp" >> $CONF_FILE
		474	else
		475	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
		476	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
		477	fi
994	franck	478	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	479	echo "DNS1=$DNS1" >> $CONF_FILE
		480	echo "DNS2=$DNS2" >> $CONF_FILE
		481	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
1484	richard	482	echo "DHCP=on" >> $CONF_FILE
914	franck	483	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		484	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		485	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
1488	richard	486	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
1499	richard	487	# network default
597	richard	488	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
1	root	489	cat <<EOF > /etc/sysconfig/network
		490	NETWORKING=yes
1243	richard	491	HOSTNAME="$HOSTNAME.$DOMAIN"
1	root	492	FORWARD_IPV4=true
		493	EOF
1499	richard	494	# /etc/hosts config
1	root	495	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		496	cat <<EOF > /etc/hosts
503	richard	497	127.0.0.1 localhost
1353	richard	498	$PRIVATE_IP $HOSTNAME.$DOMAIN $HOSTNAME $ORGANISME.$DOMAIN $ORGANISME
1	root	499	EOF
1499	richard	500	# EXTIF (Internet) config
		501	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		502	if [ $IP_SETTING == "dhcp" ]
		503	then
		504	$SED "s?^RESOLV_MODS=.*?RESOLV_MODS=yes?g" /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		505	$SED "s?^PEERDNS=.*?PEERDNS=no?g" /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		506	echo "DNS1=127.0.0.1" >> /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		507	else
		508	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
14	richard	509	DEVICE=$EXTIF
		510	BOOTPROTO=static
597	richard	511	IPADDR=$PUBLIC_IP
		512	NETMASK=$PUBLIC_NETMASK
		513	GATEWAY=$PUBLIC_GATEWAY
14	richard	514	DNS1=127.0.0.1
1499	richard	515	RESOLV_MODS=yes
14	richard	516	ONBOOT=yes
		517	METRIC=10
		518	MII_NOT_SUPPORTED=yes
		519	IPV6INIT=no
		520	IPV6TO4INIT=no
		521	ACCOUNTING=no
		522	USERCTL=no
994	franck	523	MTU=$MTU
14	richard	524	EOF
1499	richard	525	fi
1336	richard	526	# Config INTIF (consultation LAN) in normal mode
841	richard	527	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		528	DEVICE=$INTIF
		529	BOOTPROTO=static
		530	ONBOOT=yes
		531	NOZEROCONF=yes
		532	MII_NOT_SUPPORTED=yes
		533	IPV6INIT=no
		534	IPV6TO4INIT=no
		535	ACCOUNTING=no
		536	USERCTL=no
		537	EOF
1336	richard	538	# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
793	richard	539	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
1	root	540	DEVICE=$INTIF
		541	BOOTPROTO=static
		542	IPADDR=$PRIVATE_IP
604	richard	543	NETMASK=$PRIVATE_NETMASK
1	root	544	ONBOOT=yes
		545	METRIC=10
		546	NOZEROCONF=yes
		547	MII_NOT_SUPPORTED=yes
14	richard	548	IPV6INIT=no
		549	IPV6TO4INIT=no
		550	ACCOUNTING=no
		551	USERCTL=no
1	root	552	EOF
440	franck	553	# Mise à l'heure du serveur
		554	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		555	cat <<EOF > /etc/ntp/step-tickers
455	franck	556	0.fr.pool.ntp.org # adapt to your country
		557	1.fr.pool.ntp.org
		558	2.fr.pool.ntp.org
440	franck	559	EOF
		560	# Configuration du serveur de temps (sur lui même)
1	root	561	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		562	cat <<EOF > /etc/ntp.conf
456	franck	563	server 0.fr.pool.ntp.org # adapt to your country
447	franck	564	server 1.fr.pool.ntp.org
		565	server 2.fr.pool.ntp.org
		566	server 127.127.1.0 # local clock si NTP internet indisponible ...
411	richard	567	fudge 127.127.1.0 stratum 10
604	richard	568	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
1	root	569	restrict 127.0.0.1
310	richard	570	driftfile /var/lib/ntp/drift
1	root	571	logfile /var/log/ntp.log
		572	EOF
440	franck	573
310	richard	574	chown -R ntp:ntp /var/lib/ntp
1	root	575	# Renseignement des fichiers hosts.allow et hosts.deny
		576	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		577	cat <<EOF > /etc/hosts.allow
		578	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	579	sshd: ALL
1	root	580	ntpd: $PRIVATE_NETWORK_SHORT
		581	EOF
		582	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		583	cat <<EOF > /etc/hosts.deny
		584	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		585	EOF
790	richard	586	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	587	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
1069	richard	588	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	589	# load conntrack ftp module
		590	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
		591	echo "ip_conntrack_ftp" >> /etc/modprobe.preload
1159	crox53	592	# load ipt_NETFLOW module
		593	echo "ipt_NETFLOW" >> /etc/modprobe.preload
1157	stephane	594	#
860	richard	595	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	596	} # End of network ()
		597
		598	##################################################################
1221	richard	599	## Function "ACC" ##
		600	## - installation du centre de gestion (ALCASAR Control Center) ##
1	root	601	## - configuration du serveur web (Apache) ##
		602	## - définition du 1er comptes de gestion ##
		603	## - sécurisation des accès ##
		604	##################################################################
1221	richard	605	ACC ()
1	root	606	{
		607	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		608	mkdir $DIR_WEB
		609	# Copie et configuration des fichiers du centre de gestion
316	richard	610	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972	richard	611	echo "$VERSION" > $DIR_WEB/VERSION
316	richard	612	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		613	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		614	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		615	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		616	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	617	chown -R apache:apache $DIR_WEB/*
1489	richard	618	# create the backup structure :
		619	# - base = users database
		620	# - system_backup = alcasar conf file + users database
		621	# - archive = tarball of "base + http firewall + netflow"
		622	# - security = watchdog disconnection)
		623	for i in system_backup base archive security;
1	root	624	do
		625	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		626	done
5	franck	627	chown -R root:apache $DIR_SAVE
71	richard	628	# Configuration et sécurisation php
		629	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	630	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		631	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	632	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		633	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71	richard	634	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		635	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
		636	# Configuration et sécurisation Apache
790	richard	637	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1	root	638	[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
1243	richard	639	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
303	richard	640	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1	root	641	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
		642	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
		643	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
790	richard	644	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
		645	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
		646	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
		647	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
		648	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
		649	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
990	franck	650	$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf
1359	richard	651	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] \|\| cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
		652	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
		653	[ -e /usr/share/httpd/error/include/top.html.default ] \|\| cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
		654	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
		655	[ -e /usr/share/httpd/error/include/bottom.html.default ] \|\| cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
		656	cat <<EOF > /usr/share/httpd/error/include/bottom.html
1	root	657	</body>
		658	</html>
		659	EOF
		660	# Définition du premier compte lié au profil 'admin'
509	richard	661	header_install
510	richard	662	if [ "$mode" = "install" ]
		663	then
613	richard	664	admin_portal=!
		665	PTN='^[a-zA-Z0-9-]*$'
		666	until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
		667	do
		668	header_install
		669	if [ $Lang == "fr" ]
		670	then
		671	echo ""
		672	echo "Définissez un premier compte d'administration du portail :"
		673	echo
		674	echo -n "Nom : "
		675	else
		676	echo ""
		677	echo "Define the first account allow to administrate the portal :"
		678	echo
		679	echo -n "Account : "
		680	fi
		681	read admin_portal
		682	if [ "$admin_portal" == "" ]
		683	then
		684	admin_portal=!
