WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
57	franck	2	# $Id: alcasar.sh 1547 2014-12-23 17:25:24Z richard $
1	root	3
		4	# alcasar.sh
959	franck	5
1157	stephane	6	# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
		7	# Ce programme est un logiciel libre ; This software is free and open source
959	franck	8	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		9	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		10	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		11	# Voir la Licence Publique Générale GNU pour plus de détails.
		12
967	franck	13	# team@alcasar.net
959	franck	14
1	root	15	# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
		16	# This script is distributed under the Gnu General Public License (GPL)
		17
672	richard	18	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	19	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	20	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
1534	richard	21	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
		22	# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
1	root	23
		24	# Options :
376	franck	25	# -i or --install
		26	# -u or --uninstall
1	root	27
376	franck	28	# Functions :
1378	richard	29	# testing : connectivity tests, free space test and mageia version test
1221	richard	30	# init : Installation of RPM and scripts
		31	# network : Network parameters
		32	# ACC : ALCASAR Control Center installation
		33	# CA : Certification Authority initialization
		34	# init_db : Initilization of radius database managed with MariaDB
1389	richard	35	# radius : FreeRadius initialisation
		36	# radius_web : copy ans modifiy original "freeradius web" in ACC
		37	# chilli : coovachilli initialisation (+authentication page)
		38	# dansguardian : DansGuardian filtering HTTP proxy configuration
1221	richard	39	# antivirus : HAVP + libclamav configuration
1485	richard	40	# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus"
1389	richard	41	# ulogd : log system in userland (match NFLOG target of iptables)
		42	# nfsen : : Configuration du grapheur nfsen pour apache
1253	richard	43	# dnsmasq : Name server configuration
1541	richard	44	# vnstat : little network stat daemon
1253	richard	45	# BL : BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
1266	richard	46	# cron : Logs export + watchdog + connexion statistics
1389	richard	47	# fail2ban : Fail2ban IDS installation and configuration
		48	# gammu_smsd : Autoregister addon via SMS (gammu-smsd)
1266	richard	49	# post_install : Security, log rotation, etc.
1	root	50
		51	DATE=`date '+%d %B %Y - %Hh%M'`
		52	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	53	Lang=`echo $LANG\|cut -c 1-2`
1362	richard	54	mode="install"
1	root	55	# ***** Files parameters - paramètres fichiers *******
1015	richard	56	DIR_INSTALL=`pwd` # current directory
		57	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		58	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
		59	DIR_SAVE="/var/Save" # backup directory (system_backup, user_db_backup, logs)
		60	DIR_WEB="/var/www/html" # directory of APACHE
		61	DIR_DG="/etc/dansguardian" # directory of DansGuardian
		62	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
		63	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		64	DIR_DEST_SBIN="/usr/local/sbin" # directory of ALCASAR admin scripts
		65	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
		66	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
		67	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
		68	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	69	# ***** DBMS parameters - paramètres SGBD ******
1243	richard	70	DB_RADIUS="radius" # database name used by FreeRadius server
		71	DB_USER="radius" # user name allows to request the users database
1349	richard	72	DB_GAMMU="gammu" # database name used by Gammu-smsd
1	root	73	# ***** Network parameters - paramètres réseau *****
1469	richard	74	HOSTNAME="alcasar" # default hostname
1243	richard	75	DOMAIN="localdomain" # default local domain
1471	richard	76	EXTIF=`/sbin/ip route\|grep default\|cut -d" " -f5` # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
1507	richard	77	INTIF=`/sbin/ip link\|grep '^[[:digit:]]:'\|grep -v "lo\\|$EXTIF\\|tun0"\|cut -d" " -f2\|tr -d ":"` # INTIF is connected to the consultation network
1148	crox53	78	MTU="1500"
1243	richard	79	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
1	root	80	# **** Paths - chemin des commandes *****
		81	SED="/bin/sed -i"
		82	# **************** End of global parameters *******************
		83
959	franck	84	license ()
		85	{
		86	if [ $Lang == "fr" ]
1538	richard	87	then
		88	cat $DIR_INSTALL/gpl-warning.fr.txt \| more
		89	else
		90	cat $DIR_INSTALL/gpl-warning.txt \| more
959	franck	91	fi
1538	richard	92	response=0
		93	PTN='^[oOyYnN]$'
		94	until [[ $(expr $response : $PTN) -gt 0 ]]
		95	do
		96	if [ $Lang == "fr" ]
		97	then echo -n "Accéptez-vous les termes de cette licence (O/n)? : "
		98	else echo -n "Do you accept the terms of this license (Y/n)? : "
		99	fi
		100	read response
		101	done
		102	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		103	then
		104	exit 1
		105	fi
959	franck	106	}
		107
1	root	108	header_install ()
		109	{
		110	clear
		111	echo "-----------------------------------------------------------------------------"
460	richard	112	echo " ALCASAR V$VERSION Installation"
1	root	113	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		114	echo "-----------------------------------------------------------------------------"
1389	richard	115	}
1	root	116
		117	##################################################################
1221	richard	118	## Function "testing" ##
1378	richard	119	## - Test of Mageia version ##
1529	richard	120	## - Test of ALCASAR version (if already installed) ##
1342	richard	121	## - Test of free space on /var (>10G) ##
1005	richard	122	## - Test of Internet access ##
29	richard	123	##################################################################
		124	testing ()
		125	{
1529	richard	126	# Test of Mageia version
		127	# extract the current Mageia version and hardware architecture (i586 ou X64)
		128	fic=`cat /etc/product.id`
		129	unknown_os=0
		130	old="$IFS"
		131	IFS=","
		132	set $fic
		133	for i in $*
		134	do
		135	if [ "`echo $i\|grep distribution\|cut -d'=' -f1`" == "distribution" ]
		136	then
		137	DISTRIBUTION=`echo $i\|cut -d"=" -f2`
		138	unknown_os=`expr $unknown_os + 1`
		139	fi
		140	if [ "`echo $i\|grep version\|cut -d'=' -f1`" == "version" ]
		141	then
		142	CURRENT_VERSION=`echo $i\|cut -d"=" -f2`
		143	unknown_os=`expr $unknown_os + 1`
		144	fi
		145	if [ "`echo $i\|grep arch\|cut -d'=' -f1`" == "arch" ]
		146	then
		147	ARCH=`echo $i\|cut -d"=" -f2`
		148	unknown_os=`expr $unknown_os + 1`
		149	fi
		150	done
		151	IFS="$old"
1362	richard	152	# Test if ALCASAR is already installed
		153	if [ -e $CONF_FILE ]
		154	then
		155	current_version=`cat $CONF_FILE \| grep VERSION \| cut -d"=" -f2`
1342	richard	156	if [ $Lang == "fr" ]
1362	richard	157	then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
		158	else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
1342	richard	159	fi
1362	richard	160	response=0
		161	PTN='^[oOnNyY]$'
		162	until [[ $(expr $response : $PTN) -gt 0 ]]
		163	do
		164	if [ $Lang == "fr" ]
		165	then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
		166	else echo -n "Do you want to update (Y/n)?";
		167	fi
		168	read response
		169	done
		170	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		171	then
		172	rm -f /tmp/alcasar-conf*
		173	else
1471	richard	174	# Create a backup of running importants files
1362	richard	175	$DIR_SCRIPTS/alcasar-conf.sh --create
		176	mode="update"
		177	fi
1529	richard	178	fi
		179	if [[ ( $unknown_os != 3 ) \|\| ("$DISTRIBUTION" != "Mageia" ) \|\| ( "$CURRENT_VERSION" != "4" ) ]]
		180	then
		181	if [ -e /tmp/alcasar-conf.tar.gz ] # update
1365	richard	182	then
1529	richard	183	echo
1378	richard	184	if [ $Lang == "fr" ]
		185	then
1529	richard	186	echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
		187	echo "1 - Récupérez le fichier de configuration actuel (/tmp/alcasar-conf.tar.gz)."
		188	echo "2 - Installez Linux-Mageia4.1 (cf. doc d'installation)"
		189	echo "3 - recopiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancer l'installation d'ALCASAR"
1378	richard	190	else
		191	echo "The automatic update of ALCASAR can't be performed."
1529	richard	192	echo "1 - Retrieve the configuration file (/tmp/alcasar-conf.tar.gz)"
		193	echo "2 - Install Linux-Mageia4.1 (cf. installation doc)"
		194	echo "3 - Copy again the file 'alcasar-conf.tar.gz' in the folder '/tmp' before launching the installation of ALCASAR"
1378	richard	195	fi
1529	richard	196	else
		197	if [ $Lang == "fr" ]
		198	then
		199	echo "L'installation d'ALCASAR ne peut pas être réalisée."
		200	else
		201	echo "The installation of ALCASAR can't be performed."
1378	richard	202	fi
		203	fi
1529	richard	204	echo
		205	if [ $Lang == "fr" ]
		206	then
		207	echo "Le système d'exploitation doit être remplacé (Mageia4.1)"
		208	else
		209	echo "The OS must be replaced (Mageia4.1)"
		210	fi
		211	exit 0
1342	richard	212	fi
1529	richard	213	if [ ! -d /var/log/netflow/porttracker ]
		214	then
		215	# Test of free space on /var
		216	free_space=`df -BG --output=avail /var\|tail -1\|tr -d [:space:]G`
		217	if [ $free_space -lt 10 ]
		218	then
		219	if [ $Lang == "fr" ]
		220	then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
		221	else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
		222	fi
		223	exit 0
		224	fi
		225	fi
1378	richard	226	if [ $Lang == "fr" ]
784	richard	227	then echo -n "Tests des paramètres réseau : "
595	richard	228	else echo -n "Network parameters tests : "
		229	fi
1471	richard	230	# Test of Ethernet links state
		231	DOWN_IF=`/sbin/ip link\|grep "NO-CARRIER"\|cut -d":" -f2\|tr -d " "`
		232	for i in $DOWN_IF
		233	do
		234	if [ $Lang == "fr" ]
		235	then
		236	echo "Échec"
		237	echo "Le lien réseau de la carte $i n'est pas actif."
		238	echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
		239	else
		240	echo "Failed"
		241	echo "The link state of $i interface is down."
		242	echo "Make sure that this network card is connected to a switch or an A.P."
		243	fi
		244	exit 0
		245	done
		246	echo -n "."
