WebSVN – ALCASAR – Blame – /alcasar.sh

Rev	Author	Line No.	Line
672	richard	1	#!/bin/bash
57	franck	2	# $Id: alcasar.sh 1570 2015-02-13 22:42:09Z richard $
1	root	3
		4	# alcasar.sh
959	franck	5
1157	stephane	6	# ALCASAR Install script - CopyLeft ALCASAR Team [Rexy + 3abtux + Steweb + Crox + ...]
		7	# Ce programme est un logiciel libre ; This software is free and open source
959	franck	8	# elle que publiée par la Free Software Foundation ; soit la version 3 de la Licence.
		9	# Ce programme est distribué dans l'espoir qu'il sera utile, mais SANS AUCUNE GARANTIE ;
		10	# sans même une garantie implicite de COMMERCIABILITE ou DE CONFORMITE A UNE UTILISATION PARTICULIERE.
		11	# Voir la Licence Publique Générale GNU pour plus de détails.
		12
967	franck	13	# team@alcasar.net
959	franck	14
1	root	15	# by Franck BOUIJOUX, Pascal LEVANT and Richard REY
		16	# This script is distributed under the Gnu General Public License (GPL)
		17
672	richard	18	# Script d'installation d'ALCASAR (Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau)
1007	richard	19	# ALCASAR est architecturé autour d'une distribution Linux Mageia minimaliste et les logiciels libres suivants :
1	root	20	# Install script for ALCASAR (a secured and authenticated Internet access control captive portal)
1534	richard	21	# ALCASAR is based on a stripped Mageia (LSB) with the following open source softwares :
		22	# Coovachilli, freeradius, mariaDB, apache, netfilter, dansguardian, ntpd, openssl, dnsmasq, gammu, havp, libclamav, Ulog, fail2ban, tinyproxy, NFsen and NFdump
1	root	23
		24	# Options :
376	franck	25	# -i or --install
		26	# -u or --uninstall
1	root	27
376	franck	28	# Functions :
1378	richard	29	# testing : connectivity tests, free space test and mageia version test
1221	richard	30	# init : Installation of RPM and scripts
		31	# network : Network parameters
		32	# ACC : ALCASAR Control Center installation
		33	# CA : Certification Authority initialization
		34	# init_db : Initilization of radius database managed with MariaDB
1389	richard	35	# radius : FreeRadius initialisation
		36	# radius_web : copy ans modifiy original "freeradius web" in ACC
		37	# chilli : coovachilli initialisation (+authentication page)
		38	# dansguardian : DansGuardian filtering HTTP proxy configuration
1221	richard	39	# antivirus : HAVP + libclamav configuration
1485	richard	40	# tinyproxy : little proxy for user filtered with "WL + antivirus" and "antivirus"
1389	richard	41	# ulogd : log system in userland (match NFLOG target of iptables)
		42	# nfsen : : Configuration du grapheur nfsen pour apache
1253	richard	43	# dnsmasq : Name server configuration
1541	richard	44	# vnstat : little network stat daemon
1253	richard	45	# BL : BlackList of Toulouse configuration : split into 3 BL (for Dnsmasq, for dansguardian and for Netfilter)
1266	richard	46	# cron : Logs export + watchdog + connexion statistics
1389	richard	47	# fail2ban : Fail2ban IDS installation and configuration
		48	# gammu_smsd : Autoregister addon via SMS (gammu-smsd)
1266	richard	49	# post_install : Security, log rotation, etc.
1	root	50
		51	DATE=`date '+%d %B %Y - %Hh%M'`
		52	DATE_SHORT=`date '+%d/%m/%Y'`
595	richard	53	Lang=`echo $LANG\|cut -c 1-2`
1362	richard	54	mode="install"
1	root	55	# ***** Files parameters - paramètres fichiers *******
1015	richard	56	DIR_INSTALL=`pwd` # current directory
		57	DIR_CONF="$DIR_INSTALL/conf" # install directory (with conf files)
		58	DIR_SCRIPTS="$DIR_INSTALL/scripts" # install directory (with script files)
1564	richard	59	DIR_SAVE="/var/Save" # backup directory (traceability_log, user_db, security_log)
1015	richard	60	DIR_WEB="/var/www/html" # directory of APACHE
		61	DIR_DG="/etc/dansguardian" # directory of DansGuardian
		62	DIR_ACC="$DIR_WEB/acc" # directory of the 'ALCASAR Control Center'
		63	DIR_DEST_BIN="/usr/local/bin" # directory of ALCASAR scripts
		64	DIR_DEST_SBIN="/usr/local/sbin" # directory of ALCASAR admin scripts
		65	DIR_DEST_ETC="/usr/local/etc" # directory of ALCASAR conf files
		66	DIR_DEST_SHARE="/usr/local/share" # directory of share files used by ALCASAR (dnsmasq for instance)
		67	CONF_FILE="$DIR_DEST_ETC/alcasar.conf" # central ALCASAR conf file
		68	PASSWD_FILE="/root/ALCASAR-passwords.txt" # text file with the passwords and shared secrets
1	root	69	# ***** DBMS parameters - paramètres SGBD ******
1243	richard	70	DB_RADIUS="radius" # database name used by FreeRadius server
		71	DB_USER="radius" # user name allows to request the users database
1349	richard	72	DB_GAMMU="gammu" # database name used by Gammu-smsd
1	root	73	# ***** Network parameters - paramètres réseau *****
1469	richard	74	HOSTNAME="alcasar" # default hostname
1243	richard	75	DOMAIN="localdomain" # default local domain
1471	richard	76	EXTIF=`/sbin/ip route\|grep default\|cut -d" " -f5` # EXTIF is connected to the ISP broadband modem/router (In France : Box-FAI)
1507	richard	77	INTIF=`/sbin/ip link\|grep '^[[:digit:]]:'\|grep -v "lo\\|$EXTIF\\|tun0"\|cut -d" " -f2\|tr -d ":"` # INTIF is connected to the consultation network
1148	crox53	78	MTU="1500"
1243	richard	79	DEFAULT_PRIVATE_IP_MASK="192.168.182.1/24" # Default ALCASAR IP address
1	root	80	# **** Paths - chemin des commandes *****
		81	SED="/bin/sed -i"
		82	# **************** End of global parameters *******************
		83
959	franck	84	license ()
		85	{
		86	if [ $Lang == "fr" ]
1538	richard	87	then
		88	cat $DIR_INSTALL/gpl-warning.fr.txt \| more
		89	else
		90	cat $DIR_INSTALL/gpl-warning.txt \| more
959	franck	91	fi
1538	richard	92	response=0
		93	PTN='^[oOyYnN]$'
		94	until [[ $(expr $response : $PTN) -gt 0 ]]
		95	do
		96	if [ $Lang == "fr" ]
1563	franck	97	then echo -n "Acceptez-vous les termes de cette licence (O/n)? : "
1538	richard	98	else echo -n "Do you accept the terms of this license (Y/n)? : "
		99	fi
		100	read response
		101	done
		102	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		103	then
		104	exit 1
		105	fi
959	franck	106	}
		107
1	root	108	header_install ()
		109	{
		110	clear
		111	echo "-----------------------------------------------------------------------------"
460	richard	112	echo " ALCASAR V$VERSION Installation"
1	root	113	echo "Application Libre pour le Contrôle d'Accès Sécurisé et Authentifié au Réseau"
		114	echo "-----------------------------------------------------------------------------"
1389	richard	115	}
1	root	116
		117	##################################################################
1221	richard	118	## Function "testing" ##
1378	richard	119	## - Test of Mageia version ##
1529	richard	120	## - Test of ALCASAR version (if already installed) ##
1342	richard	121	## - Test of free space on /var (>10G) ##
1005	richard	122	## - Test of Internet access ##
29	richard	123	##################################################################
		124	testing ()
		125	{
1529	richard	126	# Test of Mageia version
		127	# extract the current Mageia version and hardware architecture (i586 ou X64)
		128	fic=`cat /etc/product.id`
		129	unknown_os=0
		130	old="$IFS"
		131	IFS=","
		132	set $fic
		133	for i in $*
		134	do
		135	if [ "`echo $i\|grep distribution\|cut -d'=' -f1`" == "distribution" ]
		136	then
		137	DISTRIBUTION=`echo $i\|cut -d"=" -f2`
		138	unknown_os=`expr $unknown_os + 1`
		139	fi
		140	if [ "`echo $i\|grep version\|cut -d'=' -f1`" == "version" ]
		141	then
		142	CURRENT_VERSION=`echo $i\|cut -d"=" -f2`
		143	unknown_os=`expr $unknown_os + 1`
		144	fi
		145	if [ "`echo $i\|grep arch\|cut -d'=' -f1`" == "arch" ]
		146	then
		147	ARCH=`echo $i\|cut -d"=" -f2`
		148	unknown_os=`expr $unknown_os + 1`
		149	fi
		150	done
		151	IFS="$old"
1362	richard	152	# Test if ALCASAR is already installed
		153	if [ -e $CONF_FILE ]
		154	then
		155	current_version=`cat $CONF_FILE \| grep VERSION \| cut -d"=" -f2`
1342	richard	156	if [ $Lang == "fr" ]
1362	richard	157	then echo -n "La version "; echo -n $current_version ; echo " d'ALCASAR est déjà installée";
		158	else echo -n "ALCASAR Version "; echo -n $current_version ; echo " is already installed";
1342	richard	159	fi
1362	richard	160	response=0
		161	PTN='^[oOnNyY]$'
		162	until [[ $(expr $response : $PTN) -gt 0 ]]
		163	do
		164	if [ $Lang == "fr" ]
		165	then echo -n "Voulez-vous effectuer une mise à jour (O/n)? ";
		166	else echo -n "Do you want to update (Y/n)?";
		167	fi
		168	read response
		169	done
		170	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		171	then
		172	rm -f /tmp/alcasar-conf*
		173	else
1564	richard	174	# Create the current conf file
1362	richard	175	$DIR_SCRIPTS/alcasar-conf.sh --create
		176	mode="update"
		177	fi
1529	richard	178	fi
		179	if [[ ( $unknown_os != 3 ) \|\| ("$DISTRIBUTION" != "Mageia" ) \|\| ( "$CURRENT_VERSION" != "4" ) ]]
		180	then
		181	if [ -e /tmp/alcasar-conf.tar.gz ] # update
1365	richard	182	then
1529	richard	183	echo
1378	richard	184	if [ $Lang == "fr" ]
		185	then
1529	richard	186	echo "La mise à jour automatique d'ALCASAR ne peut pas être réalisée."
		187	echo "1 - Récupérez le fichier de configuration actuel (/tmp/alcasar-conf.tar.gz)."
1564	richard	188	echo "2 - Installez Linux-Mageia 4.1 (cf. doc d'installation)"
1529	richard	189	echo "3 - recopiez le fichier 'alcasar-conf.tar.gz' dans le répertoire '/tmp' avant de lancer l'installation d'ALCASAR"
1378	richard	190	else
		191	echo "The automatic update of ALCASAR can't be performed."
1529	richard	192	echo "1 - Retrieve the configuration file (/tmp/alcasar-conf.tar.gz)"
1564	richard	193	echo "2 - Install Linux-Mageia 4.1 (cf. installation doc)"
1529	richard	194	echo "3 - Copy again the file 'alcasar-conf.tar.gz' in the folder '/tmp' before launching the installation of ALCASAR"
1378	richard	195	fi
1529	richard	196	else
		197	if [ $Lang == "fr" ]
		198	then
		199	echo "L'installation d'ALCASAR ne peut pas être réalisée."
		200	else
		201	echo "The installation of ALCASAR can't be performed."
1378	richard	202	fi
		203	fi
1529	richard	204	echo
		205	if [ $Lang == "fr" ]
		206	then
		207	echo "Le système d'exploitation doit être remplacé (Mageia4.1)"
		208	else
		209	echo "The OS must be replaced (Mageia4.1)"
		210	fi
		211	exit 0
1342	richard	212	fi
1529	richard	213	if [ ! -d /var/log/netflow/porttracker ]
		214	then
		215	# Test of free space on /var
		216	free_space=`df -BG --output=avail /var\|tail -1\|tr -d [:space:]G`
		217	if [ $free_space -lt 10 ]
		218	then
		219	if [ $Lang == "fr" ]
		220	then echo "place disponible sur /var insufisante ($free_space Go au lieu de 10 Go au minimum)"
		221	else echo "not enough free space on /var ($free_space GB instead of at least 10 GB)"
		222	fi
		223	exit 0
		224	fi
		225	fi
1378	richard	226	if [ $Lang == "fr" ]
784	richard	227	then echo -n "Tests des paramètres réseau : "
595	richard	228	else echo -n "Network parameters tests : "
		229	fi
1471	richard	230	# Test of Ethernet links state
		231	DOWN_IF=`/sbin/ip link\|grep "NO-CARRIER"\|cut -d":" -f2\|tr -d " "`
		232	for i in $DOWN_IF
		233	do
		234	if [ $Lang == "fr" ]
		235	then
		236	echo "Échec"
		237	echo "Le lien réseau de la carte $i n'est pas actif."
		238	echo "Assurez-vous que cette carte est bien connectée à un équipement (commutateur, A.P., etc.)"
		239	else
		240	echo "Failed"
		241	echo "The link state of $i interface is down."
		242	echo "Make sure that this network card is connected to a switch or an A.P."
		243	fi
		244	exit 0
		245	done
		246	echo -n "."
		247
		248	# Test EXTIF config files
1499	richard	249	PUBLIC_IP_MASK=`ip addr show $EXTIF\|grep "inet "\|cut -d" " -f6`
		250	PUBLIC_IP=`echo $PUBLIC_IP_MASK \| cut -d"/" -f1`
		251	PUBLIC_GATEWAY=`ip route list\|grep ^default\|cut -d" " -f3`
1471	richard	252	if [ `echo $PUBLIC_IP\|wc -c` -lt 7 ] \|\| [ `echo $PUBLIC_GATEWAY\|wc -c` -lt 7 ]
		253	then
784	richard	254	if [ $Lang == "fr" ]
		255	then
		256	echo "Échec"
		257	echo "La carte réseau connectée à Internet ($EXTIF) n'est pas correctement configurée."
		258	echo "Renseignez les champs suivants dans le fichier '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	259	echo "Appliquez les changements : 'systemctl restart network'"
784	richard	260	else
		261	echo "Failed"
		262	echo "The Internet connected network card ($EXTIF) isn't well configured."
		263	echo "The folowing parametres must be set in the file '/etc/sysconfig/network-scripts/ifcfg-$EXTIF' :"
1362	richard	264	echo "Apply the new configuration 'systemctl restart network'"
784	richard	265	fi
830	richard	266	echo "DEVICE=$EXTIF"
784	richard	267	echo "IPADDR="
		268	echo "NETMASK="
		269	echo "GATEWAY="
		270	echo "DNS1="
		271	echo "DNS2="
830	richard	272	echo "ONBOOT=yes"
784	richard	273	exit 0
		274	fi
		275	echo -n "."
1471	richard	276
		277	# Test if router is alive (Box FAI)
784	richard	278	if [ `ip route list\|grep -c ^default` -ne "1" ] ; then
595	richard	279	if [ $Lang == "fr" ]
		280	then
		281	echo "Échec"
		282	echo "Vous n'avez pas configuré l'accès à Internet ou le câble réseau n'est pas sur la bonne carte."
		283	echo "Réglez ce problème puis relancez ce script."
		284	else
		285	echo "Failed"
		286	echo "You haven't configured Internet access or Internet link is on the wrong Ethernet card"
		287	echo "Resolv this problem, then restart this script."
		288	fi
29	richard	289	exit 0
		290	fi
308	richard	291	echo -n "."
978	franck	292	# On teste le lien vers le routeur par defaut
1499	richard	293	arp_reply=`/usr/sbin/arping -b -I$EXTIF -c1 -w2 $PUBLIC_GATEWAY\|grep response\|cut -d" " -f2`
527	richard	294	if [ $(expr $arp_reply) -eq 0 ]
308	richard	295	then
595	richard	296	if [ $Lang == "fr" ]
		297	then
		298	echo "Échec"
1499	richard	299	echo "Le routeur de site ou la Box Internet ($PUBLIC_GATEWAY) ne répond pas."
595	richard	300	echo "Réglez ce problème puis relancez ce script."
		301	else
		302	echo "Failed"
		303	echo "The Internet gateway doesn't answered"
		304	echo "Resolv this problem, then restart this script."
		305	fi
308	richard	306	exit 0
		307	fi
		308	echo -n "."
421	franck	309	# On teste la connectivité Internet
29	richard	310	rm -rf /tmp/con_ok.html
308	richard	311	/usr/bin/curl www.google.fr -s -o /tmp/con_ok.html
29	richard	312	if [ ! -e /tmp/con_ok.html ]
		313	then
595	richard	314	if [ $Lang == "fr" ]
		315	then
		316	echo "La tentative de connexion vers Internet a échoué (google.fr)."
		317	echo "Vérifiez que la carte $EXTIF est bien connectée au routeur du FAI."