		685	fi
		686	done
1268	richard	687	# Creation of keys file for the admin account ("admin")
510	richard	688	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		689	mkdir -p $DIR_DEST_ETC/digest
		690	chmod 755 $DIR_DEST_ETC/digest
		691	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		692	do
1350	richard	693	/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
510	richard	694	done
		695	$DIR_DEST_SBIN/alcasar-profil.sh --list
		696	fi
434	richard	697	# synchronisation horaire
		698	ntpd -q -g &
1	root	699	# Sécurisation du centre
988	franck	700	rm -f /etc/httpd/conf/webapps.d/alcasar*
1	root	701	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	702	<Directory $DIR_ACC>
1	root	703	SSLRequireSSL
		704	AllowOverride None
		705	Order deny,allow
		706	Deny from all
		707	Allow from 127.0.0.1
		708	Allow from $PRIVATE_NETWORK_MASK
990	franck	709	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	710	require valid-user
		711	AuthType digest
1243	richard	712	AuthName $HOSTNAME.$DOMAIN
1	root	713	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	714	AuthUserFile $DIR_DEST_ETC/digest/key_all
1243	richard	715	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	716	</Directory>
316	richard	717	<Directory $DIR_ACC/admin>
1	root	718	SSLRequireSSL
		719	AllowOverride None
		720	Order deny,allow
		721	Deny from all
		722	Allow from 127.0.0.1
		723	Allow from $PRIVATE_NETWORK_MASK
990	franck	724	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	725	require valid-user
		726	AuthType digest
1243	richard	727	AuthName $HOSTNAME.$DOMAIN
1	root	728	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	729	AuthUserFile $DIR_DEST_ETC/digest/key_admin
1243	richard	730	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	731	</Directory>
344	richard	732	<Directory $DIR_ACC/manager>
1	root	733	SSLRequireSSL
		734	AllowOverride None
		735	Order deny,allow
		736	Deny from all
		737	Allow from 127.0.0.1
		738	Allow from $PRIVATE_NETWORK_MASK
990	franck	739	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	740	require valid-user
		741	AuthType digest
1243	richard	742	AuthName $HOSTNAME.$DOMAIN
1	root	743	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	744	AuthUserFile $DIR_DEST_ETC/digest/key_manager
1243	richard	745	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	746	</Directory>
316	richard	747	<Directory $DIR_ACC/backup>
		748	SSLRequireSSL
		749	AllowOverride None
		750	Order deny,allow
		751	Deny from all
		752	Allow from 127.0.0.1
		753	Allow from $PRIVATE_NETWORK_MASK
990	franck	754	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
316	richard	755	require valid-user
		756	AuthType digest
1243	richard	757	AuthName $HOSTNAME.$DOMAIN
316	richard	758	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	759	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	760	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
316	richard	761	</Directory>
811	richard	762	Alias /save/ "$DIR_SAVE/"
		763	<Directory $DIR_SAVE>
		764	SSLRequireSSL
		765	Options Indexes
		766	Order deny,allow
		767	Deny from all
		768	Allow from 127.0.0.1
		769	Allow from $PRIVATE_NETWORK_MASK
990	franck	770	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
811	richard	771	require valid-user
		772	AuthType digest
1243	richard	773	AuthName $HOSTNAME.$DOMAIN
811	richard	774	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	775	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
811	richard	776	</Directory>
1	root	777	EOF
1378	richard	778	# Launch after coova
		779	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
1410	richard	780	# Error page management
		781	FIC_ERROR_DOC=`find /etc/httpd/conf -type f -name multilang-errordoc.conf`
		782	[ -e $FIC_ERROR_DOC ] \|\| cp $FIC_ERROR_DOC $FIC_ERROR_DOC.default
		783
		784	cat <<EOF > $FIC_ERROR_DOC
		785	Alias /error/ "/var/www/html/"
		786
		787	<Directory "/usr/share/httpd/error">
		788	AllowOverride None
		789	Options IncludesNoExec
		790	AddOutputFilter Includes html
		791	AddHandler type-map var
		792	Require all granted
		793	LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
		794	ForceLanguagePriority Prefer Fallback
		795	</Directory>
		796
		797	ErrorDocument 400 /error/error.php?error=400
		798	ErrorDocument 401 /error/error.php?error=401
		799	ErrorDocument 403 /error/error.php?error=403
		800	ErrorDocument 404 /error/error.php?error=404
		801	ErrorDocument 405 /error/error.php?error=405
		802	ErrorDocument 408 /error/error.php?error=408
		803	ErrorDocument 410 /error/error.php?error=410
		804	ErrorDocument 411 /error/error.php?error=411
		805	ErrorDocument 412 /error/error.php?error=412
		806	ErrorDocument 413 /error/error.php?error=413
		807	ErrorDocument 414 /error/error.php?error=414
		808	ErrorDocument 415 /error/error.php?error=415
		809	ErrorDocument 500 /error/error.php?error=500
		810	ErrorDocument 501 /error/error.php?error=501
		811	ErrorDocument 502 /error/error.php?error=502
		812	ErrorDocument 503 /error/error.php?error=503
		813	ErrorDocument 506 /error/error.php?error=506
		814	EOF
		815
1389	richard	816	} # End of ACC ()
1	root	817
		818	##########################################################################################
1221	richard	819	## Fonction "CA" ##
1	root	820	## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
		821	##########################################################################################
1221	richard	822	CA ()
1	root	823	{
510	richard	824	$DIR_DEST_BIN/alcasar-CA.sh
800	richard	825	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	826	[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
1410	richard	827
		828	#$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
		829	#$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
		830	#$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
		831
		832	cat <<EOF > $FIC_VIRTUAL_SSL
		833	# default SSL virtual host, used for all HTTPS requests that do not
		834	# match a ServerName or ServerAlias in any <VirtualHost> block.
		835
		836	<VirtualHost _default_:443>
		837	# general configuration
		838	ServerAdmin root@localhost
		839	ServerName localhost
		840
		841	# SSL configuration
		842	SSLEngine on
		843	SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
		844	SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
		845	SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
		846	CustomLog logs/ssl_request_log \
		847	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
		848	ErrorLog logs/ssl_error_log
		849	ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
		850	</VirtualHost>
		851	EOF
		852
5	franck	853	chown -R root:apache /etc/pki
1	root	854	chmod -R 750 /etc/pki
1389	richard	855	} # End of CA ()
1	root	856
		857	##########################################################################################
1221	richard	858	## Fonction "init_db" ##
1	root	859	## - Initialisation de la base Mysql ##
		860	## - Affectation du mot de passe de l'administrateur (root) ##
		861	## - Suppression des bases et des utilisateurs superflus ##
		862	## - Création de la base 'radius' ##
		863	## - Installation du schéma de cette base ##
		864	## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##
		865	## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##
		866	##########################################################################################
		867	init_db ()
		868	{
1355	richard	869	rm -rf /var/lib/mysql # to be sure that there is no former installation
1	root	870	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
		871	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
1355	richard	872	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
1353	richard	873	systemctl start mysqld.service
1	root	874	sleep 4
		875	mysqladmin -u root password $mysqlpwd
		876	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1355	richard	877	# Secure the server
		878	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
		879	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
615	richard	880	# Create 'radius' database
1317	richard	881	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
615	richard	882	# Add an empty radius database structure
364	franck	883	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
615	richard	884	# modify the start script in order to close accounting connexion when the system is comming down or up
1357	richard	885	[ -e /lib/systemd/system/mysqld.service.default ] \|\| cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
		886	$SED "/ExecStartPost=/a ExecStartPost=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
1355	richard	887	$SED "/ExecStartPost=/a ExecStop=[ -e /usr/local/sbin/alcasar-mysql.sh ] && /usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
		888	systemctl daemon-reload
1389	richard	889	} # End of init_db ()
1	root	890
		891	##########################################################################
1389	richard	892	## Fonction "radius" ##
1	root	893	## - Paramètrage des fichiers de configuration FreeRadius ##
		894	## - Affectation du secret partagé entre coova-chilli et freeradius ##
		895	## - Modification de fichier de conf pour l'accès à Mysql ##
		896	##########################################################################
1389	richard	897	radius ()
1	root	898	{
		899	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
		900	chown -R radius:radius /etc/raddb
		901	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1278	richard	902	# Set radius.conf parameters
1	root	903	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		904	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		905	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
1278	richard	906	# remove the proxy function
1	root	907	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf
		908	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
1278	richard	909	# remove EAP module
654	richard	910	$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1278	richard	911	# listen on loopback (should be modified later if EAP enabled)
1	root	912	$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
1278	richard	913	# enable the SQL module (and SQL counter)
1	root	914	$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
		915	$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
		916	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1465	richard	917	# only include modules for ALCASAR needs
		918	$SED "s?^[\t ]\$INCLUDE \${confdir}/modules/.?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
		919	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
		920	$SED "s?^[\t ]expr.?\#\texpr?g" /etc/raddb/radiusd.conf
		921	$SED "s?^[\t ]\# daily.?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
		922	$SED "s?^[\t ]logintime.?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
		923	$SED "s?^[\t ]\$INCLUDE sites-enabled/.?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
1278	richard	924	# remvove virtual server and copy our conf file
1	root	925	rm -f /etc/raddb/sites-enabled/*
1278	richard	926	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1	root	927	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
		928	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
		929	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
		930	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
384	richard	931	# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1	root	932	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1278	richard	933	# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1	root	934	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		935	cat << EOF > /etc/raddb/clients.conf
		936	client 127.0.0.1 {
		937	secret = $secretradius
		938	shortname = localhost
		939	}
		940	EOF
1278	richard	941	# sql.conf modification
1	root	942	[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
		943	$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
		944	$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
		945	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
		946	$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf
1278	richard	947	# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.)
