WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
57	franck	2	# $Id: alcasar.sh 1525 2014-12-21 10:50:00Z franck $
1	root	3
		4	# alcasar.sh
959	franck	5
1157	stephane	6	# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
		7	# Ce programme est un logiciel libre ; This software is free and open source
959	franck	8	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		9	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		10	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		11	# Voir la Licence Publique Générale GNU pour plus de détails.
		12
967	franck	13	# team@alcasar.net
959	franck	14
1	root	15	# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
		16	# This script is distributed under the Gnu General Public License (GPL)
		17
672	richard	18	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	19	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	20	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
1007	richard	21	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
672	richard	22	#
1342	richard	23	# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, havp, libclamav, Ulog, fail2ban, NFsen and NFdump
1	root	24
		25	# Options :
376	franck	26	# -i or --install
		27	# -u or --uninstall
1	root	28
376	franck	29	# Functions :
1378	richard	30	# testing : connectivity tests, free space test and mageia version test
1221	richard	31	# init : Installation of RPM and scripts
		32	# network : Network parameters
		33	# ACC : ALCASAR Control Center installation
		34	# CA : Certification Authority initialization
		35	# init_db : Initilization of radius database managed with MariaDB
1389	richard	36	# radius : FreeRadius initialisation
		37	# radius_web : copy ans modifiy original "freeradius web" in ACC
		38	# chilli : coovachilli initialisation (+authentication page)
		39	# dansguardian : DansGuardian filtering HTTP proxy configuration
1221	richard	40	# antivirus : HAVP + libclamav configuration
1485	richard	41	# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus"
1389	richard	42	# ulogd : log system in userland (match NFLOG target of iptables)
		43	# nfsen : : Configuration du grapheur nfsen pour apache
1253	richard	44	# dnsmasq : Name server configuration
		45	# BL : BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
1266	richard	46	# cron : Logs export + watchdog + connexion statistics
1389	richard	47	# fail2ban : Fail2ban IDS installation and configuration
		48	# gammu_smsd : Autoregister addon via SMS (gammu-smsd)
1266	richard	49	# post_install : Security, log rotation, etc.
1	root	50
		51	DATE=`date '+%d %B %Y - %Hh%M'`
		52	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	53	Lang=`echo $LANG\|cut -c 1-2`
1362	richard	54	mode="install"
1	root	55	# ***** Files parameters - paramètres fichiers *******
1015	richard	56	DIR_INSTALL=`pwd` # current directory
		57	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		58	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
		59	DIR_SAVE="/var/Save" # backup directory (system_backup, user_db_backup, logs)
		60	DIR_WEB="/var/www/html" # directory of APACHE
		61	DIR_DG="/etc/dansguardian" # directory of DansGuardian
		62	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
		63	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		64	DIR_DEST_SBIN="/usr/local/sbin" # directory of ALCASAR admin scripts
		65	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
		66	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
		67	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
		68	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	69	# ***** DBMS parameters - paramètres SGBD ******
1243	richard	70	DB_RADIUS="radius" # database name used by FreeRadius server
		71	DB_USER="radius" # user name allows to request the users database
1349	richard	72	DB_GAMMU="gammu" # database name used by Gammu-smsd
1	root	73	# ***** Network parameters - paramètres réseau *****
1469	richard	74	HOSTNAME="alcasar" # default hostname
1243	richard	75	DOMAIN="localdomain" # default local domain
1471	richard	76	EXTIF=`/sbin/ip route\|grep default\|cut -d" " -f5` # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
1507	richard	77	INTIF=`/sbin/ip link\|grep '^[[:digit:]]:'\|grep -v "lo\\|$EXTIF\\|tun0"\|cut -d" " -f2\|tr -d ":"` # INTIF is connected to the consultation network
1148	crox53	78	MTU="1500"
1243	richard	79	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
1	root	80	# **** Paths - chemin des commandes *****
		81	SED="/bin/sed -i"
		82	# **************** End of global parameters *******************
		83
959	franck	84	license ()
		85	{
		86	if [ $Lang == "fr" ]
967	franck	87	then cat $DIR_INSTALL/gpl-3.0.fr.txt \| more
		88	else cat $DIR_INSTALL/gpl-3.0.txt \| more
959	franck	89	fi
975	franck	90	echo "Taper sur Entrée pour continuer !"
		91	echo "Enter to continue."
959	franck	92	read a
		93	}
		94
1	root	95	header_install ()
		96	{
		97	clear
		98	echo "-----------------------------------------------------------------------------"
460	richard	99	echo " ALCASAR V$VERSION Installation"
1	root	100	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		101	echo "-----------------------------------------------------------------------------"
1389	richard	102	}
1	root	103
		104	##################################################################
1221	richard	105	## Function "testing" ##
1378	richard	106	## - Test of Mageia version ##
1342	richard	107	## - Test of free space on /var (>10G) ##
1005	richard	108	## - Test of Internet access ##
29	richard	109	##################################################################
		110	testing ()
		111	{
1362	richard	112	# Test if ALCASAR is already installed
		113	if [ -e $CONF_FILE ]
		114	then
		115	current_version=`cat $CONF_FILE \| grep VERSION \| cut -d"=" -f2`
1342	richard	116	if [ $Lang == "fr" ]
1362	richard	117	then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
		118	else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
1342	richard	119	fi
1362	richard	120	response=0
		121	PTN='^[oOnNyY]$'
		122	until [[ $(expr $response : $PTN) -gt 0 ]]
		123	do
		124	if [ $Lang == "fr" ]
		125	then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
		126	else echo -n "Do you want to update (Y/n)?";
		127	fi
		128	read response
		129	done
		130	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		131	then
		132	rm -f /tmp/alcasar-conf*
		133	else
1471	richard	134	# Create a backup of running importants files
1362	richard	135	$DIR_SCRIPTS/alcasar-conf.sh --create
		136	mode="update"
		137	fi
		138	else
1365	richard	139	if [ ! -d /var/log/netflow/porttracker ]
		140	then
1378	richard	141	# Test of free space on /var
1365	richard	142	free_space=`df -BG --output=avail /var\|tail -1\|tr -d [:space:]G`
		143	if [ $free_space -lt 10 ]
		144	then
		145	if [ $Lang == "fr" ]
		146	then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
		147	else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
		148	fi
		149	exit 0
1362	richard	150	fi
1378	richard	151	fi
		152	# Test of Mageia version
		153	# extract the current Mageia version and hardware architecture (i586 ou X64)
		154	fic=`cat /etc/product.id`
		155	unknown_os=0
		156	old="$IFS"
		157	IFS=","
		158	set $fic
		159	for i in $*
		160	do
		161	if [ "`echo $i\|grep distribution\|cut -d'=' -f1`" == "distribution" ]
		162	then
		163	DISTRIBUTION=`echo $i\|cut -d"=" -f2`
		164	unknown_os=`expr $unknown_os + 1`
		165	fi
		166	if [ "`echo $i\|grep version\|cut -d'=' -f1`" == "version" ]
		167	then
		168	CURRENT_VERSION=`echo $i\|cut -d"=" -f2`
		169	unknown_os=`expr $unknown_os + 1`
		170	fi
		171	if [ "`echo $i\|grep arch\|cut -d'=' -f1`" == "arch" ]
		172	then
		173	ARCH=`echo $i\|cut -d"=" -f2`
		174	unknown_os=`expr $unknown_os + 1`
		175	fi
		176	done
		177	IFS="$old"
		178	if [[ ( $unknown_os != 3 \|\| "$DISTRIBUTION" != "Mageia" ) && ( "$CURRENT_VERSION" != "4" ) ]]
		179	then
		180	if [ $Lang == "fr" ]
		181	then
		182	echo "L'installation ou la mise @ jour d'ALCASAR ne peut pas être réalisée."
		183	echo "Le système d'exploitation doit être remplacé (Mageia4)"
		184	else
		185	echo "The automatic update of ALCASAR can't be performed."
		186	echo "The OS must be replaced (Mageia4)"
		187	fi
		188	if [ -e /tmp/alcasar-conf.tar.gz ]
		189	then
		190	echo
		191	if [ $Lang == "fr" ]
		192	then
		193	echo "1 - Récupérez le fichier de configuration actuel (/tmp/alcasar-conf.tar.gz)."
		194	echo "2 - Installez Linux-Mageia4 (cf. doc d'installation)"
		195	echo "3 - copiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancer l'installation d'ALCASAR"
		196	else
		197	echo "1 - Retrieve the configuration file (/tmp/alcasar-conf.tar.gz)"
		198	echo "2 - Install Linux-Mageia4 (cf. installation doc)"
		199	echo "3 - Copy the file 'alcasar-conf.tar.gz' in the folder '/tmp' before launching the installation of ALCASAR"
		200	fi
		201	fi
		202	exit 0
		203	fi
1342	richard	204	fi
1378	richard	205	if [ $Lang == "fr" ]
784	richard	206	then echo -n "Tests des paramètres réseau : "
595	richard	207	else echo -n "Network parameters tests : "
		208	fi
1471	richard	209
		210	# Test of Ethernet links state
		211	DOWN_IF=`/sbin/ip link\|grep "NO-CARRIER"\|cut -d":" -f2\|tr -d " "`
		212	for i in $DOWN_IF
		213	do
		214	if [ $Lang == "fr" ]
		215	then
		216	echo "Échec"
		217	echo "Le lien réseau de la carte $i n'est pas actif."
		218	echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
		219	else
		220	echo "Failed"
		221	echo "The link state of $i interface is down."
		222	echo "Make sure that this network card is connected to a switch or an A.P."
		223	fi
		224	exit 0
		225	done
		226	echo -n "."
		227
		228	# Test EXTIF config files
1499	richard	229	PUBLIC_IP_MASK=`ip addr show $EXTIF\|grep "inet "\|cut -d" " -f6`
		230	PUBLIC_IP=`echo $PUBLIC_IP_MASK \| cut -d"/" -f1`
		231	PUBLIC_GATEWAY=`ip route list\|grep ^default\|cut -d" " -f3`
1471	richard	232	if [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
		233	then
784	richard	234	if [ $Lang == "fr" ]
		235	then
		236	echo "Échec"
		237	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		238	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	239	echo "Appliquez les changements : 'systemctl restart network'"
784	richard	240	else
		241	echo "Failed"
		242	echo "The Internet connected network card ($EXTIF) isn't well configured."