		318	echo "Vérifiez la validité des adresses IP des DNS."
		319	else
		320	echo "The Internet connection try failed (google.fr)."
		321	echo "Please, verify that the $EXTIF card is connected with the Internet gateway."
		322	echo "Verify the DNS IP addresses"
		323	fi
29	richard	324	exit 0
		325	fi
		326	rm -rf /tmp/con_ok.html
308	richard	327	echo ". : ok"
1389	richard	328	} # end of testing ()
302	richard	329
		330	##################################################################
1221	richard	331	## Function "init" ##
302	richard	332	## - Création du fichier "/root/ALCASAR_parametres.txt" ##
		333	## - Installation et modification des scripts du portail ##
		334	##################################################################
		335	init ()
		336	{
527	richard	337	if [ "$mode" != "update" ]
302	richard	338	then
		339	# On affecte le nom d'organisme
597	richard	340	header_install
302	richard	341	ORGANISME=!
		342	PTN='^[a-zA-Z0-9-]*$'
580	richard	343	until [[ $(expr $ORGANISME : $PTN) -gt 0 ]]
302	richard	344	do
595	richard	345	if [ $Lang == "fr" ]
597	richard	346	then echo -n "Entrez le nom de votre organisme : "
		347	else echo -n "Enter the name of your organism : "
595	richard	348	fi
330	franck	349	read ORGANISME
613	richard	350	if [ "$ORGANISME" == "" ]
330	franck	351	then
		352	ORGANISME=!
		353	fi
		354	done
302	richard	355	fi
1	root	356	# On crée aléatoirement les mots de passe et les secrets partagés
628	richard	357	rm -f $PASSWD_FILE
1350	richard	358	grubpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
		359	echo -n "Password to protect the GRUB boot menu (!!!qwerty keyboard) : " > $PASSWD_FILE
628	richard	360	echo "$grubpwd" >> $PASSWD_FILE
1348	richard	361	md5_grubpwd=`/usr/bin/openssl passwd -1 $grubpwd`
384	richard	362	$SED "/^password.*/d" /boot/grub/menu.lst
		363	$SED "1ipassword --md5 $md5_grubpwd" /boot/grub/menu.lst
1350	richard	364	mysqlpwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	365	echo -n "Name and password of Mysql/mariadb administrator : " >> $PASSWD_FILE
628	richard	366	echo "root / $mysqlpwd" >> $PASSWD_FILE
1350	richard	367	radiuspwd=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
1003	richard	368	echo -n "Name and password of Mysql/mariadb user : " >> $PASSWD_FILE
628	richard	369	echo "$DB_USER / $radiuspwd" >> $PASSWD_FILE
1350	richard	370	secretuam=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	371	echo -n "Shared secret between the script 'intercept.php' and coova-chilli : " >> $PASSWD_FILE
		372	echo "$secretuam" >> $PASSWD_FILE
1350	richard	373	secretradius=`cat /dev/urandom \| tr -dc [:alnum:] \| head -c8`
628	richard	374	echo -n "Shared secret between coova-chilli and FreeRadius : " >> $PASSWD_FILE
		375	echo "$secretradius" >> $PASSWD_FILE
		376	chmod 640 $PASSWD_FILE
977	richard	377	# Scripts and conf files copy
		378	# - in /usr/local/bin : alcasar-{CA.sh,conf.sh,import-clean.sh,iptables-bypass.sh,iptables.sh,log.sh,watchdog.sh}
5	franck	379	cp -f $DIR_SCRIPTS/alcasar* $DIR_DEST_BIN/. ; chown root:root $DIR_DEST_BIN/alcasar* ; chmod 740 $DIR_DEST_BIN/alcasar*
977	richard	380	# - in /usr/local/sbin : alcasar-{bl.sh,bypass.sh,dateLog.sh,havp.sh,logout.sh,mysql.sh,nf.sh,profil.sh,uninstall.sh,version-list.sh,load-balancing.sh}
5	franck	381	cp -f $DIR_SCRIPTS/sbin/alcasar* $DIR_DEST_SBIN/. ; chown root:root $DIR_DEST_SBIN/alcasar* ; chmod 740 $DIR_DEST_SBIN/alcasar*
977	richard	382	# - in /usr/local/etc : alcasar-{bl-categories-enabled,dns-name,iptables-local.sh,services}
648	richard	383	cp -f $DIR_CONF/etc/alcasar* $DIR_DEST_ETC/. ; chown root:apache $DIR_DEST_ETC/alcasar* ; chmod 660 $DIR_DEST_ETC/alcasar*
1	root	384	$SED "s?^radiussecret.*?radiussecret=\"$secretradius\"?g" $DIR_DEST_SBIN/alcasar-logout.sh
		385	$SED "s?^DB_RADIUS=.*?DB_RADIUS=\"$DB_RADIUS\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh
5	franck	386	$SED "s?^DB_USER=.*?DB_USER=\"$DB_USER\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
		387	$SED "s?^radiuspwd=.*?radiuspwd=\"$radiuspwd\"?g" $DIR_DEST_SBIN/alcasar-mysql.sh $DIR_DEST_BIN/alcasar-conf.sh
628	richard	388	# generate central conf file
		389	cat <<EOF > $CONF_FILE
612	richard	390	##########################################
		391	## ##
		392	## ALCASAR Parameters ##
		393	## ##
		394	##########################################
1	root	395
612	richard	396	INSTALL_DATE=$DATE
		397	VERSION=$VERSION
		398	ORGANISM=$ORGANISME
923	franck	399	DOMAIN=$DOMAIN
612	richard	400	EOF
628	richard	401	chmod o-rwx $CONF_FILE
1	root	402	} # End of init ()
		403
		404	##################################################################
1221	richard	405	## Function "network" ##
1	root	406	## - Définition du plan d'adressage du réseau de consultation ##
595	richard	407	## - Nommage DNS du système ##
1336	richard	408	## - Configuration de l'interface INTIF (réseau de consultation)##
1	root	409	## - Modification du fichier /etc/hosts ##
		410	## - Configuration du serveur de temps (NTP) ##
		411	## - Renseignement des fichiers hosts.allow et hosts.deny ##
		412	##################################################################
		413	network ()
		414	{
		415	header_install
636	richard	416	if [ "$mode" != "update" ]
		417	then
		418	if [ $Lang == "fr" ]
		419	then echo "Par défaut, l'adresse IP d'ALCASAR sur le réseau de consultation est : $DEFAULT_PRIVATE_IP_MASK"
		420	else echo "The default ALCASAR IP address on consultation network is : $DEFAULT_PRIVATE_IP_MASK"
		421	fi
		422	response=0
		423	PTN='^[oOyYnN]$'
		424	until [[ $(expr $response : $PTN) -gt 0 ]]
1	root	425	do
595	richard	426	if [ $Lang == "fr" ]
659	richard	427	then echo -n "Voulez-vous utiliser cette adresse et ce plan d'adressage (recommandé) (O/n)? : "
618	richard	428	else echo -n "Do you want to use this IP address and this IP addressing plan (recommanded) (Y/n)? : "
595	richard	429	fi
1	root	430	read response
		431	done
636	richard	432	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		433	then
		434	PRIVATE_IP_MASK="0"
		435	PTN='^$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$.$[01]\?[[:digit:]][[:digit:]]\?\\|2[0-4][[:digit:]]\\|25[0-5]$/[012]\?[[:digit:]]$'
		436	until [[ $(expr $PRIVATE_IP_MASK : $PTN) -gt 0 ]]
1	root	437	do
595	richard	438	if [ $Lang == "fr" ]
597	richard	439	then echo -n "Entrez l'adresse IP d'ALCASAR au format CIDR (a.b.c.d/xx) : "
		440	else echo -n "Enter ALCASAR IP address in CIDR format (a.b.c.d/xx) : "
595	richard	441	fi
597	richard	442	read PRIVATE_IP_MASK
1	root	443	done
636	richard	444	else
		445	PRIVATE_IP_MASK=$DEFAULT_PRIVATE_IP_MASK
		446	fi
595	richard	447	else
637	richard	448	PRIVATE_IP_MASK=`grep PRIVATE_IP conf/etc/alcasar.conf\|cut -d"=" -f2`
		449	rm -rf conf/etc/alcasar.conf
1	root	450	fi
861	richard	451	# Define LAN side global parameters
1243	richard	452	hostname $HOSTNAME.$DOMAIN
		453	echo $HOSTNAME.$DOMAIN > /etc/hostname
977	richard	454	PRIVATE_NETWORK=`/bin/ipcalc -n $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network address (ie.: 192.168.182.0)
1499	richard	455	private_network_ending=`echo $PRIVATE_NETWORK \| cut -d"." -f4` # last octet of LAN address
977	richard	456	PRIVATE_NETMASK=`/bin/ipcalc -m $PRIVATE_IP_MASK \| cut -d"=" -f2` # private network mask (ie.: 255.255.255.0)
1499	richard	457	PRIVATE_PREFIX=`/bin/ipcalc -p $PRIVATE_IP_MASK \|cut -d"=" -f2` # network prefix (ie. 24)
977	richard	458	PRIVATE_IP=`echo $PRIVATE_IP_MASK \| cut -d"/" -f1` # ALCASAR private ip address (consultation LAN side)
1499	richard	459	if [ $PRIVATE_IP == $PRIVATE_NETWORK ] # when entering network address instead of ip address
		460	then
		461	PRIVATE_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1`
		462	PRIVATE_IP_MASK=`echo $PRIVATE_IP/$PRIVATE_PREFIX`
		463	fi
		464	private_ip_ending=`echo $PRIVATE_IP \| cut -d"." -f4` # last octet of LAN address
		465	PRIVATE_SECOND_IP=`echo $PRIVATE_IP \| cut -d"." -f1-3`"."`expr $private_ip_ending + 1` # second network address (ex.: 192.168.182.2)
977	richard	466	PRIVATE_NETWORK_MASK=$PRIVATE_NETWORK/$PRIVATE_PREFIX # ie.: 192.168.182.0/24
1499	richard	467	classe=$((PRIVATE_PREFIX/8)) # ie.: 2=classe B, 3=classe C
977	richard	468	PRIVATE_NETWORK_SHORT=`echo $PRIVATE_NETWORK \| cut -d"." -f1-$classe`. # compatibility with hosts.allow et hosts.deny (ie.: 192.168.182.)
		469	PRIVATE_BROADCAST=`/bin/ipcalc -b $PRIVATE_NETWORK_MASK \| cut -d"=" -f2` # private network broadcast (ie.: 192.168.182.255)
1499	richard	470	private_broadcast_ending=`echo $PRIVATE_BROADCAST \| cut -d"." -f4` # last octet of LAN broadcast
		471	PRIVATE_FIRST_IP=`echo $PRIVATE_NETWORK \| cut -d"." -f1-3`"."`expr $private_network_ending + 1` # First network address (ex.: 192.168.182.1)
837	richard	472	PRIVATE_LAST_IP=`echo $PRIVATE_BROADCAST \| cut -d"." -f1-3`"."`expr $private_broadcast_ending - 1` # last network address (ex.: 192.168.182.254)
1336	richard	473	PRIVATE_MAC=`/sbin/ip link show $INTIF \| grep ether \| cut -d" " -f6` # MAC address of INTIF
841	richard	474	# Define Internet parameters
1499	richard	475	DNS1=`grep ^nameserver /etc/resolv.conf\|cut -d" " -f2\|head -n 1` # 1st DNS server
		476	nb_dns=`grep ^nameserver /etc/resolv.conf\|wc -l`
		477	if [ $nb_dns == 2 ]
		478	then
		479	DNS2=`grep ^nameserver /etc/resolv.conf\|cut -d" " -f2\|tail -n 1` # 2nd DNS server (if exist)
		480	fi
70	franck	481	DNS1=${DNS1:=208.67.220.220}
		482	DNS2=${DNS2:=208.67.222.222}
1499	richard	483	PUBLIC_NETMASK=`/bin/ipcalc -m $PUBLIC_IP_MASK \| cut -d"=" -f2`
1052	richard	484	PUBLIC_PREFIX=`/bin/ipcalc -p $PUBLIC_IP $PUBLIC_NETMASK\|cut -d"=" -f2`
1069	richard	485	PUBLIC_NETWORK=`/bin/ipcalc -n $PUBLIC_IP/$PUBLIC_PREFIX\|cut -d"=" -f2`
1499	richard	486	# Wrtie the conf file
1469	richard	487	echo "EXTIF=$EXTIF" >> $CONF_FILE
		488	echo "INTIF=$INTIF" >> $CONF_FILE
1499	richard	489	IP_SETTING=`grep BOOTPROTO /etc/sysconfig/network-scripts/ifcfg-$EXTIF\|cut -d"=" -f2` # IP setting (static or dynamic)
		490	if [ $IP_SETTING == "dhcp" ]
		491	then
		492	echo "PUBLIC_IP=dhcp" >> $CONF_FILE
		493	echo "GW=dhcp" >> $CONF_FILE
		494	else
		495	echo "PUBLIC_IP=$PUBLIC_IP/$PUBLIC_PREFIX" >> $CONF_FILE
		496	echo "GW=$PUBLIC_GATEWAY" >> $CONF_FILE
		497	fi
994	franck	498	echo "PUBLIC_MTU=$MTU" >> $CONF_FILE
628	richard	499	echo "DNS1=$DNS1" >> $CONF_FILE
		500	echo "DNS2=$DNS2" >> $CONF_FILE
		501	echo "PRIVATE_IP=$PRIVATE_IP_MASK" >> $CONF_FILE
1484	richard	502	echo "DHCP=on" >> $CONF_FILE
914	franck	503	echo "EXT_DHCP_IP=none" >> $CONF_FILE
		504	echo "RELAY_DHCP_IP=none" >> $CONF_FILE
		505	echo "RELAY_DHCP_PORT=none" >> $CONF_FILE
1488	richard	506	echo "PROTOCOLS_FILTERING=off" >> $CONF_FILE
1499	richard	507	# network default
597	richard	508	[ -e /etc/sysconfig/network.default ] \|\| cp /etc/sysconfig/network /etc/sysconfig/network.default
1	root	509	cat <<EOF > /etc/sysconfig/network
		510	NETWORKING=yes
1243	richard	511	HOSTNAME="$HOSTNAME.$DOMAIN"
1	root	512	FORWARD_IPV4=true
		513	EOF
1499	richard	514	# /etc/hosts config
1	root	515	[ -e /etc/hosts.default ] \|\| cp /etc/hosts /etc/hosts.default
		516	cat <<EOF > /etc/hosts
503	richard	517	127.0.0.1 localhost
1353	richard	518	$PRIVATE_IP $HOSTNAME.$DOMAIN $HOSTNAME $ORGANISME.$DOMAIN $ORGANISME
1	root	519	EOF
1499	richard	520	# EXTIF (Internet) config
		521	[ -e /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF ] \|\| cp /etc/sysconfig/network-scripts/ifcfg-$EXTIF /etc/sysconfig/network-scripts/default-ifcfg-$EXTIF
		522	if [ $IP_SETTING == "dhcp" ]
		523	then
		524	$SED "s?^RESOLV_MODS=.*?RESOLV_MODS=yes?g" /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		525	$SED "s?^PEERDNS=.*?PEERDNS=no?g" /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		526	echo "DNS1=127.0.0.1" >> /etc/sysconfig/network-scripts/ifcfg-$EXTIF
		527	else
		528	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$EXTIF
14	richard	529	DEVICE=$EXTIF
		530	BOOTPROTO=static
597	richard	531	IPADDR=$PUBLIC_IP
		532	NETMASK=$PUBLIC_NETMASK
		533	GATEWAY=$PUBLIC_GATEWAY
14	richard	534	DNS1=127.0.0.1
1499	richard	535	RESOLV_MODS=yes
14	richard	536	ONBOOT=yes
		537	METRIC=10
		538	MII_NOT_SUPPORTED=yes
		539	IPV6INIT=no
		540	IPV6TO4INIT=no
		541	ACCOUNTING=no
		542	USERCTL=no
994	franck	543	MTU=$MTU
14	richard	544	EOF
1499	richard	545	fi
1336	richard	546	# Config INTIF (consultation LAN) in normal mode
841	richard	547	cat <<EOF > /etc/sysconfig/network-scripts/ifcfg-$INTIF
		548	DEVICE=$INTIF
		549	BOOTPROTO=static
		550	ONBOOT=yes
		551	NOZEROCONF=yes
		552	MII_NOT_SUPPORTED=yes
		553	IPV6INIT=no
		554	IPV6TO4INIT=no
		555	ACCOUNTING=no
		556	USERCTL=no
1552	richard	557	ETHTOOL_OPTS="autoneg off speed 100 duplex full"
841	richard	558	EOF
1558	richard	559	cp -f /etc/sysconfig/network-scripts/ifcfg-$INTIF /etc/sysconfig/network-scripts/default-ifcfg-$INTIF
1336	richard	560	# Config of INTIF in bypass mode (see "alcasar-bypass.sh")
1554	richard	561	cat <<EOF > /etc/sysconfig/network-scripts/bypass-ifcfg-$INTIF
1	root	562	DEVICE=$INTIF
		563	BOOTPROTO=static
		564	IPADDR=$PRIVATE_IP
604	richard	565	NETMASK=$PRIVATE_NETMASK
1	root	566	ONBOOT=yes
		567	METRIC=10
		568	NOZEROCONF=yes
		569	MII_NOT_SUPPORTED=yes
14	richard	570	IPV6INIT=no
		571	IPV6TO4INIT=no
		572	ACCOUNTING=no
		573	USERCTL=no
1554	richard	574	ETHTOOL_OPTS="autoneg off speed 100 duplex full"
1	root	575	EOF
440	franck	576	# Mise à l'heure du serveur
		577	[ -e /etc/ntp/step-tickers.default ] \|\| cp /etc/ntp/step-tickers /etc/ntp/step-tickers.default
		578	cat <<EOF > /etc/ntp/step-tickers
455	franck	579	0.fr.pool.ntp.org # adapt to your country
		580	1.fr.pool.ntp.org
		581	2.fr.pool.ntp.org
440	franck	582	EOF
		583	# Configuration du serveur de temps (sur lui même)
1	root	584	[ -e /etc/ntp.conf.default ] \|\| cp /etc/ntp.conf /etc/ntp.conf.default
		585	cat <<EOF > /etc/ntp.conf
456	franck	586	server 0.fr.pool.ntp.org # adapt to your country
447	franck	587	server 1.fr.pool.ntp.org
		588	server 2.fr.pool.ntp.org
		589	server 127.127.1.0 # local clock si NTP internet indisponible ...