1	root	948	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1278	richard	949	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
		950	# counter.conf modification (change the Max-All-Session-Time counter)
		951	[ -e /etc/raddb/sql/mysql/counter.conf.default ] \|\| cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
		952	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
		953	chown -R radius:radius /etc/raddb/sql/mysql/*
1358	richard	954	# make certain that mysql is up before radius start
		955	[ -e /lib/systemd/system/radiusd.service.default ] \|\| cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
		956	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
		957	systemctl daemon-reload
1389	richard	958	} # End radius ()
1	root	959
		960	##########################################################################
1389	richard	961	## Function "radius_web" ##
1	root	962	## - Import, modification et paramètrage de l'interface "dialupadmin" ##
		963	## - Création du lien vers la page de changement de mot de passe ##
		964	##########################################################################
1389	richard	965	radius_web ()
1	root	966	{
		967	# copie de l'interface d'origine dans la structure Alcasar
316	richard	968	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
		969	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme
		970	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
344	richard	971	# copie des fichiers modifiés
		972	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
316	richard	973	chown -R apache:apache $DIR_ACC/manager/
344	richard	974	# Modification des fichiers de configuration
1	root	975	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
503	richard	976	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1	root	977	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		978	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		979	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
		980	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
		981	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
		982	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
		983	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
946	richard	984	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
344	richard	985	[ -e /etc/freeradius-web/config.php.default ] \|\| cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
1278	richard	986	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
131	richard	987	cat <<EOF > /etc/freeradius-web/naslist.conf
632	richard	988	nas1_name: alcasar-$ORGANISME
1	root	989	nas1_model: Portail captif
		990	nas1_ip: $PRIVATE_IP
		991	nas1_port_num: 0
		992	nas1_community: public
		993	EOF
		994	# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
		995	[ -e /etc/freeradius-web/user_edit.attrs.default ] \|\| mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
1278	richard	996	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
114	richard	997	# Ajout du mappage des attributs chillispot
		998	[ -e /etc/freeradius-web/sql.attrmap.default ] \|\| mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
1278	richard	999	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
1	root	1000	# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
1278	richard	1001	[ -e /etc/freeradius-web/sql.attrs.default ] \|\| cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
1	root	1002	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
		1003	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
5	franck	1004	chown -R apache:apache /etc/freeradius-web
1	root	1005	# Ajout de l'alias vers la page de "changement de mot de passe usager"
		1006	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
344	richard	1007	<Directory $DIR_WEB/pass>
1	root	1008	SSLRequireSSL
		1009	AllowOverride None
		1010	Order deny,allow
		1011	Deny from all
		1012	Allow from 127.0.0.1
		1013	Allow from $PRIVATE_NETWORK_MASK
1243	richard	1014	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
1	root	1015	</Directory>
		1016	EOF
1389	richard	1017	} # End of radius_web ()
1	root	1018
799	richard	1019	##################################################################################
1389	richard	1020	## Fonction "chilli" ##
799	richard	1021	## - Création du fichier d'initialisation et de configuration de coova-chilli ##
		1022	## - Paramètrage de la page d'authentification (intercept.php) ##
		1023	##################################################################################
1389	richard	1024	chilli ()
1	root	1025	{
1370	richard	1026	# chilli unit for systemd
		1027	cat << EOF > /lib/systemd/system/chilli.service
1372	richard	1028	# This file is part of systemd.
		1029	#
		1030	# systemd is free software; you can redistribute it and/or modify it
		1031	# under the terms of the GNU General Public License as published by
		1032	# the Free Software Foundation; either version 2 of the License, or
		1033	# (at your option) any later version.
1370	richard	1034	[Unit]
		1035	Description=chilli is a captive portal daemon
		1036	After=network.target
		1037
		1038	[Service]
1379	richard	1039	Type=forking
1370	richard	1040	ExecStart=/usr/libexec/chilli start
		1041	ExecStop=/usr/libexec/chilli stop
		1042	ExecReload=/usr/libexec/chilli reload
		1043	PIDFile=/var/run/chilli.pid
		1044
		1045	[Install]
		1046	WantedBy=multi-user.target
		1047	EOF
799	richard	1048	# init file creation
1370	richard	1049	[ -e /etc/init.d/chilli.default ] \|\| mv /etc/init.d/chilli /etc/init.d/chilli.default
		1050	cat <<EOF > /usr/libexec/chilli
799	richard	1051	#!/bin/sh
		1052	#
		1053	# chilli CoovaChilli init
		1054	#
		1055	# chkconfig: 2345 65 35
		1056	# description: CoovaChilli
		1057	### BEGIN INIT INFO
		1058	# Provides: chilli
		1059	# Required-Start: network
		1060	# Should-Start:
		1061	# Required-Stop: network
		1062	# Should-Stop:
		1063	# Default-Start: 2 3 5
		1064	# Default-Stop:
		1065	# Description: CoovaChilli access controller
		1066	### END INIT INFO
		1067
		1068	[ -f /usr/sbin/chilli ] \|\| exit 0
		1069	. /etc/init.d/functions
		1070	CONFIG=/etc/chilli.conf
		1071	pidfile=/var/run/chilli.pid
		1072	[ -f \$CONFIG ] \|\| {
		1073	echo "\$CONFIG Not found"
		1074	exit 0
		1075	}
		1076	RETVAL=0
		1077	prog="chilli"
		1078	case \$1 in
		1079	start)
		1080	if [ -f \$pidfile ] ; then
		1081	gprintf "chilli is already running"
		1082	else
		1083	gprintf "Starting \$prog: "
		1084	rm -f /var/run/chilli* # cleaning
		1085	/sbin/modprobe tun >/dev/null 2>&1
		1086	echo 1 > /proc/sys/net/ipv4/ip_forward
		1087	[ -e /dev/net/tun ] \|\| {
		1088	(cd /dev;
		1089	mkdir net;
		1090	cd net;
		1091	mknod tun c 10 200)
		1092	}
1336	richard	1093	ifconfig $INTIF 0.0.0.0
799	richard	1094	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		1095	RETVAL=$?