		243	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	244	echo "Apply the new configuration 'systemctl restart network'"
784	richard	245	fi
830	richard	246	echo "DEVICE=$EXTIF"
784	richard	247	echo "IPADDR="
		248	echo "NETMASK="
		249	echo "GATEWAY="
		250	echo "DNS1="
		251	echo "DNS2="
830	richard	252	echo "ONBOOT=yes"
784	richard	253	exit 0
		254	fi
		255	echo -n "."
1471	richard	256
		257	# Test if router is alive (Box FAI)
784	richard	258	if [ `ip route list\|grep -c ^default` -ne "1" ] ; then
595	richard	259	if [ $Lang == "fr" ]
		260	then
		261	echo "Échec"
		262	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		263	echo "Réglez ce problème puis relancez ce script."
		264	else
		265	echo "Failed"
		266	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		267	echo "Resolv this problem, then restart this script."
		268	fi
29	richard	269	exit 0
		270	fi
308	richard	271	echo -n "."
978	franck	272	# On teste le lien vers le routeur par defaut
1499	richard	273	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY\|grep response\|cut -d" " -f2`
527	richard	274	if [ $(expr $arp_reply) -eq 0 ]
308	richard	275	then
595	richard	276	if [ $Lang == "fr" ]
		277	then
		278	echo "Échec"
1499	richard	279	echo "Le routeur de site ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
595	richard	280	echo "Réglez ce problème puis relancez ce script."
		281	else
		282	echo "Failed"
		283	echo "The Internet gateway doesn't answered"
		284	echo "Resolv this problem, then restart this script."
		285	fi
308	richard	286	exit 0
		287	fi
		288	echo -n "."
421	franck	289	# On teste la connectivité Internet
29	richard	290	rm -rf /tmp/con_ok.html
308	richard	291	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	292	if [ ! -e /tmp/con_ok.html ]
		293	then
595	richard	294	if [ $Lang == "fr" ]
		295	then
		296	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		297	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		298	echo "Vérifiez la validité des adresses IP des DNS."
		299	else
		300	echo "The Internet connection try failed (google.fr)."
		301	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		302	echo "Verify the DNS IP addresses"
		303	fi
29	richard	304	exit 0
		305	fi
		306	rm -rf /tmp/con_ok.html
308	richard	307	echo ". : ok"
1389	richard	308	} # end of testing ()
302	richard	309
		310	##################################################################
1221	richard	311	## Function "init" ##
302	richard	312	## - Création du fichier "/root/ALCASAR_parametres.txt" ##
		313	## - Installation et modification des scripts du portail ##
		314	##################################################################
		315	init ()
		316	{
527	richard	317	if [ "$mode" != "update" ]
302	richard	318	then
		319	# On affecte le nom d'organisme
597	richard	320	header_install
302	richard	321	ORGANISME=!
		322	PTN='^[a-zA-Z0-9-]*$'
580	richard	323	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
302	richard	324	do
595	richard	325	if [ $Lang == "fr" ]
597	richard	326	then echo -n "Entrez le nom de votre organisme : "
		327	else echo -n "Enter the name of your organism : "
595	richard	328	fi
330	franck	329	read ORGANISME
613	richard	330	if [ "$ORGANISME" == "" ]
330	franck	331	then
		332	ORGANISME=!
		333	fi
		334	done
302	richard	335	fi
1	root	336	# On crée aléatoirement les mots de passe et les secrets partagés
628	richard	337	rm -f $PASSWD_FILE
1350	richard	338	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
		339	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
628	richard	340	echo "$grubpwd" >> $PASSWD_FILE
1348	richard	341	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
384	richard	342	$SED "/^password.*/d" /boot/grub/menu.lst
		343	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
1350	richard	344	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	345	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
628	richard	346	echo "root / $mysqlpwd" >> $PASSWD_FILE
1350	richard	347	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	348	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
628	richard	349	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
1350	richard	350	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	351	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
		352	echo "$secretuam" >> $PASSWD_FILE
1350	richard	353	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	354	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
		355	echo "$secretradius" >> $PASSWD_FILE
		356	chmod 640 $PASSWD_FILE
977	richard	357	# Scripts and conf files copy
		358	# - in /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
5	franck	359	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
977	richard	360	# - in /usr/local/sbin : alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
5	franck	361	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
977	richard	362	# - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
648	richard	363	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
1	root	364	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
		365	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
5	franck	366	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
		367	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
628	richard	368	# generate central conf file
		369	cat <<EOF > $CONF_FILE
612	richard	370	##########################################
		371	## ##
		372	## ALCASAR Parameters ##
		373	## ##
		374	##########################################
1	root	375
612	richard	376	INSTALL_DATE=$DATE
		377	VERSION=$VERSION
		378	ORGANISM=$ORGANISME
923	franck	379	DOMAIN=$DOMAIN
612	richard	380	EOF
628	richard	381	chmod o-rwx $CONF_FILE
1	root	382	} # End of init ()
		383
		384	##################################################################
1221	richard	385	## Function "network" ##
1	root	386	## - Définition du plan d'adressage du réseau de consultation ##
595	richard	387	## - Nommage DNS du système ##
1336	richard	388	## - Configuration de l'interface INTIF (réseau de consultation)##
1	root	389	## - Modification du fichier /etc/hosts ##
		390	## - Configuration du serveur de temps (NTP) ##
		391	## - Renseignement des fichiers hosts.allow et hosts.deny ##
		392	##################################################################
		393	network ()
		394	{
		395	header_install
636	richard	396	if [ "$mode" != "update" ]
		397	then
		398	if [ $Lang == "fr" ]
		399	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		400	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		401	fi
		402	response=0
		403	PTN='^[oOyYnN]$'
		404	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	405	do
595	richard	406	if [ $Lang == "fr" ]
659	richard	407	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	408	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	409	fi
1	root	410	read response
		411	done
636	richard	412	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		413	then
		414	PRIVATE_IP_MASK="0"
		415	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		416	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	417	do
595	richard	418	if [ $Lang == "fr" ]
597	richard	419	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		420	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	421	fi
597	richard	422	read PRIVATE_IP_MASK
1	root	423	done
636	richard	424	else
		425	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		426	fi
595	richard	427	else
637	richard	428	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		429	rm -rf conf/etc/alcasar.conf
1	root	430	fi
861	richard	431	# Define LAN side global parameters
1243	richard	432	hostname $HOSTNAME.$DOMAIN
		433	echo $HOSTNAME.$DOMAIN > /etc/hostname
977	richard	434	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
1499	richard	435	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f4` # last octet of LAN address
977	richard	436	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
1499	richard	437	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
977	richard	438	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
1499	richard	439	if [ $PRIVATE_IP == $PRIVATE_NETWORK ] # when entering network address instead of ip address
		440	then
		441	PRIVATE_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1`
		442	PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
		443	fi
		444	private_ip_ending=`echo $PRIVATE_IP \| cut -d"." -f4` # last octet of LAN address
		445	PRIVATE_SECOND_IP=`echo $PRIVATE_IP \| cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2)
977	richard	446	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
1499	richard	447	classe=$((PRIVATE_PREFIX/8)) # ie.: 2=classe B, 3=classe C
977	richard	448	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		449	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
1499	richard	450	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f4` # last octet of LAN broadcast
		451	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
837	richard	452	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
1336	richard	453	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6` # MAC address of INTIF
841	richard	454	# Define Internet parameters
1499	richard	455	DNS1=`grep ^nameserver /etc/resolv.conf\|cut -d" " -f2\|head -n 1` # 1st DNS server
		456	nb_dns=`grep ^nameserver /etc/resolv.conf\|wc -l`
		457	if [ $nb_dns == 2 ]
		458	then
		459	DNS2=`grep ^nameserver /etc/resolv.conf\|cut -d" " -f2\|tail -n 1` # 2nd DNS server (if exist)
		460	fi
70	franck	461	DNS1=${DNS1:=208.67.220.220}
		462	DNS2=${DNS2:=208.67.222.222}
1499	richard	463	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK \| cut -d"=" -f2`
1052	richard	464	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	465	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
1499	richard	466	# Wrtie the conf file
1469	richard	467	echo "EXTIF=$EXTIF" >> $CONF_FILE
		468	echo "INTIF=$INTIF" >> $CONF_FILE
1499	richard	469	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2` # IP setting (static or dynamic)
		470	if [ $IP_SETTING == "dhcp" ]
		471	then
		472	echo "PUBLIC_IP=dhcp" >> $CONF_FILE
		473	echo "GW=dhcp" >> $CONF_FILE
		474	else
		475	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
		476	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
		477	fi
994	franck	478	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	479	echo "DNS1=$DNS1" >> $CONF_FILE
		480	echo "DNS2=$DNS2" >> $CONF_FILE
		481	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
1484	richard	482	echo "DHCP=on" >> $CONF_FILE
914	franck	483	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		484	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		485	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
1488	richard	486	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
1499	richard	487	# network default
597	richard	488	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
1	root	489	cat <<EOF > /etc/sysconfig/network
		490	NETWORKING=yes
1243	richard	491	HOSTNAME="$HOSTNAME.$DOMAIN"
1	root	492	FORWARD_IPV4=true
		493	EOF
1499	richard	494	# /etc/hosts config
1	root	495	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		496	cat <<EOF > /etc/hosts
503	richard	497	127.0.0.1 localhost
1353	richard	498	$PRIVATE_IP $HOSTNAME.$DOMAIN $HOSTNAME $ORGANISME.$DOMAIN $ORGANISME
1	root	499	EOF
1499	richard	500	# EXTIF (Internet) config
		501	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		502	if [ $IP_SETTING == "dhcp" ]
		503	then
		504	$SED "s?^RESOLV_MODS=.*?RESOLV_MODS=yes?g" /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		505	$SED "s?^PEERDNS=.*?PEERDNS=no?g" /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		506	echo "DNS1=127.0.0.1" >> /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		507	else
		508	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
14	richard	509	DEVICE=$EXTIF
		510	BOOTPROTO=static
597	richard	511	IPADDR=$PUBLIC_IP
		512	NETMASK=$PUBLIC_NETMASK
		513	GATEWAY=$PUBLIC_GATEWAY
14	richard	514	DNS1=127.0.0.1
1499	richard	515	RESOLV_MODS=yes
14	richard	516	ONBOOT=yes
		517	METRIC=10
		518	MII_NOT_SUPPORTED=yes
		519	IPV6INIT=no
		520	IPV6TO4INIT=no
		521	ACCOUNTING=no
		522	USERCTL=no
994	franck	523	MTU=$MTU
14	richard	524	EOF
1499	richard	525	fi
1336	richard	526	# Config INTIF (consultation LAN) in normal mode
841	richard	527	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		528	DEVICE=$INTIF
		529	BOOTPROTO=static
		530	ONBOOT=yes
		531	NOZEROCONF=yes
		532	MII_NOT_SUPPORTED=yes
		533	IPV6INIT=no
		534	IPV6TO4INIT=no
		535	ACCOUNTING=no
		536	USERCTL=no
		537	EOF
1336	richard	538	# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
793	richard	539	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
1	root	540	DEVICE=$INTIF
		541	BOOTPROTO=static
		542	IPADDR=$PRIVATE_IP
604	richard	543	NETMASK=$PRIVATE_NETMASK
1	root	544	ONBOOT=yes
		545	METRIC=10
		546	NOZEROCONF=yes
		547	MII_NOT_SUPPORTED=yes
14	richard	548	IPV6INIT=no
		549	IPV6TO4INIT=no
		550	ACCOUNTING=no
		551	USERCTL=no
1	root	552	EOF
440	franck	553	# Mise à l'heure du serveur
		554	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		555	cat <<EOF > /etc/ntp/step-tickers
455	franck	556	0.fr.pool.ntp.org # adapt to your country
		557	1.fr.pool.ntp.org
		558	2.fr.pool.ntp.org
440	franck	559	EOF
		560	# Configuration du serveur de temps (sur lui même)
1	root	561	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		562	cat <<EOF > /etc/ntp.conf
456	franck	563	server 0.fr.pool.ntp.org # adapt to your country
447	franck	564	server 1.fr.pool.ntp.org
		565	server 2.fr.pool.ntp.org
		566	server 127.127.1.0 # local clock si NTP internet indisponible ...