411	richard	590	fudge 127.127.1.0 stratum 10
604	richard	591	restrict $PRIVATE_NETWORK mask $PRIVATE_NETMASK nomodify notrap
1	root	592	restrict 127.0.0.1
310	richard	593	driftfile /var/lib/ntp/drift
1	root	594	logfile /var/log/ntp.log
		595	EOF
440	franck	596
310	richard	597	chown -R ntp:ntp /var/lib/ntp
1	root	598	# Renseignement des fichiers hosts.allow et hosts.deny
		599	[ -e /etc/hosts.allow.default ] \|\| cp /etc/hosts.allow /etc/hosts.allow.default
		600	cat <<EOF > /etc/hosts.allow
		601	ALL: LOCAL, 127.0.0.1, localhost, $PRIVATE_IP
604	richard	602	sshd: ALL
1	root	603	ntpd: $PRIVATE_NETWORK_SHORT
		604	EOF
		605	[ -e /etc/host.deny.default ] \|\| cp /etc/hosts.deny /etc/hosts.deny.default
		606	cat <<EOF > /etc/hosts.deny
		607	ALL: ALL: spawn ( /bin/echo "service %d demandé par %c" \| /bin/mail -s "Tentative d'accès au service %d par %c REFUSE !!!" security ) &
		608	EOF
790	richard	609	chmod o+r $DIR_DEST_BIN/alcasar-iptables.sh #lecture possible pour apache (interface php du filtrage réseau)
860	richard	610	# create the ip_blocked file with a first line (LAN between ALCASAR and the Internet GW)
1069	richard	611	echo "#$PUBLIC_NETWORK/$PUBLIC_PREFIX LAN-ALCASAR-BOX" > $DIR_DEST_ETC/alcasar-ip-blocked
790	richard	612	# load conntrack ftp module
		613	[ -e /etc/modprobe.preload.default ] \|\| cp /etc/modprobe.preload /etc/modprobe.preload.default
		614	echo "ip_conntrack_ftp" >> /etc/modprobe.preload
1159	crox53	615	# load ipt_NETFLOW module
		616	echo "ipt_NETFLOW" >> /etc/modprobe.preload
1513	richard	617	# modify iptables service files (start with "alcasar-iptables.sh" and stop with flush)
		618	[ -e /lib/systemd/system/iptables.service.default ] \|\| cp /lib/systemd/system/iptables.service /lib/systemd/system/iptables.service.default
		619	$SED 's/ExecStart=\/usr\/libexec\/iptables.init start/ExecStart=\/usr\/local\/bin\/alcasar-iptables.sh/' /lib/systemd/system/iptables.service
		620	[ -e /usr/libexec/iptables.init.default ] \|\| cp /usr/libexec/iptables.init /usr/libexec/iptables.init.default
1515	richard	621	$SED "s?\[ -f \$IPTABLES_CONFIG \] .*?#&?" /usr/libexec/iptables.init # comment the test in order the stop function run (fluxh all rules & policies)
1157	stephane	622	#
860	richard	623	# the script "$DIR_DEST_BIN/alcasar-iptables.sh" is launched at the end in order to allow update via ssh
1	root	624	} # End of network ()
		625
		626	##################################################################
1221	richard	627	## Function "ACC" ##
		628	## - installation du centre de gestion (ALCASAR Control Center) ##
1	root	629	## - configuration du serveur web (Apache) ##
		630	## - définition du 1er comptes de gestion ##
		631	## - sécurisation des accès ##
		632	##################################################################
1221	richard	633	ACC ()
1	root	634	{
		635	[ -d $DIR_WEB ] && rm -rf $DIR_WEB
		636	mkdir $DIR_WEB
		637	# Copie et configuration des fichiers du centre de gestion
316	richard	638	cp -rf $DIR_INSTALL/web/* $DIR_WEB/
972	richard	639	echo "$VERSION" > $DIR_WEB/VERSION
316	richard	640	$SED "s?99/99/9999?$DATE_SHORT?g" $DIR_ACC/menu.php
		641	$SED "s?\$DB_RADIUS = .*?\$DB_RADIUS = \"$DB_RADIUS\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		642	$SED "s?\$DB_USER = .*?\$DB_USER = \"$DB_USER\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		643	$SED "s?\$radiuspwd = .*?\$radiuspwd = \"$radiuspwd\"\;?g" $DIR_ACC/phpsysinfo/includes/xml/portail.php
		644	chmod 640 $DIR_ACC/phpsysinfo/includes/xml/portail.php
5	franck	645	chown -R apache:apache $DIR_WEB/*
1489	richard	646	# create the backup structure :
		647	# - base = users database
		648	# - archive = tarball of "base + http firewall + netflow"
		649	# - security = watchdog disconnection)
1564	richard	650	for i in base archive security;
1	root	651	do
		652	[ -d $DIR_SAVE/$i ] \|\| mkdir -p $DIR_SAVE/$i
		653	done
5	franck	654	chown -R root:apache $DIR_SAVE
71	richard	655	# Configuration et sécurisation php
		656	[ -e /etc/php.ini.default ] \|\| cp /etc/php.ini /etc/php.ini.default
534	richard	657	timezone=`cat /etc/sysconfig/clock\|grep ZONE\|cut -d"=" -f2`
		658	$SED "s?^;date.timezone =.*?date.timezone = $timezone?g" /etc/php.ini
411	richard	659	$SED "s?^upload_max_filesize.*?upload_max_filesize = 100M?g" /etc/php.ini
		660	$SED "s?^post_max_size.*?post_max_size = 100M?g" /etc/php.ini
71	richard	661	$SED "s?^html_errors.*?html_errors = Off?g" /etc/php.ini
		662	$SED "s?^expose_php.*?expose_php = Off?g" /etc/php.ini
		663	# Configuration et sécurisation Apache
790	richard	664	rm -rf /var/www/cgi-bin/* /var/www/perl/* /var/www/icons/README* /var/www/error/README*
1	root	665	[ -e /etc/httpd/conf/httpd.conf.default ] \|\| cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.default
1243	richard	666	$SED "s?^#ServerName.*?ServerName $HOSTNAME.$DOMAIN?g" /etc/httpd/conf/httpd.conf
303	richard	667	$SED "s?^Listen.*?Listen $PRIVATE_IP:80?g" /etc/httpd/conf/httpd.conf
1532	richard	668	$SED "s?Options Indexes.*?Options -Indexes?g" /etc/httpd/conf/httpd.conf
		669	echo "ServerTokens Prod" >> /etc/httpd/conf/httpd.conf
		670	echo "ServerSignature Off" >> /etc/httpd/conf/httpd.conf
		671	[ -e /etc/httpd/conf/modules.d/00_base.conf.default ] \|\| cp /etc/httpd/conf/modules.d/00_base.conf /etc/httpd/conf/modules.d/00_base.conf.default
		672	$SED "s?^LoadModule authn_anon_module.*?#LoadModule authn_anon_module modules/mod_authn_anon.so?g" /etc/httpd/conf/modules.d/00_base.conf
		673	$SED "s?^LoadModule status_module.*?#LoadModule status_module modules/mod_status.so?g" /etc/httpd/conf/modules.d/00_base.conf
		674	$SED "s?^LoadModule info_module.*?#LoadModule info_module modules/mod_info.so?g" /etc/httpd/conf/modules.d/00_base.conf
		675	$SED "s?^LoadModule imagemap_module.*?#LoadModule imagemap_module modules/mod_imagemap.so?g" /etc/httpd/conf/modules.d/00_base.conf
		676	$SED "s?^LoadModule rewrite_module.*?#LoadModule rewrite_module modules/mod_rewrite.so?g" /etc/httpd/conf/modules.d/00_base.conf
		677	$SED "s?^LoadModule speling_module.*?#LoadModule speling_module modules/mod_speling.so?g" /etc/httpd/conf/modules.d/00_base.conf
1359	richard	678	[ -e /etc/httpd/conf/conf.d/ssl.conf.default ] \|\| cp /etc/httpd/conf/conf.d/ssl.conf /etc/httpd/conf/conf.d/ssl.conf.default
		679	$SED "s?^Listen.*?Listen $PRIVATE_IP:443?g" /etc/httpd/conf/conf.d/ssl.conf # Listen only on INTIF
1532	richard	680	# Error page management
1534	richard	681	[ -e /etc/httpd/conf/conf.d/multilang-errordoc.conf.default ] \|\| cp /etc/httpd/conf/conf.d/multilang-errordoc.conf /etc/httpd/conf/conf.d/multilang-errordoc.conf.default
		682	cat <<EOF > /etc/httpd/conf/conf.d/multilang-errordoc.conf
1532	richard	683	Alias /error/ "/var/www/html/"
		684	<Directory "/usr/share/httpd/error">
		685	AllowOverride None
		686	Options IncludesNoExec
		687	AddOutputFilter Includes html
		688	AddHandler type-map var
		689	Require all granted
		690	LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
		691	ForceLanguagePriority Prefer Fallback
		692	</Directory>
		693	ErrorDocument 400 /error/error.php?error=400
		694	ErrorDocument 401 /error/error.php?error=401
		695	ErrorDocument 403 /error/error.php?error=403
		696	ErrorDocument 404 /error/error.php?error=404
		697	ErrorDocument 405 /error/error.php?error=405
		698	ErrorDocument 408 /error/error.php?error=408
		699	ErrorDocument 410 /error/error.php?error=410
		700	ErrorDocument 411 /error/error.php?error=411
		701	ErrorDocument 412 /error/error.php?error=412
		702	ErrorDocument 413 /error/error.php?error=413
		703	ErrorDocument 414 /error/error.php?error=414
		704	ErrorDocument 415 /error/error.php?error=415
		705	ErrorDocument 500 /error/error.php?error=500
		706	ErrorDocument 501 /error/error.php?error=501
		707	ErrorDocument 502 /error/error.php?error=502
		708	ErrorDocument 503 /error/error.php?error=503
		709	ErrorDocument 506 /error/error.php?error=506
		710	EOF
1359	richard	711	[ -e /usr/share/httpd/error/include/top.html.default ] \|\| cp /usr/share/httpd/error/include/top.html /usr/share/httpd/error/include/top.html.default
		712	$SED "s?background-color.*?background-color: #EFEFEF; }?g" /usr/share/httpd/error/include/top.html
		713	[ -e /usr/share/httpd/error/include/bottom.html.default ] \|\| cp /usr/share/httpd/error/include/bottom.html /usr/share/httpd/error/include/bottom.html.default
		714	cat <<EOF > /usr/share/httpd/error/include/bottom.html
1	root	715	</body>
		716	</html>
		717	EOF
		718	# Définition du premier compte lié au profil 'admin'
509	richard	719	header_install
510	richard	720	if [ "$mode" = "install" ]
		721	then
613	richard	722	admin_portal=!
		723	PTN='^[a-zA-Z0-9-]*$'
		724	until [[ $(expr $admin_portal : $PTN) -gt 0 ]]
		725	do
		726	header_install
		727	if [ $Lang == "fr" ]
		728	then
		729	echo ""
		730	echo "Définissez un premier compte d'administration du portail :"
		731	echo
		732	echo -n "Nom : "
		733	else
		734	echo ""
		735	echo "Define the first account allow to administrate the portal :"
		736	echo
		737	echo -n "Account : "
		738	fi
		739	read admin_portal
		740	if [ "$admin_portal" == "" ]
		741	then
		742	admin_portal=!
		743	fi
		744	done
1268	richard	745	# Creation of keys file for the admin account ("admin")
510	richard	746	[ -d $DIR_DEST_ETC/digest ] && rm -rf $DIR_DEST_ETC/digest
		747	mkdir -p $DIR_DEST_ETC/digest
		748	chmod 755 $DIR_DEST_ETC/digest
		749	until [ -s $DIR_DEST_ETC/digest/key_admin ]
		750	do
1350	richard	751	/usr/bin/htdigest -c $DIR_DEST_ETC/digest/key_admin $HOSTNAME.$DOMAIN $admin_portal
510	richard	752	done
		753	$DIR_DEST_SBIN/alcasar-profil.sh --list
		754	fi
434	richard	755	# synchronisation horaire
		756	ntpd -q -g &
1	root	757	# Sécurisation du centre
988	franck	758	rm -f /etc/httpd/conf/webapps.d/alcasar*
1	root	759	cat <<EOF > /etc/httpd/conf/webapps.d/alcasar.conf
316	richard	760	<Directory $DIR_ACC>
1	root	761	SSLRequireSSL
		762	AllowOverride None
		763	Order deny,allow
		764	Deny from all
		765	Allow from 127.0.0.1
		766	Allow from $PRIVATE_NETWORK_MASK
990	franck	767	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	768	require valid-user
		769	AuthType digest
1243	richard	770	AuthName $HOSTNAME.$DOMAIN
1	root	771	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	772	AuthUserFile $DIR_DEST_ETC/digest/key_all
1243	richard	773	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	774	</Directory>
316	richard	775	<Directory $DIR_ACC/admin>
1	root	776	SSLRequireSSL
		777	AllowOverride None
		778	Order deny,allow
		779	Deny from all
		780	Allow from 127.0.0.1
		781	Allow from $PRIVATE_NETWORK_MASK
990	franck	782	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	783	require valid-user
		784	AuthType digest
1243	richard	785	AuthName $HOSTNAME.$DOMAIN
1	root	786	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	787	AuthUserFile $DIR_DEST_ETC/digest/key_admin
1243	richard	788	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	789	</Directory>
344	richard	790	<Directory $DIR_ACC/manager>
1	root	791	SSLRequireSSL
		792	AllowOverride None
		793	Order deny,allow
		794	Deny from all
		795	Allow from 127.0.0.1
		796	Allow from $PRIVATE_NETWORK_MASK
990	franck	797	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
1	root	798	require valid-user
		799	AuthType digest
1243	richard	800	AuthName $HOSTNAME.$DOMAIN
1	root	801	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	802	AuthUserFile $DIR_DEST_ETC/digest/key_manager
1243	richard	803	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
1	root	804	</Directory>
316	richard	805	<Directory $DIR_ACC/backup>
		806	SSLRequireSSL
		807	AllowOverride None
		808	Order deny,allow
		809	Deny from all
		810	Allow from 127.0.0.1
		811	Allow from $PRIVATE_NETWORK_MASK
990	franck	812	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
316	richard	813	require valid-user
		814	AuthType digest
1243	richard	815	AuthName $HOSTNAME.$DOMAIN
316	richard	816	BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
434	richard	817	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	818	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
316	richard	819	</Directory>
811	richard	820	Alias /save/ "$DIR_SAVE/"
		821	<Directory $DIR_SAVE>
		822	SSLRequireSSL
		823	Options Indexes
		824	Order deny,allow
		825	Deny from all
		826	Allow from 127.0.0.1
		827	Allow from $PRIVATE_NETWORK_MASK
990	franck	828	# Allow from AA.BB.CC.DD/32 # Allow from specific @IP
811	richard	829	require valid-user
		830	AuthType digest
1243	richard	831	AuthName $HOSTNAME.$DOMAIN
811	richard	832	AuthUserFile $DIR_DEST_ETC/digest/key_backup
1243	richard	833	ErrorDocument 404 https://$HOSTNAME.$DOMAIN/
811	richard	834	</Directory>
1	root	835	EOF
1378	richard	836	# Launch after coova
		837	$SED "s?^After=.*?After=network.target remote-fs.target nss-lookup.target chilli.service?g" /lib/systemd/system/httpd.service
1389	richard	838	} # End of ACC ()
1	root	839
		840	##########################################################################################
1221	richard	841	## Fonction "CA" ##
1	root	842	## - Création d'une Autorité de Certification et du certificat serveur pour apache ##
		843	##########################################################################################
1221	richard	844	CA ()
1	root	845	{
510	richard	846	$DIR_DEST_BIN/alcasar-CA.sh
800	richard	847	FIC_VIRTUAL_SSL=`find /etc/httpd/conf -type f -name *default_ssl_vhost.conf`
303	richard	848	[ -e /etc/httpd/conf/vhosts-ssl.default ] \|\| cp $FIC_VIRTUAL_SSL /etc/httpd/conf/vhosts-ssl.default
1410	richard	849	cat <<EOF > $FIC_VIRTUAL_SSL
		850	# default SSL virtual host, used for all HTTPS requests that do not
		851	# match a ServerName or ServerAlias in any <VirtualHost> block.