		247
		248	# Test EXTIF config files
1499	richard	249	PUBLIC_IP_MASK=`ip addr show $EXTIF\|grep "inet "\|cut -d" " -f6`
		250	PUBLIC_IP=`echo $PUBLIC_IP_MASK \| cut -d"/" -f1`
		251	PUBLIC_GATEWAY=`ip route list\|grep ^default\|cut -d" " -f3`
1471	richard	252	if [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
		253	then
784	richard	254	if [ $Lang == "fr" ]
		255	then
		256	echo "Échec"
		257	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		258	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	259	echo "Appliquez les changements : 'systemctl restart network'"
784	richard	260	else
		261	echo "Failed"
		262	echo "The Internet connected network card ($EXTIF) isn't well configured."
		263	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	264	echo "Apply the new configuration 'systemctl restart network'"
784	richard	265	fi
830	richard	266	echo "DEVICE=$EXTIF"
784	richard	267	echo "IPADDR="
		268	echo "NETMASK="
		269	echo "GATEWAY="
		270	echo "DNS1="
		271	echo "DNS2="
830	richard	272	echo "ONBOOT=yes"
784	richard	273	exit 0
		274	fi
		275	echo -n "."
1471	richard	276
		277	# Test if router is alive (Box FAI)
784	richard	278	if [ `ip route list\|grep -c ^default` -ne "1" ] ; then
595	richard	279	if [ $Lang == "fr" ]
		280	then
		281	echo "Échec"
		282	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		283	echo "Réglez ce problème puis relancez ce script."
		284	else
		285	echo "Failed"
		286	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		287	echo "Resolv this problem, then restart this script."
		288	fi
29	richard	289	exit 0
		290	fi
308	richard	291	echo -n "."
978	franck	292	# On teste le lien vers le routeur par defaut
1499	richard	293	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY\|grep response\|cut -d" " -f2`
527	richard	294	if [ $(expr $arp_reply) -eq 0 ]
308	richard	295	then
595	richard	296	if [ $Lang == "fr" ]
		297	then
		298	echo "Échec"
1499	richard	299	echo "Le routeur de site ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
595	richard	300	echo "Réglez ce problème puis relancez ce script."
		301	else
		302	echo "Failed"
		303	echo "The Internet gateway doesn't answered"
		304	echo "Resolv this problem, then restart this script."
		305	fi
308	richard	306	exit 0
		307	fi
		308	echo -n "."
421	franck	309	# On teste la connectivité Internet
29	richard	310	rm -rf /tmp/con_ok.html
308	richard	311	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	312	if [ ! -e /tmp/con_ok.html ]
		313	then
595	richard	314	if [ $Lang == "fr" ]
		315	then
		316	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		317	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		318	echo "Vérifiez la validité des adresses IP des DNS."
		319	else
		320	echo "The Internet connection try failed (google.fr)."
		321	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		322	echo "Verify the DNS IP addresses"
		323	fi
29	richard	324	exit 0
		325	fi
		326	rm -rf /tmp/con_ok.html
308	richard	327	echo ". : ok"
1389	richard	328	} # end of testing ()
302	richard	329
		330	##################################################################
1221	richard	331	## Function "init" ##
302	richard	332	## - Création du fichier "/root/ALCASAR_parametres.txt" ##
		333	## - Installation et modification des scripts du portail ##
		334	##################################################################
		335	init ()
		336	{
527	richard	337	if [ "$mode" != "update" ]
302	richard	338	then
		339	# On affecte le nom d'organisme
597	richard	340	header_install
302	richard	341	ORGANISME=!
		342	PTN='^[a-zA-Z0-9-]*$'
580	richard	343	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
302	richard	344	do
595	richard	345	if [ $Lang == "fr" ]
597	richard	346	then echo -n "Entrez le nom de votre organisme : "
		347	else echo -n "Enter the name of your organism : "
595	richard	348	fi
330	franck	349	read ORGANISME
613	richard	350	if [ "$ORGANISME" == "" ]
330	franck	351	then
		352	ORGANISME=!
		353	fi
		354	done
302	richard	355	fi
1	root	356	# On crée aléatoirement les mots de passe et les secrets partagés
628	richard	357	rm -f $PASSWD_FILE
1350	richard	358	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
		359	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
628	richard	360	echo "$grubpwd" >> $PASSWD_FILE
1348	richard	361	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
384	richard	362	$SED "/^password.*/d" /boot/grub/menu.lst
		363	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
1350	richard	364	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	365	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
628	richard	366	echo "root / $mysqlpwd" >> $PASSWD_FILE
1350	richard	367	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	368	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
628	richard	369	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
1350	richard	370	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	371	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
		372	echo "$secretuam" >> $PASSWD_FILE
1350	richard	373	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	374	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
		375	echo "$secretradius" >> $PASSWD_FILE
		376	chmod 640 $PASSWD_FILE
977	richard	377	# Scripts and conf files copy
		378	# - in /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
5	franck	379	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
977	richard	380	# - in /usr/local/sbin : alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
5	franck	381	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
977	richard	382	# - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
648	richard	383	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
1	root	384	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
		385	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
5	franck	386	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
		387	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
628	richard	388	# generate central conf file
		389	cat <<EOF > $CONF_FILE
612	richard	390	##########################################
		391	## ##
		392	## ALCASAR Parameters ##
		393	## ##
		394	##########################################
1	root	395
612	richard	396	INSTALL_DATE=$DATE
		397	VERSION=$VERSION
		398	ORGANISM=$ORGANISME
923	franck	399	DOMAIN=$DOMAIN
612	richard	400	EOF
628	richard	401	chmod o-rwx $CONF_FILE
1	root	402	} # End of init ()
		403
		404	##################################################################
1221	richard	405	## Function "network" ##
1	root	406	## - Définition du plan d'adressage du réseau de consultation ##
595	richard	407	## - Nommage DNS du système ##
1336	richard	408	## - Configuration de l'interface INTIF (réseau de consultation)##
1	root	409	## - Modification du fichier /etc/hosts ##
		410	## - Configuration du serveur de temps (NTP) ##
		411	## - Renseignement des fichiers hosts.allow et hosts.deny ##
		412	##################################################################
		413	network ()
		414	{
		415	header_install
636	richard	416	if [ "$mode" != "update" ]
		417	then
		418	if [ $Lang == "fr" ]
		419	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		420	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		421	fi
		422	response=0
		423	PTN='^[oOyYnN]$'
		424	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	425	do
595	richard	426	if [ $Lang == "fr" ]
659	richard	427	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	428	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	429	fi
1	root	430	read response
		431	done
636	richard	432	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		433	then
		434	PRIVATE_IP_MASK="0"
		435	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		436	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	437	do
595	richard	438	if [ $Lang == "fr" ]
597	richard	439	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		440	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	441	fi
597	richard	442	read PRIVATE_IP_MASK
1	root	443	done
636	richard	444	else
		445	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		446	fi
595	richard	447	else
637	richard	448	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		449	rm -rf conf/etc/alcasar.conf
1	root	450	fi
861	richard	451	# Define LAN side global parameters
1243	richard	452	hostname $HOSTNAME.$DOMAIN
		453	echo $HOSTNAME.$DOMAIN > /etc/hostname
977	richard	454	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
1499	richard	455	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f4` # last octet of LAN address
977	richard	456	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
1499	richard	457	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
977	richard	458	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
1499	richard	459	if [ $PRIVATE_IP == $PRIVATE_NETWORK ] # when entering network address instead of ip address
		460	then
		461	PRIVATE_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1`
		462	PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
		463	fi
		464	private_ip_ending=`echo $PRIVATE_IP \| cut -d"." -f4` # last octet of LAN address
		465	PRIVATE_SECOND_IP=`echo $PRIVATE_IP \| cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2)
977	richard	466	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
1499	richard	467	classe=$((PRIVATE_PREFIX/8)) # ie.: 2=classe B, 3=classe C
977	richard	468	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		469	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
1499	richard	470	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f4` # last octet of LAN broadcast
		471	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
837	richard	472	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
1336	richard	473	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6` # MAC address of INTIF
841	richard	474	# Define Internet parameters
1499	richard	475	DNS1=`grep ^nameserver /etc/resolv.conf\|cut -d" " -f2\|head -n 1` # 1st DNS server
		476	nb_dns=`grep ^nameserver /etc/resolv.conf\|wc -l`
		477	if [ $nb_dns == 2 ]
		478	then
		479	DNS2=`grep ^nameserver /etc/resolv.conf\|cut -d" " -f2\|tail -n 1` # 2nd DNS server (if exist)
		480	fi
70	franck	481	DNS1=${DNS1:=208.67.220.220}
		482	DNS2=${DNS2:=208.67.222.222}
1499	richard	483	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK \| cut -d"=" -f2`
1052	richard	484	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	485	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
1499	richard	486	# Wrtie the conf file
1469	richard	487	echo "EXTIF=$EXTIF" >> $CONF_FILE
		488	echo "INTIF=$INTIF" >> $CONF_FILE
1499	richard	489	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2` # IP setting (static or dynamic)
		490	if [ $IP_SETTING == "dhcp" ]
		491	then
		492	echo "PUBLIC_IP=dhcp" >> $CONF_FILE
		493	echo "GW=dhcp" >> $CONF_FILE
		494	else
		495	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
		496	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
		497	fi
994	franck	498	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	499	echo "DNS1=$DNS1" >> $CONF_FILE
		500	echo "DNS2=$DNS2" >> $CONF_FILE
		501	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
1484	richard	502	echo "DHCP=on" >> $CONF_FILE
914	franck	503	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		504	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		505	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
1488	richard	506	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
1499	richard	507	# network default
597	richard	508	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
1	root	509	cat <<EOF > /etc/sysconfig/network
		510	NETWORKING=yes
1243	richard	511	HOSTNAME="$HOSTNAME.$DOMAIN"
1	root	512	FORWARD_IPV4=true
		513	EOF
1499	richard	514	# /etc/hosts config
1	root	515	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		516	cat <<EOF > /etc/hosts
503	richard	517	127.0.0.1 localhost
1353	richard	518	$PRIVATE_IP $HOSTNAME.$DOMAIN $HOSTNAME $ORGANISME.$DOMAIN $ORGANISME
1	root	519	EOF
1499	richard	520	# EXTIF (Internet) config
		521	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		522	if [ $IP_SETTING == "dhcp" ]
		523	then
		524	$SED "s?^RESOLV_MODS=.*?RESOLV_MODS=yes?g" /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		525	$SED "s?^PEERDNS=.*?PEERDNS=no?g" /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		526	echo "DNS1=127.0.0.1" >> /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		527	else
		528	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
14	richard	529	DEVICE=$EXTIF
		530	BOOTPROTO=static
597	richard	531	IPADDR=$PUBLIC_IP
		532	NETMASK=$PUBLIC_NETMASK
		533	GATEWAY=$PUBLIC_GATEWAY
14	richard	534	DNS1=127.0.0.1
1499	richard	535	RESOLV_MODS=yes
14	richard	536	ONBOOT=yes
		537	METRIC=10
		538	MII_NOT_SUPPORTED=yes
		539	IPV6INIT=no
		540	IPV6TO4INIT=no
		541	ACCOUNTING=no
		542	USERCTL=no
994	franck	543	MTU=$MTU
14	richard	544	EOF
1499	richard	545	fi
1336	richard	546	# Config INTIF (consultation LAN) in normal mode
841	richard	547	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		548	DEVICE=$INTIF
		549	BOOTPROTO=static
		550	ONBOOT=yes
		551	NOZEROCONF=yes
		552	MII_NOT_SUPPORTED=yes
		553	IPV6INIT=no
		554	IPV6TO4INIT=no
		555	ACCOUNTING=no
		556	USERCTL=no
		557	EOF
1336	richard	558	# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
793	richard	559	cat <<EOF > /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
1	root	560	DEVICE=$INTIF
		561	BOOTPROTO=static
		562	IPADDR=$PRIVATE_IP
604	richard	563	NETMASK=$PRIVATE_NETMASK
1	root	564	ONBOOT=yes
		565	METRIC=10
		566	NOZEROCONF=yes
		567	MII_NOT_SUPPORTED=yes
14	richard	568	IPV6INIT=no
		569	IPV6TO4INIT=no
		570	ACCOUNTING=no
		571	USERCTL=no
1	root	572	EOF
440	franck	573	# Mise à l'heure du serveur
		574	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		575	cat <<EOF > /etc/ntp/step-tickers
455	franck	576	0.fr.pool.ntp.org # adapt to your country
		577	1.fr.pool.ntp.org
		578	2.fr.pool.ntp.org
440	franck	579	EOF
		580	# Configuration du serveur de temps (sur lui même)
1	root	581	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		582	cat <<EOF > /etc/ntp.conf
456	franck	583	server 0.fr.pool.ntp.org # adapt to your country
447	franck	584	server 1.fr.pool.ntp.org
		585	server 2.fr.pool.ntp.org
		586	server 127.127.1.0 # local clock si NTP internet indisponible ...