411	richard	567	fudge 127.127.1.0 stratum 10
604	richard	568	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
1	root	569	restrict 127.0.0.1
310	richard	570	driftfile /var/lib/ntp/drift
1	root	571	logfile /var/log/ntp.log
		572	EOF
440	franck	573
310	richard	574	chown -R ntp:ntp /var/lib/ntp
1	root	575	# Renseignement des fichiers hosts.allow et hosts.deny
		576	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		577	cat <<EOF > /etc/hosts.allow
		578	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	579	sshd: ALL
1	root	580	ntpd: $PRIVATE_NETWORK_SHORT
		581	EOF
		582	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		583	cat <<EOF > /etc/hosts.deny
		584	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		585	EOF
790	richard	586	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	587	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
1069	richard	588	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	589	# load conntrack ftp module
		590	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
		591	echo "ip_conntrack_ftp" >> /etc/modprobe.preload
1159	crox53	592	# load ipt_NETFLOW module
		593	echo "ipt_NETFLOW" >> /etc/modprobe.preload
1513	richard	594	# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
		595	[ -e /lib/systemd/system/iptables.service.default ] \|\| cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
		596	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
		597	[ -e /usr/libexec/iptables.init.default ] \|\| cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
1515	richard	598	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test in order the stop function run (fluxh all rules & policies)
1157	stephane	599	#
860	richard	600	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	601	} # End of network ()
		602
		603	##################################################################
1221	richard	604	## Function "ACC" ##
		605	## - installation du centre de gestion (ALCASAR Control Center) ##
1	root	606	## - configuration du serveur web (Apache) ##
		607	## - définition du 1er comptes de gestion ##
		608	## - sécurisation des accès ##
		609	##################################################################
1221	richard	610	ACC ()
1	root	611	{
		612	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		613	mkdir $DIR_WEB
		614	# Copie et configuration des fichiers du centre de gestion
316	richard	615	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972	richard	616	echo "$VERSION" > $DIR_WEB/VERSION
316	richard	617	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		618	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		619	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		620	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		621	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	622	chown -R apache:apache $DIR_WEB/*
1489	richard	623	# create the backup structure :
		624	# - base = users database
		625	# - system_backup = alcasar conf file + users database
		626	# - archive = tarball of "base + http firewall + netflow"
		627	# - security = watchdog disconnection)
		628	for i in system_backup base archive security;
1	root	629	do
		630	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		631	done
5	franck	632	chown -R root:apache $DIR_SAVE
71	richard	633	# Configuration et sécurisation php
		634	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	635	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		636	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	637	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		638	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71	richard	639	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		640	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
		641	# Configuration et sécurisation Apache
790	richard	642	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1	root	643	[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
1243	richard	644	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
303	richard	645	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1	root	646	$SED "s?^ServerTokens.*?ServerTokens Prod?g" /etc/httpd/conf/httpd.conf
		647	$SED "s?^ServerSignature.*?ServerSignature Off?g" /etc/httpd/conf/httpd.conf
		648	$SED "s?^#ErrorDocument 404 /missing.html.*?ErrorDocument 404 /index.html?g" /etc/httpd/conf/httpd.conf
790	richard	649	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/httpd.conf
		650	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/httpd.conf
		651	$SED "s?^LoadModule autoindex_module.*?#LoadModule autoindex_module modules/mod_autoindex.so?g" /etc/httpd/conf/httpd.conf
		652	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/httpd.conf
		653	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/httpd.conf
		654	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/httpd.conf
990	franck	655	$SED "s?LoadModule speling_module.*?LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/httpd.conf
1359	richard	656	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] \|\| cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
		657	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
		658	[ -e /usr/share/httpd/error/include/top.html.default ] \|\| cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
		659	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
		660	[ -e /usr/share/httpd/error/include/bottom.html.default ] \|\| cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
		661	cat <<EOF > /usr/share/httpd/error/include/bottom.html
1	root	662	</body>
		663	</html>
		664	EOF
		665	# Définition du premier compte lié au profil 'admin'
509	richard	666	header_install
510	richard	667	if [ "$mode" = "install" ]
		668	then
613	richard	669	admin_portal=!
		670	PTN='^[a-zA-Z0-9-]*$'
		671	until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
		672	do
		673	header_install
		674	if [ $Lang == "fr" ]
		675	then
		676	echo ""
		677	echo "Définissez un premier compte d'administration du portail :"
		678	echo
		679	echo -n "Nom : "
		680	else
		681	echo ""
		682	echo "Define the first account allow to administrate the portal :"
		683	echo
		684	echo -n "Account : "
		685	fi
		686	read admin_portal
		687	if [ "$admin_portal" == "" ]
		688	then
		689	admin_portal=!
		690	fi
		691	done
1268	richard	692	# Creation of keys file for the admin account ("admin")
510	richard	693	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		694	mkdir -p $DIR_DEST_ETC/digest
		695	chmod 755 $DIR_DEST_ETC/digest
		696	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		697	do
1350	richard	698	/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
510	richard	699	done
		700	$DIR_DEST_SBIN/alcasar-profil.sh --list
		701	fi
434	richard	702	# synchronisation horaire
		703	ntpd -q -g &
1	root	704	# Sécurisation du centre
988	franck	705	rm -f /etc/httpd/conf/webapps.d/alcasar*
1	root	706	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	707	<Directory $DIR_ACC>
1	root	708	SSLRequireSSL
		709	AllowOverride None
		710	Order deny,allow
		711	Deny from all
		712	Allow from 127.0.0.1
		713	Allow from $PRIVATE_NETWORK_MASK
990	franck	714	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	715	require valid-user
		716	AuthType digest
1243	richard	717	AuthName $HOSTNAME.$DOMAIN
1	root	718	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	719	AuthUserFile $DIR_DEST_ETC/digest/key_all
1243	richard	720	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	721	</Directory>
316	richard	722	<Directory $DIR_ACC/admin>
1	root	723	SSLRequireSSL
		724	AllowOverride None
		725	Order deny,allow
		726	Deny from all
		727	Allow from 127.0.0.1
		728	Allow from $PRIVATE_NETWORK_MASK
990	franck	729	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	730	require valid-user
		731	AuthType digest
1243	richard	732	AuthName $HOSTNAME.$DOMAIN
1	root	733	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	734	AuthUserFile $DIR_DEST_ETC/digest/key_admin
1243	richard	735	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	736	</Directory>
344	richard	737	<Directory $DIR_ACC/manager>
1	root	738	SSLRequireSSL
		739	AllowOverride None
		740	Order deny,allow
		741	Deny from all
		742	Allow from 127.0.0.1
		743	Allow from $PRIVATE_NETWORK_MASK
990	franck	744	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	745	require valid-user
		746	AuthType digest
1243	richard	747	AuthName $HOSTNAME.$DOMAIN
1	root	748	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	749	AuthUserFile $DIR_DEST_ETC/digest/key_manager
1243	richard	750	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	751	</Directory>
316	richard	752	<Directory $DIR_ACC/backup>
		753	SSLRequireSSL
		754	AllowOverride None
		755	Order deny,allow
		756	Deny from all
		757	Allow from 127.0.0.1
		758	Allow from $PRIVATE_NETWORK_MASK
990	franck	759	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
316	richard	760	require valid-user
		761	AuthType digest
1243	richard	762	AuthName $HOSTNAME.$DOMAIN
316	richard	763	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	764	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	765	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
316	richard	766	</Directory>
811	richard	767	Alias /save/ "$DIR_SAVE/"
		768	<Directory $DIR_SAVE>
		769	SSLRequireSSL
		770	Options Indexes
		771	Order deny,allow
		772	Deny from all
		773	Allow from 127.0.0.1
		774	Allow from $PRIVATE_NETWORK_MASK
990	franck	775	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
811	richard	776	require valid-user
		777	AuthType digest
1243	richard	778	AuthName $HOSTNAME.$DOMAIN
811	richard	779	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	780	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
811	richard	781	</Directory>
1	root	782	EOF
1378	richard	783	# Launch after coova
		784	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
1410	richard	785	# Error page management
		786	FIC_ERROR_DOC=`find /etc/httpd/conf -type f -name multilang-errordoc.conf`
		787	[ -e $FIC_ERROR_DOC ] \|\| cp $FIC_ERROR_DOC $FIC_ERROR_DOC.default
		788
		789	cat <<EOF > $FIC_ERROR_DOC
		790	Alias /error/ "/var/www/html/"
		791
		792	<Directory "/usr/share/httpd/error">
		793	AllowOverride None
		794	Options IncludesNoExec
		795	AddOutputFilter Includes html
		796	AddHandler type-map var
		797	Require all granted
		798	LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
		799	ForceLanguagePriority Prefer Fallback
		800	</Directory>
		801
		802	ErrorDocument 400 /error/error.php?error=400
		803	ErrorDocument 401 /error/error.php?error=401
		804	ErrorDocument 403 /error/error.php?error=403
		805	ErrorDocument 404 /error/error.php?error=404
		806	ErrorDocument 405 /error/error.php?error=405
		807	ErrorDocument 408 /error/error.php?error=408
		808	ErrorDocument 410 /error/error.php?error=410
		809	ErrorDocument 411 /error/error.php?error=411
		810	ErrorDocument 412 /error/error.php?error=412
		811	ErrorDocument 413 /error/error.php?error=413
		812	ErrorDocument 414 /error/error.php?error=414
		813	ErrorDocument 415 /error/error.php?error=415
		814	ErrorDocument 500 /error/error.php?error=500
		815	ErrorDocument 501 /error/error.php?error=501
		816	ErrorDocument 502 /error/error.php?error=502
		817	ErrorDocument 503 /error/error.php?error=503
		818	ErrorDocument 506 /error/error.php?error=506
		819	EOF
		820
1525	franck	821	# Initialization of Vnstat
		822	/usr/bin/vnstat -u -i eth0
		823
1389	richard	824	} # End of ACC ()
1	root	825
		826	##########################################################################################
1221	richard	827	## Fonction "CA" ##
1	root	828	## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
		829	##########################################################################################
1221	richard	830	CA ()
1	root	831	{
510	richard	832	$DIR_DEST_BIN/alcasar-CA.sh
800	richard	833	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	834	[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
1410	richard	835
		836	#$SED "s?localhost.crt?alcasar.crt?g" $FIC_VIRTUAL_SSL
		837	#$SED "s?localhost.key?alcasar.key?g" $FIC_VIRTUAL_SSL
		838	#$SED "s?^#SSLCertificateChainFile.*?SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt?" $FIC_VIRTUAL_SSL
		839
		840	cat <<EOF > $FIC_VIRTUAL_SSL
		841	# default SSL virtual host, used for all HTTPS requests that do not
		842	# match a ServerName or ServerAlias in any <VirtualHost> block.