		852
		853	<VirtualHost _default_:443>
		854	# general configuration
		855	ServerAdmin root@localhost
		856	ServerName localhost
		857
		858	# SSL configuration
		859	SSLEngine on
		860	SSLCertificateFile /etc/pki/tls/certs/alcasar.crt
		861	SSLCertificateKeyFile /etc/pki/tls/private/alcasar.key
		862	SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
		863	CustomLog logs/ssl_request_log \
		864	"%t %{SSL_PROTOCOL}x %{SSL_CIPHER}x [%h] \"%r\" %b"
		865	ErrorLog logs/ssl_error_log
		866	ErrorLogFormat "[%t] [%m:%l] [client %a] %M"
		867	</VirtualHost>
		868	EOF
		869
5	franck	870	chown -R root:apache /etc/pki
1	root	871	chmod -R 750 /etc/pki
1389	richard	872	} # End of CA ()
1	root	873
		874	##########################################################################################
1221	richard	875	## Fonction "init_db" ##
1	root	876	## - Initialisation de la base Mysql ##
		877	## - Affectation du mot de passe de l'administrateur (root) ##
		878	## - Suppression des bases et des utilisateurs superflus ##
		879	## - Création de la base 'radius' ##
		880	## - Installation du schéma de cette base ##
		881	## - Import des tables de comptabilité (mtotacct, totacct) et info_usagers (userinfo) ##
		882	## ces table proviennent de 'dialupadmin' (paquetage freeradius-web) ##
		883	##########################################################################################
		884	init_db ()
		885	{
1355	richard	886	rm -rf /var/lib/mysql # to be sure that there is no former installation
1	root	887	[ -e /etc/my.cnf.default ] \|\| cp /etc/my.cnf /etc/my.cnf.default
		888	$SED "s?^#bind-address.*?bind-address=127.0.0.1?g" /etc/my.cnf
1355	richard	889	$SED "s?^tmpdir.*?tmpdir=/tmp?g" /etc/my.cnf
1353	richard	890	systemctl start mysqld.service
1	root	891	sleep 4
		892	mysqladmin -u root password $mysqlpwd
		893	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
1355	richard	894	# Secure the server
		895	$MYSQL="DROP DATABASE IF EXISTS test;DROP DATABASE IF EXISTS tmp;"
		896	$MYSQL="CONNECT mysql;DELETE from user where User='';DELETE FROM user WHERE User='root' AND Host NOT IN ('localhost','127.0.0.1','::1');FLUSH PRIVILEGES;"
615	richard	897	# Create 'radius' database
1317	richard	898	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_RADIUS;GRANT ALL ON $DB_RADIUS.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES;"
615	richard	899	# Add an empty radius database structure
364	franck	900	mysql -u$DB_USER -p$radiuspwd $DB_RADIUS < $DIR_CONF/radiusd-db-vierge.sql
615	richard	901	# modify the start script in order to close accounting connexion when the system is comming down or up
1357	richard	902	[ -e /lib/systemd/system/mysqld.service.default ] \|\| cp /lib/systemd/system/mysqld.service /lib/systemd/system/mysqld.service.default
1515	richard	903	$SED "/ExecStartPost=/a ExecStop=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /usr/lib/systemd/system/mysqld.service
		904	$SED "/ExecStartPost=/a ExecStartPost=/usr/local/sbin/alcasar-mysql.sh -acct_stop" /lib/systemd/system/mysqld.service
1355	richard	905	systemctl daemon-reload
1389	richard	906	} # End of init_db ()
1	root	907
		908	##########################################################################
1389	richard	909	## Fonction "radius" ##
1	root	910	## - Paramètrage des fichiers de configuration FreeRadius ##
		911	## - Affectation du secret partagé entre coova-chilli et freeradius ##
		912	## - Modification de fichier de conf pour l'accès à Mysql ##
		913	##########################################################################
1389	richard	914	radius ()
1	root	915	{
		916	cp -f $DIR_CONF/radiusd-db-vierge.sql /etc/raddb/
		917	chown -R radius:radius /etc/raddb
		918	[ -e /etc/raddb/radiusd.conf.default ] \|\| cp /etc/raddb/radiusd.conf /etc/raddb/radiusd.conf.default
1278	richard	919	# Set radius.conf parameters
1	root	920	$SED "s?^[\t ]#[\t ]user =.*?user = radius?g" /etc/raddb/radiusd.conf
		921	$SED "s?^[\t ]#[\t ]group =.*?group = radius?g" /etc/raddb/radiusd.conf
		922	$SED "s?^[\t ]status_server =.?status_server = no?g" /etc/raddb/radiusd.conf
1278	richard	923	# remove the proxy function
1	root	924	$SED "s?^[\t ]proxy_requests.?proxy_requests = no?g" /etc/raddb/radiusd.conf
		925	$SED "s?^[\t ]\$INCLUDE proxy.conf.?#\$INCLUDE proxy.conf?g" /etc/raddb/radiusd.conf
1278	richard	926	# remove EAP module
654	richard	927	$SED "s?^[\t ]\$INCLUDE eap.conf.?#\$INCLUDE eap.conf?g" /etc/raddb/radiusd.conf
1278	richard	928	# listen on loopback (should be modified later if EAP enabled)
1	root	929	$SED "s?^[\t ]ipaddr =.?ipaddr = 127.0.0.1?g" /etc/raddb/radiusd.conf
1278	richard	930	# enable the SQL module (and SQL counter)
1	root	931	$SED "s?^[\t ]#[\t ]\$INCLUDE sql.conf.*?\$INCLUDE sql.conf?g" /etc/raddb/radiusd.conf
		932	$SED "s?^[\t ]#[\t ]\$INCLUDE sql/mysql/counter.conf?\$INCLUDE sql/mysql/counter.conf?g" /etc/raddb/radiusd.conf
		933	$SED "s?^[\t ]*\$INCLUDE policy.conf?#\$INCLUDE policy.conf?g" /etc/raddb/radiusd.conf
1465	richard	934	# only include modules for ALCASAR needs
		935	$SED "s?^[\t ]\$INCLUDE \${confdir}/modules/.?\t#\$INCLUDE \${confdir}/modules/\n\t# we only include modules for ALCASAR needs\n\t\$INCLUDE \${confdir}/modules/attr_filter\n\t\$INCLUDE \${confdir}/modules/expiration\n\t\$INCLUDE \${confdir}/modules/logintime\n\t\$INCLUDE \${confdir}/modules/ldap\n\t\$INCLUDE \${confdir}/modules/pap?g" /etc/raddb/radiusd.conf
		936	$SED "s/^[\t ]exec$/\#\texec/g" /etc/raddb/radiusd.conf
		937	$SED "s?^[\t ]expr.?\#\texpr?g" /etc/raddb/radiusd.conf
		938	$SED "s?^[\t ]\# daily.?\#\tdaily\n\tsql?g" /etc/raddb/radiusd.conf
		939	$SED "s?^[\t ]logintime.?\tlogintime\n\tnoresetcounter\n\tdailycounter\n\tmonthlycounter\n\tattr_filter.access_reject\n\tattr_filter.accounting_response\n\tpap?g" /etc/raddb/radiusd.conf
		940	$SED "s?^[\t ]\$INCLUDE sites-enabled/.?\#\$INCLUDE sites-enabled/\n\#\tenable only alcasar virtual server\n\$INCLUDE sites-enabled/alcasar?g" /etc/raddb/radiusd.conf
1278	richard	941	# remvove virtual server and copy our conf file
1	root	942	rm -f /etc/raddb/sites-enabled/*
1278	richard	943	cp $DIR_CONF/radius/alcasar-radius /etc/raddb/sites-available/alcasar
1	root	944	chown radius:apache /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap # droits rw pour apache (module ldap)
		945	chmod 660 /etc/raddb/sites-available/alcasar /etc/raddb/modules/ldap
		946	chgrp apache /etc/raddb /etc/raddb/sites-available /etc/raddb/modules
		947	ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
384	richard	948	# Inutile dans notre fonctionnement mais les liens sont recréés par un update de radius ... donc forcé en tant que fichier à 'vide'
1	root	949	touch /etc/raddb/sites-enabled/{inner-tunnel,control-socket,default}
1278	richard	950	# client.conf configuration (127.0.0.1 suffit mais on laisse le deuxième client pour la future gestion de l'EAP)
1	root	951	[ -e /etc/raddb/clients.conf.default ] \|\| cp -f /etc/raddb/clients.conf /etc/raddb/clients.conf.default
		952	cat << EOF > /etc/raddb/clients.conf
		953	client 127.0.0.1 {
		954	secret = $secretradius
		955	shortname = localhost
		956	}
		957	EOF
1278	richard	958	# sql.conf modification
1	root	959	[ -e /etc/raddb/sql.conf.default ] \|\| cp /etc/raddb/sql.conf /etc/raddb/sql.conf.default
		960	$SED "s?^[\t ]login =.?login = \"$DB_USER\"?g" /etc/raddb/sql.conf
		961	$SED "s?^[\t ]password =.?password = \"$radiuspwd\"?g" /etc/raddb/sql.conf
		962	$SED "s?^[\t ]radius_db =.?radius_db = \"$DB_RADIUS\"?g" /etc/raddb/sql.conf
		963	$SED "s?^[\t ]sqltrace =.?sqltrace = no?g" /etc/raddb/sql.conf
1278	richard	964	# dialup.conf modification (case sensitive for username, check simultaneous use, patch on 'postauth' table, etc.)
1	root	965	[ -e /etc/raddb/sql/mysql/dialup.conf.default ] \|\| cp /etc/raddb/sql/mysql/dialup.conf /etc/raddb/sql/mysql/dialup.conf.default
1278	richard	966	cp -f $DIR_CONF/radius/dialup.conf /etc/raddb/sql/mysql/dialup.conf
		967	# counter.conf modification (change the Max-All-Session-Time counter)
		968	[ -e /etc/raddb/sql/mysql/counter.conf.default ] \|\| cp /etc/raddb/sql/mysql/counter.conf /etc/raddb/sql/mysql/counter.conf.default
		969	cp -f $DIR_CONF/radius/counter.conf /etc/raddb/sql/mysql/counter.conf
		970	chown -R radius:radius /etc/raddb/sql/mysql/*
1358	richard	971	# make certain that mysql is up before radius start
		972	[ -e /lib/systemd/system/radiusd.service.default ] \|\| cp /lib/systemd/system/radiusd.service /lib/systemd/system/radiusd.service.default
		973	$SED "s?^After=.*?After=syslog.target network.target mysqld.service?g" /lib/systemd/system/radiusd.service
		974	systemctl daemon-reload
1389	richard	975	} # End radius ()
1	root	976
		977	##########################################################################
1389	richard	978	## Function "radius_web" ##
1	root	979	## - Import, modification et paramètrage de l'interface "dialupadmin" ##
		980	## - Création du lien vers la page de changement de mot de passe ##
		981	##########################################################################
1389	richard	982	radius_web ()
1	root	983	{
		984	# copie de l'interface d'origine dans la structure Alcasar
316	richard	985	[ -d /usr/share/freeradius-web ] && cp -rf /usr/share/freeradius-web/* $DIR_ACC/manager/
		986	rm -f $DIR_ACC/manager/index.html $DIR_ACC/manager/readme
		987	rm -f $DIR_ACC/manager/htdocs/about.html $DIR_ACC/manager/htdocs/index.html $DIR_ACC/manager/htdocs/content.html
344	richard	988	# copie des fichiers modifiés
		989	cp -rf $DIR_INSTALL/web/acc/manager/* $DIR_ACC/manager/
316	richard	990	chown -R apache:apache $DIR_ACC/manager/
344	richard	991	# Modification des fichiers de configuration
1	root	992	[ -e /etc/freeradius-web/admin.conf.default ] \|\| cp /etc/freeradius-web/admin.conf /etc/freeradius-web/admin.conf.default
503	richard	993	$SED "s?^general_domain:.*?general_domain: $DOMAIN?g" /etc/freeradius-web/admin.conf
1	root	994	$SED "s?^sql_username:.*?sql_username: $DB_USER?g" /etc/freeradius-web/admin.conf
		995	$SED "s?^sql_password:.*?sql_password: $radiuspwd?g" /etc/freeradius-web/admin.conf
		996	$SED "s?^sql_debug:.*?sql_debug: false?g" /etc/freeradius-web/admin.conf
		997	$SED "s?^sql_usergroup_table: .*?sql_usergroup_table: radusergroup?g" /etc/freeradius-web/admin.conf
		998	$SED "s?^sql_password_attribute:.*?sql_password_attribute: Crypt-Password?g" /etc/freeradius-web/admin.conf
		999	$SED "s?^general_finger_type.*?# general_finger_type: snmp?g" /etc/freeradius-web/admin.conf
		1000	$SED "s?^general_stats_use_totacct.*?general_stats_use_totacct: yes?g" /etc/freeradius-web/admin.conf
946	richard	1001	$SED "s?^general_charset.*?general_charset: utf-8?g" /etc/freeradius-web/admin.conf
344	richard	1002	[ -e /etc/freeradius-web/config.php.default ] \|\| cp /etc/freeradius-web/config.php /etc/freeradius-web/config.php.default
1278	richard	1003	cp -f $DIR_CONF/radius/freeradiusweb-config.php /etc/freeradius-web/config.php
131	richard	1004	cat <<EOF > /etc/freeradius-web/naslist.conf
632	richard	1005	nas1_name: alcasar-$ORGANISME
1	root	1006	nas1_model: Portail captif
		1007	nas1_ip: $PRIVATE_IP
		1008	nas1_port_num: 0
		1009	nas1_community: public
		1010	EOF
		1011	# Modification des attributs visibles lors de la création d'un usager ou d'un groupe
		1012	[ -e /etc/freeradius-web/user_edit.attrs.default ] \|\| mv /etc/freeradius-web/user_edit.attrs /etc/freeradius-web/user_edit.attrs.default
1278	richard	1013	cp -f $DIR_CONF/radius/user_edit.attrs /etc/freeradius-web/user_edit.attrs
114	richard	1014	# Ajout du mappage des attributs chillispot
		1015	[ -e /etc/freeradius-web/sql.attrmap.default ] \|\| mv /etc/freeradius-web/sql.attrmap /etc/freeradius-web/sql.attrmap.default
1278	richard	1016	cp -f $DIR_CONF/radius/sql.attrmap /etc/freeradius-web/sql.attrmap
1	root	1017	# Modification des attributs visibles sur les pages des statistiques (suppression NAS_IP et NAS_port)
1278	richard	1018	[ -e /etc/freeradius-web/sql.attrs.default ] \|\| cp /etc/freeradius-web/sql.attrs /etc/freeradius-web/sql.attrs.default
1	root	1019	$SED "s?^NASIPAddress.*?NASIPAddress\tNas IP Address\tno?g" /etc/freeradius-web/sql.attrs
		1020	$SED "s?^NASPortId.*?NASPortId\tNas Port\tno?g" /etc/freeradius-web/sql.attrs
5	franck	1021	chown -R apache:apache /etc/freeradius-web
1	root	1022	# Ajout de l'alias vers la page de "changement de mot de passe usager"
		1023	cat <<EOF >> /etc/httpd/conf/webapps.d/alcasar.conf
344	richard	1024	<Directory $DIR_WEB/pass>
1	root	1025	SSLRequireSSL
		1026	AllowOverride None
		1027	Order deny,allow
		1028	Deny from all
		1029	Allow from 127.0.0.1
		1030	Allow from $PRIVATE_NETWORK_MASK
1243	richard	1031	ErrorDocument 404 https://$HOSTNAME.$DOMAIN
1	root	1032	</Directory>
		1033	EOF
1389	richard	1034	} # End of radius_web ()
1	root	1035
799	richard	1036	##################################################################################
1389	richard	1037	## Fonction "chilli" ##
799	richard	1038	## - Création du fichier d'initialisation et de configuration de coova-chilli ##
		1039	## - Paramètrage de la page d'authentification (intercept.php) ##
		1040	##################################################################################
1389	richard	1041	chilli ()
1	root	1042	{
1370	richard	1043	# chilli unit for systemd
		1044	cat << EOF > /lib/systemd/system/chilli.service
1372	richard	1045	# This file is part of systemd.