		1096	fi
		1097	;;
		1098
		1099	reload)
		1100	killall -HUP chilli
		1101	;;
		1102
		1103	restart)
		1104	\$0 stop
		1105	sleep 2
		1106	\$0 start
		1107	;;
		1108
		1109	status)
		1110	status chilli
		1111	RETVAL=0
		1112	;;
		1113
		1114	stop)
		1115	if [ -f \$pidfile ] ; then
		1116	gprintf "Shutting down \$prog: "
		1117	killproc /usr/sbin/chilli
		1118	RETVAL=\$?
		1119	[ \$RETVAL = 0 ] && rm -f $pidfile
		1120	else
		1121	gprintf "chilli is not running"
		1122	fi
		1123	;;
		1124
		1125	*)
		1126	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		1127	exit 1
		1128	esac
		1129	echo
		1130	EOF
1373	richard	1131	chmod a+x /usr/libexec/chilli
799	richard	1132	# conf file creation
346	richard	1133	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
		1134	cat <<EOF > /etc/chilli.conf
		1135	# coova config for ALCASAR
		1136	cmdsocket /var/run/chilli.sock
1336	richard	1137	unixipc chilli.$INTIF.ipc
		1138	pidfile /var/run/chilli.$INTIF.pid
346	richard	1139	net $PRIVATE_NETWORK_MASK
595	richard	1140	dhcpif $INTIF
841	richard	1141	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	1142	#nodynip
865	richard	1143	#statip
		1144	dynip $PRIVATE_NETWORK_MASK
1249	richard	1145	domain $DOMAIN
355	richard	1146	dns1 $PRIVATE_IP
		1147	dns2 $PRIVATE_IP
346	richard	1148	uamlisten $PRIVATE_IP
503	richard	1149	uamport 3990
837	richard	1150	macauth
		1151	macpasswd password
1243	richard	1152	locationname $HOSTNAME.$DOMAIN
346	richard	1153	radiusserver1 127.0.0.1
		1154	radiusserver2 127.0.0.1
		1155	radiussecret $secretradius
		1156	radiusauthport 1812
		1157	radiusacctport 1813
1243	richard	1158	uamserver https://$HOSTNAME.$DOMAIN/intercept.php
		1159	radiusnasid $HOSTNAME.$DOMAIN
346	richard	1160	uamsecret $secretuam
1249	richard	1161	uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN
346	richard	1162	coaport 3799
1379	richard	1163	conup $DIR_DEST_BIN/alcasar-conup.sh
		1164	condown $DIR_DEST_BIN/alcasar-condown.sh
503	richard	1165	include $DIR_DEST_ETC/alcasar-uamallowed
		1166	include $DIR_DEST_ETC/alcasar-uamdomain
1294	richard	1167	#dhcpgateway
1157	stephane	1168	#dhcprelayagent
		1169	#dhcpgatewayport
346	richard	1170	EOF
1336	richard	1171	# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
977	richard	1172	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
840	richard	1173	# create files for trusted domains and urls
1148	crox53	1174	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	1175	chown root:apache $DIR_DEST_ETC/alcasar-*
		1176	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	1177	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	1178	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
		1179	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
796	richard	1180	# user 'chilli' creation (in order to run conup/off and up/down scripts
		1181	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		1182	if [ "$chilli_exist" == "1" ]
		1183	then
		1184	userdel -r chilli 2>/dev/null
		1185	fi
		1186	groupadd -f chilli
		1187	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1389	richard	1188	} # End of chilli ()
1349	richard	1189
1	root	1190	##################################################################
1389	richard	1191	## Fonction "dansguardian" ##
1	root	1192	## - Paramètrage du gestionnaire de contenu Dansguardian ##
		1193	##################################################################
1389	richard	1194	dansguardian ()
1	root	1195	{
		1196	mkdir /var/dansguardian
		1197	chown dansguardian /var/dansguardian
1375	richard	1198	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1391	richard	1199	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
497	richard	1200	[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1293	richard	1201	# By default the filter is off
497	richard	1202	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1293	richard	1203	# French deny HTML page
497	richard	1204	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1293	richard	1205	# Listen only on LAN side
497	richard	1206	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1342	richard	1207	# DG send its flow to HAVP
		1208	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1293	richard	1209	# replace the default deny HTML page
1	root	1210	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
		1211	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1293	richard	1212	# Don't log
		1213	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
		1214	# Run 10 daemons (20 in largest server)
659	richard	1215	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1	root	1216	# on désactive par défaut le controle de contenu des pages html
497	richard	1217	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
		1218	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1219	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1	root	1220	# on désactive par défaut le contrôle d'URL par expressions régulières
497	richard	1221	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1222	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1	root	1223	# on désactive par défaut le contrôle de téléchargement de fichiers
497	richard	1224	[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
		1225	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
		1226	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1227	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1228	touch $DIR_DG/lists/bannedextensionlist
		1229	touch $DIR_DG/lists/bannedmimetypelist
		1230	# 'Safesearch' regex actualisation
498	richard	1231	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1232	# empty LAN IP list that won't be WEB filtered
		1233	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1234	touch $DIR_DG/lists/exceptioniplist
		1235	# Keep a copy of URL & domain filter configuration files
		1236	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1237	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1389	richard	1238	} # End of dansguardian ()
1	root	1239
71	richard	1240	##################################################################
1221	richard	1241	## Fonction "antivirus" ##
1357	richard	1242	## - configuration of havp, libclamav and freshclam ##
71	richard	1243	##################################################################
		1244	antivirus ()
		1245	{
1358	richard	1246	# create 'havp' user
288	richard	1247	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1248	if [ "$havp_exist" == "1" ]
288	richard	1249	then
478	richard	1250	userdel -r havp 2>/dev/null
894	richard	1251	groupdel havp 2>/dev/null
288	richard	1252	fi
307	richard	1253	groupadd -f havp
1486	richard	1254	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1366	richard	1255	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
1484	richard	1256	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
109	richard	1257	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1258	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1484	richard	1259	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config # pidfile
		1260	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode
631	richard	1261	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
1485	richard	1262	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on port 8090 (on loopback)
990	franck	1263	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1264	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1265	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1266	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1267	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1268	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1007	richard	1269	# skip checking of youtube flow (too heavy load / risk too low)
		1270	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1271	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1272	echo ".youtube.com/" >> /etc/havp/whitelist
1358	richard	1273	# replacement of init script
335	richard	1274	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
481	franck	1275	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1358	richard	1276	# replace of the intercept page (template)
340	richard	1277	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1278	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1358	richard	1279	# update virus database every 4 hours (24h/6)
1357	richard	1280	[ -e /etc/freshclam.conf.default ] \|\| cp /etc/freshclam.conf /etc/freshclam.conf.default
		1281	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