		843
		844	<VirtualHost _default_:443>
		845	# general configuration
		846	ServerAdmin root@localhost
		847	ServerName localhost
		848
		849	# SSL configuration
		850	SSLEngine on
		851	SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
		852	SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
		853	SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
		854	CustomLog logs/ssl_request_log \
		855	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
		856	ErrorLog logs/ssl_error_log
		857	ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
		858	</VirtualHost>
		859	EOF
		860
5	franck	861	chown -R root:apache /etc/pki
1	root	862	chmod -R 750 /etc/pki
1389	richard	863	} # End of CA ()
1	root	864
		865	##########################################################################################
1221	richard	866	## Fonction "init_db" ##
1	root	867	## - Initialisation de la base Mysql ##
		868	## - Affectation du mot de passe de l'administrateur (root) ##
		869	## - Suppression des bases et des utilisateurs superflus ##
		870	## - Création de la base 'radius' ##
		871	## - Installation du schéma de cette base ##
		872	## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##
		873	## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##
		874	##########################################################################################
		875	init_db ()
		876	{
1355	richard	877	rm -rf /var/lib/mysql # to be sure that there is no former installation
1	root	878	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
		879	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
1355	richard	880	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
1353	richard	881	systemctl start mysqld.service
1	root	882	sleep 4
		883	mysqladmin -u root password $mysqlpwd
		884	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1355	richard	885	# Secure the server
		886	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
		887	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
615	richard	888	# Create 'radius' database
1317	richard	889	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
615	richard	890	# Add an empty radius database structure
364	franck	891	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
615	richard	892	# modify the start script in order to close accounting connexion when the system is comming down or up
1357	richard	893	[ -e /lib/systemd/system/mysqld.service.default ] \|\| cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
1515	richard	894	$SED "/ExecStartPost=/a ExecStop=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
		895	$SED "/ExecStartPost=/a ExecStartPost=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
1355	richard	896	systemctl daemon-reload
1389	richard	897	} # End of init_db ()
1	root	898
		899	##########################################################################
1389	richard	900	## Fonction "radius" ##
1	root	901	## - Paramètrage des fichiers de configuration FreeRadius ##
		902	## - Affectation du secret partagé entre coova-chilli et freeradius ##
		903	## - Modification de fichier de conf pour l'accès à Mysql ##
		904	##########################################################################
1389	richard	905	radius ()
1	root	906	{
		907	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
		908	chown -R radius:radius /etc/raddb
		909	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1278	richard	910	# Set radius.conf parameters
1	root	911	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		912	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		913	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
1278	richard	914	# remove the proxy function
1	root	915	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf
		916	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
1278	richard	917	# remove EAP module
654	richard	918	$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1278	richard	919	# listen on loopback (should be modified later if EAP enabled)
1	root	920	$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
1278	richard	921	# enable the SQL module (and SQL counter)
1	root	922	$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
		923	$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
		924	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1465	richard	925	# only include modules for ALCASAR needs
		926	$SED "s?^[\t ]\$INCLUDE \${confdir}/modules/.?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
		927	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
		928	$SED "s?^[\t ]expr.?\#\texpr?g" /etc/raddb/radiusd.conf
		929	$SED "s?^[\t ]\# daily.?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
		930	$SED "s?^[\t ]logintime.?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
		931	$SED "s?^[\t ]\$INCLUDE sites-enabled/.?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
1278	richard	932	# remvove virtual server and copy our conf file
1	root	933	rm -f /etc/raddb/sites-enabled/*
1278	richard	934	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1	root	935	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
		936	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
		937	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
		938	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
384	richard	939	# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1	root	940	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1278	richard	941	# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1	root	942	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		943	cat << EOF > /etc/raddb/clients.conf
		944	client 127.0.0.1 {
		945	secret = $secretradius
		946	shortname = localhost
		947	}
		948	EOF
1278	richard	949	# sql.conf modification
1	root	950	[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
		951	$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
		952	$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
		953	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
		954	$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf
1278	richard	955	# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.)
1	root	956	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1278	richard	957	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
		958	# counter.conf modification (change the Max-All-Session-Time counter)
		959	[ -e /etc/raddb/sql/mysql/counter.conf.default ] \|\| cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
		960	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
		961	chown -R radius:radius /etc/raddb/sql/mysql/*
1358	richard	962	# make certain that mysql is up before radius start
		963	[ -e /lib/systemd/system/radiusd.service.default ] \|\| cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
		964	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
		965	systemctl daemon-reload
1389	richard	966	} # End radius ()
1	root	967
		968	##########################################################################
1389	richard	969	## Function "radius_web" ##
1	root	970	## - Import, modification et paramètrage de l'interface "dialupadmin" ##
		971	## - Création du lien vers la page de changement de mot de passe ##
		972	##########################################################################
1389	richard	973	radius_web ()
1	root	974	{
		975	# copie de l'interface d'origine dans la structure Alcasar
316	richard	976	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
		977	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme
		978	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
344	richard	979	# copie des fichiers modifiés
		980	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
316	richard	981	chown -R apache:apache $DIR_ACC/manager/
344	richard	982	# Modification des fichiers de configuration
1	root	983	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
503	richard	984	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1	root	985	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		986	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		987	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
		988	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
		989	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
		990	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
		991	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
946	richard	992	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
344	richard	993	[ -e /etc/freeradius-web/config.php.default ] \|\| cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
1278	richard	994	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
131	richard	995	cat <<EOF > /etc/freeradius-web/naslist.conf
632	richard	996	nas1_name: alcasar-$ORGANISME
1	root	997	nas1_model: Portail captif
		998	nas1_ip: $PRIVATE_IP
		999	nas1_port_num: 0
		1000	nas1_community: public
		1001	EOF
		1002	# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
		1003	[ -e /etc/freeradius-web/user_edit.attrs.default ] \|\| mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
1278	richard	1004	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
114	richard	1005	# Ajout du mappage des attributs chillispot
		1006	[ -e /etc/freeradius-web/sql.attrmap.default ] \|\| mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
1278	richard	1007	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
1	root	1008	# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
1278	richard	1009	[ -e /etc/freeradius-web/sql.attrs.default ] \|\| cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
1	root	1010	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
		1011	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
5	franck	1012	chown -R apache:apache /etc/freeradius-web
1	root	1013	# Ajout de l'alias vers la page de "changement de mot de passe usager"
		1014	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
344	richard	1015	<Directory $DIR_WEB/pass>
1	root	1016	SSLRequireSSL
		1017	AllowOverride None
		1018	Order deny,allow
		1019	Deny from all
		1020	Allow from 127.0.0.1
		1021	Allow from $PRIVATE_NETWORK_MASK
1243	richard	1022	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
1	root	1023	</Directory>
		1024	EOF
1389	richard	1025	} # End of radius_web ()
1	root	1026
799	richard	1027	##################################################################################
1389	richard	1028	## Fonction "chilli" ##
799	richard	1029	## - Création du fichier d'initialisation et de configuration de coova-chilli ##
		1030	## - Paramètrage de la page d'authentification (intercept.php) ##
		1031	##################################################################################
1389	richard	1032	chilli ()
1	root	1033	{
1370	richard	1034	# chilli unit for systemd
		1035	cat << EOF > /lib/systemd/system/chilli.service
1372	richard	1036	# This file is part of systemd.
		1037	#
		1038	# systemd is free software; you can redistribute it and/or modify it
		1039	# under the terms of the GNU General Public License as published by
		1040	# the Free Software Foundation; either version 2 of the License, or
		1041	# (at your option) any later version.