		1046	#
		1047	# systemd is free software; you can redistribute it and/or modify it
		1048	# under the terms of the GNU General Public License as published by
		1049	# the Free Software Foundation; either version 2 of the License, or
		1050	# (at your option) any later version.
1370	richard	1051	[Unit]
		1052	Description=chilli is a captive portal daemon
		1053	After=network.target
		1054
		1055	[Service]
1379	richard	1056	Type=forking
1370	richard	1057	ExecStart=/usr/libexec/chilli start
		1058	ExecStop=/usr/libexec/chilli stop
		1059	ExecReload=/usr/libexec/chilli reload
		1060	PIDFile=/var/run/chilli.pid
		1061
		1062	[Install]
		1063	WantedBy=multi-user.target
		1064	EOF
799	richard	1065	# init file creation
1370	richard	1066	[ -e /etc/init.d/chilli.default ] \|\| mv /etc/init.d/chilli /etc/init.d/chilli.default
		1067	cat <<EOF > /usr/libexec/chilli
799	richard	1068	#!/bin/sh
		1069	#
		1070	# chilli CoovaChilli init
		1071	#
		1072	# chkconfig: 2345 65 35
		1073	# description: CoovaChilli
		1074	### BEGIN INIT INFO
		1075	# Provides: chilli
		1076	# Required-Start: network
		1077	# Should-Start:
		1078	# Required-Stop: network
		1079	# Should-Stop:
		1080	# Default-Start: 2 3 5
		1081	# Default-Stop:
		1082	# Description: CoovaChilli access controller
		1083	### END INIT INFO
		1084
		1085	[ -f /usr/sbin/chilli ] \|\| exit 0
		1086	. /etc/init.d/functions
		1087	CONFIG=/etc/chilli.conf
		1088	pidfile=/var/run/chilli.pid
		1089	[ -f \$CONFIG ] \|\| {
		1090	echo "\$CONFIG Not found"
		1091	exit 0
		1092	}
		1093	RETVAL=0
		1094	prog="chilli"
		1095	case \$1 in
		1096	start)
		1097	if [ -f \$pidfile ] ; then
		1098	gprintf "chilli is already running"
		1099	else
		1100	gprintf "Starting \$prog: "
		1101	rm -f /var/run/chilli* # cleaning
		1102	/sbin/modprobe tun >/dev/null 2>&1
		1103	echo 1 > /proc/sys/net/ipv4/ip_forward
		1104	[ -e /dev/net/tun ] \|\| {
		1105	(cd /dev;
		1106	mkdir net;
		1107	cd net;
		1108	mknod tun c 10 200)
		1109	}
1336	richard	1110	ifconfig $INTIF 0.0.0.0
799	richard	1111	daemon /usr/sbin/chilli -c \$CONFIG --pidfile=\$pidfile &
		1112	RETVAL=$?
		1113	fi
		1114	;;
		1115
		1116	reload)
		1117	killall -HUP chilli
		1118	;;
		1119
		1120	restart)
		1121	\$0 stop
		1122	sleep 2
		1123	\$0 start
		1124	;;
		1125
		1126	status)
		1127	status chilli
		1128	RETVAL=0
		1129	;;
		1130
		1131	stop)
		1132	if [ -f \$pidfile ] ; then
		1133	gprintf "Shutting down \$prog: "
		1134	killproc /usr/sbin/chilli
		1135	RETVAL=\$?
		1136	[ \$RETVAL = 0 ] && rm -f $pidfile
		1137	else
		1138	gprintf "chilli is not running"
		1139	fi
		1140	;;
		1141
		1142	*)
		1143	echo "Usage: \$0 {start\|stop\|restart\|reload\|status}"
		1144	exit 1
		1145	esac
		1146	echo
		1147	EOF
1373	richard	1148	chmod a+x /usr/libexec/chilli
799	richard	1149	# conf file creation
346	richard	1150	[ -e /etc/chilli.conf.default ] \|\| cp /etc/chilli.conf /etc/chilli.conf.default
		1151	cat <<EOF > /etc/chilli.conf
		1152	# coova config for ALCASAR
		1153	cmdsocket /var/run/chilli.sock
1336	richard	1154	unixipc chilli.$INTIF.ipc
1551	richard	1155	pidfile /var/run/chilli.pid
346	richard	1156	net $PRIVATE_NETWORK_MASK
595	richard	1157	dhcpif $INTIF
841	richard	1158	ethers $DIR_DEST_ETC/alcasar-ethers
861	richard	1159	#nodynip
865	richard	1160	#statip
		1161	dynip $PRIVATE_NETWORK_MASK
1249	richard	1162	domain $DOMAIN
355	richard	1163	dns1 $PRIVATE_IP
		1164	dns2 $PRIVATE_IP
346	richard	1165	uamlisten $PRIVATE_IP
503	richard	1166	uamport 3990
837	richard	1167	macauth
		1168	macpasswd password
1243	richard	1169	locationname $HOSTNAME.$DOMAIN
346	richard	1170	radiusserver1 127.0.0.1
		1171	radiusserver2 127.0.0.1
		1172	radiussecret $secretradius
		1173	radiusauthport 1812
		1174	radiusacctport 1813
1243	richard	1175	uamserver https://$HOSTNAME.$DOMAIN/intercept.php
		1176	radiusnasid $HOSTNAME.$DOMAIN
346	richard	1177	uamsecret $secretuam
1249	richard	1178	uamallowed $HOSTNAME,$HOSTNAME.$DOMAIN
346	richard	1179	coaport 3799
1379	richard	1180	conup $DIR_DEST_BIN/alcasar-conup.sh
		1181	condown $DIR_DEST_BIN/alcasar-condown.sh
503	richard	1182	include $DIR_DEST_ETC/alcasar-uamallowed
		1183	include $DIR_DEST_ETC/alcasar-uamdomain
1294	richard	1184	#dhcpgateway
1157	stephane	1185	#dhcprelayagent
		1186	#dhcpgatewayport
346	richard	1187	EOF
1336	richard	1188	# create file for DHCP static ip. Reserve the second IP address for INTIF (the first one is for tun0)
977	richard	1189	echo "$PRIVATE_MAC $PRIVATE_SECOND_IP" > $DIR_DEST_ETC/alcasar-ethers
840	richard	1190	# create files for trusted domains and urls
1148	crox53	1191	touch $DIR_DEST_ETC/alcasar-uamallowed $DIR_DEST_ETC/alcasar-uamdomain
503	richard	1192	chown root:apache $DIR_DEST_ETC/alcasar-*
		1193	chmod 660 $DIR_DEST_ETC/alcasar-*
847	richard	1194	# Configuration des fichier WEB d'interception (secret partagé avec coova-chilli)
526	stephane	1195	$SED "s?^\$uamsecret =.*?\$uamsecret = \"$secretuam\";?g" $DIR_WEB/intercept.php
		1196	$SED "s?^\$userpassword=1.*?\$userpassword=1;?g" $DIR_WEB/intercept.php
796	richard	1197	# user 'chilli' creation (in order to run conup/off and up/down scripts
		1198	chilli_exist=`grep chilli /etc/passwd\|wc -l`
		1199	if [ "$chilli_exist" == "1" ]
		1200	then
		1201	userdel -r chilli 2>/dev/null
		1202	fi
		1203	groupadd -f chilli
		1204	useradd -r -g chilli -s /bin/false -c "system user for coova-chilli" chilli
1389	richard	1205	} # End of chilli ()
1349	richard	1206
1	root	1207	##################################################################
1389	richard	1208	## Fonction "dansguardian" ##
1	root	1209	## - Paramètrage du gestionnaire de contenu Dansguardian ##
		1210	##################################################################
1389	richard	1211	dansguardian ()
1	root	1212	{
		1213	mkdir /var/dansguardian
		1214	chown dansguardian /var/dansguardian
1375	richard	1215	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dansguardian -c /etc/dansguardian/dansguardian.conf?g" /lib/systemd/system/dansguardian.service
1391	richard	1216	$SED "s?^After=.*?After=network.target chilli.service?g" /lib/systemd/system/dansguardian.service
497	richard	1217	[ -e $DIR_DG/dansguardian.conf.default ] \|\| cp $DIR_DG/dansguardian.conf $DIR_DG/dansguardian.conf.default
1293	richard	1218	# By default the filter is off
1556	richard	1219	$SED "s/^reportinglevel =.*/reportinglevel = 3/g" $DIR_DG/dansguardian.conf
1293	richard	1220	# French deny HTML page
497	richard	1221	$SED "s?^language =.*?language = french?g" $DIR_DG/dansguardian.conf
1293	richard	1222	# Listen only on LAN side
497	richard	1223	$SED "s?^filterip.*?filterip = $PRIVATE_IP?g" $DIR_DG/dansguardian.conf
1342	richard	1224	# DG send its flow to HAVP
		1225	$SED "s?^proxyport.*?proxyport = 8090?g" $DIR_DG/dansguardian.conf
1293	richard	1226	# replace the default deny HTML page
1	root	1227	cp -f $DIR_CONF/template.html /usr/share/dansguardian/languages/ukenglish/
		1228	cp -f $DIR_CONF/template-fr.html /usr/share/dansguardian/languages/french/template.html
1293	richard	1229	# Don't log
		1230	$SED "s?^loglevel =.*?loglevel = 0?g" $DIR_DG/dansguardian.conf
		1231	# Run 10 daemons (20 in largest server)
659	richard	1232	$SED "s?^minchildren =.*?minchildren = 10?g" $DIR_DG/dansguardian.conf
1	root	1233	# on désactive par défaut le controle de contenu des pages html
497	richard	1234	$SED "s?^weightedphrasemode =.*?weightedphrasemode = 0?g" $DIR_DG/dansguardian.conf
		1235	cp $DIR_DG/lists/bannedphraselist $DIR_DG/lists/bannedphraselist.default
		1236	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedphraselist # (on commente ce qui ne l'est pas)
1	root	1237	# on désactive par défaut le contrôle d'URL par expressions régulières
497	richard	1238	cp $DIR_DG/lists/bannedregexpurllist $DIR_DG/lists/bannedregexpurllist.default
		1239	$SED "s?^[^#]?#&?g" $DIR_DG/lists/bannedregexpurllist # (on commente ce qui ne l'est pas)
1	root	1240	# on désactive par défaut le contrôle de téléchargement de fichiers
497	richard	1241	[ -e $DIR_DG/dansguardianf1.conf.default ] \|\| cp $DIR_DG/dansguardianf1.conf $DIR_DG/dansguardianf1.conf.default
		1242	$SED "s?^blockdownloads =.*?blockdownloads = off?g" $DIR_DG/dansguardianf1.conf
		1243	[ -e $DIR_DG/lists/bannedextensionlist.default ] \|\| mv $DIR_DG/lists/bannedextensionlist $DIR_DG/lists/bannedextensionlist.default
		1244	[ -e $DIR_DG/lists/bannedmimetypelist.default ] \|\| mv $DIR_DG/lists/bannedmimetypelist $DIR_DG/lists/bannedmimetypelist.default
		1245	touch $DIR_DG/lists/bannedextensionlist
		1246	touch $DIR_DG/lists/bannedmimetypelist
		1247	# 'Safesearch' regex actualisation
498	richard	1248	$SED "s?images?search?g" $DIR_DG/lists/urlregexplist
497	richard	1249	# empty LAN IP list that won't be WEB filtered
		1250	[ -e $DIR_DG/lists/exceptioniplist.default ] \|\| mv $DIR_DG/lists/exceptioniplist $DIR_DG/lists/exceptioniplist.default
		1251	touch $DIR_DG/lists/exceptioniplist
		1252	# Keep a copy of URL & domain filter configuration files
		1253	[ -e $DIR_DG/lists/bannedsitelist.default ] \|\| mv $DIR_DG/lists/bannedsitelist $DIR_DG/lists/bannedsitelist.default
		1254	[ -e $DIR_DG/lists/bannedurllist.default ] \|\| mv $DIR_DG/lists/bannedurllist $DIR_DG/lists/bannedurllist.default
1389	richard	1255	} # End of dansguardian ()
1	root	1256
71	richard	1257	##################################################################
1221	richard	1258	## Fonction "antivirus" ##
1357	richard	1259	## - configuration of havp, libclamav and freshclam ##
71	richard	1260	##################################################################
		1261	antivirus ()
		1262	{
1358	richard	1263	# create 'havp' user
288	richard	1264	havp_exist=`grep havp /etc/passwd\|wc -l`
307	richard	1265	if [ "$havp_exist" == "1" ]
288	richard	1266	then
478	richard	1267	userdel -r havp 2>/dev/null
894	richard	1268	groupdel havp 2>/dev/null
288	richard	1269	fi
307	richard	1270	groupadd -f havp
1486	richard	1271	useradd -r -g havp -s /bin/false -c "system user for havp (antivirus proxy)" havp
1366	richard	1272	mkdir -p /var/tmp/havp /var/log/havp /var/run/havp
1484	richard	1273	chown -R havp:havp /var/tmp/havp /var/log/havp /var/run/havp
109	richard	1274	[ -e /etc/havp/havp.config.default ] \|\| cp /etc/havp/havp.config /etc/havp/havp.config.default
		1275	$SED "/^REMOVETHISLINE/d" /etc/havp/havp.config
1484	richard	1276	$SED "s?^# PIDFILE.*?PIDFILE /var/run/havp/havp.pid?g" /etc/havp/havp.config # pidfile
		1277	$SED "s?^# TRANSPARENT.*?TRANSPARENT false?g" /etc/havp/havp.config # transparent mode
631	richard	1278	$SED "s?^# BIND_ADDRESS.*?BIND_ADDRESS 127.0.0.1?g" /etc/havp/havp.config # we listen only on loopback
1485	richard	1279	$SED "s?^# PORT.*?PORT 8090?g" /etc/havp/havp.config # datas come on port 8090 (on loopback)
990	franck	1280	$SED "s?^# TIMEFORMAT.*?TIMEFORMAT %Y %b %d %H:%M:%S?g" /etc/havp/havp.config # Log format
631	richard	1281	$SED "s?^ENABLECLAMLIB.*?ENABLECLAMLIB true?g" /etc/havp/havp.config # active libclamav AV
		1282	$SED "s?^# LOG_OKS.*?LOG_OKS false?g" /etc/havp/havp.config # log only when malware matches
659	richard	1283	$SED "s?^# SERVERNUMBER.*?SERVERNUMBER 10?g" /etc/havp/havp.config # 10 daemons are started simultaneously
835	richard	1284	$SED "s?^# SCANIMAGES.*?SCANIMAGES false?g" /etc/havp/havp.config # doesn't scan image files
		1285	$SED "s?^# SKIPMIME.?SKIPMIME image\/\ video\/\* audio\/\*?g" /etc/havp/havp.config # doesn't scan some multimedia files
1007	richard	1286	# skip checking of youtube flow (too heavy load / risk too low)
		1287	[ -e /etc/havp/whitelist.default ] \|\| cp /etc/havp/whitelist /etc/havp/whitelist.default
		1288	echo "# Whitelist youtube flow" >> /etc/havp/whitelist
		1289	echo ".youtube.com/" >> /etc/havp/whitelist
1544	richard	1290	# adapt init script and systemd unit
335	richard	1291	[ -e /etc/init.d/havp.default ] \|\| cp /etc/init.d/havp /etc/init.d/havp.default
481	franck	1292	cp -f $DIR_CONF/havp-init /etc/init.d/havp
1547	richard	1293	[ -e /lib/systemd/system/havp.service.default ] \|\| cp /lib/systemd/system/havp.service /lib/systemd/system/havp.service.default
		1294	$SED "/^PIDFile/i ExecStartPre=/bin/mkdir -p /var/run/havp" /lib/systemd/system/havp.service
1544	richard	1295	$SED "/^PIDFile/i ExecStartPre=/bin/chown -R havp:havp /var/run/havp /var/log/havp" /lib/systemd/system/havp.service
1358	richard	1296	# replace of the intercept page (template)
340	richard	1297	cp -f $DIR_CONF/virus-fr.html /etc/havp/templates/fr/virus.html
		1298	cp -f $DIR_CONF/virus-en.html /etc/havp/templates/en/virus.html
1358	richard	1299	# update virus database every 4 hours (24h/6)
1357	richard	1300	[ -e /etc/freshclam.conf.default ] \|\| cp /etc/freshclam.conf /etc/freshclam.conf.default
		1301	$SED "s?^Checks.*?Checks 6?g" /etc/freshclam.conf
489	richard	1302	$SED "s?^NotifyClamd.*?# NotifyClamd /etc/clamd.conf?g" /etc/freshclam.conf
1357	richard	1303	$SED "/^DatabaseMirror/i DatabaseMirror db.fr.clamav.net" /etc/freshclam.conf
1358	richard	1304	$SED "/^DatabaseMirror db.fr.clamav.net/i DatabaseMirror switch.clamav.net" /etc/freshclam.conf
		1305	$SED "s?MaxAttempts.*?MaxAttempts 3?g" /etc/freshclam.conf
1385	richard	1306	# update now
1382	richard	1307	/usr/bin/freshclam --no-warnings
1389	richard	1308	} # End of antivirus ()
71	richard	1309
1486	richard	1310	##########################################################################
		1311	## Fonction "tinyproxy" ##
		1312	## - configuration of tinyproxy (proxy between filterde users and havp) ##
		1313	##########################################################################
1485	richard	1314	tinyproxy ()
		1315	{
1486	richard	1316	tinyproxy_exist=`grep tinyproxy /etc/passwd\|wc -l`
		1317	if [ "$tinyproxy_exist" == "1" ]
		1318	then
		1319	userdel -r tinyproxy 2>/dev/null
		1320	groupdel tinyproxy 2>/dev/null
		1321	fi
		1322	groupadd -f tinyproxy
1488	richard	1323	useradd -r -g tinyproxy -s /bin/false -c "system user for tinyproxy" tinyproxy
1518	richard	1324	mkdir -p var/run/tinyproxy /var/log/tinyproxy
1517	richard	1325	chown -R tinyproxy.tinyproxy /run/tinyproxy /var/log/tinyproxy
1486	richard	1326	[ -e /etc/tinyproxy/tinyproxy.conf.default ] \|\| cp /etc/tinyproxy/tinyproxy.conf /etc/tinyproxy/tinyproxy.conf.default
		1327	$SED "s?^User.*?User tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
		1328	$SED "s?^Group.*?Group tinyproxy?g" /etc/tinyproxy/tinyproxy.conf
		1329	$SED "s?^Port.*?Port 8090?g" /etc/tinyproxy/tinyproxy.conf # Listen Port
		1330	$SED "s?^#Listen.*?Listen $PRIVATE_IP?g" /etc/tinyproxy/tinyproxy.conf # Listen NIC (only intif)
1508	richard	1331	$SED "s?^#LogFile.*?LogFile \"/var/log/tinyproxy/tinyproxy.log\"?g" /etc/tinyproxy/tinyproxy.conf
1518	richard	1332	$SED "s?^#PidFile.*?PidFile \"/var/run/tinyproxy/tinyproxy.pid\"?g" /etc/tinyproxy/tinyproxy.conf
1486	richard	1333	$SED "s?^LogLevel.*?LogLevel Error?g" /etc/tinyproxy/tinyproxy.conf # Only errors are logged
		1334	$SED "s?^#Upstream.*?Upstream 127.0.0.1:8090?g" /etc/tinyproxy/tinyproxy.conf # forward to HAVP
		1335	$SED "s?^#DisableViaHeader.*?DisableViaHeader Yes?g" /etc/tinyproxy/tinyproxy.conf # Stealth mode
1544	richard	1336	$SED "s?^Allow.*?Allow $PRIVATE_NETWORK_MASK?g" /etc/tinyproxy/tinyproxy.conf # Allow from LAN
1509	richard	1337	# Create the systemd unit
		1338	cat << EOF > /lib/systemd/system/tinyproxy.service
		1339	# This file is part of systemd.