489	richard	1282	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1357	richard	1283	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1358	richard	1284	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
		1285	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1385	richard	1286	# update now
1382	richard	1287	/usr/bin/freshclam --no-warnings
1389	richard	1288	} # End of antivirus ()
71	richard	1289
1486	richard	1290	##########################################################################
		1291	## Fonction "tinyproxy" ##
		1292	## - configuration of tinyproxy (proxy between filterde users and havp) ##
		1293	##########################################################################
1485	richard	1294	tinyproxy ()
		1295	{
1486	richard	1296	tinyproxy_exist=`grep tinyproxy /etc/passwd\|wc -l`
		1297	if [ "$tinyproxy_exist" == "1" ]
		1298	then
		1299	userdel -r tinyproxy 2>/dev/null
		1300	groupdel tinyproxy 2>/dev/null
		1301	fi
		1302	groupadd -f tinyproxy
1488	richard	1303	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1486	richard	1304	mkdir -p /var/log/tinyproxy /var/run/tinyproxy
		1305	chown -R tinyproxy:tinyproxy /var/log/tinyproxy /var/run/tinyproxy
		1306	[ -e /etc/tinyproxy/tinyproxy.conf.default ] \|\| cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
		1307	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
		1308	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
		1309	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf # Listen Port
		1310	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf # Listen NIC (only intif)
		1311	$SED "s?^#LogFile.*?LogFile /var/log/tinyproxy/tinyproxy.log?g" /etc/tinyproxy/tinyproxy.conf
		1312	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged
		1313	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP
		1314	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode
1485	richard	1315
		1316	} # end of tinyproxy
1	root	1317	##################################################################################
1389	richard	1318	## function "ulogd" ##
476	richard	1319	## - Ulog config for multi-log files ##
		1320	##################################################################################
1389	richard	1321	ulogd ()
476	richard	1322	{
		1323	# Three instances of ulogd (three different logfiles)
		1324	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1325	nl=1
1358	richard	1326	for log_type in traceability ssh ext-access
478	richard	1327	do
1365	richard	1328	[ -e /lib/systemd/system/ulogd-$log_type.service ] \|\| cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1369	richard	1329	[ -e /var/log/firewall/$log_type.log ] \|\| echo "" > /var/log/firewall/$log_type.log
1375	richard	1330	cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
478	richard	1331	$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
		1332	cat << EOF >> /etc/ulogd-$log_type.conf
1452	richard	1333	[emu1]
478	richard	1334	file="/var/log/firewall/$log_type.log"
		1335	sync=1
		1336	EOF
1452	richard	1337	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
478	richard	1338	nl=`expr $nl + 1`
		1339	done
476	richard	1340	chown -R root:apache /var/log/firewall
		1341	chmod 750 /var/log/firewall
		1342	chmod 640 /var/log/firewall/*
1389	richard	1343	} # End of ulogd ()
476	richard	1344
1159	crox53	1345
		1346	##########################################################
1389	richard	1347	## Function "nfsen" ##
1159	crox53	1348	##########################################################
1389	richard	1349	nfsen()
1	root	1350	{
1393	richard	1351	tar xzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
1365	richard	1352	# Add PortTracker plugin
1395	richard	1353	for i in /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
		1354	do
		1355	[ ! -d $i ] && mkdir $i && chown -R apache:apache $i && echo "$i created" \|\| echo "$i already exists"
		1356	done
1221	richard	1357	cp -f $DIR_CONF/nfsen/PortTracker.pm /tmp/nfsen-1.3.6p1/contrib/PortTracker/
1365	richard	1358	# use of our conf file and init unit
1221	richard	1359	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
1365	richard	1360	# Installation of nfsen
1221	richard	1361	DirTmp=$(pwd)
		1362	cd /tmp/nfsen-1.3.6p1/
1365	richard	1363	/usr/bin/perl5 install.pl etc/nfsen.conf
		1364	/usr/bin/perl5 install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
		1365	# Create RRD DB for porttracker (only in it still doesn't exist)
1221	richard	1366	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
		1367	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
1395	richard	1368	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
		1369	chmod -R 770 /var/log/netflow/porttracker
1365	richard	1370	# Apache conf file
1394	richard	1371	cat << EOF > /etc/httpd/conf/conf.d/nfsen.conf
1159	crox53	1372	Alias /nfsen /var/www/nfsen
		1373	<Directory /var/www/nfsen/>
		1374	DirectoryIndex nfsen.php
		1375	Options -Indexes
		1376	AllowOverride all
		1377	order allow,deny
		1378	allow from all
		1379	AddType application/x-httpd-php .php
		1380	php_flag magic_quotes_gpc on
		1381	php_flag track_vars on
1	root	1382	</Directory>
		1383	EOF
1372	richard	1384	# nfsen unit for systemd
		1385	cat << EOF > /lib/systemd/system/nfsen.service
		1386	# This file is part of systemd.
		1387	#
		1388	# systemd is free software; you can redistribute it and/or modify it
		1389	# under the terms of the GNU General Public License as published by
		1390	# the Free Software Foundation; either version 2 of the License, or
		1391	# (at your option) any later version.
		1392
		1393	# This unit launches nfsen (a Netflow grapher).
		1394	[Unit]
		1395	Description= NfSen init script
		1396	After=network.target iptables.service
		1397
		1398	[Service]
		1399	Type=oneshot
		1400	RemainAfterExit=yes
1393	richard	1401	PIDFile=/var/run/nfsen/nfsen.pid
		1402	ExecStartPre=/bin/mkdir -p /var/run/nfsen
		1403	ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1372	richard	1404	ExecStart=/usr/bin/nfsen start
		1405	ExecStop=/usr/bin/nfsen stop
1393	richard	1406	ExecReload=/usr/bin/nfsen restart
1372	richard	1407	TimeoutSec=0
		1408
		1409	[Install]
		1410	WantedBy=multi-user.target
		1411	EOF
1365	richard	1412	# Add the listen port to collect netflow packet (nfcapd)
1393	richard	1413	$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
1365	richard	1414	# expire delay for the profile "live"
1393	richard	1415	systemctl start nfsen
		1416	/bin/nfsen -m live -e 62d 2>/dev/null
1397	richard	1417	# add SURFmap plugin
1412	richard	1418	tar xzf $DIR_CONF/nfsen/SURFmap_v3.3b1.tar.gz -C /tmp/
1413	richard	1419	cp $DIR_CONF/nfsen/install-surfmap.sh /tmp/SURFmap/install.sh
1397	richard	1420	cd /tmp/SURFmap
		1421	/usr/bin/sh install.sh
1418	richard	1422
1365	richard	1423	# clear the installation
1221	richard	1424	cd $DirTmp
		1425	rm -rf /tmp/nfsen-1.3.6p1/
1397	richard	1426	rm -rf /tmp/SURFmap/
1389	richard	1427	} # End of nfsen ()
1	root	1428
1390	richard	1429	##################################################
1389	richard	1430	## Function "dnsmasq" ##
1390	richard	1431	##################################################
1389	richard	1432	dnsmasq ()
219	jeremy	1433	{
		1434	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
1356	richard	1435	[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1387	richard	1436	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
503	richard	1437	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1472	richard	1438	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
503	richard	1439	cat << EOF > /etc/dnsmasq.conf
520	richard	1440	# Configuration file for "dnsmasq in forward mode"
1387	richard	1441	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
259	richard	1442	listen-address=$PRIVATE_IP
1390	richard	1443	pid-file=/var/run/dnsmasq.pid
259	richard	1444	listen-address=127.0.0.1
286	richard	1445	no-dhcp-interface=$INTIF
1387	richard	1446	no-dhcp-interface=tun0
		1447	no-dhcp-interface=lo
259	richard	1448	bind-interfaces
		1449	cache-size=256
		1450	domain=$DOMAIN
		1451	domain-needed
		1452	expand-hosts
		1453	bogus-priv
		1454	filterwin2k
		1455	server=$DNS1
		1456	server=$DNS2
1387	richard	1457	# DHCP service is configured. It will be enabled in "bypass" mode
865	richard	1458	dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
632	richard	1459	dhcp-option=option:router,$PRIVATE_IP
1482	richard	1460	dhcp-option=option:ntp-server,$PRIVATE_IP
259	richard	1461