411	richard	587	fudge 127.127.1.0 stratum 10
604	richard	588	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
1	root	589	restrict 127.0.0.1
310	richard	590	driftfile /var/lib/ntp/drift
1	root	591	logfile /var/log/ntp.log
		592	EOF
440	franck	593
310	richard	594	chown -R ntp:ntp /var/lib/ntp
1	root	595	# Renseignement des fichiers hosts.allow et hosts.deny
		596	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		597	cat <<EOF > /etc/hosts.allow
		598	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	599	sshd: ALL
1	root	600	ntpd: $PRIVATE_NETWORK_SHORT
		601	EOF
		602	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		603	cat <<EOF > /etc/hosts.deny
		604	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		605	EOF
790	richard	606	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	607	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
1069	richard	608	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	609	# load conntrack ftp module
		610	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
		611	echo "ip_conntrack_ftp" >> /etc/modprobe.preload
1159	crox53	612	# load ipt_NETFLOW module
		613	echo "ipt_NETFLOW" >> /etc/modprobe.preload
1513	richard	614	# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
		615	[ -e /lib/systemd/system/iptables.service.default ] \|\| cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
		616	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
		617	[ -e /usr/libexec/iptables.init.default ] \|\| cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
1515	richard	618	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test in order the stop function run (fluxh all rules & policies)
1157	stephane	619	#
860	richard	620	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	621	} # End of network ()
		622
		623	##################################################################
1221	richard	624	## Function "ACC" ##
		625	## - installation du centre de gestion (ALCASAR Control Center) ##
1	root	626	## - configuration du serveur web (Apache) ##
		627	## - définition du 1er comptes de gestion ##
		628	## - sécurisation des accès ##
		629	##################################################################
1221	richard	630	ACC ()
1	root	631	{
		632	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		633	mkdir $DIR_WEB
		634	# Copie et configuration des fichiers du centre de gestion
316	richard	635	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972	richard	636	echo "$VERSION" > $DIR_WEB/VERSION
316	richard	637	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		638	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		639	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		640	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		641	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	642	chown -R apache:apache $DIR_WEB/*
1489	richard	643	# create the backup structure :
		644	# - base = users database
		645	# - system_backup = alcasar conf file + users database
		646	# - archive = tarball of "base + http firewall + netflow"
		647	# - security = watchdog disconnection)
		648	for i in system_backup base archive security;
1	root	649	do
		650	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		651	done
5	franck	652	chown -R root:apache $DIR_SAVE
71	richard	653	# Configuration et sécurisation php
		654	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	655	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		656	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	657	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		658	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71	richard	659	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		660	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
		661	# Configuration et sécurisation Apache
790	richard	662	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1	root	663	[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
1243	richard	664	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
303	richard	665	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1532	richard	666	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
		667	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
		668	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
		669	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] \|\| cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
		670	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
		671	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
		672	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
		673	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
		674	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
		675	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
1359	richard	676	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] \|\| cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
		677	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
1532	richard	678	# Error page management
1534	richard	679	[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] \|\| cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
		680	cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
1532	richard	681	Alias /error/ "/var/www/html/"
		682	<Directory "/usr/share/httpd/error">
		683	AllowOverride None
		684	Options IncludesNoExec
		685	AddOutputFilter Includes html
		686	AddHandler type-map var
		687	Require all granted
		688	LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
		689	ForceLanguagePriority Prefer Fallback
		690	</Directory>
		691	ErrorDocument 400 /error/error.php?error=400
		692	ErrorDocument 401 /error/error.php?error=401
		693	ErrorDocument 403 /error/error.php?error=403
		694	ErrorDocument 404 /error/error.php?error=404
		695	ErrorDocument 405 /error/error.php?error=405
		696	ErrorDocument 408 /error/error.php?error=408
		697	ErrorDocument 410 /error/error.php?error=410
		698	ErrorDocument 411 /error/error.php?error=411
		699	ErrorDocument 412 /error/error.php?error=412
		700	ErrorDocument 413 /error/error.php?error=413
		701	ErrorDocument 414 /error/error.php?error=414
		702	ErrorDocument 415 /error/error.php?error=415
		703	ErrorDocument 500 /error/error.php?error=500
		704	ErrorDocument 501 /error/error.php?error=501
		705	ErrorDocument 502 /error/error.php?error=502
		706	ErrorDocument 503 /error/error.php?error=503
		707	ErrorDocument 506 /error/error.php?error=506
		708	EOF
1359	richard	709	[ -e /usr/share/httpd/error/include/top.html.default ] \|\| cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
		710	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
		711	[ -e /usr/share/httpd/error/include/bottom.html.default ] \|\| cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
		712	cat <<EOF > /usr/share/httpd/error/include/bottom.html
1	root	713	</body>
		714	</html>
		715	EOF
		716	# Définition du premier compte lié au profil 'admin'
509	richard	717	header_install
510	richard	718	if [ "$mode" = "install" ]
		719	then
613	richard	720	admin_portal=!
		721	PTN='^[a-zA-Z0-9-]*$'
		722	until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
		723	do
		724	header_install
		725	if [ $Lang == "fr" ]
		726	then
		727	echo ""
		728	echo "Définissez un premier compte d'administration du portail :"
		729	echo
		730	echo -n "Nom : "
		731	else
		732	echo ""
		733	echo "Define the first account allow to administrate the portal :"
		734	echo
		735	echo -n "Account : "
		736	fi
		737	read admin_portal
		738	if [ "$admin_portal" == "" ]
		739	then
		740	admin_portal=!
		741	fi
		742	done
1268	richard	743	# Creation of keys file for the admin account ("admin")
510	richard	744	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		745	mkdir -p $DIR_DEST_ETC/digest
		746	chmod 755 $DIR_DEST_ETC/digest
		747	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		748	do
1350	richard	749	/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
510	richard	750	done
		751	$DIR_DEST_SBIN/alcasar-profil.sh --list
		752	fi
434	richard	753	# synchronisation horaire
		754	ntpd -q -g &
1	root	755	# Sécurisation du centre
988	franck	756	rm -f /etc/httpd/conf/webapps.d/alcasar*
1	root	757	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	758	<Directory $DIR_ACC>
1	root	759	SSLRequireSSL
		760	AllowOverride None
		761	Order deny,allow
		762	Deny from all
		763	Allow from 127.0.0.1
		764	Allow from $PRIVATE_NETWORK_MASK
990	franck	765	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	766	require valid-user
		767	AuthType digest
1243	richard	768	AuthName $HOSTNAME.$DOMAIN
1	root	769	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	770	AuthUserFile $DIR_DEST_ETC/digest/key_all
1243	richard	771	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	772	</Directory>
316	richard	773	<Directory $DIR_ACC/admin>
1	root	774	SSLRequireSSL
		775	AllowOverride None
		776	Order deny,allow
		777	Deny from all
		778	Allow from 127.0.0.1
		779	Allow from $PRIVATE_NETWORK_MASK
990	franck	780	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	781	require valid-user
		782	AuthType digest
1243	richard	783	AuthName $HOSTNAME.$DOMAIN
1	root	784	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	785	AuthUserFile $DIR_DEST_ETC/digest/key_admin
1243	richard	786	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	787	</Directory>
344	richard	788	<Directory $DIR_ACC/manager>
1	root	789	SSLRequireSSL
		790	AllowOverride None
		791	Order deny,allow
		792	Deny from all
		793	Allow from 127.0.0.1
		794	Allow from $PRIVATE_NETWORK_MASK
990	franck	795	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	796	require valid-user
		797	AuthType digest
1243	richard	798	AuthName $HOSTNAME.$DOMAIN
1	root	799	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	800	AuthUserFile $DIR_DEST_ETC/digest/key_manager
1243	richard	801	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	802	</Directory>
316	richard	803	<Directory $DIR_ACC/backup>
		804	SSLRequireSSL
		805	AllowOverride None
		806	Order deny,allow
		807	Deny from all
		808	Allow from 127.0.0.1
		809	Allow from $PRIVATE_NETWORK_MASK
990	franck	810	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
316	richard	811	require valid-user
		812	AuthType digest
1243	richard	813	AuthName $HOSTNAME.$DOMAIN
316	richard	814	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	815	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	816	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
316	richard	817	</Directory>
811	richard	818	Alias /save/ "$DIR_SAVE/"
		819	<Directory $DIR_SAVE>
		820	SSLRequireSSL
		821	Options Indexes
		822	Order deny,allow
		823	Deny from all
		824	Allow from 127.0.0.1
		825	Allow from $PRIVATE_NETWORK_MASK
990	franck	826	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
811	richard	827	require valid-user
		828	AuthType digest
1243	richard	829	AuthName $HOSTNAME.$DOMAIN
811	richard	830	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	831	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
811	richard	832	</Directory>
1	root	833	EOF
1378	richard	834	# Launch after coova
		835	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
1389	richard	836	} # End of ACC ()
1	root	837
		838	##########################################################################################
1221	richard	839	## Fonction "CA" ##
1	root	840	## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
		841	##########################################################################################
1221	richard	842	CA ()
1	root	843	{
510	richard	844	$DIR_DEST_BIN/alcasar-CA.sh
800	richard	845	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	846	[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
1410	richard	847	cat <<EOF > $FIC_VIRTUAL_SSL
		848	# default SSL virtual host, used for all HTTPS requests that do not
		849	# match a ServerName or ServerAlias in any <VirtualHost> block.