1370	richard	1042	[Unit]
		1043	Description=chilli is a captive portal daemon
		1044	After=network.target
		1045
		1046	[Service]
1379	richard	1047	Type=forking
1370	richard	1048	ExecStart=/usr/libexec/chilli start
		1049	ExecStop=/usr/libexec/chilli stop
		1050	ExecReload=/usr/libexec/chilli reload
		1051	PIDFile=/var/run/chilli.pid
		1052
		1053	[Install]
		1054	WantedBy=multi-user.target
		1055	EOF
799	richard	1056	# init file creation
1370	richard	1057	[ -e /etc/init.d/chilli.default ] \|\| mv /etc/init.d/chilli /etc/init.d/chilli.default
		1058	cat <<EOF > /usr/libexec/chilli
799	richard	1059	#!/bin/sh
		1060	#
		1061	# chilli CoovaChilli init
		1062	#
		1063	# chkconfig: 2345 65 35
		1064	# description: CoovaChilli
		1065	### BEGIN INIT INFO
		1066	# Provides: chilli
		1067	# Required-Start: network
		1068	# Should-Start:
		1069	# Required-Stop: network
		1070	# Should-Stop:
		1071	# Default-Start: 2 3 5
		1072	# Default-Stop:
		1073	# Description: CoovaChilli access controller
		1074	### END INIT INFO
		1075
		1076	[ -f /usr/sbin/chilli ] \|\| exit 0
		1077	. /etc/init.d/functions
		1078	CONFIG=/etc/chilli.conf
		1079	pidfile=/var/run/chilli.pid
		1080	[ -f \$CONFIG ] \|\| {
		1081	echo "\$CONFIG Not found"
		1082	exit 0
		1083	}
		1084	RETVAL=0
		1085	prog="chilli"
		1086	case \$1 in
		1087	start)
		1088	if [ -f \$pidfile ] ; then
		1089	gprintf "chilli is already running"
		1090	else
		1091	gprintf "Starting \$prog: "
		1092	rm -f /var/run/chilli* # cleaning
		1093	/sbin/modprobe tun >/dev/null 2>&1
		1094	echo 1 > /proc/sys/net/ipv4/ip_forward
		1095	[ -e /dev/net/tun ] \|\| {
		1096	(cd /dev;
		1097	mkdir net;
		1098	cd net;
		1099	mknod tun c 10 200)
		1100	}
1336	richard	1101	ifconfig $INTIF 0.0.0.0
799	richard	1102	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		1103	RETVAL=$?
		1104	fi
		1105	;;
		1106
		1107	reload)
		1108	killall -HUP chilli
		1109	;;
		1110
		1111	restart)
		1112	\$0 stop
		1113	sleep 2
		1114	\$0 start
		1115	;;
		1116
		1117	status)
		1118	status chilli
		1119	RETVAL=0
		1120	;;
		1121
		1122	stop)
		1123	if [ -f \$pidfile ] ; then
		1124	gprintf "Shutting down \$prog: "
		1125	killproc /usr/sbin/chilli
		1126	RETVAL=\$?
		1127	[ \$RETVAL = 0 ] && rm -f $pidfile
		1128	else
		1129	gprintf "chilli is not running"
		1130	fi
		1131	;;
		1132
		1133	*)
		1134	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		1135	exit 1
		1136	esac
		1137	echo
		1138	EOF
1373	richard	1139	chmod a+x /usr/libexec/chilli
799	richard	1140	# conf file creation
346	richard	1141	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
		1142	cat <<EOF > /etc/chilli.conf
		1143	# coova config for ALCASAR
		1144	cmdsocket /var/run/chilli.sock
1336	richard	1145	unixipc chilli.$INTIF.ipc
		1146	pidfile /var/run/chilli.$INTIF.pid
346	richard	1147	net $PRIVATE_NETWORK_MASK
595	richard	1148	dhcpif $INTIF
841	richard	1149	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	1150	#nodynip
865	richard	1151	#statip
		1152	dynip $PRIVATE_NETWORK_MASK
1249	richard	1153	domain $DOMAIN
355	richard	1154	dns1 $PRIVATE_IP
		1155	dns2 $PRIVATE_IP
346	richard	1156	uamlisten $PRIVATE_IP
503	richard	1157	uamport 3990
837	richard	1158	macauth
		1159	macpasswd password
1243	richard	1160	locationname $HOSTNAME.$DOMAIN
346	richard	1161	radiusserver1 127.0.0.1
		1162	radiusserver2 127.0.0.1
		1163	radiussecret $secretradius
		1164	radiusauthport 1812
		1165	radiusacctport 1813
1243	richard	1166	uamserver https://$HOSTNAME.$DOMAIN/intercept.php
		1167	radiusnasid $HOSTNAME.$DOMAIN
346	richard	1168	uamsecret $secretuam
1249	richard	1169	uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN
346	richard	1170	coaport 3799
1379	richard	1171	conup $DIR_DEST_BIN/alcasar-conup.sh
		1172	condown $DIR_DEST_BIN/alcasar-condown.sh
503	richard	1173	include $DIR_DEST_ETC/alcasar-uamallowed
		1174	include $DIR_DEST_ETC/alcasar-uamdomain
1294	richard	1175	#dhcpgateway
1157	stephane	1176	#dhcprelayagent
		1177	#dhcpgatewayport
346	richard	1178	EOF
1336	richard	1179	# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
977	richard	1180	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
840	richard	1181	# create files for trusted domains and urls
1148	crox53	1182	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	1183	chown root:apache $DIR_DEST_ETC/alcasar-*
		1184	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	1185	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	1186	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
		1187	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
796	richard	1188	# user 'chilli' creation (in order to run conup/off and up/down scripts
		1189	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		1190	if [ "$chilli_exist" == "1" ]
		1191	then
		1192	userdel -r chilli 2>/dev/null
		1193	fi
		1194	groupadd -f chilli
		1195	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1389	richard	1196	} # End of chilli ()
1349	richard	1197
1	root	1198	##################################################################
1389	richard	1199	## Fonction "dansguardian" ##
1	root	1200	## - Paramètrage du gestionnaire de contenu Dansguardian ##
		1201	##################################################################
1389	richard	1202	dansguardian ()
1	root	1203	{
		1204	mkdir /var/dansguardian
		1205	chown dansguardian /var/dansguardian
1375	richard	1206	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1391	richard	1207	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
497	richard	1208	[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1293	richard	1209	# By default the filter is off
497	richard	1210	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1293	richard	1211	# French deny HTML page
497	richard	1212	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1293	richard	1213	# Listen only on LAN side
497	richard	1214	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1342	richard	1215	# DG send its flow to HAVP
		1216	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1293	richard	1217	# replace the default deny HTML page
1	root	1218	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
		1219	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1293	richard	1220	# Don't log
		1221	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
		1222	# Run 10 daemons (20 in largest server)
659	richard	1223	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1	root	1224	# on désactive par défaut le controle de contenu des pages html
497	richard	1225	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
		1226	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1227	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1	root	1228	# on désactive par défaut le contrôle d'URL par expressions régulières
497	richard	1229	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1230	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1	root	1231	# on désactive par défaut le contrôle de téléchargement de fichiers
497	richard	1232	[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
		1233	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
		1234	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1235	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1236	touch $DIR_DG/lists/bannedextensionlist
		1237	touch $DIR_DG/lists/bannedmimetypelist
		1238	# 'Safesearch' regex actualisation
498	richard	1239	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1240	# empty LAN IP list that won't be WEB filtered
		1241	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1242	touch $DIR_DG/lists/exceptioniplist
		1243	# Keep a copy of URL & domain filter configuration files
		1244	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1245	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1389	richard	1246	} # End of dansguardian ()
1	root	1247
71	richard	1248	##################################################################
1221	richard	1249	## Fonction "antivirus" ##
1357	richard	1250	## - configuration of havp, libclamav and freshclam ##
71	richard	1251	##################################################################
		1252	antivirus ()
		1253	{
1358	richard	1254	# create 'havp' user
288	richard	1255	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1256	if [ "$havp_exist" == "1" ]
288	richard	1257	then
478	richard	1258	userdel -r havp 2>/dev/null
894	richard	1259	groupdel havp 2>/dev/null
288	richard	1260	fi
307	richard	1261	groupadd -f havp
1486	richard	1262	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1366	richard	1263	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
1484	richard	1264	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
109	richard	1265	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1266	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1484	richard	1267	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config # pidfile
		1268	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode
631	richard	1269	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
1485	richard	1270	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on port 8090 (on loopback)
990	franck	1271	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1272	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1273	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1274	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1275	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1276	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1007	richard	1277	# skip checking of youtube flow (too heavy load / risk too low)
		1278	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1279	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1280	echo ".youtube.com/" >> /etc/havp/whitelist
1358	richard	1281	# replacement of init script
335	richard	1282	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
481	franck	1283	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1358	richard	1284	# replace of the intercept page (template)
340	richard	1285	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1286	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1358	richard	1287	# update virus database every 4 hours (24h/6)
1357	richard	1288	[ -e /etc/freshclam.conf.default ] \|\| cp /etc/freshclam.conf /etc/freshclam.conf.default
		1289	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
489	richard	1290	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1357	richard	1291	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1358	richard	1292	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
		1293	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1385	richard	1294	# update now
1382	richard	1295	/usr/bin/freshclam --no-warnings
1389	richard	1296	} # End of antivirus ()
71	richard	1297
1486	richard	1298	##########################################################################
		1299	## Fonction "tinyproxy" ##
		1300	## - configuration of tinyproxy (proxy between filterde users and havp) ##
		1301	##########################################################################
1485	richard	1302	tinyproxy ()
		1303	{
1486	richard	1304	tinyproxy_exist=`grep tinyproxy /etc/passwd\|wc -l`
		1305	if [ "$tinyproxy_exist" == "1" ]
		1306	then
		1307	userdel -r tinyproxy 2>/dev/null
		1308	groupdel tinyproxy 2>/dev/null
		1309	fi
		1310	groupadd -f tinyproxy
1488	richard	1311	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1518	richard	1312	mkdir -p var/run/tinyproxy /var/log/tinyproxy
1517	richard	1313	chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy
1486	richard	1314	[ -e /etc/tinyproxy/tinyproxy.conf.default ] \|\| cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
		1315	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
		1316	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
		1317	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf # Listen Port
		1318	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf # Listen NIC (only intif)
1508	richard	1319	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1518	richard	1320	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1486	richard	1321	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged
		1322	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP
		1323	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode
1509	richard	1324	# Create the systemd unit
		1325	cat << EOF > /lib/systemd/system/tinyproxy.service
		1326	# This file is part of systemd.
		1327	#
		1328	# systemd is free software; you can redistribute it and/or modify it
		1329	# under the terms of the GNU General Public License as published by
		1330	# the Free Software Foundation; either version 2 of the License, or
		1331	# (at your option) any later version.
1485	richard	1332
1509	richard	1333	# This unit launches tinyproxy (a very light proxy).