		1340	#
		1341	# systemd is free software; you can redistribute it and/or modify it
		1342	# under the terms of the GNU General Public License as published by
		1343	# the Free Software Foundation; either version 2 of the License, or
		1344	# (at your option) any later version.
1485	richard	1345
1509	richard	1346	# This unit launches tinyproxy (a very light proxy).
1518	richard	1347	# The "sleep 2" is needed because the pid file isn't ready for systemd
1509	richard	1348	[Unit]
		1349	Description=Tinyproxy Web Proxy Server
		1350	After=network.target iptables.service
		1351
		1352	[Service]
		1353	Type=forking
1518	richard	1354	ExecStartPre=/bin/chown -R tinyproxy.tinyproxy /var/run/tinyproxy /var/log/tinyproxy
		1355	ExecStartPre=/bin/sleep 2
		1356	PIDFile=/var/run/tinyproxy/tinyproxy.pid
1509	richard	1357	ExecStart=/usr/sbin/tinyproxy -c /etc/tinyproxy/tinyproxy.conf
		1358
		1359	[Install]
		1360	WantedBy=multi-user.target
		1361	EOF
		1362
1485	richard	1363	} # end of tinyproxy
1	root	1364	##################################################################################
1389	richard	1365	## function "ulogd" ##
476	richard	1366	## - Ulog config for multi-log files ##
		1367	##################################################################################
1389	richard	1368	ulogd ()
476	richard	1369	{
		1370	# Three instances of ulogd (three different logfiles)
		1371	[ -d /var/log/firewall ] \|\| mkdir -p /var/log/firewall
478	richard	1372	nl=1
1358	richard	1373	for log_type in traceability ssh ext-access
478	richard	1374	do
1365	richard	1375	[ -e /lib/systemd/system/ulogd-$log_type.service ] \|\| cp -f /lib/systemd/system/ulogd.service /lib/systemd/system/ulogd-$log_type.service
1369	richard	1376	[ -e /var/log/firewall/$log_type.log ] \|\| echo "" > /var/log/firewall/$log_type.log
1375	richard	1377	cp -f $DIR_CONF/ulogd-sample.conf /etc/ulogd-$log_type.conf
1554	richard	1378	$SED "s?^nlgroup=.*?nlgroup=$nl?g" /etc/ulogd-$log_type.conf
		1379	if [ "$ARCH" == "i586" ]; then $SED "s/lib64/lib/g" /etc/ulogd-$log_type.conf; fi
478	richard	1380	cat << EOF >> /etc/ulogd-$log_type.conf
1452	richard	1381	[emu1]
478	richard	1382	file="/var/log/firewall/$log_type.log"
		1383	sync=1
		1384	EOF
1452	richard	1385	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/ulogd -u ulogd -c /etc/ulogd-$log_type.conf $ULOGD_OPTIONS?g" /lib/systemd/system/ulogd-$log_type.service
478	richard	1386	nl=`expr $nl + 1`
		1387	done
476	richard	1388	chown -R root:apache /var/log/firewall
		1389	chmod 750 /var/log/firewall
		1390	chmod 640 /var/log/firewall/*
1389	richard	1391	} # End of ulogd ()
476	richard	1392
1159	crox53	1393
		1394	##########################################################
1389	richard	1395	## Function "nfsen" ##
1567	richard	1396	## - install the nfsen grapher ##
		1397	## - install the two plugins porttracker & surfmap ##
1159	crox53	1398	##########################################################
1389	richard	1399	nfsen()
1	root	1400	{
1569	richard	1401	tar xzf ./conf/nfsen/nfsen-1.3.7.tar.gz -C /tmp/
1365	richard	1402	# Add PortTracker plugin
1534	richard	1403	for i in /var/www/html/acc/manager/nfsen/plugins /var/log/netflow/porttracker /usr/share/nfsen/plugins
1395	richard	1404	do
1536	richard	1405	[ ! -d $i ] && mkdir -p $i && chown -R apache:apache $i
1395	richard	1406	done
1569	richard	1407	$SED "s?^my \$PORTSDBDIR =.*?my \$PORTSDBDIR = \"/var/log/netflow/porttracker\";?g" /tmp/nfsen-1.3.7/contrib/PortTracker/PortTracker.pm
1365	richard	1408	# use of our conf file and init unit
1569	richard	1409	cp $DIR_CONF/nfsen/nfsen.conf /tmp/nfsen-1.3.7/etc/
1570	richard	1410	# Installation of nfsen (we change a little 'install.pl in order not to ask the user for the perl version)
1221	richard	1411	DirTmp=$(pwd)
1569	richard	1412	cd /tmp/nfsen-1.3.7/
1570	richard	1413	/usr/bin/perl install.pl etc/nfsen.conf
		1414	/usr/bin/perl install.pl etc/nfsen.conf # to avoid a Perl mistake "Semaphore introuvable"
1365	richard	1415	# Create RRD DB for porttracker (only in it still doesn't exist)
1570	richard	1416	cp contrib/PortTracker/PortTracker.pm /usr/share/nfsen/plugins/
		1417	cp contrib/PortTracker/PortTracker.php /var/www/html/acc/manager/nfsen/plugins/
1395	richard	1418	if [ "$(ls -A "/var/log/netflow/porttracker" 2>&1)" = "" ]; then sudo -u apache nftrack -I -d /var/log/netflow/porttracker; else echo "RRD DB already exists"; fi
		1419	chmod -R 770 /var/log/netflow/porttracker
1372	richard	1420	# nfsen unit for systemd
		1421	cat << EOF > /lib/systemd/system/nfsen.service
		1422	# This file is part of systemd.
		1423	#
		1424	# systemd is free software; you can redistribute it and/or modify it
		1425	# under the terms of the GNU General Public License as published by
		1426	# the Free Software Foundation; either version 2 of the License, or
		1427	# (at your option) any later version.
		1428
		1429	# This unit launches nfsen (a Netflow grapher).
		1430	[Unit]
		1431	Description= NfSen init script
		1432	After=network.target iptables.service
		1433
		1434	[Service]
		1435	Type=oneshot
		1436	RemainAfterExit=yes
1393	richard	1437	PIDFile=/var/run/nfsen/nfsen.pid
		1438	ExecStartPre=/bin/mkdir -p /var/run/nfsen
		1439	ExecStartPre=/bin/chown apache:apache /var/run/nfsen
1372	richard	1440	ExecStart=/usr/bin/nfsen start
		1441	ExecStop=/usr/bin/nfsen stop
1393	richard	1442	ExecReload=/usr/bin/nfsen restart
1372	richard	1443	TimeoutSec=0
		1444
		1445	[Install]
		1446	WantedBy=multi-user.target
		1447	EOF
1365	richard	1448	# Add the listen port to collect netflow packet (nfcapd)
1393	richard	1449	$SED "s?'\$ziparg $extensions.*?\$ziparg $extensions -b 127.0.0.1;'?g" /usr/libexec/NfSenRC.pm
1365	richard	1450	# expire delay for the profile "live"
1393	richard	1451	systemctl start nfsen
		1452	/bin/nfsen -m live -e 62d 2>/dev/null
1397	richard	1453	# add SURFmap plugin
1509	richard	1454	cp $DIR_CONF/nfsen/SURFmap_v3.3.1.tar.gz /tmp/
1512	richard	1455	cp $DIR_CONF/nfsen/GeoLiteCity* /tmp/
1509	richard	1456	tar xzf /tmp/SURFmap_v3.3.1.tar.gz -C /tmp/
1512	richard	1457	cd /tmp/
		1458	/usr/bin/sh SURFmap/install.sh
1544	richard	1459	chown -R apache:apache /var/www/html/acc/manager/nfsen /usr/share/nfsen
1365	richard	1460	# clear the installation
1221	richard	1461	cd $DirTmp
1509	richard	1462	rm -rf /tmp/nfsen*
		1463	rm -rf /tmp/SURFmap*
1389	richard	1464	} # End of nfsen ()
1	root	1465
1390	richard	1466	##################################################
1541	richard	1467	## Function "vnstat" ##
		1468	## Initialization of Vnstat and vnstat phpFE ##
		1469	##################################################
		1470	vnstat ()
		1471	{
		1472	[ -e /etc/vnstat.conf.default ] \|\| cp /etc/vnstat.conf /etc/vnstat.conf.default
		1473	$SED "s?Interface.*?Interface \"$EXTIF\"?g" /etc/vnstat.conf
		1474	[ -e $DIR_ACC/manager/stats/config.php.default ] \|\| cp $DIR_ACC/manager/stats/config.php $DIR_ACC/manager/stats/config.php.default
		1475	$SED "s?\$iface_list =.*?\$iface_list = array('$EXTIF');?g" $DIR_ACC/manager/stats/config.php
		1476	$SED "s?\$iface_title.*?\$iface_title['$EXTIF'] = 'Internet outbound';?g" $DIR_ACC/manager/stats/config.php
		1477	/usr/bin/vnstat -u -i $EXTIF
		1478	} # End of vnstat
		1479	##################################################
1389	richard	1480	## Function "dnsmasq" ##
1390	richard	1481	##################################################
1389	richard	1482	dnsmasq ()
219	jeremy	1483	{
		1484	[ -d /var/log/dnsmasq ] \|\| mkdir /var/log/dnsmasq
1356	richard	1485	[ -e /etc/sysconfig/dnsmasq.default ] \|\| cp /etc/sysconfig/dnsmasq /etc/sysconfig/dnsmasq.default
1387	richard	1486	$SED "s?^OPTION=.*?OPTION=-C /etc/dnsmasq.conf?g" /etc/sysconfig/dnsmasq # default conf file for the first dnsmasq instance
503	richard	1487	[ -e /etc/dnsmasq.conf.default ] \|\| cp /etc/dnsmasq.conf /etc/dnsmasq.conf.default
1472	richard	1488	# 1st dnsmasq listen on udp 53 ("dnsmasq - forward"). It's used as dhcp server only if "alcasar-bypass" is on.