		850
		851	<VirtualHost _default_:443>
		852	# general configuration
		853	ServerAdmin root@localhost
		854	ServerName localhost
		855
		856	# SSL configuration
		857	SSLEngine on
		858	SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
		859	SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
		860	SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
		861	CustomLog logs/ssl_request_log \
		862	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
		863	ErrorLog logs/ssl_error_log
		864	ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
		865	</VirtualHost>
		866	EOF
		867
5	franck	868	chown -R root:apache /etc/pki
1	root	869	chmod -R 750 /etc/pki
1389	richard	870	} # End of CA ()
1	root	871
		872	##########################################################################################
1221	richard	873	## Fonction "init_db" ##
1	root	874	## - Initialisation de la base Mysql ##
		875	## - Affectation du mot de passe de l'administrateur (root) ##
		876	## - Suppression des bases et des utilisateurs superflus ##
		877	## - Création de la base 'radius' ##
		878	## - Installation du schéma de cette base ##
		879	## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##
		880	## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##
		881	##########################################################################################
		882	init_db ()
		883	{
1355	richard	884	rm -rf /var/lib/mysql # to be sure that there is no former installation
1	root	885	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
		886	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
1355	richard	887	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
1353	richard	888	systemctl start mysqld.service
1	root	889	sleep 4
		890	mysqladmin -u root password $mysqlpwd
		891	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1355	richard	892	# Secure the server
		893	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
		894	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
615	richard	895	# Create 'radius' database
1317	richard	896	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
615	richard	897	# Add an empty radius database structure
364	franck	898	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
615	richard	899	# modify the start script in order to close accounting connexion when the system is comming down or up
1357	richard	900	[ -e /lib/systemd/system/mysqld.service.default ] \|\| cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
1515	richard	901	$SED "/ExecStartPost=/a ExecStop=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
		902	$SED "/ExecStartPost=/a ExecStartPost=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
1355	richard	903	systemctl daemon-reload
1389	richard	904	} # End of init_db ()
1	root	905
		906	##########################################################################
1389	richard	907	## Fonction "radius" ##
1	root	908	## - Paramètrage des fichiers de configuration FreeRadius ##
		909	## - Affectation du secret partagé entre coova-chilli et freeradius ##
		910	## - Modification de fichier de conf pour l'accès à Mysql ##
		911	##########################################################################
1389	richard	912	radius ()
1	root	913	{
		914	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
		915	chown -R radius:radius /etc/raddb
		916	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1278	richard	917	# Set radius.conf parameters
1	root	918	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		919	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		920	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
1278	richard	921	# remove the proxy function
1	root	922	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf
		923	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
1278	richard	924	# remove EAP module
654	richard	925	$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1278	richard	926	# listen on loopback (should be modified later if EAP enabled)
1	root	927	$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
1278	richard	928	# enable the SQL module (and SQL counter)
1	root	929	$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
		930	$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
		931	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1465	richard	932	# only include modules for ALCASAR needs
		933	$SED "s?^[\t ]\$INCLUDE \${confdir}/modules/.?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
		934	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
		935	$SED "s?^[\t ]expr.?\#\texpr?g" /etc/raddb/radiusd.conf
		936	$SED "s?^[\t ]\# daily.?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
		937	$SED "s?^[\t ]logintime.?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
		938	$SED "s?^[\t ]\$INCLUDE sites-enabled/.?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
1278	richard	939	# remvove virtual server and copy our conf file
1	root	940	rm -f /etc/raddb/sites-enabled/*
1278	richard	941	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1	root	942	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
		943	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
		944	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
		945	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
384	richard	946	# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1	root	947	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1278	richard	948	# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1	root	949	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		950	cat << EOF > /etc/raddb/clients.conf
		951	client 127.0.0.1 {
		952	secret = $secretradius
		953	shortname = localhost
		954	}
		955	EOF
1278	richard	956	# sql.conf modification
1	root	957	[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
		958	$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
		959	$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
		960	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
		961	$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf
1278	richard	962	# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.)
1	root	963	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1278	richard	964	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
		965	# counter.conf modification (change the Max-All-Session-Time counter)
		966	[ -e /etc/raddb/sql/mysql/counter.conf.default ] \|\| cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
		967	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
		968	chown -R radius:radius /etc/raddb/sql/mysql/*
1358	richard	969	# make certain that mysql is up before radius start
		970	[ -e /lib/systemd/system/radiusd.service.default ] \|\| cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
		971	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
		972	systemctl daemon-reload
1389	richard	973	} # End radius ()
1	root	974
		975	##########################################################################
1389	richard	976	## Function "radius_web" ##
1	root	977	## - Import, modification et paramètrage de l'interface "dialupadmin" ##
		978	## - Création du lien vers la page de changement de mot de passe ##
		979	##########################################################################
1389	richard	980	radius_web ()
1	root	981	{
		982	# copie de l'interface d'origine dans la structure Alcasar
316	richard	983	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
		984	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme
		985	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
344	richard	986	# copie des fichiers modifiés
		987	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
316	richard	988	chown -R apache:apache $DIR_ACC/manager/
344	richard	989	# Modification des fichiers de configuration
1	root	990	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
503	richard	991	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1	root	992	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		993	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		994	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
		995	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
		996	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
		997	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
		998	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
946	richard	999	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
344	richard	1000	[ -e /etc/freeradius-web/config.php.default ] \|\| cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
1278	richard	1001	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
131	richard	1002	cat <<EOF > /etc/freeradius-web/naslist.conf
632	richard	1003	nas1_name: alcasar-$ORGANISME
1	root	1004	nas1_model: Portail captif
		1005	nas1_ip: $PRIVATE_IP
		1006	nas1_port_num: 0
		1007	nas1_community: public
		1008	EOF
		1009	# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
		1010	[ -e /etc/freeradius-web/user_edit.attrs.default ] \|\| mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
1278	richard	1011	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
114	richard	1012	# Ajout du mappage des attributs chillispot
		1013	[ -e /etc/freeradius-web/sql.attrmap.default ] \|\| mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
1278	richard	1014	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
1	root	1015	# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
1278	richard	1016	[ -e /etc/freeradius-web/sql.attrs.default ] \|\| cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
1	root	1017	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
		1018	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
5	franck	1019	chown -R apache:apache /etc/freeradius-web
1	root	1020	# Ajout de l'alias vers la page de "changement de mot de passe usager"
		1021	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
344	richard	1022	<Directory $DIR_WEB/pass>
1	root	1023	SSLRequireSSL
		1024	AllowOverride None
		1025	Order deny,allow
		1026	Deny from all
		1027	Allow from 127.0.0.1
		1028	Allow from $PRIVATE_NETWORK_MASK
1243	richard	1029	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
1	root	1030	</Directory>
		1031	EOF
1389	richard	1032	} # End of radius_web ()
1	root	1033
799	richard	1034	##################################################################################
1389	richard	1035	## Fonction "chilli" ##
799	richard	1036	## - Création du fichier d'initialisation et de configuration de coova-chilli ##
		1037	## - Paramètrage de la page d'authentification (intercept.php) ##
		1038	##################################################################################
1389	richard	1039	chilli ()
1	root	1040	{
1370	richard	1041	# chilli unit for systemd
		1042	cat << EOF > /lib/systemd/system/chilli.service
1372	richard	1043	# This file is part of systemd.
		1044	#
		1045	# systemd is free software; you can redistribute it and/or modify it
		1046	# under the terms of the GNU General Public License as published by
		1047	# the Free Software Foundation; either version 2 of the License, or
		1048	# (at your option) any later version.
1370	richard	1049	[Unit]
		1050	Description=chilli is a captive portal daemon
		1051	After=network.target
		1052
		1053	[Service]
1379	richard	1054	Type=forking
1370	richard	1055	ExecStart=/usr/libexec/chilli start
		1056	ExecStop=/usr/libexec/chilli stop
		1057	ExecReload=/usr/libexec/chilli reload
		1058	PIDFile=/var/run/chilli.pid
		1059
		1060	[Install]
		1061	WantedBy=multi-user.target
		1062	EOF
799	richard	1063	# init file creation
1370	richard	1064	[ -e /etc/init.d/chilli.default ] \|\| mv /etc/init.d/chilli /etc/init.d/chilli.default
		1065	cat <<EOF > /usr/libexec/chilli
799	richard	1066	#!/bin/sh
		1067	#
		1068	# chilli CoovaChilli init
		1069	#
		1070	# chkconfig: 2345 65 35
		1071	# description: CoovaChilli
		1072	### BEGIN INIT INFO
		1073	# Provides: chilli
		1074	# Required-Start: network
		1075	# Should-Start:
		1076	# Required-Stop: network
		1077	# Should-Stop:
		1078	# Default-Start: 2 3 5
		1079	# Default-Stop:
		1080	# Description: CoovaChilli access controller
		1081	### END INIT INFO
		1082
		1083	[ -f /usr/sbin/chilli ] \|\| exit 0
		1084	. /etc/init.d/functions
		1085	CONFIG=/etc/chilli.conf
		1086	pidfile=/var/run/chilli.pid
		1087	[ -f \$CONFIG ] \|\| {
		1088	echo "\$CONFIG Not found"
		1089	exit 0
		1090	}
		1091	RETVAL=0
		1092	prog="chilli"
		1093	case \$1 in
		1094	start)
		1095	if [ -f \$pidfile ] ; then
		1096	gprintf "chilli is already running"
		1097	else
		1098	gprintf "Starting \$prog: "
		1099	rm -f /var/run/chilli* # cleaning
		1100	/sbin/modprobe tun >/dev/null 2>&1
		1101	echo 1 > /proc/sys/net/ipv4/ip_forward
		1102	[ -e /dev/net/tun ] \|\| {
		1103	(cd /dev;
		1104	mkdir net;
		1105	cd net;
		1106	mknod tun c 10 200)
		1107	}
1336	richard	1108	ifconfig $INTIF 0.0.0.0
799	richard	1109	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		1110	RETVAL=$?