1518	richard	1334	# The "sleep 2" is needed because the pid file isn't ready for systemd
1509	richard	1335	[Unit]
		1336	Description=Tinyproxy Web Proxy Server
		1337	After=network.target iptables.service
		1338
		1339	[Service]
		1340	Type=forking
1518	richard	1341	ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
		1342	ExecStartPre=/bin/sleep 2
		1343	PIDFile=/var/run/tinyproxy/tinyproxy.pid
1509	richard	1344	ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
		1345
		1346	[Install]
		1347	WantedBy=multi-user.target
		1348	EOF
		1349
1485	richard	1350	} # end of tinyproxy
1	root	1351	##################################################################################
1389	richard	1352	## function "ulogd" ##
476	richard	1353	## - Ulog config for multi-log files ##
		1354	##################################################################################
1389	richard	1355	ulogd ()
476	richard	1356	{
		1357	# Three instances of ulogd (three different logfiles)
		1358	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1359	nl=1
1358	richard	1360	for log_type in traceability ssh ext-access
478	richard	1361	do
1365	richard	1362	[ -e /lib/systemd/system/ulogd-$log_type.service ] \|\| cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1369	richard	1363	[ -e /var/log/firewall/$log_type.log ] \|\| echo "" > /var/log/firewall/$log_type.log
1375	richard	1364	cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
478	richard	1365	$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
		1366	cat << EOF >> /etc/ulogd-$log_type.conf
1452	richard	1367	[emu1]
478	richard	1368	file="/var/log/firewall/$log_type.log"
		1369	sync=1
		1370	EOF
1452	richard	1371	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
478	richard	1372	nl=`expr $nl + 1`
		1373	done
476	richard	1374	chown -R root:apache /var/log/firewall
		1375	chmod 750 /var/log/firewall
		1376	chmod 640 /var/log/firewall/*
1389	richard	1377	} # End of ulogd ()
476	richard	1378
1159	crox53	1379
		1380	##########################################################
1389	richard	1381	## Function "nfsen" ##
1159	crox53	1382	##########################################################
1389	richard	1383	nfsen()
1	root	1384	{
1393	richard	1385	tar xzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
1365	richard	1386	# Add PortTracker plugin
1395	richard	1387	for i in /var/www/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
		1388	do
1512	richard	1389	[ ! -d $i ] && mkdir $i && chown -R apache:apache $i
1395	richard	1390	done
1515	richard	1391	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm
1365	richard	1392	# use of our conf file and init unit
1221	richard	1393	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
1365	richard	1394	# Installation of nfsen
1221	richard	1395	DirTmp=$(pwd)
		1396	cd /tmp/nfsen-1.3.6p1/
1365	richard	1397	/usr/bin/perl5 install.pl etc/nfsen.conf
		1398	/usr/bin/perl5 install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
		1399	# Create RRD DB for porttracker (only in it still doesn't exist)
1221	richard	1400	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
		1401	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/nfsen/plugins/
1395	richard	1402	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
		1403	chmod -R 770 /var/log/netflow/porttracker
1365	richard	1404	# Apache conf file
1394	richard	1405	cat << EOF > /etc/httpd/conf/conf.d/nfsen.conf
1159	crox53	1406	Alias /nfsen /var/www/nfsen
		1407	<Directory /var/www/nfsen/>
		1408	DirectoryIndex nfsen.php
		1409	Options -Indexes
		1410	AllowOverride all
		1411	order allow,deny
		1412	allow from all
		1413	AddType application/x-httpd-php .php
		1414	php_flag magic_quotes_gpc on
		1415	php_flag track_vars on
1	root	1416	</Directory>
		1417	EOF
1372	richard	1418	# nfsen unit for systemd
		1419	cat << EOF > /lib/systemd/system/nfsen.service
		1420	# This file is part of systemd.
		1421	#
		1422	# systemd is free software; you can redistribute it and/or modify it
		1423	# under the terms of the GNU General Public License as published by
		1424	# the Free Software Foundation; either version 2 of the License, or
		1425	# (at your option) any later version.
		1426
		1427	# This unit launches nfsen (a Netflow grapher).
		1428	[Unit]
		1429	Description= NfSen init script
		1430	After=network.target iptables.service
		1431
		1432	[Service]
		1433	Type=oneshot
		1434	RemainAfterExit=yes
1393	richard	1435	PIDFile=/var/run/nfsen/nfsen.pid
		1436	ExecStartPre=/bin/mkdir -p /var/run/nfsen
		1437	ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1372	richard	1438	ExecStart=/usr/bin/nfsen start
		1439	ExecStop=/usr/bin/nfsen stop
1393	richard	1440	ExecReload=/usr/bin/nfsen restart
1372	richard	1441	TimeoutSec=0
		1442
		1443	[Install]
		1444	WantedBy=multi-user.target
		1445	EOF
1365	richard	1446	# Add the listen port to collect netflow packet (nfcapd)
1393	richard	1447	$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
1365	richard	1448	# expire delay for the profile "live"
1393	richard	1449	systemctl start nfsen
		1450	/bin/nfsen -m live -e 62d 2>/dev/null
1397	richard	1451	# add SURFmap plugin
1509	richard	1452	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1512	richard	1453	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1509	richard	1454	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
1512	richard	1455	cd /tmp/
		1456	/usr/bin/sh SURFmap/install.sh
1365	richard	1457	# clear the installation
1221	richard	1458	cd $DirTmp
1509	richard	1459	rm -rf /tmp/nfsen*
		1460	rm -rf /tmp/SURFmap*
1389	richard	1461	} # End of nfsen ()
1	root	1462
1390	richard	1463	##################################################
1389	richard	1464	## Function "dnsmasq" ##
1390	richard	1465	##################################################
1389	richard	1466	dnsmasq ()
219	jeremy	1467	{
		1468	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
1356	richard	1469	[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1387	richard	1470	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
503	richard	1471	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1472	richard	1472	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
503	richard	1473	cat << EOF > /etc/dnsmasq.conf
520	richard	1474	# Configuration file for "dnsmasq in forward mode"
1387	richard	1475	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
259	richard	1476	listen-address=$PRIVATE_IP
1390	richard	1477	pid-file=/var/run/dnsmasq.pid
259	richard	1478	listen-address=127.0.0.1
286	richard	1479	no-dhcp-interface=$INTIF
1387	richard	1480	no-dhcp-interface=tun0
		1481	no-dhcp-interface=lo
259	richard	1482	bind-interfaces
		1483	cache-size=256
		1484	domain=$DOMAIN
		1485	domain-needed
		1486	expand-hosts
		1487	bogus-priv
		1488	filterwin2k
		1489	server=$DNS1
		1490	server=$DNS2
1387	richard	1491	# DHCP service is configured. It will be enabled in "bypass" mode
865	richard	1492	dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
632	richard	1493	dhcp-option=option:router,$PRIVATE_IP
1482	richard	1494	dhcp-option=option:ntp-server,$PRIVATE_IP
259	richard	1495
1387	richard	1496	# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1497	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1498	EOF
1356	richard	1499	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
		1500	cat << EOF > /etc/dnsmasq-blacklist.conf
1390	richard	1501	# Configuration file for "dnsmasq with blacklist"
1387	richard	1502	# Add Toulouse blacklist domains
1472	richard	1503	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
1015	richard	1504	conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1390	richard	1505	pid-file=/var/run/dnsmasq-blacklist.pid
498	richard	1506	listen-address=$PRIVATE_IP
		1507	port=54
		1508	no-dhcp-interface=$INTIF
1387	richard	1509	no-dhcp-interface=tun0
1472	richard	1510	no-dhcp-interface=lo
498	richard	1511	bind-interfaces
		1512	cache-size=256
		1513	domain=$DOMAIN
		1514	domain-needed
		1515	expand-hosts
		1516	bogus-priv
		1517	filterwin2k
		1518	server=$DNS1
		1519	server=$DNS2
		1520	EOF
1379	richard	1521	# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1357	richard	1522	cat << EOF > /etc/dnsmasq-whitelist.conf
1390	richard	1523	# Configuration file for "dnsmasq with whitelist"
1356	richard	1524	# Inclusion de la whitelist <domains> de Toulouse dans la configuration
1472	richard	1525	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
1356	richard	1526	conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1472	richard	1527	pid-file=/var/run/dnsmasq-whitelist.pid
1356	richard	1528	listen-address=$PRIVATE_IP
		1529	port=55
		1530	no-dhcp-interface=$INTIF
1387	richard	1531	no-dhcp-interface=tun0
1472	richard	1532	no-dhcp-interface=lo
1356	richard	1533	bind-interfaces
		1534	cache-size=256
		1535	domain=$DOMAIN
		1536	domain-needed
		1537	expand-hosts
		1538	bogus-priv
		1539	filterwin2k
1472	richard	1540	address=/#/$PRIVATE_IP # for Domain name without local resolution (WL)
		1541	ipset=/#/whitelist_ip_allowed # dynamicly add the resolv IP address in the Firewall rules
1356	richard	1542	EOF
1472	richard	1543	# 4th dnsmasq listen on udp 56 ("blackhole")
		1544	cat << EOF > /etc/dnsmasq-blackhole.conf
		1545	# Configuration file for "dnsmasq as a blackhole"
		1546	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
		1547	address=/#/$PRIVATE_IP # redirect all on ALCASAR IP address
		1548	pid-file=/var/run/dnsmasq-blackhole.pid
		1549	listen-address=$PRIVATE_IP
		1550	port=56
		1551	no-dhcp-interface=$INTIF
		1552	no-dhcp-interface=tun0
		1553	no-dhcp-interface=lo
		1554	bind-interfaces
		1555	cache-size=256
		1556	domain=$DOMAIN
		1557	domain-needed
		1558	expand-hosts
		1559	bogus-priv
		1560	filterwin2k
		1561	EOF
		1562
1517	richard	1563	# the main instance should start after network and chilli (which create tun0)
		1564	[ -e /lib/systemd/system/dnsmasq.service.old ] \|\| cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.old
		1565	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1474	richard	1566	# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
		1567	for list in blacklist whitelist blackhole
		1568	do
		1569	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
		1570	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
		1571	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
		1572	done
308	richard	1573	} # End dnsmasq
		1574
		1575	##########################################################
1221	richard	1576	## Fonction "BL" ##
308	richard	1577	##########################################################
		1578	BL ()
		1579	{
1384	richard	1580	# copy and extract toulouse BL
648	richard	1581	rm -rf $DIR_DG/lists/blacklists
		1582	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
1383	richard	1583	# creation of the OSSI BL and WL categories (domain name and url)
878	richard	1584	mkdir $DIR_DG/lists/blacklists/ossi
1041	richard	1585	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
		1586	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
1384	richard	1587	chown -R dansguardian:apache $DIR_DG $DIR_DEST_SHARE
		1588	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1383	richard	1589	# creation of file for the rehabilited domains and urls
648	richard	1590	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1591	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1592	touch $DIR_DG/lists/exceptionsitelist
		1593	touch $DIR_DG/lists/exceptionurllist
311	richard	1594	# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
648	richard	1595	cat <<EOF > $DIR_DG/lists/bannedurllist
311	richard	1596	# Dansguardian filter config for ALCASAR
		1597	EOF
648	richard	1598	cat <<EOF > $DIR_DG/lists/bannedsitelist