503	richard	1489	cat << EOF > /etc/dnsmasq.conf
520	richard	1490	# Configuration file for "dnsmasq in forward mode"
1387	richard	1491	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
259	richard	1492	listen-address=$PRIVATE_IP
1390	richard	1493	pid-file=/var/run/dnsmasq.pid
259	richard	1494	listen-address=127.0.0.1
286	richard	1495	no-dhcp-interface=$INTIF
1387	richard	1496	no-dhcp-interface=tun0
		1497	no-dhcp-interface=lo
259	richard	1498	bind-interfaces
		1499	cache-size=256
		1500	domain=$DOMAIN
		1501	domain-needed
		1502	expand-hosts
		1503	bogus-priv
		1504	filterwin2k
		1505	server=$DNS1
		1506	server=$DNS2
1387	richard	1507	# DHCP service is configured. It will be enabled in "bypass" mode
865	richard	1508	dhcp-range=$PRIVATE_FIRST_IP,$PRIVATE_LAST_IP,$PRIVATE_NETMASK,12h
632	richard	1509	dhcp-option=option:router,$PRIVATE_IP
1482	richard	1510	dhcp-option=option:ntp-server,$PRIVATE_IP
259	richard	1511
1387	richard	1512	# Exemple of static dhcp assignation : <@MAC>,<name>,<@IP>,<MASK>,<ttl bail>
420	franck	1513	#dhcp-host=11:22:33:44:55:66,ssic-test,192.168.182.20,255.255.255.0,45m
259	richard	1514	EOF
1356	richard	1515	# 2nd dnsmasq listen on udp 54 ("dnsmasq with blacklist")
		1516	cat << EOF > /etc/dnsmasq-blacklist.conf
1390	richard	1517	# Configuration file for "dnsmasq with blacklist"
1387	richard	1518	# Add Toulouse blacklist domains
1472	richard	1519	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
1015	richard	1520	conf-dir=$DIR_DEST_SHARE/dnsmasq-bl-enabled
1390	richard	1521	pid-file=/var/run/dnsmasq-blacklist.pid
498	richard	1522	listen-address=$PRIVATE_IP
		1523	port=54
		1524	no-dhcp-interface=$INTIF
1387	richard	1525	no-dhcp-interface=tun0
1472	richard	1526	no-dhcp-interface=lo
498	richard	1527	bind-interfaces
		1528	cache-size=256
		1529	domain=$DOMAIN
		1530	domain-needed
		1531	expand-hosts
		1532	bogus-priv
		1533	filterwin2k
		1534	server=$DNS1
		1535	server=$DNS2
		1536	EOF
1379	richard	1537	# 3rd dnsmasq listen on udp 55 ("dnsmasq with whitelist")
1357	richard	1538	cat << EOF > /etc/dnsmasq-whitelist.conf
1390	richard	1539	# Configuration file for "dnsmasq with whitelist"
1356	richard	1540	# Inclusion de la whitelist <domains> de Toulouse dans la configuration
1472	richard	1541	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
1356	richard	1542	conf-dir=$DIR_DEST_SHARE/dnsmasq-wl-enabled
1472	richard	1543	pid-file=/var/run/dnsmasq-whitelist.pid
1356	richard	1544	listen-address=$PRIVATE_IP
		1545	port=55
		1546	no-dhcp-interface=$INTIF
1387	richard	1547	no-dhcp-interface=tun0
1472	richard	1548	no-dhcp-interface=lo
1356	richard	1549	bind-interfaces
		1550	cache-size=256
		1551	domain=$DOMAIN
		1552	domain-needed
		1553	expand-hosts
		1554	bogus-priv
		1555	filterwin2k
1472	richard	1556	address=/#/$PRIVATE_IP # for Domain name without local resolution (WL)
		1557	ipset=/#/whitelist_ip_allowed # dynamicly add the resolv IP address in the Firewall rules
1356	richard	1558	EOF
1472	richard	1559	# 4th dnsmasq listen on udp 56 ("blackhole")
		1560	cat << EOF > /etc/dnsmasq-blackhole.conf
		1561	# Configuration file for "dnsmasq as a blackhole"
		1562	conf-file=$DIR_DEST_ETC/alcasar-dns-name # local DNS resolutions
		1563	address=/#/$PRIVATE_IP # redirect all on ALCASAR IP address
		1564	pid-file=/var/run/dnsmasq-blackhole.pid
		1565	listen-address=$PRIVATE_IP
		1566	port=56
		1567	no-dhcp-interface=$INTIF
		1568	no-dhcp-interface=tun0
		1569	no-dhcp-interface=lo
		1570	bind-interfaces
		1571	cache-size=256
		1572	domain=$DOMAIN
		1573	domain-needed
		1574	expand-hosts
		1575	bogus-priv
		1576	filterwin2k
		1577	EOF
		1578
1517	richard	1579	# the main instance should start after network and chilli (which create tun0)
1547	richard	1580	[ -e /lib/systemd/system/dnsmasq.service.default ] \|\| cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq.service.default
1517	richard	1581	$SED "s?^After=.*?After=syslog.target network-online.target chilli.service?g" /lib/systemd/system/dnsmasq.service
1474	richard	1582	# Create dnsmasq-blacklist, dnsmasq-whitelist and dnsmasq-blackhole unit
		1583	for list in blacklist whitelist blackhole
		1584	do
		1585	cp -f /lib/systemd/system/dnsmasq.service /lib/systemd/system/dnsmasq-$list.service
		1586	$SED "s?^ExecStart=.*?ExecStart=/usr/sbin/dnsmasq -C /etc/dnsmasq-$list.conf?g" /lib/systemd/system/dnsmasq-$list.service
		1587	$SED "s?^PIDFile=.*?PIDFile=/var/run/dnsmasq-$list.pid?g" /lib/systemd/system/dnsmasq-$list.service
		1588	done
308	richard	1589	} # End dnsmasq
		1590
		1591	##########################################################
1221	richard	1592	## Fonction "BL" ##
308	richard	1593	##########################################################
		1594	BL ()
		1595	{
1384	richard	1596	# copy and extract toulouse BL
648	richard	1597	rm -rf $DIR_DG/lists/blacklists
		1598	tar zxf $DIR_CONF/blacklists.tar.gz --directory=$DIR_DG/lists/ > /dev/null 2>&1
1383	richard	1599	# creation of the OSSI BL and WL categories (domain name and url)
878	richard	1600	mkdir $DIR_DG/lists/blacklists/ossi
1041	richard	1601	touch $DIR_DG/lists/blacklists/ossi/domains $DIR_DG/lists/blacklists/ossi/domains_wl
		1602	touch $DIR_DG/lists/blacklists/ossi/urls $DIR_DG/lists/blacklists/ossi/urls_wl
1384	richard	1603	chown -R dansguardian:apache $DIR_DG $DIR_DEST_SHARE
		1604	chmod -R g+rw $DIR_DG $DIR_DEST_SHARE
1383	richard	1605	# creation of file for the rehabilited domains and urls
648	richard	1606	[ -e $DIR_DG/lists/exceptionsitelist.default ] \|\| mv $DIR_DG/lists/exceptionsitelist $DIR_DG/lists/exceptionsitelist.default
673	richard	1607	[ -e $DIR_DG/lists/exceptionurllist.default ] \|\| mv $DIR_DG/lists/exceptionurllist $DIR_DG/lists/exceptionurllist.default
648	richard	1608	touch $DIR_DG/lists/exceptionsitelist
		1609	touch $DIR_DG/lists/exceptionurllist
311	richard	1610	# On crée la configuration de base du filtrage de domaine et d'URL pour Dansguardian
648	richard	1611	cat <<EOF > $DIR_DG/lists/bannedurllist
311	richard	1612	# Dansguardian filter config for ALCASAR
		1613	EOF
648	richard	1614	cat <<EOF > $DIR_DG/lists/bannedsitelist
311	richard	1615	# Dansguardian domain filter config for ALCASAR
		1616	# block all sites except those in the exceptionsitelist --> liste blanche (désactivée)
		1617	#**
		1618	# block all SSL and CONNECT tunnels
		1619	**s
		1620	# block all SSL and CONNECT tunnels specified only as an IP
		1621	*ips
		1622	# block all sites specified only by an IP
		1623	*ip
		1624	EOF
1000	richard	1625	# Add Bing and Youtube to the safesearch url regext list (parental control)
878	richard	1626	cat <<EOF >> $DIR_DG/lists/urlregexplist
		1627	# Bing - add 'adlt=strict'
		1628	#"(^http://[0-9a-z]+\.bing\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&adlt=strict"
		1629	# Youtube - add 'edufilter=your_ID'
885	richard	1630	#"(^http://[0-9a-z]+\.youtube\.[a-z]+[-/%.0-9a-z]\?)(.)"->"\1\2&edufilter=ABCD1234567890abcdef"
878	richard	1631	EOF
1000	richard	1632	# change the the google safesearch ("safe=strict" instead of "safe=vss")
1003	richard	1633	$SED "s?safe=vss?safe=strict?g" $DIR_DG/lists/urlregexplist
1370	richard	1634	# adapt the BL to ALCASAR architecture. Enable the default categories
654	richard	1635	if [ "$mode" != "update" ]; then
		1636	$DIR_DEST_SBIN/alcasar-bl.sh --adapt
1370	richard	1637	$DIR_DEST_SBIN/alcasar-bl.sh --cat_choice
654	richard	1638	fi
308	richard	1639	}
219	jeremy	1640
1	root	1641	##########################################################
1221	richard	1642	## Fonction "cron" ##
1	root	1643	## - Mise en place des différents fichiers de cron ##
		1644	##########################################################
		1645	cron ()
		1646	{
		1647	# Modif du fichier 'crontab' pour passer les cron à minuit au lieu de 04h00
		1648	[ -e /etc/crontab.default ] \|\| cp /etc/crontab /etc/crontab.default
		1649	cat <<EOF > /etc/crontab
		1650	SHELL=/bin/bash
		1651	PATH=/sbin:/bin:/usr/sbin:/usr/bin
		1652	MAILTO=root
		1653	HOME=/
		1654
		1655	# run-parts
		1656	01 * * * * root nice -n 19 run-parts --report /etc/cron.hourly
		1657	02 0 * * * root nice -n 19 run-parts --report /etc/cron.daily
		1658	22 0 * * 0 root nice -n 19 run-parts --report /etc/cron.weekly
		1659	42 0 1 * * root nice -n 19 run-parts --report /etc/cron.monthly
		1660	EOF
		1661	[ -e /etc/anacrontab.default ] \|\| cp /etc/anacrontab /etc/anacrontab.default
		1662	cat <<EOF >> /etc/anacrontab
667	franck	1663	7 8 cron.MysqlDump nice /etc/cron.d/alcasar-mysql
1380	richard	1664	7 10 cron.logExport nice /etc/cron.d/alcasar-archive
667	franck	1665	7 20 cron.importClean nice /etc/cron.d/alcasar-clean_import
1	root	1666	EOF
1247	crox53	1667
811	richard	1668	cat <<EOF > /etc/cron.d/alcasar-mysql
868	richard	1669	# Contrôle, réparation et export de la base des usagers (tous les lundi à 4h45)
955	richard	1670	45 4 * * 1 root $DIR_DEST_SBIN/alcasar-mysql.sh --dump
905	franck	1671	# Nettoyage des utilisateurs dont la date d'expiration du compte est supérieure à 7 jours
917	franck	1672	40 4 * * * root /usr/local/sbin/alcasar-mysql.sh --expire_user 2>&1 >/dev/null
1	root	1673	EOF
952	franck	1674	cat <<EOF > /etc/cron.d/alcasar-archive
		1675	# Archive des logs et de la base de données (tous les lundi à 5h35)
		1676	35 5 * * 1 root $DIR_DEST_BIN/alcasar-archive.sh --now
		1677	EOF
1566	richard	1678	cat << EOF > /etc/cron.d/alcasar-ticket-clean
		1679	# suppression des fichiers de mots de passe (imports massifs par fichier) et des ticket PDF d'utilisateur
		1680	30 * * * * root $DIR_DEST_BIN/alcasar-ticket-clean.sh
168	franck	1681	EOF
722	franck	1682	cat << EOF > /etc/cron.d/alcasar-distrib-updates
		1683	# mise à jour automatique de la distribution tous les jours 3h30
762	franck	1684	30 3 * * * root /usr/sbin/urpmi --auto-update --auto 2>&1
722	franck	1685	EOF
1247	crox53	1686	#cat << EOF > /etc/cron.d/alcasar-netflow
1159	crox53	1687	# mise à jour automatique du délais d'expiration des log Nertflow (tous les vendredi à 0h05)
1247	crox53	1688	#15 0 * * 1 root $DIR_DEST_BIN/alcasar-netflow.sh
		1689	#EOF
1159	crox53	1690
1	root	1691	# mise à jour des stats de connexion (accounting). Scripts provenant de "dialupadmin" (rpm freeradius-web) (cf. wiki.freeradius.org/Dialup_admin).
		1692	# on écrase le crontab d'origine installé par le RPM "freeradius-web" (bug remonté à qa.mandriva.com : 46739).
		1693	# 'tot_stats' (tout les jours à 01h01) : aggrégat des connexions journalières par usager (renseigne la table 'totacct')
		1694	# 'monthly_tot_stat' (tous les jours à 01h05) : aggrégat des connexions mensuelles par usager (renseigne la table 'mtotacct')
		1695	# 'truncate_raddact' (tous les 1er du mois à 01h10) : supprime les entrées journalisées plus vieilles que '$back_days' jours (défini ci-après)
		1696	# 'clean_radacct' (tous les 1er du mois à 01h15) : ferme les session ouvertes de plus de '$back_days' jours (défini ci-après)
		1697	$SED "s?^\$back_days.*?\$back_days = 365;?g" /usr/bin/truncate_radacct
		1698	$SED "s?^\$back_days.*?\$back_days = 30;?g" /usr/bin/clean_radacct
		1699	rm -f /etc/cron.daily/freeradius-web
		1700	rm -f /etc/cron.monthly/freeradius-web
		1701	cat << EOF > /etc/cron.d/freeradius-web
		1702	1 1 * * * root /usr/bin/tot_stats > /dev/null 2>&1
		1703	5 1 * * * root /usr/bin/monthly_tot_stats > /dev/null 2>&1
		1704	10 1 1 * * root /usr/bin/truncate_radacct > /dev/null 2>&1
		1705	15 1 1 * * root /usr/bin/clean_radacct > /dev/null 2>&1
		1706	EOF
671	franck	1707	cat << EOF > /etc/cron.d/alcasar-watchdog
713	franck	1708	# activation du "chien de garde" (watchdog) toutes les 3'
1	root	1709	/3 * * * root $DIR_DEST_BIN/alcasar-watchdog.sh > /dev/null 2>&1
		1710	EOF
808	franck	1711	# activation du "chien de garde des services" (watchdog) toutes les 18'
		1712	cat << EOF > /etc/cron.d/alcasar-daemon-watchdog
		1713	# activation du "chien de garde" (daemon-watchdog) toutes les 18'
		1714	/18 * * * root $DIR_DEST_BIN/alcasar-daemon.sh > /dev/null 2>&1
		1715	EOF
522	richard	1716	# suppression des crons usagers
		1717	rm -f /var/spool/cron/*
1	root	1718	} # End cron
		1719
		1720	##################################################################
1221	richard	1721	## Fonction "Fail2Ban" ##
1163	crox53	1722	##- Modification de la configuration de fail2ban ##
		1723	##- Sécurisation DDOS, SSH-Brute-Force, Intercept.php ... ##
		1724	##################################################################
		1725	fail2ban()
		1726	{
1191	crox53	1727	$DIR_CONF/fail2ban.sh
1474	richard	1728	# Autorise la lecture seule 2 des 3 fichiers de log concernés, havp est traité dans le script d'init de havp
1192	crox53	1729	[ -e /var/log/fail2ban.log ] \|\| touch /var/log/fail2ban.log
1489	richard	1730	[ -e /var/Save/security/watchdog.log ] \|\| touch /var/Save/security/watchdog.log
1165	crox53	1731	chmod 644 /var/log/fail2ban.log
1489	richard	1732	chmod 644 /var/Save/security/watchdog.log
1418	richard	1733	/usr/bin/touch /var/log/auth.log
1515	richard	1734	# fail2ban unit
		1735	[ -e /lib/systemd/system/fail2ban.service.default ] \|\| cp /lib/systemd/system/fail2ban.service /lib/systemd/system/fail2ban.service.default
		1736	$SED '/ExecStart=/a\ExecStop=/usr/bin/fail2ban-client stop' /usr/lib/systemd/system/fail2ban.service
		1737	$SED '/Type=/a\PIDFile=/var/run/fail2ban/fail2ban.pid' /usr/lib/systemd/system/fail2ban.service
1418	richard	1738	$SED '/After=*/c After=syslog.target network.target httpd.service' /usr/lib/systemd/system/fail2ban.service
1163	crox53	1739	} #Fin de fail2ban_install()
		1740
		1741	##################################################################
1376	richard	1742	## Fonction "gammu_smsd" ##
		1743	## - Creation de la base de donnée Gammu ##
		1744	## - Creation du fichier de config: gammu_smsd_conf ##
		1745	## ##
		1746	##################################################################
		1747	gammu_smsd()
		1748	{
		1749	# Create 'gammu' databse
		1750	MYSQL="/usr/bin/mysql -uroot -p$mysqlpwd --exec"
		1751	$MYSQL="CREATE DATABASE IF NOT EXISTS $DB_GAMMU;GRANT ALL ON $DB_GAMMU.* TO $DB_USER@localhost IDENTIFIED BY '$radiuspwd';FLUSH PRIVILEGES"
		1752	# Add a gammu database structure
		1753	mysql -u$DB_USER -p$radiuspwd $DB_GAMMU < $DIR_CONF/gammu-smsd-db-vierge.sql
		1754
		1755	# config file for the daemon
		1756	cat << EOF > /etc/gammu_smsd_conf
		1757	[gammu]
		1758	port = /dev/ttyUSB0
		1759	connection = at115200
		1760
		1761	;########################################################
		1762
		1763	[smsd]
		1764
		1765	PIN = 1234
		1766
		1767	logfile = /var/log/gammu-smsd/gammu-smsd.log
		1768	logformat = textall
		1769	debuglevel = 0
		1770
		1771	service = sql
		1772	driver = native_mysql
		1773	user = $DB_USER
		1774	password = $radiuspwd
		1775	pc = localhost
		1776	database = $DB_GAMMU
		1777
		1778	RunOnReceive = /usr/local/bin/alcasar-sms.sh --new_sms
		1779
		1780	StatusFrequency = 30
1380	richard	1781	;LoopSleep = 2
1376	richard	1782
		1783	;ResetFrequency = 300
		1784	;HardResetFrequency = 120
		1785
		1786	CheckSecurity = 1
		1787	CheckSignal = 1
		1788	CheckBattery = 0
		1789	EOF
		1790
		1791	chmod 755 /etc/gammu_smsd_conf
		1792
		1793	#Creation dossier de log Gammu-smsd
1382	richard	1794	[ -e /var/log/gammu-smsd ] \|\| mkdir /var/log/gammu-smsd
1376	richard	1795	chmod 755 /var/log/gammu-smsd
		1796
		1797	#Edition du script sql gammu <-> radius
1452	richard	1798	$SED "s/^u_db=\".*/u_db=\"$DB_USER\"/g" $DIR_DEST_BIN/alcasar-sms.sh
		1799	$SED "s/^p_db=\".*/p_db=\"$radiuspwd\"/g" $DIR_DEST_BIN/alcasar-sms.sh
1376	richard	1800
1380	richard	1801	#Création de la règle udev pour les Huawei // idVendor: 12d1
		1802	cat << EOF > /etc/udev/rules.d/66-huawei.rules
		1803	KERNEL=="ttyUSB0",ATTRS{idVendor}=="12d1",RUN+="/usr/local/bin/alcasar-sms.sh --mode"
		1804	EOF
		1805
1376	richard	1806	} # END gammu_smsd()
		1807
		1808	##################################################################
1221	richard	1809	## Fonction "post_install" ##
1	root	1810	## - Modification des bannières (locales et ssh) et des prompts ##
		1811	## - Installation de la structure de chiffrement pour root ##
		1812	## - Mise en place du sudoers et de la sécurité sur les fichiers##
		1813	## - Mise en place du la rotation des logs ##
5	franck	1814	## - Configuration dans le cas d'une mise à jour ##
1	root	1815	##################################################################
		1816	post_install()
		1817	{
		1818	# création de la bannière locale
1007	richard	1819	[ -e /etc/mageia-release.default ] \|\| cp /etc/mageia-release /etc/mageia-release.default
		1820	cp -f $DIR_CONF/banner /etc/mageia-release
		1821	echo " V$VERSION" >> /etc/mageia-release
1	root	1822	# création de la bannière SSH
1007	richard	1823	cp /etc/mageia-release /etc/ssh/alcasar-banner-ssh
5	franck	1824	chmod 644 /etc/ssh/alcasar-banner-ssh ; chown root:root /etc/ssh/alcasar-banner-ssh
1	root	1825	[ -e /etc/ssh/sshd_config.default ] \|\| cp /etc/ssh/sshd_config /etc/ssh/sshd_config.default
		1826	$SED "s?^Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
		1827	$SED "s?^#Banner.*?Banner /etc/ssh/alcasar-banner-ssh?g" /etc/ssh/sshd_config
793	richard	1828	# postfix banner anonymisation
		1829	$SED "s?^smtpd_banner =.*?smtpd_banner = $myhostname ESMTP?g" /etc/postfix/main.cf
604	richard	1830	# sshd écoute côté LAN et WAN
1548	richard	1831	$SED "s?^#ListenAddress 0\.0\.0\.0.*?ListenAddress 0\.0\.0\.0?g" /etc/ssh/sshd_config
860	richard	1832	# Put the default value in conf file (sshd, QOS and protocols/dns/ are off)(web antivirus is on)
628	richard	1833	echo "SSH=off" >> $CONF_FILE
1063	richard	1834	echo 'SSH_ADMIN_FROM=0.0.0.0/0.0.0.0' >> $CONF_FILE
628	richard	1835	echo "QOS=off" >> $CONF_FILE
		1836	echo "LDAP=off" >> $CONF_FILE
786	richard	1837	echo "LDAP_IP=0.0.0.0/0.0.0.0" >> $CONF_FILE
885	richard	1838	echo "YOUTUBE_ID=ABCD1234567890abcdef" >> $CONF_FILE
1078	franck	1839	echo "MULTIWAN=off" >> $CONF_FILE
		1840	echo "FAILOVER=30" >> $CONF_FILE
		1841	echo "## WANx=active,@IPx/mask,GWx,Weight,MTUx" >> $CONF_FILE
1336	richard	1842	echo "#WAN1=\"1,$EXTIF:1,192.168.2.20/24,192.168.2.6,1,1500\"" >> $CONF_FILE
		1843	echo "#WAN2=\"1,$EXTIF:2,192.168.3.20/24,192.168.3.1,2,1500\"" >> $CONF_FILE
1	root	1844	# Coloration des prompts
		1845	[ -e /etc/bashrc.default ] \|\| cp /etc/bashrc /etc/bashrc.default
5	franck	1846	cp -f $DIR_CONF/bashrc /etc/. ; chmod 644 /etc/bashrc ; chown root:root /etc/bashrc
630	franck	1847	$SED "s?^ORGANISME.*?ORGANISME=$ORGANISME?g" /etc/bashrc
1	root	1848	# Droits d'exécution pour utilisateur apache et sysadmin
		1849	[ -e /etc/sudoers.default ] \|\| cp /etc/sudoers /etc/sudoers.default
5	franck	1850	cp -f $DIR_CONF/sudoers /etc/. ; chmod 440 /etc/sudoers ; chown root:root /etc/sudoers
629	richard	1851	$SED "s?^Host_Alias.*?Host_Alias LAN_ORG=$PRIVATE_NETWORK/$PRIVATE_NETMASK,localhost #réseau de l'organisme?g" /etc/sudoers
1543	richard	1852	# Modify some logrotate files (gammu, ulogd)
1	root	1853	cp -f $DIR_CONF/logrotate.d/* /etc/logrotate.d/
		1854	chmod 644 /etc/logrotate.d/*
714	franck	1855	# rectification sur versions précédentes de la compression des logs
706	franck	1856	$SED "s?^delaycompress.*?#&?g" /etc/logrotate.conf
		1857	# actualisation des fichiers logs compressés
1342	richard	1858	for dir in firewall dansguardian httpd
706	franck	1859	do
714	franck	1860	find /var/log/$dir -type f -name *.log-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9] -exec gzip {} \;
706	franck	1861	done
1221	richard	1862	# create the alcasar-load_balancing unit
		1863	cat << EOF > /lib/systemd/system/alcasar-load_balancing.service
1184	crox53	1864	# This file is part of systemd.