		1111	fi
		1112	;;
		1113
		1114	reload)
		1115	killall -HUP chilli
		1116	;;
		1117
		1118	restart)
		1119	\$0 stop
		1120	sleep 2
		1121	\$0 start
		1122	;;
		1123
		1124	status)
		1125	status chilli
		1126	RETVAL=0
		1127	;;
		1128
		1129	stop)
		1130	if [ -f \$pidfile ] ; then
		1131	gprintf "Shutting down \$prog: "
		1132	killproc /usr/sbin/chilli
		1133	RETVAL=\$?
		1134	[ \$RETVAL = 0 ] && rm -f $pidfile
		1135	else
		1136	gprintf "chilli is not running"
		1137	fi
		1138	;;
		1139
		1140	*)
		1141	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		1142	exit 1
		1143	esac
		1144	echo
		1145	EOF
1373	richard	1146	chmod a+x /usr/libexec/chilli
799	richard	1147	# conf file creation
346	richard	1148	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
		1149	cat <<EOF > /etc/chilli.conf
		1150	# coova config for ALCASAR
		1151	cmdsocket /var/run/chilli.sock
1336	richard	1152	unixipc chilli.$INTIF.ipc
		1153	pidfile /var/run/chilli.$INTIF.pid
346	richard	1154	net $PRIVATE_NETWORK_MASK
595	richard	1155	dhcpif $INTIF
841	richard	1156	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	1157	#nodynip
865	richard	1158	#statip
		1159	dynip $PRIVATE_NETWORK_MASK
1249	richard	1160	domain $DOMAIN
355	richard	1161	dns1 $PRIVATE_IP
		1162	dns2 $PRIVATE_IP
346	richard	1163	uamlisten $PRIVATE_IP
503	richard	1164	uamport 3990
837	richard	1165	macauth
		1166	macpasswd password
1243	richard	1167	locationname $HOSTNAME.$DOMAIN
346	richard	1168	radiusserver1 127.0.0.1
		1169	radiusserver2 127.0.0.1
		1170	radiussecret $secretradius
		1171	radiusauthport 1812
		1172	radiusacctport 1813
1243	richard	1173	uamserver https://$HOSTNAME.$DOMAIN/intercept.php
		1174	radiusnasid $HOSTNAME.$DOMAIN
346	richard	1175	uamsecret $secretuam
1249	richard	1176	uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN
346	richard	1177	coaport 3799
1379	richard	1178	conup $DIR_DEST_BIN/alcasar-conup.sh
		1179	condown $DIR_DEST_BIN/alcasar-condown.sh
503	richard	1180	include $DIR_DEST_ETC/alcasar-uamallowed
		1181	include $DIR_DEST_ETC/alcasar-uamdomain
1294	richard	1182	#dhcpgateway
1157	stephane	1183	#dhcprelayagent
		1184	#dhcpgatewayport
346	richard	1185	EOF
1336	richard	1186	# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
977	richard	1187	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
840	richard	1188	# create files for trusted domains and urls
1148	crox53	1189	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	1190	chown root:apache $DIR_DEST_ETC/alcasar-*
		1191	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	1192	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	1193	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
		1194	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
796	richard	1195	# user 'chilli' creation (in order to run conup/off and up/down scripts
		1196	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		1197	if [ "$chilli_exist" == "1" ]
		1198	then
		1199	userdel -r chilli 2>/dev/null
		1200	fi
		1201	groupadd -f chilli
		1202	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1389	richard	1203	} # End of chilli ()
1349	richard	1204
1	root	1205	##################################################################
1389	richard	1206	## Fonction "dansguardian" ##
1	root	1207	## - Paramètrage du gestionnaire de contenu Dansguardian ##
		1208	##################################################################
1389	richard	1209	dansguardian ()
1	root	1210	{
		1211	mkdir /var/dansguardian
		1212	chown dansguardian /var/dansguardian
1375	richard	1213	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1391	richard	1214	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
497	richard	1215	[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1293	richard	1216	# By default the filter is off
497	richard	1217	$SED "s/^reportinglevel =.*/reportinglevel = -1/g" $DIR_DG/dansguardian.conf
1293	richard	1218	# French deny HTML page
497	richard	1219	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1293	richard	1220	# Listen only on LAN side
497	richard	1221	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1342	richard	1222	# DG send its flow to HAVP
		1223	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1293	richard	1224	# replace the default deny HTML page
1	root	1225	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
		1226	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1293	richard	1227	# Don't log
		1228	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
		1229	# Run 10 daemons (20 in largest server)
659	richard	1230	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1	root	1231	# on désactive par défaut le controle de contenu des pages html
497	richard	1232	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
		1233	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1234	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1	root	1235	# on désactive par défaut le contrôle d'URL par expressions régulières
497	richard	1236	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1237	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1	root	1238	# on désactive par défaut le contrôle de téléchargement de fichiers
497	richard	1239	[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
		1240	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
		1241	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1242	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1243	touch $DIR_DG/lists/bannedextensionlist
		1244	touch $DIR_DG/lists/bannedmimetypelist
		1245	# 'Safesearch' regex actualisation
498	richard	1246	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1247	# empty LAN IP list that won't be WEB filtered
		1248	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1249	touch $DIR_DG/lists/exceptioniplist
		1250	# Keep a copy of URL & domain filter configuration files
		1251	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1252	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1389	richard	1253	} # End of dansguardian ()
1	root	1254
71	richard	1255	##################################################################
1221	richard	1256	## Fonction "antivirus" ##
1357	richard	1257	## - configuration of havp, libclamav and freshclam ##
71	richard	1258	##################################################################
		1259	antivirus ()
		1260	{
1358	richard	1261	# create 'havp' user
288	richard	1262	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1263	if [ "$havp_exist" == "1" ]
288	richard	1264	then
478	richard	1265	userdel -r havp 2>/dev/null
894	richard	1266	groupdel havp 2>/dev/null
288	richard	1267	fi
307	richard	1268	groupadd -f havp
1486	richard	1269	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1366	richard	1270	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
1484	richard	1271	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
109	richard	1272	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1273	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1484	richard	1274	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config # pidfile
		1275	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode
631	richard	1276	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
1485	richard	1277	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on port 8090 (on loopback)
990	franck	1278	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1279	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1280	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1281	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1282	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1283	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1007	richard	1284	# skip checking of youtube flow (too heavy load / risk too low)
		1285	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1286	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1287	echo ".youtube.com/" >> /etc/havp/whitelist
1544	richard	1288	# adapt init script and systemd unit
335	richard	1289	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
481	franck	1290	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1547	richard	1291	[ -e /lib/systemd/system/havp.service.default ] \|\| cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
		1292	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1544	richard	1293	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1358	richard	1294	# replace of the intercept page (template)
340	richard	1295	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1296	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1358	richard	1297	# update virus database every 4 hours (24h/6)
1357	richard	1298	[ -e /etc/freshclam.conf.default ] \|\| cp /etc/freshclam.conf /etc/freshclam.conf.default
		1299	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
489	richard	1300	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1357	richard	1301	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1358	richard	1302	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
		1303	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1385	richard	1304	# update now
1382	richard	1305	/usr/bin/freshclam --no-warnings
1389	richard	1306	} # End of antivirus ()
71	richard	1307
1486	richard	1308	##########################################################################
		1309	## Fonction "tinyproxy" ##
		1310	## - configuration of tinyproxy (proxy between filterde users and havp) ##
		1311	##########################################################################
1485	richard	1312	tinyproxy ()
		1313	{
1486	richard	1314	tinyproxy_exist=`grep tinyproxy /etc/passwd\|wc -l`
		1315	if [ "$tinyproxy_exist" == "1" ]
		1316	then
		1317	userdel -r tinyproxy 2>/dev/null
		1318	groupdel tinyproxy 2>/dev/null
		1319	fi
		1320	groupadd -f tinyproxy
1488	richard	1321	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1518	richard	1322	mkdir -p var/run/tinyproxy /var/log/tinyproxy
1517	richard	1323	chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy
1486	richard	1324	[ -e /etc/tinyproxy/tinyproxy.conf.default ] \|\| cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
		1325	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
		1326	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
		1327	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf # Listen Port
		1328	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf # Listen NIC (only intif)
1508	richard	1329	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1518	richard	1330	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1486	richard	1331	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged
		1332	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP
		1333	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode
1544	richard	1334	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf # Allow from LAN
1509	richard	1335	# Create the systemd unit
		1336	cat << EOF > /lib/systemd/system/tinyproxy.service
		1337	# This file is part of systemd.
		1338	#
		1339	# systemd is free software; you can redistribute it and/or modify it
		1340	# under the terms of the GNU General Public License as published by
		1341	# the Free Software Foundation; either version 2 of the License, or
		1342	# (at your option) any later version.
1485	richard	1343
1509	richard	1344	# This unit launches tinyproxy (a very light proxy).