311	richard	1599	# Dansguardian domain filter config for ALCASAR
		1600	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1601	#**
		1602	# block all SSL and CONNECT tunnels
		1603	**s
		1604	# block all SSL and CONNECT tunnels specified only as an IP
		1605	*ips
		1606	# block all sites specified only by an IP
		1607	*ip
		1608	EOF
1000	richard	1609	# Add Bing and Youtube to the safesearch url regext list (parental control)
878	richard	1610	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1611	# Bing - add 'adlt=strict'
		1612	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1613	# Youtube - add 'edufilter=your_ID'
885	richard	1614	#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"
878	richard	1615	EOF
1000	richard	1616	# change the the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1617	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1370	richard	1618	# adapt the BL to ALCASAR architecture. Enable the default categories
654	richard	1619	if [ "$mode" != "update" ]; then
		1620	$DIR_DEST_SBIN/alcasar-bl.sh --adapt
1370	richard	1621	$DIR_DEST_SBIN/alcasar-bl.sh --cat_choice
654	richard	1622	fi
308	richard	1623	}
219	jeremy	1624
1	root	1625	##########################################################
1221	richard	1626	## Fonction "cron" ##
1	root	1627	## - Mise en place des différents fichiers de cron ##
		1628	##########################################################
		1629	cron ()
		1630	{
		1631	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1632	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1633	cat <<EOF > /etc/crontab
		1634	SHELL=/bin/bash
		1635	PATH=/sbin:/bin:/usr/sbin:/usr/bin
		1636	MAILTO=root
		1637	HOME=/
		1638
		1639	# run-parts
		1640	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1641	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1642	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1643	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1644	EOF
		1645	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1646	cat <<EOF >> /etc/anacrontab
667	franck	1647	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
1380	richard	1648	7 10 cron.logExport nice /etc/cron.d/alcasar-archive
667	franck	1649	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1650	EOF
1247	crox53	1651
811	richard	1652	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1653	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
955	richard	1654	45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
905	franck	1655	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
917	franck	1656	40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1657	EOF
952	franck	1658	cat <<EOF > /etc/cron.d/alcasar-archive
		1659	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1660	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1661	EOF
667	franck	1662	cat << EOF > /etc/cron.d/alcasar-clean_import
713	franck	1663	# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
503	richard	1664	30 * * * * root $DIR_DEST_BIN/alcasar-import-clean.sh
168	franck	1665	EOF
722	franck	1666	cat << EOF > /etc/cron.d/alcasar-distrib-updates
		1667	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1668	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1669	EOF
1247	crox53	1670	#cat << EOF > /etc/cron.d/alcasar-netflow
1159	crox53	1671	# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
1247	crox53	1672	#15 0 * * 1 root $DIR_DEST_BIN/alcasar-netflow.sh
		1673	#EOF
1159	crox53	1674
1	root	1675	# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
		1676	# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
		1677	# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
		1678	# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
		1679	# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
		1680	# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
		1681	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
		1682	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
		1683	rm -f /etc/cron.daily/freeradius-web
		1684	rm -f /etc/cron.monthly/freeradius-web
		1685	cat << EOF > /etc/cron.d/freeradius-web
		1686	1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
		1687	5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
		1688	10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
		1689	15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
		1690	EOF
671	franck	1691	cat << EOF > /etc/cron.d/alcasar-watchdog
713	franck	1692	# activation du "chien de garde" (watchdog) toutes les 3'
1	root	1693	/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
		1694	EOF
808	franck	1695	# activation du "chien de garde des services" (watchdog) toutes les 18'
		1696	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
		1697	# activation du "chien de garde" (daemon-watchdog) toutes les 18'
		1698	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1699	EOF
522	richard	1700	# suppression des crons usagers
		1701	rm -f /var/spool/cron/*
1	root	1702	} # End cron
		1703
		1704	##################################################################
1221	richard	1705	## Fonction "Fail2Ban" ##
1163	crox53	1706	##- Modification de la configuration de fail2ban ##
		1707	##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ##
		1708	##################################################################
		1709	fail2ban()
		1710	{
1191	crox53	1711	$DIR_CONF/fail2ban.sh
1474	richard	1712	# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1192	crox53	1713	[ -e /var/log/fail2ban.log ] \|\| touch /var/log/fail2ban.log
1489	richard	1714	[ -e /var/Save/security/watchdog.log ] \|\| touch /var/Save/security/watchdog.log
1165	crox53	1715	chmod 644 /var/log/fail2ban.log
1489	richard	1716	chmod 644 /var/Save/security/watchdog.log
1418	richard	1717	/usr/bin/touch /var/log/auth.log
1515	richard	1718	# fail2ban unit
		1719	[ -e /lib/systemd/system/fail2ban.service.default ] \|\| cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
		1720	$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
		1721	$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1418	richard	1722	$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1163	crox53	1723	} #Fin de fail2ban_install()
		1724
		1725	##################################################################
1376	richard	1726	## Fonction "gammu_smsd" ##
		1727	## - Creation de la base de donnée Gammu ##
		1728	## - Creation du fichier de config: gammu_smsd_conf ##
		1729	## ##
		1730	##################################################################
		1731	gammu_smsd()
		1732	{
		1733	# Create 'gammu' databse
		1734	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
		1735	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
		1736	# Add a gammu database structure
		1737	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/gammu-smsd-db-vierge.sql
		1738
		1739	# config file for the daemon
		1740	cat << EOF > /etc/gammu_smsd_conf
		1741	[gammu]
		1742	port = /dev/ttyUSB0
		1743	connection = at115200
		1744
		1745	;########################################################
		1746
		1747	[smsd]
		1748
		1749	PIN = 1234
		1750
		1751	logfile = /var/log/gammu-smsd/gammu-smsd.log
		1752	logformat = textall
		1753	debuglevel = 0
		1754
		1755	service = sql
		1756	driver = native_mysql
		1757	user = $DB_USER
		1758	password = $radiuspwd
		1759	pc = localhost
		1760	database = $DB_GAMMU
		1761
		1762	RunOnReceive = /usr/local/bin/alcasar-sms.sh --new_sms
		1763
		1764	StatusFrequency = 30
1380	richard	1765	;LoopSleep = 2
1376	richard	1766
		1767	;ResetFrequency = 300
		1768	;HardResetFrequency = 120
		1769
		1770	CheckSecurity = 1
		1771	CheckSignal = 1
		1772	CheckBattery = 0
		1773	EOF
		1774
		1775	chmod 755 /etc/gammu_smsd_conf
		1776
		1777	#Creation dossier de log Gammu-smsd
1382	richard	1778	[ -e /var/log/gammu-smsd ] \|\| mkdir /var/log/gammu-smsd
1376	richard	1779	chmod 755 /var/log/gammu-smsd
		1780
		1781	#Edition du script sql gammu <-> radius
1452	richard	1782	$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
		1783	$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1376	richard	1784
1380	richard	1785	#Création de la règle udev pour les Huawei // idVendor: 12d1
		1786	cat << EOF > /etc/udev/rules.d/66-huawei.rules
		1787	KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="/usr/local/bin/alcasar-sms.sh --mode"
		1788	EOF
		1789
1376	richard	1790	} # END gammu_smsd()
		1791
		1792	##################################################################
1221	richard	1793	## Fonction "post_install" ##
1	root	1794	## - Modification des bannières (locales et ssh) et des prompts ##
		1795	## - Installation de la structure de chiffrement pour root ##
		1796	## - Mise en place du sudoers et de la sécurité sur les fichiers##
		1797	## - Mise en place du la rotation des logs ##
5	franck	1798	## - Configuration dans le cas d'une mise à jour ##
1	root	1799	##################################################################
		1800	post_install()
		1801	{
		1802	# création de la bannière locale
1007	richard	1803	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		1804	cp -f $DIR_CONF/banner /etc/mageia-release
		1805	echo " V$VERSION" >> /etc/mageia-release
1	root	1806	# création de la bannière SSH
1007	richard	1807	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
5	franck	1808	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1809	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1810	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1811	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1812	# postfix banner anonymisation
		1813	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
604	richard	1814	# sshd écoute côté LAN et WAN
1499	richard	1815	$SED "s?^#ListenAddress.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
860	richard	1816	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
628	richard	1817	echo "SSH=off" >> $CONF_FILE
1063	richard	1818	echo 'SSH_ADMIN_FROM=0.0.0.0/0.0.0.0' >> $CONF_FILE
628	richard	1819	echo "QOS=off" >> $CONF_FILE
		1820	echo "LDAP=off" >> $CONF_FILE
786	richard	1821	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
885	richard	1822	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1078	franck	1823	echo "MULTIWAN=off" >> $CONF_FILE
		1824	echo "FAILOVER=30" >> $CONF_FILE
		1825	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1336	richard	1826	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
		1827	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1	root	1828	# Coloration des prompts
		1829	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1830	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1831	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1	root	1832	# Droits d'exécution pour utilisateur apache et sysadmin
		1833	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1834	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1835	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
1342	richard	1836	# prise en compte de la rotation des logs sur 1 an (concerne mysql, httpd, dansguardian, radiusd, ulogd)
1	root	1837	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		1838	chmod 644 /etc/logrotate.d/*
714	franck	1839	# rectification sur versions précédentes de la compression des logs
706	franck	1840	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		1841	# actualisation des fichiers logs compressés
1342	richard	1842	for dir in firewall dansguardian httpd
706	franck	1843	do
714	franck	1844	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	1845	done
1221	richard	1846	# create the alcasar-load_balancing unit
		1847	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1184	crox53	1848	# This file is part of systemd.