		1865	#
		1866	# systemd is free software; you can redistribute it and/or modify it
		1867	# under the terms of the GNU General Public License as published by
		1868	# the Free Software Foundation; either version 2 of the License, or
		1869	# (at your option) any later version.
		1870
		1871	# This unit lauches alcasar-load-balancing.sh script.
		1872	[Unit]
		1873	Description=alcasar-load_balancing.sh execution
		1874	After=network.target iptables.service
		1875
		1876	[Service]
		1877	Type=oneshot
		1878	RemainAfterExit=yes
		1879	ExecStart=/usr/local/sbin/alcasar-load_balancing.sh start
		1880	ExecStop=/usr/local/sbin/alcasar-load_balancing.sh stop
		1881	TimeoutSec=0
		1882	SysVStartPriority=99
		1883
		1884	[Install]
		1885	WantedBy=multi-user.target
1157	stephane	1886	EOF
1221	richard	1887	# processes launched at boot time (Systemctl)
1525	franck	1888	for i in alcasar-load_balancing mysqld httpd ntpd iptables dnsmasq dnsmasq-blacklist dnsmasq-whitelist dnsmasq-blackhole radiusd nfsen dansguardian freshclam ulogd-ssh ulogd-traceability ulogd-ext-access chilli fail2ban havp tinyproxy vnstat
1221	richard	1889	do
1389	richard	1890	systemctl -q enable $i.service
1221	richard	1891	done
1452	richard	1892
		1893	# disable processes at boot time (Systemctl)
		1894	for i in ulogd
		1895	do
		1896	systemctl -q disable $i.service
		1897	done
		1898
1221	richard	1899	# Apply French Security Agency (ANSSI) rules
1362	richard	1900	# ignore ICMP broadcast (smurf attack)
		1901	echo "net.ipv4.icmp_echo_ignore_broadcasts = 1" > /etc/sysctl.d/alcasar.conf
		1902	# ignore ICMP errors bogus
		1903	echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" >> /etc/sysctl.d/alcasar.conf
		1904	# remove ICMP redirects responces
		1905	echo "net.ipv4.conf.all.accept_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1906	echo "net.ipv4.conf.all.send_redirects = 0" >> /etc/sysctl.d/alcasar.conf
		1907	# enable SYN Cookies (Syn flood attacks)
		1908	echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.d/alcasar.conf
		1909	# enable kernel antispoofing
		1910	echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.d/alcasar.conf
		1911	# ignore source routing
		1912	echo "net.ipv4.conf.all.accept_source_route = 0" >> /etc/sysctl.d/alcasar.conf
		1913	# set conntrack timer to 1h (3600s) instead of 5 weeks
		1914	echo "net.netfilter.nf_conntrack_tcp_timeout_established = 3600" >> /etc/sysctl.d/alcasar.conf
1157	stephane	1915	# disable log_martians (ALCASAR is often installed between two private network addresses)
1363	richard	1916	echo "net.ipv4.conf.all.log_martians = 0" >> /etc/sysctl.d/alcasar.conf
1362	richard	1917	# remove Magic SysReq Keys
1363	richard	1918	[ -e /etc/sysctl.d/51-alt-sysrq.conf ] && rm /etc/sysctl.d/51-alt-sysrq.conf
1003	richard	1919	# switch to multi-users runlevel (instead of x11)
1221	richard	1920	ln -sf /lib/systemd/system/multi-user.target /etc/systemd/system/default.target
1005	richard	1921	# GRUB modifications
		1922	# limit wait time to 3s
		1923	# create an alcasar entry instead of linux-nonfb
		1924	# change display to 1024*768 (vga791)
1221	richard	1925	$SED "s?^timeout.*?timeout 3?g" /boot/grub/menu.lst
		1926	$SED "s?^title linux?title ALCASAR?g" /boot/grub/menu.lst
		1927	$SED "/^kernel/s/splash quiet //" /boot/grub/menu.lst
		1928	$SED "/^kernel/s/vga=.*/vga=791 nomodeset/" /boot/grub/menu.lst
		1929	$SED "/^kernel/s/BOOT_IMAGE=linux /BOOT_IMAGE=linux-nonfb /" /boot/grub/menu.lst
		1930	$SED "/^gfxmenu/d" /boot/grub/menu.lst
1003	richard	1931	# Remove unused services and users
1502	richard	1932	for svc in sshd
1221	richard	1933	do
1502	richard	1934	/bin/systemctl -q disable $svc.service
1221	richard	1935	done
		1936	# Load and apply the previous conf file
		1937	if [ "$mode" = "update" ]
532	richard	1938	then
1266	richard	1939	$DIR_DEST_BIN/alcasar-archive.sh --now # exports current logs in /var/Save/logs
1221	richard	1940	$DIR_DEST_BIN/alcasar-conf.sh --load
		1941	PARENT_SCRIPT=`basename $0`
		1942	export PARENT_SCRIPT # to avoid stop&start process during the installation process
		1943	$DIR_DEST_BIN/alcasar-conf.sh --apply
		1944	$SED "s?^INSTALL_DATE=.*?INSTALL_DATE=$DATE?g" $CONF_FILE
		1945	$SED "s?^VERSION=.*?VERSION=$VERSION?g" $CONF_FILE
532	richard	1946	fi
1221	richard	1947	rm -f /tmp/alcasar-conf*
		1948	chown -R root:apache $DIR_DEST_ETC/*
		1949	chmod -R 660 $DIR_DEST_ETC/*
		1950	chmod ug+x $DIR_DEST_ETC/digest
1045	franck	1951	# Apply and save the firewall rules
		1952	sh $DIR_DEST_BIN/alcasar-iptables.sh
		1953	sleep 2
1	root	1954	cd $DIR_INSTALL
5	franck	1955	echo ""
1	root	1956	echo "#############################################################################"
638	richard	1957	if [ $Lang == "fr" ]
		1958	then
		1959	echo "# Fin d'installation d'ALCASAR #"
		1960	echo "# #"
		1961	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1962	echo "# des Accès au Réseau ( ALCASAR ) #"
		1963	echo "# #"
		1964	echo "#############################################################################"
		1965	echo
		1966	echo "- ALCASAR sera fonctionnel après redémarrage du système"
		1967	echo
		1968	echo "- Lisez attentivement la documentation d'exploitation"
		1969	echo
		1970	echo "- Le centre de controle d'ALCASAR (ACC) est à l'adresse http://alcasar"
		1971	echo
		1972	echo " Appuyez sur 'Entrée' pour continuer"
		1973	else
		1974	echo "# Enf of ALCASAR install process #"
		1975	echo "# #"
		1976	echo "# Application Libre pour le Contrôle Authentifié et Sécurisé #"
		1977	echo "# des Accès au Réseau ( ALCASAR ) #"
		1978	echo "# #"
		1979	echo "#############################################################################"
		1980	echo
		1981	echo "- The system will be rebooted in order to operate ALCASAR"
		1982	echo
		1983	echo "- Read the exploitation documentation"
		1984	echo
		1985	echo "- The ALCASAR Control Center (ACC) is at http://alcasar"
		1986	echo
		1987	echo " Hit 'Enter' to continue"
		1988	fi
815	richard	1989	sleep 2
		1990	if [ "$mode" != "update" ]
820	richard	1991	then
815	richard	1992	read a
		1993	fi
774	richard	1994	clear
1	root	1995	reboot
		1996	} # End post_install ()
		1997
		1998	#################################
1005	richard	1999	# Main Install loop #
1	root	2000	#################################
832	richard	2001	dir_exec=`dirname "$0"`
		2002	if [ $dir_exec != "." ]
		2003	then
		2004	echo "Lancez ce programme depuis le répertoire de l'archive d'ALCASAR"
		2005	echo "Launch this program from the ALCASAR archive directory"
		2006	exit 0
		2007	fi
		2008	VERSION=`cat $DIR_INSTALL/VERSION`
291	franck	2009	usage="Usage: alcasar.sh {-i or --install} \| {-u or --uninstall}"
1	root	2010	nb_args=$#
		2011	args=$1
		2012	if [ $nb_args -eq 0 ]
		2013	then
		2014	nb_args=1
		2015	args="-h"
		2016	fi
1062	richard	2017	chmod -R u+x $DIR_SCRIPTS/*
1	root	2018	case $args in
		2019	-\? \| -h* \| --h*)
		2020	echo "$usage"
		2021	exit 0
		2022	;;
291	franck	2023	-i \| --install)
1538	richard	2024	header_install
959	franck	2025	license
1544	richard	2026	header_install
29	richard	2027	testing
595	richard	2028	# RPMs install
		2029	$DIR_SCRIPTS/alcasar-urpmi.sh
		2030	if [ "$?" != "0" ]
1	root	2031	then
595	richard	2032	exit 0
		2033	fi
1249	richard	2034	if [ -e $CONF_FILE ]
595	richard	2035	then
597	richard	2036	# Uninstall the running version
532	richard	2037	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
595	richard	2038	fi
636	richard	2039	# Test if manual update
1362	richard	2040	if [ -e /tmp/alcasar-conf*.tar.gz ] && [ "$mode" == "install" ]
595	richard	2041	then
636	richard	2042	header_install
595	richard	2043	if [ $Lang == "fr" ]
636	richard	2044	then echo "Le fichier de configuration d'une ancienne version a été trouvé";
		2045	else echo "The configuration file of an old version has been found";
595	richard	2046	fi
597	richard	2047	response=0
		2048	PTN='^[oOnNyY]$'
		2049	until [[ $(expr $response : $PTN) -gt 0 ]]
		2050	do
		2051	if [ $Lang == "fr" ]
		2052	then echo -n "Voulez-vous l'utiliser (O/n)? ";
		2053	else echo -n "Do you want to use it (Y/n)?";
		2054	fi
		2055	read response
		2056	if [ "$response" = "n" ] \|\| [ "$response" = "N" ]
		2057	then rm -f /tmp/alcasar-conf*
		2058	fi
		2059	done
		2060	fi
636	richard	2061	# Test if update
1057	richard	2062	if [ -e /tmp/alcasar-conf* ]
597	richard	2063	then
		2064	if [ $Lang == "fr" ]
		2065	then echo "#### Installation avec mise à jour ####";
		2066	else echo "#### Installation with update ####";
		2067	fi
636	richard	2068	# Extract the central configuration file
1057	richard	2069	tar -xf /tmp/alcasar-conf* conf/etc/alcasar.conf
637	richard	2070	ORGANISME=`grep ORGANISM conf/etc/alcasar.conf\|cut -d"=" -f2`
1010	richard	2071	PREVIOUS_VERSION=`grep VERSION conf/etc/alcasar.conf\|cut -d"=" -f2`
		2072	MAJ_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f1`
		2073	MIN_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f2\|cut -c1`
		2074	UPD_PREVIOUS_VERSION=`echo $PREVIOUS_VERSION\|cut -d"." -f3`
5	franck	2075	mode="update"
1	root	2076	fi
1541	richard	2077	for func in init network ACC CA init_db radius radius_web chilli dansguardian antivirus tinyproxy ulogd nfsen vnstat dnsmasq BL cron fail2ban gammu_smsd post_install
5	franck	2078	do
		2079	$func
1362	richard	2080	# echo "* 'debug' : end of function $func *"; read a
14	richard	2081	done
5	franck	2082	;;
291	franck	2083	-u \| --uninstall)
5	franck	2084	if [ ! -e $DIR_DEST_SBIN/alcasar-uninstall.sh ]
1	root	2085	then
597	richard	2086	if [ $Lang == "fr" ]
		2087	then echo "ALCASAR n'est pas installé!";
		2088	else echo "ALCASAR isn't installed!";
		2089	fi
1	root	2090	exit 0
		2091	fi
5	franck	2092	response=0
		2093	PTN='^[oOnN]$'
580	richard	2094	until [[ $(expr $response : $PTN) -gt 0 ]]
5	franck	2095	do
597	richard	2096	if [ $Lang == "fr" ]
		2097	then echo -n "Voulez-vous créer le fichier de configuration de la version actuelle (0/n)? ";
854	richard	2098	else echo -n "Do you want to create the running version configuration file (Y/n)? ";
597	richard	2099	fi
5	franck	2100	read response
		2101	done
1103	richard	2102	if [ "$response" = "o" ] \|\| [ "$response" = "O" ] \|\| [ "$response" = "Y" ] \|\| [ "$response" = "y" ]
1	root	2103	then
1103	richard	2104	$DIR_SCRIPTS/alcasar-conf.sh --create
498	richard	2105	else
		2106	rm -f /tmp/alcasar-conf*
1	root	2107	fi
597	richard	2108	# Uninstall the running version
65	richard	2109	$DIR_SCRIPTS/sbin/alcasar-uninstall.sh
1	root	2110	;;
		2111	*)
		2112	echo "Argument inconnu :$1";
460	richard	2113	echo "Unknown argument :$1";
1	root	2114	echo "$usage"
		2115	exit 1
		2116	;;
		2117	esac
10	franck	2118	# end of script
366	franck	2119

Subversion Repositories ALCASAR

(root)/alcasar.sh @ 2681 – Rev 1570