1518	richard	1345	# The "sleep 2" is needed because the pid file isn't ready for systemd
1509	richard	1346	[Unit]
		1347	Description=Tinyproxy Web Proxy Server
		1348	After=network.target iptables.service
		1349
		1350	[Service]
		1351	Type=forking
1518	richard	1352	ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
		1353	ExecStartPre=/bin/sleep 2
		1354	PIDFile=/var/run/tinyproxy/tinyproxy.pid
1509	richard	1355	ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
		1356
		1357	[Install]
		1358	WantedBy=multi-user.target
		1359	EOF
		1360
1485	richard	1361	} # end of tinyproxy
1	root	1362	##################################################################################
1389	richard	1363	## function "ulogd" ##
476	richard	1364	## - Ulog config for multi-log files ##
		1365	##################################################################################
1389	richard	1366	ulogd ()
476	richard	1367	{
		1368	# Three instances of ulogd (three different logfiles)
		1369	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1370	nl=1
1358	richard	1371	for log_type in traceability ssh ext-access
478	richard	1372	do
1365	richard	1373	[ -e /lib/systemd/system/ulogd-$log_type.service ] \|\| cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1369	richard	1374	[ -e /var/log/firewall/$log_type.log ] \|\| echo "" > /var/log/firewall/$log_type.log
1375	richard	1375	cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
478	richard	1376	$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
		1377	cat << EOF >> /etc/ulogd-$log_type.conf
1452	richard	1378	[emu1]
478	richard	1379	file="/var/log/firewall/$log_type.log"
		1380	sync=1
		1381	EOF
1452	richard	1382	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
478	richard	1383	nl=`expr $nl + 1`
		1384	done
476	richard	1385	chown -R root:apache /var/log/firewall
		1386	chmod 750 /var/log/firewall
		1387	chmod 640 /var/log/firewall/*
1389	richard	1388	} # End of ulogd ()
476	richard	1389
1159	crox53	1390
		1391	##########################################################
1389	richard	1392	## Function "nfsen" ##
1159	crox53	1393	##########################################################
1389	richard	1394	nfsen()
1	root	1395	{
1393	richard	1396	tar xzf ./conf/nfsen/nfsen-1.3.6p1.tar.gz -C /tmp/
1365	richard	1397	# Add PortTracker plugin
1534	richard	1398	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1395	richard	1399	do
1536	richard	1400	[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1395	richard	1401	done
1515	richard	1402	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm
1365	richard	1403	# use of our conf file and init unit
1221	richard	1404	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.6p1/etc/
1365	richard	1405	# Installation of nfsen
1221	richard	1406	DirTmp=$(pwd)
		1407	cd /tmp/nfsen-1.3.6p1/
1365	richard	1408	/usr/bin/perl5 install.pl etc/nfsen.conf
		1409	/usr/bin/perl5 install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
		1410	# Create RRD DB for porttracker (only in it still doesn't exist)
1221	richard	1411	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
1534	richard	1412	cp /tmp/nfsen-1.3.6p1/contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1395	richard	1413	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
		1414	chmod -R 770 /var/log/netflow/porttracker
1372	richard	1415	# nfsen unit for systemd
		1416	cat << EOF > /lib/systemd/system/nfsen.service
		1417	# This file is part of systemd.
		1418	#
		1419	# systemd is free software; you can redistribute it and/or modify it
		1420	# under the terms of the GNU General Public License as published by
		1421	# the Free Software Foundation; either version 2 of the License, or
		1422	# (at your option) any later version.
		1423
		1424	# This unit launches nfsen (a Netflow grapher).
		1425	[Unit]
		1426	Description= NfSen init script
		1427	After=network.target iptables.service
		1428
		1429	[Service]
		1430	Type=oneshot
		1431	RemainAfterExit=yes
1393	richard	1432	PIDFile=/var/run/nfsen/nfsen.pid
		1433	ExecStartPre=/bin/mkdir -p /var/run/nfsen
		1434	ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1372	richard	1435	ExecStart=/usr/bin/nfsen start
		1436	ExecStop=/usr/bin/nfsen stop
1393	richard	1437	ExecReload=/usr/bin/nfsen restart
1372	richard	1438	TimeoutSec=0
		1439
		1440	[Install]
		1441	WantedBy=multi-user.target
		1442	EOF
1365	richard	1443	# Add the listen port to collect netflow packet (nfcapd)
1393	richard	1444	$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
1365	richard	1445	# expire delay for the profile "live"
1393	richard	1446	systemctl start nfsen
		1447	/bin/nfsen -m live -e 62d 2>/dev/null
1397	richard	1448	# add SURFmap plugin
1509	richard	1449	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1512	richard	1450	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1509	richard	1451	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
1512	richard	1452	cd /tmp/
		1453	/usr/bin/sh SURFmap/install.sh
1544	richard	1454	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1365	richard	1455	# clear the installation
1221	richard	1456	cd $DirTmp
1509	richard	1457	rm -rf /tmp/nfsen*
		1458	rm -rf /tmp/SURFmap*
1389	richard	1459	} # End of nfsen ()
1	root	1460
1390	richard	1461	##################################################
1541	richard	1462	## Function "vnstat" ##
		1463	## Initialization of Vnstat and vnstat phpFE ##
		1464	##################################################
		1465	vnstat ()
		1466	{
		1467	[ -e /etc/vnstat.conf.default ] \|\| cp /etc/vnstat.conf /etc/vnstat.conf.default
		1468	$SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
		1469	[ -e $DIR_ACC/manager/stats/config.php.default ] \|\| cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
		1470	$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?g" $DIR_ACC/manager/stats/config.php
		1471	$SED "s?\$iface_title.*?\$iface_title['$EXTIF'] = 'Internet outbound';?g" $DIR_ACC/manager/stats/config.php
		1472	/usr/bin/vnstat -u -i $EXTIF
		1473	} # End of vnstat
		1474	##################################################
1389	richard	1475	## Function "dnsmasq" ##
1390	richard	1476	##################################################
1389	richard	1477	dnsmasq ()
219	jeremy	1478	{
		1479	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
1356	richard	1480	[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1387	richard	1481	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
503	richard	1482	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1472	richard	1483	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
503	richard	1484	cat << EOF > /etc/dnsmasq.conf
520	richard	1485	# Configuration file for "dnsmasq in forward mode"
1387	richard	1486	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
259	richard	1487	listen-address=$PRIVATE_IP
1390	richard	1488	pid-file=/var/run/dnsmasq.pid
259	richard	1489	listen-address=127.0.0.1
286	richard	1490	no-dhcp-interface=$INTIF
1387	richard	1491	no-dhcp-interface=tun0
		1492	no-dhcp-interface=lo
259	richard	1493	bind-interfaces
		1494	cache-size=256
		1495	domain=$DOMAIN
		1496	domain-needed
		1497	expand-hosts
		1498	bogus-priv
		1499	filterwin2k
		1500	server=$DNS1
		1501	server=$DNS2
1387	richard	1502	# DHCP service is configured. It will be enabled in "bypass" mode
865	richard	1503	dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
632	richard	1504	dhcp-option=option:router,$PRIVATE_IP
1482	richard	1505	dhcp-option=option:ntp-server,$PRIVATE_IP
259	richard	1506
1387	richard	1507	# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1508	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1509	EOF
1356	richard	1510	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
		1511	cat << EOF > /etc/dnsmasq-blacklist.conf
1390	richard	1512	# Configuration file for "dnsmasq with blacklist"
1387	richard	1513	# Add Toulouse blacklist domains
1472	richard	1514	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
1015	richard	1515	conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1390	richard	1516	pid-file=/var/run/dnsmasq-blacklist.pid
498	richard	1517	listen-address=$PRIVATE_IP
		1518	port=54
		1519	no-dhcp-interface=$INTIF
1387	richard	1520	no-dhcp-interface=tun0
1472	richard	1521	no-dhcp-interface=lo
498	richard	1522	bind-interfaces
		1523	cache-size=256
		1524	domain=$DOMAIN
		1525	domain-needed
		1526	expand-hosts
		1527	bogus-priv
		1528	filterwin2k
		1529	server=$DNS1
		1530	server=$DNS2
		1531	EOF
1379	richard	1532	# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1357	richard	1533	cat << EOF > /etc/dnsmasq-whitelist.conf
1390	richard	1534	# Configuration file for "dnsmasq with whitelist"
1356	richard	1535	# Inclusion de la whitelist <domains> de Toulouse dans la configuration
1472	richard	1536	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
1356	richard	1537	conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1472	richard	1538	pid-file=/var/run/dnsmasq-whitelist.pid
1356	richard	1539	listen-address=$PRIVATE_IP
		1540	port=55
		1541	no-dhcp-interface=$INTIF
1387	richard	1542	no-dhcp-interface=tun0
1472	richard	1543	no-dhcp-interface=lo
1356	richard	1544	bind-interfaces
		1545	cache-size=256
		1546	domain=$DOMAIN
		1547	domain-needed
		1548	expand-hosts
		1549	bogus-priv
		1550	filterwin2k
1472	richard	1551	address=/#/$PRIVATE_IP # for Domain name without local resolution (WL)
		1552	ipset=/#/whitelist_ip_allowed # dynamicly add the resolv IP address in the Firewall rules
1356	richard	1553	EOF
1472	richard	1554	# 4th dnsmasq listen on udp 56 ("blackhole")
		1555	cat << EOF > /etc/dnsmasq-blackhole.conf
		1556	# Configuration file for "dnsmasq as a blackhole"
		1557	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
		1558	address=/#/$PRIVATE_IP # redirect all on ALCASAR IP address
		1559	pid-file=/var/run/dnsmasq-blackhole.pid
		1560	listen-address=$PRIVATE_IP
		1561	port=56
		1562	no-dhcp-interface=$INTIF
		1563	no-dhcp-interface=tun0
		1564	no-dhcp-interface=lo
		1565	bind-interfaces
		1566	cache-size=256
		1567	domain=$DOMAIN
		1568	domain-needed
		1569	expand-hosts
		1570	bogus-priv
		1571	filterwin2k
		1572	EOF
		1573
1517	richard	1574	# the main instance should start after network and chilli (which create tun0)
1547	richard	1575	[ -e /lib/systemd/system/dnsmasq.service.default ] \|\| cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1517	richard	1576	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1474	richard	1577	# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
		1578	for list in blacklist whitelist blackhole
		1579	do
		1580	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
		1581	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
		1582	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
		1583	done
308	richard	1584	} # End dnsmasq
		1585
		1586	##########################################################
1221	richard	1587	## Fonction "BL" ##
308	richard	1588	##########################################################
		1589	BL ()
		1590	{
1384	richard	1591	# copy and extract toulouse BL
648	richard	1592	rm -rf $DIR_DG/lists/blacklists
		1593	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
1383	richard	1594	# creation of the OSSI BL and WL categories (domain name and url)
878	richard	1595	mkdir $DIR_DG/lists/blacklists/ossi
1041	richard	1596	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
		1597	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
1384	richard	1598	chown -R dansguardian:apache $DIR_DG $DIR_DEST_SHARE
		1599	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1383	richard	1600	# creation of file for the rehabilited domains and urls
648	richard	1601	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1602	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1603	touch $DIR_DG/lists/exceptionsitelist
		1604	touch $DIR_DG/lists/exceptionurllist