		1849	#
		1850	# systemd is free software; you can redistribute it and/or modify it
		1851	# under the terms of the GNU General Public License as published by
		1852	# the Free Software Foundation; either version 2 of the License, or
		1853	# (at your option) any later version.
		1854
		1855	# This unit lauches alcasar-load-balancing.sh script.
		1856	[Unit]
		1857	Description=alcasar-load_balancing.sh execution
		1858	After=network.target iptables.service
		1859
		1860	[Service]
		1861	Type=oneshot
		1862	RemainAfterExit=yes
		1863	ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
		1864	ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
		1865	TimeoutSec=0
		1866	SysVStartPriority=99
		1867
		1868	[Install]
		1869	WantedBy=multi-user.target
1157	stephane	1870	EOF
1221	richard	1871	# processes launched at boot time (Systemctl)
1525	franck	1872	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat
1221	richard	1873	do
1389	richard	1874	systemctl -q enable $i.service
1221	richard	1875	done
1452	richard	1876
		1877	# disable processes at boot time (Systemctl)
		1878	for i in ulogd
		1879	do
		1880	systemctl -q disable $i.service
		1881	done
		1882
1221	richard	1883	# Apply French Security Agency (ANSSI) rules
1362	richard	1884	# ignore ICMP broadcast (smurf attack)
		1885	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
		1886	# ignore ICMP errors bogus
		1887	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
		1888	# remove ICMP redirects responces
		1889	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1890	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1891	# enable SYN Cookies (Syn flood attacks)
		1892	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
		1893	# enable kernel antispoofing
		1894	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
		1895	# ignore source routing
		1896	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
		1897	# set conntrack timer to 1h (3600s) instead of 5 weeks
		1898	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1157	stephane	1899	# disable log_martians (ALCASAR is often installed between two private network addresses)
1363	richard	1900	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1362	richard	1901	# remove Magic SysReq Keys
1363	richard	1902	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1003	richard	1903	# switch to multi-users runlevel (instead of x11)
1221	richard	1904	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1005	richard	1905	# GRUB modifications
		1906	# limit wait time to 3s
		1907	# create an alcasar entry instead of linux-nonfb
		1908	# change display to 1024*768 (vga791)
1221	richard	1909	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
		1910	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
		1911	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
		1912	$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
		1913	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
		1914	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1003	richard	1915	# Remove unused services and users
1502	richard	1916	for svc in sshd
1221	richard	1917	do
1502	richard	1918	/bin/systemctl -q disable $svc.service
1221	richard	1919	done
		1920	# Load and apply the previous conf file
		1921	if [ "$mode" = "update" ]
532	richard	1922	then
1266	richard	1923	$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs
1221	richard	1924	$DIR_DEST_BIN/alcasar-conf.sh --load
		1925	PARENT_SCRIPT=`basename $0`
		1926	export PARENT_SCRIPT # to avoid stop&start process during the installation process
		1927	$DIR_DEST_BIN/alcasar-conf.sh --apply
		1928	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		1929	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
1269	richard	1930	if [ $MAJ_PREVIOUS_VERSION -lt 2 ] \|\| ([ $MAJ_PREVIOUS_VERSION -eq 2 ] && [ $MIN_PREVIOUS_VERSION -lt 8 ])
		1931	# update needed for versions previous then 2.8 due to the integration of the domainname ("localdomain" by default)
		1932	then
		1933	header_install
		1934	if [ $Lang == "fr" ]
		1935	then
		1936	echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
		1937	echo
		1938	echo -n "Nom : "
		1939	else
		1940	echo "This update need to redefine the first admin account"
		1941	echo
		1942	echo -n "Account : "
		1943	fi
		1944	read admin_portal
		1945	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		1946	mkdir -p $DIR_DEST_ETC/digest
		1947	chmod 755 $DIR_DEST_ETC/digest
		1948	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		1949	do
1350	richard	1950	/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
1269	richard	1951	done
		1952	$DIR_DEST_SBIN/alcasar-profil.sh --list
		1953	fi
532	richard	1954	fi
1221	richard	1955	rm -f /tmp/alcasar-conf*
		1956	chown -R root:apache $DIR_DEST_ETC/*
		1957	chmod -R 660 $DIR_DEST_ETC/*
		1958	chmod ug+x $DIR_DEST_ETC/digest
1045	franck	1959	# Apply and save the firewall rules
		1960	sh $DIR_DEST_BIN/alcasar-iptables.sh
		1961	sleep 2
1	root	1962	cd $DIR_INSTALL
5	franck	1963	echo ""
1	root	1964	echo "#############################################################################"
638	richard	1965	if [ $Lang == "fr" ]
		1966	then
		1967	echo "# Fin d'installation d'ALCASAR #"
		1968	echo "# #"
		1969	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1970	echo "# des Accès au Réseau ( ALCASAR ) #"
		1971	echo "# #"
		1972	echo "#############################################################################"
		1973	echo
		1974	echo "- ALCASAR sera fonctionnel après redémarrage du système"
		1975	echo
		1976	echo "- Lisez attentivement la documentation d'exploitation"
		1977	echo
		1978	echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		1979	echo
		1980	echo " Appuyez sur 'Entrée' pour continuer"
		1981	else
		1982	echo "# Enf of ALCASAR install process #"
		1983	echo "# #"
		1984	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1985	echo "# des Accès au Réseau ( ALCASAR ) #"
		1986	echo "# #"
		1987	echo "#############################################################################"
		1988	echo
		1989	echo "- The system will be rebooted in order to operate ALCASAR"
		1990	echo
		1991	echo "- Read the exploitation documentation"
		1992	echo
		1993	echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		1994	echo
		1995	echo " Hit 'Enter' to continue"
		1996	fi
815	richard	1997	sleep 2
		1998	if [ "$mode" != "update" ]
820	richard	1999	then
815	richard	2000	read a
		2001	fi
774	richard	2002	clear
1	root	2003	reboot
		2004	} # End post_install ()
		2005
		2006	#################################
1005	richard	2007	# Main Install loop #
1	root	2008	#################################
832	richard	2009	dir_exec=`dirname "$0"`
		2010	if [ $dir_exec != "." ]
		2011	then
		2012	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
		2013	echo "Launch this program from the ALCASAR archive directory"
		2014	exit 0
		2015	fi
		2016	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	2017	usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"
1	root	2018	nb_args=$#
		2019	args=$1
		2020	if [ $nb_args -eq 0 ]
		2021	then
		2022	nb_args=1
		2023	args="-h"
		2024	fi
1062	richard	2025	chmod -R u+x $DIR_SCRIPTS/*
1	root	2026	case $args in
		2027	-\? \| -h* \| --h*)
		2028	echo "$usage"
		2029	exit 0
		2030	;;
291	franck	2031	-i \| --install)
959	franck	2032	license
5	franck	2033	header_install
29	richard	2034	testing
595	richard	2035	# RPMs install
		2036	$DIR_SCRIPTS/alcasar-urpmi.sh
		2037	if [ "$?" != "0" ]
1	root	2038	then
595	richard	2039	exit 0
		2040	fi
1249	richard	2041	if [ -e $CONF_FILE ]
595	richard	2042	then
597	richard	2043	# Uninstall the running version
532	richard	2044	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
595	richard	2045	fi
636	richard	2046	# Test if manual update
1362	richard	2047	if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
595	richard	2048	then
636	richard	2049	header_install
595	richard	2050	if [ $Lang == "fr" ]
636	richard	2051	then echo "Le fichier de configuration d'une ancienne version a été trouvé";
		2052	else echo "The configuration file of an old version has been found";
595	richard	2053	fi
597	richard	2054	response=0
		2055	PTN='^[oOnNyY]$'
		2056	until [[ $(expr $response : $PTN) -gt 0 ]]
		2057	do
		2058	if [ $Lang == "fr" ]
		2059	then echo -n "Voulez-vous l'utiliser (O/n)? ";
		2060	else echo -n "Do you want to use it (Y/n)?";
		2061	fi
		2062	read response
		2063	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		2064	then rm -f /tmp/alcasar-conf*
		2065	fi
		2066	done
		2067	fi
636	richard	2068	# Test if update
1057	richard	2069	if [ -e /tmp/alcasar-conf* ]
597	richard	2070	then
		2071	if [ $Lang == "fr" ]
		2072	then echo "#### Installation avec mise à jour ####";
		2073	else echo "#### Installation with update ####";
		2074	fi
636	richard	2075	# Extract the central configuration file
1057	richard	2076	tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
637	richard	2077	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	2078	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		2079	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		2080	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		2081	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	2082	mode="update"
1	root	2083	fi
1486	richard	2084	for func in init network ACC CA init_db radius radius_web chilli dansguardian antivirus tinyproxy ulogd nfsen dnsmasq BL cron fail2ban gammu_smsd post_install
5	franck	2085	do
		2086	$func
1362	richard	2087	# echo "* 'debug' : end of function $func *"; read a
14	richard	2088	done
5	franck	2089	;;
291	franck	2090	-u \| --uninstall)
5	franck	2091	if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1	root	2092	then
597	richard	2093	if [ $Lang == "fr" ]
		2094	then echo "ALCASAR n'est pas installé!";
		2095	else echo "ALCASAR isn't installed!";
		2096	fi
1	root	2097	exit 0
		2098	fi
5	franck	2099	response=0
		2100	PTN='^[oOnN]$'
580	richard	2101	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	2102	do
597	richard	2103	if [ $Lang == "fr" ]
		2104	then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
854	richard	2105	else echo -n "Do you want to create the running version configuration file (Y/n)? ";
597	richard	2106	fi
5	franck	2107	read response
		2108	done
1103	richard	2109	if [ "$response" = "o" ] \|\| [ "$response" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]
1	root	2110	then
1103	richard	2111	$DIR_SCRIPTS/alcasar-conf.sh --create
498	richard	2112	else
		2113	rm -f /tmp/alcasar-conf*
1	root	2114	fi
597	richard	2115	# Uninstall the running version
65	richard	2116	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1	root	2117	;;
		2118	*)
		2119	echo "Argument inconnu :$1";
460	richard	2120	echo "Unknown argument :$1";
1	root	2121	echo "$usage"
		2122	exit 1
		2123	;;
		2124	esac
10	franck	2125	# end of script
366	franck	2126

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1525