1387	richard	1462	# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1463	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1464	EOF
1356	richard	1465	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
		1466	cat << EOF > /etc/dnsmasq-blacklist.conf
1390	richard	1467	# Configuration file for "dnsmasq with blacklist"
1387	richard	1468	# Add Toulouse blacklist domains
1472	richard	1469	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
1015	richard	1470	conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1390	richard	1471	pid-file=/var/run/dnsmasq-blacklist.pid
498	richard	1472	listen-address=$PRIVATE_IP
		1473	port=54
		1474	no-dhcp-interface=$INTIF
1387	richard	1475	no-dhcp-interface=tun0
1472	richard	1476	no-dhcp-interface=lo
498	richard	1477	bind-interfaces
		1478	cache-size=256
		1479	domain=$DOMAIN
		1480	domain-needed
		1481	expand-hosts
		1482	bogus-priv
		1483	filterwin2k
		1484	server=$DNS1
		1485	server=$DNS2
		1486	EOF
1379	richard	1487	# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1357	richard	1488	cat << EOF > /etc/dnsmasq-whitelist.conf
1390	richard	1489	# Configuration file for "dnsmasq with whitelist"
1356	richard	1490	# Inclusion de la whitelist <domains> de Toulouse dans la configuration
1472	richard	1491	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
1356	richard	1492	conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1472	richard	1493	pid-file=/var/run/dnsmasq-whitelist.pid
1356	richard	1494	listen-address=$PRIVATE_IP
		1495	port=55
		1496	no-dhcp-interface=$INTIF
1387	richard	1497	no-dhcp-interface=tun0
1472	richard	1498	no-dhcp-interface=lo
1356	richard	1499	bind-interfaces
		1500	cache-size=256
		1501	domain=$DOMAIN
		1502	domain-needed
		1503	expand-hosts
		1504	bogus-priv
		1505	filterwin2k
1472	richard	1506	address=/#/$PRIVATE_IP # for Domain name without local resolution (WL)
		1507	ipset=/#/whitelist_ip_allowed # dynamicly add the resolv IP address in the Firewall rules
1356	richard	1508	EOF
1472	richard	1509	# 4th dnsmasq listen on udp 56 ("blackhole")
		1510	cat << EOF > /etc/dnsmasq-blackhole.conf
		1511	# Configuration file for "dnsmasq as a blackhole"
		1512	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
		1513	address=/#/$PRIVATE_IP # redirect all on ALCASAR IP address
		1514	pid-file=/var/run/dnsmasq-blackhole.pid
		1515	listen-address=$PRIVATE_IP
		1516	port=56
		1517	no-dhcp-interface=$INTIF
		1518	no-dhcp-interface=tun0
		1519	no-dhcp-interface=lo
		1520	bind-interfaces
		1521	cache-size=256
		1522	domain=$DOMAIN
		1523	domain-needed
		1524	expand-hosts
		1525	bogus-priv
		1526	filterwin2k
		1527	EOF
		1528
1372	richard	1529	# Start after chilli (which create tun0)
		1530	$SED "s?^After=.*?After=syslog.target network.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1474	richard	1531	# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
		1532	for list in blacklist whitelist blackhole
		1533	do
		1534	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
		1535	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
		1536	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
		1537	done
308	richard	1538	} # End dnsmasq
		1539
		1540	##########################################################
1221	richard	1541	## Fonction "BL" ##
308	richard	1542	##########################################################
		1543	BL ()
		1544	{
1386	richard	1545	# modify iptables boot file to start alcasar-iptables.sh when the system is booting
		1546	[ -e /lib/systemd/system/iptables.service.default ] \|\| cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
		1547	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
1384	richard	1548	# copy and extract toulouse BL
648	richard	1549	rm -rf $DIR_DG/lists/blacklists
		1550	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
1383	richard	1551	# creation of the OSSI BL and WL categories (domain name and url)
878	richard	1552	mkdir $DIR_DG/lists/blacklists/ossi
1041	richard	1553	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
		1554	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
1384	richard	1555	chown -R dansguardian:apache $DIR_DG $DIR_DEST_SHARE
		1556	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1383	richard	1557	# creation of file for the rehabilited domains and urls
648	richard	1558	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1559	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1560	touch $DIR_DG/lists/exceptionsitelist
		1561	touch $DIR_DG/lists/exceptionurllist
311	richard	1562	# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
648	richard	1563	cat <<EOF > $DIR_DG/lists/bannedurllist
311	richard	1564	# Dansguardian filter config for ALCASAR
		1565	EOF
648	richard	1566	cat <<EOF > $DIR_DG/lists/bannedsitelist
311	richard	1567	# Dansguardian domain filter config for ALCASAR
		1568	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1569	#**
		1570	# block all SSL and CONNECT tunnels
		1571	**s
		1572	# block all SSL and CONNECT tunnels specified only as an IP
		1573	*ips
		1574	# block all sites specified only by an IP
		1575	*ip
		1576	EOF
1000	richard	1577	# Add Bing and Youtube to the safesearch url regext list (parental control)
878	richard	1578	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1579	# Bing - add 'adlt=strict'
		1580	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1581	# Youtube - add 'edufilter=your_ID'
885	richard	1582	#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"
878	richard	1583	EOF
1000	richard	1584	# change the the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1585	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1370	richard	1586	# adapt the BL to ALCASAR architecture. Enable the default categories
654	richard	1587	if [ "$mode" != "update" ]; then
		1588	$DIR_DEST_SBIN/alcasar-bl.sh --adapt
1370	richard	1589	$DIR_DEST_SBIN/alcasar-bl.sh --cat_choice
1387	richard	1590	# !!! we can be banned by DNS server (waiting for a cool solution $DIR_DEST_SBIN/alcasar-bl.sh --ip_retrieving
654	richard	1591	fi
308	richard	1592	}
219	jeremy	1593
1	root	1594	##########################################################
1221	richard	1595	## Fonction "cron" ##
1	root	1596	## - Mise en place des différents fichiers de cron ##
		1597	##########################################################
		1598	cron ()
		1599	{
		1600	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1601	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1602	cat <<EOF > /etc/crontab
		1603	SHELL=/bin/bash
		1604	PATH=/sbin:/bin:/usr/sbin:/usr/bin
		1605	MAILTO=root
		1606	HOME=/
		1607
		1608	# run-parts
		1609	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1610	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1611	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1612	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1613	EOF
		1614	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1615	cat <<EOF >> /etc/anacrontab
667	franck	1616	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
1380	richard	1617	7 10 cron.logExport nice /etc/cron.d/alcasar-archive
667	franck	1618	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1619	EOF
1247	crox53	1620
811	richard	1621	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1622	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
955	richard	1623	45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
905	franck	1624	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
917	franck	1625	40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1626	EOF
952	franck	1627	cat <<EOF > /etc/cron.d/alcasar-archive
		1628	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1629	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1630	EOF
667	franck	1631	cat << EOF > /etc/cron.d/alcasar-clean_import
713	franck	1632	# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
503	richard	1633	30 * * * * root $DIR_DEST_BIN/alcasar-import-clean.sh
168	franck	1634	EOF
722	franck	1635	cat << EOF > /etc/cron.d/alcasar-distrib-updates
		1636	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1637	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1638	EOF
1247	crox53	1639	#cat << EOF > /etc/cron.d/alcasar-netflow
1159	crox53	1640	# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
1247	crox53	1641	#15 0 * * 1 root $DIR_DEST_BIN/alcasar-netflow.sh
		1642	#EOF
1159	crox53	1643
1	root	1644	# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
		1645	# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