311	richard	1605	# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
648	richard	1606	cat <<EOF > $DIR_DG/lists/bannedurllist
311	richard	1607	# Dansguardian filter config for ALCASAR
		1608	EOF
648	richard	1609	cat <<EOF > $DIR_DG/lists/bannedsitelist
311	richard	1610	# Dansguardian domain filter config for ALCASAR
		1611	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1612	#**
		1613	# block all SSL and CONNECT tunnels
		1614	**s
		1615	# block all SSL and CONNECT tunnels specified only as an IP
		1616	*ips
		1617	# block all sites specified only by an IP
		1618	*ip
		1619	EOF
1000	richard	1620	# Add Bing and Youtube to the safesearch url regext list (parental control)
878	richard	1621	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1622	# Bing - add 'adlt=strict'
		1623	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1624	# Youtube - add 'edufilter=your_ID'
885	richard	1625	#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"
878	richard	1626	EOF
1000	richard	1627	# change the the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1628	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1370	richard	1629	# adapt the BL to ALCASAR architecture. Enable the default categories
654	richard	1630	if [ "$mode" != "update" ]; then
		1631	$DIR_DEST_SBIN/alcasar-bl.sh --adapt
1370	richard	1632	$DIR_DEST_SBIN/alcasar-bl.sh --cat_choice
654	richard	1633	fi
308	richard	1634	}
219	jeremy	1635
1	root	1636	##########################################################
1221	richard	1637	## Fonction "cron" ##
1	root	1638	## - Mise en place des différents fichiers de cron ##
		1639	##########################################################
		1640	cron ()
		1641	{
		1642	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1643	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1644	cat <<EOF > /etc/crontab
		1645	SHELL=/bin/bash
		1646	PATH=/sbin:/bin:/usr/sbin:/usr/bin
		1647	MAILTO=root
		1648	HOME=/
		1649
		1650	# run-parts
		1651	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1652	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1653	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1654	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1655	EOF
		1656	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1657	cat <<EOF >> /etc/anacrontab
667	franck	1658	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
1380	richard	1659	7 10 cron.logExport nice /etc/cron.d/alcasar-archive
667	franck	1660	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1661	EOF
1247	crox53	1662
811	richard	1663	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1664	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
955	richard	1665	45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
905	franck	1666	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
917	franck	1667	40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1668	EOF
952	franck	1669	cat <<EOF > /etc/cron.d/alcasar-archive
		1670	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1671	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1672	EOF
667	franck	1673	cat << EOF > /etc/cron.d/alcasar-clean_import
713	franck	1674	# suppression des fichiers de mots de passe lors d'imports massifs par fichier de plus de 24h
503	richard	1675	30 * * * * root $DIR_DEST_BIN/alcasar-import-clean.sh
168	franck	1676	EOF
722	franck	1677	cat << EOF > /etc/cron.d/alcasar-distrib-updates
		1678	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1679	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1680	EOF
1247	crox53	1681	#cat << EOF > /etc/cron.d/alcasar-netflow
1159	crox53	1682	# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
1247	crox53	1683	#15 0 * * 1 root $DIR_DEST_BIN/alcasar-netflow.sh
		1684	#EOF
1159	crox53	1685
1	root	1686	# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
		1687	# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
		1688	# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
		1689	# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
		1690	# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
		1691	# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
		1692	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
		1693	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
		1694	rm -f /etc/cron.daily/freeradius-web
		1695	rm -f /etc/cron.monthly/freeradius-web
		1696	cat << EOF > /etc/cron.d/freeradius-web
		1697	1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
		1698	5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
		1699	10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
		1700	15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
		1701	EOF
671	franck	1702	cat << EOF > /etc/cron.d/alcasar-watchdog
713	franck	1703	# activation du "chien de garde" (watchdog) toutes les 3'
1	root	1704	/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
		1705	EOF
808	franck	1706	# activation du "chien de garde des services" (watchdog) toutes les 18'
		1707	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
		1708	# activation du "chien de garde" (daemon-watchdog) toutes les 18'
		1709	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1710	EOF
522	richard	1711	# suppression des crons usagers
		1712	rm -f /var/spool/cron/*
1	root	1713	} # End cron
		1714
		1715	##################################################################
1221	richard	1716	## Fonction "Fail2Ban" ##
1163	crox53	1717	##- Modification de la configuration de fail2ban ##
		1718	##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ##
		1719	##################################################################
		1720	fail2ban()
		1721	{
1191	crox53	1722	$DIR_CONF/fail2ban.sh
1474	richard	1723	# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1192	crox53	1724	[ -e /var/log/fail2ban.log ] \|\| touch /var/log/fail2ban.log
1489	richard	1725	[ -e /var/Save/security/watchdog.log ] \|\| touch /var/Save/security/watchdog.log
1165	crox53	1726	chmod 644 /var/log/fail2ban.log
1489	richard	1727	chmod 644 /var/Save/security/watchdog.log
1418	richard	1728	/usr/bin/touch /var/log/auth.log
1515	richard	1729	# fail2ban unit
		1730	[ -e /lib/systemd/system/fail2ban.service.default ] \|\| cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
		1731	$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
		1732	$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1418	richard	1733	$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1163	crox53	1734	} #Fin de fail2ban_install()
		1735
		1736	##################################################################
1376	richard	1737	## Fonction "gammu_smsd" ##
		1738	## - Creation de la base de donnée Gammu ##
		1739	## - Creation du fichier de config: gammu_smsd_conf ##
		1740	## ##
		1741	##################################################################
		1742	gammu_smsd()
		1743	{
		1744	# Create 'gammu' databse
		1745	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
		1746	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
		1747	# Add a gammu database structure
		1748	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/gammu-smsd-db-vierge.sql
		1749
		1750	# config file for the daemon
		1751	cat << EOF > /etc/gammu_smsd_conf
		1752	[gammu]
		1753	port = /dev/ttyUSB0
		1754	connection = at115200
		1755
		1756	;########################################################
		1757
		1758	[smsd]
		1759
		1760	PIN = 1234
		1761
		1762	logfile = /var/log/gammu-smsd/gammu-smsd.log
		1763	logformat = textall
		1764	debuglevel = 0
		1765
		1766	service = sql
		1767	driver = native_mysql
		1768	user = $DB_USER
		1769	password = $radiuspwd
		1770	pc = localhost
		1771	database = $DB_GAMMU
		1772
		1773	RunOnReceive = /usr/local/bin/alcasar-sms.sh --new_sms
		1774
		1775	StatusFrequency = 30
1380	richard	1776	;LoopSleep = 2
1376	richard	1777
		1778	;ResetFrequency = 300
		1779	;HardResetFrequency = 120
		1780
		1781	CheckSecurity = 1
		1782	CheckSignal = 1
		1783	CheckBattery = 0
		1784	EOF
		1785
		1786	chmod 755 /etc/gammu_smsd_conf
		1787
		1788	#Creation dossier de log Gammu-smsd
1382	richard	1789	[ -e /var/log/gammu-smsd ] \|\| mkdir /var/log/gammu-smsd
1376	richard	1790	chmod 755 /var/log/gammu-smsd
		1791
		1792	#Edition du script sql gammu <-> radius
1452	richard	1793	$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
		1794	$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1376	richard	1795
1380	richard	1796	#Création de la règle udev pour les Huawei // idVendor: 12d1
		1797	cat << EOF > /etc/udev/rules.d/66-huawei.rules
		1798	KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="/usr/local/bin/alcasar-sms.sh --mode"
		1799	EOF
		1800
1376	richard	1801	} # END gammu_smsd()
		1802
		1803	##################################################################
1221	richard	1804	## Fonction "post_install" ##
1	root	1805	## - Modification des bannières (locales et ssh) et des prompts ##
		1806	## - Installation de la structure de chiffrement pour root ##
		1807	## - Mise en place du sudoers et de la sécurité sur les fichiers##
		1808	## - Mise en place du la rotation des logs ##
5	franck	1809	## - Configuration dans le cas d'une mise à jour ##
1	root	1810	##################################################################
		1811	post_install()
		1812	{
		1813	# création de la bannière locale
1007	richard	1814	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		1815	cp -f $DIR_CONF/banner /etc/mageia-release
		1816	echo " V$VERSION" >> /etc/mageia-release
1	root	1817	# création de la bannière SSH
1007	richard	1818	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
5	franck	1819	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1820	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1821	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1822	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1823	# postfix banner anonymisation
		1824	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
604	richard	1825	# sshd écoute côté LAN et WAN
1499	richard	1826	$SED "s?^#ListenAddress.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
860	richard	1827	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
628	richard	1828	echo "SSH=off" >> $CONF_FILE
1063	richard	1829	echo 'SSH_ADMIN_FROM=0.0.0.0/0.0.0.0' >> $CONF_FILE
628	richard	1830	echo "QOS=off" >> $CONF_FILE
		1831	echo "LDAP=off" >> $CONF_FILE
786	richard	1832	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
885	richard	1833	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1078	franck	1834	echo "MULTIWAN=off" >> $CONF_FILE
		1835	echo "FAILOVER=30" >> $CONF_FILE
		1836	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1336	richard	1837	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
		1838	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1	root	1839	# Coloration des prompts
		1840	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1841	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1842	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1	root	1843	# Droits d'exécution pour utilisateur apache et sysadmin
		1844	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1845	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1846	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
1543	richard	1847	# Modify some logrotate files (gammu, ulogd)
1	root	1848	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		1849	chmod 644 /etc/logrotate.d/*
714	franck	1850	# rectification sur versions précédentes de la compression des logs
706	franck	1851	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		1852	# actualisation des fichiers logs compressés
1342	richard	1853	for dir in firewall dansguardian httpd
706	franck	1854	do
714	franck	1855	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	1856	done
1221	richard	1857	# create the alcasar-load_balancing unit
		1858	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1184	crox53	1859	# This file is part of systemd.
		1860	#
		1861	# systemd is free software; you can redistribute it and/or modify it
		1862	# under the terms of the GNU General Public License as published by
		1863	# the Free Software Foundation; either version 2 of the License, or
		1864	# (at your option) any later version.
		1865
		1866	# This unit lauches alcasar-load-balancing.sh script.
		1867	[Unit]
		1868	Description=alcasar-load_balancing.sh execution
		1869	After=network.target iptables.service
		1870
		1871	[Service]
		1872	Type=oneshot
		1873	RemainAfterExit=yes
		1874	ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
		1875	ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
		1876	TimeoutSec=0
		1877	SysVStartPriority=99
		1878
		1879	[Install]
		1880	WantedBy=multi-user.target
1157	stephane	1881	EOF
1221	richard	1882	# processes launched at boot time (Systemctl)
1525	franck	1883	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat
1221	richard	1884	do
1389	richard	1885	systemctl -q enable $i.service
1221	richard	1886	done
1452	richard	1887
		1888	# disable processes at boot time (Systemctl)
		1889	for i in ulogd
		1890	do
		1891	systemctl -q disable $i.service
		1892	done
		1893
1221	richard	1894	# Apply French Security Agency (ANSSI) rules
1362	richard	1895	# ignore ICMP broadcast (smurf attack)
		1896	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
		1897	# ignore ICMP errors bogus
		1898	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
		1899	# remove ICMP redirects responces
		1900	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1901	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1902	# enable SYN Cookies (Syn flood attacks)
		1903	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
		1904	# enable kernel antispoofing
		1905	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
		1906	# ignore source routing
		1907	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
		1908	# set conntrack timer to 1h (3600s) instead of 5 weeks
		1909	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1157	stephane	1910	# disable log_martians (ALCASAR is often installed between two private network addresses)
1363	richard	1911	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1362	richard	1912	# remove Magic SysReq Keys
1363	richard	1913	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1003	richard	1914	# switch to multi-users runlevel (instead of x11)
1221	richard	1915	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1005	richard	1916	# GRUB modifications
		1917	# limit wait time to 3s
		1918	# create an alcasar entry instead of linux-nonfb
		1919	# change display to 1024*768 (vga791)
1221	richard	1920	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
		1921	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
		1922	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
		1923	$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
		1924	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
		1925	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1003	richard	1926	# Remove unused services and users
1502	richard	1927	for svc in sshd
1221	richard	1928	do
1502	richard	1929	/bin/systemctl -q disable $svc.service
1221	richard	1930	done
		1931	# Load and apply the previous conf file
		1932	if [ "$mode" = "update" ]
532	richard	1933	then
1266	richard	1934	$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs
1221	richard	1935	$DIR_DEST_BIN/alcasar-conf.sh --load
		1936	PARENT_SCRIPT=`basename $0`
		1937	export PARENT_SCRIPT # to avoid stop&start process during the installation process
		1938	$DIR_DEST_BIN/alcasar-conf.sh --apply
		1939	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		1940	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
1269	richard	1941	if [ $MAJ_PREVIOUS_VERSION -lt 2 ] \|\| ([ $MAJ_PREVIOUS_VERSION -eq 2 ] && [ $MIN_PREVIOUS_VERSION -lt 8 ])
		1942	# update needed for versions previous then 2.8 due to the integration of the domainname ("localdomain" by default)
		1943	then
		1944	header_install
		1945	if [ $Lang == "fr" ]
		1946	then
		1947	echo "Cette mise à jour nécessite de redéfinir le premier compte d'administration du portail"
		1948	echo
		1949	echo -n "Nom : "
		1950	else
		1951	echo "This update need to redefine the first admin account"
		1952	echo
		1953	echo -n "Account : "
		1954	fi
		1955	read admin_portal
		1956	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		1957	mkdir -p $DIR_DEST_ETC/digest
		1958	chmod 755 $DIR_DEST_ETC/digest
		1959	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		1960	do
1350	richard	1961	/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
1269	richard	1962	done
		1963	$DIR_DEST_SBIN/alcasar-profil.sh --list
		1964	fi
532	richard	1965	fi
1221	richard	1966	rm -f /tmp/alcasar-conf*
		1967	chown -R root:apache $DIR_DEST_ETC/*
		1968	chmod -R 660 $DIR_DEST_ETC/*
		1969	chmod ug+x $DIR_DEST_ETC/digest
1045	franck	1970	# Apply and save the firewall rules
		1971	sh $DIR_DEST_BIN/alcasar-iptables.sh
		1972	sleep 2
1	root	1973	cd $DIR_INSTALL
5	franck	1974	echo ""
1	root	1975	echo "#############################################################################"
638	richard	1976	if [ $Lang == "fr" ]
		1977	then
		1978	echo "# Fin d'installation d'ALCASAR #"
		1979	echo "# #"
		1980	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1981	echo "# des Accès au Réseau ( ALCASAR ) #"
		1982	echo "# #"
		1983	echo "#############################################################################"
		1984	echo
		1985	echo "- ALCASAR sera fonctionnel après redémarrage du système"
		1986	echo
		1987	echo "- Lisez attentivement la documentation d'exploitation"
		1988	echo
		1989	echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		1990	echo
		1991	echo " Appuyez sur 'Entrée' pour continuer"
		1992	else
		1993	echo "# Enf of ALCASAR install process #"
		1994	echo "# #"
		1995	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1996	echo "# des Accès au Réseau ( ALCASAR ) #"
		1997	echo "# #"
		1998	echo "#############################################################################"
		1999	echo
		2000	echo "- The system will be rebooted in order to operate ALCASAR"
		2001	echo
		2002	echo "- Read the exploitation documentation"
		2003	echo
		2004	echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		2005	echo
		2006	echo " Hit 'Enter' to continue"
		2007	fi
815	richard	2008	sleep 2
		2009	if [ "$mode" != "update" ]
820	richard	2010	then
815	richard	2011	read a
		2012	fi
774	richard	2013	clear
1	root	2014	reboot
		2015	} # End post_install ()
		2016
		2017	#################################
1005	richard	2018	# Main Install loop #
1	root	2019	#################################
832	richard	2020	dir_exec=`dirname "$0"`
		2021	if [ $dir_exec != "." ]
		2022	then
		2023	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
		2024	echo "Launch this program from the ALCASAR archive directory"
		2025	exit 0
		2026	fi
		2027	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	2028	usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"
1	root	2029	nb_args=$#
		2030	args=$1
		2031	if [ $nb_args -eq 0 ]
		2032	then
		2033	nb_args=1
		2034	args="-h"
		2035	fi
1062	richard	2036	chmod -R u+x $DIR_SCRIPTS/*
1	root	2037	case $args in
		2038	-\? \| -h* \| --h*)
		2039	echo "$usage"
		2040	exit 0
		2041	;;
291	franck	2042	-i \| --install)
1538	richard	2043	header_install
959	franck	2044	license
1544	richard	2045	header_install
29	richard	2046	testing
595	richard	2047	# RPMs install
		2048	$DIR_SCRIPTS/alcasar-urpmi.sh
		2049	if [ "$?" != "0" ]
1	root	2050	then
595	richard	2051	exit 0
		2052	fi
1249	richard	2053	if [ -e $CONF_FILE ]
595	richard	2054	then
597	richard	2055	# Uninstall the running version
532	richard	2056	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
595	richard	2057	fi
636	richard	2058	# Test if manual update
1362	richard	2059	if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
595	richard	2060	then
636	richard	2061	header_install
595	richard	2062	if [ $Lang == "fr" ]
636	richard	2063	then echo "Le fichier de configuration d'une ancienne version a été trouvé";
		2064	else echo "The configuration file of an old version has been found";
595	richard	2065	fi
597	richard	2066	response=0
		2067	PTN='^[oOnNyY]$'
		2068	until [[ $(expr $response : $PTN) -gt 0 ]]
		2069	do
		2070	if [ $Lang == "fr" ]
		2071	then echo -n "Voulez-vous l'utiliser (O/n)? ";
		2072	else echo -n "Do you want to use it (Y/n)?";
		2073	fi
		2074	read response
		2075	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		2076	then rm -f /tmp/alcasar-conf*
		2077	fi
		2078	done
		2079	fi
636	richard	2080	# Test if update
1057	richard	2081	if [ -e /tmp/alcasar-conf* ]
597	richard	2082	then
		2083	if [ $Lang == "fr" ]
		2084	then echo "#### Installation avec mise à jour ####";
		2085	else echo "#### Installation with update ####";
		2086	fi
636	richard	2087	# Extract the central configuration file
1057	richard	2088	tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
637	richard	2089	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	2090	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		2091	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		2092	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		2093	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	2094	mode="update"
1	root	2095	fi
1541	richard	2096	for func in init network ACC CA init_db radius radius_web chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install
5	franck	2097	do
		2098	$func
1362	richard	2099	# echo "* 'debug' : end of function $func *"; read a
14	richard	2100	done
5	franck	2101	;;
291	franck	2102	-u \| --uninstall)
5	franck	2103	if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1	root	2104	then
597	richard	2105	if [ $Lang == "fr" ]
		2106	then echo "ALCASAR n'est pas installé!";
		2107	else echo "ALCASAR isn't installed!";
		2108	fi
1	root	2109	exit 0
		2110	fi
5	franck	2111	response=0
		2112	PTN='^[oOnN]$'
580	richard	2113	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	2114	do
597	richard	2115	if [ $Lang == "fr" ]
		2116	then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
854	richard	2117	else echo -n "Do you want to create the running version configuration file (Y/n)? ";
597	richard	2118	fi
5	franck	2119	read response
		2120	done
1103	richard	2121	if [ "$response" = "o" ] \|\| [ "$response" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]
1	root	2122	then
1103	richard	2123	$DIR_SCRIPTS/alcasar-conf.sh --create
498	richard	2124	else
		2125	rm -f /tmp/alcasar-conf*
1	root	2126	fi
597	richard	2127	# Uninstall the running version
65	richard	2128	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1	root	2129	;;
		2130	*)
		2131	echo "Argument inconnu :$1";
460	richard	2132	echo "Unknown argument :$1";
1	root	2133	echo "$usage"
		2134	exit 1
		2135	;;
		2136	esac
10	franck	2137	# end of script
366	franck	2138

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1547