		1646	# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
		1647	# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
		1648	# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
		1649	# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
		1650	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
		1651	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
		1652	rm -f /etc/cron.daily/freeradius-web
		1653	rm -f /etc/cron.monthly/freeradius-web
		1654	cat << EOF > /etc/cron.d/freeradius-web
		1655	1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
		1656	5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
		1657	10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
		1658	15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
		1659	EOF
671	franck	1660	cat << EOF > /etc/cron.d/alcasar-watchdog
713	franck	1661	# activation du "chien de garde" (watchdog) toutes les 3'
1	root	1662	/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
		1663	EOF
808	franck	1664	# activation du "chien de garde des services" (watchdog) toutes les 18'
		1665	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
		1666	# activation du "chien de garde" (daemon-watchdog) toutes les 18'
		1667	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1668	EOF
522	richard	1669	# suppression des crons usagers
		1670	rm -f /var/spool/cron/*
1	root	1671	} # End cron
		1672
		1673	##################################################################
1221	richard	1674	## Fonction "Fail2Ban" ##
1163	crox53	1675	##- Modification de la configuration de fail2ban ##
		1676	##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ##
		1677	##################################################################
		1678	fail2ban()
		1679	{
1191	crox53	1680	$DIR_CONF/fail2ban.sh
1474	richard	1681	# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1192	crox53	1682	[ -e /var/log/fail2ban.log ] \|\| touch /var/log/fail2ban.log
1489	richard	1683	[ -e /var/Save/security/watchdog.log ] \|\| touch /var/Save/security/watchdog.log
1165	crox53	1684	chmod 644 /var/log/fail2ban.log
1489	richard	1685	chmod 644 /var/Save/security/watchdog.log
1418	richard	1686	/usr/bin/touch /var/log/auth.log
		1687
1411	richard	1688
		1689	# Edition de l'unité fail2ban
1418	richard	1690	[ -e /usr/lib/systemd/system/fail2ban.service ] && cp /usr/lib/systemd/system/fail2ban.service /usr/lib/systemd/system/fail2ban.service.default
1411	richard	1691	$SED '/Type/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1418	richard	1692	$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1411	richard	1693
		1694
1163	crox53	1695	} #Fin de fail2ban_install()
		1696
		1697	##################################################################
1376	richard	1698	## Fonction "gammu_smsd" ##
		1699	## - Creation de la base de donnée Gammu ##
		1700	## - Creation du fichier de config: gammu_smsd_conf ##
		1701	## ##
		1702	##################################################################
		1703	gammu_smsd()
		1704	{
		1705	# Create 'gammu' databse
		1706	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
		1707	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
		1708	# Add a gammu database structure
		1709	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/gammu-smsd-db-vierge.sql
		1710
		1711	# config file for the daemon
		1712	cat << EOF > /etc/gammu_smsd_conf
		1713	[gammu]
		1714	port = /dev/ttyUSB0
		1715	connection = at115200
		1716
		1717	;########################################################
		1718
		1719	[smsd]
		1720
		1721	PIN = 1234
		1722
		1723	logfile = /var/log/gammu-smsd/gammu-smsd.log
		1724	logformat = textall
		1725	debuglevel = 0
		1726
		1727	service = sql
		1728	driver = native_mysql
		1729	user = $DB_USER
		1730	password = $radiuspwd
		1731	pc = localhost
		1732	database = $DB_GAMMU
		1733
		1734	RunOnReceive = /usr/local/bin/alcasar-sms.sh --new_sms
		1735
		1736	StatusFrequency = 30
1380	richard	1737	;LoopSleep = 2
1376	richard	1738
		1739	;ResetFrequency = 300
		1740	;HardResetFrequency = 120
		1741
		1742	CheckSecurity = 1
		1743	CheckSignal = 1
		1744	CheckBattery = 0
		1745	EOF
		1746
		1747	chmod 755 /etc/gammu_smsd_conf
		1748
		1749	#Creation dossier de log Gammu-smsd
1382	richard	1750	[ -e /var/log/gammu-smsd ] \|\| mkdir /var/log/gammu-smsd
1376	richard	1751	chmod 755 /var/log/gammu-smsd
		1752
		1753	#Edition du script sql gammu <-> radius
1452	richard	1754	$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
		1755	$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1376	richard	1756
1380	richard	1757	#Création de la règle udev pour les Huawei // idVendor: 12d1
		1758	cat << EOF > /etc/udev/rules.d/66-huawei.rules
		1759	KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="/usr/local/bin/alcasar-sms.sh --mode"
		1760	EOF
		1761
1376	richard	1762	} # END gammu_smsd()
		1763
		1764	##################################################################
1221	richard	1765	## Fonction "post_install" ##
1	root	1766	## - Modification des bannières (locales et ssh) et des prompts ##
		1767	## - Installation de la structure de chiffrement pour root ##
		1768	## - Mise en place du sudoers et de la sécurité sur les fichiers##
		1769	## - Mise en place du la rotation des logs ##
5	franck	1770	## - Configuration dans le cas d'une mise à jour ##
1	root	1771	##################################################################
		1772	post_install()
		1773	{
		1774	# création de la bannière locale
1007	richard	1775	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		1776	cp -f $DIR_CONF/banner /etc/mageia-release
		1777	echo " V$VERSION" >> /etc/mageia-release
1	root	1778	# création de la bannière SSH
1007	richard	1779	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
5	franck	1780	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1781	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1782	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1783	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1784	# postfix banner anonymisation
		1785	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
604	richard	1786	# sshd écoute côté LAN et WAN
1499	richard	1787	$SED "s?^#ListenAddress.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
860	richard	1788	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
628	richard	1789	echo "SSH=off" >> $CONF_FILE
1063	richard	1790	echo 'SSH_ADMIN_FROM=0.0.0.0/0.0.0.0' >> $CONF_FILE
628	richard	1791	echo "QOS=off" >> $CONF_FILE
		1792	echo "LDAP=off" >> $CONF_FILE
786	richard	1793	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
885	richard	1794	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1078	franck	1795	echo "MULTIWAN=off" >> $CONF_FILE
		1796	echo "FAILOVER=30" >> $CONF_FILE
		1797	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1336	richard	1798	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
		1799	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1	root	1800	# Coloration des prompts
		1801	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1802	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1803	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1	root	1804	# Droits d'exécution pour utilisateur apache et sysadmin
		1805	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1806	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1807	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
1342	richard	1808	# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, radiusd, ulogd)
1	root	1809	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		1810	chmod 644 /etc/logrotate.d/*
714	franck	1811	# rectification sur versions précédentes de la compression des logs
706	franck	1812	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		1813	# actualisation des fichiers logs compressés
1342	richard	1814	for dir in firewall dansguardian httpd
706	franck	1815	do
714	franck	1816	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	1817	done
1221	richard	1818	# create the alcasar-load_balancing unit
		1819	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1184	crox53	1820	# This file is part of systemd.
		1821	#
		1822	# systemd is free software; you can redistribute it and/or modify it
		1823	# under the terms of the GNU General Public License as published by
		1824	# the Free Software Foundation; either version 2 of the License, or
		1825	# (at your option) any later version.
		1826
		1827	# This unit lauches alcasar-load-balancing.sh script.
		1828	[Unit]
		1829	Description=alcasar-load_balancing.sh execution
		1830	After=network.target iptables.service
		1831
		1832	[Service]
		1833	Type=oneshot
		1834	RemainAfterExit=yes
		1835	ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
		1836	ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
		1837	TimeoutSec=0
		1838	SysVStartPriority=99
		1839
		1840	[Install]
		1841	WantedBy=multi-user.target
1157	stephane	1842	EOF
1221	richard	1843	# processes launched at boot time (SYSV)
1486	richard	1844	for i in havp tinyproxy
1221	richard	1845	do
		1846	/sbin/chkconfig --add $i
		1847	done
		1848	# processes launched at boot time (Systemctl)
1472	richard	1849	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban
1221	richard	1850	do
1389	richard	1851	systemctl -q enable $i.service
1221	richard	1852	done
1452	richard	1853
		1854	# disable processes at boot time (Systemctl)
		1855	for i in ulogd
		1856	do
		1857	systemctl -q disable $i.service
		1858	done
		1859
1221	richard	1860	# Apply French Security Agency (ANSSI) rules
1362	richard	1861	# ignore ICMP broadcast (smurf attack)
		1862	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
		1863	# ignore ICMP errors bogus
		1864	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
		1865	# remove ICMP redirects responces
		1866	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1867	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1868	# enable SYN Cookies (Syn flood attacks)
		1869	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
		1870	# enable kernel antispoofing
		1871	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
		1872	# ignore source routing
		1873	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
		1874	# set conntrack timer to 1h (3600s) instead of 5 weeks
		1875	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1157	stephane	1876	# disable log_martians (ALCASAR is often installed between two private network addresses)
1363	richard	1877	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1362	richard	1878	# remove Magic SysReq Keys
1363	richard	1879	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1003	richard	1880	# switch to multi-users runlevel (instead of x11)
1221	richard	1881	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1005	richard	1882	# GRUB modifications
		1883	# limit wait time to 3s
		1884	# create an alcasar entry instead of linux-nonfb
		1885	# change display to 1024*768 (vga791)
1221	richard	1886	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
		1887	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
		1888	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
		1889	$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
		1890	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
		1891	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1003	richard	1892	# Remove unused services and users
1378	richard	1893	for svc in sshd.service
1221	richard	1894	do
1362	richard	1895	/bin/systemctl -q disable $svc
1221	richard	1896	done
		1897	# Load and apply the previous conf file
		1898	if [ "$mode" = "update" ]
532	richard	1899	then
1266	richard	1900	$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs
1221	richard	1901	$DIR_DEST_BIN/alcasar-conf.sh --load
		1902	PARENT_SCRIPT=`basename $0`
		1903	export PARENT_SCRIPT # to avoid stop&start process during the installation process
		1904	$DIR_DEST_BIN/alcasar-conf.sh --apply
		1905	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		1906	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
1269	richard	1907	if [ $MAJ_PREVIOUS_VERSION -lt 2 ] \|\| ([ $MAJ_PREVIOUS_VERSION -eq 2 ] && [ $MIN_PREVIOUS_VERSION -lt 8 ])
		1908	# update needed for versions previous then 2.8 due to the integration of the domainname ("localdomain" by default)
		1909	then
		1910	header_install
		1911	if [ $Lang == "fr" ]
		1912	then
		1913	echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
		1914	echo
		1915	echo -n "Nom : "
		1916	else
		1917	echo "This update need to redefine the first admin account"
		1918	echo
		1919	echo -n "Account : "
		1920	fi
		1921	read admin_portal
		1922	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		1923	mkdir -p $DIR_DEST_ETC/digest
		1924	chmod 755 $DIR_DEST_ETC/digest
		1925	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		1926	do
1350	richard	1927	/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
1269	richard	1928	done
		1929	$DIR_DEST_SBIN/alcasar-profil.sh --list
		1930	fi
532	richard	1931	fi
1221	richard	1932	rm -f /tmp/alcasar-conf*
		1933	chown -R root:apache $DIR_DEST_ETC/*
		1934	chmod -R 660 $DIR_DEST_ETC/*
		1935	chmod ug+x $DIR_DEST_ETC/digest
1045	franck	1936	# Apply and save the firewall rules
		1937	sh $DIR_DEST_BIN/alcasar-iptables.sh
		1938	sleep 2
1	root	1939	cd $DIR_INSTALL
5	franck	1940	echo ""
1	root	1941	echo "#############################################################################"
638	richard	1942	if [ $Lang == "fr" ]
		1943	then
		1944	echo "# Fin d'installation d'ALCASAR #"
		1945	echo "# #"
		1946	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1947	echo "# des Accès au Réseau ( ALCASAR ) #"
		1948	echo "# #"
		1949	echo "#############################################################################"
		1950	echo
		1951	echo "- ALCASAR sera fonctionnel après redémarrage du système"
		1952	echo
		1953	echo "- Lisez attentivement la documentation d'exploitation"
		1954	echo
		1955	echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		1956	echo
		1957	echo " Appuyez sur 'Entrée' pour continuer"
		1958	else
		1959	echo "# Enf of ALCASAR install process #"
		1960	echo "# #"
		1961	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1962	echo "# des Accès au Réseau ( ALCASAR ) #"
		1963	echo "# #"
		1964	echo "#############################################################################"
		1965	echo
		1966	echo "- The system will be rebooted in order to operate ALCASAR"
		1967	echo
		1968	echo "- Read the exploitation documentation"
		1969	echo
		1970	echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		1971	echo
		1972	echo " Hit 'Enter' to continue"
		1973	fi
815	richard	1974	sleep 2
		1975	if [ "$mode" != "update" ]
820	richard	1976	then
815	richard	1977	read a
		1978	fi
774	richard	1979	clear
1	root	1980	reboot
		1981	} # End post_install ()
		1982
		1983	#################################
1005	richard	1984	# Main Install loop #
1	root	1985	#################################
832	richard	1986	dir_exec=`dirname "$0"`
		1987	if [ $dir_exec != "." ]
		1988	then
		1989	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
		1990	echo "Launch this program from the ALCASAR archive directory"
		1991	exit 0
		1992	fi
		1993	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	1994	usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"
1	root	1995	nb_args=$#
		1996	args=$1
		1997	if [ $nb_args -eq 0 ]
		1998	then
		1999	nb_args=1
		2000	args="-h"
		2001	fi
1062	richard	2002	chmod -R u+x $DIR_SCRIPTS/*
1	root	2003	case $args in
		2004	-\? \| -h* \| --h*)
		2005	echo "$usage"
		2006	exit 0
		2007	;;
291	franck	2008	-i \| --install)
959	franck	2009	license
5	franck	2010	header_install
29	richard	2011	testing
595	richard	2012	# RPMs install
		2013	$DIR_SCRIPTS/alcasar-urpmi.sh
		2014	if [ "$?" != "0" ]
1	root	2015	then
595	richard	2016	exit 0
		2017	fi
1249	richard	2018	if [ -e $CONF_FILE ]
595	richard	2019	then
597	richard	2020	# Uninstall the running version
532	richard	2021	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
595	richard	2022	fi
636	richard	2023	# Test if manual update
1362	richard	2024	if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
595	richard	2025	then
636	richard	2026	header_install
595	richard	2027	if [ $Lang == "fr" ]
636	richard	2028	then echo "Le fichier de configuration d'une ancienne version a été trouvé";
		2029	else echo "The configuration file of an old version has been found";
595	richard	2030	fi
597	richard	2031	response=0
		2032	PTN='^[oOnNyY]$'
		2033	until [[ $(expr $response : $PTN) -gt 0 ]]
		2034	do
		2035	if [ $Lang == "fr" ]
		2036	then echo -n "Voulez-vous l'utiliser (O/n)? ";
		2037	else echo -n "Do you want to use it (Y/n)?";
		2038	fi
		2039	read response
		2040	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		2041	then rm -f /tmp/alcasar-conf*
		2042	fi
		2043	done
		2044	fi
636	richard	2045	# Test if update
1057	richard	2046	if [ -e /tmp/alcasar-conf* ]
597	richard	2047	then
		2048	if [ $Lang == "fr" ]
		2049	then echo "#### Installation avec mise à jour ####";
		2050	else echo "#### Installation with update ####";
		2051	fi
636	richard	2052	# Extract the central configuration file
1057	richard	2053	tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
637	richard	2054	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	2055	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		2056	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		2057	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		2058	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	2059	mode="update"
1	root	2060	fi
1486	richard	2061	for func in init network ACC CA init_db radius radius_web chilli dansguardian antivirus tinyproxy ulogd nfsen dnsmasq BL cron fail2ban gammu_smsd post_install
5	franck	2062	do
		2063	$func
1362	richard	2064	# echo "* 'debug' : end of function $func *"; read a
14	richard	2065	done
5	franck	2066	;;
291	franck	2067	-u \| --uninstall)
5	franck	2068	if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1	root	2069	then
597	richard	2070	if [ $Lang == "fr" ]
		2071	then echo "ALCASAR n'est pas installé!";
		2072	else echo "ALCASAR isn't installed!";
		2073	fi
1	root	2074	exit 0
		2075	fi
5	franck	2076	response=0
		2077	PTN='^[oOnN]$'
580	richard	2078	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	2079	do
597	richard	2080	if [ $Lang == "fr" ]
		2081	then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
854	richard	2082	else echo -n "Do you want to create the running version configuration file (Y/n)? ";
597	richard	2083	fi
5	franck	2084	read response
		2085	done
1103	richard	2086	if [ "$response" = "o" ] \|\| [ "$response" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]
1	root	2087	then
1103	richard	2088	$DIR_SCRIPTS/alcasar-conf.sh --create
498	richard	2089	else
		2090	rm -f /tmp/alcasar-conf*
1	root	2091	fi
597	richard	2092	# Uninstall the running version
65	richard	2093	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1	root	2094	;;
		2095	*)
		2096	echo "Argument inconnu :$1";
460	richard	2097	echo "Unknown argument :$1";
1	root	2098	echo "$usage"
		2099	exit 1
		2100	;;
		2101	esac
10	franck	2102	# end of script
366	franck	2103

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1499